Decoding Encoded PHP Codes Part II

Saturday, August 9th, 2008

It's very common these days to buy a script from the web and, after a while, need a modification while the developer is out of reach. So you have to be satisfied with the current script. You may not be able to modify it yourself, because most commercial scripts are encrypted or obfuscated. Today, I'll describe my experience decoding an obfuscated PHP script.

First of all, don't start looking for part I, because there is no part one. I have done this sort of thing many times, but I forgot to write it up. There was another PHP script I decoded months ago; that'll be the first part. This is the second part. I'm just keeping a place for the first part.

Okay. Let's start.

I got a script. I don't know what it does. What I saw was that the script was obfuscated. I won't give you the full script, but I'll give you the pattern of the script.

Here is the raw script I got.

<?php
$o="QAAAOzh3b3cKDW5pZGiLwAGJXNvbnQndGR1bndzJwCgELRjAFAnaGlrfidzaCcEXCUToXoKDWQKmG9iZGwC1C8TcSsR4isjEHECQTg5";
eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29k3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));
return;
?>

See the raw data. Its format looks like base64 encoding. Though you can see base64_decode() being called, that does not guarantee that the successive raw data will also be base64 encoded. I'll not touch the $o variable, because it's static. $o is not used in the eval() statement, so it's not the obfuscated code, I guess. I may not be right.

Note: the base64 data is truncated in the middle. It was huge.

Now I did the following:

<?php
$eval_data = "JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29k3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw==";
// Decode the base64 data and print the result instead of running it
$a = base64_decode($eval_data);
echo $a;
?>

It shows a nearly unreadable PHP code fragment.

$lll=0;$code=(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));echo $code;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;$code=($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));echo $code;eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));$llll=0;$lllll=3;$code= ... ... ... ... ... ... ... ... ... ... ... ... ... ...
... ... ... ... ... ... ... ... ... ... ... ...
... ... ... ... ... ... ... ... ... ... ... ... ... ($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));echo $code;eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));$code=($lllllllll);echo $code;eval($lllllllll);$lllllllllll='base64_decode';$llllllllll='ord';$l=$lllllllllll($o);$lllllllllllll='strlen';$llllllllllll='chr';$lllllllll="?".$llllllllllll(62);$lllllllll.=$lllllllll

But you'll notice some things about this code (I used regular expressions for the patterns):

  • variables are like /^\$l{3,}/, which matches $lll, $llll, $lllll and so on.
  • some base64 strings again. /"[a-zA-Z0-9\+\/]+={0,2}"/ matches all these strings.
  • all base64 strings start with "J" (they all decode to code beginning with "$", whose first six bits encode as "J")!!
  • lots of eval() calls, as expected

In the above code fragment only the base64 strings needed decoding, because the rest was plain PHP syntax, nothing special. So I extracted the base64 strings and decoded them to have a look.

<?php
// $a holds the base64-decoded code from the previous step
// extract any base64 data in the decoded string
$m = array();
preg_match_all('|"(JGx[a-zA-Z0-9+/=]+)"|', $a, $m);
// yes, the pattern is a bit different. ;)
// watch the variables
print_r($m);
// Decode the strings.
foreach ($m[1] as $v) {
    echo base64_decode($v) . "\n";
}
?>

After decoding, I saw something like this.

$lllllllllll='base64_decode';
$llllllllll='ord';
$lllllllllllll='strlen';
$llllllllllll='chr';
$lllllllll="?".$llllllllllll(62);
$lllllllll.=$llllllllll.$llllllllllll(60)."?";

Ha ha, see how the native functions are obfuscated?

Remember there were some eval() calls. They were used to dynamically evaluate PHP code. My target was simply to echo the code before it executes, something like echo $x; eval($x). Say there is a call

eval($d)

I need to convert it to

echo $d; eval($d)

The following magic regular expression does the trick:

// $a contains the first base64-decoded data (see the code above)
// modify the code to echo before eval
$a1 = preg_replace('|eval(\([^;]+\));|', '$code=$1;echo $code;eval$1;', $a);

Our code is modified, so when it executes it'll show the dynamic PHP code.

We are almost there. Remember, the first base64 string was passed to an eval()?

So we'll just put the new modified code in eval() and call it.

That's it, as you have guessed:

// eval finally to see the code. ;)
eval($a1);

That’ll make you see the code.

Here is what I have seen ;)

include_once('license.php');
//valid license

…. …. ….
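The same recovery done statically, as an added Python example that is not the post's code: assuming the wrapper and alias layout shown above, it peels the eval(base64_decode("...")) wrapper, decodes the literals that start with "J", and maps the $lll... aliases back to the native function names, so the hidden statements can be read without ever running the script. The sample script is constructed to mirror the post's pattern.

```python
import base64
import re

def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed sample shaped like the post's script: a wrapper that only does
# eval(base64_decode("...")), hiding a layer that aliases native functions
# into $lll... variables and calls them on more base64 literals.
LAYER1 = ('$lll=0;eval(base64_decode("%s"));eval($lllllllllll("%s"));'
          'eval($lllllllllll("%s"));'
          % (b64("$lllllllllll='base64_decode';"),
             b64("$llllllllllll='chr';"),
             b64('$lllllllll="?".$llllllllllll(62);')))
SAMPLE = '<?php\n$o="placeholder";eval(base64_decode("%s"));return;\n?>' % b64(LAYER1)

# A layer that is nothing but optional assignments plus eval(base64_decode("...")).
WRAPPER = re.compile(r'(?:<\?php)?\s*(?:\$\w+="[^"]*";)*'
                     r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);'
                     r'(?:return;)?\s*(?:\?>)?')
# Literals starting with "J" decode to a leading "$", i.e. a PHP statement.
B64_LITERAL = re.compile(r'"(J[A-Za-z0-9+/]+={0,2})"')
# $lll...='name'; assignments that alias a native function to a variable.
ALIAS = re.compile(r"\$(l{3,})='([A-Za-z0-9_]+)';")

def unwrap(code: str, max_layers: int = 10) -> list:
    """Peel pure eval(base64_decode()) wrappers statically, outermost first."""
    layers = [code]
    for _ in range(max_layers):
        m = WRAPPER.fullmatch(layers[-1].strip())
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("latin-1"))
    return layers

def decode_literals(code: str) -> list:
    """Decode every base64 string literal in code, in order of appearance."""
    return [base64.b64decode(lit).decode("latin-1")
            for lit in B64_LITERAL.findall(code)]

def deobfuscate(code: str) -> list:
    """Hidden statements with $lll... aliases mapped to native names; nothing runs."""
    frags = decode_literals(unwrap(code)[-1])
    aliases = {"$" + v: f for frag in frags for v, f in ALIAS.findall(frag)}
    out = []
    for frag in frags:
        for var, func in aliases.items():   # the "(" keeps $lll from hitting $llll
            frag = frag.replace(var + "(", func + "(")
        out.append(frag)
    return out
```

Running deobfuscate(SAMPLE) yields the three hidden statements with chr(62) spelled out, the same thing the echo-before-eval trick shows, but without handing the script to the interpreter.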

Hope to write my first part soon.
