Decoding eval gzinflate base64_decode str_rot13

This is sort of a supplement to the the blog post I made with the PHP snippet on decoding code encrypted via eval(gzinflate(base64_decode('encoded text'))); over at:

Decoding eval gzinflate base64_decode

The following code snippet is a simple PHP class found at the post
by macosbrain entitled Decode
Function: eval gzinflate base64_decode str_rot13

Contrary to this post's title, the class is cabable of decoding
the following functions that are commonly used for protecting PHP
code:

eval(gzinflate(base64_decode(
eval(gzinflate(str_rot13(base64_decode(
eval(gzinflate(base64_decode(base64_decode(str_rot13(
eval(gzinflate(base64_decode(str_rot13(

PLAIN TEXT

PHP:

<?php
/*
This code was taken from http://wordpress.macosbrain.com/2006/08/17/decode-function-eval-gzinflate-base64_decode-str_rot13/
Directions:
1. Save this code to a PHP file (e.g. decode.php)
2. Copy the encoded PHP code and place it in encoded.php
3. Execute this script by visiting decode.php in your browser
4. You will be prompted to download the decrypted file (e.g. decode_test.php)
Notice:
Do not use this to violate copyright. This is intended for educational and security purposes only.
*/
class decode
{
function __construct($file)
{
$this->org_data = file_get_contents($file);
$this->result = $this->org_data;
$this->done = false;
$this->file = $file;
}
function strip_php_tags($str)
{
$str_del = Array('');
return str_replace($str_del,'',$str);
}
function strip_what_to_execute()
{
$possible_code = substr($this->result,0,strpos($this->result,"'"));
$possible_code_end = strrpos($this->result,"'");
if($this->test_possible_code($possible_code) && count($this->execute)> 0)
{
$possible_code_start = strlen($possible_code)+1;
$this->result = substr($this->result,$possible_code_start,$possible_code_end-$possible_code_start);
}
}
function clean_string($str)
{
$str = trim($str,"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f");
$str = trim($str,"\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff");
$str = trim($str);
return $str;
}
function test_possible_code($str)
{
$str = $this->clean_string($this->strip_php_tags($str));
//echo $str."\n";
$functions = explode('(',$str);
$this->execute = array();
if(!in_array('eval',$functions))
{
$this->done = true;
return false;
}
foreach($functions as $function)
{
if($function!='' && $function!='eval')
{
if(!function_exists($function))
$this->error('sorry but i can not access the function:"'.$function.'"');
else
$this->execute[] = $function;
}
}
return true;
}
function execute()
{
$cmd_str = '';
$cmd_end = '';
foreach($this->execute as $cmd)
{
$cmd_str .= $cmd.'(';
$cmd_end .= ')';
}
$eval = $cmd_str."'".$this->result."'".$cmd_end;
eval ("\$this->result = ".$eval.";");
}
function error($msg)
{
die($msg);
}
function decode()
{
$this->strip_what_to_execute();
if($this->done==false && count($this->execute)> 0)
{
$this->execute();
$this->decode();
}
else
{
//i think this is the "decrypted", you may see two little errors, correct them.
$this->download();
}
}
function download()
{
header('Content-Disposition: attachment; filename="decrypted_'.$this->file.'"');
header('Content-Type: application/php');
header('Content-Length: '.strlen($this->result));
die($this->result);
}
}
//put your encoded PHP code in encoded.php
$decode = new decode('encoded.php');
$decode->decode();
?>

If you do manage to decode something with this class please leave a comment, if you have any issues please leave a reply here or comment on the author's original post. Please note that I have received permission from macosbrain to include his class in this article.

9 Responses to “Decoding eval gzinflate base64_decode str_rot13”

Feed for this Entry Trackback Address

1

Rating: ? | timsky Feb 19th, 2007 at 9:04 am

Hi!

I tried to decode shell that some hackers left on my website. It's VERY IMPORTANT for me to decode it.

I have this error on localhost:
=========================
Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 29

Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 29

Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 30

Notice: Undefined property: file in z:\home\localhost\www\dec\decrypt2.php on line 105

Warning: Cannot modify header information - headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 105

Warning: Cannot modify header information - headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 106

Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 107

Warning: Cannot modify header information - headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 107

Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 108
=========================

Then I created ".htaccess" file containing "php_value error_reporting 7" string and script seems to start working but size of downloaded file is 0

Can you help me?

Best regards,
timsky
2

Rating: ? | richard May 8th, 2007 at 2:01 am

hi, thank you. i've tried it , done everything you said. yes it downloaded a file but that file was blank.........there were nothing in it just a white page.
3

Rating: 1 | dilip May 9th, 2007 at 3:30 am

hi, i tried this script but i get the blank file which is downloaded.
4

Rating: 8 | Danilo Stern-Sapad May 10th, 2007 at 4:44 am

I should have mentioned this in my actual post (I'll amend it at a later date), but the snippet actually works fairly well for decoding scripts; unfortunately you have to remove any unnecessary code first, meaning don't include comments or unencrypted code when you run the snippet. What you feed this script should look something like this:

eval(gzinflate(str_rot13(base64_decode('FZ3HjuvQlUV...'))));

FZ3HjuvQlUV... = encoded text

What method of encoding is being used? Perhaps you'd have an easier time with the script for decoding eval gzinflate base64_decode, it works great for what it does if you follow the directions I included. The snippet above is good for recursive decoding (i.e. if the encoded text is encoded).
5

Rating: ? | carlos Oct 8th, 2007 at 11:36 pm

what about trying to decode " eval(gzuncompress (base64_decode('encodedtext'))); "

How can i decode this? And is there any online decoder?
6

Rating: ? | Ben Nov 29th, 2007 at 12:06 pm

This looks like a great post, however i like everyone else here can not seem to get this to work. has anyone been succesful??
7

Rating: ? | EllisGL Jan 26th, 2008 at 11:35 am

I didn't even see this when I went on my own to make a decoder...
http://www.webdeveloper.com/forum/showthread.php?t=172020 or
http://refactormycode.com/codes/218-eval-encoded-file-decoder

(All the same thing - but just in case one or two get deleted).
8

Rating: ? | hack Feb 9th, 2008 at 4:32 am

no its return the same code
9

Rating: ? | Daniel Apr 27th, 2008 at 7:29 pm

Hi can anyone decode this for me

Please reply back to NUTTYKEITH@GOOGLEMAIL.COM thanks

Tangential Musings

Decoding eval gzinflate base64_decode str_rot13

9 Responses to “Decoding eval gzinflate base64_decode str_rot13”

Leave a Reply

Search

About

Random Quote

Topics

Currently Reading

Recent Posts

My Websites

Friends & Family

Sponsors

OK