« Microsoft adCenter and Windows Live versus Google and Firefox?
Google AdSense versus Yahoo! Publisher Network »

Decoding eval gzinflate base64_decode str_rot13

Published November 10th, 2006 in Security and PHP.

This is sort of a supplement to the the blog post I made with the PHP snippet on decoding code encrypted via eval(gzinflate(base64_decode('encoded text'))); over at:

Decoding eval gzinflate base64_decode

The following code snippet is a simple PHP class found at the post
by macosbrain entitled Decode
Function: eval gzinflate base64_decode str_rot13

Contrary to this post's title, the class is cabable of decoding
the following functions that are commonly used for protecting PHP
code:

  1. eval(gzinflate(base64_decode(
  2. eval(gzinflate(str_rot13(base64_decode(
  3. eval(gzinflate(base64_decode(base64_decode(str_rot13(
  4. eval(gzinflate(base64_decode(str_rot13(
PLAIN TEXT
PHP:
  1. <?php
  2. /*
  3. This code was taken from http://wordpress.macosbrain.com/2006/08/17/decode-function-eval-gzinflate-base64_decode-str_rot13/
  5. Directions:
  6. 1. Save this code to a PHP file (e.g. decode.php)
  7. 2. Copy the encoded PHP code and place it in encoded.php
  8. 3. Execute this script by visiting decode.php in your browser
  9. 4. You will be prompted to download the decrypted file (e.g. decode_test.php)
  11. Notice:
  12. Do not use this to violate copyright. This is intended for educational and security purposes only.
  13. */
  14.  
  15. class decode
  16. {
  17.     function __construct($file)
  18.     {
  19.         $this->org_data = file_get_contents($file);
  20.         $this->result = $this->org_data;
  21.         $this->done = false;
  22.         $this->file = $file;
  23.     }
  24.    
  25.     function strip_php_tags($str)
  26.     {
  27.         $str_del = Array('');
  28.         return str_replace($str_del,'',$str);
  29.     }
  30.    
  31.     function strip_what_to_execute()
  32.     {
  33.         $possible_code = substr($this->result,0,strpos($this->result,"'"));
  34.         $possible_code_end = strrpos($this->result,"'");
  35.         if($this->test_possible_code($possible_code) && count($this->execute)> 0)
  36.         {
  37.             $possible_code_start = strlen($possible_code)+1;
  38.             $this->result = substr($this->result,$possible_code_start,$possible_code_end-$possible_code_start);
  39.         }
  40.     }
  41.    
  42.     function clean_string($str)
  43.     {
  44.         $str = trim($str,"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f");
  45.         $str = trim($str,"\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff");
  46.         $str = trim($str);
  47.         return $str;
  48.     }
  49.    
  50.     function test_possible_code($str)
  51.     {
  52.         $str = $this->clean_string($this->strip_php_tags($str));
  53.         //echo $str."\n";
  54.         $functions = explode('(',$str);
  55.         $this->execute = array();
  56.         if(!in_array('eval',$functions))
  57.         {
  58.             $this->done = true;
  59.             return false;
  60.         }
  61.         foreach($functions as $function)
  62.         {
  63.             if($function!='' && $function!='eval')
  64.             {
  65.                 if(!function_exists($function))
  66.                 $this->error('sorry but i can not access the function:"'.$function.'"');
  67.                 else
  68.                 $this->execute[] = $function;
  69.             }
  70.         }
  71.         return true;
  72.     }
  73.    
  74.     function execute()
  75.     {
  76.         $cmd_str = '';
  77.         $cmd_end = '';
  78.         foreach($this->execute as $cmd)
  79.         {
  80.             $cmd_str .= $cmd.'(';
  81.             $cmd_end .= ')';
  82.         }
  83.         $eval = $cmd_str."'".$this->result."'".$cmd_end;
  84.         eval ("\$this->result = ".$eval.";");
  85.     }
  86.    
  87.     function error($msg)
  88.     {
  89.         die($msg);
  90.     }
  91.    
  92.     function decode()
  93.     {
  94.         $this->strip_what_to_execute();
  95.         if($this->done==false && count($this->execute)> 0)
  96.         {
  97.             $this->execute();
  98.             $this->decode();
  99.         }
  100.         else
  101.         {
  102.             //i think this is the "decrypted", you may see two little errors, correct them.
  103.             $this->download();
  104.         }
  105.     }
  106.    
  107.     function download()
  108.     {
  109.         header('Content-Disposition: attachment; filename="decrypted_'.$this->file.'"');
  110.         header('Content-Type: application/php');
  111.         header('Content-Length: '.strlen($this->result));
  112.         die($this->result);
  113.     }
  114. }
  115. //put your encoded PHP code in encoded.php
  116. $decode = new decode('encoded.php');
  117. $decode->decode();
  118. ?>

If you do manage to decode something with this class please leave a comment, if you have any issues please leave a reply here or comment on the author's original post. Please note that I have received permission from macosbrain to include his class in this article.

Share This

10 Responses to “Decoding eval gzinflate base64_decode str_rot13”

Feed for this Entry Trackback Address
  1. 1
    avatar
    Rating: ? | timsky     Feb 19th, 2007 at 9:04 am

    Hi!

    I tried to decode shell that some hackers left on my website. It's VERY IMPORTANT for me to decode it.

    I have this error on localhost:
    =========================
    Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 29

    Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 29

    Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 30

    Notice: Undefined property: file in z:\home\localhost\www\dec\decrypt2.php on line 105

    Warning: Cannot modify header information - headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 105

    Warning: Cannot modify header information - headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 106

    Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 107

    Warning: Cannot modify header information - headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 107

    Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 108
    =========================

    Then I created ".htaccess" file containing "php_value error_reporting 7" string and script seems to start working but size of downloaded file is 0

    Can you help me?

    Best regards,
    timsky

  2. 2
    avatar
    Rating: ? | richard     May 8th, 2007 at 2:01 am

    hi, thank you. i've tried it , done everything you said. yes it downloaded a file but that file was blank.........there were nothing in it just a white page.

  3. 3
    avatar
    Rating: 1 | dilip     May 9th, 2007 at 3:30 am

    hi, i tried this script but i get the blank file which is downloaded.

  4. 4
    avatar
    Rating: 8 | Danilo Stern-Sapad     May 10th, 2007 at 4:44 am

    I should have mentioned this in my actual post (I'll amend it at a later date), but the snippet actually works fairly well for decoding scripts; unfortunately you have to remove any unnecessary code first, meaning don't include comments or unencrypted code when you run the snippet. What you feed this script should look something like this:


    eval(gzinflate(str_rot13(base64_decode('FZ3HjuvQlUV...'))));

    FZ3HjuvQlUV... = encoded text

    What method of encoding is being used? Perhaps you'd have an easier time with the script for decoding eval gzinflate base64_decode, it works great for what it does if you follow the directions I included. The snippet above is good for recursive decoding (i.e. if the encoded text is encoded).

  5. 5
    avatar
    Rating: ? | carlos     Oct 8th, 2007 at 11:36 pm

    what about trying to decode " eval(gzuncompress (base64_decode('encodedtext'))); "

    How can i decode this? And is there any online decoder?

  6. 6
    avatar
    Rating: ? | Ben     Nov 29th, 2007 at 12:06 pm

    This looks like a great post, however i like everyone else here can not seem to get this to work. has anyone been succesful??

  7. 7
    avatar
    Rating: ? | EllisGL     Jan 26th, 2008 at 11:35 am

    I didn't even see this when I went on my own to make a decoder...
    http://www.webdeveloper.com/forum/showthread.php?t=172020 or
    http://refactormycode.com/codes/218-eval-encoded-file-decoder

    (All the same thing - but just in case one or two get deleted).

  8. 8
    avatar
    Rating: ? | hack     Feb 9th, 2008 at 4:32 am

    no its return the same code

  9. 9
    avatar
    Rating: ? | Daniel     Apr 27th, 2008 at 7:29 pm

    Hi can anyone decode this for me

    Please reply back to NUTTYKEITH@GOOGLEMAIL.COM thanks

  10. 10
    avatar
    Rating: 5 | Hacker Identified, BEWARE !     May 23rd, 2008 at 9:02 am

    The post from the bloke above, calling himself DANIEL is a known hacker.

    Don't give him any information, he's stolen from a LOT of people.
    He's known by many names / emails / etc

Leave a Reply

« Microsoft adCenter and Windows Live versus Google and Firefox?
Google AdSense versus Yahoo! Publisher Network »

About

The personal blog of Danilo Stern-Sapad aka Ariadoss. Featuring the general jabber and ostentatious prater of the self-proclaimed expert on all things analytical, critical, and technological.

Random Quote

Although the world is full of suffering, it is full also of the overcoming of it. My optimism, then, does not rest on the absence of evil, but on a glad belief in the preponderance of good and a willing effort always to cooperate with the good, that it may prevail.
Helen Keller
bubble

OK

Close
E-mail It