This is sort of a supplement to the the blog post I made with the PHP snippet on decoding code encrypted via eval(gzinflate(base64_decode(’encoded text‘))); over at:
Decoding eval gzinflate base64_decode
The following code snippet is a simple PHP class found at the post by macosbrain entitled Decode Function: eval gzinflate base64_decode str_rot13
Contrary to this post’s title, the class is cabable of decoding the following functions that are commonly used for protecting PHP code:
- eval(gzinflate(base64_decode(
- eval(gzinflate(str_rot13(base64_decode(
- eval(gzinflate(base64_decode(base64_decode(str_rot13(
- eval(gzinflate(base64_decode(str_rot13(
<?php
/*
This code was taken from http://wordpress.macosbrain.com/2006/08/17/decode-function-eval-gzinflate-base64_decode-str_rot13/
Directions:
1. Save this code to a PHP file (e.g. decode.php)
2. Copy the encoded PHP code and place it in encoded.php
3. Execute this script by visiting decode.php in your browser
4. You will be prompted to download the decrypted file (e.g. decode_test.php)
Notice:
Do not use this to violate copyright. This is intended for educational and security purposes only.
*/
class decode
{
function __construct($file)
{
$this->org_data = file_get_contents($file);
$this->result = $this->org_data;
$this->done = false;
$this->file = $file;
}
function strip_php_tags($str)
{
$str_del = Array('');
return str_replace($str_del,'',$str);
}
function strip_what_to_execute()
{
$possible_code = substr($this->result,0,strpos($this->result,"'"));
$possible_code_end = strrpos($this->result,"'");
if($this->test_possible_code($possible_code) && count($this->execute)> 0)
{
$possible_code_start = strlen($possible_code)+1;
$this->result = substr($this->result,$possible_code_start,$possible_code_end-$possible_code_start);
}
}
function clean_string($str)
{
$str = trim($str,"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f");
$str = trim($str,"\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff");
$str = trim($str);
return $str;
}
function test_possible_code($str)
{
$str = $this->clean_string($this->strip_php_tags($str));
//echo $str."\n";
$functions = explode('(',$str);
$this->execute = array();
if(!in_array('eval',$functions))
{
$this->done = true;
return false;
}
foreach($functions as $function)
{
if($function!='' && $function!='eval')
{
if(!function_exists($function))
$this->error('sorry but i can not access the function:"'.$function.'"');
else
$this->execute[] = $function;
}
}
return true;
}
function execute()
{
$cmd_str = '';
$cmd_end = '';
foreach($this->execute as $cmd)
{
$cmd_str .= $cmd.'(';
$cmd_end .= ')';
}
$eval = $cmd_str."'".$this->result."'".$cmd_end;
eval ("\$this->result = ".$eval.";");
}
function error($msg)
{
die($msg);
}
function decode()
{
$this->strip_what_to_execute();
if($this->done==false && count($this->execute)> 0)
{
$this->execute();
$this->decode();
}
else
{
//i think this is the "decrypted", you may see two little errors, correct them.
$this->download();
}
}
function download()
{
header('Content-Disposition: attachment; filename="decrypted_'.$this->file.'"');
header('Content-Type: application/php');
header('Content-Length: '.strlen($this->result));
die($this->result);
}
}
//put your encoded PHP code in encoded.php
$decode = new decode('encoded.php');
$decode->decode();
?>
If you do manage to decode something with this class please leave a comment, if you have any issues please leave a reply here or comment on the author’s original post. Please note that I have received permission from macosbrain to include his class in this article.
About
Feb 19, 2007
Hi!
I tried to decode shell that some hackers left on my website. It’s VERY IMPORTANT for me to decode it.
I have this error on localhost:
=========================
Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 29
Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 29
Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 30
Notice: Undefined property: file in z:\home\localhost\www\dec\decrypt2.php on line 105
Warning: Cannot modify header information – headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 105
Warning: Cannot modify header information – headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 106
Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 107
Warning: Cannot modify header information – headers already sent by (output started at z:\home\localhost\www\dec\decrypt2.php:29) in z:\home\localhost\www\dec\decrypt2.php on line 107
Notice: Undefined property: result in z:\home\localhost\www\dec\decrypt2.php on line 108
=========================
Then I created “.htaccess” file containing “php_value error_reporting 7″ string and script seems to start working but size of downloaded file is 0
Can you help me?
Best regards,
timsky