Decoding eval gzinflate base64_decode str_rot13
This is a supplement to the PHP snippet I shared describing how to decode code obfuscated using eval(gzinflate(base64_decode(‘encoded text‘))); and was originally posted on my Tangential Musings blog back in November 2006.
The following code snippet is a simple PHP class found at the post by macosbrain entitled, “Decode Function: eval gzinflate base64_decode str_rot13.”
Contrary to this post’s title, the class is capable of decoding the following functions that are commonly used for obfuscating PHP code:
- eval(gzinflate(base64_decode(
- eval(gzinflate(str_rot13(base64_decode(
- eval(gzinflate(base64_decode(base64_decode(str_rot13(
- eval(gzinflate(base64_decode(str_rot13(
Prior to decoding something with this script make sure to remove any comments or code that’s not encoded (i.e. not obfuscated and readable) otherwise it won’t work.
<?php
/*
This code was taken from http://wordpress.macosbrain.com/2006/08/17/decode-function-eval-gzinflate-base64_decode-str_rot13/Directions:
1. Save this code to a PHP file (e.g. decode.php)
2. Copy the encoded PHP code and place it in encoded.php
3. Execute this script by visiting decode.php in your browser
4. You will be prompted to download the decrypted file (e.g. decode_test.php)Notice:
Do not use this to violate copyright. This is intended for educational and security purposes only.
*/class decode
{ function __construct($file) { $this->org_data = file_get_contents($file); $this->result = $this->org_data; $this->done = false; $this->file = $file; }function strip_php_tags($str) { $str_del = Array(‘’); return str_replace($str_del,’’,$str); }function strip_what_to_execute() { $possible_code = substr($this->result,0,strpos($this->result,”’”)); $possible_code_end = strrpos($this->result,”’”); if($this->test_possible_code($possible_code) && count($this->execute)> 0) { $possible_code_start = strlen($possible_code)+1; $this->result = substr($this->result,$possible_code_start,$possible_code_end-$possible_code_start); } }function clean_string($str) { $str = trim($str,”\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f”); $str = trim($str,”\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff”); $str = trim($str); return $str; }function test_possible_code($str) { $str = $this->clean_string($this->strip_php_tags($str)); //echo $str.”\n”; $functions = explode(‘(‘,$str); $this->execute = array(); if(!in_array(‘eval’,$functions)) { $this->done = true; return false; } foreach($functions as $function) { if($function!=’’ && $function!=’eval’) { if(!function_exists($function)) $this->error(‘sorry but i can not access the function:”’.$function.’”’); else $this->execute[] = $function; } } return true; }function execute() { $cmd_str = ‘’; $cmd_end = ‘’; foreach($this->execute as $cmd) { $cmd_str .= $cmd.’(‘; $cmd_end .= ‘)’; } $eval = $cmd_str.”’”.$this->result.”’”.$cmd_end; eval (“\$this->result = “.$eval.”;”); }function error($msg) { die($msg); }function decode() { $this->strip_what_to_execute(); if($this->done==false && count($this->execute)> 0) { $this->execute(); $this->decode(); } else { //i think this is the “decrypted”, you may see two little errors, correct them. $this->download(); } }function download() { header(‘Content-Disposition: attachment; filename=”decrypted_’.$this->file.’”’); header(‘Content-Type: application/php’); header(‘Content-Length: ‘.strlen($this->result)); die($this->result); }
}//put your encoded PHP code in encoded.php
$decode = new decode(‘encoded.php’);
$decode->decode();
?>
If you do manage to decode something with this class please leave a comment, if you have any issues please leave a reply here or comment on the author’s original post. Please note that I have received permission from macosbrain to include his class in this article.
Originally published at http://danilo.ariadoss.com on November 10, 2006.