|Obfuscated PHP code: one big eval()|
- Base64 encoding
- Encoding strings into hexadecimal and octal values
- Assigning functions to variables
- Multiple calls to eval()
This code can be deobfuscated by hand, but it takes multiple iterations and can be time-consuming. Fortunately, Steffan Esser wrote evalhook to make deobfuscation easier. His article about the tool describes how it works. Basically, it is a library used with PHP to render code that is executed by the eval() function.
There are no instructions for compiling the source code, so it took me a little bit of time to understand all the necessary steps to use the code on CentOS5. Here are basic instructions to compile the code.
First, you need:
- PHP >= v5.2
- PHP Zend Optimizer
Then, run these commands:
tar xvfz evalhook-0.1.tar.gz cd evalhook phpize ./configure make sudo make install
Now, you can use the evahlhook library to deobfuscate PHP files, as described in the original article:
$ php -d extension=evalhook.so encoded_script.php
The only inconvenience I had to deal with when using evalhook, was that the resulting code still has strings encoded with hexadecimal and octal. So I wrote a small (and ugly!) Perl script to parse these strings into ASCII. Download strings.pl if you're interested in using it.
perl strings.pl source.php target.php