Obfuscated PHP code: one big eval()
- Base64 encoding
- Encoding strings into hexadecimal and octal values
- Assigning functions to variables
- Multiple calls to eval()
This code can be deobfuscated by hand, but it takes multiple iterations and is time-consuming. Fortunately, Stefan Esser wrote evalhook to make deobfuscation easier. His article about the tool describes how it works. Basically, it is a PHP extension that hooks the eval() function and shows the code that is handed to it, layer by layer.
There are no instructions for compiling the source code, so it took me a little while to work out the steps needed to build it on CentOS 5. Here are basic instructions to compile the code.
First, you need:
- PHP >= v5.2
- php-devel
- PHP Zend Optimizer
Then, run these commands:
tar xvfz evalhook-0.1.tar.gz
cd evalhook
phpize
./configure
make
sudo make install
Now, you can use the evalhook library to deobfuscate PHP files, as described in the original article:
$ php -d extension=evalhook.so encoded_script.php
The only inconvenience I had to deal with when using evalhook was that the resulting code still contains strings encoded as hexadecimal and octal escape sequences. So I wrote a small (and ugly!) Perl script to convert these strings into ASCII. Download strings.pl if you're interested in using it.
perl strings.pl source.php target.php
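As an added example (my own code, not Julien's strings.pl and not part of evalhook), here is a Python equivalent of that last step: it decodes hexadecimal and octal escapes in double-quoted PHP literals, and also statically undoes two of the tricks listed above, function names stored in variables and base64 literals passed to base64_decode(). The sample PHP is constructed for illustration.

```python
import base64
import re

# Constructed sample in the style the post describes (hex and octal escaped
# strings, a function name held in a variable, base64 inside eval); not real malware.
SAMPLE = r'''<?php
$a = "\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65";
$b = "\163\164\162\137\162\157\164\61\63";
eval($a("ZWNobyAnaGVsbG8nOw=="));
'''

SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'f': '\f', '\\': '\\', '$': '$', '"': '"'}
ESC_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvf\\$"])')
DQ_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted literal (single quotes escape differently)

def decode_php_escapes(body):
    """Resolve PHP double-quoted escape sequences (\\xHH, \\NNN octal, \\n, \\$, ...)."""
    def sub(m):
        e = m.group(1)
        if e[0] == 'x':
            return chr(int(e[1:], 16))
        if e[0] in '01234567':
            return chr(int(e, 8) & 0xFF)  # PHP keeps only the low byte of \400-\777
        return SIMPLE[e]
    return ESC_RE.sub(sub, body)

def to_php_literal(text):
    """Re-emit decoded text as a readable double-quoted PHP literal body."""
    return ''.join('\\' + c if c in '\\"$' else c if ' ' <= c <= '~' else '\\x%02x' % ord(c)
                   for c in text)

def deobfuscate(src):
    """Static pass: clear-text strings, $var() aliases resolved, base64 literals folded."""
    src = DQ_RE.sub(lambda m: '"%s"' % to_php_literal(decode_php_escapes(m.group(1))), src)
    # $a = "func"; ... $a(  ->  func(   (the "function assigned to a variable" trick)
    for var, name in re.findall(r'(\$\w+)\s*=\s*"(\w+)";', src):
        src = re.sub(re.escape(var) + r'\(', name + '(', src)
    def fold(m):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode('ascii')
        except (ValueError, UnicodeDecodeError):
            return m.group(0)  # not valid base64 or not text: leave the call as-is
        return '"%s"' % to_php_literal(text)
    return re.sub(r'base64_decode\(\s*"([A-Za-z0-9+/=]+)"\s*\)', fold, src)

if __name__ == '__main__':
    print(deobfuscate(SAMPLE))
```

Run it on a file that has already been through evalhook; anything still hidden behind a runtime eval() layer is left for evalhook, this pass only handles what is visible statically.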
-- Julien
3 comments:
How to use this extension with EasyPHP (Windows)?
Thank you for the detailed tutorial, I learned a few things from it :-)
my question: would it work with ioncube encrypted files?
Kal
This works on any PHP code that does not rely on external libraries for the obfuscation. Ioncube relies on an external library for the decoding, so the technique does not work.