eval gzinflate base64_decode str_rot13 part 2

Oktober 19th, 2006 by admin

on all my servers the php configuration value short_open_tag is disabled. that means i must write < ?php and can not use the short < ? to open the php session. another fact is "quote from php.net/eval):

eval() is used to protect (read: hide) source code. A well known way to encrypt some php code is security through obscurity. Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.

the most of these protected scripts use the short version to open php. so i can not execute them. therefor i coded a little function that deals with the problem. but the old function just decrypt "gzinflate(str_rot13(base64_decode(.....)))" and "gzinflate(base64_decode(...))" that is crap an does not work on most scripts (see comments). now i coded a whole class that deals with this problem. the class can recursive "decrypt" these scripts and let you download the original source code. i tested the class with scripts that are protected with the following functions (of couse recursive).

PLAIN TEXT
PHP:

note: the class is really easy to use. look at the source and you know how.

note2: please do not edit the class and ask for help if you get any error (see comments).

note3: THIS IS IMPORTANT -> do NOT use the class to break any license,law or copyright.

the last note: check the decrypted source code and you will see 2 little errors. correct them and you are done.

PLAIN TEXT
PHP:
  1. class decode
  2. {
  3. function __construct($file)
  4. {
  5. $this->org_data = file_get_contents($file);
  6. $this->result = $this->org_data;
  7. $this->done = false;
  8. $this->file = $file;
  9. }
  10.  
  11. function strip_php_tags($str)
  12. {
  13. $str_del = Array('');
  14. return str_replace($str_del,'',$str);
  15. }
  16.  
  17. function strip_what_to_execute()
  18. {
  19. $possible_code = substr($this->result,0,strpos($this->result,"'"));
  20. $possible_code_end = strrpos($this->result,"'");
  21. if($this->test_possible_code($possible_code) && count($this->execute)> 0)
  22. {
  23. $possible_code_start = strlen($possible_code)+1;
  24. $this->result = substr($this->result,$possible_code_start,$possible_code_end-$possible_code_start);
  25. }
  26. }
  27.  
  28. function clean_string($str)
  29. {
  30. $str = trim($str,"\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f");
  31. $str = trim($str,"\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff");
  32. $str = trim($str);
  33. return $str;
  34. }
  35.  
  36. function test_possible_code($str)
  37. {
  38. $str = $this->clean_string($this->strip_php_tags($str));
  39. //echo $str."\n";
  40. $functions = explode('(',$str);
  41. $this->execute = array();
  42. if(!in_array('eval',$functions))
  43. {
  44. $this->done = true;
  45. return false;
  46. }
  47. foreach($functions as $function)
  48. {
  49. if($function!='' && $function!='eval')
  50. {
  51. if(!function_exists($function))
  52. $this->error('sorry but i can not access the function:"'.$function.'"');
  53. else
  54. $this->execute[] = $function;
  55. }
  56. }
  57. return true;
  58. }
  59.  
  60. function execute()
  61. {
  62. $cmd_str = '';
  63. $cmd_end = '';
  64. foreach($this->execute as $cmd)
  65. {
  66. $cmd_str .= $cmd.'(';
  67. $cmd_end .= ')';
  68. }
  69. $eval = $cmd_str."'".$this->result."'".$cmd_end;
  70. eval ("\$this->result = ".$eval.";");
  71. }
  72.  
  73. function error($msg)
  74. {
  75. die($msg);
  76. }
  77.  
  78. function decode()
  79. {
  80. $this->strip_what_to_execute();
  81. if($this->done==false && count($this->execute)> 0)
  82. {
  83. $this->execute();
  84. $this->decode();
  85. }
  86. else
  87. {
  88. //i think this is the "decrypted"
  89. $this->download();
  90. }
  91. }
  92.  
  93. function download()
  94. {
  95. header('Content-Disposition: attachment; filename="decrypted_'.$this->file.'"');
  96. header('Content-Type: application/php');
  97. header('Content-Length: '.strlen($this->result));
  98. die($this->result);
  99. }
  100. }
  101. $decode = new decode('test.php');
  102. $decode->decode();

Posted in coding, php |

38 Responses

  1. Pham Tung Says:
    Dezember 27th, 2006 at 21:54

    I run it and download a file with no content. Anyone can help me. Thanks a lot :)

  2. admin Says:
    Dezember 28th, 2006 at 12:27

    please mail me your code. maybe i can help you.

  3. World8X Says:
    Dezember 30th, 2006 at 13:48

    Please help me decode this code below:

  4. hkhot Says:
    Januar 1st, 2007 at 11:03

    I also have the same problem.
    I run it and download a file with no content.

  5. admin Says:
    Januar 1st, 2007 at 14:27

    ok for all who use this script.

    it is important to place your encoded script in the same directory as my decoder script.
    then change line 101:
    $decode = new decode(’test.php’); // test.php is your encoded script

    thats it. still problems? -> mail me the code.

  6. simon Says:
    Januar 5th, 2007 at 08:36

    but i still download a file with no content :(
    this is my test.php:

  7. hkhot Says:
    Januar 5th, 2007 at 15:26

    Hello ,
    I have e-mail my code to you.
    Also, could you tell me what server configure you used.
    Thanks

  8. admin Says:
    Januar 6th, 2007 at 20:02

    it does not matter what server config you use.

    PHP 5 -> this is important.

  9. admin Says:
    Januar 18th, 2007 at 17:33

    it ist really easy to decode a script but you have to remove all unnecessary code.
    the encoded script sould look like this:

    < ? eval(gzinflate(str_rot13(base64_decode('***********)))); ?>

    there are no comments and no “normal” codeblocks.
    if you use the script this way it sould work fine.

  10. just Says:
    Januar 19th, 2007 at 20:21

    Admin need your email, the code is this:

  11. just Says:
    Januar 19th, 2007 at 20:22

    give me your email plz and i mail you mi code, thanks!

  12. Decoding eval gzinflate base64_decode str_rot13 | Tangential Musings Says:
    Januar 20th, 2007 at 00:55

    […] The following code snippet is a simple PHP class found at the postby macosbrain entitled DecodeFunction: eval gzinflate base64_decode str_rot13 […]

  13. just Says:
    Januar 20th, 2007 at 12:23

    admin, plz give me your email

  14. admin Says:
    Januar 20th, 2007 at 13:11

    ebg2 @ macosbrain dot com

  15. justcause Says:
    Januar 22nd, 2007 at 22:22

    Well it’s not warking on this encoded data:

    JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCc3Q…..

    I would appreciate any help. 10x!

  16. need-help Says:
    Januar 28th, 2007 at 07:45

    I am running the script, and the result file just spits out the code I am trying to decrypt.

    Any suggestions are appreciated!

    Thanks for publishing the script :)

  17. admin Says:
    Januar 31st, 2007 at 18:09

    please do not post any code here.
    second if you try to decode and the result ist the same. please look at comment nr. 14

  18. macosbrain » self modifying php script Says:
    Februar 1st, 2007 at 16:57

    […] my previous post i released a class which “decrypt” php scripts that hide source code with special functions like eval, gzinflate, […]

  19. admin Says:
    Februar 3rd, 2007 at 12:11

    once again.
    I DO NOT SUPPORT ANY ILLEGAL ACTIONS.
    I DO NOT HELP YOU TO CRACK PROTECTIONS IN PHP SCRIPTS!

  20. admin Says:
    Februar 7th, 2007 at 21:41

    i got a lot of email with the request to decode a script from http://www.uploadscript.net(UPLOADSCRIPT v1.02)

    i take a quick look at the source and i give you one serious advice -> look for another upload script.
    here is a list with security related “bugs” in the upload script:
    phpinfo.php -> really bad
    *.txt -> bad too - because everyone can read it and got access to your data
    storagedata -> directory is unprotected

  21. Chester Says:
    Februar 13th, 2007 at 08:10

    well what file uploader do you recommand tho?

  22. admin Says:
    Februar 14th, 2007 at 18:21

    good question.
    i have no answer. but i know if i need an upload script i would not use UPLOADSCRIPT, because of its massive seurity bugs.

  23. deniz Says:
    Mai 27th, 2007 at 22:27

    I used this function but i wont work for me.. It give me decrypt_test.php with same contents of encoded data..

    ie:
    test.php (encoded)

    decrypted_test.php (decoded)

  24. deniz Says:
    Mai 27th, 2007 at 22:28

    test.php encoded
    eval(gzinflate(str_rot13(base64_decode(’HZzHYcRDZVJ/cmkzAy6YE3lrw….’);

    decrypted_test.php (decoded)
    eval(gzinflate(str_rot13(base64_decode(’HZzHYcRDZVJ/cmkzAy6YE3lrw….’);

  25. admin Says:
    Mai 28th, 2007 at 17:51

    it works fine just. please have a look at comment 9
    http://wordpress.macosbrain.com/2006/10/19/eval-gzinflate-base64_decode-str_rot13-part-2/#comment-1733

  26. ravi Says:
    Juli 17th, 2007 at 22:41

    i tried to contact upload script owner but no reply

    can you just check if this code you can decode or not..

    i dont want to violate terms of uploadscript .. i will keep copyright of them.. but he is not answering and i need to make few changes in script

    let me know if you can help me

  27. ravi Says:
    Juli 17th, 2007 at 22:42

    here is the code

    FZrHDoTIG………./76669//uPv//zr7/8B

    edit: what is that??? what should i do with this code ????

  28. x0kster Says:
    August 16th, 2007 at 12:06

    hey script doesn’t work!!
    the file decrypted_test.php is the same of test.php!
    and the code of test.php is like :

  29. admin Says:
    August 16th, 2007 at 19:12

    the script works fine. please look at your source code an delete all comments.

  30. david Says:
    September 22nd, 2007 at 02:39

    I deciphered a peice of code that was already encoded with any other type of encryption, can you take a look at it for me?
    Here is a sample of the code:
    ”5²Å¶·2Þt‡ 1Å·Ä,]18bfÖêÿsWu²²¼ÒáŸúk§jHòŸ,ÝKû_QæsQü×ÌRXwÃKüE=×–={(G®

  31. admin Says:
    September 23rd, 2007 at 11:58

    if you got any trouble with the decryption please mail me the whole php file to ebg2 at macosbrain dot com

  32. Abdul Says:
    Oktober 7th, 2007 at 20:19

    Hi

    I would like to know if I can use this to encrypt the source of a php script.

    I want to make it so that the code of the php file is all encrypted.

    Does this do it?

    Can you please say how too?

    Thanks

  33. Haryanahome.info Says:
    Februar 24th, 2008 at 12:05

    Dear macosbrain & team,
    I have come with multi string eval base decoder.just have a look http://haryanahome.info/forum/showthread.php?t=4 and paste the code here
    http://haryanahome.info gives you something new
    Jai Haryana Jai Bharat

  34. Haryanahome.info Says:
    Februar 24th, 2008 at 13:12

    Am i not allowed to post codes here ? My posts being blocked plz get this code from and paste it here http://haryanahome.info/showthread.php?t=3
    Note: I am not author of this script. credit goes to Jurgan(the mastermind).I have just made it easy and compitable with all PHP

  35. Haryanahome.info Says:
    Februar 24th, 2008 at 13:25

    Sorry above url is mispelled its http://haryanahome.info/forum/showthread.php?t=3

  36. admin Says:
    Februar 24th, 2008 at 13:25

    yes this is right. phpids does a very good job :-)

    please mail me the sourcecode.

  37. Steve Says:
    Mai 6th, 2008 at 17:53

    can’t execute your script
    Parse error: syntax error, unexpected T_CLASS in /home/user/public_html/decode.php on line 3

  38. admin Says:
    Mai 8th, 2008 at 17:06

    which php version do you use?

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.