Page 1 of 1

Obfuscated PHP code

Posted: Wed Apr 05, 2006 11:38 am
by jimbanks
Could someone please tell me some ideas on how to decrypt this......

I tried the classic tricks (replace "eval" with "echo") but it's probably nested...
and I think the base64 encoded stuff is encrypted ( I can see something
like this: $a ^ $b ....XOR).....

but it works (no parsing errors), so it can be decrypted...

Code: Select all

<?php
$z01010011000000111110="z01010011000000111110";
function z010010001001010($z010010001010,$z010010001010111){$z010010001010111=md5($z010010001010111);$z010010011=0;$z0101110000011010011="";for($z01011111010011=0;$z01011111010011<strlen($z010010001010);$z01011111010011++){if($z010010011==strlen($z010010001010111))$z010010011=0;$z0101110000011010011.=substr($z010010001010,$z01011111010011,1)^substr($z010010001010111,$z010010011,1);$z010010011++;}return $z0101110000011010011;}function z01010011($z111110000110111111){return(gzinflate($z111110000110111111));}function z01010011001010010($z010010001010,$z01010011000000111110){$z010010001010=z010010001001010($z010010001010,$z01010011000000111110);$z0101110000011010011="";for($z01011111010011=0;$z01011111010011<strlen($z010010001010);$z01011111010011++){$z01001000101010101010=substr($z010010001010,$z01011111010011,1);$z01011111010011++;$z0101110000011010011.=(substr($z010010001010,$z01011111010011,1)^$z01001000101010101010);}return $z0101110000011010011;}function z0100100010100($z1000011110000110111111){return(base64_decode($z1000011110000110111111));}function z010111110100110($z111110101001111100000000110){return(eval($z111110101001111100000000110));}function z010100111111111111110($z0101001111100000000110){return(z01010011001010010(base64_decode($z0101001111100000000110),$z01010011000000111110));}z010111110100110(z01010011(z0100100010100(z010100111111111111110("
BxMGN1pNV0APMlEgVkwITVdKWhMHSgpaA10CZFc6DylSUQYLABwGGl1FVjsDAFQgXG1aBwJ8DEYAcgcMBkYOCQcgBhpaQFc4DyZRPFZRCH1XOVo2B2oKZgNAAm1XIw9pUikGIwA1BmhdR1YzA3xUZ1x6WnkCJAx7AHIHawZUDhsHbgYGWmRXOA8XUThWVQh4VzNaBgdeCj4DRgIMVxYPBFJrBh4AFwY9XUxWHwM9VDFcT1oCAmcMOQBWB2EGVA4UBw4GFFp2V3kPB1EHVlMIXFdbWiUHJQp7A2sCNVdjDyVSaQY7AGkGMV1mVhcDCVQGXEFaKAJJDD0APwcUBnIObgctBitaZVdtDyVRA1ZsCDxXWVo6B20KOQNRAhhXIA8bUk8GOgBpBhFddFY+AxpUOVxMWjwCewx4AFEHMAZQDh8HbwZrWk9XfQ8CUWdWUAh9V0haOAc2CjkDMgI9VyQPNlJnBjUAHQYKXWtWEAM2VGdcOFpnAiQMRAA1BxQGaQ42BzoGN1pqV34PPlFkVkIIeVd7WiQHSQpRA2MCKFcHD2xSRgYEAAMGE10yViEDCVQnXEVaZAJtDHsAKQcPBjMOBAdvBjZaRFdED2JRHVZ/CG9XY1ozB2IKcwNOAglXPQ8oUkEGYAAuBh1dNFYDAwRUFlxHWiACagxFAGgHFAZVDjgHEgZqWnFXPQ8cUSZWMAhNVzhaGwdICn8DMgIJVzIPdlJgBiUANQYMXVpWPgMyVCpcZlo7Aj0MdABKBz0GOA4GBw0GP1pbVzwPK1EYVjYIa1dZWjkHXwpgA0MCMVcHD2RSMAYJAGIGKl13Vm4DElRkXDZaOAJfDE8ASQcSBmsOCgctBilae1dBDxlRN1ZTCHhXOFoxB2QKPQNAAmtXOA8aUikGBgAxBhRdSVZlAztUKlw3WiUCaAw8AGIHPQYxDjQHPgYgWjFXUA8HUTpWMQhpVzNaPwdpCl0DQwIsVwcPC1JwBjwAKwYSXWdWDgMdVH9cTVo0AnIMawBJB2kGSA4dBzQGNlpgV2cPaVE2Vn4IQFdEWj0HdApRA10CCVceDzFScgY1AD0GKV1WVjMDPlQWXGVaAAI6DE4AdwcVBkIOMgdnBh9aZ1djDwBRPVY2CGJXe1omB2MKOQN1AhZXFQ83UjAGYAAhBjddNlYQAxhUE1xBWjcCPAxXAGoHbQZWDjUHPAY7WmxXIQ9oUWZWSQh2V39aEQdnCkQDcAIZVzYPbFI1BjwAaQYiXWRWHQMEVDFcbVphAnMMOgBRBzYGdA4TBwAGZ1p0V3oPFlF6VlcIOldxWh0HdApFA2MCLlcdDxdSTwYUAGkGKV02Vh8DIlQ5XFlaZAI4DEAAVwcKBmYOOAccBgFaa1dbDzlRElZDCElXfloDB1wKbANmAglXIw8NUlgGAgATBhddSVZ9AyJUNlw4WhkCTgxjAE0HCgZnDiwHJAYjWm1XZg8rUWJWYAhhV3paawdMClIDSAIXVwIPJVJ2BhoALgYJXVpWFwMCVDJcY1oZAmMMYQA0BwgGdQ4vBzoGPlo1V2cPB1E8VnMIZFdoWhwHQApuA3ICNlcSDyxSRAY1AD8GOl1kVicDGFQIXFhaGQJpDGAAfgc2Bm0ONgcEBgVaaFdnDxpROlZLCGlXXFoqBzsKRwNnAhdXIA9kUm8GGQAiBg1dR1YgAwdUIlw2Wn0COAx3AD4HdgZQDgQHZQZ8WmdXJQ8DUQFWPghN"))));
?>

Posted: Wed Apr 05, 2006 11:51 am
by hawleyjr
You should probably layout the php code better. You're making it look like that is one large string when it is really one really poorly labeled group of functions and variables...

Code: Select all

$z01010011000000111110 ="z01010011000000111110";
	
	function z010010001001010($z010010001010,$z010010001010111){
		$z010010001010111 = md5($z010010001010111);
		$z010010011=0;
		$z0101110000011010011="";
		for($z01011111010011=0;$z01011111010011<strlen($z010010001010);$z01011111010011++){
			if($z010010011==strlen($z010010001010111))
				$z010010011=0;
			$z0101110000011010011.=substr($z010010001010,$z01011111010011,1)^substr($z010010001010111,$z010010011,1);
			$z010010011++;
		}
		return $z0101110000011010011;
	}
	function z01010011($z111110000110111111){
		return(gzinflate($z111110000110111111));
	}
	function z01010011001010010($z010010001010,$z01010011000000111110){
		$z010010001010=z010010001001010($z010010001010,$z01010011000000111110);
		$z0101110000011010011="";
		for($z01011111010011=0;$z01011111010011<strlen($z010010001010);$z01011111010011++){
			$z01001000101010101010=substr($z010010001010,$z01011111010011,1);
			$z01011111010011++;
			$z0101110000011010011.=(substr($z010010001010,$z01011111010011,1)^$z01001000101010101010);
		}
		return $z0101110000011010011;}
	function z0100100010100($z1000011110000110111111){
		return(base64_decode($z1000011110000110111111));
	}
	function z010111110100110($z111110101001111100000000110){
		return(eval($z111110101001111100000000110));
	}
	function z010100111111111111110($z0101001111100000000110){
		return(z01010011001010010(base64_decode($z0101001111100000000110),$z01010011000000111110));
	}
	z010111110100110(z01010011(z0100100010100(z010100111111111111110("BxMGN1pNV0APMlEgVkwITVdKWhMHSgpaA10CZFc6DylSUQYLABwGGl1FVjsDAFQgXG1aBwJ8DEYAcgcMBkYOCQcgBhpaQFc4DyZRPFZRCH1XOVo2B2oKZgNAAm1XIw9pUikGIwA1BmhdR1YzA3xUZ1x6WnkCJAx7AHIHawZUDhsHbgYGWmRXOA8XUThWVQh4VzNaBgdeCj4DRgIMVxYPBFJrBh4AFwY9XUxWHwM9VDFcT1oCAmcMOQBWB2EGVA4UBw4GFFp2V3kPB1EHVlMIXFdbWiUHJQp7A2sCNVdjDyVSaQY7AGkGMV1mVhcDCVQGXEFaKAJJDD0APwcUBnIObgctBitaZVdtDyVRA1ZsCDxXWVo6B20KOQNRAhhXIA8bUk8GOgBpBhFddFY+AxpUOVxMWjwCewx4AFEHMAZQDh8HbwZrWk9XfQ8CUWdWUAh9V0haOAc2CjkDMgI9VyQPNlJnBjUAHQYKXWtWEAM2VGdcOFpnAiQMRAA1BxQGaQ42BzoGN1pqV34PPlFkVkIIeVd7WiQHSQpRA2MCKFcHD2xSRgYEAAMGE10yViEDCVQnXEVaZAJtDHsAKQcPBjMOBAdvBjZaRFdED2JRHVZ/CG9XY1ozB2IKcwNOAglXPQ8oUkEGYAAuBh1dNFYDAwRUFlxHWiACagxFAGgHFAZVDjgHEgZqWnFXPQ8cUSZWMAhNVzhaGwdICn8DMgIJVzIPdlJgBiUANQYMXVpWPgMyVCpcZlo7Aj0MdABKBz0GOA4GBw0GP1pbVzwPK1EYVjYIa1dZWjkHXwpgA0MCMVcHD2RSMAYJAGIGKl13Vm4DElRkXDZaOAJfDE8ASQcSBmsOCgctBilae1dBDxlRN1ZTCHhXOFoxB2QKPQNAAmtXOA8aUikGBgAxBhRdSVZlAztUKlw3WiUCaAw8AGIHPQYxDjQHPgYgWjFXUA8HUTpWMQhpVzNaPwdpCl0DQwIsVwcPC1JwBjwAKwYSXWdWDgMdVH9cTVo0AnIMawBJB2kGSA4dBzQGNlpgV2cPaVE2Vn4IQFdEWj0HdApRA10CCVceDzFScgY1AD0GKV1WVjMDPlQWXGVaAAI6DE4AdwcVBkIOMgdnBh9aZ1djDwBRPVY2CGJXe1omB2MKOQN1AhZXFQ83UjAGYAAhBjddNlYQAxhUE1xBWjcCPAxXAGoHbQZWDjUHPAY7WmxXIQ9oUWZWSQh2V39aEQdnCkQDcAIZVzYPbFI1BjwAaQYiXWRWHQMEVDFcbVphAnMMOgBRBzYGdA4TBwAGZ1p0V3oPFlF6VlcIOldxWh0HdApFA2MCLlcdDxdSTwYUAGkGKV02Vh8DIlQ5XFlaZAI4DEAAVwcKBmYOOAccBgFaa1dbDzlRElZDCElXfloDB1wKbANmAglXIw8NUlgGAgATBhddSVZ9AyJUNlw4WhkCTgxjAE0HCgZnDiwHJAYjWm1XZg8rUWJWYAhhV3paawdMClIDSAIXVwIPJVJ2BhoALgYJXVpWFwMCVDJcY1oZAmMMYQA0BwgGdQ4vBzoGPlo1V2cPB1E8VnMIZFdoWhwHQApuA3ICNlcSDyxSRAY1AD8GOl1kVicDGFQIXFhaGQJpDGAAfgc2Bm0ONgcEBgVaaFdnDxpROlZLCGlXXFoqBzsKRwNnAhdXIA9kUm8GGQAiBg1dR1YgAwdUIlw2Wn0COAx3AD4HdgZQDgQHZQZ8WmdXJQ8DUQFWPghN"))));
NOTE: in all my years of programming I don't believe I've ever seen worse naming conventions...

Posted: Wed Apr 05, 2006 11:57 am
by neophyte
That's stupid! :lol: :lol: :lol: :lol:

Posted: Wed Apr 05, 2006 12:24 pm
by feyd
I'd write a little script to use the built-in tokenizer to rewrite the variables and function names to a bit more meaningful versions (alpha, beta, gamma maybe.) Then go from there..