Reversing a PHP Script Dynamically and Statically

A reader sent me two PHP scripts because the PHP Converter program I wrote wasn't able to handle them. They are both similar, so I'll just work on one of them in this post. Here's what it looks like:

[Screenshot: 2014-07-11_01]

And this is what happens when you try to use PHP Converter:

[Screenshot: 2014-07-11_02]

Let’s reverse this script dynamically and then statically.

First, I'll just change the 'eval' keyword to 'echo', so the script prints the decoded layer instead of executing it.

[Screenshot: 2014-07-11_03]

And take a peek at what’s going on.

[Screenshot: 2014-07-11_04]

Yikes, this is a mess! At first I thought the PHP file had been corrupted somehow, but a closer look shows several PHP keywords in there. This is actually a pretty clever technique: the script decodes the odd-looking characters into PHP source, and that source is padded with long, seemingly random strings that are just variable names.

So I figured I would just write the output to a file and then change the 'eval' I noticed at the end of it to 'echo' as well.

[Screenshot: 2014-07-11_05]

Here’s the resulting file:

[Screenshot: 2014-07-11_06]

I'll make that quick change and run it again.

[Screenshot: 2014-07-11_07]

Cool, now we know what this script does!

Now let’s reverse this script statically.

Here's a new, fixed version of PHP Converter. I added a filter so it presents the result of the deobfuscation instead of stopping when it encounters characters it can't display; anything outside the alphanumeric range is shown as a neutral placeholder character.

[Screenshot: 2014-07-11_08]

I also added the ability to output the result in Base64 and/or to a file. With both options checked, you get a text file containing the result encoded in Base64, so the binary values are preserved.

[Screenshot: 2014-07-11_09]

Now I can convert this Base64-encoded string to text using Converter.

[Screenshot: 2014-07-11_10]

After cleaning this up, we can see that the section below XORs the blob with the decimal value 30, which is assigned to the first variable.

[Screenshot: 2014-07-11_11]

This time I'm going to convert the Base64-encoded string to hex instead.

[Screenshot: 2014-07-11_12]

Then I send the data to Converter's Key Search/Convert feature and set the values accordingly, in this case XOR with the single-byte key 30:

[Screenshot: 2014-07-11_13]

And I get this result. The junk at the top and bottom is what the surrounding plaintext (the decoder code that was never encoded) looks like after being XOR'd with the key, so I can ignore it.

[Screenshot: 2014-07-11_14]
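To show the static method as code rather than GUI clicks, here is an added Python example; it is not the post's PHP Converter or Converter code, and the blob it works on is constructed to mirror the layout the post describes (plaintext decoder code at the top and bottom, the real script XOR'd in the middle with the one-byte key 30). It also goes one step beyond the post by brute-forcing the key instead of reading it off the script, which is what you need when the key isn't sitting in the first variable. All function names, the sample payload and the stub text are mine.

```python
"""
Static recovery of a single-byte-XOR PHP layer, as in the post's second method.

Added example, not the post's tooling. The blob is CONSTRUCTED here: a plaintext
decoder stub wraps a payload XOR'd with a one-byte key (30 decimal, as in the post).
"""
import base64

KEY = 30  # the decimal XOR key the post found assigned to the first variable

# Constructed sample (not the reader's script): a harmless inner payload ...
SAMPLE_PAYLOAD = (b'<?php $msg = "decoded second layer"; echo $msg; '
                  b'function f($x) { return strrev($x); } echo f("constructed"); ?>')
# ... wrapped in a plaintext stub standing in for the decoder that calls eval().
STUB_HEAD = b'<?php $k=30;$d=""; /* constructed decoder stub */ '
STUB_TAIL = b' eval($d); ?>'


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    call both hides and recovers the payload."""
    return bytes(b ^ key for b in data)


def build_sample_blob_b64() -> str:
    """Build the constructed blob and return it Base64-encoded, the form in
    which PHP Converter (per the post) writes results so binary bytes survive."""
    blob = STUB_HEAD + xor_bytes(SAMPLE_PAYLOAD, KEY) + STUB_TAIL
    return base64.b64encode(blob).decode("ascii")


def neutralize(data: bytes, placeholder: str = ".") -> str:
    """Render a blob without choking on binary bytes: anything outside printable
    ASCII becomes a neutral placeholder, like the filter the post added."""
    return "".join(chr(b) if 32 <= b < 127 else placeholder for b in data)


# Multi-byte PHP tokens only; short tokens would match junk by accident.
PHP_MARKERS = (b"<?php", b"eval(", b"echo ", b"function", b"return")


def score_plaintext(candidate: bytes) -> int:
    """'Looks like PHP' score: printable-ASCII count plus a bonus per PHP token.
    Keys below 32 leave most printable bytes printable (bits 5 and 6 untouched),
    so the token bonus, not the printable count, singles out the right key."""
    printable = sum(1 for b in candidate if 32 <= b < 127 or b in (9, 10, 13))
    bonus = 50 * sum(1 for m in PHP_MARKERS if m in candidate)
    return printable + bonus


def search_xor_key(blob: bytes, skip_identity: bool = True) -> int:
    """Try every single-byte key and return the one whose output scores highest.
    Key 0 is skipped by default since it just returns the blob unchanged."""
    best_key, best_score = -1, -1
    for k in range(1 if skip_identity else 0, 256):
        s = score_plaintext(xor_bytes(blob, k))
        if s > best_score:
            best_key, best_score = k, s
    return best_key


def recover_payload(blob: bytes, key: int) -> bytes:
    """XOR the whole blob, then keep only the PHP region. The plaintext stub at
    the top and bottom turns into junk under the key and is dropped; that is the
    'junk at the top and bottom' the post ignores."""
    decoded = xor_bytes(blob, key)
    start = decoded.find(b"<?php")
    end = decoded.find(b"?>", start) if start != -1 else -1
    if start == -1 or end == -1:
        raise ValueError("no PHP open/close tags in XOR output; wrong key?")
    return decoded[start:end + 2]


def run_static_recovery(b64_text: str) -> dict:
    """Full static pipeline: Base64 -> bytes -> hex view -> key search -> XOR -> payload."""
    blob = base64.b64decode(b64_text)
    key = search_xor_key(blob)
    return {
        "hex": blob.hex(),             # what the post fed to Key Search/Convert
        "preview": neutralize(blob),   # readable view of the raw layer
        "key": key,
        "payload": recover_payload(blob, key),
    }


if __name__ == "__main__":
    result = run_static_recovery(build_sample_blob_b64())
    print("raw layer:", result["preview"])
    print("key found:", result["key"])
    print("payload:", result["payload"].decode())
```

The scoring is deliberately token-based: with a key this small, XOR'd text stays mostly printable, so counting printable bytes alone cannot tell key 30 from key 29. On a real sample, extend `PHP_MARKERS` with tokens you expect in the decoded layer (for instance `base64_decode(` or `gzinflate(`) before trusting the search result.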

There are other ways to get to the final result, but I think these two methods are straightforward and quick.

The updated version of PHP Converter can be downloaded here.

Posted in Malscript, Tools.