Deobfuscating PHP Scripts

Occasionally people send me PHP scripts to help them analyze it. Most of the time, it's simply unescaping the script and finding the right variable to echo. I got two tricky ones within the past couple of months and finally got around to writing a program to quickly deobfuscate them. These scripts represent obfuscation methods that make it difficult to read them but they don't employ character rotation, XOR, base64, etc. I'm not sure if there's an easier way to do this; if there is, I'd like to hear about it.

I already wrote a tool to handle an older variety of this method and I decided to add functionality to handle the newer ones. I also added a pretty basic (crappy) beautifier and making this available as a separate download (I think I'll add this to Converter later).

Method 1 - Array Search/Replace

This script uses an array of base64-encoded strings. The second part of the script references specific values from the array. The obfuscated script looks like this:

The idea is to first base64-decode the strings and load them into an array. Loop through the array and replace the calling variables with the actual values.

You should concatenate the strings first. I use Converter but even Notepad will do.

Then you need to base64-decode the strings. Again I'm using Converter.

Using the PHP Script Decoder tool, I paste the result from above to the "Lookup Array" box. I paste the obfuscated script to the input box. When you choose the Array method you have to enter a delimiter (in this case the comma is used) and the search string. The search string is the variable you wish to replace with the value. In this case I enter "_449578015(#)". The pound sign is a placeholder which the tool needs.

Here's what it looks like. Now the deobfuscated script is much easier to figure out.

If you want to beautify the script, click on the "Copy Output to Input" button then click on the "Beautify" button.

The result is a simple and rough cleanup of the script.

Method 2 - Random Variables

This script uses randomize variable names and assigns a value to it. The later portion references the value. Here's what this looks like:

The tool will parse the script and load each variable and associated value into an array. It then does a search for the variable and replaces it with the value.

I just paste the entire script in the input box and choose the "random vars" option. The delimiter for this script is a semi-colon and for the search string I enter ${"GLOBALS"}["#"]="*"; The pound sign is a placeholder for the variable name and the asterisk is the placeholder for the value.

Here's the result:

Method 3 - Key Lookup

This script uses a lookup array to build the values for its variables. Each character in this string is loaded into an array:

",`TD[r)Ej|4*^QXOK\t: @.tl#2%\\L\r_R-~b=Z7zaV{]S+'Gio>gd058up6C!HkwxmvN?nJI(\"FMWc3hYs\$&;\nBA<U}/ef9Pqy1"

The script concatenates each character of the value and assigns it to a variable. The tool again does a search and replace of each character. You can optionally concatenate the result. For this particular script, you then need to use the second method and replace the variable name with the value.

Here we go...the first step I do is paste the entire script in the input box and choose the key lookup option. The delimiter is irrelevant. I use $f9[#] as the search string. In the lookup key box I need to paste the key with the starting and ending quotes. The tool will unescape the value so you don't have to do it yourself.

You can see that the strings should be concatenated so I check the box and click on Convert again.

Now I click on the "Copy Output to Input" button and choose the random vars option. I leave the delimiter to semi-colon and use $GLOBALS['#'] = '*'; as my search string.

Ah, much more readable! By the way, you may have seen this on several compromised sites as the output looks something like this:

Linux10+cfcd208495d565ef66e7dff9f98764da

-or-

WINNT20+cfcd208495d565ef66e7dff9f98764da

This script is essentially an emailer.

You can find this program on the Tools page.

Posted on: 06/01/2014