-2

How can I rewrite each file into readable code?

For example, in the source code there are variables like this:

${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";

How can I convert that into readable code such as:

$somevariable = "somevalue";
9
  • That's obfuscated code, not UTF-8 related. Commented Nov 5, 2011 at 13:29
  • 1
    That sounds like obfuscated source code to me - someone explicitly doesn't want you to do this. If you insist on reverse engineering this, Tokenizer is probably the way forward... Commented Nov 5, 2011 at 13:30
  • $GLOBALS["yardspq"] = "value"; isn't much better, really. You can simply replace all occurrences of \xNN with chr(NN), but even if you do that, you still won't have a very readable script. Commented Nov 5, 2011 at 13:33
  • @Radu the files aren't that big. Refactoring should be a breeze, really. Commented Nov 5, 2011 at 13:35
  • Hmm, there may be legal implications regarding this. If you've accepted a license agreement for web-based software you've purchased, then reverse-engineering may go against that. Commented Nov 5, 2011 at 13:39

5 Answers 5

5

Just replace all occurrences of \xNN with chr(NN). For example:

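$source = file_get_contents('obfuscated_source.php');
// Match a literal backslash, "x" and exactly two hex digits (e.g. \x47).
// The pattern needs four backslashes: '/\\x(..)/' reaches PCRE as \x(..),
// which is a hex escape in the regex itself, not a literal backslash.
if (preg_match_all('/\\\\x([0-9a-fA-F]{2})/', $source, $matches)) {
    for ($i = 0, $len = count($matches[0]); $i < $len; ++$i) {
        // Replace the escape sequence with the character it encodes.
        $source = str_replace($matches[0][$i], chr(hexdec($matches[1][$i])), $source);
    }
}
file_put_contents('source.php', $source);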
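
An added example, not part of the original answers: a decoder built on PHP's Tokenizer (suggested in the comments) that decodes escapes only inside double-quoted literals, re-emits them single-quoted so a decoded `$`, `"` or `\` cannot alter the code, and collapses `${'NAME'}` to `$NAME`. The function names `decode_php_escapes` and `deobfuscate` and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the original answers; function names are hypothetical.

// Decode the escapes PHP honours in a double-quoted literal (hex, octal and the
// single-character ones); \u{...} is left untouched.
function decode_php_escapes(string $body): string
{
    $simple = ['n' => "\n", 't' => "\t", 'r' => "\r", 'v' => "\v", 'e' => "\e",
               'f' => "\f", '\\' => '\\', '$' => '$', '"' => '"'];
    return preg_replace_callback(
        '/\\\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[ntrvef\\\\$"])/',
        function (array $m) use ($simple): string {
            if ($m[1][0] === 'x') {
                return chr(hexdec(substr($m[1], 1)));
            }
            return $simple[$m[1]] ?? chr(octdec($m[1]) & 0xFF);
        },
        $body
    );
}

function deobfuscate(string $source): string
{
    $parts = [];
    foreach (token_get_all($source) as $tok) {
        $text = is_array($tok) ? $tok[1] : $tok;
        if (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING && $text[0] === '"') {
            // Re-emit single-quoted so a decoded $, " or \ cannot change the code.
            $text = var_export(decode_php_escapes(substr($text, 1, -1)), true);
        }
        $n = count($parts);
        if ($text === '}' && $n >= 3 && $parts[$n - 3] === '$' && $parts[$n - 2] === '{'
            && preg_match('/^\'([A-Za-z_]\w*)\'$/', $parts[$n - 1], $m)) {
            // ${'NAME'} is the variable-variable spelling of $NAME.
            array_splice($parts, $n - 3, 3, '$' . $m[1]);
        } else {
            $parts[] = $text;
        }
    }
    return implode('', $parts);
}

// Constructed sample input: the line from the question plus a single-quoted string.
$sample = <<<'PHP'
<?php
${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";
$keep = 'single-quoted \x41 stays literal';
PHP;
echo deobfuscate($sample), "\n";
```

The decoder reads the file as text and never executes it, which matters when the input is an injected file from a compromised site. Double-quoted strings that contain interpolated variables are left as they are.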

4

That's not UTF8, that's just some obfuscation someone thought of to make the script less readable. You can convert every string to its character representation. For instance \x41 means 'capital A'.

You don't have to convert these values yourself. When you echo the string, it will show its actual value.

The accolades are just a way to use a string value for a variable name, so ${'foo'} = 10; will set the variable $foo to 10.

In your case, you got a script that's messing with your globals.

<pre><?php

//${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";

echo
  'It means: ' .
  '${"' . "\x47\x4c\x4f\x42\x41\x4cS" .
  '"}["' . "y\x61\x72\x64s\x70\x71" . '"]="' .
  "va\x6cu\x65" . '";<br>';

// = $GLOBALS['yardspq'] = 'value';

var_dump(${"\x47\x4c\x4f\x42\x41\x4cS"});

?>

1 Comment

Indeed, you could display the whole code like this: eval('print "'.str_replace('"','\"',file_get_contents('source_file.php')).'";');. eval() is evil but also sometimes useful...
2

Simply make it print out the plain strings, like:

<pre><?php
    //${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";
    print_r(
        array(
            "\x47\x4c\x4f\x42\x41\x4cS",
            "y\x61\x72\x64s\x70\x71",
            "va\x6cu\x65",
        )
    );
?></pre>

To me, it resulted in:

$GLOBALS["yardspq"]="value";

See it working...


1

I would use PHP de-obfuscators (reverse PHP encoding processors)...

Searching for "PHP deobfuscator" you may find many; the list grows as it is becoming common to find such code in injected files from hacked websites.

Such injections are usually mass processed, so it may be possible to find solutions by experts for most cases.


0

I don't think there is any script that "cleans" obfuscated code.

As for your comment, that line is "equal" to something like

$array["key"] = 'value';

2 Comments

Would you be able to point me in the direction of what type of obfuscation this is? The ${""}[""] is confusing me. The rest I can replace.
@Kyle it is valid PHP variable variable syntax. ${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65"; == ${'GLOBALS'}['yardspq'] = 'value'; == $GLOBALS['yardspq'] = 'value';
