phpdeobfuscation

Deobfuscating some PHP code

I'm trying to deobfuscate this PHP code:

<?php if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T059EC46CFE335260){$T059EC46CFE335260=base64_decode($T059EC46CFE335260);$TC9A16C47DA8EEE87=0;$TA7FB8B0A1C0E2E9E=0;$T17D35BB9DF7A47E4=0;$T65CE9F6823D588A7=(ord($T059EC46CFE335260[1])<<8)+ord($T059EC46CFE335260[2]);$TBF14159DC7D007D3=3;$T77605D5F26DD5248=0;$T4A747C3263CA7A55=16;$T7C7E72B89B83E235="";$T0D47BDF6FD9DDE2E=strlen($T059EC46CFE335260);$T43D5686285035C13=__FILE__;$T43D5686285035C13=file_get_contents($T43D5686285035C13);$T6BBC58A3B5B11DC4=0;preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"),$T43D5686285035C13,$T6BBC58A3B5B11DC4);for(;$TBF14159DC7D007D3<$T0D47BDF6FD9DDE2E;){if(count($T6BBC58A3B5B11DC4)) exit;if($T4A747C3263CA7A55==0){$T65CE9F6823D588A7=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<8);$T65CE9F6823D588A7+=ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);$T4A747C3263CA7A55=16;}if($T65CE9F6823D588A7&0x8000){$TC9A16C47DA8EEE87=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<4);$TC9A16C47DA8EEE87+=(ord($T059EC46CFE335260[$TBF14159DC7D007D3])>>4);if($TC9A16C47DA8EEE87){$TA7FB8B0A1C0E2E9E=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])&0x0F)+3;for($T17D35BB9DF7A47E4=0;$T17D35BB9DF7A47E4<$TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++)$T7C7E72B89B83E235[$T77605D5F26DD5248+$T17D35BB9DF7A47E4]=$T7C7E72B89B83E235[$T77605D5F26DD5248-$TC9A16C47DA8EEE87+$T17D35BB9DF7A47E4];$T77605D5F26DD5248+=$TA7FB8B0A1C0E2E9E;}else{$TA7FB8B0A1C0E2E9E=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<8);$TA7FB8B0A1C0E2E9E+=ord($T059EC46CFE335260[$TBF14159DC7D007D3++])+16;for($T17D35BB9DF7A47E4=0;$T17D35BB9DF7A47E4<$TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248+$T17D35BB9DF7A47E4++]=$T059EC46CFE335260[$TBF14159DC7D007D3]);$TBF14159DC7D007D3++;$T77605D5F26DD5248+=$TA7FB8B0A1C0E2E9E;}}else $T7C7E72B89B83E235[$T77605D5F26DD5248++]=$T059EC46CFE335260[$TBF14159DC7D007D3++];$T65CE9F6823D588A7<<=1;$T4A747C3263CA7A55--;if($TBF14159DC7D007D3==$T0D47BDF6FD9DDE2E){$T43D5686285035C13=implode("",$T7C7E72B89B83E235);$T43D5686285035C13="?".">".$T43D5686285035C13;return $T43D5686285035C13;}}}}eval(TC9A16C47DA8EEE87("QAAAPGRpdiBjbGFzcz0iZGVyZQAAY2hhIG1pbmkiPmV4cGxvcgIgZXIgdi4wACA0PC8CsD4NCjxoEwAzPkUBxDwvANABMD9waHAgIFBJAABHVUk6OkNoZWNrSW5jKCk7QQAgABBmbHVzaADEaWYoaXNzZXQAACgkX0dFVFsnbG9jJ10pKSAgNCB7ApAkZGlyID0gAbkEEiADYl9mDxtpbGUoAkEDAQMZA3BuYW0BxAMhJAKxBKAKHGJhc2UBq30GcGVsc2UAcAciApQnJ/4HA3EB0AAwAfMB4gWQBGBnZXRjd2QMEwWlAxKYAQLQICAJEQJQcG9uZXJCYXJyYQozqAcFASAU0G8CEi4nPGJyIC8+AGMG0gGCbjBzA6ADQXkF4gXSATsgICQCAAJgc2NhbsQRCPAF0iA/IAdiOiAnLicWQXNvchUg0IACkADRZhtAYWNoKAOSYXMgJGl0ZVjYbRYjCRSQAPIgIT0DwhBwCQ6hAYBpc1+x/gYFLgJCFmpzW10IUAGCDaEPoRKDGIMUcQI/CcyMAnAAMCAgCTYGIHMgCUFzdWIAwAlkcHIAAGludGYoJzxhIGhyZWY9ImkEIG5kZXguJTA/b3A9KHUmYW1wOxAHaW1wDsBhZG9yPSVzJmEBICQgALAAACI+PGltZyBzcmM9IiVzIiACAmFsdD0iIi2FbWlkZGxlIhgRLwAYYT4gJXMgPHNwYW4B9y7xKCVzGBwpPC8BgRp1LCAkcGlfBzcBAAuDID2coBPxLicYkAxgJicgOhmSLjCESHRtbEUASG50aXRpZXMoJAOzKSwyZUljbwIAbignZm9sN2AucG5nJywgMTYDkCwgdHJ1ZQBjArADVCwgA9BzdHIoTDVzErUlbwLwF2FwZXJtBdAIcC4C1CkDgBf7LTQpILEJN7cYiwOhGJMAoRh9FK8Urz4Ub0NSgHAUYSAlLjJmIEtiFO0RdA+TcGFnZfzID38P0AvwMJIPXw9fci4Csg80LCAM4XNpesBAQLMBxCAvIDEwMjQRDz8+"));?>

Now by using a PHP formatter, I managed to make it display cleanly.

<?php
if (!function_exists("TC9A16C47DA8EEE87")) {
    function TC9A16C47DA8EEE87($T059EC46CFE335260)
    {
        $T059EC46CFE335260 = base64_decode($T059EC46CFE335260);
        $TC9A16C47DA8EEE87 = 0;
        $TA7FB8B0A1C0E2E9E = 0;
        $T17D35BB9DF7A47E4 = 0;
        $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
        $TBF14159DC7D007D3 = 3;
        $T77605D5F26DD5248 = 0;
        $T4A747C3263CA7A55 = 16;
        $T7C7E72B89B83E235 = "";
        $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
        $T43D5686285035C13 = __FILE__;
        $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
        $T6BBC58A3B5B11DC4 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4);
        for (; $TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E; ) {
            if (count($T6BBC58A3B5B11DC4))
                exit;
            if ($T4A747C3263CA7A55 == 0) {
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                $T65CE9F6823D588A7 += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                $T4A747C3263CA7A55 = 16;
            }
            if ($T65CE9F6823D588A7 & 0x8000) {
                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                $TC9A16C47DA8EEE87 += (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                if ($TC9A16C47DA8EEE87) {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T17D35BB9DF7A47E4++)
                        $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                } else {
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                    $TA7FB8B0A1C0E2E9E += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                    $TBF14159DC7D007D3++;
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                }
            } else
                $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
            $T65CE9F6823D588A7 <<= 1;
            $T4A747C3263CA7A55--;
            if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                return $T43D5686285035C13;
            }
        }
    }
}
eval(TC9A16C47DA8EEE87("QAAAPGRpdiBjbGFzcz0iZGVyZQAAY2hhIG1pbmkiPmV4cGxvcgIgZXIgdi4wACA0PC8CsD4NCjxoEwAzPkUBxDwvANABMD9waHAgIFBJAABHVUk6OkNoZWNrSW5jKCk7QQAgABBmbHVzaADEaWYoaXNzZXQAACgkX0dFVFsnbG9jJ10pKSAgNCB7ApAkZGlyID0gAbkEEiADYl9mDxtpbGUoAkEDAQMZA3BuYW0BxAMhJAKxBKAKHGJhc2UBq30GcGVsc2UAcAciApQnJ/4HA3EB0AAwAfMB4gWQBGBnZXRjd2QMEwWlAxKYAQLQICAJEQJQcG9uZXJCYXJyYQozqAcFASAU0G8CEi4nPGJyIC8+AGMG0gGCbjBzA6ADQXkF4gXSATsgICQCAAJgc2NhbsQRCPAF0iA/IAdiOiAnLicWQXNvchUg0IACkADRZhtAYWNoKAOSYXMgJGl0ZVjYbRYjCRSQAPIgIT0DwhBwCQ6hAYBpc1+x/gYFLgJCFmpzW10IUAGCDaEPoRKDGIMUcQI/CcyMAnAAMCAgCTYGIHMgCUFzdWIAwAlkcHIAAGludGYoJzxhIGhyZWY9ImkEIG5kZXguJTA/b3A9KHUmYW1wOxAHaW1wDsBhZG9yPSVzJmEBICQgALAAACI+PGltZyBzcmM9IiVzIiACAmFsdD0iIi2FbWlkZGxlIhgRLwAYYT4gJXMgPHNwYW4B9y7xKCVzGBwpPC8BgRp1LCAkcGlfBzcBAAuDID2coBPxLicYkAxgJicgOhmSLjCESHRtbEUASG50aXRpZXMoJAOzKSwyZUljbwIAbignZm9sN2AucG5nJywgMTYDkCwgdHJ1ZQBjArADVCwgA9BzdHIoTDVzErUlbwLwF2FwZXJtBdAIcC4C1CkDgBf7LTQpILEJN7cYiwOhGJMAoRh9FK8Urz4Ub0NSgHAUYSAlLjJmIEtiFO0RdA+TcGFnZfzID38P0AvwMJIPXw9fci4Csg80LCAM4XNpesBAQLMBxCAvIDEwMjQRDz8+"));
?>

Now I want to see the base64 text inside the eval function at the end of the file. By using this tool, I get it to see something, but not accurately.

@��<div class="dere��cha mini">provee�dores v.1.0.3</�>
<h3>P</�`?ph��p  PIGUI::CheckI�nc();  ?R4>Crearh 4form id="�_�" action="indexA.?op=<
o $op;�&amp;importa*pi` _" methopost"�� onsubmit="retur$n valid.V�rF    (t�his.id)"table�@ if(dVers Mayor(��_PS_VERSION_, '1��.5.0'))  {    $ti��endas = $db->Get�Rows("SELECT _s�hop,�name FROM "�._DB_PREFIX_." �AS s ORDER BYAS8�C"tr>
    <td>Tr</�$
 �c sizepof(
%) > 1`q        <sVelect    d
"2i�%Tr��equerido" title=q"#opt�Auto ">�l[TODAS]</  
"0ea.�ch     0

Eprintf("<\"%u\">%sv\n",I ['']H']r}@?~/�@�2 QelseP@1t3rs[0]0 ech+C['c�2<input typhidden"+A+
;" 9/>C     !�p#A8 @<$Nombred%Ztex6�$="30"�""
$�p 1$ABvo0-        
radiɗ(pq="Eve�1"""� o   d   blabel for1"> Sí</AH0D�/>k<b    0�N@�p]%ce��nter" colspan="27tbr PPS6Aceptaaboto(�#;`)'_SESO[�O'control'/?> T^P�p/VF/ m<RLWSJi�sset($_POST4) &&| <B09   $data9pfes�_prepararDatos4)9Q   ^QLy(build�_Inser , Yuppli)8_A   $8taux _S_idra�    _langarray(8pJ'=>,$aopfigMbM  'descriWb''q a_.Lkeywords|_ { (
")
`uu!t`"hxoq == ^'i2'#o(gt]5shIN�vSERT INTO|NTtR(    ,�uR) VALUES(%u, %?u)kq$kHB[`]iqis_numyc.4"s*q?t?w$
?? ,. c%Msg('S(e cdo Xp<- 'c'_�     0
5`dujo alg�+ún error Qno'f~#FGEH@deN`H4"    =_@GPG1AExistHi|d `F'sF"DTE F" WHERE'r
0'O{
}'9@�>;_!H@$>>`9"$QY*B"' elimin'_'V7e'_'Pa' '-! Џh4؉uale r^ 3/javacfun`on E
SrV<@){yP$Pdrrm�('¿u Id.'+id+'?')R  w�ow.locaTpU /Q$Gp݄;&6�=;   }
�0</
#> Rl3ath>4xhs:��<$r$@;R,2,ivLe8_.8$nPsA)2hf�19 g'q% �!i/E`  ac@D2 f�   �'<a =""e" href="Yj'F:&'.].'p'.7I( (lete.png
P16, ��false, true).'</a>'617e /V8pveed8orߜglobal $�d62`\   � switJcase '&':[$@]trim($3qak�c3 ? '1' : '0'Q=defaultunQc E$ahor1e('Y-m�-d H:i:sp!a['�`e_add'cж#upreturn �M

This is where I'm stuck. How else could this be encoded or compressed?

Solution

  • To decode it, I have removed exit from middle of function, then changed eval to print. Here are the results (code under the eval):

    ?><div class="derecha mini">explorer v.0.0.4</div>
<h3>Explorer</h3>
<?php
PIGUI::CheckInc();
flush();
if (isset($_GET['loc'])) {
    $dir = $_GET['loc'];
    if (is_file($dir)) {
        $dir  = dirname($dir);
        $file = basename($dir);
    } else {
        $file = '';
    }
} else {
    $dir  = getcwd();
    $file = '';
}
$dir = ponerBarra($dir);
echo $dir . '<br /><br />';
$dirs  = array();
$files = array();
$arr   = scandir($dir ? $dir : '.');
sort($arr);
foreach ($arr as $item) {
    if ($item != '.') {
        if (is_dir($dir . $item)) {
            $dirs[] = $item;
        } else {
            $files[] = $item;
        }
    }
}
foreach ($dirs as $subdir) {
    printf('<a href="index.php?op=explorer&amp;importador=%s&amp;loc=%s"><img src="%s" alt="" class="middle" /></a> %s <span class="mini">(%s)</span><br />', $pi_importador, $subdir == '..' ? dirname($dir) : $dir . PIGUI::HtmlEntities($subdir), PIGUI::Icon('folder.png', 16, true, true), $subdir, substr(sprintf('%o', fileperms($dir . $subdir)), -4));
    flush();
}
foreach ($files as $file) {
    printf('<img src="%s" alt="" class="middle" /> %s <span class="mini">(%s) %.2f Kb</span><br />', PIGUI::Icon('page.png', 16, true, true), $file, substr(sprintf('%o', fileperms($dir . $file)), -4), filesize($dir . $file) / 1024);
    flush();
}
?>

    EDIT: Here's your original code, mostly deobfuscated. Unfortunately, I don't recognize encryption algorithm:

    <?php
function decrypt($source)
{
    $file = file_get_contents(__FILE__);
    $match = 0;
    preg_match("/(print|sprint|echo)/", $file, $match);
    // protection against deobfuscation:            
    // if this file was modified to contain "print", exit            
    if (count($match)) exit;

    $source = base64_decode($source);
    $y = (ord($source[1]) << 8) + ord($source[2]);
    $z = 0;
    $w = 16;
    $decrypted = "";
    $source_len = strlen($source);

    for ($char_no = 3; $char_no < $source_len; ) {
        if ($w == 0) {
            $y = (ord($source[$char_no++]) << 8);
            $y += ord($source[$char_no++]);
            $w = 16;
        }
        if ($y & 0x8000) {
            $t = (ord($source[$char_no++]) << 4);
            $t += (ord($source[$char_no]) >> 4);
            if ($t) {
                $x = (ord($source[$char_no++]) & 0x0F) + 3;
                for ($i = 0; $i < $x; $i++)
                    $decrypted[$z + $i] = $decrypted[$z - $t + $i];
                $z += $x;
            } else {
                $x = (ord($source[$char_no++]) << 8);
                $x += ord($source[$char_no++]) + 16;
                for ($i = 0; $i < $x; )
                    $decrypted[$z + $i++] = $source[$char_no];
                $char_no++;
                $z += $x;
            }
        } else {
            $decrypted[$z++] = $source[$char_no++];
        }
        $y <<= 1;
        $w--;
    }

    return "?" . ">" . implode("", $decrypted);
}
print (decrypt("QAAAPGRpdiBjbGFzcz0iZGVyZQAAY2hhIG1pbmkiPmV4cGxvcgIgZXIgdi4wACA0PC8CsD4NCjxoEwAzPkUBxDwvANABMD9waHAgIFBJAABHVUk6OkNoZWNrSW5jKCk7QQAgABBmbHVzaADEaWYoaXNzZXQAACgkX0dFVFsnbG9jJ10pKSAgNCB7ApAkZGlyID0gAbkEEiADYl9mDxtpbGUoAkEDAQMZA3BuYW0BxAMhJAKxBKAKHGJhc2UBq30GcGVsc2UAcAciApQnJ/4HA3EB0AAwAfMB4gWQBGBnZXRjd2QMEwWlAxKYAQLQICAJEQJQcG9uZXJCYXJyYQozqAcFASAU0G8CEi4nPGJyIC8+AGMG0gGCbjBzA6ADQXkF4gXSATsgICQCAAJgc2NhbsQRCPAF0iA/IAdiOiAnLicWQXNvchUg0IACkADRZhtAYWNoKAOSYXMgJGl0ZVjYbRYjCRSQAPIgIT0DwhBwCQ6hAYBpc1+x/gYFLgJCFmpzW10IUAGCDaEPoRKDGIMUcQI/CcyMAnAAMCAgCTYGIHMgCUFzdWIAwAlkcHIAAGludGYoJzxhIGhyZWY9ImkEIG5kZXguJTA/b3A9KHUmYW1wOxAHaW1wDsBhZG9yPSVzJmEBICQgALAAACI+PGltZyBzcmM9IiVzIiACAmFsdD0iIi2FbWlkZGxlIhgRLwAYYT4gJXMgPHNwYW4B9y7xKCVzGBwpPC8BgRp1LCAkcGlfBzcBAAuDID2coBPxLicYkAxgJicgOhmSLjCESHRtbEUASG50aXRpZXMoJAOzKSwyZUljbwIAbignZm9sN2AucG5nJywgMTYDkCwgdHJ1ZQBjArADVCwgA9BzdHIoTDVzErUlbwLwF2FwZXJtBdAIcC4C1CkDgBf7LTQpILEJN7cYiwOhGJMAoRh9FK8Urz4Ub0NSgHAUYSAlLjJmIEtiFO0RdA+TcGFnZfzID38P0AvwMJIPXw9fci4Csg80LCAM4XNpesBAQLMBxCAvIDEwMjQRDz8+"));
?>