deobf.php

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<?php
function process_string ($match) {
$str = str_replace ('"', '', $match[0]);
$str = str_replace ("\\", ".:::.\\", $str);
$str = preg_replace ('/\\\x([a-f0-9]{2})/e', 'chr(0x\\1)', $str);
$str = preg_replace ('/\\\(\d{1,3})/e', 'chr(0\\1)', $str);
$str = str_replace (".:::.", '', $str);
return '"' . $str . '"';
}
if ($argc != 2)
die ("Usage: php {$argv[0]} [obfuscated-script.php]\n");
$enc_file = $argv[1];
if (!is_file ($enc_file))
die ("$enc_file is not file\n");
$content = str_replace (array ("\r", "\n"), '', file_get_contents ($argv[1]));
preg_match ('/\@eval\s*\(\$\w+\s*\(\s*\"(.+?)\"\)\);/s', $content, $m);
preg_match ('/\@eval\(\$\w+\(\$\w+\(\$\w+\(\"(.+?)\"\)\)\)\);/',
base64_decode ($m[1]), $m);
$code = gzinflate (base64_decode (str_rot13 ($m[1])));
$code = preg_replace_callback ('/"(.*?)"/', 'process_string', $code);
echo $code, "\n";
?>