# Decoding an encoded php file?

1. Aug 28, 2015

### AliGh

My cousin gave me this file.

The command `eval(gzinflate(base64_decode()));` decodes the entered code and runs it as PHP code.
The problem is that it's not the only decoding command; there are several of these commands in the code.
I used this command for the code, put the result in a variable, and commanded it to save whatever is in the variable into a .txt file (I couldn't show it in the browser page because it's PHP code; it will execute instead of appearing).
Now, does anyone know how to write code in PHP that decodes this several times until it gets the final code?

Attached file: 2015-08-28_164111.jpg

2. Aug 28, 2015

### Staff: Mentor

It also means you will run arbitrary code sent by someone - including potential malware. Don't do the eval().

What do you mean by "decode this several times"? It is possible to send the result of base64-encoding through the same algorithm again, but this is quite pointless. It can be reverted by applying the decode function again on the result as often as necessary. The same applies to gzdeflate and gzinflate.

3. Aug 28, 2015

### AliGh

I have tried removing eval and doing this before, but the problem is that it gives some weird Chinese or Japanese letters.
It's not malware; it's a shell, I think.
When I decode it there is another `<?php eval(gzinflate(base64_decode("blah blah blah"))); ?>` inside.
While running on a server it will continue decoding until the main code is executed. How can I stop it there?

4. Aug 29, 2015

### Staff: Mentor

Remove the eval, make a loop that applies the gzinflate and base64_decode as often as you like and removes those characters from the decoded string (so only the things in " " get decoded), print each result and check which one has some readable code.

5. Aug 29, 2015

### AliGh

I did it about 14 times; it still needs decoding.
I wrote a program to do it, but it seems it doesn't work.

```php
$thecode=gzinflate(base64_decode('blah blah blah'));
$time=0;
while ($time=0){
    $exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
    $exists2 = strpos($thecode, "')));?><?");
    if ($exists1=== true and $exists2 === true){
        str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
        str_replace("')));?><?","",$thecode);
        $decodedtext = gzinflate(base64_decode($thecode));
    }
    else {$time=1;}
}
$myfile = fopen("text/textfile.txt",w);
fwrite($myfile, $decodedtext);
fclose($myfile);
```

It just jumps to $myfile's line.

6. Aug 29, 2015

### mfb

### Staff: Mentor

That will set $time to 0 and always get evaluated as true.
strpos returns an integer or false, but never true.

7. Aug 29, 2015

### AliGh

There is "else {$time=1}" at the end of the while loop. I edited my code; it still jumps to $myfile with only one pass through the while loop.

```php
$time=0;
while ($time=0){
    $exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
    $exists2 = strpos($thecode, "')));?><?");
    if ($exists1 == 1 and $exists2 == 1){
        str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
        str_replace("')));?><?","",$thecode);
        $decodedtext = gzinflate(base64_decode($thecode));
    }
    else {$time=1;}
}
$myfile = fopen("text/textfile.txt",w);
fwrite($myfile,$decodedtext);
fclose($myfile);
```

Errors:

```
Notice: Use of undefined constant w - assumed 'w' in C:\wamp\www\autodecode.php on line 15
Notice: Undefined variable: decodedtext in C:\wamp\www\autodecode.php on line 16
```

8. Aug 29, 2015

### mfb

### Staff: Mentor

Which does not do anything as it gets overwritten again with the while condition. I don't think you want to check if strpos returns 1.

9. Aug 30, 2015

### AliGh

Sorry, I'm a beginner... I checked and it returns nothing. The problem is the command: in smaller scales it returns a value, but here it returns nothing. The code is a 12 kb text file.

10. Aug 30, 2015

### AliGh

At last finished, using this code:

```php
substr($decodedtext, 39, -10);
```

It doesn't decode all of these kinds of code automatically, but if you give it the exact numbers it will...
However, it's not the proper way to do it... It would be better to use str_replace, but whatever I did, that code didn't work.
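
The loop suggested in post 4 (decode repeatedly, never eval), as an added example that is not part of the original thread or any poster's code. The names `peel_layers`, `MAX_LAYERS`, `WRAPPER` and the output file `decoded.txt` are assumptions made for illustration, and the input is a constructed, harmless sample.

```php
<?php
// Added example: statically unwrap nested eval(gzinflate(base64_decode('...')))
// layers. Each layer is only decoded; nothing is ever passed to eval().

const MAX_LAYERS = 100; // assumed safety bound, not a value from the thread

// One wrapper, capturing the base64 payload between matching quotes.
const WRAPPER = '~eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'
              . '([\'"])([A-Za-z0-9+/=\s]++)\1\s*\)\s*\)\s*\)~i';

// Returns [innermost code, number of layers removed].
// Assumes each layer consists of the wrapper only: text around it is dropped.
function peel_layers(string $code): array
{
    $layers = 0;
    while ($layers < MAX_LAYERS && preg_match(WRAPPER, $code, $m) === 1) {
        $raw = base64_decode(preg_replace('~\s+~', '', $m[2]), true);
        if ($raw === false) {
            break;                    // payload is not valid base64
        }
        $inner = @gzinflate($raw);
        if ($inner === false) {
            break;                    // payload is not raw DEFLATE data
        }
        $code = $inner;               // next pass inspects the inner layer
        $layers++;
    }
    return [$code, $layers];
}

// Constructed sample: a harmless statement wrapped 15 times.
$sample = '<?php echo "final payload"; ?>';
for ($i = 0; $i < 15; $i++) {
    $sample = "?><?php eval(gzinflate(base64_decode('"
            . base64_encode(gzdeflate($sample)) . "'))); ?><?";
}

[$plain, $n] = peel_layers($sample);
file_put_contents('decoded.txt', $plain);  // saved as text, never executed
echo "layers removed: $n\n";
```

Matching the wrapper with a pattern and decoding only the captured payload avoids the fixed offsets of `substr($decodedtext, 39, -10)`, so the same loop works whatever the length of each layer's prefix and suffix.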
