
Decoding an encoded php file?

  1. Aug 28, 2015 #1
    My cousin gave me this file
    The command eval(gzinflate(base64_decode())); decodes the entered code and runs it as PHP code.
    The problem is that it's not the only decoding command; there are several of these commands in the code.
    I used this command for the code, put the result in a variable, and commanded it to save whatever there is in the variable into a .txt file (couldn't show it in the browser page because it's PHP code; it will execute instead of appearing).
    Now does anyone know how to write code in PHP that decodes this several times until it gets the final code?
     

  3. Aug 28, 2015 #2

    mfb

    Staff: Mentor

    It also means you will run arbitrary code sent by someone - including potential malware. Don't do the eval().

    What do you mean with "decode this several times"? It is possible to send the result of base64-encoding through the same algorithm again, but this is quite pointless. It can be reverted by applying the decode function again on the result as often as necessary. The same applies to gzdeflate and gzinflate.
     
  4. Aug 28, 2015 #3
    I have tried removing eval and doing this before, but the problem is that it gives some weird Chinese or Japanese letters.
    It's not malware, it's a shell I think.
    When I decode it there is another <?php eval(gzinflate(base64_decode("blah blah blah"))); ?> inside.
    While running on a server it will continue decoding until the main code is executed. How can I stop it there?
     
  5. Aug 29, 2015 #4

    mfb

    Staff: Mentor

    Remove the eval, make a loop that applies the gzinflate and base64_decode as often as you like and removes those characters from the decoded string (so only the things in " " get decoded), print each result and check which one has some readable code.
     
  6. Aug 29, 2015 #5
    I did it about 14 times; it still needs to decode.
    I wrote a program to do it but it seems it doesn't work:
    $thecode=gzinflate(base64_decode('blah blah blah'));
    $time=0;
    while ($time=0){
    $exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
    $exists2 = strpos($thecode, "')));?><?");
    if ($exists1=== true and $exists2 === true){
    str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
    str_replace("')));?><?","",$thecode);
    $decodedtext = gzinflate(base64_decode($thecode));}
    else {$time=1;}
    }
    $myfile = fopen("text/textfile.txt",w);
    fwrite($myfile, $decodedtext);
    fclose($myfile);

    It just jumps to $myfile's line.
     
  7. Aug 29, 2015 #6

    mfb

    Staff: Mentor

    That will set $time to 0 and get always evaluated as true.
    strpos returns an integer or false, but never true.
     
  8. Aug 29, 2015 #7
    There is "else {$time=1}" at the end of the while loop.
    I edited my code; it still jumps to $myfile with only one pass through the while loop:
    $time=0;
    while ($time=0){
    $exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
    $exists2 = strpos($thecode, "')));?><?");
    if ($exists1 == 1 and $exists2 == 1){
    str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
    str_replace("')));?><?","",$thecode);
    $decodedtext = gzinflate(base64_decode($thecode));}
    else {$time=1;}
    }
    $myfile = fopen("text/textfile.txt",w);
    fwrite($myfile, $decodedtext);
    fclose($myfile);

    Errors: Notice: Use of undefined constant w - assumed 'w' in C:\wamp\www\autodecode.php on line 15
    Notice: Undefined variable: decodedtext in C:\wamp\www\autodecode.php on line 16
     
  9. Aug 29, 2015 #8

    mfb

    Staff: Mentor

    Which does not do anything as it gets overwritten again with the while condition.
    I don't think you want to check if strpos returns 1.
     
  10. Aug 30, 2015 #9
    Sorry, I'm a beginner ...
    Checked and it returns nothing. The problem is the command: in smaller scales it returns a value but here it returns nothing. The code is a 12 kb text file.
     
  11. Aug 30, 2015 #10
    At last finished.
    Using this code: substr($decodedtext, 39, -10);
    It doesn't decode all of these kinds of codes automatically, but if you give it the exact numbers it will ...
    However it's not the proper way to do it ... It would be better to use str_replace, but whatever I did, that code didn't work.
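
The loop mfb describes in #4, as an added example that is not from any poster in this thread: a static unwrapper, written in Python rather than PHP so the file is only ever handled as data and never passed to eval. It assumes every layer has the eval(gzinflate(base64_decode('...'))) shape quoted in #3; the regex, the limits and the function names are this example's own.

```python
import base64
import re
import zlib

# One wrapper layer: eval(gzinflate(base64_decode('...'))), either quote style,
# optional whitespace. Group 2 is the base64 text between the quotes.
LAYER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)""",
    re.IGNORECASE,
)
MAX_LAYERS = 100         # stop on pathological nesting
MAX_OUTPUT = 10 * 2**20  # refuse to inflate more than 10 MiB per layer


def inflate_raw(data):
    """Equivalent of PHP gzinflate(): raw DEFLATE with no zlib/gzip header."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, MAX_OUTPUT)
    if d.unconsumed_tail:  # input left over means the size cap was hit
        raise ValueError("layer exceeds MAX_OUTPUT")
    return out


def unwrap(source):
    """Peel wrapper layers without executing anything; return (code, layers)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = LAYER.search(source)
        if m is None:      # no wrapper left: this is the final code
            break
        payload = base64.b64decode(m.group(2))
        source = inflate_raw(payload).decode("utf-8", errors="replace")
        layers += 1
    return source, layers


def wrap(code):
    """Build one constructed layer; used only to create the sample input."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(code.encode()) + c.flush()
    b64 = base64.b64encode(raw).decode()
    return "?><?php eval(gzinflate(base64_decode('%s')));?><?" % b64


if __name__ == "__main__":
    sample = "echo 'hello';"   # constructed, harmless inner code
    for _ in range(14):        # 14 layers, as in post #5
        sample = wrap(sample)
    print(unwrap(sample))
```

Each pass replaces the whole text with the decoded payload, so any code sitting beside the eval in an intermediate layer is dropped; print or save every layer if that matters for the file being examined.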
     