How can I decode multiple layers of encoded php code?

  • Context: PHP
  • Thread starter: AliGh
  • Tags: File, Php

Discussion Overview

The discussion revolves around decoding multiple layers of encoded PHP code, specifically using functions like eval, gzinflate, and base64_decode. Participants explore methods to automate the decoding process and address challenges encountered while attempting to extract the final code from a complex encoded string.

Discussion Character

  • Technical explanation
  • Debate/contested
  • Mathematical reasoning

Main Points Raised

  • One participant describes a PHP file containing multiple layers of encoded commands using eval, gzinflate, and base64_decode, seeking a method to decode it repeatedly until the final code is revealed.
  • Another participant warns against using eval due to the risk of executing arbitrary and potentially malicious code.
  • Some participants discuss the possibility of repeatedly applying decoding functions, questioning the necessity and effectiveness of such an approach.
  • A participant mentions encountering unreadable characters after decoding attempts, suggesting that the code may not be malware but rather a shell.
  • There are suggestions to create a loop that applies decoding functions while filtering out unwanted characters, with the aim of isolating readable code.
  • Several participants point out issues in the provided PHP code, such as logical errors in the while loop and incorrect checks for the return values of strpos.
  • One participant shares a final solution that involves using substr to extract parts of the decoded text, although they acknowledge it may not be the most appropriate method.

Areas of Agreement / Disagreement

Participants express various opinions on the best approach to decode the PHP code, with no consensus reached on a definitive method. Disagreements arise regarding the effectiveness of certain coding strategies and the risks associated with using eval.

Contextual Notes

Participants note limitations in their approaches, including issues with variable initialization, the need for precise string matching, and the challenges posed by the size of the encoded file.

AliGh
My cousin gave me this file

The commands eval(gzinflate(base64_decode())); decode the entered code and run it as PHP code.
The problem is that it's not the only decoding command; there are several of these commands in the code.
I used this command for the code, put the result in a variable and commanded it to save whatever there is in the variable into a .txt file (couldn't show it in the browser page because it's PHP code, so it will execute instead of appearing).
Now does anyone know how to write code in PHP that decodes this several times until it gets the final code?
 

AliGh said:
The commands eval(gzinflate(base64_decode())); decode the entered code and run it as PHP code.
It also means you will run arbitrary code sent by someone - including potential malware. Don't do the eval().

What do you mean with "decode this several times"? It is possible to send the result of base64-encoding through the same algorithm again, but this is quite pointless. It can be reverted by applying the decode function again on the result as often as necessary. The same applies to gzdeflate and gzinflate.
 
mfb said:
It also means you will run arbitrary code sent by someone - including potential malware. Don't do the eval().

What do you mean with "decode this several times"? It is possible to send the result of base64-encoding through the same algorithm again, but this is quite pointless. It can be reverted by applying the decode function again on the result as often as necessary. The same applies to gzdeflate and gzinflate.
I have tried removing eval and doing this before, but the problem is that it gives some weird Chinese or Japanese letters.
It's not malware, it's a shell, I think.
When I decode it there is another <?php eval(gzinflate(base64_decode("blah blah blah"))); ?> inside.
While running on a server it will continue decoding until the main code is executed. How can I stop it there?
 
Remove the eval, make a loop that applies the gzinflate and base64_decode as often as you like and removes those characters from the decoded string (so only the things in " " get decoded), print each result and check which one has some readable code.
 
I did it about 14 times; it still needs to be decoded.
I wrote a program to do it but it seems it doesn't work:
$thecode=gzinflate(base64_decode('blah blah blah'));
$time=0;
while ($time=0){
$exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
$exists2 = strpos($thecode, "')));?><?");
if ($exists1=== true and $exists2 === true){
str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
str_replace("')));?><?","",$thecode);
$decodedtext = gzinflate(base64_decode($thecode));}
else {$time=1;}
}
$myfile = fopen("text/textfile.txt",w);
fwrite($myfile, $decodedtext);
fclose($myfile);

It just jumps to $myfile's line.
 
AliGh said:
while ($time=0){
That will set $time to 0 and get always evaluated as true.
strpos returns an integer or false, but never true.
 
mfb said:
That will set $time to 0 and get always evaluated as true.
strpos returns an integer or false, but never true.
There is "else {$time=1}" at the end of the while loop.
I edited my code; it still jumps to $myfile with only one pass through the while loop:
$time=0;
while ($time=0){
$exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
$exists2 = strpos($thecode, "')));?><?");
if ($exists1 == 1 and $exists2 == 1){
str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
str_replace("')));?><?","",$thecode);
$decodedtext = gzinflate(base64_decode($thecode));}
else {$time=1;}
}
$myfile = fopen("text/textfile.txt",w);
fwrite($myfile, $decodedtext);
fclose($myfile);

Errors:
Notice: Use of undefined constant w - assumed 'w' in C:\wamp\www\autodecode.php on line 15
Notice: Undefined variable: decodedtext in C:\wamp\www\autodecode.php on line 16
 
AliGh said:
There is "else {$time=1}" at the end of the while loop.
Which does not do anything as it gets overwritten again with the while condition.
I don't think you want to check if strpos returns 1.
 
mfb said:
Which does not do anything as it gets overwritten again with the while condition.
I don't think you want to check if strpos returns 1.
Sorry, I am a beginner ...
Checked and it returns nothing. The problem is the command: in smaller scales it returns a value, but here it returns nothing. The code is a 12 KB text file.
 
At last finished.
Using this code: substr($decodedtext, 39, -10);
It doesn't decode all of these kinds of codes automatically, but if you give it the exact numbers it will ...
However, it's not the proper way to do it ... It would be better to use str_replace, but whatever I did, that code didn't work.
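
An added example, not part of the original thread or written by any of its participants: a static unwrapping loop for the eval(gzinflate(base64_decode('...'))) layering discussed above, written in Python so the sample is never handed to a PHP interpreter. The function names, the size cap and the 14-layer sample are assumptions constructed for illustration.

```python
import base64
import re
import zlib

# Matches eval(gzinflate(base64_decode('...'))) with either quote style and
# optional whitespace between tokens; group 2 is the base64 payload.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)",
    re.IGNORECASE,
)
MAX_LAYER_BYTES = 16 * 1024 * 1024  # assumed per-layer cap against decompression bombs


def inflate_raw(data: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE with no zlib or gzip header."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, MAX_LAYER_BYTES)
    if d.unconsumed_tail:
        raise ValueError("layer exceeds size cap")
    return out


def unwrap_layers(source: str, max_layers: int = 100):
    """Peel wrappers without evaluating anything; returns (text, layers_removed).

    Simplification: only the first wrapper in each layer is followed, and any
    text around it is discarded.
    """
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(source)
        if m is None:
            break  # no wrapper left: this is the innermost code
        raw = base64.b64decode(m.group(2))
        # latin-1 maps every byte to exactly one character, so no data is lost
        source = inflate_raw(raw).decode("latin-1")
        layers += 1
    return source, layers


def wrap(php: str) -> str:
    """Build one constructed layer, as PHP gzdeflate() + base64_encode() would."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = c.compress(php.encode("latin-1")) + c.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(blob).decode()


# Constructed sample: a harmless statement wrapped 14 times.
SAMPLE = "<?php echo 'innermost layer'; ?>"
for _ in range(14):
    SAMPLE = wrap(SAMPLE)
```

Matching the wrapper with a pattern and taking the quoted payload from the match avoids both the hard-coded substr offsets and the exact-string comparison that the str_replace attempts depended on.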
 
