Skip to content

simon816/PHPDeobfuscator

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits

src

src

 
 

tests

tests

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

composer.json

composer.json

 
 

index.php

index.php

 
 

test.php

test.php

 
 

Repository files navigation

PHPDeobfuscator

Overview

This deobfuscator attempts to reverse common obfuscation techniques applied to PHP source code.

It is implemented in PHP with the help of PHP-Parser.

Features

  • Reduces all constant expressions e.g. 1 + 2 is replaced by 3
  • Safely run whitelisted PHP functions e.g. base64_decode
  • Deobfuscate eval expressions
  • Unwrap deeply nested obfuscation
  • Filesystem virtualization
  • Variable resolver (e.g. $var1 = 10; $var2 = &$var1; $var2 = 20; can determine $var1 equals 20)
  • Rewrite control flow obfuscation

Installation

PHP Deobfuscator uses Composer to manage its dependencies. Make sure Composer is installed first.

Run composer install in the root of this project to fetch dependencies.

Usage

CLI

php index.php [-f filename] [-t] [-o]

required arguments:

-f    The obfuscated PHP file

optional arguments:

-t    Dump the output node tree for debugging
-o    Output comments next to each expression with the original code

The deobfuscated output is printed to STDOUT.

Web Server

index.php outputs a simple textarea to paste the PHP code into. Deobfuscated code is printed when the form is submitted

Examples

Input

<?php
eval(base64_decode("ZWNobyAnSGVsbG8gV29ybGQnOwo="));

Output

<?php

eval /* PHPDeobfuscator eval output */ {
    echo "Hello World";
};

Input

<?
$f = fopen(__FILE__, 'r');
$str = fread($f, 200);
list(,, $payload) = explode('?>', $str);
eval($payload . '');
?>
if ($doBadThing) {
    evil_payload();
}

Output

<?php

$f = fopen("/var/www/html/input.php", 'r');
$str = "<?\n\$f = fopen(__FILE__, 'r');\n\$str = fread(\$f, 200);\nlist(,, \$payload) = explode('?>', \$str);\neval(\$payload . '');\n?>\nif (\$doBadThing) {\n    evil_payload();\n}\n";
list(, , $payload) = array(0 => "<?\n\$f = fopen(__FILE__, 'r');\n\$str = fread(\$f, 200);\nlist(,, \$payload) = explode('", 1 => "', \$str);\neval(\$payload . '');\n", 2 => "\nif (\$doBadThing) {\n    evil_payload();\n}\n");
eval /* PHPDeobfuscator eval output */ {
    if ($doBadThing) {
        evil_payload();
    }
};
?>
if ($doBadThing) {
    evil_payload();
}

Input

<?php
$x = 'y';
$$x = 10;
echo $y * 2;

Output

<?php

$x = 'y';
$y = 10;
echo 20;

Input

<?php
goto label4;
label1:
func4();
exit;
label2:
func3();
goto label1;
label3:
func2();
goto label2;
label4:
func1();
goto label3;

Output

<?php

func1();
func2();
func3();
func4();
exit;

About

Advanced PHP deobfuscator

Topics

php reverse-engineering hacktoberfest deobfuscator

Resources

Readme

License

MIT license
Activity

Stars

95 stars

Watchers

8 watching

Forks

42 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages