Rodiq » Page 'decrypting php'

decrypting php

let’s suppose you took the source code for your from your php developer, the application is in production and you require some changes to the code, but your developer is not longer available.

if the php sources  contain a  scopbin directory and a 911006.php then this post may be helpful.

It is highly probable that a part of the php source code is obfuscated, looking like this:

<?php if(!function_exists(‘findsysfolder’)){function findsysfolder($fld){$fld1=dirname($fld);$fld=$fld1.’/scopbin’;clearstatcache();if(!is_dir($fld))return findsysfolder($fld1);else return $fld;}}require_once(findsysfolder(__FILE__).’/911006.php’);$REXISTHECAT4FBI=’FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26′;$REXISTHEDOG4FBI=’5BADAEA9DF69E5102D 65FE7104788C576A1F251F72DA5D1CDB7114443503292C8 936EE287BA24F8BD4 26D4A65D3D39B8F9C88EB16B11…..

The solution:

at the beginning of file delete this part:

g0666f0acdeed38d4cd9084ade1739498(f0666f0acdeed38d4cd9084ade1739498(__FILE__));

for instance:

$REXISTHECAT4FBI=’FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26′;g0666f0acdeed38d4cd9084ade1739498(f0666f0acdeed38d4cd9084ade1739498(__FILE__));$REXISTHEDOG4FBI=

becomes:$REXISTHECAT4FBI=’FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26′;$REXISTHEDOG4FBI=

at the end of the file replace this part:

eval(y0666f0acdeed38d4cd9084ade1739498(’7EC794F0133F434CE3′,$REXISTHEDOG4FBI));?>

with:

echo y0666f0acdeed38d4cd9084ade1739498(’7EC794F0133F434CE3′,$REXISTHEDOG4FBI);?>

in words: change eval with echo, delete the ( bracket after eval, delete in the end one of the ) bracket.

After the changes have been done, run the application. at the first call to a function in the encrypted file, de decrypted content will be outputted. save the output in a file and replace the encrypted one. that’s it!

ps. many thanks to len for graciously putting into practice the solution.

Share and Enjoy:
  • Digg
  • StumbleUpon
  • Facebook
  • Google Bookmarks
  • Reddit
  • RSS

4 comments to “decrypting php”

  1. Sir,,,

    Anybody help me to decode it…..

  2. what is $REXISTHEDOG4FBI ?

  3. Any Body Can Help Me To Decode It…

    <?php ini_set('include_path',dirname(__FILE__));function A4540acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function b5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function c43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function Xdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){$x0b43c25ccf2340e23492d4d3141479dc='';$x71510c08e23d2083eda280afa650b045=0;$x16754c94f2e48aae0d6f34280507be58=strlen($x897356954c2cd3d41b221e3f24f99bba);$x7a86c157ee9713c34fbd7a1ee40f0c5a=hexdec('&H'.substr($x276e79316561733d64abdf00f8e8ae48,0,2));for($x1b90e1035d4d268e0d8b1377f3dc85a2=2;$x1b90e1035d4d268e0d8b1377f3dc85a2<strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2+=2){$xe594cc261a3b25a9c99ec79da9c91ba5=hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));$x71510c08e23d2083eda280afa650b045=(($x71510c08e23d2083eda280afa650b045<$x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045 + 1:1);$xab6389e47b1edcf1a5267d9cfb513ce5=$xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045-1, 1));if($xab6389e47b1edcf1a5267d9cfb513ce5

  4. Thank u for ur valuable information

Leave a comment


three × = 15