Reversing a PHP Script Dynamically and Statically
A reader sent me two PHP scripts because the PHP Converter program I wrote wasn't able to handle it. They are both similar so I'll just work on one of them in this post. Here's what it looks like:
And this is what happens when you try to use PHP Converter:
Let's reverse this script dynamically and then statically.
First, I'll just change the 'eval' keyword to 'echo'.
And take a peek at what's going on.
Yikes, this is messed up! I thought the PHP file got corrupted somehow but then I looked closely and noticed several PHP keywords. This is actually a pretty clever technique. Basically the script is converting the strange characters to text but it's surrounded by long, seemingly random strings that are variable names.
So I figure I would just write it out to a file and then change the 'eval' I noticed at the end to 'echo'.
Here's the resulting file:
I'll just make that quick change and run it again.
Cool, now we know what this script does!
Now let's reverse this script statically.
Here's a new, fixed version of PHP Converter. I added a filter to present the results of the deobfuscation without stopping if it encounters any strange characters. The characters outside the alphanumeric range will be represented by a neutral character.
I also added the ability to output the result to Base64 format and/or to a file. With both options checked, you will get a text file of the result encoded in Base64 so the binary values will be preserved.
Now I can convert this base64-encoded string to text using Converter.
After cleaning this up, we can see that the section below is XOR'ing the blob using the decimal value of '30' which is assigned to the first variable.
I'm going to convert the base64-encoded string to hex this time.
Then send the data to Converter's Key Search/Convert feature and set the values accordingly:
And I get this result. The junk at the top and bottom is the result of XOR'ing the original text so I can ignore that.
There are other ways to get to the final result but I think these two methods are straightforward and quick/easy to do.
The updated version of PHP Converter can be downloaded from the Tools page.