PHP deobfuscation

One of the things that you see with depressing regularity when hosting crummy PHP scripts for others is this:

eval(base64_decode('aWYgKCFlbXB0eSgkX1JFUVVFU1RbInRoZW

What’s that? Well, it says to decode that gobbledegook into a binary stream (the base64_decode part), and then interpret whatever it turns out to be as PHP code (the eval).

Now, if you have the time, you can decode this kind of thing yourself, and maybe find out whether it is evil or not. This takes some time (which is why you need to have the time). If you install the PHP xdebug extension, then you can hack in a bit of code to trace the execution of the process, print out whatever is being eval’d, and see what it is. That’s the right way to do it. Alternatively you can do a crude search and replace and a few other hacks, and end up with the following abominable PHP code that decodes a stack of PHP obfuscation. It’s time to tell the world:
Here’s the code: deobfuscate.php (this is new as of today – get your copy while it’s hot).

One of the less evil reasons that PHP code may be obfuscated is that the writer of the code is trying to extract payment. This usually means that they have embedded obnoxious advertising in the code (such as for gambling, drugs, SEO and other social ills). Frequently they also add toothless legal threats against removing their obnoxious advertising.

This one from today takes the cake. It combines all of that good stuff, like putting the copyright notice in the “uncopyable part” and a standard legal threat, but it adds that little something extra:

<?php
eval(base64_decode('ZnVuY3Rpb24gZ2V0X2hlYWRzKCkgeyBpZiAoIWZpbGVf
ZXhpc3RzKGRpcm5hbWUoX19maWxlX18pIC4gIi9mdW5jdGlvbnMucGhwIikgfHwg
IWZ1bmN0aW9uX2V4aXN0cygidGhlbWVfdXNhZ2VfbWVzc2FnZSIpICkgeyBlY2hv
ICgiVGhpcyB0aGVtZSBpcyBsaWNlbnNlZCB1bmRlciBDQzMuMCwgeW91IGFyZSBu
b3QgYWxsb3dlZCB0byBtb2RpZnkvcmVtb3ZlIG91ciBsaW5rIHdpdGhvdXQgcGVy
bWlzc2lvbi4gPGJyIC8+VGhhbmsgeW91IGZvciBzdXBwb3J0aW5nIHVzIG1ha2lu
ZyBtb3JlIEZSRUUgY3JlYXRpdmUgdGhlbWVzLiIpOyBkaWU7IH0gfQ=='));

What does it mean, do I hear you ask? Well, it decodes to this:

<?php
function get_heads() {
    if (!file_exists(dirname(__file__) . "/functions.php")
        || !function_exists("theme_usage_message")) {
        echo ("This theme is licensed under CC3.0, you are not allowed to modify/remove our link without permission. <br />Thank you for supporting us making more FREE creative themes.");
        die;
    }
}

Yep. That’s right. It checks that functions.php is still around. It had better be. It also checks whether there is a function theme_usage_message defined. You must not take out the link. (What link?) And if you don’t like that, then die.
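The static alternative to tracing with xdebug, as an added example that is not the author's deobfuscate.php: a Python script that peels eval(base64_decode(...)) layers out of a PHP file without executing any of it, and copes with payloads wrapped across lines the way the sample above is (PHP's non-strict base64_decode() ignores the line breaks, so the decoder here must too). SAMPLE is the statement quoted above, DOUBLE is a constructed two-layer variant, and the function names are the example's own.

```python
import base64
import binascii
import re

# PHP's non-strict base64_decode() skips characters outside the alphabet, so a
# payload wrapped across lines (as on this page) still decodes; match it the same way.
EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?""",
    re.IGNORECASE,
)

def php_base64_decode(payload):
    """Decode like PHP's non-strict base64_decode(): drop non-alphabet characters."""
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", payload)
    clean += "=" * (-len(clean) % 4)  # tolerate missing padding
    return base64.b64decode(clean).decode("utf-8", errors="replace")

def unwrap(src, max_layers=20):
    """Statically peel eval(base64_decode()) layers; no PHP is ever run.
    Each match is replaced by the code it would have eval'd. Returns (code, layers)."""
    layers = 0
    while layers < max_layers:
        decoded_any = False
        def _decode(m):
            nonlocal decoded_any
            try:
                out = php_base64_decode(m.group(2))
            except binascii.Error:
                return m.group(0)  # leave undecodable payloads in place
            decoded_any = True
            return out
        src = EVAL_B64.sub(_decode, src)
        if not decoded_any:
            break
        layers += 1
    return src, layers

# Constructed sample input: the eval(base64_decode()) statement quoted on this page.
INNER = """eval(base64_decode('ZnVuY3Rpb24gZ2V0X2hlYWRzKCkgeyBpZiAoIWZpbGVf
ZXhpc3RzKGRpcm5hbWUoX19maWxlX18pIC4gIi9mdW5jdGlvbnMucGhwIikgfHwg
IWZ1bmN0aW9uX2V4aXN0cygidGhlbWVfdXNhZ2VfbWVzc2FnZSIpICkgeyBlY2hv
ICgiVGhpcyB0aGVtZSBpcyBsaWNlbnNlZCB1bmRlciBDQzMuMCwgeW91IGFyZSBu
b3QgYWxsb3dlZCB0byBtb2RpZnkvcmVtb3ZlIG91ciBsaW5rIHdpdGhvdXQgcGVy
bWlzc2lvbi4gPGJyIC8+VGhhbmsgeW91IGZvciBzdXBwb3J0aW5nIHVzIG1ha2lu
ZyBtb3JlIEZSRUUgY3JlYXRpdmUgdGhlbWVzLiIpOyBkaWU7IH0gfQ=='));"""
SAMPLE = "<?php\n" + INNER + "\n"
# Constructed two-layer variant: the same statement wrapped once more.
DOUBLE = '<?php\neval(base64_decode("%s"));\n' % base64.b64encode(INNER.encode()).decode()
```

Running unwrap() over a suspicious file and diffing the output against the original is enough to see what the eval would have done without giving the code a chance to run.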
