
@i64
Last active August 27, 2018 11:26
'''
phpkilit.com deobfuscator
Date: 1535082393
'''
import binascii
import json
import zlib
import base64
import phply
import json
import sys
from phply.phplex import lexer
from phply.phpparse import make_parser
# Shared phply switch: passed as ``tracking=`` when parsing (see getter) and as
# ``with_lineno=`` when converting AST nodes with ``generic()`` (see export).
with_lineno = True
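def top(a):
    """Evaluate the constant arithmetic on the right-hand side of a PHP assignment.

    ``a`` is an assignment node in phply's generic tuple form. ``a[1]['expr']``
    is either an int, which is returned unchanged, or a binary-operation node
    whose ``left`` operand may itself be a binary operation. The chain is
    folded from the innermost ``left`` outwards: ``((l op r) op r) op r``.

    Operands and operators originate from the file being deobfuscated, so they
    are treated as untrusted data and never passed to ``eval``: only int/float
    operands and the operators listed in the table below are accepted.

    Raises:
        ValueError: an operand is not an int or float, or the operator is not
            in the table.
    """
    import operator  # function-scope import: only this function needs it

    expr = a[1]['expr']
    if type(expr) == int:
        return expr

    apply_op = {
        '+': operator.add,
        '-': operator.sub,
        '*': operator.mul,
        '/': operator.truediv,
        '%': operator.mod,
        '&': operator.and_,
        '|': operator.or_,
        '^': operator.xor,
    }

    def numeric(value):
        # Fail closed: anything that is not a plain number is rejected rather
        # than interpreted.
        if type(value) not in (int, float):
            raise ValueError(
                "unsupported operand in constant expression: %r" % (value,))
        return value

    # Collect every level of the left spine, outermost first.
    levels = []
    node = expr[1]
    while type(node['left']) is tuple:
        levels.append(node)
        node = node['left'][1]
    levels.append(node)

    # Fold from the innermost operation outwards.
    result = numeric(node['left'])
    for level in reversed(levels):
        op = level['op']
        if op not in apply_op:
            raise ValueError(
                "unsupported operator in constant expression: %r" % (op,))
        result = apply_op[op](result, numeric(level['right']))
    return result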
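def fon(s, n, nb):
    """Rotate the characters of ``s`` backwards through the alphabet ``nb``.

    Each character of ``s`` that occurs in ``nb`` is replaced by the character
    ``n`` positions earlier in ``nb`` (wrapping around, with ``n`` reduced
    modulo ``len(nb)``). Characters that do not occur in ``nb`` are copied
    unchanged. If a character appears more than once in ``nb``, its first
    position is the one used.

    An empty ``nb`` maps nothing, so ``s`` is returned unchanged.
    """
    size = len(nb)
    if size == 0:
        return ''.join(s)

    # n may be a float when it came out of a division; truncate after reducing.
    shift = int(n % size)

    # Build the substitution once instead of searching nb for every character.
    table = {}
    for pos, ch in enumerate(nb):
        table.setdefault(ch, nb[(pos - shift) % size])

    return ''.join(table.get(ch, ch) for ch in s)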
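def _nested_call_arg(call, positions):
    """Follow one argument position per nesting level through generic call tuples."""
    node = call
    for position in positions:
        node = node[1]['params'][position][1]['node']
    return node


def export(items, name):
    """Return the first top-level node of interest, or None if there is none.

    ``items`` is the statement list produced by the parser; nodes that offer
    ``generic()`` are converted to tuple form first.

    * ``name == 0``: return the first ``FunctionCall`` that is nested six calls
      deep along one of the two argument layouts probed below and whose
      innermost argument is truthy. The second layout is only probed when the
      first one cannot be followed at all.
    * otherwise: return the first ``Assignment`` whose target is named ``name``.
    """
    # Only structural mismatches are expected while probing a layout; anything
    # else (KeyboardInterrupt, real bugs) must not be swallowed.
    lookup_errors = (KeyError, IndexError, TypeError)

    for item in items or ():
        if hasattr(item, 'generic'):
            item = item.generic(with_lineno=with_lineno)
        if name == 0:
            if item[0] != 'FunctionCall':
                continue
            try:
                found = _nested_call_arg(item, (0, 0, 0, 0, 0, 0))
            except lookup_errors:
                try:
                    found = _nested_call_arg(item, (1, 1, 0, 0, 0, 1))
                except lookup_errors:
                    continue
            if found:
                return item
        elif item[0] == 'Assignment' and item[1]['node'][1]['name'] == name:
            return item
    return None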
def fon2(obsf):
    """Decode a doubly hex-encoded, raw-deflate blob into UTF-8 text.

    The input comes from the file under analysis and the inflated size is not
    capped here.
    """
    inner_hex = binascii.unhexlify(obsf)
    deflated = binascii.unhexlify(inner_hex)
    # Negative wbits: raw deflate stream without a zlib header or checksum.
    inflated = zlib.decompress(deflated, -zlib.MAX_WBITS)
    return inflated.decode("utf-8")
def getter(inp, name=0):
    """Parse PHP source ``inp`` and return the node that export() selects.

    ``name`` is forwarded to export(): 0 selects the nested wrapper call, any
    other value selects the assignment to the variable of that name.
    """
    tree = make_parser().parse(inp, lexer=lexer, tracking=with_lineno)
    return export(tree, name)
def kill(obsf, deg, key, inp):
    """Undo one outer layer and return the PHP text it wraps.

    ``deg`` names a variable assigned in ``inp``; its constant value is the
    rotation amount. ``obsf`` is hex -> base64 -> raw deflate around text that
    fon() un-rotates with alphabet ``key`` and that is then base64-decoded.
    """
    # Resolve the rotation amount from the assignment to the variable `deg`.
    shift = top(getter(inp, deg))
    packed = base64.b64decode(binascii.unhexlify(obsf))
    # Negative wbits: raw deflate stream without a zlib header.
    rotated = zlib.decompress(packed, -zlib.MAX_WBITS).decode('utf-8')
    restored = fon(rotated, shift, key)
    return base64.b64decode(restored).decode("utf-8")
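# Read the obfuscated PHP sample named on the command line; the handle is
# closed as soon as the text is in memory.
with open(sys.argv[1]) as sample:
    kod = sample.read()

# Layers 1 and 2: the wrapper call carries the rotation alphabet (key), the
# name of the variable holding the rotation amount (deg) and the encoded
# payload (obsf) at fixed argument positions.
for _ in range(2):
    a = getter(kod, 0)
    if a is None:
        sys.exit("no matching wrapper call found in input")
    inner = a[1]['params'][0][1]['node'][1]['params'][0][1]['node'][1]['params']
    key = inner[2][1]['node']
    deg = inner[1][1]['node'][1]['name']
    obsf = inner[0][1]['node'][1]['params'][0][1]['node'][1]['params'][0][1][
        'node'][1]['params'][0][1]['node']
    # [2:] drops the first two characters of the decoded layer
    # (presumably a leading "?>" -- confirm against a sample).
    kod = kill(obsf, deg, key, kod)[2:]

# Layers 3 and 4: a doubly hex-encoded deflate payload at a different fixed
# argument position.
for _ in range(2):
    a = getter(kod, name=0)
    if a is None:
        sys.exit("no matching wrapper call found in input")
    kod = fon2(a[1]['params'][1][1]['node'][1]['params'][1][1]['node'][1]['params'][0][1]['node']
               [1]['params'][0][1]['node'][1]['params'][0][1]['node'][1]['params'][1][1]['node'])[2:]

# The recovered PHP is only printed, never executed.
print(kod)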