#!/bin/bash
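# Peel nested eval(gzinflate(base64_decode(...))) layers off a suspect PHP file.
#
# SECURITY: every pass runs the sample through the PHP interpreter. Only the
# first " eval" on each line is rewritten to " echo", so any other statement
# in the file still executes. Run this only inside a disposable,
# network-isolated VM or container, as an unprivileged user, and on a copy of
# the file rather than the original evidence.
usage=" $0 \"full quoted path to hacked file\""
original_file="$1"
# Work in a private directory created by mktemp (mode 0700) instead of fixed
# names under /tmp: on a shared host a file or symlink pre-created at a
# predictable path would be followed by the redirections that write the
# intermediate files.
workdir=$(mktemp -d "${TMPDIR:-/tmp}/deobfuscate.XXXXXX") || {
  printf '%s\n' "mktemp failed: cannot create a private working directory" >&2
  exit 1
}
# rmdir only removes an empty directory, so this cleans up after an early
# exit (bad arguments) but never deletes a recovered payload. The error it
# prints when the directory is not empty is expected and silenced on purpose.
trap 'rmdir -- "$workdir" 2>/dev/null' EXIT
inputfile="$workdir/file1.php"   # output of the latest pass, input of the next
outputfile="$workdir/file2.php"  # current layer with " eval" turned into " echo"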
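# Print an error message and abort the script.
# Arguments: $@ - words of the message, joined into a single line
# Outputs:   the message on stderr, so it cannot be mistaken for results
# Exits:     always, with status 1
die()
{
  # "$*" joins the arguments explicitly; assigning "$@" to a scalar relies on
  # an implicit join and is flagged by ShellCheck (SC2124).
  local msg="$*"
  printf "%s\n" "$msg" >&2
  exit 1
}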
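# Report whether a file still carries an eval(gzinflate(base64_decode( layer.
# Arguments: $1 - path of the file to inspect
# Returns:   0 if the pattern is present, 1 otherwise (read errors included)
# Note: the pattern requires a space directly before "eval" and uses "." in
# place of each parenthesis, so spellings such as "@eval(" or an "eval" at the
# very start of a line are not recognised as a layer.
obfuscated ()
{
  local file="$1"
  # grep -E replaces the obsolescent egrep; -q stops at the first hit instead
  # of printing matches into /dev/null; -- keeps a path that begins with "-"
  # from being parsed as an option.
  if grep -Eq -- ' eval.gzinflate.base64_decode.' "$file"; then
    return 0
  fi
  return 1
}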
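# Pass counter shown in the progress lines printed by deobfuscate.
c=1
# Unwrap eval(gzinflate(base64_decode(...))) layers until none is left.
#
# SECURITY: each pass EXECUTES the sample with php. The sed expression has no
# "g" flag, so only the first " eval" on a line becomes " echo"; everything
# else in the file runs as written. Use an isolated, disposable analysis
# machine with no network access and an unprivileged account.
#
# Globals:   c (read/written), inputfile, outputfile (read)
# Arguments: $1 - path of the file to start from
# Outputs:   one "Pass N : <md5>  <file>" line per pass, then the STOP line
# Exits:     0 once no layer remains; 1 (via die) if a pass cannot complete
deobfuscate ()
{
  local inf="$1"
  local status
  # Loop instead of recursing so a sample with very many layers does not keep
  # growing the shell's call stack.
  while :; do
    printf 'Pass %s : ' "$c"
    md5sum -- "$inf"
    if ! obfuscated "$inf"; then
      echo "STOP: Check $inputfile for payload"
      exit 0
    fi
    sed 's/\ eval/ echo/' "$inf" > "$outputfile" \
      || die "Pass $c: could not write $outputfile"
    php "$outputfile" > "$inputfile"
    status=$?
    if (( status != 0 )); then
      # A layer may still have printed its payload before failing, so warn
      # rather than abort; the emptiness check below catches a dead end.
      printf 'warning: php exited with status %d on pass %d; output may be incomplete\n' \
        "$status" "$c" >&2
    fi
    # Without this check a missing php binary or a crashed layer would fall
    # through to the STOP message and point the analyst at an empty file.
    [[ -s "$inputfile" ]] || die "Pass $c: php produced no output in $inputfile"
    c=$((c + 1))
    inf="$inputfile"
  done
}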
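# Require a readable regular file; a missing argument or a directory gets the
# usage text instead of a misleading "does not contain" message.
[[ -f "$original_file" && -r "$original_file" ]] || die "$usage"
# Only start unwrapping when the first layer is actually present.
if obfuscated "$original_file"; then
  deobfuscate "$original_file"
else
  # The path is kept inside one quoted string: the original closed and
  # reopened the quotes around it, which left it open to word splitting and
  # glob expansion.
  die "Original file $original_file does not contain eval(gzinflate(base64_decode(..."
fi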
@kevinquinnyo

Example output:

$ /tmp/decode.sh /tmp/hacked.php
Pass 1 : 0474655c8ec9522e79050e92e6091cf5  /tmp/hacked.php
Pass 2 : c4dc4f435b256e09309b594235f5c682  /tmp/file1.php
Pass 3 : c8663f798ece322a62e526b74a74c6dc  /tmp/file1.php
Pass 4 : 7688ffa608410c8128d8c2d8553d1d90  /tmp/file1.php
Pass 5 : f10641a2d78b5686cc5f7ddeb756bd9c  /tmp/file1.php
Pass 6 : 108b40340fdb8f7cb664e71daedf346f  /tmp/file1.php
Pass 7 : 203728c9671838e4259821e11a0e590f  /tmp/file1.php
Pass 8 : 64bde441e9ccee3c4d856c0627655412  /tmp/file1.php
Pass 9 : 99a08126e7275832771903c525de008c  /tmp/file1.php
Pass 10 : 815a3db7994ba62ed45e54688bab82ac  /tmp/file1.php
Pass 11 : 6ef689540173abfc593a83d11448ba48  /tmp/file1.php
Pass 12 : 83a9783bb55578307b7c543e267682ac  /tmp/file1.php
Pass 13 : 0da2dd6af4ef751e3a2b39da405dbfee  /tmp/file1.php
Pass 14 : 9e39800a8a6fb92ec941d95681f7913e  /tmp/file1.php
Pass 15 : fe362b043179eb9f8abeccf0da747ca8  /tmp/file1.php
Pass 16 : ad9fc4331d5c523903d6cf7eef67374f  /tmp/file1.php
Pass 17 : 04877dd73bd577a85528d0be7d23dc7f  /tmp/file1.php
Pass 18 : e756c8260cd1ff3f461aa0f9d3fcc6b3  /tmp/file1.php
Pass 19 : ae6e59d6ef05e25adfa446fe98577b7a  /tmp/file1.php
Pass 20 : ded0a98cf094e839f2ed09455e491ba5  /tmp/file1.php
Pass 21 : 02309aef370ab13d3a08bdf761863c3e  /tmp/file1.php
Pass 22 : 71643931446a1e4c13a934e817fc5fe3  /tmp/file1.php
Pass 23 : 3edca1f9018d42a3f117a7b0e701911b  /tmp/file1.php
Pass 24 : 670272fdccf2db370a0689b6f135064c  /tmp/file1.php
Pass 25 : ffad63223199caae3efb175fd44c68af  /tmp/file1.php
Pass 26 : c15eef031211d73269d77fcb7cb75a78  /tmp/file1.php
Pass 27 : a3c933924cbbc6bd3df5b891c7b73891  /tmp/file1.php
Pass 28 : df428542c526a71141b4eb45f76a3846  /tmp/file1.php
Pass 29 : 9a4a2f28634306cc6027c6e0d370229d  /tmp/file1.php
Pass 30 : 66402d6e2621850758c301a036f0dbab  /tmp/file1.php
Pass 31 : 0359001081428f27350a9c774619650b  /tmp/file1.php
Pass 32 : 72d2866860e99704c0797d90c873fde9  /tmp/file1.php
Pass 33 : 64b51db7f12d62f42c0ae34d1783e341  /tmp/file1.php
Pass 34 : 06b7a896ea4063ab23369b57b7d6c226  /tmp/file1.php
Pass 35 : e2b3fde4ca18d327e5bf8778cc19fbf1  /tmp/file1.php
Pass 36 : 8b88f74278c8f9a52d698c35002eb594  /tmp/file1.php
Pass 37 : e66f554927de5315c04429a88789b59c  /tmp/file1.php
Pass 38 : d81516be55cb7a27d5c68a17f7d9f2ea  /tmp/file1.php
Pass 39 : a6aa11f9bc0bc1574c358b36be3f6017  /tmp/file1.php
Pass 40 : bb8d30842f315d9039a8ddfb42594f7a  /tmp/file1.php
Pass 41 : 88039c99e6a55150b5c03d7ba2e916a5  /tmp/file1.php
Pass 42 : 08f477cf9aed3b9dbd45e31df863cd2c  /tmp/file1.php
Pass 43 : 4e4d676c894ecc89ab5d14447e3d9da8  /tmp/file1.php
Pass 44 : a1c59b08105cd68c2c91556d4a38a79b  /tmp/file1.php
Pass 45 : c02690e52688c344c93e86ff3dcfc3f2  /tmp/file1.php
Pass 46 : 3e79142549eea68c1f829561c3c69785  /tmp/file1.php
Pass 47 : 36932e192952ef265b8b0ac3e214688a  /tmp/file1.php
Pass 48 : 7a8b3e4c031aebbbf6e6caf94a04ad28  /tmp/file1.php
Pass 49 : dbc6166cd833c61c2610cc412c6119c8  /tmp/file1.php
Pass 50 : adafd234851bf02856236e35c850e676  /tmp/file1.php
Pass 51 : 985f564450baa5e4389a4f42a1f18264  /tmp/file1.php
Pass 52 : d0a55c4b715fff253fdc268340f01605  /tmp/file1.php
Pass 53 : 9d920937b1712e97ef62090c9daf143a  /tmp/file1.php
Pass 54 : 1b849e14cd24a5f449d36e0087cc1783  /tmp/file1.php
Pass 55 : 5532aa39b9aa7534ca0288f459ed3a38  /tmp/file1.php
Pass 56 : b537a6c779bc379063208b15c1ae3714  /tmp/file1.php
Pass 57 : 6212e9b8ab32e44b162cc9532968bc79  /tmp/file1.php
Pass 58 : b9a1dea07c6f6bedf0844babaa8c76c0  /tmp/file1.php
Pass 59 : 376d2853d7f8e63d3a0c4f2af5e2ed8f  /tmp/file1.php
Pass 60 : 89d8f66d0c273462ceb2122e307ecac9  /tmp/file1.php
Pass 61 : 0e2c3ee9a59a43c53e18fb3ec9e17823  /tmp/file1.php
Pass 62 : 5a023b4c0e833a4edc860fb484c80d12  /tmp/file1.php
Pass 63 : 9216e38951ef289a7a8b85dc381b4ef3  /tmp/file1.php
Pass 64 : fde3553b83a0350650d8ee495119c5d7  /tmp/file1.php
Pass 65 : 8b842471bfb0c7df1c85af4806fa700c  /tmp/file1.php
Pass 66 : 88d5ba5eee48453d213c43b419f2e13e  /tmp/file1.php
Pass 67 : 071177b2f0a106ccabd157e1c9b957df  /tmp/file1.php
Pass 68 : 7b20d6608ca5d9e4b2d5f381fcd4e7fd  /tmp/file1.php
Pass 69 : e0708a9317f695fb50e3c86af8ff0b16  /tmp/file1.php
Pass 70 : 90045e81beb1bd603ab8e577192d3485  /tmp/file1.php
Pass 71 : c5803fd9f4e0a2cfbea5139cae4974c3  /tmp/file1.php
Pass 72 : 85e40c884920dc4076fb49cc61918ec7  /tmp/file1.php
Pass 73 : 692b55c49b0d625704dcd9b0d0feb88c  /tmp/file1.php
Pass 74 : 50d510950f708f20b5ff265d746d75fc  /tmp/file1.php
Pass 75 : 413a4dea8cb803b6d2d4784baeba876e  /tmp/file1.php
Pass 76 : 50cf23cef8b1b8ea640f854fa0513272  /tmp/file1.php
Pass 77 : 5f7c73c4dd5f08437b969c872ee2741f  /tmp/file1.php
Pass 78 : 2c3e94b697e808c375b2882323016597  /tmp/file1.php
Pass 79 : 2bfa4b6ff26834f9d8305177abc57fdc  /tmp/file1.php
Pass 80 : 744f20cfed1a9dd38a791137c4a47ddf  /tmp/file1.php
Pass 81 : dba05de1d2f2f7892cb6e9c1fff66fb6  /tmp/file1.php
Pass 82 : 367f2d04665f7fea1b2068deb2938c4b  /tmp/file1.php
Pass 83 : 755ee623075d64f4e73d2dbcb92d9254  /tmp/file1.php
Pass 84 : 2c82592800db960fa5d4d05ab7d9d615  /tmp/file1.php
Pass 85 : 2751c2fefd2e7db761b1a0042446e032  /tmp/file1.php
Pass 86 : 012c741ea4a1830506ae9c3163f54ed0  /tmp/file1.php
Pass 87 : 6a302e74593743fe16d76466bd580948  /tmp/file1.php
Pass 88 : ec0b836247f56475dc6d0f2a9a8a0de8  /tmp/file1.php
Pass 89 : 35d376a75dec749daf2d02b5948d819c  /tmp/file1.php
Pass 90 : f550543678c424268e23fa281801a418  /tmp/file1.php
Pass 91 : f836bfd8afae0d369d662af9dfac8f3c  /tmp/file1.php
Pass 92 : 5c51fa9117c7b32fcb48143a8c7eeecf  /tmp/file1.php
Pass 93 : 393a58cf27d516995d7bd21a9995f0e1  /tmp/file1.php
Pass 94 : 27b180dacb0a1909c63277f011034bcc  /tmp/file1.php
Pass 95 : a2ded60a45adebaf66711d9520dddce7  /tmp/file1.php
Pass 96 : b1b1c4f0954ec32d41cd772f2bf4ade2  /tmp/file1.php
Pass 97 : 931cef89fac899a70736bb4eb9c11465  /tmp/file1.php
Pass 98 : e7b1957c6ac9f80936a94ca74d4da196  /tmp/file1.php
Pass 99 : d9a7c6562abc9a54ebb031dc08d2fed8  /tmp/file1.php
Pass 100 : ddcbb9c896be3df740c005b57d45f6cb  /tmp/file1.php
Pass 101 : 133df96c6ba8985c58396908e0c4c8e3  /tmp/file1.php
Pass 102 : 2612386894499b8860b33ac5f858d778  /tmp/file1.php
Pass 103 : ae892fe90d9b1605487871b83c1972d2  /tmp/file1.php
Pass 104 : cf54f7dfcc594e5f2a4ba40655da5257  /tmp/file1.php
Pass 105 : c3b855e44e1e1585e77883fbe5e33d8b  /tmp/file1.php
Pass 106 : 3b84133200e05483451751f55d329e8c  /tmp/file1.php
Pass 107 : 6ea7edc0c6c1d970c704d75c9c32d84f  /tmp/file1.php
Pass 108 : 720369742b35ad39487dce0b0656854b  /tmp/file1.php
Pass 109 : 0472a3e36592a293efe6f06bb4bb6362  /tmp/file1.php
Pass 110 : 885fc2f5bd4d582deeecf62c16e1bc9d  /tmp/file1.php
Pass 111 : 1fc4818cff4b5eead3a647efa4c479ba  /tmp/file1.php
Pass 112 : cd3c64b6b186253dea39303ea685c346  /tmp/file1.php
Pass 113 : 1c3e2fcfcdc75c9ce3f916d793e94a95  /tmp/file1.php
Pass 114 : 27a7a62991e64c5ee8b1ef657a16d3ee  /tmp/file1.php
Pass 115 : ac235f6e0387ad89656450094cc2d921  /tmp/file1.php
Pass 116 : 50eee83e7607c8ee493a04bfeda1bcc8  /tmp/file1.php
Pass 117 : 5e56e4c271d51a23391fa43189f9e999  /tmp/file1.php
Pass 118 : eaab308420fdf1c7b0f089ef889b6ff5  /tmp/file1.php
STOP:  Check /tmp/file1.php for payload
