Created
August 15, 2014 21:14
Recursively removes the base64 "encryption" on some obfuscated PHP files. First and only CLI parameter is the path to the encoded file.
```php
<?php
/* Works on targets that are in this format:
 * <?php $FirstVar = 'base64here'; $SecondVar = '$ThirdVar = base64_decode($FirstVar); eval($ThirdVar);'; eval($SecondVar); ?>
 * Where the result of the base64_decode is more PHP that follows the above format.
 */

// First and only CLI argument: path to the encoded file.
$target = $argc < 2 ? "" : $argv[1];
if($target === "" || !is_file($target)) {
    echo "Bad target.\r\n";
    exit(1);
}

// The target is only read and decoded; it is never included or eval'd.
$src = file_get_contents($target);
if($src === false) {
    echo "Bad target.\r\n";
    exit(1);
}

for($i = 1; $i < PHP_INT_MAX; $i++) {
    // Capture the first single-quoted base64 literal assigned to a variable.
    if(!preg_match('%\$[A-Za-z]+ *= *\'([A-Za-z0-9\-_+/=]+)\';%', $src, $matches)) {
        // No further layer found: print what has been decoded so far and stop.
        exit("----------\r\n$src\r\n----------\r\nStopped after $i iteration".($i==1?"":"s").".\r\n");
    }
    // Replace the working source with the decoded inner layer.
    $src = base64_decode($matches[1]);
}
echo "Must go deeper...\r\n";
exit(1);
```
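The layer-peeling approach above, extended into a triage helper as an added example that is not part of the original gist: it records the size and SHA-256 of every layer, caps the depth, and stops when the decode-and-eval stub is missing, so an ordinary string assignment in the final payload is not decoded as another layer. `peel_layers`, `wrap_once`, the depth limit, the report keys and the sample payload are assumptions made for this example.

```php
<?php
// Added example, not the gist's code. Static analysis only: nothing is eval'd.

// Peel nested layers of the wrapper format and report on each one.
// peel_layers(), $maxDepth and the report keys are choices made for this example.
function peel_layers(string $src, int $maxDepth = 64): array
{
    // Standard base64 alphabet only, so strict decoding below can validate it.
    $pattern = '%\$[A-Za-z_][A-Za-z0-9_]*\s*=\s*\'([A-Za-z0-9+/]+={0,2})\';%';
    $layers = [];
    while (preg_match($pattern, $src, $m)) {
        // Only treat the literal as a layer if the decode-and-eval stub is present;
        // otherwise an ordinary string assignment in the final payload would be decoded.
        if (strpos($src, 'base64_decode(') === false || strpos($src, 'eval(') === false) {
            break;
        }
        if (count($layers) >= $maxDepth) {
            return ['complete' => false, 'layers' => $layers, 'payload' => $src];
        }
        $decoded = base64_decode($m[1], true); // strict: returns false on invalid input
        if ($decoded === false) {
            break;
        }
        $layers[] = ['bytes' => strlen($decoded), 'sha256' => hash('sha256', $decoded)];
        $src = $decoded;
    }
    return ['complete' => true, 'layers' => $layers, 'payload' => $src];
}

// Constructed sample: a harmless payload wrapped three times in the gist's format.
function wrap_once(string $php): string
{
    return "<?php \$a = '" . base64_encode($php) . "'; "
         . "\$b = '\$c = base64_decode(\$a); eval(\$c);'; eval(\$b); ?>";
}

$sample = '<?php $greeting = \'hello\'; echo $greeting; ?>';
for ($i = 0; $i < 3; $i++) {
    $sample = wrap_once($sample);
}

$report = peel_layers($sample);
printf("layers: %d, complete: %s\n", count($report['layers']), $report['complete'] ? 'yes' : 'no');
foreach ($report['layers'] as $n => $layer) {
    printf("  layer %d: %d bytes, sha256 %s\n", $n + 1, $layer['bytes'], $layer['sha256']);
}
// Escape control bytes so a hostile payload cannot inject terminal escape sequences.
echo addcslashes($report['payload'], "\0..\37\177..\377"), "\n";
```

The constructed payload deliberately contains `$greeting = 'hello';`, which matches the literal pattern but is left untouched because the surrounding text has no decode-and-eval stub.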