Last active
February 19, 2024 21:14
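PHPkoru.com v1.0.7 deobfuscator. It eval()s decoder code taken from the encrypted file, so run it only in an isolated environment (for example a throwaway VM or container) to contain anything the eval'd code does.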
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
<?php | |
// Put the encrypted code in encrypted.php, or pass the file name as an argument:
// $ php phpkoru-deobfuscate-3.php encryptedfilename.php
// UPDATED for v1.0.7: if you are getting the error "IV passed is only 15 bytes long", try this version.
// This script eval()s code read from the encrypted file; run it only in an isolated, disposable environment.
// for decrypting advanced (.dll/.so) version contact me on telegram
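/**
 * Try to recover the original source from a PHPkoru-protected file.
 *
 * SECURITY: the decoder layers found in $fn are executed with eval(). That
 * code comes from the sample and is untrusted, so this function must only be
 * run in an isolated, disposable environment. The loop stops before
 * evaluating a layer that mentions `extension_loaded`, but every earlier
 * layer is executed as-is.
 *
 * @param string $fn    Path of the protected file.
 * @param string $b64   Name of the variable the sample calls where this
 *                      function assigns "base64_decode".
 * @param string $rot13 Name of the variable the sample calls where this
 *                      function assigns "str_rot13".
 * @return string|false Decoded source, or false when a marker, the key/IV
 *                      or the decryption step could not be resolved.
 */
function trydecrypt($fn, $b64='fge_ebg13', $rot13='bcraffy_qrpelcg'){
    // The alias names may have been extracted from the untrusted file. Accept
    // only plain PHP identifiers (bytes 0x80-0xff are legal, which covers the
    // U+200E case) so a crafted "name" can never be parsed as code.
    $identifier = '/^[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*$/';
    if (!is_string($b64) || !is_string($rot13)
        || !preg_match($identifier, $b64) || !preg_match($identifier, $rot13)) {
        return false;
    }

    // Define the two aliases the decoder layers call. Variable variables do
    // the same job as the former eval('$name="...";') without parsing input.
    ${$b64} = 'base64_decode';
    ${$rot13} = 'str_rot13';

    if (!is_string($fn) || !is_file($fn) || !is_readable($fn)) {
        return false;
    }
    $input = file_get_contents($fn);
    if ($input === false) {
        return false;
    }

    // Payload between the [PHPkoru_Code] ... [/PHPkoru_Code] markers.
    $afterOpen = explode("[PHPkoru_Code]", $input);
    if (count($afterOpen) < 2) {
        return false; // Not a PHPkoru file: opening marker missing.
    }
    $encrypted = explode("[/PHPkoru_Code]", $afterOpen[1])[0];

    // First decoder layer: the rest of the line after `$b64($rot13(`.
    $call = '$'.$b64.'($'.$rot13.'(';
    $afterCall = explode($call, $input);
    if (count($afterCall) < 2) {
        return false; // Decoder call not found with these alias names.
    }
    $decryptor = 'eval(' . $call . explode("\n", $afterCall[1])[0];

    // Peel the layers: turn each `eval` into `return` so evaluating the layer
    // hands back the next layer's source instead of running it.
    while (strpos($decryptor, 'eval') !== false) {
        $decryptor = str_replace('eval', 'return ', $decryptor);
        if (strpos($decryptor, 'extension_loaded') !== false)
            break; // Final layer reached; it is parsed below, not executed.
        try {
            // SECURITY: executes untrusted code from the sample (see header).
            $decryptor = eval($decryptor);
        } catch (\ParseError $e) {
            return false; // Layer is not valid PHP; nothing to decode.
        }
        if (!is_string($decryptor)) {
            return false; // Layer did not return the next layer's source.
        }
    }

    $keys_s = explode('call_user_func', $decryptor);
    if (count($keys_s) < 2)
        return false; // Decryption failed, key/IV couldn't be found.
    $keys = $keys_s[1];

    // Newer samples append __LINE__ to the key expression.
    $uses_line = strpos($keys, ")).__LINE__, 0") !== false;

    // Segment 1 starts with the encoded key, segment 2 with the encoded IV.
    $segments = explode($call . '\'', $keys);
    if (count($segments) < 3)
        return false; // Decryption failed, key/IV couldn't be found.
    $keyEnd = $uses_line ? '\')).__LINE__, 0' : '\')), 0';
    $key = base64_decode(str_rot13(explode($keyEnd, $segments[1])[0]));
    $iv = base64_decode(str_rot13(explode('\'', $segments[2])[0]));
    if (!$key || !$iv)
        return false; // Decryption failed, key/IV couldn't be found.

    $ciphertext = base64_decode($encrypted);

    if ($uses_line) {
        // The digit is appended to the key and prepended to the IV.
        // NOTE(review): candidates 0 through 8 are tried; confirm whether 9
        // should be included as well.
        for ($ln = 0; $ln < 9; $ln++) {
            $decrypt_result = openssl_decrypt($ciphertext, "AES-256-CBC", $key.$ln, 0, $ln.$iv);
            if ($decrypt_result)
                return str_rot13(base64_decode(str_rot13($decrypt_result)));
        }
        return false;
    }

    $decrypt_result = openssl_decrypt($ciphertext, "AES-256-CBC", $key, 0, $iv);
    if ($decrypt_result === false)
        return false; // Wrong key/IV or damaged payload.
    return str_rot13(base64_decode(str_rot13($decrypt_result)));
}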
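/**
 * Locate the two alias variable names in a PHPkoru-protected file, decode it
 * with trydecrypt() and print the result.
 *
 * The names are read from untrusted input, so they are accepted only when
 * they are plain PHP identifiers; anything else prints the manual-usage hint.
 *
 * @param string $fn Path of the protected file.
 * @return void
 */
function decrypt($fn){
    $input = (is_string($fn) && is_file($fn)) ? file_get_contents($fn) : false;
    if ($input === false) {
        echo 'Decryption failed';
        return;
    }

    // Text after the first `eval($`, cut at the end of that line. The
    // separator must be a real newline ("\n"); '\n' in single quotes is a
    // literal backslash followed by "n".
    $afterEval = explode('eval($', $input);
    $vars = count($afterEval) > 1 ? explode("\n", $afterEval[1])[0] : '';

    // Expected shape: <b64>($<rot13>('...
    $b64 = explode('($', $vars)[0];
    $rot13 = explode('($', explode('(\'', $vars)[0])[1] ?? '';

    // Bytes 0x80-0xff are legal in identifiers, so names that contain the
    // invisible U+200E character still pass.
    $identifier = '/^[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*$/';
    if (!preg_match($identifier, $b64) || !preg_match($identifier, $rot13)) {
        echo 'Cannot find function names. Open the encrypted code, find longest eval line, call trydecrypt with two variable names etc. trydecrypt($fn, "fge_ebg13", "eha_pbqr") -- some function names might have unicode U+200E invisible character';
        return;
    }

    $res = trydecrypt($fn, $b64, $rot13);
    if (!$res)
        echo 'Decryption failed';
    else
        print($res);
}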
// Entry point: decode the file named on the command line, falling back to
// encrypted.php in the current directory when no argument is given.
decrypt(isset($argv[1]) ? $argv[1] : "encrypted.php");
how to use?