Skip to content

Instantly share code, notes, and snippets.

@Shagshag
Last active July 3, 2023 21:45
Show Gist options
  • Save Shagshag/5848915 to your computer and use it in GitHub Desktop.
Save Shagshag/5848915 to your computer and use it in GitHub Desktop.
Unobfuscate this type of code : "eval(gzinflate(base64_decode(strrev('AYwtRlkyv8MKXlcyNj09QdFyO30S'))));"
<?php
$obfuscated = "eval(gzinflate(base64_decode(strrev('AYwtRlkyv8MKXlcyNj09QdFyO30S'))));";
$decoder = new unobfuscate($obfuscated);
echo $decoder->decode(); // echo 'Hello world';
class unobfuscate
{
public $string; // string to decode
public function __construct($string)
{
$this->string = $string;
}
/**
* return the decoded string
* @return string
**/
public function decode()
{
$x = $this->string;
while (substr($x, 0, 5) == 'eval(') {
$prev = $x;
$string = substr($x, 5, strlen($x) - 8);
$x = $this->my_eval($string);
}
echo $x;
}
/**
* eval a string without execute it
*
* @param string $string
* @return string
**/
public function my_eval($string) {
if (
($string[0] == '\'')
|| ($string[0] == '"')
) {
// found the string 'AYwtRlkyv8MKXlcyNj09QdFyO30S'
return substr($string, 1, strlen($string) - 2); //
} else {
// we have something like function(xxxx);
// search the function name
$pos = strpos($string, '(');
$function = substr($string, 0, $pos);
// eval 'xxxx'
$arg = $this->my_eval(substr($string, $pos+1));
return $function($arg);
}
}
}
?>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment