@onesixromcom
Created June 2, 2025 20:21
A dummy decoder of encoded php files.
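#!/bin/bash
# A dummy decoder of encoded php files.
# usage: php-decode.sh ./folder
# The decoder stub extracted from each file is executed with the php CLI
# (step3.php below), so the php binary must be on PATH.

if [ -z "$1" ]; then
    echo "Search dir should be provided as a param"
    exit 1
fi

SEARCH_PATH="$1"
if [ ! -d "$SEARCH_PATH" ]; then
    echo "The param should be a folder, not file!"
    exit 1
fi

decode_php_file() {
    local FILENAME="$1"
    local CODE1 STEP1
    # Get the encoded php code (the value assigned to $_X).
    CODE1=$(grep -oP "(?<=\\\$_X=')[^']*" "$FILENAME")
    # Get the secret code (the base64 argument passed to _D()).
    STEP1=$(grep -oP "(?<=_D\(')[^']*(?='\))" "$FILENAME")
    if [ -z "$CODE1" ] || [ -z "$STEP1" ]; then
        echo "File $FILENAME is not encoded."
        return
    fi
    php -r "echo base64_decode('$STEP1');" > step1.php
    # The patch below is the only thing that stops the stub from running in full.
    # If its marker is missing, do not execute anything from this file.
    if ! grep -qF '$_R=str_replace' step1.php; then
        echo "File $FILENAME has an unexpected decoder stub, skipped."
        return
    fi
    # Prepend data to the beginning of the file. Single quotes match the
    # original assignment, so php does not interpolate the payload.
    printf '%s\n' "<?php \$_X='$CODE1';" > step2.php
    # Disable trash data: print the decoded $_X and stop before the rest runs.
    sed -i 's/\$_R=str_replace/echo $_X;die;&/' step1.php
    # Concat files and decode.
    cat step2.php step1.php > step3.php
    # Overwrite the original only when php produced output.
    if php -f step3.php > step4.php && [ -s step4.php ]; then
        cat step4.php > "$FILENAME"
        echo "$FILENAME possibly was decoded."
    else
        echo "Decoding $FILENAME failed, file left unchanged."
    fi
}

# Find php files in the folder.
PHP_FILES=()
while IFS= read -r -d '' foundFile; do
    PHP_FILES+=("$foundFile")
done < <(find "$SEARCH_PATH" -maxdepth 20 -type f -name "*.php" -print0 2> /dev/null)

if [[ ${#PHP_FILES[@]} -ne 0 ]]; then
    for filename in "${PHP_FILES[@]}"; do
        decode_php_file "$filename"
    done
    # Remove the temporary files.
    rm -f step1.php step2.php step3.php step4.php
fi
echo "Finished decoding php files."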
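
A static pre-check for the same markers, as an added example that is not part of the gist: it classifies a file without running any PHP and reports whether the `$_R=str_replace` marker that the decoder patches is present in the base64 stub. The function names and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: static triage only; nothing from the inspected file is executed.

# Print one word for FILE:
#   plain        - the $_X='...' payload / _D('...') stub pair is not present
#   hook-present - the stub decodes and contains the $_R=str_replace marker
#   hook-missing - a stub exists, but the marker is absent or the base64 is invalid
classify_encoded_php() {
    local file="$1" payload stub_b64 stub
    # The same two markers the decoder script looks for, extracted with sed.
    payload=$(sed -n "s/.*[\$]_X='\([^']*\)'.*/\1/p" "$file" | head -n 1)
    stub_b64=$(sed -n "s/.*_D('\([^']*\)').*/\1/p" "$file" | head -n 1)
    if [ -z "$payload" ] || [ -z "$stub_b64" ]; then
        echo plain
        return
    fi
    if ! stub=$(printf '%s' "$stub_b64" | base64 -d 2>/dev/null); then
        echo hook-missing
        return
    fi
    case "$stub" in
        *'$_R=str_replace'*) echo hook-present ;;
        *) echo hook-missing ;;
    esac
}

# Constructed samples (minimal layout, not taken from a real encoded file).
make_samples() {
    local dir="$1" good bad
    good=$(printf '%s' '$_X=base64_decode($_X);$_R=str_replace("a","b",$_X);eval($_R);' | base64 | tr -d '\n')
    bad=$(printf '%s' '$_X=base64_decode($_X);eval($_X);' | base64 | tr -d '\n')
    printf '%s\n' "<?php \$_X='QUJD';eval(\$_D('$good'));" > "$dir/hooked.php"
    printf '%s\n' "<?php \$_X='QUJD';eval(\$_D('$bad'));" > "$dir/unhooked.php"
    printf '%s\n' '<?php echo "hello";' > "$dir/plain.php"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for f in "$demo_dir"/*.php; do
    printf '%s: %s\n' "${f##*/}" "$(classify_encoded_php "$f")"
done
rm -rf "$demo_dir"
```

Only files reported as `hook-present` have a stub the decoder's `sed` patch can neutralise; the others are left for manual review.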