@sh4dowb
Last active February 19, 2024 21:14
PHPkoru.com v1.0.7 deobfuscator. Run it in an isolated environment: the script eval()s code taken from the encrypted file.
<?php
// put encrypted code in encrypted.php, or use it like:
// $ php phpkoru-deobfuscate-3.php encryptedfilename.php
// UPDATED v1.0.7 , if you are getting error "IV passed is only 15 bytes long", try this
// for decrypting advanced (.dll/.so) version contact me on telegram
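/**
 * Recover the plaintext of a PHPkoru v1.0.7 protected file.
 *
 * The file is expected to hold an AES-256-CBC blob between the
 * [PHPkoru_Code] ... [/PHPkoru_Code] markers and a stub line of the form
 * eval($<b64>($<rot13>('...'))). The stub is unwrapped layer by layer until
 * the text that carries the key and IV is reached, then the blob is decrypted.
 *
 * SECURITY: the unwrapping loop calls eval() on text taken from the protected
 * file, so a hostile sample can run arbitrary PHP with the privileges of this
 * process. Analyse samples only in a disposable, isolated environment. The
 * returned string is untrusted code as well: inspect it, never include it.
 *
 * @param string $fn    Path of the protected file.
 * @param string $b64   Name of the variable the stub calls as its outer decoder.
 *                      The default literal ends in invisible U+200E characters;
 *                      keep them intact when editing.
 * @param string $rot13 Name of the variable the stub calls as its inner decoder
 *                      (same remark about U+200E).
 * @return string|false Decoded source, or false when the markers, key or IV
 *                      cannot be found or decryption fails.
 */
function trydecrypt($fn, $b64='fge_ebg13‎‎‎‎', $rot13='bcraffy_qrpelcg‎'){
    // Both names are spliced into search patterns and end up inside evaluated
    // code. decrypt() reads them from the sample, so accept only well-formed
    // PHP variable names (bytes 0x80-0xff are legal, which covers U+200E).
    $identifier = '/^[a-zA-Z_\x80-\xff][a-zA-Z0-9_\x80-\xff]*$/';
    if (!is_string($b64) || !is_string($rot13)
        || !preg_match($identifier, $b64) || !preg_match($identifier, $rot13)) {
        return false;
    }

    // Bind the two names as local variables so the stub can call them.
    // Variable variables are used instead of eval() so the names are never
    // parsed as code.
    ${$b64} = "base64_decode";
    ${$rot13} = "str_rot13";

    $input = file_get_contents($fn);
    if ($input === false)
        return false; // File could not be read.

    $call = '$'.$b64.'($'.$rot13.'(';
    $body = explode("[PHPkoru_Code]", $input);
    $stub = explode($call, $input);
    if (count($body) < 2 || count($stub) < 2)
        return false; // Not a PHPkoru file, or the helper names are wrong.

    $encrypted = explode("[/PHPkoru_Code]", $body[1])[0];
    $decryptor = 'eval(' . $call . explode("\n", $stub[1])[0];

    // Peel the nested eval() layers: each layer is turned into a `return`
    // expression so that evaluating it yields the next layer as a string.
    while (strpos($decryptor, 'eval') !== false) {
        $decryptor = str_replace('eval', 'return ', $decryptor);
        // The layer mentioning extension_loaded is the one that carries the
        // key material; it is parsed as text below and never executed.
        if (strpos($decryptor, 'extension_loaded') !== false)
            break;
        try {
            // SECURITY: executes code supplied by the sample (see header).
            $decryptor = eval($decryptor);
        } catch (\ParseError $e) {
            return false; // Layer is not valid PHP.
        }
        if (!is_string($decryptor))
            return false; // Layer did not produce further code.
    }

    $keys_s = explode('call_user_func', $decryptor);
    if (count($keys_s) < 2)
        return false; // Decryption failed, key/IV couldn't be found.
    $keys = $keys_s[1];

    // Newer samples append __LINE__ to the key expression.
    $uses_line = strpos($keys, ")).__LINE__, 0") !== false;
    $encoded = explode($call.'\'', $keys);
    if (count($encoded) < 3)
        return false; // Decryption failed, key/IV couldn't be found.

    $key_end = $uses_line ? '\')).__LINE__, 0' : '\')), 0';
    $key = base64_decode(str_rot13(explode($key_end, $encoded[1])[0]));
    $iv = base64_decode(str_rot13(explode('\'', $encoded[2])[0]));
    if (!$key || !$iv)
        return false; // Decryption failed, key/IV couldn't be found.

    $ciphertext = base64_decode($encrypted);

    if ($uses_line) {
        // The line number used by the sample is unknown, so try each
        // candidate 0-8: it is appended to the key and prepended to the IV.
        for ($ln = 0; $ln < 9; $ln++) {
            $decrypt_result = openssl_decrypt($ciphertext, "AES-256-CBC", $key.$ln, 0, $ln.$iv);
            if ($decrypt_result)
                return str_rot13(base64_decode(str_rot13($decrypt_result)));
        }
        return false;
    }

    $decrypt_result = openssl_decrypt($ciphertext, "AES-256-CBC", $key, 0, $iv);
    if ($decrypt_result === false)
        return false; // Wrong key/IV or damaged blob.
    return str_rot13(base64_decode(str_rot13($decrypt_result)));
}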
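/**
 * Find the two helper-variable names in a PHPkoru-protected file and print
 * the decoded source.
 *
 * The names are read from the first line that follows the first `eval($` in
 * the file: the text before the first `($` is the outer name, the text
 * between that `($` and the first `('` is the inner name. They are then
 * handed to trydecrypt().
 *
 * The printed result is code recovered from an untrusted sample; treat it as
 * data to be read, not as something to run or include.
 *
 * @param string $fn Path of the protected file.
 * @return void
 */
function decrypt($fn){
    $hint = 'Cannot find function names. Open the encrypted code, find longest eval line, call trydecrypt with two variable names etc. trydecrypt($fn, "fge_ebg13‎‎‎", "eha_pbqr‎") -- some function names might have unicode U+200E invisible character';

    $input = file_get_contents($fn);
    if ($input === false) {
        echo 'Decryption failed';
        return;
    }

    $stub = explode('eval($', $input);
    if (count($stub) < 2) {
        // No eval stub at all, so there is nothing to read names from.
        echo $hint;
        return;
    }

    // Keep only the stub line. The earlier code split on the two-character
    // sequence backslash-n (single quotes), which never matched a line break.
    $vars = explode("\n", $stub[1])[0];
    $b64 = explode('($', $vars)[0];
    $inner = explode('($', explode('(\'', $vars)[0]);

    // A ')' in either name means the split landed on something other than
    // the expected eval($a($b('... shape.
    if (count($inner) < 2 || strpos($b64, ')') !== false || strpos($inner[1], ')') !== false) {
        echo $hint;
        return;
    }
    $rot13 = $inner[1];

    $res = trydecrypt($fn, $b64, $rot13);
    if (!$res)
        echo 'Decryption failed';
    else
        print($res);
}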
// Entry point: decode the file named by the first CLI argument, falling back
// to "encrypted.php" in the working directory when no argument is given.
decrypt(isset($argv[1]) ? $argv[1] : "encrypted.php");
@orcun9988

how to use?
