PHPDeobfuscator
1.0.0
This deobfuscator attempts to reverse common obfuscation techniques applied to PHP source code.
It is implemented in PHP with the help of PHP-Parser.
1 + 2 is replaced by 3base64_decodeeval expressions$var1 = 10; $var2 = &$var1; $var2 = 20; can determine $var1 equals 20)PHP Deobfuscator uses Composer to manage its dependencies. Make sure Composer is installed first.
Run composer install in the root of this project to fetch dependencies.
php index.php [-f filename] [-t] [-o]
required arguments:
-f The obfuscated PHP file
optional arguments:
-t Dump the output node tree for debugging
-o Output comments next to each expression with the original code
The deobfuscated output is printed to STDOUT.
index.php outputs a simple textarea to paste the PHP code into. Deobfuscated code is printed when the form is submitted
<?php
eval(base64_decode("ZWNobyAnSGVsbG8gV29ybGQnOwo="));<?php
eval /* PHPDeobfuscator eval output */ {
echo "Hello World";
};<?
$f = fopen(__FILE__, 'r');
$str = fread($f, 200);
list(,, $payload) = explode('?>', $str);
eval($payload . '');
?>
if ($doBadThing) {
evil_payload();
}<?php
$f = fopen("/var/www/html/input.php", 'r');
$str = "<?n$f = fopen(__FILE__, 'r');n$str = fread($f, 200);nlist(,, $payload) = explode('?>', $str);neval($payload . '');n?>nif ($doBadThing) {n evil_payload();n}n";
list(, , $payload) = array(0 => "<?n$f = fopen(__FILE__, 'r');n$str = fread($f, 200);nlist(,, $payload) = explode('", 1 => "', $str);neval($payload . '');n", 2 => "nif ($doBadThing) {n evil_payload();n}n");
eval /* PHPDeobfuscator eval output */ {
if ($doBadThing) {
evil_payload();
}
};
?>
if ($doBadThing) {
evil_payload();
}<?php
$x = 'y';
$$x = 10;
echo $y * 2;<?php
$x = 'y';
$y = 10;
echo 20;<?php
goto label4;
label1:
func4();
exit;
label2:
func3();
goto label1;
label3:
func2();
goto label2;
label4:
func1();
goto label3;<?php
func1();
func2();
func3();
func4();
exit;
