Every once in a while, I receive code that is encrypted using one of many php encoder software out there, so when I face this situation and if the project is worth it, I start playing around with the encrypted files to see how the encoding algorithm works, so far I’ve been able to successful decrypt files encoded with Zend, and ioncube, I don’t remember the versions of the encoders but I remember that the latter one took me some time, but I decode the source.
I must say that decoding files also becomes a personal challenge, it is like a hobby when I have the time to play with it.
Yesterday I received a couple of files encoded with an unknown encoder for me, it didnt require any php modification or extension install, so I tough that it would be easy to break it, because at some point the code must be evaluated, so after I opened the zip file, I noticed a folder called “scopbin“, that contained only 1 php file named “911006.php“, the two encoded files were including this file so I assumed that this is were the decryption logic had to be.
I was exhausted by a long working day, and when I got this files and saw that they were encrypted I placed them in my laptop for later analysis. This analysis was done the next day, I didnt research the encoding process, or did anything that give me some pointers, I just started playing around with the code to see how far I could get.
My objective this time was getting this files decrypted, and not analysing the steps of the algorithm, so with this in mind, this is what I did:
This was the original “911006.php” file:
<?php ini_set('include_path',dirname(__FILE__));function A4540acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function b5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function c43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function Xdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){$x0b43c25ccf2340e23492d4d3141479dc='';$x71510c08e23d2083eda280afa650b045=0;$x16754c94f2e48aae0d6f34280507be58=strlen($x897356954c2cd3d41b221e3f24f99bba);$x7a86c157ee9713c34fbd7a1ee40f0c5a=hexdec('&H'.substr($x276e79316561733d64abdf00f8e8ae48,0,2));for($x1b90e1035d4d268e0d8b1377f3dc85a2=2;$x1b90e1035d4d268e0d8b1377f3dc85a2<strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2+=2){$xe594cc261a3b25a9c99ec79da9c91ba5=hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));$x71510c08e23d2083eda280afa650b045=(($x71510c08e23d2083eda280afa650b045<$x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045 + 1:1);$xab6389e47b1edcf1a5267d9cfb513ce5=$xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045-1, 1));if($xab6389e47b1edcf1a5267d9cfb513ce5<=$x7a86c157ee9713c34fbd7a1ee40f0c5a)$xab6389e47b1edcf1a5267d9cfb513ce5=255+$xab6389e47b1edcf1a5267d9cfb513ce5-$x7a86c157ee9713c34fbd7a1ee40f0c5a;else $xab6389e47b1edcf1a5267d9cfb513ce5=$xab6389e47b1edcf1a5267d9cfb513ce5-$x7a86c157ee9713c34fbd7a1ee40f0c5a;$x0b43c25ccf2340e23492d4d3141479dc=$x0b43c25ccf2340e23492d4d3141479dc.chr($xab6389e47b1edcf1a5267d9cfb513ce5);$x7a86c157ee9713c34fbd7a1ee40f0c5a=$xe594cc261a3b25a9c99ec79da9c91ba5;} return $x0b43c25ccf2340e23492d4d3141479dc;}function f5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function j43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function hdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function tr5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function f0666f0acdeed38d4cd9084ade1739498($x) { return implode('',file($x));} function g0666f0acdeed38d4cd9084ade1739498($s){return (strstr($s,'echo')==false?(strstr($s,'print')==false)?(strstr($s,'sprint')==false)?(strstr($s,'sprintf')==false)?false:exit():exit():exit():exit());}function hyr3dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function uygf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function drfg34f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function jhkgvdsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function yrdhhdacdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;} ini_set('include_path','.');
I’ve used a code formatter to make the code more readable:
ivan@mini:/var/www/copdecrypt/scopbin$ phpCB --space-after-if \
--space-after-switch \
--space-after-while \
--space-before-srt-angle-bracket \
--space-after-end-angle-bracket \
--glue-amperscore \
--change-shell-comment-to-double-slashes-comment \
--force-large-php-code-tag \
--force-true-false-null-contant-lowercase \
--align-equal-statements \
--comment-rendering-style PEAR \
--equal-align-position 50 \
--padding-char-count 4 \
911006.php
And this was the result:
<?php
ini_set('include_path', dirname(__FILE__));
function A4540acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function b5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function c43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function Xdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
$x0b43c25ccf2340e23492d4d3141479dc = '';
$x71510c08e23d2083eda280afa650b045 = 0;
$x16754c94f2e48aae0d6f34280507be58 = strlen($x897356954c2cd3d41b221e3f24f99bba);
$x7a86c157ee9713c34fbd7a1ee40f0c5a = hexdec('&H' . substr($x276e79316561733d64abdf00f8e8ae48, 0, 2));
for($x1b90e1035d4d268e0d8b1377f3dc85a2 = 2;$x1b90e1035d4d268e0d8b1377f3dc85a2 < strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2 += 2) {
$xe594cc261a3b25a9c99ec79da9c91ba5 = hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));
$x71510c08e23d2083eda280afa650b045 = (($x71510c08e23d2083eda280afa650b045 < $x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045 + 1:1);
$xab6389e47b1edcf1a5267d9cfb513ce5 = $xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045-1, 1));
if ($xab6389e47b1edcf1a5267d9cfb513ce5 <= $x7a86c157ee9713c34fbd7a1ee40f0c5a)$xab6389e47b1edcf1a5267d9cfb513ce5 = 255 + $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
else $xab6389e47b1edcf1a5267d9cfb513ce5 = $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
$x0b43c25ccf2340e23492d4d3141479dc = $x0b43c25ccf2340e23492d4d3141479dc . chr($xab6389e47b1edcf1a5267d9cfb513ce5);
$x7a86c157ee9713c34fbd7a1ee40f0c5a = $xe594cc261a3b25a9c99ec79da9c91ba5;
}
return $x0b43c25ccf2340e23492d4d3141479dc;
}
function f5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function j43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function hdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function tr5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function f0666f0acdeed38d4cd9084ade1739498($x) {
return implode('', file($x));
}
function g0666f0acdeed38d4cd9084ade1739498($s) {
return (strstr($s, 'echo') == false?(strstr($s, 'print') == false)?(strstr($s, 'sprint') == false)?(strstr($s, 'sprintf') == false)?false:exit():exit():exit():exit());
}
function hyr3dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function uygf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function drfg34f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function jhkgvdsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
function yrdhhdacdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
unlink($x456e79316561733d64abdf00f8e8ae48);
} ;
return $Xew6e79316561733d64abdf00f8e8ae48;
}
ini_set('include_path', '.');
After a quick review of this file, I saw that it had several functions with the same logic, return an unknow variable or delete the file that this unknown variable had, appart from all this “useless” functions I quickly found what appeared to be the decryption function this was the function named y0666f0acdeed38d4cd9084ade1739498 with this information I ran a quick check by passing the content of one of the encrypted files, and this is the response I got from that function:
<?php if(!function_exists('findsysfolder')){function findsysfolder($fld){$fld1=dirname($fld);$fld=$fld1.'/scopbin';clearstatcache();if(!is_dir($fld))return findsysfolder($fld1);else return $fld;}}require_once(findsysfolder(__FILE__).'/911006.php');$REXISTHECAT4FBI='FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26';g0666f0acdeed38d4cd9084ade1739498(f0666f0acdeed38d4cd9084ade1739498(__FILE__));$REXISTHEDOG4FBI='9CEF6BE117B329ADFC4560538EBF16BB6DAD1748FE354E8EDA7AABFA376EB6938496F43560E4123D85D272E342E363FD51F3181763A3F623 660B6E2369243EE5781CD76A133E272E37DACA198968397F150425B4326A126CD64F051F35287DE7BD3 5354276B880BDEF525247533610 64282D07BA63861F81DB715C115BC1BD57FC5D9C8 225D2 A F177EDC7EA026A7E74D37AC28A125D1B8F73B63C6D1C3A1E137639BEECEDACFDBBD9F8D948CE93D6FCDCDD8CCA98B36AA21A08B8BD87FD8 15143C2C2D37593B82857516FC9ABF9237BDEC9DBB9F92F7BDEB8EE3B6AEA153C9DF3 A2CAE2CD218B1E566C0D274D6 F32DC2A E20 512 062A2F72C 96FB9ED3B6FC9ABF927A34985CAB5D3 65D89B315B3E61076D8 E4488B2127FCEF82C78DDBBED3A6FBB7FCEEACEE04453412363B6E246F05086C7 52E C408CC263E078A53461E0 331B71EB81DC475DB6CAC9531914393D4 22AC9C3D7CE7194438AD638 03D6FCDCDD8CCA98F99211B1177D5C7DEC6A3F427 5 510 461C7D1C51AB492F850FA56FE445EC0154885BDACDC 819BD76A72A419A4D859CFE5A5268CDABFD2A7FAB8DEF227BA3869183E12277A386E03763B6E241F75282CDBFCA187ECE74D7 D1D4881D3C7432177D4 E3F83DA54417EAA8FE93C68BDE94C2E7CA5FD5B4C5E3C9993A98CEA3D69BCE84F2D989C9EEECFDDBFFF15 164C2D471D3 228D3 51CBA75D4 A3C85C1 4618EC5 E6BE91FCD F4D87BE F 56BFB5BFE2A3EA923BDDDBB9D26BE13CD 41F6E584D593C1A C18 D19D29D958C94F12577D5D5C0D4B19781958094F21EB6EF20CC77D87CD0CDC57FA13D8484F61076D47ED5 366F521A6FA2FEFBAF22772A680E23168B0958290F23366B297F12470A5F1543664EF6DA42DAD5E5EB718C569EA2C5F8AE81BBF16BE489E3EE13D7FBD98FE297DA8FC5B396BB2EA4E594B2969D3C7689230A1F4441763B1E83114 31173B3E6331670A6F22672D4B6E43C64C1D6C475FA5AFB2BDF36A83F9F55F8 62A C69BEEC4F4F5A4E2B D1B F1A E68CAD86F44 B1C E6CACF92E B6DDCDDD26437 3';$REXISTHECAT4FBI='94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6'; eval(y0666f0acdeed38d4cd9084ade1739498('4EF6454FB298E72B 5',$REXISTHEDOG4FBI));?>
Again I used the code beautifier to make the file more readable:
<?php if (!function_exists('findsysfolder')) {
function findsysfolder($fld) {
$fld1 = dirname($fld);
$fld = $fld1 . '/scopbin';
clearstatcache();
if (!is_dir($fld))return findsysfolder($fld1);
else return $fld;
}
}
require_once(findsysfolder(__FILE__) . '/911006.php');
$REXISTHECAT4FBI = 'FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26';
g0666f0acdeed38d4cd9084ade1739498(f0666f0acdeed38d4cd9084ade1739498(__FILE__));
$REXISTHEDOG4FBI = '9CEF6BE117B329ADFC4560538EBF16BB6DAD1748FE354E8EDA7AABFA376EB6938496F43560E4123D85D272E342E363FD51F3181763A3F623 660B6E2369243EE5781CD76A133E272E37DACA198968397F150425B4326A126CD64F051F35287DE7BD3 5354276B880BDEF525247533610 64282D07BA63861F81DB715C115BC1BD57FC5D9C8 225D2 A F177EDC7EA026A7E74D37AC28A125D1B8F73B63C6D1C3A1E137639BEECEDACFDBBD9F8D948CE93D6FCDCDD8CCA98B36AA21A08B8BD87FD8 15143C2C2D37593B82857516FC9ABF9237BDEC9DBB9F92F7BDEB8EE3B6AEA153C9DF3 A2CAE2CD218B1E566C0D274D6 F32DC2A E20 512 062A2F72C 96FB9ED3B6FC9ABF927A34985CAB5D3 65D89B315B3E61076D8 E4488B2127FCEF82C78DDBBED3A6FBB7FCEEACEE04453412363B6E246F05086C7 52E C408CC263E078A53461E0 331B71EB81DC475DB6CAC9531914393D4 22AC9C3D7CE7194438AD638 03D6FCDCDD8CCA98F99211B1177D5C7DEC6A3F427 5 510 461C7D1C51AB492F850FA56FE445EC0154885BDACDC 819BD76A72A419A4D859CFE5A5268CDABFD2A7FAB8DEF227BA3869183E12277A386E03763B6E241F75282CDBFCA187ECE74D7 D1D4881D3C7432177D4 E3F83DA54417EAA8FE93C68BDE94C2E7CA5FD5B4C5E3C9993A98CEA3D69BCE84F2D989C9EEECFDDBFFF15 164C2D471D3 228D3 51CBA75D4 A3C85C1 4618EC5 E6BE91FCD F4D87BE F 56BFB5BFE2A3EA923BDDDBB9D26BE13CD 41F6E584D593C1A C18 D19D29D958C94F12577D5D5C0D4B19781958094F21EB6EF20CC77D87CD0CDC57FA13D8484F61076D47ED5 366F521A6FA2FEFBAF22772A680E23168B0958290F23366B297F12470A5F1543664EF6DA42DAD5E5EB718C569EA2C5F8AE81BBF16BE489E3EE13D7FBD98FE297DA8FC5B396BB2EA4E594B2969D3C7689230A1F4441763B1E83114 31173B3E6331670A6F22672D4B6E43C64C1D6C475FA5AFB2BDF36A83F9F55F8 62A C69BEEC4F4F5A4E2B D1B F1A E68CAD86F44 B1C E6CACF92E B6DDCDDD26437 3';
$REXISTHECAT4FBI = '94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6';
eval(y0666f0acdeed38d4cd9084ade1739498('4EF6454FB298E72B 5', $REXISTHEDOG4FBI));
So what we have here is more obfuscated code, but a simple to understand, we have 2 variables and 3 functions, the variable that has the encrypted code should be the larger one so In the above file I’m assuming that is the ”$REXISTHEDOG4FBI” variable, the other one apparently isn’t used, so what I did at this point was to print the results of the evaluated function which corresponds to the function where the decrypt logic is (below is the decryption function deobfuscated):
function ($key, $program) {
$result = '';
$position = 0;
$keyLength = strlen($key);
$decValue = hexdec('&H' . substr($program, 0, 2));
for($i = 2;$i < strlen($program);$i += 2) {
$decProgram = hexdec(trim(substr($program, $i, 2)));
$position = (($position < $keyLength) ? $position + 1 : 1);
$ascii = $decProgram^ ord(substr($key, $position-1, 1));
if ($ascii <= $decValue) $ascii = 255 + $ascii - $decValue;
else $ascii = $ascii - $decValue;
$result = $result . chr($ascii);
$decValue = $decProgram;
}
return $result;
} unfortunately printing the result didn’t work, so I did a review to check why, and I found that the other 2 functions where the problem, let me explain what happens, first a call is made to:
function f0666f0acdeed38d4cd9084ade1739498($x) {
return implode('', file($x));
}this function receives the name of the executing file (test.php in my case), read its content in an array, then glues all lines to create a 1 line string, without any new lines, then this result is passed to the following function:
function g0666f0acdeed38d4cd9084ade1739498($s) {
return (strstr($s, 'echo') == false ? (strstr($s, 'print') == false) ? (strstr($s, 'sprint') == false) ? (strstr($s, 'sprintf') == false) ? false : exit() : exit() : exit() : exit());
}which are a series of nested ternary conditions, looking for the words “echo,print,sprint,sprintf”, if any of this words are in the encrypted file, then the script simply exits, that’s why I was unable to print the decrypted code after calling the decoding function, so simply avoiding the call to this function will fix the issue and I will get the decrypted code.
However, I didnt want to modify the original encrypted files, so a second approach I took was to modify the decryption function and printing the output from there, so I’ve added a couple of lines (15 and 16) to the “y0666f0acdeed38d4cd9084ade1739498” function:
function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
$x0b43c25ccf2340e23492d4d3141479dc = '';
$x71510c08e23d2083eda280afa650b045 = 0;
$x16754c94f2e48aae0d6f34280507be58 = strlen($x897356954c2cd3d41b221e3f24f99bba);
$x7a86c157ee9713c34fbd7a1ee40f0c5a = hexdec('&H' . substr($x276e79316561733d64abdf00f8e8ae48, 0, 2));
for($x1b90e1035d4d268e0d8b1377f3dc85a2 = 2;$x1b90e1035d4d268e0d8b1377f3dc85a2 < strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2 += 2) {
$xe594cc261a3b25a9c99ec79da9c91ba5 = hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));
$x71510c08e23d2083eda280afa650b045 = (($x71510c08e23d2083eda280afa650b045 < $x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045 + 1:1);
$xab6389e47b1edcf1a5267d9cfb513ce5 = $xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045-1, 1));
if ($xab6389e47b1edcf1a5267d9cfb513ce5 <= $x7a86c157ee9713c34fbd7a1ee40f0c5a)$xab6389e47b1edcf1a5267d9cfb513ce5 = 255 + $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
else $xab6389e47b1edcf1a5267d9cfb513ce5 = $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
$x0b43c25ccf2340e23492d4d3141479dc = $x0b43c25ccf2340e23492d4d3141479dc . chr($xab6389e47b1edcf1a5267d9cfb513ce5);
$x7a86c157ee9713c34fbd7a1ee40f0c5a = $xe594cc261a3b25a9c99ec79da9c91ba5;
}
echo $x0b43c25ccf2340e23492d4d3141479dc;
die();
return $x0b43c25ccf2340e23492d4d3141479dc;
} And voilà, I was able to see the source code.
TL:DR, just print the output of the decrypt function, and kill the script to get the decrypted code, I don’t know if there are any other versions of the “911006.php” file, but I guess that the same logic applies.
At least The IonCube and Zend Loaders does this with an engine extension, so there is no way you can view the source withouth modifyng the php engine, but this “encryptors” that offer “security by obscurity” is never a good idea, also most of the time the source encrypted is most likely a pile of garbage.