AntiWPA Forum

Full Version: PHP deobfuscator
Hi everyone.
A couple years ago I was very passionate about PHP/JS decoding and reverse engineering in general. I made more than 40 (private) decoders in 2012 just for academic purposes (I love challenges, you know). After becoming a father for the first time I left the scene.

My current job is related to web development, security audit, malware analysis, etc. I realize that digging into obfuscated PHP code is a PITA, that's why I made my own PHP deobfuscator, see screenshot.

obfuscated:
PHP Code:
<?php

$fff = "flock";
if ($fff($aaa, LOCK_EX)) {
    $fff($aaa, LOCK_UN);
}

function aaa() {
    $fff2 = "fget";
    if ($fff2($aaa, LOCK_EX)) {
        $fff2($aaa, LOCK_UN);
    }
}


deobfuscated:
PHP Code:
<?php

if (flock($aaa, LOCK_EX)) {
    flock($aaa, LOCK_UN);
}
function aaa()
{
    if (fget($aaa, LOCK_EX)) {
        fget($aaa, LOCK_UN);
    }
}


[attachment=4088]

update:
[attachment=4184]

Does anyone already have success with similar tools?
Hello :)
Yeah I 2nd that :P
Deobfuscating just takes time. A bit of a pity there is no simple way to do it like ionCube or SourceGuardian :/
Thank you, my friend
(08-06-2015 07:30 AM) object0 Wrote:
Hi everyone.
A couple years ago I was very passionate about PHP/JS decoding and reverse engineering in general. I made more than 40 (private) decoders in 2012 just for academic purposes (I love challenges, you know). After becoming a father for the first time I left the scene.

My current job is related to web development, security audit / pentesting, malware analysis, etc. I realize that digging into obfuscated PHP code is a PITA, that's why I made my own PHP deobfuscator, see screenshot.

obfuscated:
PHP Code:
<?php

$fff = "flock";
if ($fff($aaa, LOCK_EX)) {
    $fff($aaa, LOCK_UN);
}

function aaa() {
    $fff2 = "fget";
    if ($fff2($aaa, LOCK_EX)) {
        $fff2($aaa, LOCK_UN);
    }
}


deobfuscated:
PHP Code:
<?php

if (flock($aaa, LOCK_EX)) {
    flock($aaa, LOCK_UN);
}
function aaa()
{
    if (fget($aaa, LOCK_EX)) {
        fget($aaa, LOCK_UN);
    }
}



Does anyone already have success with similar tools?
You bumping? :P

I like what you've done there, although I'm assuming it's not a generic deobfuscator i.e. you've programmed the tool to recognise certain patterns and based on that it will deobfuscate using the relevant function, if that makes sense?
Cyko my deobfuscator uses AST (abstract syntax tree), modifies it and compiles back to PHP source, does it make sense now? ))
In fact it does what it should and it makes sense to me...

P.S. Updated my post.
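
The AST round trip described in the post above (parse, rewrite the tree, print PHP again), shown for the `$fff = "flock"; $fff(...)` pattern from the first post. This is an added example, not object0's tool and not part of the thread; it assumes the nikic/PHP-Parser library (v5), which the thread does not name, and the class name `ResolveStringCalls` is hypothetical. It leaves the now-unused assignment in place and does not track by-reference writes, `++`/`--`, `global`/`static`, `include`, `eval` or `extract()`.

```php
<?php // Added example, not the poster's tool. Assumes: composer require nikic/php-parser:^5
require __DIR__ . '/vendor/autoload.php';
use PhpParser\{Node, NodeTraverser, NodeVisitorAbstract, ParserFactory, PrettyPrinter};
use PhpParser\Node\{Expr, Name, Scalar, Stmt};

final class ResolveStringCalls extends NodeVisitorAbstract
{
    private array $scopes = [[]];   // stack of [variable name => known string value]
    private static function simpleVar($e): ?string
    {
        return $e instanceof Expr\Variable && is_string($e->name) ? $e->name : null;
    }
    private static function isCompound(Node $n): bool   // if, loops, case, try, catch ...
    {
        return $n instanceof Stmt && property_exists($n, 'stmts');
    }
    public function enterNode(Node $n)
    {
        if ($n instanceof Node\FunctionLike) {
            $this->scopes[] = [];                       // PHP variables are function-local
        } elseif (self::isCompound($n) && !($n instanceof Stmt\If_)) {
            $this->scopes[array_key_last($this->scopes)] = [];  // body may run 0..n times
        }
    }
    public function leaveNode(Node $n)
    {
        if ($n instanceof Node\FunctionLike) { array_pop($this->scopes); return; }
        $vars = &$this->scopes[array_key_last($this->scopes)];
        if (self::isCompound($n)) {
            $vars = [];                                 // writes inside were conditional
        } elseif ($n instanceof Expr\Assign || $n instanceof Expr\AssignOp || $n instanceof Expr\AssignRef) {
            $v = self::simpleVar($n->var);              // any write invalidates the known value;
            if ($v === null) { $vars = []; } else { unset($vars[$v]); } // odd target: drop all
        } elseif ($n instanceof Stmt\Expression && $n->expr instanceof Expr\Assign
            && $n->expr->expr instanceof Scalar\String_ && ($v = self::simpleVar($n->expr->var)) !== null) {
            $vars[$v] = $n->expr->expr->value;          // statement-level $f = "flock";
        } elseif ($n instanceof Expr\FuncCall && ($v = self::simpleVar($n->name)) !== null
            && preg_match('/^[a-z_]\w*(\\\\[a-z_]\w*)*\z/i', $vars[$v] ?? '')) {
            $n->name = new Name\FullyQualified($vars[$v]); // string callables are fully qualified
        }
    }
}

// Constructed sample modelled on the snippet in the first post.
$src = '<?php $fff = "flock"; if ($fff($aaa, LOCK_EX)) { $fff($aaa, LOCK_UN); }';
$traverser = new NodeTraverser();
$traverser->addVisitor(new ResolveStringCalls());
$ast = $traverser->traverse((new ParserFactory())->createForNewestSupportedVersion()->parse($src));
echo (new PrettyPrinter\Standard())->prettyPrintFile($ast), "\n";
```
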
(07-25-2016 08:22 AM) object0 Wrote:
Cyko my deobfuscator uses AST (abstract syntax tree), modifies it and compiles back to PHP source, does it make sense now? ))
In fact it does what it should and it makes sense to me...

P.S. Updated my post.

Fair enough! Thanks for the clarity. :D
Hi there,

How mature is your decompiler and would it be possible to try it out? :)