Home

Awesome

PHPDeobfuscator

Overview

This deobfuscator attempts to reverse common obfuscation techniques applied to PHP source code.

It is implemented in PHP with the help of PHP-Parser.

Features

Installation

PHP Deobfuscator uses Composer to manage its dependencies. Make sure Composer is installed first.

Run composer install in the root of this project to fetch dependencies.

Usage

CLI

php index.php [-f filename] [-t] [-o]

required arguments:

-f    The obfuscated PHP file

optional arguments:

-t    Dump the output node tree for debugging
-o    Output comments next to each expression with the original code

The deobfuscated output is printed to STDOUT.

Web Server

index.php outputs a simple textarea to paste the PHP code into. Deobfuscated code is printed when the form is submitted

Examples

Input

<?php
eval(base64_decode("ZWNobyAnSGVsbG8gV29ybGQnOwo="));

Output

<?php

eval /* PHPDeobfuscator eval output */ {
    echo "Hello World";
};

Input

<?
$f = fopen(__FILE__, 'r');
$str = fread($f, 200);
list(,, $payload) = explode('?>', $str);
eval($payload . '');
?>
if ($doBadThing) {
    evil_payload();
}

Output

<?php

$f = fopen("/var/www/html/input.php", 'r');
$str = "<?\n\$f = fopen(__FILE__, 'r');\n\$str = fread(\$f, 200);\nlist(,, \$payload) = explode('?>', \$str);\neval(\$payload . '');\n?>\nif (\$doBadThing) {\n    evil_payload();\n}\n";
list(, , $payload) = array(0 => "<?\n\$f = fopen(__FILE__, 'r');\n\$str = fread(\$f, 200);\nlist(,, \$payload) = explode('", 1 => "', \$str);\neval(\$payload . '');\n", 2 => "\nif (\$doBadThing) {\n    evil_payload();\n}\n");
eval /* PHPDeobfuscator eval output */ {
    if ($doBadThing) {
        evil_payload();
    }
};
?>
if ($doBadThing) {
    evil_payload();
}

Input

<?php
$x = 'y';
$$x = 10;
echo $y * 2;

Output

<?php

$x = 'y';
$y = 10;
echo 20;

Input

<?php
goto label4;
label1:
func4();
exit;
label2:
func3();
goto label1;
label3:
func2();
goto label2;
label4:
func1();
goto label3;

Output

<?php

func1();
func2();
func3();
func4();
exit;