Reverse Engineering

April 2013

Command line PHP deobfuscation

Recently a customer asked me to debug some problems on their Joomla!/PHP site, which had developed interoperability issues over time for unknown reasons. The site used several commercial plugins whose vendor had long since disappeared and was unreachable, and, worst of all, they were all obfuscated. So even searching for a basic string that was displayed on screen on error, in order to understand what was going on, was not a straightforward exercise, and reading through the code was a mess.

Apart from restructuring the code in logical ways (for example by adding intermediate variables or splitting variable assignments into several operations), the first and most annoying thing PHP obfuscators do is replace most of the characters in string values with their hexadecimal (\xHH) or octal (\NNN) escape sequences and strip all line feeds and code structure. PHP only interprets these escapes inside double-quoted strings and heredocs, so that is where they show up; single-quoted strings keep them literally. Once you undo this, the code is still quite messy but, at least in the cases I analyzed, readable enough; it just needs a little more bookkeeping to follow the automatically named variables. Getting rid of this confusing representation is quite straightforward on the command line with a few tricks.
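The post does not reproduce the author's own one-liners, so here is an added example (mine, not the author's) of the same trick as a small command-line filter in Python: it decodes \xHH and \NNN escapes only inside double-quoted PHP string literals, leaves single-quoted strings alone (PHP does not interpret \x there), keeps any escape whose decoded byte is not printable ASCII, re-escapes the three characters that cannot appear bare in a double-quoted string (`"`, `\`, `$`), and then puts a line break after every `;`, `{` and `}` found outside strings. The obfuscated sample input is constructed for the example, and the script assumes the input contains no PHP comments holding stray quote characters.

```python
#!/usr/bin/env python3
"""Undo the \\xHH / \\NNN string encoding used by PHP obfuscators.

Command-line use:  python3 dephp.py < obfuscated.php > readable.php
(with no stdin, the constructed SAMPLE below is processed instead)
"""
import re
import sys

# Escapes obfuscators abuse in double-quoted strings: \xHH (1-2 hex digits)
# and \NNN (1-3 octal digits).  Other escapes (\n, \$, \", \\) are kept as-is.
_HEX = re.compile(r'\\x([0-9A-Fa-f]{1,2})')
_OCT = re.compile(r'\\([0-7]{1,3})')

# Constructed sample input (not taken from any real plugin).
SAMPLE = r'''<?php $a="\x48\x65\x6c\x6c\x6f";$b='\x6e\x6f';echo $a."\40\167\157\162\154\144\x0a";if($x){die("\x24x\x22\x5c");}'''


def _segments(src):
    """Yield (kind, text) pairs: 'dq'/'sq' for a quoted literal (quotes included)
    or 'code' for everything between literals.  Escaped quotes are skipped."""
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        if c in ('"', "'"):
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == '\\' else 1   # step over an escaped char
            yield ('dq' if c == '"' else 'sq'), src[i:j + 1]
            i = j + 1
        else:
            j = i
            while j < n and src[j] not in ('"', "'"):
                j += 1
            yield 'code', src[i:j]
            i = j


def _literal(code):
    """Printable ASCII byte -> how it must be written inside a double-quoted
    PHP string; None if it is safer to leave the original escape in place."""
    if code == 0x22:
        return '\\"'
    if code == 0x5c:
        return '\\\\'
    if code == 0x24:          # a bare $ would start variable interpolation
        return '\\$'
    if 0x20 <= code < 0x7f:
        return chr(code)
    return None


def decode_dq_body(body):
    """Decode \\xHH and \\NNN escapes in the body of one double-quoted string."""
    out, i = [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body):
            m = _HEX.match(body, i) or _OCT.match(body, i)
            if m:
                code = int(m.group(1), 16) if m.group(0)[1] == 'x' else int(m.group(1), 8)
                lit = _literal(code)
                out.append(lit if lit is not None else m.group(0))
                i = m.end()
                continue
            out.append(body[i:i + 2])   # some other escape: keep verbatim
            i += 2
            continue
        out.append(body[i])
        i += 1
    return ''.join(out)


def decode_php_escapes(src):
    """Decode escapes inside double-quoted literals only; everything else is copied."""
    out = []
    for kind, text in _segments(src):
        if kind == 'dq' and len(text) > 1 and text.endswith('"'):
            out.append('"' + decode_dq_body(text[1:-1]) + '"')
        else:
            out.append(text)
    return ''.join(out)


def reflow(src):
    """Restore line structure: newline after ; { } that sit outside string literals."""
    out = []
    for kind, text in _segments(src):
        if kind == 'code':
            text = re.sub(r'([;{}])[ \t]*', r'\1\n', text)
        out.append(text)
    return ''.join(out)


if __name__ == '__main__':
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(reflow(decode_php_escapes(src)))
```

The reflow step is deliberately naive (a `for(;;)` header will be split across lines too); the point of the filter is to make the strings greppable again, after which the remaining bookkeeping of auto-named variables is done by hand as the post describes.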

