Shagshag
6/24/2013 - 9:36 AM

Unobfuscate this type of code : "eval(gzinflate(base64_decode(strrev('AYwtRlkyv8MKXlcyNj09QdFyO30S'))));"

Unobfuscate this type of code : "eval(gzinflate(base64_decode(strrev('AYwtRlkyv8MKXlcyNj09QdFyO30S'))));"

<?php

$obfuscated = "eval(gzinflate(base64_decode(strrev('AYwtRlkyv8MKXlcyNj09QdFyO30S'))));";
$decoder = new unobfuscate($obfuscated);

echo $decoder->decode(); // echo 'Hello world';


class unobfuscate
{
	public $string; // string to decode
	
	public function __construct($string)
	{
		$this->string = $string;
	}
	
	/**
	* return the decoded string
	* @return string
	**/
	public function decode()
	{
		$x = $this->string;
		
		while (substr($x, 0, 5) == 'eval(') {
			$prev = $x;
			$string = substr($x, 5, strlen($x) - 8);
			$x = $this->my_eval($string);
		}
		echo $x;
	}
	
	/**
	* eval a string without execute it
	* 
	* @param string $string
	* @return string
	**/
	public function my_eval($string) {
		if (
			($string[0] == '\'')
			|| ($string[0] == '"')
		) {
			// found the string 'AYwtRlkyv8MKXlcyNj09QdFyO30S'
			return substr($string, 1, strlen($string) - 2); // 
		} else {
			// we have something like function(xxxx);
			// search the function name
			$pos = strpos($string, '(');
			$function = substr($string, 0, $pos);
			// eval 'xxxx'
			$arg = $this->my_eval(substr($string, $pos+1));
			
			return $function($arg);
		}
	}
}  
?>