Hello, Today i found code who was encoded using following functions: gzinflate, str_rot13, base64_decode. The problem is what php code is encoded like 200times using following functions, so i decided to write decoder to optimize my work, but decoder don't want to work, here is decoder code: $string = $_POST['text'] ; $action = $_POST['button'] ; //let php do all dirty job ore not?// if($action==="Automatic Decoding"){ //How content is encoded? $decoding_found=false; $search = array("eval(gzinflate(base64_decode('", 'eval(gzinflate(base64_decode("', "')));", '")));'); if(stristr($string, $search)==true){ $decoding == "gzinflate base64_decode"; $decoding_found=true; $bad = array("eval(gzinflate(base64_decode('", 'eval(gzinflate(base64_decode("'); $string = str_replace($bad, '', $string); } $search = array("eval(gzinflate(str_rot13(base64_decode('", 'eval(gzinflatestr_rot13((base64_decode("', "'))));", '"))));'); if(stristr($string, $search)==true){ $decoding == "gzinflate str_rot13 base64_decode"; $decoding_found=true; $bad = array("eval(gzinflate(str_rot13(base64_decode('", 'eval(gzinflatestr_rot13((base64_decode("'); $string = str_replace($bad, '', $string); } //Now lets decode content if($decoding_found==true){ $bad = array('<?php', 'php?>','<?','?>', ' ', "'))));", '"))));', "')));", '")));'); $string = str_replace($bad, '', $string); if($decoding==='gzinflate base64_decode'){ $string = gzinflate(base64_decode($string)); } elseif($decoding==='gzinflate str_rot13 base64_decode'){ $string = gzinflate(str_rot13(base64_decode($string))); } else{} }else{} }else{} PHP: On following: eval(gzinflate(base64_decode('(some content here)'))); it will output: eval(gzinflate(base64_decode(\'(some content here)\')));. Thanks for help, and feel free to use code.
Please optimize your code. - Don't repeat yourself (use functions instead). - Several IF statements with the same condition? Merge them. - Empty else statements? Unnecessary, delete 'em. - Use loops where appropriate. - Use proper indentation. I won't even attempt to dig into this mess.
Ok, now code must be better: //let php do all dirty job ore not?// if($action=="Automatic Decoding"){ //How content is encoded? $decodingf=false; function search($words, $content){ if(stristr($content, $words)){ return str_replace($words, '', $content); }else{ return false; } } $search = array("eval(gzinflate(base64_decode('", 'eval(gzinflate(base64_decode("', "')));", '")));'); if(search($search, $string)){ $decoding == "gz_base"; $decodingf=true; $string = search($search, $string); } $search = array("eval(gzinflate(str_rot13(base64_decode('", 'eval(gzinflatestr_rot13((base64_decode("', "'))));", '"))));'); if(search($search, $string)){ $decoding == "gz_base"; $decodingf=true; $string = search($search, $string); } //Now lets decode content if($decodingf==true){ $bad = array('<?php', 'php?>','<?','?>', ' '); $string = str_replace($bad, '', $string); if($decoding==='gz_base'){ $string = gzinflate(base64_decode($string)); }elseif($decoding==='gz_rot_base'){ $string = gzinflate(str_rot13(base64_decode($string))); }else{return false;} }else{$error="Decoder not found";} }else{ //Here goes code of not automatic variant. } PHP: P.S. the code i going to decode is not from scriptmafia, i found it on forum