This page has been robot translated, sorry for typos if any. Original content here.

How to decode eval(base64_decode()); eval(gzinflate(base64_decode()));

How to decrypt or decode eval gzinflate base64_decode

The basic principles of encoding and packing, the weak points of such protection, ways of removing it by hand, and universal tools for automatically stripping packers and other protection from JavaScript.

Lately, script source code is more and more often encoded or packed.

Yandex, DLE and other popular projects have joined in, and the nice stories about "caring for users", "saving traffic" and similar nonsense are rather amusing.

Well, if someone has something to hide, our job is to bring it out into the open.

Theory

Because the browser must in the end be handed plain JavaScript that it can execute, every encoder and packer, however different they look, comes down to one of two patterns:

	var encrypted = 'encrypted data';
	function decrypt(str) {
	  // decryption or unpacking function
	}
	// Execute the decrypted script
	eval(decrypt(encrypted));


or as an option:

	var encrypted = 'encrypted data';
	function decrypt(str) {
	  // decryption or unpacking function
	}
	// Display the decrypted data
	document.write(decrypt(encrypted));


The second form is most often used to hide the HTML source of a page, and also by trojans that inject malicious content into a page, for example a hidden frame.

The two forms can be combined, and the decoder can be wrapped in any amount of extra trickery and obfuscation, but the principle itself never changes.

In both cases the fully decoded data ends up being passed to eval() or document.write(), and that is the weak point of every such scheme.

How to intercept them?

Try replacing eval() with alert(): the MessageBox that pops up shows the decoded text straight away.

Some browsers let you copy text out of a MessageBox, but it is more convenient to use a semi-automatic decoder like this one:

	<html>
	<head><title>JavaScript Decoder</title></head>
	<body>

	<script type="text/javascript">
	// Appends each decoding result to the log window
	function decoder(str) {
	  document.getElementById('decoded').value += str + '\n';
	}
	</script>

	<!-- Log window -->
	<textarea id="decoded" style="width: 900px; height: 500px;"></textarea>

	<script type="text/javascript">
	// Insert the encoded script here,
	// replacing every eval() and document.write() call with decoder().
	</script>

	</body>
	</html>


As an example, take a script from Yandex. Looking at its source, we see something unhealthy:

eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('$.1e.18=8(j){3 k=j["6-9"]||"#6-9";3 l=j["6-L"]||".uL";3 m=j["6-L-17"]||"";3 n=j["1d"]||0;$(5).2(".6-9").14("7");$(5).2(".6-9").Z("7",8(){3 a=$(5).x();3 o=$(5).x();3 h=$(5).B("C");$(5).v("g-4");$(5).16($(k).q());3 t=$(o).2("15");3 c=$(o).2(".br");3 d=$(o).2(".b-12"); [the rest of the same gibberish has been cut]

Straight away: this script has been through the JavaScript Compressor (Dean Edwards' packer), which is easy to recognise by its signature, the characteristic function(p,a,c,k,e,r) at the very start of the script. Copy the whole script source, replace the first eval with decoder, paste it into the decoder page and save it as an HTML file.

	<script type="text/javascript">
	// Insert the encoded script here,
	// replacing every eval() and document.write() call with decoder().
	decoder(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e...
	</script>


Open it in any browser and the unpacked script appears in the textarea at once. It is too early to celebrate, though: all line breaks and code formatting have been stripped. How to deal with that is covered in the article on deobfuscation.

Second example: an HTML page covered by the HTML Protector program. It is the page that demonstrates the program's features, so every option is enabled: blocking text selection and copying, disabling the right mouse button, protecting images, hiding the status bar, encrypting the HTML code, and so on. Open the source and look. At the very top is the already familiar document.write together with an encrypted script. Run it through the decoder and we get the function that decrypts the main content:

hp_ok=true;function hp_d01(s){ ...cut... o=ar.join("")+os;document.write(o)

Replace the last document.write inside that function with decoder, and paste the three remaining encrypted scripts after it:

	<script type="text/javascript">
	// Insert the encoded script here,
	// replacing every eval() and document.write() call with decoder().
	hp_ok=true;function hp_d01(s){....o=ar.join("")+os;decoder(o);
	hp_d01(unescape(">QAPKRV%22NCLEWC....
	hp_d01(unescape(">QAPKRV%22NCLEWCEG?HctcQa...
	hp_d01(unescape(">`mf{%22`eamnmp?!DDDDDD%22v...
	</script>


For brevity the scripts are not shown in full in the article; you have to copy them in their entirety. Open the decoder in the browser and you will see the protection scripts the program added together with the decrypted source of the page. For convenience you can decode only the third script, which holds the page's HTML. That is the whole protection. As you can see, nothing complicated, and other HTML page protections are removed in the same way.
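The decoder page above and both walkthroughs (the packer output and the HTML Protector page) do the same thing by hand: swap eval() and document.write() for a function that records its argument. The following is an added example, not code from the original article, that performs that swap outside the browser with Node.js so the captured text can be checked programmatically. Both inputs are constructed for the example: PACKED_SAMPLE is a small script in the Dean Edwards packer format (the wrapper is the packer's standard unpack routine, the payload and word list are ours and unpack to alert(prompt("hi"))), and WRITE_SAMPLE only imitates the shape of the HTML Protector loader, a decoding function whose last statement is document.write(), with unescape() standing in for the real cipher.

```javascript
'use strict';

// Constructed sample 1: a script packed in the Dean Edwards packer format.
// The wrapper is the packer's own unpack routine; the payload '0(1("2"))'
// with the word list alert|prompt|hi is ours and unpacks to alert(prompt("hi")).
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0(1("2"))',3,3,'alert|prompt|hi'.split('|'),0,{}))`;

// Constructed sample 2: shaped like the HTML Protector loader, a decoding function
// whose last statement is document.write(). unescape() stands in for the real cipher.
const WRITE_SAMPLE = String.raw`function hp_d01(s){var o=unescape(s);document.write(o)}hp_d01("%3Cb%3Ehello%3C%2Fb%3E");`;

// Run one layer: every eval( becomes decoder(, and document.write is a decoder too.
// Only the loader's own decoding routine executes; the decoded payload is captured
// and returned, never evaluated.
function captureLayer(source) {
  const captured = [];
  const decoder = (text) => { captured.push(String(text)); return text; };
  const patched = source.replace(/\beval\s*\(/g, 'decoder(');
  const fakeDocument = { write: decoder, writeln: decoder };
  // Equivalent to pasting the script into the decoder page and opening it in a browser.
  new Function('decoder', 'document', patched)(decoder, fakeDocument);
  return captured;
}

// Keep peeling while what came out is itself another eval(...) wrapper.
// Returns every captured layer, outermost first.
function unwrapJs(source, maxLayers = 10) {
  const layers = [];
  let current = source;
  for (let i = 0; i < maxLayers; i++) {
    const out = captureLayer(current);
    layers.push(...out);
    if (out.length !== 1 || !/^\s*eval\s*\(/.test(out[0])) break;
    current = out[0];
  }
  return layers;
}

console.log(unwrapJs(PACKED_SAMPLE)); // [ 'alert(prompt("hi"))' ]
console.log(unwrapJs(WRITE_SAMPLE));  // [ '<b>hello</b>' ]
```

The payload never runs because decoder() only records it, but the loader itself does run in-process, and a real loader may do more than decode (fingerprint the environment, fetch a second stage). Treat unknown samples as hostile and run this, like the browser decoder page, in a disposable VM.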

Software for analysing trojans and other malicious code

For more complex cases, heavier artillery is needed: Malzilla, a free project designed for investigating trojans and other malicious code. Since every program built to protect copyright is clearly malicious as well, Malzilla will help us in the fight against them. Download the latest version, unpack and run it. Open the second tab, Decoder, paste the encoded script into the upper window and press the Run script button.

[Screenshot: Malzilla at work]

The eval_temp folder holds the results of all the eval() calls, including intermediate ones. They can be viewed by pressing the Show eval() results button; the text opens in the bottom window. From there it can be copied, pasted into the upper window and formatted at once with the Format code button. Besides the decoder, Malzilla has many other tools and settings that make it easy to remove practically any protection from JavaScript.

[Screenshot: the script has been successfully decoded and formatted]

You can also pay attention to another free tool for working with encrypted scripts - FreShow .

Decoding <?php eval(gzinflate(base64_decode('encoded text'))); ?> - option 1 (script)

I have just run into the problem of decoding PHP code packed as <?php eval(gzinflate(base64_decode('encoded text'))); ?>.

As always, I turned to Google for a hint, and as always, an answer was found.

Code:

	<html>
	<body>
	<!-- start decryption -->
	<?php
	$str = gzinflate(base64_decode('encoded text'));
	while (1) {
	    // find the next eval( ... ); wrapper; stop when none is left
	    if (($pos1 = strpos($str, 'eval(')) === FALSE) {
	        break;
	    }
	    // the closing ");" is searched from the eval onwards, not from the start
	    $pos2 = strpos($str, ');', $pos1);
	    // the expression inside eval( ... ), e.g. gzinflate(base64_decode('...'))
	    $newstr = substr($str, $pos1 + 5, $pos2 - $pos1 - 5);
	    // assign its value instead of executing it
	    eval('$str = ' . $newstr . ';');
	}
	print $str;
	?>
	<!-- end of decryption -->
	</body>
	</html>


Save this file under any name, upload it to your host or run it on localhost, then copy everything between these tags from the page source:

<!-- start decryption -->
...
<!-- end of decryption -->

That's it, the code is decoded. One caveat: each pass of the loop runs eval() on whatever it finds inside the current layer's eval(...), which is harmless only while that is a decoder expression such as gzinflate(base64_decode('...')). If a layer contains anything else, that code executes on the machine running the decoder, so use a throwaway local PHP install rather than a live web host.

Decoding <?php eval(gzinflate(base64_decode('encoded text'))); ?> - option 2 (script)

In this case, do the following:

  1. Save the script below as decrypt.php.
  2. Save the encoded code as coded.txt.
  3. Create an empty decoded.txt file (if you run it on a server, chmod it 0666).
  4. Run decrypt.php.
  5. decoded.txt should now contain the decoded PHP code.

Code:

	<?php
	/*
	Taken from http://www.php.net/manual/de/function.eval.php#59862
	Directions:
	1. Save this snippet as decrypt.php
	2. Save encoded PHP code in coded.txt
	3. Create a blank file called decoded.txt (from shell do CHMOD 0666 decoded.txt)
	4. Execute this script (visit decrypt.php in a web browser or decrypt.php in the shell)
	5. Open decoded.txt, the PHP should be decrypted if not comment below http://danilo.ariadoss.com/decoding-eval-gzinflate-base64-decode/
	*/
	echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";
	echo "1. Reading coded.txt\n";
	$fp1 = fopen("coded.txt", "r");
	$contents = fread($fp1, filesize("coded.txt"));
	fclose($fp1);
	echo "2. Decoding\n";
	while (preg_match("/eval\(gzinflate/", $contents)) {
	    // strip the PHP tags, "<?php" included, so the layer is a bare statement
	    // that eval() will accept
	    $contents = preg_replace("/<\?php|<\?|\?>/", "", $contents);
	    // rewrite only the first "eval" into an assignment: the layer is decoded
	    // into $contents instead of being executed (limit 1, so an "eval" that
	    // happens to occur inside the base64 data is left alone)
	    eval(preg_replace("/eval/", "\$contents =", $contents, 1));
	}
	echo "3. Writing decoded.txt\n";
	$fp2 = fopen("decoded.txt", "w");
	fwrite($fp2, trim($contents));
	fclose($fp2);
	?>

When decrypting the code, I'm not sure that I've seen it. It has been shown that it's impossible to get rid of it. I will help you to continue your post.

Decoding <?php eval(gzinflate(base64_decode('encoded text'))); ?> - option 3 (online)

How do you decode such code and remove the commercial links from paid and free scripts?

Case one:

eval(base64_decode('SGksIG1hbg=='));

If we meet the string eval(base64_decode('SGksIG1hbg==')), we follow the link to the online decoder, paste only the SGksIG1hbg== part of the line into the form and press the "Decode data" button.

Case two:

eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA==')));

If we meet the string eval(gzinflate(base64_decode('80jNyclXyFTPVUhJTc5PSU0BAA=='))); we follow the link to the online decoder, paste the whole line into the form, from eval(gzinflate up to and including the closing ))); and press "Decode".

Decoding <?php eval(base64_decode('encoded text')); ?> - option 4 (using echo)

To decode malicious inclusions in PHP code of the form:

eval(base64_decode("DQplcnJvcl9yZXBv...tPWhlYWRlc...2F0aW9uOiBodHRwOi8...eGl0KCk7DQp9Cn0KfQ0KfQ0KfQ=="));

simply replace the eval function with echo and look at what comes out.

This is one of the most basic ways of decoding base64_decode...

If none of these methods helped, then you are out of luck :(

If you have come across other solutions to this problem, write them in the comments and we will try to work through them.