
Deobfuscating PHP and JavaScript Scripts


One of the most reliable ways to protect scripts from study and modification today is obfuscation.

Obfuscation (from Latin obfuscare, “to shade, darken”) is the deliberate obscuring of program code: the source text is transformed into a form that preserves the program’s functionality but complicates analysis, understanding of the algorithms, and modification.

Unlike encryption and packing, which are uniquely reversible, obfuscation is irreversible: the script code cannot be restored to its original form. Without exception, all PHP and JavaScript obfuscators work in two ways: line breaks and insignificant whitespace are removed from the source text, and the names of classes, variables and functions are replaced with meaningless character strings. These actions can be combined or performed independently.

As already noted, deobfuscation cannot bring the code back to its original form. But it is quite possible to "refine" it to a state where the algorithm is easy to understand and the necessary changes are easy to make. For example, after deobfuscation, you can break the protection of some PHP scripts, remove the binding of JavaScript to the domain, cut out forced advertisements, and so on.

The first stage of deobfuscation is formatting the script text: restoring line breaks and indenting the code into an easy-to-read "ladder". For this, I use two tools. For PHP, WaterProof Software has developed phpCodeBeautifier, a small (less than 100 kilobytes) free program for formatting PHP script code. Downloading it from the official site requires free registration, so here is a direct download link for your convenience. The program is a console application; its command-line parameters are described in the instructions in the archive. For those who prefer windows, there is a GUI version; it is older, but you can attach the console executable from the latest version to it.


For formatting JavaScript scripts and HTML code, there is a great online service, Beautify Javascript. Just paste the script text into the form, click the "Beautify" button, and get a neatly formatted script. For convenience, I slightly modified this page and compiled it into a standalone exe file. Maybe someday I will find the time and energy to rewrite the script as a full-fledged application.

When formatting large scripts, the browser may report that the script has stopped responding and offer to stop it. There is no need to do so; the processing simply takes more time.


If variable names were not replaced during obfuscation, then after formatting the code, deobfuscation can be considered complete. In any case, the script is already much more readable and understandable.

If the names of variables and functions have been mangled, we move on to the second part of deobfuscation. Here, unfortunately, there are no ready-made tools, or at least I have not seen any. If someone wants to take up writing such a tool for free, I can provide a detailed specification. For now, we have to limit ourselves to theory.

Odd as it may sound, deobfuscation uses the same principles as obfuscation. The names of all variables are extracted from all scripts and replaced with others. The only difference is that we extract the mangled names and replace them with ones that are easier to read. For example, $kOObgZ4tf2LEaSmFfc555 (Obfusc) or $IIIIIIIIIIIIIIl (PHP LockIt!) is replaced with $var_3. For a single script, this can be done in an ordinary text editor with global replace; for several scripts, you first need to extract all the variable names from all the scripts, and only then perform the global replacement. At the same time, do not forget about built-in variables such as the global arrays $_GET and $_POST in PHP, as well as reserved words in JavaScript. They must not be renamed. To make the replacement more effective, it is recommended to do it after formatting the code.
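The extract-then-replace procedure described above can be scripted. The following Python script is an added example, not the author's tool: it builds one name mapping across all PHP scripts and leaves superglobals such as $_GET, comments and single-quoted strings alone. The RESERVED list, the function names and the two sample scripts are assumptions constructed for illustration.

```python
import re

# PHP superglobals and special variables keep their names.
RESERVED = {"$this", "$GLOBALS", "$_GET", "$_POST", "$_COOKIE", "$_REQUEST",
            "$_SERVER", "$_SESSION", "$_FILES", "$_ENV", "$argc", "$argv"}
NAME = r"\$[A-Za-z_]\w*"
# Comments and strings match first, so "$" in them is handled the way PHP would.
TOKEN = re.compile(r"""(?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)
    |(?P<single>'(?:\\.|[^'\\])*')
    |(?P<double>"(?:\\.|[^"\\])*")
    |(?P<var>%s)""" % NAME, re.S | re.X)
INTERP = re.compile(r"\\.|(%s)" % NAME, re.S)

def walk(text, on_var):  # rebuild text, passing each real variable through on_var
    def token(m):
        if m.lastgroup == "var":
            return on_var(m[0])
        if m.lastgroup == "double":  # "..." interpolates, except after a backslash
            return INTERP.sub(lambda i: on_var(i[1]) if i[1] else i[0], m[0])
        return m[0]  # comments and '...' strings are left untouched
    return TOKEN.sub(token, text)

def build_mapping(sources):
    """One mapping for all scripts, so a shared name gets the same new name."""
    mapping = {}
    def record(name):
        if name not in RESERVED:
            mapping.setdefault(name, "$var_%d" % (len(mapping) + 1))
        return name
    for text in sources:
        walk(text, record)
    return mapping

def rename(sources):
    mapping = build_mapping(sources)
    return [walk(t, lambda n: mapping.get(n, n)) for t in sources], mapping

# Constructed sample input using the two mangled names quoted above.
SAMPLE_A = r"""<?php
$kOObgZ4tf2LEaSmFfc555 = $_GET['id']; // $kOObgZ4tf2LEaSmFfc555 holds the id
$IIIIIIIIIIIIIIl = "id=$kOObgZ4tf2LEaSmFfc555 costs \$5";
echo '$IIIIIIIIIIIIIIl is: ' . $IIIIIIIIIIIIIIl;
"""
SAMPLE_B = r"""<?php
function show($IIIIIIIIIIIIIIl) { return $IIIIIIIIIIIIIIl . $_POST["x"]; }
"""

if __name__ == "__main__":
    print("\n".join(rename([SAMPLE_A, SAMPLE_B])[0]))
```

Class properties, ${name} interpolation, heredocs and variable variables are not handled, and a script that already contains names of the form $var_N would collide with the generated ones, so review the output before working from it.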

This article describes only the general principles of deobfuscation; each case requires its own approach. But usually, to hack a script or analyze the algorithm of a particular function, complete deobfuscation is not required.