
Deobfuscation of PHP and JavaScript scripts


Today, obfuscation is one of the most reliable ways to protect scripts from being studied and modified.

Obfuscation (from Latin obfuscare, "to shade, to dim") is the tangling of program code: the source text is brought into a form that preserves the program's functionality but makes it harder to analyze, to understand its algorithms, and to modify.

Unlike encryption and packing, which are uniquely reversible, obfuscation is an irreversible action. This means that restoring the script code to its original form is not possible. Without exception, PHP and JavaScript obfuscators work in two ways: line breaks and insignificant whitespace are removed from the source text, and the names of classes, variables, and functions are replaced with meaningless strings of characters. These two actions can be combined or performed independently.

As already said, deobfuscation cannot bring the code back to its original form. But it is quite possible to "tidy it up" to a state in which the algorithm is easy to understand and the necessary changes are easy to make. For example, after deobfuscation it is possible to break the protection of some PHP scripts, remove the binding of JavaScript to a domain, cut out forced advertising, and the like.

The first stage of deobfuscation is formatting the script text: restoring line breaks and indenting the code into an easy-to-read "ladder". For this I use two tools. WaterProof Software has developed phpCodeBeautifier, a small (less than 100 kilobytes) free program for formatting PHP code. Downloading it from the official site requires free registration, so for convenience here is a direct download link. The program is a console application; its command-line parameters are described in the instructions in the archive. For those who prefer windows there is a GUI version; it is older, but the console executable from the latest version can quite well be attached to it.


For formatting JavaScript and HTML code there is a wonderful online service, Beautify Javascript. Simply paste the script text into the form, press the "Beautify" button, and get a neatly formatted script. For convenience, I have slightly modified this page and compiled it into a standalone exe file. Maybe someday I will find the time and energy to rewrite the script as a full application.

When formatting large scripts, the browser may report that the script has frozen and offer to stop its execution. Do not stop it; the processing just needs more time.


If the variable names were not replaced during obfuscation, then after formatting the code, deobfuscation can be considered complete. In any case, the script becomes much more readable and understandable.

If the names of variables and functions have been mangled, proceed to the second part of deobfuscation. Unfortunately, there are no ready-made tools for this, or at least I have not come across any. If someone wants to sponsor the writing of such a tool, I can provide a detailed specification. For now we have to limit ourselves to theory.

Strange as it may sound, deobfuscation uses the same principles as obfuscation. The names of all variables are extracted from all scripts and replaced with others. The only difference is that we extract the mangled names and replace them with ones that are easier to read. For example, $kOObgZ4tf2LEaSmFfc555 (Obfusc) or $IIIIIIIIIIIl (PHP LockIt!) is replaced with $var_3. For a single script this can be done in ordinary Notepad with a global replace; for several scripts, you first have to extract all the variable names from all the scripts, and only then perform the global replace. Do not forget about built-in variables such as the global arrays $_GET and $_POST in PHP, and about reserved words in JavaScript. They must not be processed. The replacement works better when it is done after the code has been formatted.
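The renaming pass described above, as an added example in Python (not code from the original article or from any tool it mentions). The function names and the two sample scripts are constructed for illustration, and the example assumes that every variable except PHP superglobals and $this is to be renamed.

```python
import re

# Names that must keep their spelling: PHP superglobals and $this.
RESERVED = {"this", "GLOBALS", "_GET", "_POST", "_COOKIE", "_REQUEST",
            "_SERVER", "_SESSION", "_FILES", "_ENV"}

# "$" plus a whole identifier, so `$l1` is never matched inside `$l1l`
# (the mistake a plain text-editor search-and-replace makes).
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def build_mapping(sources):
    """Collect variable names from every script, in order of first use,
    and give each non-reserved one a readable var_N replacement."""
    seen = []
    for text in sources.values():
        for name in VAR_RE.findall(text):
            if name not in RESERVED and name not in seen:
                seen.append(name)
    taken, mapping, n = set(seen), {}, 0
    for name in seen:
        n += 1
        while f"var_{n}" in taken:   # never reuse a name already in the code
            n += 1
        mapping[name] = f"var_{n}"
    return mapping


def rename_variables(sources):
    """Return (renamed sources, mapping). One mapping is shared by all files,
    so a variable used in several scripts gets the same new name in each."""
    mapping = build_mapping(sources)
    def swap(m):
        return "$" + mapping.get(m.group(1), m.group(1))
    renamed = {path: VAR_RE.sub(swap, text) for path, text in sources.items()}
    return renamed, mapping


# Constructed sample input: two formatted scripts sharing one global.
NAME_A = "IIIIIIIIIIIl"      # PHP LockIt!-style name quoted in the article
NAME_B = NAME_A + "I"        # second name that has the first as a prefix
SAMPLE = {
    "a.php": f"<?php\n${NAME_A} = $_GET['id'];\n${NAME_B} = ${NAME_A} . 'x';\n",
    "b.php": f"<?php\nglobal ${NAME_A};\necho ${NAME_A}, $_POST['q'];\n",
}

if __name__ == "__main__":
    out, names = rename_variables(SAMPLE)
    print(names)
    print("".join(f"--- {path}\n{text}" for path, text in out.items()))
```

The pass works on text, not on parsed PHP, so it also rewrites $name sequences inside string literals and does not follow variables referenced by string (variable variables, compact(), extract()); function and class names are left as they are.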

This article describes only the general principles of deobfuscation; for each case an individual approach has to be thought through and applied. Usually, though, performing a hack or analyzing the algorithm of a single function does not require full deobfuscation.