Skip to content

Instantly share code, notes, and snippets.

@sh4dowb

sh4dowb/phpkoru-deobfuscate-2.php

Last active October 12, 2024 17:14
Show Gist options
  • Save sh4dowb/86ad09b9bcbfce323b511395e446d616 to your computer and use it in GitHub Desktop.
Save sh4dowb/86ad09b9bcbfce323b511395e446d616 to your computer and use it in GitHub Desktop.
Download ZIP
PHPkoru.com v1.0.6 (new) deobfuscator. Make sure to run it isolated, to prevent any attacks from eval'd code
Raw
phpkoru-deobfuscate-2.php
<?php
// V1.0.7 DEOBFUSCATOR: https://gist.github.com/sh4dowb/68c9e090a3006b1d19ce49a22529c0a5
// put encrypted code in encrypted.php, or use it like:
// $ php phpkoru-deobfuscate-2.php encryptedfilename.php
// for decrypting advanced version contact me on telegram
function decrypt($fn, $try=0){
$onfr64_qrpbqr = 'base64_decode';
$fge_ebg13 = 'str_rot13';
if($try == 1){
$onfr64_qrpbqr = 'str_rot13';
$fge_ebg13 = 'base64_decode';
}
$input = file_get_contents($fn);
$encrypted = explode("[/PHPkoru_Code]", explode("[PHPkoru_Code]", $input)[1])[0];
if($try == 0)
$decryptor = 'eval($onfr64_qrpbqr($fge_ebg13(' . explode("\n", explode('eval($onfr64_qrpbqr($fge_ebg13(', $input)[1])[0];
else
$decryptor = 'eval($fge_ebg13($onfr64_qrpbqr(' . explode("\n", explode('eval($fge_ebg13($onfr64_qrpbqr(', $input)[1])[0];
while(strpos($decryptor, 'eval') !== false) {
$decryptor = str_replace('eval', 'return ', $decryptor);
if(strpos($decryptor, 'extension_loaded') !== false)
break;
$decryptor = eval($decryptor);
}
$keys_s = explode('call_user_func', $decryptor);
if(count($keys_s) < 2){
if($try == 0)
return decrypt($fn, 1);
else
return "Error: Decryption failed, key/IV couldn't be found.";
}
$keys = $keys_s[1];
if($try == 0){
$key = base64_decode(str_rot13(explode('\')), 0', explode('$onfr64_qrpbqr($fge_ebg13(\'', $keys)[1])[0]));
$iv = base64_decode(str_rot13(explode('\'', explode('$onfr64_qrpbqr($fge_ebg13(\'', $keys)[2])[0]));
} else {
$key = base64_decode(str_rot13(explode('\')), 0', explode('$fge_ebg13($onfr64_qrpbqr(\'', $keys)[1])[0]));
$iv = base64_decode(str_rot13(explode('\'', explode('$fge_ebg13($onfr64_qrpbqr(\'', $keys)[2])[0]));
}
if(!$key || !$iv){
if($try == 0)
return decrypt($fn, 1);
else
return "Error: Decryption failed, key/IV couldn't be found.";
}
return str_rot13(base64_decode(str_rot13(openssl_decrypt(base64_decode($encrypted), "AES-256-CBC", $key, 0, $iv))));
}
print(decrypt($argv[1] ?? "encrypted.php"));
@Fer010
Copy link

Fer010 commented Aug 28, 2023

do u mind suggesting me an easy way to run it isolated? i'm kind of new to php... thanks!

@sh4dowb
Copy link
Author

sh4dowb commented Aug 28, 2023

do u mind suggesting me an easy way to run it isolated? i'm kind of new to php... thanks!

just use docker or a virtual machine

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment