Open xoceunder opened 9 months ago
Thats impossible without knowing context. Context is generated during obfuscation process and located in output directory/context folder (set of serialized files)
`<?php // Set unlimited execution time set_time_limit(0);
// Retrieve the value of the REMOTE_ADDR key from the $_SERVER array $remoteAddr = $_SERVER["REMOTE_ADDR"];
// Check if the IP address is set if (!empty($remoteAddr)) {
// ... (the rest of the code after the check)
}
// Continue with the rest of the code
// ...
`
@gab12 I would say that this is pure hallucination on the part of the chatbot you used to produce this piece of onstensibly "unobfuscated" code. This is just some code that (maybe) bears some similarity in structure with the obfuscated one - but that's all. It's not the deobfuscated version of the code in question, because there are probably infinite many unobfuscated originals that could lead to that obfuscated example.
Don't take everything a chatbot throws to you as Pure Truth. A lot of times, it will just create an answer, that looks true - but is not.
@gab12 How can I make this reversible?
Could you help me achieve my goal since I have several files to decode? @gab12 @pk-fr
Could you help me if I'm doing well with being able to make Riversa have the obfuscated code?
function reverse_obfuscate($filename) // takes a file_path as input, returns the corresponding obfuscated code as a string { global $conf; global $parser,$traverser,$prettyPrinter; global $debug_mode;
$src_filename = $filename;
$tmp_filename = $first_line = '';
$t_source = file($filename);
if (substr($t_source[0],0,2)=='#!')
{
$first_line = array_shift($t_source);
$tmp_filename = tempnam(sys_get_temp_dir(), 'po-');
file_put_contents($tmp_filename,implode(PHP_EOL,$t_source));
$filename = $tmp_filename; // override
}
try
{
$source = php_strip_whitespace($filename);
fprintf(STDERR,"Obfuscating %s%s",$src_filename,PHP_EOL);
//var_dump( token_get_all($source)); exit;
if ($source==='')
{
if ($conf->allow_and_overwrite_empty_files) return $source;
throw new Exception("Error obfuscating [$src_filename]: php_strip_whitespace returned an empty string!");
}
try
{
$stmts = $parser->parse($source); // PHP-Parser returns the syntax tree
}
catch (PhpParser\Error $e) // if an error occurs, then redo it without php_strip_whitespace, in order to display the right line number with error!
{
$source = file_get_contents($filename);
$stmts = $parser->parse($source);
}
if ($debug_mode===2) // == 2 is true when debug_mode is true!
{
$source = file_get_contents($filename);
$stmts = $parser->parse($source);
}
if ($debug_mode) var_dump($stmts);
$stmts = $traverser->traverse($stmts); // Use PHP-Parser function to
$code = trim($prettyPrinter->prettyPrintFile($stmts)); // Use PHP-Parser function to output the obfuscated source, taking the modified obfuscated syntax tree as input
if (isset($conf->strip_indentation) && $conf->strip_indentation) // self-explanatory
{
$code = remove_whitespaces($code);
}
$endcode = substr($code,6);//?<?php
$code = '<?php'.PHP_EOL;
$code .= $conf->get_comment(); // comment obfuscated source
if (isset($conf->extract_comment_from_line) && isset($conf->extract_comment_to_line) )
{
$t_source = file($filename);
for($i=$conf->extract_comment_from_line-1;$i<$conf->extract_comment_to_line;++$i) $code .= $t_source[$i];
}
if (isset($conf->user_comment))
{
$code .= '/*'.PHP_EOL.$conf->user_comment.PHP_EOL.'*/'.PHP_EOL;
}
$code .= $endcode;
if (($tmp_filename!='') && ($first_line!=''))
{
$code = $first_line.$code;
unlink($tmp_filename);
}
return trim($code);
}
catch (Exception $e)
{
fprintf(STDERR,"Obfuscator Parse Error [%s]:%s\t%s%s", $filename,PHP_EOL, $e->getMessage(),PHP_EOL);
return null;
}
}
@gab12 @pk-fr
Help to decode this code
goto b90ea5151ac67729b14c9b1822dc162a; D3aa631f1fe7217217f3893fc45c3f43: $b7eaa095f27405cf78a432ce6504dae0 = $_SERVER["\x52\x45\115\117\x54\105\137\x41\104\x44\122"]; goto Cf1a44bb5bdae788fe6a2b66373affd0; b90ea5151ac67729b14c9b1822dc162a: set_time_limit(0); goto b34071cd8224bd806c9a2e686173303b; B4d0c2c01a529bb6b69bed40e0845fd7: Ac1a81228acfbd324b64ee30148afd1f: goto Bfd6964984b7d4b31ae435f1dd3dbf71; c31605b4c573994382021ca01630adec: cd5f291f17fc89d840f4f69783ef81c8: goto B7454738eb37658b7db7dc14ed9b2c5c;
@pk-fr