
I'm trying to deobfuscate this PHP code:

<?php /* Obfuscated loader. The function base64-decodes its argument, expands it with an LZSS-style scheme (16-bit flag words; a clear bit copies one literal byte, a set bit introduces a back-reference or a single-byte run token) and returns PHP source that the eval() at the end executes. Before decoding it reads its own file and matches it against a base64-hidden regex naming PHP output functions, exiting on a match: an anti-analysis trap, which is also why that regex is not in plain text. A formatted copy of the same code follows below. */ if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T059EC46CFE335260){$T059EC46CFE335260=base64_decode($T059EC46CFE335260);$TC9A16C47DA8EEE87=0;$TA7FB8B0A1C0E2E9E=0;$T17D35BB9DF7A47E4=0;$T65CE9F6823D588A7=(ord($T059EC46CFE335260[1])<<8)+ord($T059EC46CFE335260[2]);$TBF14159DC7D007D3=3;$T77605D5F26DD5248=0;$T4A747C3263CA7A55=16;$T7C7E72B89B83E235="";$T0D47BDF6FD9DDE2E=strlen($T059EC46CFE335260);$T43D5686285035C13=__FILE__;$T43D5686285035C13=file_get_contents($T43D5686285035C13);$T6BBC58A3B5B11DC4=0;preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"),$T43D5686285035C13,$T6BBC58A3B5B11DC4);for(;$TBF14159DC7D007D3<$T0D47BDF6FD9DDE2E;){if(count($T6BBC58A3B5B11DC4)) exit;if($T4A747C3263CA7A55==0){$T65CE9F6823D588A7=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<8);$T65CE9F6823D588A7+=ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);$T4A747C3263CA7A55=16;}if($T65CE9F6823D588A7&0x8000){$TC9A16C47DA8EEE87=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<4);$TC9A16C47DA8EEE87+=(ord($T059EC46CFE335260[$TBF14159DC7D007D3])>>4);if($TC9A16C47DA8EEE87){$TA7FB8B0A1C0E2E9E=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])&0x0F)+3;for($T17D35BB9DF7A47E4=0;$T17D35BB9DF7A47E4<$TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++)$T7C7E72B89B83E235[$T77605D5F26DD5248+$T17D35BB9DF7A47E4]=$T7C7E72B89B83E235[$T77605D5F26DD5248-$TC9A16C47DA8EEE87+$T17D35BB9DF7A47E4];$T77605D5F26DD5248+=$TA7FB8B0A1C0E2E9E;}else{$TA7FB8B0A1C0E2E9E=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<8);$TA7FB8B0A1C0E2E9E+=ord($T059EC46CFE335260[$TBF14159DC7D007D3++])+16;for($T17D35BB9DF7A47E4=0;$T17D35BB9DF7A47E4<$TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248+$T17D35BB9DF7A47E4++]=$T059EC46CFE335260[$TBF14159DC7D007D3]);$TBF14159DC7D007D3++;$T77605D5F26DD5248+=$TA7FB8B0A1C0E2E9E;}}else 
$T7C7E72B89B83E235[$T77605D5F26DD5248++]=$T059EC46CFE335260[$TBF14159DC7D007D3++];$T65CE9F6823D588A7<<=1;$T4A747C3263CA7A55--;if($TBF14159DC7D007D3==$T0D47BDF6FD9DDE2E){$T43D5686285035C13=implode("",$T7C7E72B89B83E235);$T43D5686285035C13="?".">".$T43D5686285035C13;return $T43D5686285035C13;}}}}eval(TC9A16C47DA8EEE87("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"));?>

Now by using a PHP formatter, I managed to make it display cleanly.

<?php
if (!function_exists("TC9A16C47DA8EEE87")) {
    // Loader for the obfuscated payload: turns a base64 string into PHP source
    // that the eval() at the end of the file executes.
    //
    // The decoding looks like a small LZSS-style decompressor. A 16-bit flag
    // word is consumed one bit per iteration (most significant bit first): a
    // clear bit copies one literal byte; a set bit introduces a token that is
    // either a back-reference (12-bit distance, 4-bit length + 3) or, when the
    // distance is zero, a run of one byte whose count is a 16-bit value + 16.
    //
    // Analysis note: before decoding, the function reads its own file and
    // matches it against a base64-hidden regex naming PHP's output functions;
    // on a match it exits. That is why the regex is not in plain text, and why
    // any comment or code added to THIS file that contains one of those names
    // makes the loader bail out before it returns anything.
    function TC9A16C47DA8EEE87($T059EC46CFE335260)
    {
        $T059EC46CFE335260 = base64_decode($T059EC46CFE335260); // compressed payload bytes
        $TC9A16C47DA8EEE87 = 0;  // back-reference distance
        $TA7FB8B0A1C0E2E9E = 0;  // copy / run length
        $T17D35BB9DF7A47E4 = 0;  // loop index
        // Byte 0 is skipped; bytes 1-2 are the first flag word (big-endian).
        $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
        $TBF14159DC7D007D3 = 3;  // read position in the compressed bytes
        $T77605D5F26DD5248 = 0;  // write position in the output
        $T4A747C3263CA7A55 = 16; // flag bits left in the current word
        // Output buffer. Indexed writes on "" turned it into an array only on
        // PHP < 7.1; on newer releases it stays a string and implode() below
        // no longer receives an array.
        $T7C7E72B89B83E235 = "";
        $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
        // Self-scan of the loader's own file (see the note above the function).
        $T43D5686285035C13 = __FILE__;
        $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
        $T6BBC58A3B5B11DC4 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4);
        for (; $TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E; ) {
            if (count($T6BBC58A3B5B11DC4))
                exit; // anti-analysis: abort when the self-scan matched
            if ($T4A747C3263CA7A55 == 0) {
                // Flag word exhausted: the next two bytes are a fresh one.
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                $T65CE9F6823D588A7 += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                $T4A747C3263CA7A55 = 16;
            }
            if ($T65CE9F6823D588A7 & 0x8000) {
                // Token: distance = first byte plus the high nibble of the second.
                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                $TC9A16C47DA8EEE87 += (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                if ($TC9A16C47DA8EEE87) {
                    // Back-reference: length = low nibble of the same byte + 3,
                    // copied byte by byte from earlier output.
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T17D35BB9DF7A47E4++)
                        $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                } else {
                    // Distance zero: run of the byte after the count, (count + 16) times.
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                    $TA7FB8B0A1C0E2E9E += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                    $TBF14159DC7D007D3++;
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                }
            } else
                // Flag bit clear: one literal byte.
                $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
            $T65CE9F6823D588A7 <<= 1;
            $T4A747C3263CA7A55--;
            if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                // Input consumed: join the buffer and prefix a closing tag so the
                // result can be eval()'d as a mixed HTML/PHP template.
                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                return $T43D5686285035C13;
            }
        }
    }
}
// Executes the decoded payload. The base64 argument was redacted from this copy of
// the page. For analysis, swap eval for an output statement so the decoded source is
// shown rather than run (see the answers below), but note that the self-scan in the
// function above reacts to the names of those statements appearing anywhere in the file.
eval(TC9A16C47DA8EEE87("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"));
?>

Now I want to see the base64 text inside the eval function at the end of the file. By using this tool, I can see something, but it is not accurate.

@��<div class="dere��cha mini">provee�dores v.1.0.3</�>
<h3>P</�`?ph��p  PIGUI::CheckI�nc();  ?R4>Crearh 4form id="�_�" action="indexA.?op=<
o $op;�&amp;importa*pi` _" methopost"�� onsubmit="retur$n valid.V�rF    (t�his.id)"table�@ if(dVers Mayor(��_PS_VERSION_, '1��.5.0'))  {    $ti��endas = $db->Get�Rows("SELECT _s�hop,�name FROM "�._DB_PREFIX_." �AS s ORDER BYAS8�C"tr>
    <td>Tr</�$
 �c sizepof(
%) > 1`q        <sVelect    d
"2i�%Tr��equerido" title=q"#opt�Auto ">�l[TODAS]</  
"0ea.�ch     0

Eprintf("<\"%u\">%sv\n",I ['']H']r}@?~/�@�2 QelseP@1t3rs[0]0 ech+C['c�2<input typhidden"+A+
;" 9/>C     !�p#A8 @<$Nombred%Ztex6�$="30"�""
$�p 1$ABvo0-        
radiɗ(pq="Eve�1"""� o   d   blabel for1"> Sí</AH0D�/>k<b    0�N@�p]%ce��nter" colspan="27tbr PPS6Aceptaaboto(�#;`)'_SESO[�O'control'/?> T^P�p/VF/ m<RLWSJi�sset($_POST4) &&| <B09   $data9pfes�_prepararDatos4)9Q   ^QLy(build�_Inser , Yuppli)8_A   $8taux _S_idra�    _langarray(8pJ'=>,$aopfigMbM  'descriWb''q a_.Lkeywords|_ { (
")
`uu!t`"hxoq == ^'i2'#o(gt]5shIN�vSERT INTO|NTtR(    ,�uR) VALUES(%u, %?u)kq$kHB[`]iqis_numyc.4"s*q?t?w$
?? ,. c%Msg('S(e cdo Xp<- 'c'_�     0
5`dujo alg�+ún error Qno'f~#FGEH@deN`H4"    =_@GPG1AExistHi|d `F'sF"DTE F" WHERE'r
0'O{
}'9@�>;_!H@$>>`9"$QY*B"' elimin'_'V7e'_'Pa' '-! Џh4؉uale r^ 3/javacfun`on E
SrV<@){yP$Pdrrm�('¿u Id.'+id+'?')R  w�ow.locaTpU /Q$Gp݄;&6�=;   }
�0</
#> Rl3ath>4xhs:��<$r$@;R,2,ivLe8_.8$nPsA)2hf�19 g'q% �!i/E`  ac@D2 f�   �'<a =""e" href="Yj'F:&'.].'p'.7I( (lete.png
P16, ��false, true).'</a>'617e /V8pveed8orߜglobal $�d62`\   � switJcase '&':[$@]trim($3qak�c3 ? '1' : '0'Q=defaultunQc E$ahor1e('Y-m�-d H:i:sp!a['�`e_add'cж#upreturn �M

This is where I'm stuck. How else could this be encoded or compressed?

spajce
ccamacho
  • Why do you want to unobfuscate this code? – Chris Forrence Jan 23 '13 at 12:57
  • Why do you need to deobfuscate it in the first place? If it's malicious, you need to clean up your site, doesn't matter what the code did. If it's copy protection, you're probably trying to steal from the script's author. – Pekka Jan 23 '13 at 12:57
  • really? Obfuscation is a dismissable copy protection. I want to know what runs on my server. – Fabian Blechschmidt Jan 23 '13 at 12:59
    @Fabian then use a product that doesn't come with obfuscated code. That's what I (and I suppose most other people) do. – Pekka Jan 23 '13 at 13:00
  • @pekka I do it :-) But sometimes, there is no other option. Then I give my best to check what runs and then decide whether I want this or not. And "encrypting" everything with base_64 is a performance problem too, if you do it too often. – Fabian Blechschmidt Jan 23 '13 at 13:01
    why not using `base64_decode()`? its part of the php core – hek2mgl Jan 23 '13 at 13:03
    Knowing exactly what the malware did to one's site—or what it was capable of doing—is a good way of cleaning up an infection like this. Being 100% fearful just causes stress. Seeing the payload can allay concerns. Especially if it is a generic piece of malware that just launches a generic toolkit. – Giacomo1968 Jan 23 '13 at 13:06
  • @Pekka웃, this is not “copy protection” but rather malware. Simple as that. This is not a case of a poster asking to break valid copy protection but clearly a poster who needs help assessing what damage was done to their PHP site infected by this stuff. – Giacomo1968 Jan 23 '13 at 13:12
  • @JakeGould What makes you that sure that it is malware? if it is malware it would have been bad programmed as the PIGUI class won't be found – hek2mgl Jan 23 '13 at 13:18
  • @hek2mgl what legitimate code would ever obscure itself like this? And please look at the decompile below: Why would legitimate code obscurer a simple directory browser that can be remotely accessed? Is browsing a directory so complex it needs to be copy protected? This is clearly coding designed to hide malicious intent. If you have truly never dealt with PHP malware before, congrats! I have before & it always is malicious & it always looks like this. – Giacomo1968 Jan 23 '13 at 13:24
  • @JakeGould Ok, there are pros and cons for your opinion (maybe more pros). The missing require_once statements could indeed be spread across other (infected) PHP files. However, only the OP can say what kind of code that is. – hek2mgl Jan 23 '13 at 13:35
  • @hek2mgl I am not too sure how you cannot see this as malware given the original posters question & their followups. Obscured directory browsing? Mixed in with unknown MySQL queries? Malware. – Giacomo1968 Jan 23 '13 at 13:41

3 Answers


To decode it, I removed the exit from the middle of the function and changed eval to print. Here is the result (the code under the eval):

?><div class="derecha mini">explorer v.0.0.4</div>
<h3>Explorer</h3>
<?php
// Decoded payload: a server-side directory browser rendered inside the host
// application's page. PIGUI and ponerBarra are not defined here and presumably
// come from the host; $pi_importador is used below but never assigned in this
// snippet. The directory listed comes straight from a request parameter when
// one is given, so the request shape to look for in access logs is
// index.php?op=explorer&loc=<path> (the links below are built that way).
PIGUI::CheckInc();
flush();
if (isset($_GET['loc'])) {
    // Path taken from the query string with no validation or confinement.
    $dir = $_GET['loc'];
    if (is_file($dir)) {
        // dirname() runs first, so basename() yields the parent directory's
        // name rather than the file's; $file is reused as a loop variable below.
        $dir  = dirname($dir);
        $file = basename($dir);
    } else {
        $file = '';
    }
} else {
    $dir  = getcwd();
    $file = '';
}
$dir = ponerBarra($dir); // presumably normalises the trailing slash — defined elsewhere
echo $dir . '<br /><br />';
$dirs  = array();
$files = array();
$arr   = scandir($dir ? $dir : '.');
sort($arr);
foreach ($arr as $item) {
    // Only '.' is skipped; '..' is kept, so the listing can walk upwards.
    if ($item != '.') {
        if (is_dir($dir . $item)) {
            $dirs[] = $item;
        } else {
            $files[] = $item;
        }
    }
}
foreach ($dirs as $subdir) {
    // Per directory: a link into this same browser ('..' resolves to the parent),
    // a folder icon, the name, and the last four octal digits of its permissions.
    printf('<a href="index.php?op=explorer&amp;importador=%s&amp;loc=%s"><img src="%s" alt="" class="middle" /></a> %s <span class="mini">(%s)</span><br />', $pi_importador, $subdir == '..' ? dirname($dir) : $dir . PIGUI::HtmlEntities($subdir), PIGUI::Icon('folder.png', 16, true, true), $subdir, substr(sprintf('%o', fileperms($dir . $subdir)), -4));
    flush();
}
foreach ($files as $file) {
    // Per file: icon, name, permissions and size in KB (no link; files are listed only).
    printf('<img src="%s" alt="" class="middle" /> %s <span class="mini">(%s) %.2f Kb</span><br />', PIGUI::Icon('page.png', 16, true, true), $file, substr(sprintf('%o', fileperms($dir . $file)), -4), filesize($dir . $file) / 1024);
    flush();
}
?>

EDIT: Here's your original code, mostly deobfuscated. Unfortunately, I don't recognize the encryption algorithm:

<?php
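/**
 * Expand the loader's base64-encoded, compressed payload into PHP source.
 *
 * The scheme is LZSS-like: bytes 1-2 of the decoded input hold a 16-bit flag
 * word (byte 0 is ignored) and each iteration consumes its most significant
 * bit. A clear bit copies one literal byte; a set bit starts a token whose
 * first 12 bits are a back-reference distance. A non-zero distance copies
 * (low nibble + 3) bytes from earlier output; a zero distance repeats the
 * byte following the count (count + 16) times. After 16 bits a new flag
 * word is read from the stream.
 *
 * The obfuscated original also read its own file and called exit() when the
 * names of PHP's output functions appeared anywhere in it. With the regex in
 * plain text and an output call at the bottom of this file, that check would
 * always fire and decrypt() could never return, so it is left out here: it is
 * an anti-analysis trap, not part of the decoding.
 *
 * @param string $source base64 text as passed to eval() in the obfuscated file
 * @return string the decoded source, prefixed with "?>" so it can be eval()'d
 */
function decrypt(string $source): string
{
    $source = base64_decode($source);
    $sourceLen = strlen($source);
    if ($sourceLen < 3) {
        // No flag word, nothing to decode.
        return '?>';
    }

    $flags = (ord($source[1]) << 8) + ord($source[2]);
    $flagBitsLeft = 16;
    // Output is collected as an array of single bytes: indexed writes on ""
    // only produced an array on PHP < 7.1, so the original's implode() breaks
    // on current releases.
    $out = [];
    $outPos = 0;

    for ($pos = 3; $pos < $sourceLen; ) {
        if ($flagBitsLeft === 0) {
            // Flag word exhausted: the next two bytes are a fresh one.
            $flags = (ord($source[$pos++]) << 8);
            $flags += ord($source[$pos++]);
            $flagBitsLeft = 16;
        }

        if ($flags & 0x8000) {
            // Token: distance = first byte plus the high nibble of the second.
            $distance = (ord($source[$pos++]) << 4);
            $distance += (ord($source[$pos]) >> 4);
            if ($distance) {
                // Back-reference; the low nibble of the same byte is length - 3.
                // Copying byte by byte means a distance shorter than the length
                // re-reads bytes written during this very copy.
                $length = (ord($source[$pos++]) & 0x0F) + 3;
                for ($i = 0; $i < $length; $i++) {
                    $out[$outPos + $i] = $out[$outPos - $distance + $i] ?? '';
                }
                $outPos += $length;
            } else {
                // Run: the count's high byte is the token's second byte re-read,
                // its low byte the next one; then (count + 16) copies of the byte after.
                $length = (ord($source[$pos++]) << 8);
                $length += ord($source[$pos++]) + 16;
                for ($i = 0; $i < $length; $i++) {
                    $out[$outPos + $i] = $source[$pos];
                }
                $pos++;
                $outPos += $length;
            }
        } else {
            // Literal byte.
            $out[$outPos++] = $source[$pos++];
        }

        $flags <<= 1;
        $flagBitsLeft--;
    }

    return '?>' . implode('', $out);
}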
// Display the decoded source instead of executing it (the base64 argument was
// redacted from this copy of the page). If decrypt() still carries the self-scan
// from the obfuscated original, the plain-text regex and this call make that scan
// match and exit before anything is returned.
print (decrypt("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"));
?>
rburny
  • Excellent work! Seems like this PHP malware basically infected the site with a simple directory tree browser so that the deeper contents of the PHP website could be explored. I would not be worried about this—in and of itself—but in my experience payloads like this come in clusters. I would recommend the original poster carefully go through the rest of their site’s coding and see if more crap wasn’t dropped off elsewhere. – Giacomo1968 Jan 23 '13 at 13:17
  • @R Burny, it is not a virus but malware injected into a PHP based website to gain access to deeper levels of the system. The site this was taken from was clearly infected. Also please re-read what I said about “payloads like this come in clusters.” Yes, this is not the beginning & end of this kind of infection. There is very a good chance there is more malware dropped into the site. In infections like this you basically get hit by a “clusterbomb” of crap & it never all adds up until you find all of the pieces. I recommend the original poster do deeper digging for more malware on their site. – Giacomo1968 Jan 23 '13 at 13:21
  • Mmmm, I think that it's not exactly the same code. As you can see, there are some SQL queries in it... We have detected some connections from our servers to the internet and we are debugging the application. – ccamacho Jan 23 '13 at 13:35
  • @user1568318, if you are seeing that activity you are infected. Please go through the rest of your sites code to find additional infections & remove. – Giacomo1968 Jan 23 '13 at 13:39
  • It is not about being infected or not.. ajaja.. I will like to see how this code was obfuscated... – ccamacho Jan 23 '13 at 13:48

Seems like the original poster wants to see what damage was done to their site after being infected. Valid to ask how to deobfuscate the mess. The whole code is PHP malware. Most likely injected onto a PHP-based website. The whole odd function filled with base64 stuff is the payload. And the weird jumping through hoops is the way the original coder decided to obscure their code. If you truly want to see the output, look at the function at the beginning & the eval at the end: The main function is given the hash-like, odd, garbage name TC9A16C47DA8EEE87. Knowing that, that last line should be changed to:

// Display the decoded source instead of executing it (argument redacted in this copy).
// Note: the loader's self-scan regex (decoded at the top of the accepted answer)
// matches this statement's name, so the exit inside the function must be removed
// as well or nothing is returned.
echo TC9A16C47DA8EEE87("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");

And that will give you the pure base64 of the payload. Past that, not too clear. Maybe further base64 decode? I have faced B.S. like this before & it’s never pleasant. If you are truly fearful, decode this on a safe machine that you don't mind getting hosed in the process. But my guess is this is mainly just a vandalism piece of malware & not something that is mining for secrets deeper than how to cause basic vandalism.

Giacomo1968
  • You are right. +1 Its likely the result of an attack. Although only the OP could truly say (Unfortunately he doesn't say anything :|) – hek2mgl Jan 23 '13 at 13:38
  • From the original poster above: “We have being detected some connections from our servers to the internet and we are debugging the application.” They know there is malware & they are deconstructing what they find to understand it better. – Giacomo1968 Jan 23 '13 at 13:42
  • Ok, I did not read the comment. Thanks – hek2mgl Jan 23 '13 at 13:53
  • It is not about being infected or not.. ajaja.. I will like to see how this code was obfuscated... – ccamacho Jan 23 '13 at 13:55

It's not really important to understand the cryptic transformations in TC9A16C47DA8EEE87. The purpose of this function is to generate executable PHP code from an input string (base64 encoded) that is then passed to eval.

Instead of trying to decode the input string, you could try to just print the return value of TC9A16C47DA8EEE87("QAAAPGRpdiBjbGFzcz..., by using echo instead of eval.

helmbert