1

I decode some of my ionCube encoded PHP pages but it contain code with obfuscated PHP function names:

Example :

_obfuscate_DRYWMSUQDzIXCSohIQMqCz0NJiIUBSIÿ("Location: error.php");

this is the code for header function.

header("Location: error.php");

can you anyone please explain me how to this deobfuscate this code ?

Sasith Maduranga
  • 33
  • 1
  • 4
  • 1
    possible duplicate of [Decode obfuscated PHP source code](http://stackoverflow.com/questions/8020457/decode-obfuscated-php-source-code) – D4V1D Mar 31 '15 at 09:20
  • Ask who ever obsficated it in the first place –  Mar 31 '15 at 09:29
  • seems like this one is different, cuz this has no '\' or numbers @d4v1d :/ – Sasith Maduranga Mar 31 '15 at 09:36
  • @Dagon : it'll be my first thing, if I know the person ... unfortunately it done by one of past employer here :/ – Sasith Maduranga Mar 31 '15 at 09:38
  • @SasithMaduranga - but you'll have backups and version control of the original source, right? :) Encoding is great for licensing code, and useful by organsations needing to ensure that live code isn't tinkered with by developers bypassing strict change control procedures, but if you *only* have protected sources then something sounds seriously wrong with your management and development practise. – Nick Apr 18 '15 at 10:26
  • Possible duplicate of [How to display ioncube decoded php-file through PHP code?](http://stackoverflow.com/questions/20216716/how-to-display-ioncube-decoded-php-file-through-php-code) – Blue Sep 21 '16 at 18:33

1 Answers1

-2

Obfuscation is designed to be irreversible - if there was a method to easily reverse the obfuscation then using obfuscation would be pointless. Think of it as hashing the function name -- although it may be possible to bruteforce the original names, you'll have to put some serious effort into it, including:

  • Find out which hashing algorithm is used
  • Get the used obfuscation key (which was specified during the encoding)
  • Bruteforce every single function name, starting from a() to my_function_name_that_does_something()

As indicated in the comments, your only realistic chance at retrieving the original source code is to contact the original developer. You wouldn't expect to gain the original source code from a binary file compiled from C code, would you?

SebiH
  • 669
  • 1
  • 8
  • 18
  • ugh. so how PHP Processor know which function is this obfuscation statement ? – Sasith Maduranga Apr 08 '15 at 05:41
  • @SasithMaduranga They don't - all functions inside the project are hashed to the same obfuscated name, they don't need to know the actual function name. This breaks things like variable variables (`$$var`) and `eval()`, but these things shouldn't be used any way in "good code". System functions should still be unobfuscated and readable however, as far as I'm aware. – SebiH Apr 08 '15 at 06:18