Unknown PHP obfuscation technique

Question

I've come accross a piece of code using various techniques of obfuscation and, mostly driven by curiosity, have been trying to understand the techniques it uses.

I've done some work on it, but i'm at a point where I don't understand fully what it's doing :

public $x1528 = null;
public $x153c = null;

function __construct()
{
    $this->x1528 = new \StdClass();
    $this->x153c = new \StdClass();
    $this->x1528->x21a9 = "getSingleton";
    $this->x1528->x1569 = "x1565";
    $this->x1528->x1e45 = "x1e40";
    $this->x153c->x3b3b = "x3b38";
    $this->x1528->x16c3 = "x16c2";
    $this->x1528->x1bec = "x1be8";
    $this->x1528->x245a = "x2455";
    $this->x1528->x1b14 = "x10d7";
    $this->x153c->x36d4 = "x36d2";
    $this->x1528->x24d6 = "getSingleton";
    $this->x1528->x1876 = "xf0f";
    $this->x1528->x2901 = "x2900";
    $this->x1528->x1877 = "x1876";
    $this->x153c->x335b = "x3356";
    $this->x1528->x2836 = "x2833";
    $this->x1528->x2119 = "x2115";
    $this->x1528->x18bb = "xf3d";
    $this->x153c->x349e = "x349a";
    $this->x1528->x2383 = "getData";
    $this->x1528->x17b1 = "x5f2";
    $this->x153c->x2d06 = "xf41";
    $this->x1528->x1f35 = "x1f30";
    $this->x1528->x1a93 = "x1138";
    $this->x1528->x1d79 = "x1d76";
    $this->x1528->x1d7c = "x1d79";
    $this->x153c->x3248 = "_isAllowed";
    ...
    [it keeps going for a while...]

So it declares empty variables, generates empty objects, and then stores strings and references to other variables, but... for example,

$this->x1528->x21a9 = "getSingleton";

What is x21a9 ? There's no reference to this anywhere, and I thought the x1528 variable was empty ? Also, is this a way of referencing the $x1528 without the $, because i've never seen this syntax before.

This is using PHP techniques I was not aware of, and this has made me very curious. Any help ?

I've no idea. I've found this code already obfuscated and I would like to understand it. I don't even know how this technique is called, so I can't find a tool that does this. — Quentin Le Caignec, Jan 26 '18 at 10:30

score 2 · Accepted Answer · answered Jan 26 '18 at 10:32

Without seeing the entire code it's hard to tell. But basically this is just "gibberish" making it hard to read, but basic PHP nevertheless.

What is x21a9 ?

It's just a random property set on the $x1528 class. Like:

$dummyClass = new StdClass(); // Same as $this->x1528 = new \StdClass();
$dummyClass->foo = "bar"; // Same as $this->x1528->x21a9 = "getSingleton";

Now, echo $dummyClass->foo would return bar. It's just setting a property with a value, but with "cryptic" names.

I thought the x1528 variable was empty ?

It starts out empty at the beginning of the class, but then in the constructor, it's immediately set up as an instance of StdClass:

$this->x1528 = new \StdClass();

Also, is this a way of referencing the $x1528 without the $, because i've never seen this syntax before.

This is basic syntax for objects. The object itself has a $ in front of it, but the properties don't.

I guess I got confused by the names, this is just really heavy layering It seems. Thanks — Quentin Le Caignec, Jan 26 '18 at 10:48
Extra question : In this file,nothing else is ever called or echoed, it just adds a ton of object properties and that's it. How does it actually execute anything ? How would you deobfuscate this ? — Quentin Le Caignec, Feb 08 '18 at 10:16

Unknown PHP obfuscation technique

1 Answers1