Skip to content

Commit

Permalink
feat: decode chr functions
Browse files Browse the repository at this point in the history
  • Loading branch information
@marcocesarato
marcocesarato committed Jan 10, 2021
1 parent b9688c9 commit da4fa8e
Showing 1 changed file with 39 additions and 26 deletions.
65 changes: 39 additions & 26 deletions src/Deobfuscator.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -82,9 +82,7 @@ public function decode($code)
{
$matchesPhp = Match::getCode($code);
foreach ($matchesPhp as $matchPhp) {
$matchPhp = preg_replace("/<\?(?:php)?(.*?)(?!\B\"[^\"]*)(\?>|$)(?![^\"]*\"\B)/si", '$1', @$matchPhp[0]);
$str = preg_replace("/(\\'|\\\")[\s\r\n]*\.[\s\r\n]*('|\")/si", '', $matchPhp); // Remove "ev"."al"
$str = preg_replace("/([\s]+)/i", ' ', $str); // Remove multiple spaces
$str = preg_replace("/<\?(?:php)?(.*?)(?!\B\"[^\"]*)(\?>|$)(?![^\"]*\"\B)/si", '$1', @$matchPhp[0]);

// Convert dec
$str = preg_replace_callback('/\\\\(0\d{2})/si', function ($match) {
Expand All @@ -101,6 +99,19 @@ public function decode($code)
return @hex2bin(str_replace('\\x', '', $match[0]));
}, $str);

// Convert chr
$str = preg_replace_callback('/(chr|mb_chr)[\s]*\((([\s\(\)]*[\d\.]+[\s\(\)]*[\*\/\-\+]?[\s\(\)]*)+)\)/six', function ($match) {
$calc = (int)$this->calc(trim($match[2]));
$result = $match[1]($calc);

return "'" . $result . "'";
}, $str);

// Remove point between two strings ex. "ev"."al" to "eval"
$str = preg_replace("/(\\'|\\\")[\s\r\n]*\.[\s\r\n]*('|\")/si", '', $str);
// Remove multiple spaces
$str = preg_replace("/([\s]+)/i", ' ', $str);

// Decode strings
$decoders = [
'str_rot13',
Expand Down Expand Up @@ -230,33 +241,35 @@ private function calc($expr)
$expr = $expr[0];
}
preg_match('~(min|max)?\(([^\)]+)\)~msi', $expr, $exprArr);
if ($exprArr[1] === 'min' || $exprArr[1] === 'max') {
if (!empty($exprArr[1]) && ($exprArr[1] === 'min' || $exprArr[1] === 'max')) {
return $exprArr[1](explode(',', $exprArr[2]));
}

preg_match_all('~([\d\.]+)([\*\/\-\+])?~', $expr, $exprArr);
if (in_array('*', $exprArr[2])) {
$pos = array_search('*', $exprArr[2]);
$res = $exprArr[1][$pos] * $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '*' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('/', $exprArr[2])) {
$pos = array_search('/', $exprArr[2]);
$res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('-', $exprArr[2])) {
$pos = array_search('-', $exprArr[2]);
$res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('+', $exprArr[2])) {
$pos = array_search('+', $exprArr[2]);
$res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} else {
return $expr;
if (!empty($exprArr[1]) && !empty($exprArr[2])) {
if (in_array('*', $exprArr[2])) {
$pos = array_search('*', $exprArr[2]);
$res = @$exprArr[1][$pos] * @$exprArr[1][$pos + 1];
$expr = str_replace(@$exprArr[1][$pos] . '*' . @$exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('/', $exprArr[2])) {
$pos = array_search('/', $exprArr[2]);
$res = $exprArr[1][$pos] / $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '/' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('-', $exprArr[2])) {
$pos = array_search('-', $exprArr[2]);
$res = $exprArr[1][$pos] - $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '-' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} elseif (in_array('+', $exprArr[2])) {
$pos = array_search('+', $exprArr[2]);
$res = $exprArr[1][$pos] + $exprArr[1][$pos + 1];
$expr = str_replace($exprArr[1][$pos] . '+' . $exprArr[1][$pos + 1], $res, $expr);
$expr = $this->calc($expr);
} else {
return $expr;
}
}

return $expr;
Expand Down

0 comments on commit da4fa8e

Please sign in to comment.