- Joined
- Jun 28, 2020
- Messages
- 6,655
- Reaction score
- 715
- Points
- 212
- Awards
- 2
hello brothers, perhaps you have it already knows and who does not know that I will teach, today we will talk about Decode and Encode Php code
There are many ways to encode and decode PHP code. From the perspective of site security, there are three PHP functions — str_rot13(), base64_encode(), and gzinflate — that are frequently used to obfuscate malicious strings of PHP code. For those involved in the securing of websites, understanding how these functions are used to encode and decode encrypted chunks of PHP data is critical to accurate monitoring and expedient attack recovery.
Encoding and decoding with str_rot13()
As explained in the PHP documentation, str_rot13() is a simple function used for rotating every letter “13 places in the alphabet” while ignoring non-alphanumeric characters. This type of encoding is called ROT13 encoding and it’s very straightforward using the str_rot13() function. Let’s look at an example..
Let’s say we want to ROT13-encode the following string:
Code:
<?php $string = 'Congratulations Anonymous; ?>
We run this string through str_rot13() and set it as a variable named $encoded like so:
Code:
<?php $encoded = str_rot13($string); ?>
Echoing the $encoded variable to the browser, we get this string of gibberish:
Code:
Pbatenghyngvbaf Nabalzbhf
To decode a string encoded with str_rot13(), we simply run it back through the function to restore the original string. Here is an example that returns the original string to a variable named $decoded:
Code:
$decoded = str_rot13(str_rot13($string))
Echoing $decoded, we see the original string as expected:
Code:
Congratulations Anonymous
Example:
Code:
<?php // str_rot13() example
$string = 'Congratulations Anonymous';
$encoded = str_rot13($string);
$decoded = str_rot13(str_rot13($string));
echo $encoded ."\n";
echo $decoded;
?>
Encode and decode with base64_encode() & base64_decode()
Quote:This encoding is designed to make binary data survive transport through transport layers that are not 8-bit clean, such as mail bodies.
Also explained in the PHP documentation.
Ahh, I love taking stuff out of context, but I digress.. Let’s get back on track with a quick example showing how base64_encode() works its magic. Let’s say we want to encode the following string with base64:
Code:
<?php $string = 'Congratulations Anonymous'; ?>
We run this string through base64_encode() and set it as a variable named $encoded like so:
Code:
<?php $encoded = base64_encode($string); ?>
Echoing the $encoded variable to the browser, we get this string of gibberish:
Code:
Q29uZ3JhdHVsYXRpb25zIEFub255bW91cw==
As you may count, the base64-encoded string contains around 33% more data than the original. Now to decode a string encoded with base64_encode, we use the converse function, base64_decode. Here is an example that returns the original string to a variable named $decoded:
Code:
<?php $decoded = base64_decode(base64_encode($string)); ?>
Echoing $decoded, we see the original string as expected:
Code:
Congratulations Anonymous
Example:
Code:
<?php // base64_encode()/base64_decode() example
$string = 'Encoding and Decoding Encrypted PHP Code';
$encoded = base64_decode($string);
$decoded = base64_decode(base64_encode($string));
echo $encoded ."\n";
echo $decoded;
?>
Deflate and inflate with gzdeflate() & gzinflate()
PHP docs
Let’s say we want to “gzdeflate” the following string:
Code:
<?php $string = 'Congratulations Anonymous'; ?>
We run this string through gzdeflate() and set it as a variable named $compressed:
Code:
<?php $compressed = gzdeflate($string); ?>
Echoing the $compressed variable to the browser, we get this bizarre-looking gibberish:
Code:
sНKОOaМKWHМKQpI…r\у’‹*
JRS<њуSR
To “decode” this alien-speak, we inflate it with the converse function, gzinflate(), to restore the original string. Here is an example that returns the original string to a variable named $uncompressed:
Code:
$uncompressed = gzinflate(gzdeflate($string));
Echoing $uncompressed, we see the original string as expected:
Code:
Congratulations Anonymous
Example:
Code:
<?php // gzinflate()/gzdeflate() example
$string = 'Encoding and Decoding Encrypted PHP Code';
$compressed = gzdeflate($string);
$uncompressed = gzinflate($compressed);
echo $compressed ."\n";
echo $uncompressed;
?>
Combined example: gzinflate(str_rot13(base64_decode()))
Malicious scripts often combine multiple encoding methods to further obfuscate data strings. Using the numerous PHP encoding-type functions (and their various parameters), it’s possible to scramble data with many layers of obfuscation. For example, on common technique for encrypting malicious scripts combines all three of the functions described in this article. The structure of such technique looks like this:
Code:
$gibberish = eval(gzinflate(str_rot13(base64_decode($string))));
There are many ways to encode and decode PHP code. From the perspective of site security, there are three PHP functions — str_rot13(), base64_encode(), and gzinflate — that are frequently used to obfuscate malicious strings of PHP code. For those involved in the securing of websites, understanding how these functions are used to encode and decode encrypted chunks of PHP data is critical to accurate monitoring and expedient attack recovery.
Encoding and decoding with str_rot13()
As explained in the PHP documentation, str_rot13() is a simple function used for rotating every letter “13 places in the alphabet” while ignoring non-alphanumeric characters. This type of encoding is called ROT13 encoding and it’s very straightforward using the str_rot13() function. Let’s look at an example..
Let’s say we want to ROT13-encode the following string:
Code:
<?php $string = 'Congratulations Anonymous; ?>
We run this string through str_rot13() and set it as a variable named $encoded like so:
Code:
<?php $encoded = str_rot13($string); ?>
Echoing the $encoded variable to the browser, we get this string of gibberish:
Code:
Pbatenghyngvbaf Nabalzbhf
To decode a string encoded with str_rot13(), we simply run it back through the function to restore the original string. Here is an example that returns the original string to a variable named $decoded:
Code:
$decoded = str_rot13(str_rot13($string))
Echoing $decoded, we see the original string as expected:
Code:
Congratulations Anonymous
Example:
Code:
<?php // str_rot13() example
$string = 'Congratulations Anonymous';
$encoded = str_rot13($string);
$decoded = str_rot13(str_rot13($string));
echo $encoded ."\n";
echo $decoded;
?>
Encode and decode with base64_encode() & base64_decode()
Quote:This encoding is designed to make binary data survive transport through transport layers that are not 8-bit clean, such as mail bodies.
Also explained in the PHP documentation.
Ahh, I love taking stuff out of context, but I digress.. Let’s get back on track with a quick example showing how base64_encode() works its magic. Let’s say we want to encode the following string with base64:
Code:
<?php $string = 'Congratulations Anonymous'; ?>
We run this string through base64_encode() and set it as a variable named $encoded like so:
Code:
<?php $encoded = base64_encode($string); ?>
Echoing the $encoded variable to the browser, we get this string of gibberish:
Code:
Q29uZ3JhdHVsYXRpb25zIEFub255bW91cw==
As you may count, the base64-encoded string contains around 33% more data than the original. Now to decode a string encoded with base64_encode, we use the converse function, base64_decode. Here is an example that returns the original string to a variable named $decoded:
Code:
<?php $decoded = base64_decode(base64_encode($string)); ?>
Echoing $decoded, we see the original string as expected:
Code:
Congratulations Anonymous
Example:
Code:
<?php // base64_encode()/base64_decode() example
$string = 'Encoding and Decoding Encrypted PHP Code';
$encoded = base64_decode($string);
$decoded = base64_decode(base64_encode($string));
echo $encoded ."\n";
echo $decoded;
?>
Deflate and inflate with gzdeflate() & gzinflate()
PHP docs
Let’s say we want to “gzdeflate” the following string:
Code:
<?php $string = 'Congratulations Anonymous'; ?>
We run this string through gzdeflate() and set it as a variable named $compressed:
Code:
<?php $compressed = gzdeflate($string); ?>
Echoing the $compressed variable to the browser, we get this bizarre-looking gibberish:
Code:
sНKОOaМKWHМKQpI…r\у’‹*
JRS<њуSR
To “decode” this alien-speak, we inflate it with the converse function, gzinflate(), to restore the original string. Here is an example that returns the original string to a variable named $uncompressed:
Code:
$uncompressed = gzinflate(gzdeflate($string));
Echoing $uncompressed, we see the original string as expected:
Code:
Congratulations Anonymous
Example:
Code:
<?php // gzinflate()/gzdeflate() example
$string = 'Encoding and Decoding Encrypted PHP Code';
$compressed = gzdeflate($string);
$uncompressed = gzinflate($compressed);
echo $compressed ."\n";
echo $uncompressed;
?>
Combined example: gzinflate(str_rot13(base64_decode()))
Malicious scripts often combine multiple encoding methods to further obfuscate data strings. Using the numerous PHP encoding-type functions (and their various parameters), it’s possible to scramble data with many layers of obfuscation. For example, on common technique for encrypting malicious scripts combines all three of the functions described in this article. The structure of such technique looks like this:
Code:
$gibberish = eval(gzinflate(str_rot13(base64_decode($string))));
