Tuesday, October 5, 2010

PHP code deobfuscation

The zscaler weblog  describes how to use  Evalhook from Steffan Esser to  deobfuscate PHP code.

They point to the following article that explains how the tool works.

From Steffan Esser's article:
Whenever encoders like php-crypt have to be analysed the task is usually the same. You take the script, replace all calls to eval() with die() and check what it tries to eval(). When it looks safe you will replace the eval() with the evaluated code and repeat. This is a very stupid and time consuming work, especially when there are multiple wrappers of eval(). Therefore I wrote a short PHP extension called evalhook that helps with this task.

No comments:

Post a Comment