Hello There, Guest! Login Register
Logo
Dismiss this notice
MaDLeeTs is not responsible for any attacks that are carried out on networks, websites or servers.
MaDLeeTs staff members cannot be held responsible.
All information on this forum is for educational purposes only.


FOPO Deobfuscator

  • 0 Vote(s) - 0 Average


07-26-2017, 01:14 AM #1
ZeroDay Offline Junior Member **
Registered
Posts:1 Threads:1 Joined:Jul 2017 Reputation: 0
Mood: Hacker
Hi , This Is My First Post In MadLeets
[*] About FOPO.com.ar :
 FOPO creates equivalent PHP obfuscated code which requires no special server runtime for    execution. It's not one-way encryption but it will keep curious eyes away from your code. Submitted code gets deleted immediately after obfuscation and is not stored in any way


Python Deobfuscator :


Code:
#!/usr/bin/env python

__description__ = 'Deobfuscator script for FOPO PHP obfuscated files'
__author__ = 'Antelox'
__version__ = '0.21'
__date__ = '01/28/2017'

"""
FOPO PHP Deobfuscator script
Coded by Antelox
Twitter: @Antelox
UIC R.E. Academy - quequero.org
Copyright (C) 2017 - MIT License
"""

import zlib
import base64
import sys
import re

def str_rot13(string):
   return string.encode('rot13')

def base64_decode(string):
   return base64.b64decode(string)

def gzinflate(string):
   return zlib.decompress(string, -15)

#main
if len(sys.argv) > 1:
print "\n***FOPO Deobfuscator ver. 0.2***\n"

contents = open(sys.argv[1],'r').read()
if "Obfuscation provided by FOPO - Free Online PHP Obfuscator:" not in contents:
print "*ERROR: Provided a PHP script not obfuscated with FOPO PHP Obfuscator!"
sys.exit()

contents = re.sub('//?\s*\*[\s\S]*?\*\s*//?', '', contents)

eval = contents.split('(')

#base64 = base64 encoded block inside obfuscated PHP script
base64_ = eval[2].split('"')

i1 = base64_decode(base64_[1]).split("eval")

#there is a ternary operator at this point "?:" -> (condition) ? (expr for TRUE) : (expr 4 FALSE)
#the right data block to be decoded is the second one, that is the data block relative to ":" (FALSE)
i2 = i1[1].split(':')
i3 = i2[1].split('"')

#initialization variables
encryptionlayer = ''
dl = ''
nextlayer = ''
backup = ''
#Here final steps with n recursive encoded layers:
#First layer here
encryptionlayer = gzinflate(base64_decode(str_rot13(i3[1])))

#n-1 remaining layers inside while loop below
while (str(re.match('\?\>', encryptionlayer)) == 'None'):
backup = encryptionlayer
dl = encryptionlayer.split('"')

if (len(dl)>7):
nextlayer = gzinflate(base64_decode(str_rot13(dl[7])))
encryptionlayer = nextlayer
else:
nextlayer = gzinflate(base64_decode(dl[5]))
encryptionlayer = nextlayer

#here final[1] variable contains deobfuscated PHP code :D
backup = encryptionlayer
final = backup.split('?>')

try:
open(sys.argv[2],'wb').write(final[1])
except:
open('deobfuscated.php','wb').write(final[1])

else:
print "\n*ERROR: Please provide the input file name as argument!"
print "\nExample: python deobfuscator.py input.php [output=deobfuscated.php]"
sys.exit()


[*] A Online Tool To Deobfuscate : https://glot.io/snippets/efruafhnez

Good Luck , If Anyone Have A Question Post Here ...
Good Bye <3






Forum Jump:


Users browsing this thread:2 Guest(s)