Making Sense of Obfuscated Code

It should be no surprise that some plugin authors cannot be trusted. We’ve seen that with the BlogPress SEO plugin, but that one was just sloppy. Others actually try to hide what they are doing. An easy way of doing this is to use a PHP code obfuscating application. These will produce code such as:

<?php if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87(...

Pretty right? The underlying code supporting all of this is the eval() function. If there was any function that should be removed from PHP it would be eval(). Its power is also a gigantic liability. eval() will happily execute any valid PHP code passed into it in the form of a string. The danger should be obvious. Now, if only there was something like eval(), but it told us what it attempted to execute.

Meet highlight_string(), a PHP function that outputs a syntax-highlighted version of the PHP code it is given. Decoding any “encrypted” or lazily “obfuscated” PHP code just requires replacing all instances of eval() with highlight_string(): the obfuscator’s own decoding routine still runs, but its result is printed instead of executed. Naturally, there are more sinister methods of obfuscating code that this does not help with. But the vast majority of hidden code snippets are ripe for the viewing.
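The swap described above, worked through as an added example (this is not code from the original post or from any plugin it mentions). The packed snippet is constructed here with base64 and gzdeflate, the way lazy packers typically wrap their payloads, and the innermost payload is a harmless echo. The reveal_layer() function and the loop around it are mine; eval() of the rewritten snippet stands in for "edit the file and run it".

```php
<?php
// Added example, not from the original post: peeling a constructed,
// layered eval() packer with the eval() -> highlight_string() swap.

// Constructed two-layer packed snippet. The innermost payload is harmless;
// real packers wrap far nastier code in exactly the same way.
$payload = 'echo "innermost code";';
$layer1  = "eval(gzinflate(base64_decode('" . base64_encode(gzdeflate($payload)) . "')));";
$layer2  = "eval(base64_decode('" . base64_encode($layer1) . "'));";

// Reveal one layer: swap the execute-call for the show-call, run the
// rewritten snippet, and capture what highlight_string() prints.
function reveal_layer(string $code): string {
    $swapped = preg_replace('/\beval\s*\(/', 'highlight_string(', $code);
    ob_start();
    eval($swapped);              // the decoder still runs; the payload is only printed
    $html = ob_get_clean();
    // highlight_string() emits HTML; reduce it to plain text for reading.
    $text = html_entity_decode(
        strip_tags(str_replace('<br />', "\n", $html)), ENT_QUOTES, 'UTF-8');
    return trim(str_replace("\xC2\xA0", ' ', $text));
}

// Keep peeling while the revealed code is itself another eval() wrapper.
$code = $layer2;
for ($depth = 1; preg_match('/\beval\s*\(/', $code); $depth++) {
    $code = reveal_layer($code);
    echo "layer $depth: $code\n";
}
// Last line printed: layer 2: echo "innermost code";
```

Note that only the eval() calls are neutralised: any decoder function the snippet defines (such as the TC9A16C47DA8EEE87() function shown above) still executes, so run this against an untrusted plugin in a throwaway PHP installation, not on the site it was found on.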

Wondering what the TC9A16C47DA8EEE87() function does? It happens to be a decrypter of sorts that takes in an encrypted string and outputs a string containing PHP code that eval() can execute. Who wrote this function? Not sure; searching Google doesn’t turn up much either. The function name, along with the variable names inside it, appears to be randomly generated in an attempt to avoid discovery and to avoid conflicting with existing functions. Where was this found? A plugin someone kept spamming on Twitter; there will be more on it later.

-John Havlik

[end of transmission, stay tuned]