UnPHP - The Online PHP Decoder UnPHP is a free service for analyzing obfuscated and malicious PHP code. To get started either copy your code below or choose a file to upload then click 'Decode This PHP'. Jun 10, 2015 Extract the encrypted code from the target php file. Place the two variables from above in a function which will give the decoded file. Decode “phpcipher.bin”. Phpcipher.bin is encoded with Zend Guard and php 5.2 and it can be decoded by any decoder made for IonCube and php 5.2.
- How To Decode Php Files That Encoded By Zend Encoder Decoder Download
- How To Decode Php Files That Encoded By Zend Encoder Decoder Key
There are many ways to encode and decode PHP code. From the perspective of site security, there are three PHP functions —
str_rot13()
, base64_encode()
, and gzinflate
— that are frequently used to obfuscate malicious strings of PHP code. For those involved in the securing of websites, understanding how these functions are used to encode and decode encrypted chunks of PHP data is critical to accurate monitoring and expedient attack recovery.For those already familiar with the concept, but could use a quick reference with examples, I put together a concise summary of this article. The article here is intended as a “behind-the-scenes” look at the decoding and encoding happening on the examples page. Here’s the quick-jump menu:
Encoding and decoding with str_rot13()
As explained in the PHP documentation,
str_rot13()
is a simple function used for rotating every letter “13 places in the alphabet” while ignoring non-alphanumeric characters. This type of encoding is called ROT13 encoding and it’s very straightforward using the str_rot13()
function. Let’s look at an example..Let’s say we want to ROT13-encode the following string:
<?php $string = 'Encoding and Decoding Encrypted PHP Code'; ?>
We run this string through
str_rot13()
and set it as a variable named $encoded
like so:<?php $encoded = str_rot13($string); ?>
Echoing the
$encoded
variable to the browser, we get this string of gibberish:Rapbqvat naq Qrpbqvat Rapelcgrq CUC Pbqr
To decode a string encoded with
str_rot13()
, we simply run it back through the function to restore the original string. Here is an example that returns the original string to a variable named $decoded
:$decoded = str_rot13(str_rot13($string))
Echoing
$decoded
, we see the original string as expected:Encoding and Decoding Encrypted PHP Code
Copy/paste example (try it for yourself):
Encode and decode with base64_encode() & base64_decode()
Also explained in the PHP documentation, the
base64_encode()
function “encodes the given data with base64.” Rather than get into the mechanics of encoding with base64, I’ll repeat the enigmatic haiku given in the docs:This encoding is designed to make binary data survive transport through transport layers that are not 8-bit clean, such as mail bodies.
Ahh, I love taking stuff out of context, but I digress.. Let’s get back on track with a quick example showing how
base64_encode()
works its magic. Let’s say we want to encode the following string with base64:<?php $string = 'Encoding and Decoding Encrypted PHP Code'; ?>
We run this string through
base64_encode()
and set it as a variable named $encoded
like so:<?php $encoded = base64_encode($string); ?>
Echoing the
$encoded
variable to the browser, we get this string of gibberish:RW5jb2RpbmcgYW5kIERlY29kaW5nIEVuY3J5cHRlZCBQSFAgQ29kZQ
As you may count, the base64-encoded string contains around 33% more data than the original. Now to decode a string encoded with
base64_encode
, we use the converse function, base64_decode. Here is an example that returns the original string to a variable named $decoded
:<?php $decoded = base64_decode(base64_encode($string)); ?>
Echoing
$decoded
, we see the original string as expected:Encoding and Decoding Encrypted PHP Code
Copy/paste example (try for yourself):
Deflate and inflate with gzdeflate() & gzinflate()
A third visit to the PHP docs gives us our third function,
gzdeflate()
is used to “compress the given string using the DEFLATE data format.” Again, not gonna veer off — let’s stay focused with a quick example.Let’s say we want to “gzdeflate” the following string:
<?php $string = 'Encoding and Decoding Encrypted PHP Code'; ?>
![Encoded Encoded](/uploads/1/1/7/8/117822140/156081261.gif)
We run this string through
gzdeflate()
and set it as a variable named $compressed
:<?php $compressed = gzdeflate($string); ?>
Echoing the
$compressed
variable to the browser, we get this bizarre-looking gibberish:s�K�O��KWH�KQpI�r���*000bJRS00140002<00020014��SR0001
To “decode” this alien-speak, we inflate it with the converse function, gzinflate(), to restore the original string. Here is an example that returns the original string to a variable named
$uncompressed
:$uncompressed = gzinflate(gzdeflate($string));
Echoing
$uncompressed
, we see the original string as expected:Encoding and Decoding Encrypted PHP Code
Copy/paste example:
Parameters
Also worth mentioning: whereas the first two functions —
str_rot13()
and base64_encode()
— accept only one parameter (the input $string
), the inflate/deflate functions accept two parameters. Perhaps surprisingly, these second parameters are different between the two functions:- gzdeflate() —
level
= the level of compression (0
to9
) - gzinflate() —
length
= the maximum length of data to decode
Returning to our example, let’s employ these second parameters to help visualize:
And the result as displayed in a browser:
s�K�O��KWH�KQpI�r���*000bJRS00140002<00020014��SR
Encoding and Decoding Encrypted PHP Code
Combined example: gzinflate(str_rot13(base64_decode()))
Malicious scripts often combine multiple encoding methods to further obfuscate data strings. Using the numerous PHP encoding-type functions (and their various parameters), it’s possible to scramble data with many layers of obfuscation. For example, on common technique for encrypting malicious scripts combines all three of the functions described in this article. The structure of such technique looks like this:
$gibberish = eval(gzinflate(str_rot13(base64_decode($string))));
The concept is straightforward, however decoding the
$gibberish
can be tricky. The easiest way to decode such a string is to use an online decoding tool. And that’s my slick segue into the next section..Online tools for decoding/encoding PHP code
How To Decode Php Files That Encoded By Zend Encoder Decoder Download
To further contribute to the cause, I’ve created some online decoding tools to simplify the process. Here are some tools for encoding/decoding with some common PHP functions:
Additional resources
Into this decoding/ecoding stuff? You may also enjoy these fine functions..
- chunk_split() — Split a string into smaller chunks
- convert_uuencode() — Uuencode a string
- gzcompress() — Compress a string
- gzuncompress() — Uncompress a compressed string
- gzencode() — Create a gzip compressed string
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
How To Decode Php Files That Encoded By Zend Encoder Decoder Key
About Hex Decoder
Hex Decoder, is a easy to use tool start by typing or searching file, and click on convert to decode. After decoding, you can copy or save data as a txt file. This website also contain tutorial on how to decode or encode hex in different programming languages like PHP, Go, Java, Javascript, and Python.
Hexadecimal notation uses sixteen symbols to represent sixteen numerical values. Since, the decimal numbering system provides only ten digits (0 through 9), six additional symbols are used by hexadecimals A, B, C, D, E and F. Hexadecimals are widely used for denoting errors and in data transmission also.
Basics – Binary, ASCII and Decimal
Binary is a language of electronics basically, 0 and 1 are ON and OFF signal. Binary is a best way to store and process data with in electronics. We can also use decimal but like i said earlier ON and OFF signal, we need 10 more units. For example – in on and off, we need 2 unit only, first one is OFF (No volt) and second one is 0.5 volts (ON). But when we create ten units like (0.5 volts, 1 volt, 1.5 volt so on) then how much electricity it will consume, for now binary is a most efficient way.
Decimal
We use 1-9 numbering system in our daily life, much familiar to us ten fingers, ten toes etc. We use decimal numbering system for notation purpose (With decimals you can easily get the position of any binary or text) as well as, you can also convert decimal to binary or binary to decimal through calculation.
ASCII
ASCII character (ABC,123) take 8-bit, while other language character or sign take more space. Binary like 01100001 is reserved for certain character, as you know computer was developed by US. So its very obvious they reserve front binary set for english characters.
Country like china and many more developed their own parameters, it mean certain binary like 01100001 is reserved for one Chinese character while the same binary have different meaning in US. These parameter can be used with in one or two countries not globally. So to avoid incompatibilities in data handling, we use global parameter known as UTF-8. It contain almost all human known characters and every binary slot is fixed for certain character, that’s why UTF-8 hold 70-80% market share.
Hexadecimal Usage
Computers do not actually work in hex, it always works on binary, then why we use hexadecimal numbers, two reason behind this.
It gives a more human-friendly representation, which is far more simpler then representing something in binary numbers. For small binaries we can use decimals, but big ones have quite large decimals you can see it in a given example. Hex take less space and having human-friendly output, that’s why used for denoting errors.
Hexadecimal: 2AF3
Decimal: 10995
Octal: 25363
Binary: 0010 1010 1111 0011
Decimal: 10995
Octal: 25363
Binary: 0010 1010 1111 0011
![Files Files](/uploads/1/1/7/8/117822140/831873633.jpg)
Second and the main, also used for encoding because some portal works on (ASCII only) scheme, so its difficult to work with (non-ASCII) characters because they take much space (More than 8 bits), at this time schemes like hex or base64 take place, basically they convert all non-ASCII character into ASCII ones (Hex ASCII string), now data can be transferred through (ASCII only portal) and on the receiver side hex gets decoded, now receiver can read it.
What is hexadecimal
In mathematics and computing, hexadecimal is a base 16 (hexa) number system, which means that it contains 16 unique symbols to represent data: the numbers from 0 to 9 and the letters from A to F.
This system is useful because it can represent each byte (8 bits) with two consecutive hexadecimal digits. This allows people to read hexadecimal numbers more easily than binary numbers.
This technique allows us to count hexadecimal numbers using our fingers and phalanges, as can be seen in the image. It allows us to count up to FF16 (255 in decimal).
Hexadecimal numbers are widely used by programmers and designers of computer systems. There are several notations to represent hexadecimal constants in programming languages. The prefix “0x” is the most widespread due to its use in Unix and C, it indicates that there will be a hexadecimal number below. Other authors prefer to use suffixes to represent hexadecimal values. For example, the hexadecimal number can be written like this 0x2AF3 or, in the case that a suffix is used, the same number as 2AF316 (where the final 16 indicates that it is a hexadecimal) or 2AF3hex is also used a lot.