in reply to Is there a script somewhere to de-obfuscate code?

Well it ain't easy...

One thing you can try is to use Perl::Tidy on it, but that might not solve the problem, partly because the only thing that's able to parse Perl is perl itself (meaning that Perl::Tidy itself sometimes fails) and partly because even if it works, it doesn't do everything... but it might be a good start...

And then you'll have to break it down in chunks and try to understand the flow of the code... it surely helps if you already have an idea of what it does...

Regarding the code you're posting, it seems just like a variable name...

Anyway, how did it get to the point that you're left with obfuscated scripts? It seems somebody didn't do his(her) job properly... that's no way to work...

Re^2: Is there a script somewhere to de-obfuscate code?
by nashr (Novice) on Mar 27, 2005 at 13:56 UTC
    The code I'm looking at right now is a counter to track the number of users currently on a website. I downloaded it from a website, but they clearly state that it connects back to them. I'd rather learn from this code to rewrite my own counter for this purpose, but the code is a single string of obfuscated code.
    $A36l105l112l32l61l32l36l69l78l86l123l39l82l69l77l79l84l69l95l65l68l68 +l82l39l125l59l36l116l105l109l101l32l61l32l116l105l109l101l59l36l102l1 +11l117l110l100l32l61l32l48l59l36l117l115l101l114l115l32l61l32l48l59l6 +4l112l97l105l114l115l32l61l32l115l112l108l10=q#36l105l112l32l61l32l36 +l69l78l86l123l39l82l69l77l79l84l69l95l65l68l68l82l39l125l59l36l116l10 +5l109l101l32l61l32l116l105l109l101l59l36l102l111l117l110l100l32l61l32 +l48l59l36l117l115l101l114l115l32l61l32l48l59l64l112l97l105l114l115l32 +l61l32l115l112l108l105l116l40l47l38l47l44l32l36l69l78l86l123l34l81l85 +l69l82l89l95l83l84l82l73l78l71l34l125l41l59l102l111l114l101l97l99l104 +l32l36l112l97l105l114l32l40l64l112l97l105l114l115l41l32l123l40l36l110 +l97l109l101l44l32l36l118l97l108l117l101l41l32l61l32l115l112l108l105l1 +16l40l47l61l47l44l32l36l112l97l105l114l41l59l36l118l97l108l117l101l32 +l61l126l32l116l114l47l43l47l32l47l59l36l118l97l108l117l101l32l61l126l +32l115l47l37l40l91l97l45l102l65l45l70l48l45l57l93l91l97l45l102l65l45l +70l48l45l57l93l41l47l112l97l99l107l40l34l67l34l44l32l104l101l120l40l3 +6l49l41l41l47l101l103l59l99l104l111l109l112l40l36l118l97l108l117l101l +41l59l36l81l85l69l82l89l123l36l110l97l109l101l125l32l61l32l36l118l97l +108l117l101l59l125l105l102l32l40l33l32l40l45l102l32l34l100l97l116l97l +47l117l115l101l114l115l46l116l120l116l34l41l41l32l123l111l112l101l110 +l32l40l67l82l69l65l84l69l44l32l34l62l100l97l116l97l47l117l115l101l114 +l115l46l116l120l116l34l41l59l99l108l111l115l101l32l67l82l69l65l84l69l +59l99l104l109l111l100l40l48l54l54l54l44l32l34l100l97l116l97l47l117l11 +5l101l114l115l46l116l120l116l34l41l59l125l111l112l101l110l32l70l73l76 +l69l44l34l43l60l100l97l116l97l47l117l115l101l114l115l46l116l120l116l3 +4l59l38l108l111l99l107l40l70l73l76l69l41l59l64l117l115l101l114l115l32 +l61l32l60l70l73l76l69l62l59l99l104l111l109l112l40l64l117l115l101l114l +115l41l59l115l101l101l107l40l70l73l76l69l44l48l44l48l41l59l116l114l11 +7l110l99l97l116l101l40l70l73l76l69l44l48l41l59l102l111l114l101l97l99l 
+104l32l36l108l105l110l101l32l40l64l117l115l101l114l115l41l32l123l40l3 +6l115l97l118l101l100l105l112l44l36l115l97l118l101l100l116l105l109l101 +l41l32l61l32l115l112l108l105l116l47l92l124l47l44l36l108l105l110l101l5 +9l105l102l32l40l36l115l97l118l101l100l105l112l32l101l113l32l36l105l11 +2l41l32l123l36l115l97l118l101l100l116l105l109l101l32l61l32l36l116l105 +l109l101l59l36l102l111l117l110l100l32l61l32l49l59l125l105l102l32l40l3 +6l116l105l109l101l32l60l32l36l115l97l118l101l100l116l105l109l101l32l4 +3l32l40l36l109l105l110l117l116l101l115l32l42l32l54l48l41l41l32l123l11 +2l114l105l110l116l32l70l73l76l69l32l34l36l115l97l118l101l100l105l112l +124l36l115l97l118l101l100l116l105l109l101l92l110l34l59l9l36l117l115l1 +01l114l115l32l61l32l36l117l115l101l114l115l32l43l32l49l59l125l125l105 +l102l32l40l36l102l111l117l110l100l32l61l61l32l48l41l32l123l112l114l10 +5l110l116l32l70l73l76l69l32l34l36l105l112l124l36l116l105l109l101l92l1 +10l34l59l36l117l115l101l114l115l32l61l32l36l117l115l101l114l115l32l43 +l32l49l59l125l99l108l111l115l101l32l40l70l73l76l69l41l59l36l99l111l10 +0l101l32l61l32l34l60l97l32l104l114l101l102l61l92l34l104l116l116l112l5 +8l47l47l119l119l119l46l112l101l114l108l111l110l108l105l110l101l46l99l +111l109l92l34l32l115l116l121l108l101l61l92l34l36l115l116l121l108l101l +92l34l62l36l117l115l101l114l115l60l47l97l62l34l59l105l102l32l40l36l81 +l85l69l82l89l123l39l111l117l116l112l117l116l39l125l32l101l113l32l34l1 +06l97l118l97l115l99l114l105l112l116l34l32l111l114l32l36l111l117l116l1 +12l117l116l32l101l113l32l34l106l97l118l97l115l99l114l105l112l116l34l4 +1l32l123l112l114l105l110l116l32l34l67l111l110l116l101l110l116l45l116l +121l112l101l58l32l116l101l120l116l47l104l116l109l108l92l110l92l110l34 +l59l36l99l111l100l101l32l61l126l32l115l47l92l39l47l92l92l92l39l47l105 +l103l59l36l99l111l100l101l32l61l126l32l115l47l92l34l47l92l92l92l34l47 +l105l103l59l112l114l105l110l116l32l34l100l111l99l117l109l101l110l116l +46l119l114l105l116l101l40l92l34l36l99l111l100l101l92l34l41l59l34l59l1 
+01l120l105l116l59l125l101l108l115l101l123l112l114l105l110l116l32l34l6 +7l111l110l116l101l110l116l45l116l121l112l101l58l32l116l101l120l116l47 +l104l116l109l108l92l110l92l110l34l59l112l114l105l110l116l32l34l36l99l +111l100l101l34l59l101l120l105l116l59l125l115l117l98l32l108l111l99l107 +l123l109l121l32l36l108l111l99l107l32l61l32l48l59l119l104l105l108l101l +32l40l36l108l111l99l107l32l60l32l53l41l32l9l123l105l102l32l40l102l108 +l111l99l107l40l64l95l91l48l93l44l32l50l41l41l32l123l114l101l116l117l1 +14l110l32l48l59l125l115l108l101l101l112l32l40l49l41l59l36l108l111l99l +107l43l43l59l125l101l120l105l116l59l125l#;eval(pack('C*',split('\D',$ +A36l105l112l32l61l32l36l69l78l86l123l39l82l69l77l79l84l69l95l65l68l68 +l82l39l125l59l36l116l105l109l101l32l61l32l116l105l109l101l59l36l102l1 +11l117l110l100l32l61l32l48l59l36l117l115l101l114l115l32l61l32l48l59l6 +4l112l97l105l114l115l32l61l32l115l112l108l10)));
    It's a single long string. The full code can be obtained at http://www.perlonline.com/usersonline/index.htm. This script is provided for free, so I don't think it's wrong to try and write new code based on this; I just can't read it. :)

    20050527 Edit by ysth: use code paragraph, not inline.

      It's pretty simple, actually...

      First, they use a *very long* variable name, which is the $A361 stuff.

      Then they put their code, packed, inside that variable.

      Afterwards, they eval their unpacked code.

      Simply replace the eval statement with a print and you'll get their code out, which looks like this:

      $ip = $ENV{'REMOTE_ADDR'};$time = time;$found = 0;$users = 0;@pairs = split(/&/, $ENV{"QUERY_STRING"});foreach $pair (@pairs) {($name, $value) = split(/=/, $pair);$value =~ tr/+/ /;$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;chomp($value);$QUERY{$name} = $value;}if (! (-f "data/users.txt")) {open (CREATE, ">data/users.txt");close CREATE;chmod(0666, "data/users.txt");}open FILE,"+<data/users.txt";&lock(FILE);@users = <FILE>;chomp(@users);seek(FILE,0,0);truncate(FILE,0);foreach $line (@users) {($savedip,$savedtime) = split/\|/,$line;if ($savedip eq $ip) {$savedtime = $time;$found = 1;}if ($time < $savedtime + ($minutes * 60)) {print FILE "$savedip|$savedtime\n";  $users = $users + 1;}}if ($found == 0) {print FILE "$ip|$time\n";$users = $users + 1;}close (FILE);$code = "<a href=\"http://www.perlonline.com\" style=\"$style\">$users</a>";if ($QUERY{'output'} eq "javascript" or $output eq "javascript") {print "Content-type: text/html\n\n";$code =~ s/\'/\\\'/ig;$code =~ s/\"/\\\"/ig;print "document.write(\"$code\");";exit;}else{print "Content-type: text/html\n\n";print "$code";exit;}sub lock{my $lock = 0;while ($lock < 5)      {if (flock(@_[0], 2)) {return 0;}sleep (1);$lock++;}exit;}

      Simply run perltidy on that code and you'll be able to see, clearly, everything that is going on.
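
A static decoder for the wrapper described above, as an added example that is not part of the original thread: rather than editing `eval` to `print` and running the script, it extracts the `q#...#` payload and rebuilds the bytes that `pack('C*',split('\D',...))` would produce, so nothing from the sample is executed. It goes slightly beyond the thread by peeling nested wrappers and by stripping the forum's `+` line-wrap markers; the function names and the input built by `wrap()` are constructed for illustration.

```python
import re

# Wrapper shape from the thread:
#   $NAME=q#<decimal byte values, non-digit separated>#;eval(pack('C*',split('\D',$NAME)));
WRAPPER = re.compile(
    r"\$(?P<name>\w+)\s*=\s*q#(?P<payload>[^#]*)#\s*;\s*"
    r"eval\s*\(\s*pack\s*\(\s*'C\*'\s*,\s*split\s*\(\s*'\\D'\s*,\s*"
    r"\$(?P=name)\s*\)\s*\)\s*\)"
)
# Forum line-wrap marker (whitespace then '+'), which can land mid-number.
WRAP_MARK = re.compile(r"\s+\+")


def decode_once(text):
    """Return the source hidden in one wrapper, or None if no wrapper is found."""
    match = WRAPPER.search(WRAP_MARK.sub("", text))
    if match is None:
        return None
    # The split leaves the digit runs; pack with C* turns each into one byte.
    codes = [int(n) for n in re.findall(r"\d+", match.group("payload"))]
    if any(c > 255 for c in codes):
        raise ValueError("value above 255: not pack('C*') byte data")
    return bytes(codes).decode("latin-1")


def decode_all(text, max_layers=10):
    """Peel nested wrappers statically; the sample is never executed."""
    layers = []
    while len(layers) < max_layers:
        inner = decode_once(text)
        if inner is None:
            break
        layers.append(inner)
        text = inner
    return layers


def wrap(src, name="A36l1"):
    """Build a constructed sample in the wrapper's shape (hypothetical helper)."""
    payload = "".join(f"{b}l" for b in src.encode("latin-1"))
    return "$" + name + "=q#" + payload + "#;eval(pack('C*',split('\\D',$" + name + ")));"


if __name__ == "__main__":
    # Constructed input: a harmless statement wrapped twice, with a wrap marker added.
    sample = wrap(wrap('print "users online\\n";'))
    sample = sample[:30] + " \n+" + sample[30:]
    for depth, layer in enumerate(decode_all(sample), 1):
        print(f"--- layer {depth} ---\n{layer}")
```

Each recovered layer can then be passed through perltidy for reading, as the reply suggests.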