Decrypting SourceCop php files
Every once in a while, I receive code that is encrypted using one of many php encoder software out there, so when I face this situation and if the project is worth it, I start playing around with the encrypted files to see how the encoding algorithm works, so far I’ve been able to successful decrypt files encoded with Zend, and ioncube, I don’t remember the versions of the encoders but I remember that the latter one took me some time, but I did it.
I must say that decoding files also becomes a personal challenge, it is like a hobby when I have the time to play with it.
Yesterday I received a couple of files encoded with an unknown encoder for me, it didn’t require any php modification or extension install, so I tough that it would be easy to break it, because at some point the code must be evaluated, so after I opened the zip file, I noticed a folder called “scopbin“, that contained only 1 php file named “911006.php“, the two encoded files were including this file so I assumed that this is were the decryption logic had to be.
I was exhausted by a long working day, and when I got this files and saw that they were encrypted I placed them in my laptop for later analysis. This analysis was done while I was waiting for the local news, I didn’t research the encoding, or did anything that give me some pointers, I just started to playing around with the code to see how far could I get.
My objective this time was getting this files decrypted, and not analysing the steps of the algorithm, so with this in mind, this is what I did:
This was the original “911006.php” file:
I’ve used a code formatter to make the code more readable:
--space-after-switch \--space-after-while \--space-before-srt-angle-bracket \--space-after-end-angle-bracket \--glue-amperscore \--change-shell-comment-to-double-slashes-comment \--force-large-php-code-tag \--force-true-false-null-contant-lowercase \--align-equal-statements \--comment-rendering-style PEAR \--equal-align-position 50 \
And this was the result:
< ?php}}}}}}}}}}}}}}}}}
After a quick review of this file, I saw that it had several functions that had same logic, return an unknow variable or delete the file that this unknown variable had, appart from all this “useless” functions I quickly found what appeared to be the decryption function this was the function named y0666f0acdeed38d4cd9084ade1739498 with this information I headed to check one of the encrypted files, and this is how it looked:
Again I used the code beautifier to make this file more readable:
--space-after-switch \--space-after-while \--space-before-srt-angle-bracket \--space-after-end-angle-bracket \--glue-amperscore \--change-shell-comment-to-double-slashes-comment \--force-large-php-code-tag \--force-true-false-null-contant-lowercase \--align-equal-statements \--comment-rendering-style PEAR \--equal-align-position 50 \
And this was the result:
}}
So what we have here is more obfuscated code, but a simple to understand, we have 2 variables and 3 functions, the variable that has the encrypted code should be the larger one so I'm assuming that is the "$REXISTHEDOG4FBI" variable, the other one apparently isn't used, so what I did at this point was to print the results of the evaluated function which corresponds to the function where the decrypt logic is (deofuscated):
}}
unfortunately printing the result didn't work, so I did a review to check why, and I found that the other 2 functions where the problem, let me explain what happens, first a call is made to
}
this function receives the name of the executing file (test.php in my case), read its content in an array, then glues all lines to create a 1 line string, without any new lines, then this result is passed to the following function:
}
which are a series of nested ternary conditions, looking for the words "echo,print,sprint,sprintf", if any of this words are in the encrypted file, then the script simply exits, that's why I was unable to print the decrypted code after calling the decoding function, so simply avoiding the call to this function will fix the issue and I will get my decrypted code.
However, I didn't want to modify the original encrypted files, so a second approach I took was modifying the decryption function and echoing the output from there, so I've added a couple of lines (15 and 16) to the "y0666f0acdeed38d4cd9084ade1739498" function:
01 02 03 04 05 06 07 08 09 10 11 12 13 14 }15 16 17 18 }
And voilà, I was able to see the source code 
, here is a screen shot of the decrypted source:
So in short, just print the output of the decrypt function, and kill the script to get the decrypted code, I don't know if there are any other versions of the "911006.php" file, but I guess that the same logic applies.
Please remember that this isn't a how-to, it is just my experience dealing with this files, also don't use any of these information for any illegal purposes.
I found this article useful in a paper I am writing at university. Hopefully, I get an A+ now!
Thanks
Bernice Franklin
Nice!
Some third party software encrypted with this method use an encrypted file to make a remote API call to script authors site, so it is relatively easy to ‘disable’ the API call and stop a genuine license from expiring.
I had to do this myself when a product I bought stopped being developed so I could continue to use the product.
Just on word : Thanks !
Great tutorial, great explanation. A really good work.
i’just put result into a file instade of display it.
Thanks
Wow Man, you have made $50 useless, so, what do you think the best php encryption program is ? or how do you protect your php code ?
Regards,
Great analytic.
Wow Man, you have made 50 dollar useless, then, how do you protect your php code ? would you like to answer via my email ?
Regards
Well, I’m not sure about what would be the best encryption program, but any encoder that do bytecode compiling will require significantly more time and resources to get the code back, from my experience the harder one has been ion cube, then zend guard.
Thank you , this post is really usefull. Many thanks for making it public.
Many many thanks.
Cheers,
Good morning, I tried to decrypt my file is not got it you got a simpler example.
Actually is pretty simple replace the function y0666f0acdeed38d4cd9084ade1739498, with the one in the Post, execute your script in the console, and you will get the source of the script
Good work and great tutorial! Thank you!!
you’re a genius man!!!! geeeeniiiiioooo gracias, thank you very much ,really!!