Last Updated: February 25, 2016
· camilocot

Deobfuscate PHP preg_replace


Deobfuscate the next code:

preg_replace("/.*/e","{hexpart1}'{obfuscated code}'{hexpart2}",".")

The pattern /.*/, means "match everything". The /e Modifier eval()'s the code in the next parameter

{hexpart1} -> hex to ascii

For example:

\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28 -> eval(gzinflate(base64_decode(

obfuscated code -> print without eval

For example with the previous code:
print gzinflate(base64_decode("{obfuscated code}")

{hexpart2} -> hex to ascii

Ref: stackoverflow.com

Ref: Hex to ASCII