Decompiling and deobfuscating a Zend Guard protected code base

Up untill PHP version 5.6 Zend Guard could be used to obfuscate / compile your PHP source code. It is possible to deobfuscate these code bases.

The easiest way to achieve deobfuscation is by using a PHP runtime that caches opcodes, translating these cache entries back to source code. The repository Zend-Decoder by Tools2 on Github hooks into the lighttpd xcache opcode cacher, and does exactly this.

For my own convenience, I have written a Dockerfile that sets up this workflow. Combined with some bash one liners it’s possible to deobfuscate an entire code base.

Steps to get this running are:

  1. Get the codebase with the Dockerfile: git clone
  2. Obtain a copy of and place it in the cloned repository
  3. Build the container docker build -t zenddecoder .
  4. Run the container, with the code base as a bind mount, and drop into a shell docker run -v /path/to/your/codebase:/src -it zenddecoder /bin/bash
  5. Now it’s possible to deobfuscate your entire code base with one-liners like this:
    for f in $(find /src/ -name '*.php'); do php index.php $f > ${f::-4}".dec.php"; done"