Decompiling and deobfuscating a Zend Guard protected code base

Up until PHP version 5.6, Zend Guard could be used to obfuscate and compile your PHP source code. It is possible to deobfuscate these code bases.

The easiest way to deobfuscate such code is to run it in a PHP runtime that caches opcodes, and then translate those cache entries back into source code. The Zend-Decoder repository by Tools2 on GitHub hooks into the lighttpd xcache opcode cacher and does exactly this.

For my own convenience, I have written a Dockerfile that sets up this workflow. Combined with some bash one-liners, it is possible to deobfuscate an entire code base.

Steps to get this running are:

  1. Get the code base with the Dockerfile: git clone https://github.com/bartbroere/zend-decoder
  2. Obtain a copy of ZendGuardLoader.so and place it in the cloned repository
  3. Build the container: docker build -t zenddecoder .
  4. Run the container with the code base as a bind mount, and drop into a shell: docker run -v /path/to/your/codebase:/src -it zenddecoder /bin/bash
  5. Now it is possible to deobfuscate your entire code base with one-liners like this (run from the repository directory inside the container, where index.php lives):
    for f in $(find /src/ -name '*.php'); do php index.php "$f" > "${f::-4}.dec.php"; done
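The one-liner above breaks on paths containing spaces, re-decodes files on every run, happily feeds its own *.dec.php output back into the decoder, and leaves an empty *.dec.php behind whenever the decoder fails on a file, which is easy to mistake for a successful decode. The script below is an added example, not code from this post or from the zend-decoder repository, that wraps the same per-file step in a more careful batch loop. It assumes the decoder is invoked as `$DECODER <file>` and prints the recovered PHP source to stdout, the way `php index.php <file>` does from the repository directory inside the container; the `stub_decoder` function and the sample tree are constructed stand-ins so the example runs outside the container.

```shell
#!/bin/sh
# Added example (not from the original post or the zend-decoder repo):
# batch-decode every *.php under a directory into a sibling *.dec.php.
# Assumption: "$DECODER <file>" writes decoded PHP source to stdout, as
# "php index.php <file>" does inside the container. There you would run:
#   DECODER="php index.php" sh decode_tree.sh   (after pointing demo at /src)

# decode_tree DIR: decode all *.php below DIR, skipping files that already
# have a non-empty *.dec.php, never treating *.dec.php files as input, and
# removing empty output so a failed decode is not mistaken for success.
# Prints the number of files decoded during this run.
decode_tree() {
    dir="$1"
    ok=0
    old_ifs=$IFS
    # Split find's output on newlines only, so paths with spaces survive;
    # disable globbing so names containing * or ? are not expanded.
    IFS='
'
    set -f
    for f in $(find "$dir" -type f -name '*.php' ! -name '*.dec.php'); do
        IFS=$old_ifs   # restore normal splitting so $DECODER expands to its words
        set +f
        out="${f%.php}.dec.php"
        if [ -s "$out" ]; then
            continue   # decoded on an earlier run
        fi
        if $DECODER "$f" > "$out" 2>/dev/null && [ -s "$out" ]; then
            ok=$((ok + 1))
        else
            rm -f "$out"
            printf 'decode failed: %s\n' "$f" >&2
        fi
    done
    IFS=$old_ifs
    set +f
    echo "$ok"
}

# Constructed stand-in for "php index.php": emits a one-line PHP comment for
# any file and fails (no output, non-zero exit) on a file named bad.php.
stub_decoder() {
    case "$1" in
        *bad.php) return 1 ;;
        *) printf '<?php // decoded from %s\n' "$1" ;;
    esac
}

# make_sample_tree DIR: constructed input tree exercising the edge cases
# (a space in a directory name, a file the decoder fails on, and a file
# that was already decoded and must not be fed back into the decoder).
make_sample_tree() {
    mkdir -p "$1/sub dir"
    printf 'obfuscated\n' > "$1/a.php"
    printf 'obfuscated\n' > "$1/sub dir/b.php"
    printf 'obfuscated\n' > "$1/bad.php"
    printf 'already decoded\n' > "$1/c.dec.php"
}

DECODER="${DECODER:-stub_decoder}"

# Demo on the constructed tree: prints "decoded 2 file(s)" and one failure line.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
printf 'decoded %s file(s)\n' "$(decode_tree "$demo_dir")"
rm -rf "$demo_dir"
```

Running the function a second time over the same tree decodes nothing, because every successfully decoded file already has its non-empty *.dec.php next to it; the file the decoder failed on is retried and reported again, so the stderr lines are the list of files that still need manual attention.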