Deobfuscating Multicraft’s WHMCS Module

Our good friends over at XHost.ch felt the need to obfuscate the source code for their WHMCS module. Properly-done obfuscation can make reverse engineering nontrivial (thought certainly not impossible); deobfuscating source code when the obfuscating function is provided is trivial. This obfuscation uses two parts- renaming functions and variables to nonsense characters, and encoding strings. Below is a snippet of the original encoded source:

We can see that function and variable names are limited to 3 and 4 characters in length, and do not convey any meaningful information. String values are encapsulated in a custom function __phpend_s_func, which will return an eval’d, base64 decoded, URL encoded string; URL encoding will present special characters as their ASCII values (e.g. “=” becomes %3D); this could be useful in avoiding scanner searching for Base64 encoded values (or attempting to trip up reverse engineering efforts). Regardless, it’s trivial. Below will deobfuscate all strings by simply reversing the obfuscation function:

Which gives us the following:

So, we can conveniently recover string literals. Variable and function names must be manually reverse engineered, which can be a time consuming process. I’m about halfway done and will post the complete output once I’ve finished.

2 thoughts on “Deobfuscating Multicraft’s WHMCS Module

    1. To be quiet honest, I haven’t had time to pursue this. I’ve been busy with personal exploits (getting married, no big deal 😉 ) and working at $dayjob (heading to LISA next week). I may come back to this in the future, but for now, it hasn’t been a priority. Is there something specific you’re looking for with this?

Leave a Reply

Your email address will not be published. Required fields are marked *