'}", f" lines: {inner.metadata.line_start}..{inner.metadata.line_end}", f" opcodes: {inner.block.opcode_count}", f" literals: {inner.metadata.literal_count}", f" args: {inner.metadata.num_args} (required {inner.metadata.required_num_args})", "", "variables:", ] for idx, name in enumerate(inner.metadata.variables): lines.append(f" CV{idx}: ${name}") lines += ["", "literals:"] for lit in literals: v = lit.get("value") lines.append(f" [{lit['index']:3d}] {lit['type_name']:12s} = {v!r}") lines += ["", "opcodes:"] lines.append(render_opcode_text(decoded).rstrip()) return "\n".join(lines) + "\n" def _read_serialized_string_at(buf: bytes, off: int) -> "tuple[bytes | None, int]": """Port of the loader's serialized-string reader (8.3 ``sub_1009FD70``). Layout: ``u32 raw``; bit ``0x80000000`` marks a null string (no payload); otherwise the byte length is ``raw & 0x9FFFFFFF`` (the ``0x20000000`` bit is a no-rehash flag, not part of the length). Returns ``(bytes|None, next_off)``. """ if off + 4 > len(buf): raise ParseError("eof reading serialized-string length") raw = struct.unpack_from(" len(buf): raise ParseError(f"serialized-string length {ln} out of range") return buf[off:off + ln], off + ln def _parse_class_record_header(buf: bytes, off: int) -> dict: """Structural parse of a class record header — port of ``sub_100A2D30`` up to the method table. No heuristics; this is the loader's exact layout: u8 class kind serialized-string class name u32 ce_flags serialized-string|null parent name u16 n + (n+1) bytes lowercased-name / source-location blob (sub_100A2500) u32 interface count (ce+268) serialized-string × N interface names (sub_100A2CB0) u16 method count (incl. inherited) Returns a dict; ``first_method_offset`` is where the method records begin. """ start = off kind = buf[off] off += 1 name, off = _read_serialized_string_at(buf, off) ce_flags = struct.unpack_from(" 0x10000: raise ParseError(f"implausible interface count {iface_count}") interfaces: list[bytes] = [] for _ in range(iface_count): s, off = _read_serialized_string_at(buf, off) if s is not None: interfaces.append(s) method_count = struct.unpack_from(" str | None: """Return a valid PHP identifier from a (possibly obfuscated) name blob.""" if raw: try: text = raw.decode("ascii") except UnicodeDecodeError: text = "" if text and re.fullmatch(r"[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*", text): return text return fallback # ── class-record tail parser ─────────────────────────────────────────────── # Exact port of sub_100A2D30's tail (everything after the method table): # default-value tables, properties, constants, trait uses, attributes, and the # class doc-comment. Parsing it consumes the precise byte count so the next # class record begins exactly where this one ends — the basis for multi-class # files. Helpers below mirror the loader's stream primitives. def _read_buffer_value_at(buf: bytes, off: int) -> "tuple[bytes | None, int]": """Port the loader buffer reader (sub_1000A0A0): u32 raw; bit 0x80000000 → empty; else ``raw & 0x9FFFFFFF`` payload bytes, plus one trailing byte when the ``0x20000000`` flag is clear. Returns ``(payload_or_None, next_off)``.""" if off + 4 > len(buf): raise ParseError("eof reading buffer length") raw = struct.unpack_from(" len(buf): raise ParseError("buffer payload out of range") return buf[off:off + ln], off + ln def _read_buffer_at(buf: bytes, off: int) -> int: """Like :func:`_read_buffer_value_at` but only returns the next offset.""" _, off = _read_buffer_value_at(buf, off) return off def _decode_property_default(payload: bytes | None) -> "tuple[bool, object]": """Decode an ionCube default-value buffer (an IC_ENCODED_ZVAL). The payload is the compact zval text optionally prefixed by a high-bit format marker byte (e.g. ``0x81``). Returns ``(has_default, value)``; ``has_default`` is False when the value is absent or an implicit null. """ if not payload: return False, None text = payload.decode("latin1") if text and ord(text[0]) >= 0x80: # strip the format-marker byte text = text[1:] if not text: return False, None try: value = decode_encoded_zval(text) except ParseError: return False, None # An implicit null default (untyped property with no initializer) is not # worth rendering as ``= null`` — keep the bare declaration instead. if value is None: return False, None return True, value def _read_attributes(buf: bytes, off: int) -> int: """sub_100A0240: u32 count (signed; ``<= 0`` → none) + count attribute entries (sub_100A0150).""" count = struct.unpack_from(" 0x2710: return off for _ in range(count): # sub_100A0150: u32 v13 + sstring + 3×u32 + v13×(sstring + buffer) v13 = struct.unpack_from(" 0x10000: raise ParseError("implausible attribute member count") for _ in range(v13 & 0x7FFFFFFF if not (v13 & 0x80000000) else 0): _, off = _read_serialized_string_at(buf, off) off = _read_buffer_at(buf, off) return off def _read_type(buf: bytes, off: int) -> int: """sub_1009FE30 (zend_type): u32 mask; bit 0x01000000 → one name string; bit 0x00400000 → u32 n + n nested types; otherwise nothing more.""" mask = struct.unpack_from(" 0x10000: raise ParseError("implausible type-list count") for _ in range(n): off = _read_type(buf, off) return off def _read_value_table(buf: bytes, off: int) -> "tuple[int, list]": """sub_100A2BC0: u32 count + count default-value buffers. Returns ``(next_off, [payload_bytes | None, ...])``.""" count = struct.unpack_from(" int: """sub_10001930: u32 a + a names; sub_10001490: u32 b + b×(2 buffers + sstring + u32); sub_10001630: u32 c + c×(2 buffers + u32 d + d names).""" def u32(o: int) -> "tuple[int, int]": return struct.unpack_from(" 0x10000: raise ParseError("implausible trait-name count") for _ in range(a): _, off = _read_serialized_string_at(buf, off) b, off = u32(off) if b > 0x10000: raise ParseError("implausible trait-method count") for _ in range(b): off = _read_buffer_at(buf, off) off = _read_buffer_at(buf, off) _, off = _read_serialized_string_at(buf, off) _, off = u32(off) c, off = u32(off) if c > 0x10000: raise ParseError("implausible trait-rule count") for _ in range(c): off = _read_buffer_at(buf, off) off = _read_buffer_at(buf, off) d, off = u32(off) if d > 0x10000: raise ParseError("implausible trait-insteadof count") for _ in range(d): _, off = _read_serialized_string_at(buf, off) return off _PROP_VISIBILITY = {1: "public", 2: "protected", 4: "private"} def _consume_class_tail(buf: bytes, off: int, *, php_version: int) -> dict: """Parse the class-record tail starting at the first byte after the methods. Returns ``{"next_offset", "doc_comment", "properties", "constants"}``. ``next_offset`` is where the following class record begins. """ off, default_props = _read_value_table(buf, off) # instance defaults off, default_statics = _read_value_table(buf, off) # static defaults # properties (sub_100A03C0): u32 count + count×(buffer name, u32 flags, # sstring, attributes, type). Default values live in the two tables above — # instance properties draw from the first, static ones from the second, each # in declaration order. properties: list[dict] = [] prop_count = struct.unpack_from(" 0x2710: raise ParseError("implausible property count") inst_idx = static_idx = 0 for _ in range(prop_count): name_off = off + 4 name_raw = struct.unpack_from(" 0x2710: raise ParseError("implausible constant count") for _ in range(const_count): cname, off = _read_serialized_string_at(buf, off) off = _read_buffer_at(buf, off) _, off = _read_serialized_string_at(buf, off) off = _read_attributes(buf, off) if php_version >= 83: off = _read_type(buf, off) if cname is not None: constants.append(cname.decode("latin1", "replace")) off = _read_trait_uses(buf, off) off = _read_attributes(buf, off) # class-level attributes info_a = struct.unpack_from("= 6: _xor_tmp = build_php81_opcode_xor_stream( main_inner.block, main_inner.metadata, outer=main_rec, request_key=request_key, serialization_version=sv, header_flags=php_flags, ) _dec_tmp = decode_opcode_block( main_inner.block, main_inner.metadata, serialization_version=sv, opcode_xor=_xor_tmp.xor_bytes, opcode_names=opcode_names, header_flags=php_flags, ) handler_variant = _detect_handler_variant(handler_tables, _dec_tmp, _xor_tmp) raw, text = _dump_function( main_rec, main_inner, request_key=request_key, serialization_version=sv, opcode_names=opcode_names, handler_tables=handler_tables, handler_variant=handler_variant, php_flags=php_flags, php_version=php_version, ) main_id, main_op = build_op_array_entry(raw, str(source), kind="main") op_arrays[main_id] = main_op all_methods_text.append(text) report_methods.append({ "name": "

", "state": main_state, "opcodes": main_inner.block.opcode_count, "literals": main_inner.metadata.literal_count, "lines": f"{main_inner.metadata.line_start}..{main_inner.metadata.line_end}", }) else: report_methods.append({"name": "

", "state": "failed"}) after_main = main_rec.end_offset # ── standalone functions ─────────────────────────────────────────────────── fn_count = struct.unpack_from(" 0 and remaining > 1 and scan < len(body) - 16: print(f" note: {remaining} of {class_count} class record(s) " f"not parsed (stopped at {scan:#x} of {len(body):#x})") break classes_parsed += 1 class_name = _decode_class_name(hdr["name"], f"Class{cls_idx + 1}") parent_name = _decode_class_name(hdr["parent"], None) interfaces = [ n for n in (_decode_class_name(i, None) for i in hdr["interfaces"]) if n ] ce_flags = hdr["ce_flags"] ce_flags_decoded = { "is_interface": bool(ce_flags & 0x1), "is_trait": bool(ce_flags & 0x2), "is_final": bool(ce_flags & 0x20), "is_abstract": bool(ce_flags & 0x40), } kind_kw = "interface" if ce_flags_decoded["is_interface"] else ( "trait" if ce_flags_decoded["is_trait"] else "class") extends = f" extends {parent_name}" if parent_name else "" impl = f" implements {', '.join(interfaces)}" if interfaces else "" print(f" {kind_kw} {class_name}{extends}{impl}") method_idx = 0 class_methods: dict = {} # method name → op_array id scan = hdr["first_method_offset"] def _register_method(nm: str, fid: str) -> None: key = nm or f"m{len(class_methods)}" while key in class_methods: key += "_" class_methods[key] = fid # Parse method records sequentially until one fails (class end). while scan < len(body) - 50: try: rec = extract_dynamic_main_record( b"\x00\x00\x00\x00" + body[scan:], php_flags=php_flags, offset=0, ) real_end = scan + rec.end_offset - 4 rec.start_offset = scan rec.end_offset = real_end rec.blob_offset = scan + rec.blob_offset - 4 except Exception: break # no more method records; class ended # Successfully parsed a method record. name = rec.table_name or f"" _, state, inner = _decrypt_blob(rec) if inner is None: cipher_type = _detect_dynamic_cipher_type(rec) print(f" STUB {name}: dynamic key ({cipher_type})") stub_raw = _make_stub_raw(rec, cipher_type) fn_id, fn_op = build_op_array_entry(stub_raw, str(source), kind="method") if fn_id in op_arrays: fn_id = f"{fn_id}@{scan:#x}" fn_op["id"] = fn_id fn_op["meta"]["static_dump_status"] = { "failed": True, "dynamic_key_stub": True, "cipher_type": cipher_type, "blob_tag": rec.blob_tag, "blob_len": len(rec.blob), } op_arrays[fn_id] = fn_op _register_method(name, fn_id) report_methods.append({"name": name, "state": f"stub:{cipher_type}"}) else: if resolver: resolve_interned_literal_strings(inner.literals, resolver) resolve_interned_type_names(inner.arg_type_info, resolver) try: raw, text = _dump_function( rec, inner, request_key=request_key, serialization_version=sv, opcode_names=opcode_names, handler_tables=handler_tables, handler_variant=handler_variant, php_flags=php_flags, php_version=php_version, ) except Exception as exc: safe_name = (name or "").encode("ascii", "replace").decode() print(f" FAIL {safe_name}: {exc}") report_methods.append({"name": name, "state": f"opcode_error: {exc}"}) scan = real_end method_idx += 1 class_method_count += 1 continue fn_id, fn_op = build_op_array_entry(raw, str(source), kind="method") if fn_id in op_arrays: fn_id = f"{fn_id}@{scan:#x}" fn_op["id"] = fn_id op_arrays[fn_id] = fn_op _register_method(name, fn_id) all_methods_text.append(text) report_methods.append({ "name": name, "state": state, "opcodes": inner.block.opcode_count, "literals": inner.metadata.literal_count, "lines": f"{inner.metadata.line_start}..{inner.metadata.line_end}", }) safe_name = (name or "").encode("ascii", "replace").decode() print(f" OK {safe_name}: {inner.block.opcode_count} opcodes " f"{inner.metadata.literal_count} literals " f"lines {inner.metadata.line_start}..{inner.metadata.line_end}") scan = real_end method_idx += 1 class_method_count += 1 # Parse the class-record tail (default values, properties, constants, # trait uses, attributes, doc-comment). This consumes the exact byte # count so the next class record begins where this one ends. doc_comment = None properties_info: dict = {} try: tail = _consume_class_tail(body, scan, php_version=php_version) scan = tail["next_offset"] doc_comment = tail["doc_comment"] for p in tail["properties"]: pname = p["name"] if not pname: continue entry = { "flags_decoded": { "visibility": p["visibility"], "is_static": p["is_static"], }, "is_static": p["is_static"], "has_default_value": p.get("has_default", False), } if p.get("has_default"): entry["default_value"] = safe_value(p["default"]) if p.get("doc_comment"): entry["doc_comment"] = p["doc_comment"] properties_info[pname] = entry if tail["properties"] or tail["constants"] or doc_comment: print(f" tail: {len(tail['properties'])} prop(s), " f"{len(tail['constants'])} const(s)" + (", doc-comment" if doc_comment else "")) except Exception as exc: # Tail layout not fully recognized — keep the class we decoded # but stop the loop, since we can no longer locate the next one. safe = str(exc).encode("ascii", "replace").decode() print(f" note: class tail not fully parsed ({safe}); " f"stopping after this class") class_id = f"class:{class_name.encode('utf-8').hex()}" if class_id in class_index: class_id = f"{class_id}_{cls_idx}" class_index[class_id] = { "id": class_id, "name": class_name, "parent": parent_name, "interfaces": interfaces, "methods": class_methods, "ce_flags_decoded": ce_flags_decoded, } break # Register the class and its decoded methods in the normalized IR. class_id = f"class:{class_name.encode('utf-8').hex()}" if class_id in class_index: class_id = f"{class_id}_{cls_idx}" class_index[class_id] = { "id": class_id, "name": class_name, "parent": parent_name, "interfaces": interfaces, "methods": class_methods, "ce_flags_decoded": ce_flags_decoded, "doc_comment": doc_comment, "properties_info": properties_info, } if class_method_count: print(f"class_methods_total: {class_method_count}") # ── icdump-ir-v1 output ──────────────────────────────────────────────────── ok = sum(1 for m in report_methods if "opcodes" in m) stubs = sum(1 for m in report_methods if m.get("state", "").startswith("stub:")) fails = sum(1 for m in report_methods if m.get("state") == "failed") resolve_function_calls(op_arrays) icdump = { "format": "icdump-ir-v1", "source_file": str(source), "summary": { "op_array_count": len(op_arrays), "function_count": len(function_index), "closure_count": 0, "class_count": len(class_index), }, "entry": "main", "op_arrays": op_arrays, "function_index": function_index, "closure_index": {}, "class_index": class_index, "ioncube_api_calls": safe_value([]), } sep = "\n" + "=" * 72 + "\n" combined_txt = sep.join(all_methods_text) (out_dir / f"{source.stem}.icdump.json").write_text( json.dumps(icdump, indent=2, ensure_ascii=False), encoding="utf-8" ) (out_dir / f"{source.stem}.icdump.txt").write_text(combined_txt, encoding="utf-8") print(f"\ndone: {ok} decoded, {stubs} stubs, {fails} failed") print(f"output: {out_dir}") if __name__ == "__main__": raise SystemExit(main())