I want to identify ioncube encoded PHP files through a script. I see some common string in every ioncube encoded PHP file:
<?php //003ab
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');@dl($__ln);if(function_exists('_il_exec')){return _il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}@dl($__ln);}else{die('The file '.__FILE__." is corrupted.\n");}if(function_exists('_il_exec')){return _il_exec();}echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube PHP Loader '.basename($__ln).' to be installed by the site administrator.');exit(199);
?>
I wonder if this string is typical for all ioncube encoded files, reagardless of ioncube version or the plateform ioncube was running on when the encoding operation took place.
After the closing php tag ?> Ioncube files always start with: 0a 03 c1 2b bytes
UPDATE:
Then you need the ioncube extension loaded and after that:
"5.4.1 mixed ioncube_read_file(string path [,bool &was_encrypted [,string passphrase] ] ] ) ... If a file is read successfully the contents are returned as a binary-safe string. "
IONCUBE manual: http://www.ioncube.com/USER-GUIDE.pdf