Pattern for detecting if a specific file is encoded by ioncube

Question

I want to identify ioncube encoded PHP files through a script. I see some common string in every ioncube encoded PHP file:

<?php //003ab
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');@dl($__ln);if(function_exists('_il_exec')){return _il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}@dl($__ln);}else{die('The file '.__FILE__." is corrupted.\n");}if(function_exists('_il_exec')){return _il_exec();}echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube PHP Loader '.basename($__ln).' to be installed by the site administrator.');exit(199);
?>

I wonder if this string is typical for all ioncube encoded files, reagardless of ioncube version or the plateform ioncube was running on when the encoding operation took place.

Answer 1

After the closing php tag ?> Ioncube files always start with: 0a 03 c1 2b bytes

UPDATE:

Then you need the ioncube extension loaded and after that:

"5.4.1 mixed ioncube_read_file(string path [,bool &was_encrypted [,string passphrase] ] ] ) ... If a file is read successfully the contents are returned as a binary-safe string. "

IONCUBE manual: http://www.ioncube.com/USER-GUIDE.pdf