Waraxe IT Security Portal
Login or Register
November 5, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 115
Members: 0
Total: 115
Full disclosure
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
APPLE-SA-10-28-2024-3 macOS Sequoia 15.1
APPLE-SA-10-28-2024-2 iOS 17.7.1 and iPadOS 17.7.1
APPLE-SA-10-28-2024-1 iOS 18.1 and iPadOS 18.1
Open Redirect / Reflected XSS - booked-schedulerv2.8.5
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PHP script decode requests -> I am having problems decoding this byterun file Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
I am having problems decoding this byterun file
PostPosted: Tue Aug 12, 2008 2:56 pm Reply with quote
ephe
Regular user
Regular user
Joined: Aug 12, 2008
Posts: 9




Hi all, I keep trying but its not coming out. I used some code that I found to decode it but its not working. Can someone please decode this?
http://rapidshare.com/files/136796896/encoded.php.html
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 2:59 pm Reply with quote
lenny
Valuable expert
Valuable expert
Joined: May 15, 2008
Posts: 275




Well I can't even open it... My antivirus is going crazy... but I doubt that the file is infected, probably a false-positive. I'll take a peek in Linux, bear with me Smile
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:02 pm Reply with quote
ephe
Regular user
Regular user
Joined: Aug 12, 2008
Posts: 9




sorry,
try this
http://rapidshare.com/files/136797891/encoded.php.zip.html
i ziped it this time
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:12 pm Reply with quote
lenny
Valuable expert
Valuable expert
Joined: May 15, 2008
Posts: 275




Yeah, its still being a pain. Ill use my linux box, much easier than messing around with stupid permissions in windows.

Edit: hang on, this is a Byterun file which is bytecoded... and bytecoded files are undecodable... sombody prove me wrong?
Edit Edit: Only some ByteRun files are encoded, thankfully! Very Happy


Last edited by lenny on Tue Aug 12, 2008 3:44 pm; edited 1 time in total
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:20 pm Reply with quote
ephe
Regular user
Regular user
Joined: Aug 12, 2008
Posts: 9




Seriously - unencodeable? I find that hard to believe.

here is a txt version in case you want to still give it a shot.
http://rapidshare.com/files/136801547/encoded.txt.html
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:23 pm Reply with quote
lenny
Valuable expert
Valuable expert
Joined: May 15, 2008
Posts: 275




Yes, i can open it now - It seems Windows has a problem with that particular file and the .php extension :S
Oh well, its fine in Linux
Decoding now (or at least attempting to Smile )
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:28 pm Reply with quote
ephe
Regular user
Regular user
Joined: Aug 12, 2008
Posts: 9




I quote Mr. Burns: "Excellent"
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:54 pm Reply with quote
lenny
Valuable expert
Valuable expert
Joined: May 15, 2008
Posts: 275




Well i have an output, but you're not going to like it. I'll do a little more research, but you can find the output at http://www.media3k.com/decoder.php

Back to the drawing board.
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:55 pm Reply with quote
ephe
Regular user
Regular user
Joined: Aug 12, 2008
Posts: 9




Yeh, thats what I got when I tried, and unfortunatly, thats where my skills ended.
john
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:19 pm Reply with quote
ZiPo
Advanced user
Advanced user
Joined: Jul 08, 2008
Posts: 86




well i tried to play a bit and i am no way an expert here...very roughly the begginer, but this is what i have so far...still pretty messy.


Code:
eval(''?><?php\r\nclass ebay_lite{\r\n\r\n var $title = "";\r\n var $link_url = "";\r\n var $image = "";\r\n var $image_url = "";\r\n var $price = "";\r\n var $bids = "";\r\n var $end_date = "";\r\n var $bin_price = "";\r\n var $bid_now_url = "";\r\n var $buy_now_url = "";\r\n var $watch_url = "";\r\n var $html = "";\r\n var $site_url = "";\r\n \r\n var $eb_rss_url = "";\r\n var $eb_saaff = "";\r\n var $eb_siteId = 0;\r\n var $eb_language = "";\r\n var $eb_pid = "";\r\n var $eb_cid = "";\r\n v...'')
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:25 pm Reply with quote
ephe
Regular user
Regular user
Joined: Aug 12, 2008
Posts: 9




sweet! looks good.
John
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:27 pm Reply with quote
ZiPo
Advanced user
Advanced user
Joined: Jul 08, 2008
Posts: 86




hmmm there is still something inside...here is complete paste...
(...www\) - is my directory where i test this stuff

Code:
...www\encoded.phpbase64_decode
Fatal error: Call to undefined function add_filter() in ...www\encoded.php(6) : eval()'d code(3) : eval()'d code on line 336

Call Stack:
0.4875 69536 1. {main}() ...www\encoded.php:0
13.4670 91040 2. eval(''$_X=base64_decode($_X);$_X=strtr($_X,\'hGQKcLqJWVoC1r0.S/8d=f3MRb\nxIDe5Yk>TiE4wZ]UnXNsgj7l[{p6a}9zPuy FOvABm2t<H\',\'hHoUdRkev2Py<DsFAV15LflY}baGt mEj/J7]C[Qrx3Z\n604c8upO>9izSKwnXMI.qgN=BTW{\');$_R=str_replace(\'__FILE__\',"\'".$_F."\'",$_X);eval($_R);$_R=0;$_X=0;'') ...www\encoded.php:6
13.4697 244224 3. eval(''?><?php\r\nclass ebay_lite{\r\n\r\n var $title = "";\r\n var $link_url = "";\r\n var $image = "";\r\n var $image_url = "";\r\n var $price = "";\r\n var $bids = "";\r\n var $end_date = "";\r\n var $bin_price = "";\r\n var $bid_now_url = "";\r\n var $buy_now_url = "";\r\n var $watch_url = "";\r\n var $html = "";\r\n var $site_url = "";\r\n \r\n var $eb_rss_url = "";\r\n var $eb_saaff = "";\r\n var $eb_siteId = 0;\r\n var $eb_language = "";\r\n var $eb_pid = "";\r\n var $eb_cid = "";\r\n v...'') ...www\encoded.php(6) : eval()'d code:3
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:41 pm Reply with quote
ephe
Regular user
Regular user
Joined: Aug 12, 2008
Posts: 9




OK I may have some help on that.
This is the whole file (there was non encrypted php in it, I removed it for the decrypting. Perhaps that will help).
http://rapidshare.com/files/136817847/phpbaylite.txt.html
That functions (add_filter) is not in the non-encrypted section. But thats part of wordpresses api
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 5:34 pm Reply with quote
ZiPo
Advanced user
Advanced user
Joined: Jul 08, 2008
Posts: 86




Ok that's everything from me so far...will put more effort in this and hopefuly learn few more thing.
Anyway this still has me puzzled so if any of the experts here want to take a look and tell me what is this Smile

Code:
eval(''$_X=base64_decode($_X);$_X=strtr($_X,\'hGQKcLqJWVoC1r0.S/8d=f3MRb\nxIDe5Yk>TiE4wZ]UnXNsgj7l[{p6a}9zPuy FOvABm2t<H\',\'hHoUdRkev2Py<DsFAV15LflY}baGt mEj/J7]C[Qrx3Z\n604c8upO>9izSKwnXMI.qgN=BTW{\');$_R=str_replace(\'__FILE__\',"\'".$_F."\'",$_X);eval($_R);$_R=0;$_X=0;'')


This should be encoded file name right?
However i am still playing with this so if i find anything new ill post it here Smile

EDIT: Or could be nothing...just encode/decode string added on base64 to avoid direct decoding. However i am sure that one of the experts here will know the answer Smile
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 7:00 pm Reply with quote
mge
Valuable expert
Valuable expert
Joined: Jul 16, 2008
Posts: 142




Code:
?><?php
class ebay_lite{

var $title = "";
var $link_url = "";
var $image = "";
var $image_url = "";
var $price = "";
var $bids = "";
var $end_date = "";
var $bin_price = "";
var $bid_now_url = "";
var $buy_now_url = "";
var $watch_url = "";
var $html = "";
var $site_url = "";

var $eb_rss_url = "";
var $eb_saaff = "";
var $eb_siteId = 0;
var $eb_language = "";
var $eb_pid = "";
var $eb_cid = "";
var $eb_satitle = "";

function listings($keywords, $num) {
# assign variables
$this->eb_satitle = $keywords;
$this->eb_satitle = urlencode($this->eb_satitle);
$this->eb_cid = urlencode($this->eb_cid);

$this->eb_rss_url = "http://rss.api.ebay.com/ws/rssapi?FeedName=SearchResults&siteId=" . $this->eb_siteId . "&language=". $this->eb_language . "&output=RSS20&catref=C5&sacqy=&sacur=0&fsop=1&fsoo=1&from=R6&sacqyop=ge&saslc=0&floc=1&saprclo=&saprchi=";
$this->eb_rss_url .= "&saaff=" . $this->eb_saaff . "&ftrv=1&ftrt=1&fcl=3&" . $this->eb_saaff . "=" . $this->eb_pid;
if ($this->eb_saaff == "afepn") {
$this->eb_rss_url .= "&customid=" . urlencode($this->eb_cid);
}
$this->eb_rss_url .= "&frpp=10&nojspr=y&satitle=" . $this->eb_satitle . "&sacat=-1&saslop=1&afmp=&fss=0";
if (!isset($num)) {$num = 10;}
error_reporting(0);

# setup the RSS class
$rss = new rss;
$rss_html = "";
$count = 0;
$rss->get($this->eb_rss_url);
foreach ($rss->itemInfo as $item) {
$count++;
# break up html onto lines so we can search it by line below and preg match the urls
$item['description'] = $this->makelines($item['description']);

# get the item title
$this->title = str_replace("&", "&amp;", $item['title']);

# get the ebay thumbnail image url
preg_match('/(?<=src=")(.*?)(?=")/', $item['description'], $match);
$this->image = $match[0];
# This preg_match has been inconsistent on some servers for getting the image
# so I've added a second attempt to get the thumbnail image if the preg_match fails
if ($this->image == "") {
$img = strstr($item['description'], 'http://thumbs.');
$pos = strpos($img, '.jpg');
$pos = $pos + 4;
$img = substr($img, 0, $pos);
$this->image = $img;
}

# get the item price
preg_match('%(?<=<strong>)(.+?)(?=</strong>)%', $item['description'], $match);
$this->price = $match[0];

# get the number of bids
preg_match('%(?<=</strong>)(.+?)(?=\r\n)%', $item['description'], $match);
$this->bids = $match[0];

# get the item auction end date
preg_match('%(?<=End Date: )(.+?)(?=\r\n)%', $item['description'], $match);
$this->end_date = $match[0];

# get main link
$this->link_url = $item['link'];
$this->link_url = str_replace("&", "&amp;", $this->link_url);

# put lines into array so we can walk through and base64_encode the a href urls to obfuscate
$html = explode("\r\n", $item['description']);

for ($i = 0; $i <= count($html); $i ++) {
$line = $html[$i];
$pos = strpos($line, '<a href="');

if ($pos === false) {
# do nothing
} else {
# find the urls for the auction item
$epos = strpos($line, '">');
$match[1] = substr($line, $pos + 9, $epos - $pos - 9);

# Going to copy this too, Peter?
$match[1] = str_replace(" ", "+", $match[1]);

$pos = strpos($match[1], 'A102');
if ($pos) {
$this->image_url = str_replace("&", "&amp;", $match[1]);
}

$pos = strpos($match[1], 'A103');
if ($pos) {
$this->bid_now_url = str_replace("&", "&amp;", $match[1]);
}

$pos = strpos($match[1], 'A104');
if ($pos) {
$this->watch_url = str_replace("&", "&amp;", $match[1]);
}

$pos = strpos($match[1], 'A105');
if ($pos) {
$this->buy_now_url = str_replace("&", "&amp;", $match[1]);
}
}
}

$this->formatHTML();

# ebay has a bug where, as of the date this source was published, the &frpp= parameter
# (which represents the number of results to return) is not functioning correctly.
# It will erroneously return 100 results regardless of the value set. To correct for this
# I've put in a counter to return no more than ten of those listings. You could alter
# this value below, if desired.
if (($count) >= $num) {break;}
}

if (get_option("PBL_ebay_logo") == "1") {$this->html .= '<p align="center"><img src="wp-content/plugins/phpbaylite/logo.gif" alt="" /></p>';}

if ($rss->counter <= 0) {
$this->html = "No items matching your keywords were found.<br>\r\n";
}
}

function makelines($lines) {
$lines = str_replace("<tr>", "\r\n <tr>\r\n", $lines);
$lines = str_replace("<td>", " <td>\r\n", $lines);
$lines = str_replace("</a>", "</a>\r\n", $lines);
$lines = str_replace("</td>", " </td>\r\n", $lines);
$lines = str_replace("</tr>", " </tr>\r\n", $lines);
$lines = str_replace("</table>", "</table>\r\n", $lines);
$lines = str_replace("<br />", "\r\n <br />\r\n", $lines);
return $lines;
}

function formatHTML() {
$crlf = "\r\n";
$html = '<table width="100%" border="0" cellspacing="5" cellpadding="5">' . $crlf;
$html .= ' <tr>' . $crlf;
$html .= ' <td width="100" align="left"><a href="' . $this->image_url . '" rel="nofollow" target="_blank"><img src="' . $this->image . '" alt="' . $this->prepText($this->title) . '" border="0" /></a></td>' . $crlf;
$html .= ' <td>' . $crlf;
$html .= ' <a href="' . $this->link_url . '" rel="nofollow" target="_blank">' . $this->title . '</a><br />' . $crlf;
$html .= ' <span style="color:#FF0000;font-weight:bold">' . $this->price . '</span> <span style="font-weight:bold">' . $this->bids . '</span><br />' . $crlf;
$html .= ' <span style="font-weight:bold">Auction Ends:</span> ' . $this->end_date . '<br />' . $crlf;
if ($this->bid_now_url > "") {
$html .= ' <a href="' . $this->bid_now_url . '" rel="nofollow" target="_blank">' . "Bid on this Item" . '</a>';
}
if ($this->buy_now_url > "") {
if ($this->bid_now_url > "") {
$html .= " ;; | ";
} else {
$html .= " ";
}
$html .= '<a href="' . $this->buy_now_url . '" rel="nofollow" target="_blank">' . "Buy this Item" . '</a>';
}
$html .= ' ;; | <a href="' . $this->watch_url . '" rel="nofollow" target="_blank">' . "Watch this Item" . '</a>' . $crlf;
$html .= ' </td>' . $crlf;
$html .= ' </tr>' . $crlf;
$html .= '</table>' . $crlf . $crlf;

$this->html .= $html;
}

function prepText($text) {
$text = str_replace('/',' ',$text);
$text = str_replace('-',' ',$text);
$text = str_replace(' & ',' ',$text);
$text = str_replace('"',' ',$text);
$text = str_replace(".",' ',$text);
$text = str_replace("'",' ',$text);
$text = str_replace(",",' ',$text);
$text = str_replace(' ','-',$text);
$text = str_replace('-----','-',$text);
$text = str_replace('----','-',$text);
$text = str_replace('---','-',$text);
$text = str_replace('--','-',$text);
$text = str_replace(':','',$text);
$text = str_replace('#','',$text);
$text = str_replace('(','',$text);
$text = str_replace('%','',$text);
$text = str_replace(')','',$text);
$text = strtolower($text);
return $text;
}

} # end eBay class

#################################################
# XML RSS Class #
#################################################

class rss {
var $counter = 0;
var $type = 0;
var $tag = "";
var $itemInfo = array();
var $channelInfo = array();

function opening_element($xmlParser, $name, $attribute) {
$this->tag = $name;
if($name == "CHANNEL"){
$this->type = 1;
} else if($name == "ITEM") {
$this->type = 2;
}
}

function closing_element($xmlParser, $name){
$this->tag = "";
if($name == "ITEM") {
$this->type = 0;
$this->counter++;
} else if($name == "CHANNEL") {
$this->type = 0;
}
}

function c_data($xmlParser, $data){
if($this->tag == "TITLE" || $this->tag == "DESCRIPTION" || $this->tag == "LINK") {
if($this->type == 1) {
$this->channelInfo[strtolower($this->tag)] = $data;
} else if($this->type == 2) {
$this->itemInfo[$this->counter][strtolower($this->tag)] .= $data;
}
}
}

function get($xml_file) {
$xmlParser = xml_parser_create();
xml_set_object ($xmlParser, $this);
xml_parser_set_option($xmlParser, XML_OPTION_CASE_FOLDING, TRUE);
xml_parser_set_option($xmlParser, XML_OPTION_SKIP_WHITE, TRUE);
xml_set_element_handler($xmlParser, "opening_element", "closing_element");
xml_set_character_data_handler($xmlParser, "c_data");

$fp = file($xml_file);

# if the file() function fails, then try curl
# some shared hosts prevent the use of file() for security reasons
if ($fp == false) {
$ch = curl_init($xml_file);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$xml = curl_exec($ch);
curl_close($ch);
$fp = explode("\n", $xml);
}

foreach($fp as $line){
if(!xml_parse($xmlParser, $line)) {
die("Could not parse file.");
}
}
}

} # end RSS XML class

function phpBayLite($text) {
#if WP is erroneously adding <p></p> tags, let's catch them
$text = str_replace("<p>[phpbay]", "[phpbay]", $text);
$text = str_replace("[/phpbay]</p>", "[/phpbay]", $text);

if (preg_match('%(\\[phpbay\\](.*?)\\[\\/phpbay\\])%', $text, $match)) {
$params = $match[0];
$params = str_replace("[phpbay]", "", $params);
$params = str_replace("[/phpbay]", "", $params);
$values = explode(",", $params);
$kw = trim($values[0]);
$num = trim($values[1]);

if ($kw) {
$ebay_lite = new ebay_lite();

# Set global options that are stored in the phpBay Lite Admin Panel

$ebay_lite->eb_saaff = get_option("PBL_aff_type");
$ebay_lite->eb_pid = get_option("PBL_ebay_pid");
$ebay_lite->eb_cid = get_option("PBL_ebay_cid");

# Set Country Code Information
$ebay_lite->eb_siteId = get_option("PBL_siteId");
if ($ebay_lite->eb_siteId == "") {$ebay_lite->eb_siteId = "0";}
if ($ebay_lite->eb_siteId == "0") {$ebay_lite->eb_language = "en-US";}
if ($ebay_lite->eb_siteId == "15") {$ebay_lite->eb_language = "en-AU";}
if ($ebay_lite->eb_siteId == "16") {$ebay_lite->eb_language = "de-AT";}
if ($ebay_lite->eb_siteId == "123") {$ebay_lite->eb_language = "nl-BE";}
if ($ebay_lite->eb_siteId == "2") {$ebay_lite->eb_language = "en-CA";}
if ($ebay_lite->eb_siteId == "71") {$ebay_lite->eb_language = "fr-FR";}
if ($ebay_lite->eb_siteId == "77") {$ebay_lite->eb_language = "de-DE";}
if ($ebay_lite->eb_siteId == "203") {$ebay_lite->eb_language = "en-IN";}
if ($ebay_lite->eb_siteId == "205") {$ebay_lite->eb_language = "";}
if ($ebay_lite->eb_siteId == "101") {$ebay_lite->eb_language = "it-IT";}
if ($ebay_lite->eb_siteId == "146") {$ebay_lite->eb_language = "nl-NL";}
if ($ebay_lite->eb_siteId == "186") {$ebay_lite->eb_language = "es-ES";}
if ($ebay_lite->eb_siteId == "193") {$ebay_lite->eb_language = "de-CH";}
if ($ebay_lite->eb_siteId == "3") {$ebay_lite->eb_language = "en-GB";}

# We do some error checking here. If either of the two values directly abovve
# are not set, then we need to display a message to the WP Blog owner and exit

if ($ebay_lite->eb_saaff == "") {
echo "Please set the Affiliate Type and Ebay PID in your <strong>admin -> options -> phpBay Lite</strong> control panel.";
return $text;
exit;
}

$ebay_lite->listings($kw, $num);
$ebay_lite->html = "<div>\r\n" . $ebay_lite->html . "\r\n</div>\r\n";
$text = str_replace($match[0], $ebay_lite->html, $text);
}
}
return $text;
}

function pb_add_button() {
$insert_this = '[phpbay]keyword(s), 10[/phpbay]';
phpbay_textbutton_post("", 'pBL', "", $insert_this);
phpbay_textbutton_page("", 'pBL', "", $insert_this);
}

# Add phpBay auctions to page
add_filter('the_content', 'phpBayLite');
# Add the phpBay Pro Admin Panel
add_action('admin_menu','add_admin_panel');
# Add the phpBay button to the editor
include('phpbaysnap.php');
add_action('init', 'pb_add_button');
?>


Smile
View user's profile Send private message
I am having problems decoding this byterun file
www.waraxe.us Forum Index -> PHP script decode requests
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.046 Seconds