Full disclosure
Multiple sandbox escapes in asteval python sandboxing module
SEC Consult SA-20250226-0 :: Multiple vulnerabilities in Siemens A8000 CP-8050 & CP-8031 PLC
Re: MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client
MitM attack against OpenSSH's VerifyHostKeyDNS-enabled client
Self Stored XSS - acp2sev7.2.2
Python's official documentation contains textbook example of insecure code (XSS)
Re: Netgear Router Administrative Web Interface Lacks Transport Encryption By Default
Monero 18.3.4 zero-day DoS vulnerability has been droppedpublicly on social network.
Netgear Router Administrative Web Interface Lacks Transport Encryption By Default
[CVE-2024-54756] GZDoom <= 4.13.1 Arbitrary Code Execution viaMalicious ZScript
Re: Text injection on https://www.google.com/so rry/index via ?q parameter (no XSS)
SEC Consult SA-20250211-0 :: Multiple vulnerabilities in Wattsense Bridge
APPLE-SA-02-10-2025-2 iPadOS 17.7.5
APPLE-SA-02-10-2025-1 iOS 18.3.1 and iPadOS 18.3.1
CVE-2024-55447: Access Control in Paxton Net2 software (update)
www.waraxe.us Forum Index -> PHP script decode requests -> Need to call on some experts!
Need to call on some experts!
PostPosted: Wed Aug 01, 2012 12:53 am Reply with quote
Joined: Aug 01, 2012
Posts: 1

I've a file that is somehow obfuscated and the support site for it no longer exists. I've been following several posts here and have been able to recover some parts of the code, but hit a roadblock in translating the rest. It appears to be defining a php function as x0b(something,something), but that's either a form feed or the letter b? I'm lost in it! Confused

If someone can clue me in on some tools to use, and how to use them, I probably could manage thru or just unscramble the code for me would be quicker for both of us!

Here's the full php page:

$x25="\x63\x68m\x6fd"; $x26="\143\x6c\x65\x61r\163tat\143\x61\x63\x68\145"; $x27="\x65\170pl\157d\x65"; $x28="f\x69\x6c\x65\x5f\x65\x78is\x74\163"; $x29="\x66i\x6c\x65\x5fg\x65\x74\137c\x6f\x6et\145\x6e\x74\x73"; $x2a="\x67\x65\x74\145\x6ev"; $x2b="h\145xd\x65\x63"; $x2c="i\x6d\x61\x67\x65\143olo\x72\x61\x6c\x6co\143\x61te"; $x2d="\151ma\x67\145\x63\162\145\141\x74\145\164\162\x75\145\143\157\154or"; $x2e="\151mag\x65\x66il\x6c\145\144\x72\x65c\164\x61n\147le"; $x2f="\x69\155a\147e\143\157p\x79me\x72\x67\x65"; $x30="\151m\141\x67e\x63\x72e\x61\x74e"; $x31="\x69ma\x67\x65d\145\x73\164\162oy"; $x32="\151\x6da\x67\x65f\x69\x6ct\x65\162"; $x33="\x69m\x61ges\x78"; $x34="\151m\x61ges\171"; $x35="i\155ag\145\163\164\162i\x6e\147"; $x36="s\x74\x72\137\162\145\x70\154\x61\x63\145"; $x37="\163\165\x62\x73\164\162"; $x38="\x75\x6elink";
error_reporting(0);function x0b(&$x0b,$x0c){ global $x25,$x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36,$x37,$x38; $x0d=$x33($x0b);$x0e=$x34($x0b);$x0f=$x2d($x0d,$x0e);$x10=$x2c($x0f,100,50,50);$x2e($x0f,0,0,$x0d,$x0e,$x10);$x2f($x0b,$x0f,0,0,0,0,$x0d,$x0e,$x0c);}function x0c(&$x0b, $x11){ global $x25,$x26,$x27,$x28,$x29,$x2a,$x2b,$x2c,$x2d,$x2e,$x2f,$x30,$x31,$x32,$x33,$x34,$x35,$x36,$x37,$x38; if($x11 == "\x6e\157")return $x0b; elseif($x11 == "n\x65ga\164\145")$x32($x0b, IMG_FILTER_NEGATE); elseif($x11 == "\x67\x72a\171sc\141\x6c\x65")$x32($x0b, IMG_FILTER_GRAYSCALE); elseif($x11 == "\142\x72\151\147\150\164\x6ee\x73\163")$x32($x0b, IMG_FILTER_BRIGHTNESS, 50); elseif($x11 == "\x63\157nt\162\141s\164")$x32($x0b, IMG_FILTER_CONTRAST, 225); elseif($x11 == "\x65dg\x65")$x32($x0b, IMG_FILTER_EDGEDETECT); elseif($x11 == "\142l\165\x72")$x32($x0b, IMG_FILTER_GAUSSIAN_BLUR); elseif($x11 == "em\x62\x6f\x73\x73")$x32($x0b, IMG_FILTER_EMBOSS); elseif($x11 == "s\x6bet\143\150")$x32($x0b, IMG_FILTER_MEAN_REMOVAL); elseif($x11 == "\x73\x65\160\151a") {$x32($x0b, IMG_FILTER_CONTRAST, 25);x0b($x0b, 40); }}$x12 = $x27('x', $_GET['size']);$x13 = array( 'wm_opacity' => 50, 'wm_vrt_alignment' => 'p', 'wm_hor_alignment' => 'c', 'wm_padding' => 0, 'wm_use_truetype' => TRUE, 'dynamic_output' => FALSE, 'orig_width' => $x12[0], 'orig_height' => $x12[1],);require_once 'includes/Image_lib.php';$x14 = new CI_Image_lib($x13); if(!isset($_GET['uploaded_image']) || $_GET['uploaded_image'] == ''){ require_once('includes/gd-gradient.php'); $x15 = new gd_gradient_fill($x12[0],$x12[1],$_GET['grad'], '#'.$x36('%23', '', $_GET['grad_start_color']),'#'.$x36('%23', '', $_GET['grad_end_color']) );$x14->image_type = 3; $x0b = $x15->image;} else{ $x16 = $_GET['uploaded_image']; $x17 = $_GET['uploaded_ext'];if($x28('uploads/'.$x16.'_banner.'.$x17)) {if($x17 == 'gif')$x18 = 1;elseif($x17 == 'jpg' || $x17 == 'jpeg')$x18 = 2;else $x18 = 3; $x14->image_type=$x18; $x0b = $x14->image_create_gd('uploads/'.$x16.'_banner.'.$x17); }}include 'includes/check.php';if(!checkup()){ if(isset($_GET['eba']) and ($_GET['eba'] == 'edge' or $_GET['eba'] == 'blur' or $_GET['eba'] == 'emboss' or $_GET['eba'] == 'sketch' or $_GET['eba'] == 'sepia')) $_GET['eff'] = 'no';}if(isset($_GET['eba'])) x0c($x0b, $_GET['eff']);for($x19 = 0; $x19 < 3; $x19++){ if(!isset($_GET['tx'][$x19]) or $_GET['tx'][$x19] == "") {continue; }$x14->wm_text = $_GET['tx'][$x19]; $x14->wm_font_path = 'fonts/'.$_GET['ff'][$x19].'.ttf'; $x14->wm_font_size = $_GET['fs'][$x19]; $x14->wm_font_color = $_GET['tc'][$x19]; $x14->wm_vrt_percent = 100 - $_GET['vs'][$x19]; $x14->wm_hor_percent = $_GET['hs'][$x19]; if($_GET['sd'][$x19] != 0) {$x14->wm_use_drop_shadow = TRUE;$x14->wm_shadow_color = $_GET['sc'][$x19];$x14->wm_shadow_distance = $_GET['sd'][$x19]; } else { $x14->wm_use_drop_shadow = FALSE; } $x14->wm_text_angle = $_GET['a'][$x19];$x0b = $x14->text_watermark($x0b);}if(!isset($_GET['eba'])) x0c($x0b, $_GET['eff']);if(isset($_GET['bs']) && $_GET['bs'] != 0){ $x1a = $_GET['bs']; $x1b = $x2b($x37($_GET['bc'], 0, 2)); $x1c = $x2b($x37($_GET['bc'], 2, 2)); $x1d = $x2b($x37($_GET['bc'], 4, 2)); $x1e = $x2c($x0b, $x1b, $x1c, $x1d);$x2e($x0b, 0, 0, $x14->orig_width, $x1a - 1, $x1e);$x2e($x0b, $x14->orig_width - $x1a +20, 0, $x14->orig_width, $x14->orig_height, $x1e);$x2e($x0b, 0, $x14->orig_height - $x1a, $x14->orig_width, $x14->orig_height, $x1e);$x2e($x0b, 0, 0, $x1a - 1, $x14->orig_height, $x1e);} if(checkup()){ $x1f = $x29('pro/watermark.info'); $x20 = ''; $x21 = ''; @list($x20, $x21) = $x27('::', $x1f); if($x20 == '') {$x20 = $x2a('SERVER_NAME'); }}else{ $x20 = base64_decode('TWFkZSB3aXRoIEJhbm5lcmRldg==');} if($x21 != 'on'){ $x22 = @$x30($x12[0], 15); $x23 = $x2c($x22, 0, 0, 0); $x2e($x22, 0, 0, $x12[0], 15, $x23); $x24 = $x2c($x22, 255, 255, 255); $x35($x22, 2, 5, 0,$x20, $x24); $x2f($x0b, $x22, 0, $x12[1] - 15, 0, 0, $x12[0], 20, 50);}if(!isset($_GET['save'])){ $x14->image_display_gd($x0b);}else{ if(isset($x17)) {$x18 = $x17; } else {$x18 = 'png'; } $x14->full_dst_path = 'banners/'.$_GET['save'].'.'.$x18;if($x28($x14->full_dst_path))$x38($x14->full_dst_path);$x14->image_save_gd($x0b); @$x25($x14->full_dst_path, 0777);echo 'http://'.$x2a('SERVER_NAME').$x36('wizard.php', '', $x2a('SCRIPT_NAME')).$x14->full_dst_path;}$x31($x0b);if(isset($x15->image)){ $x31($x15->image); } $x26();

Much thanks in advance!
PostPosted: Wed Aug 01, 2012 6:15 am Reply with quote
Advanced user
Advanced user
Joined: Jun 20, 2012
Posts: 125

Here you go:


