IT Security and Insecurity Portal

I am having problems decoding this byterun file

Posted: Tue Aug 12, 2008 2:56 pm
ephe
Regular user
Joined: Aug 12, 2008
Posts: 9

Posted: Tue Aug 12, 2008 2:59 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Well I can't even open it... My antivirus is going crazy... but I doubt that the file is infected, probably a false-positive. I'll take a peek in Linux, bear with me

Posted: Tue Aug 12, 2008 3:02 pm
ephe
Regular user
Joined: Aug 12, 2008
Posts: 9

Posted: Tue Aug 12, 2008 3:12 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Yeah, it's still being a pain. I'll use my Linux box, much easier than messing around with stupid permissions in Windows.
Edit: hang on, this is a Byterun file which is bytecoded... and bytecoded files are undecodable... somebody prove me wrong?
Edit Edit: Only some ByteRun files are encoded, thankfully!

Last edited by lenny on Tue Aug 12, 2008 3:44 pm; edited 1 time in total

Posted: Tue Aug 12, 2008 3:20 pm
ephe
Regular user
Joined: Aug 12, 2008
Posts: 9

Posted: Tue Aug 12, 2008 3:23 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Yes, I can open it now - It seems Windows has a problem with that particular file and the .php extension :S
Oh well, it's fine in Linux
Decoding now (or at least attempting to)

Posted: Tue Aug 12, 2008 3:28 pm
ephe
Regular user
Joined: Aug 12, 2008
Posts: 9

I quote Mr. Burns: "Excellent"

Posted: Tue Aug 12, 2008 3:54 pm
lenny
Valuable expert
Joined: May 15, 2008
Posts: 275

Well I have an output, but you're not going to like it. I'll do a little more research, but you can find the output at http://www.media3k.com/decoder.php
Back to the drawing board.

Posted: Tue Aug 12, 2008 3:55 pm
ephe
Regular user
Joined: Aug 12, 2008
Posts: 9

Yeh, that's what I got when I tried, and unfortunately, that's where my skills ended.
john

Posted: Tue Aug 12, 2008 4:19 pm
ZiPo
Advanced user
Joined: Jul 08, 2008
Posts: 86

Well I tried to play a bit and I am no way an expert here...very roughly the beginner, but this is what I have so far...still pretty messy.
Code:
eval(''?><?php\r\nclass ebay_lite{\r\n\r\n var $title = "";\r\n var $link_url = "";\r\n var $image = "";\r\n var $image_url = "";\r\n var $price = "";\r\n var $bids = "";\r\n var $end_date = "";\r\n var $bin_price = "";\r\n var $bid_now_url = "";\r\n var $buy_now_url = "";\r\n var $watch_url = "";\r\n var $html = "";\r\n var $site_url = "";\r\n \r\n var $eb_rss_url = "";\r\n var $eb_saaff = "";\r\n var $eb_siteId = 0;\r\n var $eb_language = "";\r\n var $eb_pid = "";\r\n var $eb_cid = "";\r\n v...'')

Posted: Tue Aug 12, 2008 4:25 pm
ephe
Regular user
Joined: Aug 12, 2008
Posts: 9

Posted: Tue Aug 12, 2008 4:27 pm
ZiPo
Advanced user
Joined: Jul 08, 2008
Posts: 86

hmmm there is still something inside...here is complete paste...
(...www\) - is my directory where I test this stuff
Code:
...www\encoded.phpbase64_decode
Fatal error: Call to undefined function add_filter() in ...www\encoded.php(6) : eval()'d code(3) : eval()'d code on line 336
Call Stack:
0.4875 69536 1. {main}() ...www\encoded.php:0
13.4670 91040 2. eval(''$_X=base64_decode($_X);$_X=strtr($_X,\'hGQKcLqJWVoC1r0.S/8d=f3MRb\nxIDe5Yk>TiE4wZ]UnXNsgj7l[{p6a}9zPuy FOvABm2t<H\',\'hHoUdRkev2Py<DsFAV15LflY}baGt mEj/J7]C[Qrx3Z\n604c8upO>9izSKwnXMI.qgN=BTW{\');$_R=str_replace(\'__FILE__\',"\'".$_F."\'",$_X);eval($_R);$_R=0;$_X=0;'') ...www\encoded.php:6
13.4697 244224 3. eval(''?><?php\r\nclass ebay_lite{\r\n\r\n var $title = "";\r\n var $link_url = "";\r\n var $image = "";\r\n var $image_url = "";\r\n var $price = "";\r\n var $bids = "";\r\n var $end_date = "";\r\n var $bin_price = "";\r\n var $bid_now_url = "";\r\n var $buy_now_url = "";\r\n var $watch_url = "";\r\n var $html = "";\r\n var $site_url = "";\r\n \r\n var $eb_rss_url = "";\r\n var $eb_saaff = "";\r\n var $eb_siteId = 0;\r\n var $eb_language = "";\r\n var $eb_pid = "";\r\n var $eb_cid = "";\r\n v...'') ...www\encoded.php(6) : eval()'d code:3

Posted: Tue Aug 12, 2008 4:41 pm
ephe
Regular user
Joined: Aug 12, 2008
Posts: 9

OK I may have some help on that.
This is the whole file (there was non-encrypted PHP in it, I removed it for the decrypting. Perhaps that will help).
http://rapidshare.com/files/136817847/phpbaylite.txt.html
That function (add_filter) is not in the non-encrypted section. But that's part of WordPress's API

Posted: Tue Aug 12, 2008 5:34 pm
ZiPo
Advanced user
Joined: Jul 08, 2008
Posts: 86

Ok that's everything from me so far...will put more effort in this and hopefully learn a few more things.
Anyway this still has me puzzled so if any of the experts here want to take a look and tell me what is this
Code:
eval(''$_X=base64_decode($_X);$_X=strtr($_X,\'hGQKcLqJWVoC1r0.S/8d=f3MRb\nxIDe5Yk>TiE4wZ]UnXNsgj7l[{p6a}9zPuy FOvABm2t<H\',\'hHoUdRkev2Py<DsFAV15LflY}baGt mEj/J7]C[Qrx3Z\n604c8upO>9izSKwnXMI.qgN=BTW{\');$_R=str_replace(\'__FILE__\',"\'".$_F."\'",$_X);eval($_R);$_R=0;$_X=0;'')
This should be encoded file name right?
However I am still playing with this so if I find anything new I'll post it here
EDIT: Or could be nothing...just encode/decode string added on base64 to avoid direct decoding. However I am sure that one of the experts here will know the answer
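
The stub quoted in the post above runs base64_decode, then a byte-for-byte strtr substitution, then swaps `__FILE__` for the quoted file path before calling eval. The following is an added example, not part of the thread: a static decoder in Python that reproduces those steps and returns the source instead of executing it. The substitution tables, payload and file path are constructed for the example.

```python
import base64

# Constructed substitution tables (assumption); in a real sample they are the
# two string arguments of the strtr() call inside the loader stub.
FROM = b"aeiou<>$;"
TO = b"uoiea><;$"

def php_strtr(data: bytes, src: bytes, dst: bytes) -> bytes:
    """Byte-for-byte equivalent of PHP's three-argument strtr()."""
    table = bytearray(range(256))
    # PHP ignores the tail of the longer argument; zip() does the same.
    for a, b in zip(src, dst):
        table[a] = b
    return data.translate(bytes(table))

def decode_layer(blob: bytes, src: bytes, dst: bytes, file_path: str) -> bytes:
    """Reproduce the stub's steps but return the source instead of eval()ing it."""
    raw = base64.b64decode(blob, validate=True)   # $_X = base64_decode($_X)
    text = php_strtr(raw, src, dst)               # $_X = strtr($_X, from, to)
    quoted = b"'" + file_path.encode() + b"'"
    return text.replace(b"__FILE__", quoted)      # str_replace('__FILE__', "'".$_F."'", $_X)

def has_nested_eval(source: bytes) -> bool:
    """Flag output that still contains an eval( call, i.e. another layer to peel."""
    return b"eval(" in source

def make_sample() -> bytes:
    """Build a constructed, harmless payload in the form the stub expects."""
    plain = b"<?php echo basename(__FILE__); ?>"
    # The constructed tables are self-inverse, so the same call encodes.
    return base64.b64encode(php_strtr(plain, FROM, TO))

if __name__ == "__main__":
    decoded = decode_layer(make_sample(), FROM, TO, "/srv/sample/encoded.php")
    print(decoded.decode())
    print("nested eval:", has_nested_eval(decoded))
```

Because nothing is evaluated, the decoded text can be written to a file and read in an editor, and a missing runtime function such as add_filter() never comes into play.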

Posted: Tue Aug 12, 2008 7:00 pm
mge
Valuable expert
Joined: Jul 16, 2008
Posts: 142

Code:
?><?php
class ebay_lite{
var $title = "";
var $link_url = "";
var $image = "";
var $image_url = "";
var $price = "";
var $bids = "";
var $end_date = "";
var $bin_price = "";
var $bid_now_url = "";
var $buy_now_url = "";
var $watch_url = "";
var $html = "";
var $site_url = "";
var $eb_rss_url = "";
var $eb_saaff = "";
var $eb_siteId = 0;
var $eb_language = "";
var $eb_pid = "";
var $eb_cid = "";
var $eb_satitle = "";
function listings($keywords, $num) {
# assign variables
$this->eb_satitle = $keywords;
$this->eb_satitle = urlencode($this->eb_satitle);
$this->eb_cid = urlencode($this->eb_cid);
$this->eb_rss_url = "http://rss.api.ebay.com/ws/rssapi?FeedName=SearchResults&siteId=" . $this->eb_siteId . "&language=". $this->eb_language . "&output=RSS20&catref=C5&sacqy=&sacur=0&fsop=1&fsoo=1&from=R6&sacqyop=ge&saslc=0&floc=1&saprclo=&saprchi=";
$this->eb_rss_url .= "&saaff=" . $this->eb_saaff . "&ftrv=1&ftrt=1&fcl=3&" . $this->eb_saaff . "=" . $this->eb_pid;
if ($this->eb_saaff == "afepn") {
$this->eb_rss_url .= "&customid=" . urlencode($this->eb_cid);
}
$this->eb_rss_url .= "&frpp=10&nojspr=y&satitle=" . $this->eb_satitle . "&sacat=-1&saslop=1&afmp=&fss=0";
if (!isset($num)) {$num = 10;}
error_reporting(0);
# setup the RSS class
$rss = new rss;
$rss_html = "";
$count = 0;
$rss->get($this->eb_rss_url);
foreach ($rss->itemInfo as $item) {
$count++;
# break up html onto lines so we can search it by line below and preg match the urls
$item['description'] = $this->makelines($item['description']);
# get the item title
$this->title = str_replace("&amp;", "&", $item['title']);
# get the ebay thumbnail image url
preg_match('/(?<=src=")(.*?)(?=")/', $item['description'], $match);
$this->image = $match[0];
# This preg_match has been inconsistent on some servers for getting the image
# so I've added a second attempt to get the thumbnail image if the preg_match fails
if ($this->image == "") {
$img = strstr($item['description'], 'http://thumbs.');
$pos = strpos($img, '.jpg');
$pos = $pos + 4;
$img = substr($img, 0, $pos);
$this->image = $img;
}
# get the item price
preg_match('%(?<=<strong>)(.+?)(?=</strong>)%', $item['description'], $match);
$this->price = $match[0];
# get the number of bids
preg_match('%(?<=</strong>)(.+?)(?=\r\n)%', $item['description'], $match);
$this->bids = $match[0];
# get the item auction end date
preg_match('%(?<=End Date: )(.+?)(?=\r\n)%', $item['description'], $match);
$this->end_date = $match[0];
# get main link
$this->link_url = $item['link'];
$this->link_url = str_replace("&amp;", "&", $this->link_url);
# put lines into array so we can walk through and base64_encode the a href urls to obfuscate
$html = explode("\r\n", $item['description']);
for ($i = 0; $i <= count($html); $i ++) {
$line = $html[$i];
$pos = strpos($line, '<a href="');
if ($pos === false) {
# do nothing
} else {
# find the urls for the auction item
$epos = strpos($line, '">');
$match[1] = substr($line, $pos + 9, $epos - $pos - 9);
# Going to copy this too, Peter?
$match[1] = str_replace(" ", "+", $match[1]);
$pos = strpos($match[1], 'A102');
if ($pos) {
$this->image_url = str_replace("&amp;", "&", $match[1]);
}
$pos = strpos($match[1], 'A103');
if ($pos) {
$this->bid_now_url = str_replace("&amp;", "&", $match[1]);
}
$pos = strpos($match[1], 'A104');
if ($pos) {
$this->watch_url = str_replace("&amp;", "&", $match[1]);
}
$pos = strpos($match[1], 'A105');
if ($pos) {
$this->buy_now_url = str_replace("&amp;", "&", $match[1]);
}
}
}
$this->formatHTML();
# ebay has a bug where, as of the date this source was published, the &frpp= parameter
# (which represents the number of results to return) is not functioning correctly.
# It will erroneously return 100 results regardless of the value set. To correct for this
# I've put in a counter to return no more than ten of those listings. You could alter
# this value below, if desired.
if (($count) >= $num) {break;}
}
if (get_option("PBL_ebay_logo") == "1") {$this->html .= '<p align="center"><img src="wp-content/plugins/phpbaylite/logo.gif" alt="" /></p>';}
if ($rss->counter <= 0) {
$this->html = "No items matching your keywords were found.<br>\r\n";
}
}
function makelines($lines) {
$lines = str_replace("<tr>", "\r\n <tr>\r\n", $lines);
$lines = str_replace("<td>", " <td>\r\n", $lines);
$lines = str_replace("</a>", "</a>\r\n", $lines);
$lines = str_replace("</td>", " </td>\r\n", $lines);
$lines = str_replace("</tr>", " </tr>\r\n", $lines);
$lines = str_replace("</table>", "</table>\r\n", $lines);
$lines = str_replace("<br />", "\r\n <br />\r\n", $lines);
return $lines;
}
function formatHTML() {
$crlf = "\r\n";
$html = '<table width="100%" border="0" cellspacing="5" cellpadding="5">' . $crlf;
$html .= ' <tr>' . $crlf;
$html .= ' <td width="100" align="left"><a href="' . $this->image_url . '" rel="nofollow" target="_blank"><img src="' . $this->image . '" alt="' . $this->prepText($this->title) . '" border="0" /></a></td>' . $crlf;
$html .= ' <td>' . $crlf;
$html .= ' <a href="' . $this->link_url . '" rel="nofollow" target="_blank">' . $this->title . '</a><br />' . $crlf;
$html .= ' <span style="color:#FF0000;font-weight:bold">' . $this->price . '</span> <span style="font-weight:bold">' . $this->bids . '</span><br />' . $crlf;
$html .= ' <span style="font-weight:bold">Auction Ends:</span> ' . $this->end_date . '<br />' . $crlf;
if ($this->bid_now_url > "") {
$html .= ' <a href="' . $this->bid_now_url . '" rel="nofollow" target="_blank">' . "Bid on this Item" . '</a>';
}
if ($this->buy_now_url > "") {
if ($this->bid_now_url > "") {
$html .= " ;; | ";
} else {
$html .= " ";
}
$html .= '<a href="' . $this->buy_now_url . '" rel="nofollow" target="_blank">' . "Buy this Item" . '</a>';
}
$html .= ' ;; | <a href="' . $this->watch_url . '" rel="nofollow" target="_blank">' . "Watch this Item" . '</a>' . $crlf;
$html .= ' </td>' . $crlf;
$html .= ' </tr>' . $crlf;
$html .= '</table>' . $crlf . $crlf;
$this->html .= $html;
}
function prepText($text) {
$text = str_replace('/',' ',$text);
$text = str_replace('-',' ',$text);
$text = str_replace(' & ',' ',$text);
$text = str_replace('"',' ',$text);
$text = str_replace(".",' ',$text);
$text = str_replace("'",' ',$text);
$text = str_replace(",",' ',$text);
$text = str_replace(' ','-',$text);
$text = str_replace('-----','-',$text);
$text = str_replace('----','-',$text);
$text = str_replace('---','-',$text);
$text = str_replace('--','-',$text);
$text = str_replace(':','',$text);
$text = str_replace('#','',$text);
$text = str_replace('(','',$text);
$text = str_replace('%','',$text);
$text = str_replace(')','',$text);
$text = strtolower($text);
return $text;
}
} # end eBay class
#################################################
# XML RSS Class #
#################################################
class rss {
var $counter = 0;
var $type = 0;
var $tag = "";
var $itemInfo = array();
var $channelInfo = array();
function opening_element($xmlParser, $name, $attribute) {
$this->tag = $name;
if($name == "CHANNEL"){
$this->type = 1;
} else if($name == "ITEM") {
$this->type = 2;
}
}
function closing_element($xmlParser, $name){
$this->tag = "";
if($name == "ITEM") {
$this->type = 0;
$this->counter++;
} else if($name == "CHANNEL") {
$this->type = 0;
}
}
function c_data($xmlParser, $data){
if($this->tag == "TITLE" || $this->tag == "DESCRIPTION" || $this->tag == "LINK") {
if($this->type == 1) {
$this->channelInfo[strtolower($this->tag)] = $data;
} else if($this->type == 2) {
$this->itemInfo[$this->counter][strtolower($this->tag)] .= $data;
}
}
}
function get($xml_file) {
$xmlParser = xml_parser_create();
xml_set_object ($xmlParser, $this);
xml_parser_set_option($xmlParser, XML_OPTION_CASE_FOLDING, TRUE);
xml_parser_set_option($xmlParser, XML_OPTION_SKIP_WHITE, TRUE);
xml_set_element_handler($xmlParser, "opening_element", "closing_element");
xml_set_character_data_handler($xmlParser, "c_data");
$fp = file($xml_file);
# if the file() function fails, then try curl
# some shared hosts prevent the use of file() for security reasons
if ($fp == false) {
$ch = curl_init($xml_file);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$xml = curl_exec($ch);
curl_close($ch);
$fp = explode("\n", $xml);
}
foreach($fp as $line){
if(!xml_parse($xmlParser, $line)) {
die("Could not parse file.");
}
}
}
} # end RSS XML class
function phpBayLite($text) {
#if WP is erroneously adding <p></p> tags, let's catch them
$text = str_replace("<p>[phpbay]", "[phpbay]", $text);
$text = str_replace("[/phpbay]</p>", "[/phpbay]", $text);
if (preg_match('%(\\[phpbay\\](.*?)\\[\\/phpbay\\])%', $text, $match)) {
$params = $match[0];
$params = str_replace("[phpbay]", "", $params);
$params = str_replace("[/phpbay]", "", $params);
$values = explode(",", $params);
$kw = trim($values[0]);
$num = trim($values[1]);
if ($kw) {
$ebay_lite = new ebay_lite();
# Set global options that are stored in the phpBay Lite Admin Panel
$ebay_lite->eb_saaff = get_option("PBL_aff_type");
$ebay_lite->eb_pid = get_option("PBL_ebay_pid");
$ebay_lite->eb_cid = get_option("PBL_ebay_cid");
# Set Country Code Information
$ebay_lite->eb_siteId = get_option("PBL_siteId");
if ($ebay_lite->eb_siteId == "") {$ebay_lite->eb_siteId = "0";}
if ($ebay_lite->eb_siteId == "0") {$ebay_lite->eb_language = "en-US";}
if ($ebay_lite->eb_siteId == "15") {$ebay_lite->eb_language = "en-AU";}
if ($ebay_lite->eb_siteId == "16") {$ebay_lite->eb_language = "de-AT";}
if ($ebay_lite->eb_siteId == "123") {$ebay_lite->eb_language = "nl-BE";}
if ($ebay_lite->eb_siteId == "2") {$ebay_lite->eb_language = "en-CA";}
if ($ebay_lite->eb_siteId == "71") {$ebay_lite->eb_language = "fr-FR";}
if ($ebay_lite->eb_siteId == "77") {$ebay_lite->eb_language = "de-DE";}
if ($ebay_lite->eb_siteId == "203") {$ebay_lite->eb_language = "en-IN";}
if ($ebay_lite->eb_siteId == "205") {$ebay_lite->eb_language = "";}
if ($ebay_lite->eb_siteId == "101") {$ebay_lite->eb_language = "it-IT";}
if ($ebay_lite->eb_siteId == "146") {$ebay_lite->eb_language = "nl-NL";}
if ($ebay_lite->eb_siteId == "186") {$ebay_lite->eb_language = "es-ES";}
if ($ebay_lite->eb_siteId == "193") {$ebay_lite->eb_language = "de-CH";}
if ($ebay_lite->eb_siteId == "3") {$ebay_lite->eb_language = "en-GB";}
# We do some error checking here. If either of the two values directly above
# are not set, then we need to display a message to the WP Blog owner and exit
if ($ebay_lite->eb_saaff == "") {
echo "Please set the Affiliate Type and Ebay PID in your <strong>admin -> options -> phpBay Lite</strong> control panel.";
return $text;
exit;
}
$ebay_lite->listings($kw, $num);
$ebay_lite->html = "<div>\r\n" . $ebay_lite->html . "\r\n</div>\r\n";
$text = str_replace($match[0], $ebay_lite->html, $text);
}
}
return $text;
}
function pb_add_button() {
$insert_this = '[phpbay]keyword(s), 10[/phpbay]';
phpbay_textbutton_post("", 'pBL', "", $insert_this);
phpbay_textbutton_page("", 'pBL', "", $insert_this);
}
# Add phpBay auctions to page
add_filter('the_content', 'phpBayLite');
# Add the phpBay Pro Admin Panel
add_action('admin_menu','add_admin_panel');
# Add the phpBay button to the editor
include('phpbaysnap.php');
add_action('init', 'pb_add_button');
?>