Waraxe IT Security Portal
Login or Register
November 6, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 78
Members: 0
Total: 78
Full disclosure
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
APPLE-SA-10-28-2024-3 macOS Sequoia 15.1
APPLE-SA-10-28-2024-2 iOS 17.7.1 and iPadOS 17.7.1
APPLE-SA-10-28-2024-1 iOS 18.1 and iPadOS 18.1
Open Redirect / Reflected XSS - booked-schedulerv2.8.5
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PHP script decode requests -> Quick PHPLockIt task, half-finished, need a few tips
Post new topicReply to topic View previous topic :: View next topic
Quick PHPLockIt task, half-finished, need a few tips
PostPosted: Mon Jun 21, 2010 4:19 am Reply with quote
Q4242
Beginner
Beginner
Joined: Jun 21, 2010
Posts: 3
Location: Q-Continuum




Hey everyone,

I've been browsing through some threads here and have managed to partially
decode my file with some Cyko's tips, B64 tool and one tutorial that I've
found somewhere, but I won't post the url as I know that admins of many
forums don't like when urls of their competitors are posted on their forums.

Ok, so here we go... My file is here - http://pastebin.com/uZWe8zhQ.

PHPLockIt - Obfuscation Used:

( a ) Variable name scrambling and shuffling (e.g. $OOO0O0O00, $OOO000000)
( b ) Nesting and compacting (e.g., strtr(), urlencode(), gzuncompress())
( c ) Function name, string text scrambling and shuffling

File will be divided in 3 parts: urlencoding, base64, and footer.

1. urlencoding - don't know what to do with this one, yet, haven't found
out anything about that.
2. Base 64 - decoded that bunch of gibberish, and got this:
Code:

($$O0O0000O0('$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000{19};if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{20};$OO0OO000O($O000O0O00,1143);

$OO00O00O0=($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,380),'69iZQMGcN2XhDdFRs7/o3jwme0LVH5rux8PvYtKI1JAabUSWEkgOyTpnlzfC+4Bq=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);'))


I was able to figure out that I'll need fread & '380' as a parameter for it,
and those two strings after it will be used to decode the footer, what I've
done by creating a .php script for that and executing it:

Code:

$footer = _onebigblockofcodeafterreturn_;
$fread = 380;
$secondcode = substr($footer, $fread);
$strtr = strtr($footer, '69iZQMGcN2XhDdFRs7/o3jwme0LVH5rux8PvYtKI1JAabUSWEkgOyTpnlzfC+4Bq=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/');
$strtr = base64_decode($strtr);
$decoded = "<?php $strtr?>";
highlight_string($decoded);


End result is this: http://pastebin.com/PtjnfhW1 ,

but I'm seeing some additional protection at the top, and some junk code
in there (though I'm a PHP newb, can't see much in there), can someone
just take a look at this and tell me what to do next, or help me decipher this correctly?

There have been some tips for replacing echoes with something else, but
it fucked up the code even more, so my syntax checker went nuts.

Thanks.
View user's profile Send private message
PostPosted: Mon Jun 21, 2010 6:28 am Reply with quote
Cyko
Moderator
Moderator
Joined: Jul 21, 2009
Posts: 375




It was all their in MY tutorial which some looser miscredited and claimed it as his.

If you followed it correctly and if that looser who pasted the tutorial's content on his site correctly, im sure you'd have decoded it by now.

The pastebin link to your original encoded file is dead, can you reup?
View user's profile Send private message
PostPosted: Mon Jun 21, 2010 1:13 pm Reply with quote
Q4242
Beginner
Beginner
Joined: Jun 21, 2010
Posts: 3
Location: Q-Continuum




Yeah, plagiarism is unavoidable with great works. Smile
View user's profile Send private message
Quick PHPLockIt task, half-finished, need a few tips
www.waraxe.us Forum Index -> PHP script decode requests
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.043 Seconds