|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Quick PHPLockIt task, half-finished, need a few tips |
|
Posted: Mon Jun 21, 2010 4:19 am |
|
|
Q4242 |
Beginner |
|
|
Joined: Jun 21, 2010 |
Posts: 3 |
Location: Q-Continuum |
|
|
|
|
|
|
Hey everyone,
I've been browsing through some threads here and have managed to partially
decode my file with some Cyko's tips, B64 tool and one tutorial that I've
found somewhere, but I won't post the url as I know that admins of many
forums don't like when urls of their competitors are posted on their forums.
Ok, so here we go... My file is here - http://pastebin.com/uZWe8zhQ.
PHPLockIt - Obfuscation Used:
( a ) Variable name scrambling and shuffling (e.g. $OOO0O0O00, $OOO000000)
( b ) Nesting and compacting (e.g., strtr(), urlencode(), gzuncompress())
( c ) Function name, string text scrambling and shuffling
File will be divided in 3 parts: urlencoding, base64, and footer.
1. urlencoding - don't know what to do with this one, yet, haven't found
out anything about that.
2. Base 64 - decoded that bunch of gibberish, and got this:
Code: |
($$O0O0000O0('$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000{19};if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{20};$OO0OO000O($O000O0O00,1143);
$OO00O00O0=($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,380),'69iZQMGcN2XhDdFRs7/o3jwme0LVH5rux8PvYtKI1JAabUSWEkgOyTpnlzfC+4Bq=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);'))
|
I was able to figure out that I'll need fread & '380' as a parameter for it,
and those two strings after it will be used to decode the footer, what I've
done by creating a .php script for that and executing it:
Code: |
$footer = _onebigblockofcodeafterreturn_;
$fread = 380;
$secondcode = substr($footer, $fread);
$strtr = strtr($footer, '69iZQMGcN2XhDdFRs7/o3jwme0LVH5rux8PvYtKI1JAabUSWEkgOyTpnlzfC+4Bq=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/');
$strtr = base64_decode($strtr);
$decoded = "<?php $strtr?>";
highlight_string($decoded);
|
End result is this: http://pastebin.com/PtjnfhW1 ,
but I'm seeing some additional protection at the top, and some junk code
in there (though I'm a PHP newb, can't see much in there), can someone
just take a look at this and tell me what to do next, or help me decipher this correctly?
There have been some tips for replacing echoes with something else, but
it fucked up the code even more, so my syntax checker went nuts.
Thanks. |
|
|
|
|
|
|
|
|
Posted: Mon Jun 21, 2010 6:28 am |
|
|
Cyko |
Moderator |
|
|
Joined: Jul 21, 2009 |
Posts: 375 |
|
|
|
|
|
|
|
It was all their in MY tutorial which some looser miscredited and claimed it as his.
If you followed it correctly and if that looser who pasted the tutorial's content on his site correctly, im sure you'd have decoded it by now.
The pastebin link to your original encoded file is dead, can you reup? |
|
|
|
|
Posted: Mon Jun 21, 2010 1:13 pm |
|
|
Q4242 |
Beginner |
|
|
Joined: Jun 21, 2010 |
Posts: 3 |
Location: Q-Continuum |
|
|
|
|
|
|
Yeah, plagiarism is unavoidable with great works. |
|
|
|
|
www.waraxe.us Forum Index -> PHP script decode requests
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|