IT Security and Insecurity Portal |
|
|
130 phplockit files. |
|
Posted: Thu Jul 12, 2012 2:22 pm |
|
|
eslim |
Regular user |
|
|
Joined: Jul 12, 2012 |
Posts: 6 |
|
|
|
|
|
|
|
I have about 130 files encoded with Phplockit.
I searched the web and found several tools, but none of them is working.
If anyone can help decode them or show me how to do it, I will pay for it.
Here is a sample file:
Code: | <?php /* This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x214;eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NGZjKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgzNzgpLCdFbnRlcnlvdXdraFJIWUtOV09VVEFhQmJDY0RkRmZHZ0lpSmpMbE1tUHBRcVNzVnZYeFp6MDEyMzQ1Njc4OSsvPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>J^jcM{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_XsAifsMQ~ |
|
|
|
|
|
|
|
|
|
Posted: Thu Jul 12, 2012 3:36 pm |
|
|
vince213333 |
Advanced user |
|
|
Joined: Aug 03, 2009 |
Posts: 737 |
Location: Belgium |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Thu Jul 12, 2012 11:07 pm |
|
|
eslim |
Regular user |
|
|
Joined: Jul 12, 2012 |
Posts: 6 |
|
|
|
|
|
|
|
Thanks for your help.
That tutorial helped with some files, but in other cases (big files) it only shows something like this:
Code: | Á<ÀÁ<À¤ì™[˜Ý[Ûˆ\œÙQ[]™\žR[šQš[J ÛÛ™šYÔ]H[ ÛÛ™šYÑš[HH[ ÙXÝ[ÛœÈHYJBžÂšYˆ IÛÛ™šYÔ] H‰ÛÛ™šYÔ]HPVÔU‰Ëݘ\‰ÎŸBšYˆ ÛÛ™šYÑš[JH‰ÛÛ™šYÑš[HH ˉˉÛÛ™šYÑš[NŸB‰ÜÝHÖÙÙ]Üݘ[YJ N‰ÛÛ™šYÑš[S˜[YHH ÛÛ™šYÔ]‰ËÉˉÜ݉ÛÛ™šYÑš[H‰Ë˜ÛÛ™‹œ ΉÛÛ™ˆH\œÙWÚ[šWÙš[J ÛÛ™šYÑš[S˜[YK ÙXÝ[ÛœÊNšYˆ \ÜÙ] ÛÛ™–ÉÜ™X[ÛÛ™šYÉ×JJH‰™X[ÛÛ™ˆH\œÙWÚ[šWÙš[JPVÔU‰Ëݘ\‹ÉˉÛÛ™–ÉÜ™X[ÛÛ™šYÉ×H‰Ë˜ÛÛ™‹œ Ë ÙXÝ[ÛœÊN‰ÛÛ™ˆHY\™ÙPÛÛ™šYÑš[\Ê ™X[ÛÛ™‹ ÛÛ™NŸBšYˆ Y[\J ÛÛ™JHÂœ™]\›ˆ ÛÛ™ŽÂŸY[ÙZYˆ ÛÛ™šYÑš[HOOH ËœYÚ[‰ÊH‰YÚ[•\HH˜\Ù[˜[YJ ÛÛ™šYÔ] N‰Y˜][ÛÛ™šYÈHPVÔU‰ËÜYÚ[œËÉˉYÚ[•\H‰ËÙY˜][œYÚ[‹˜ÛÛ™‹œ ΉÛÛ™ˆH\œÙWÚ[šWÙš[J Y˜][ÛÛ™šYË ÙXÝ[ÛœÊNšYˆ ÛÛ™ˆOOH˜[ÙJHÂœ™]\›ˆ ÛÛ™ŽÂŸB™XÚÈ“Ü[–ÛÝ[›Ý™XYHY˜][ÛÛ™šYÝ\˜][Ûˆš[H›ÜˆHÉYÚ[•\_HYÚ[ˆŽÂ™^] JNŸB‰ÛÛ™šYÑš[S˜[YHH ÛÛ™šYÔ]‰ËÙY˜][ ˉÛÛ™šYÑš[H‰Ë˜ÛÛ™‹œ |
or sometimes nothing as a result. |
|
|
|
|
|
|
|
|
Posted: Fri Jul 13, 2012 12:11 pm |
|
|
eslim |
Regular user |
|
|
Joined: Jul 12, 2012 |
Posts: 6 |
|
|
|
|
|
|
|
Here are my 2 keys:
From (65 characters):
Code: | EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/= |
To (64 characters):
Code: | ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ |
Which leaves the = character not replaced, and for base64_decode, = is not a valid character.
What should I do? |
|
|
|
|
|
|
|
|
Posted: Sat Jul 14, 2012 8:12 am |
|
|
astra1993 |
Advanced user |
|
|
Joined: Jun 20, 2012 |
Posts: 125 |
|
|
|
|
|
|
|
This is the decoded sample file. PHPLockit reads from itself when it is being decoded. Adding even a single byte to the file ruins the script. And the tutorial which is posted is very old. In the sample script you sent, a host lock is added, which prevents you from getting the source with the decoder posted above. I use a separate technique. I've already created a decoder but it is not complete yet.
Code: |
<?php
require realpath(dirname(__FILE__) .'/../../') .'/init.php';
$con1 = mysql_connect($GLOBALS['_MAX']['CONF']['database']['host'],$GLOBALS['_MAX']['CONF']['database']['username'],$GLOBALS['_MAX']['CONF']['database']['password']);
mysql_select_db($GLOBALS['_MAX']['CONF']['database']['name'],$con1)or die("culnot select:".mysql_error());
$table_prefix = $GLOBALS['_MAX']['CONF']['table']['prefix'];
;
?>
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 14, 2012 11:13 pm |
|
|
eslim |
Regular user |
|
|
Joined: Jul 12, 2012 |
Posts: 6 |
|
|
|
|
|
|
|
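Found it.
Here is the piece of code I'm using in the last step:
Code: | <?php
// Contents of the encoded file (placeholder string).
$s = "some random code";
// Custom base64 alphabet ($from) and the standard alphabet ($to).
$from = "EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=";
$to = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
// Skip the first 0x378 bytes.
$s = substr($s, 0x378);
// strtr() ignores the extra trailing "=" in $from, so "=" is left untouched.
$s = strtr($s, $from, $to);
// Split on "==" and decode each piece; explode() replaces split(),
// which no longer exists in PHP 7 and later.
$tab = explode("==", $s);
foreach ($tab as $value)
{
    highlight_string(base64_decode($value));
}
?>
| |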
|
|
|
|
Posted: Sun Jul 15, 2012 6:10 am |
|
|
astra1993 |
Advanced user |
|
|
Joined: Jun 20, 2012 |
Posts: 125 |
|
|
|
|
|
|
|
Still does not work on all of the PHPLockit files. |
|
|
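The alphabet translation from eslim's snippet, written out in Python as an added example (not code from any poster in the thread or from PHPLockit). It assumes, as that snippet does, that the body is a concatenation of padded base64 chunks in the custom alphabet, and goes one step further by splitting after any run of `=` rather than only on `==`; the payloads and helper names are constructed for the demonstration.

```python
import base64
import re

# Alphabets quoted in the thread: "from" has 65 characters, "to" has 64.
FROM = "EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/="
TO = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def strtr_table(src, dst):
    """Mimic PHP strtr($s, $from, $to): surplus characters in the longer
    string are ignored, so the trailing '=' in FROM stays untranslated."""
    n = min(len(src), len(dst))
    return str.maketrans(src[:n], dst[:n])


DECODE = strtr_table(FROM, TO)  # custom alphabet -> standard base64
ENCODE = strtr_table(TO, FROM)  # inverse, used only to build the sample


def split_chunks(stream):
    """Split after every run of '=' so chunks ending in '=' or '==' separate."""
    return re.findall(r"[^=]+=*", stream)


def decode_chunk(chunk):
    std = chunk.translate(DECODE)
    std += "=" * (-len(std) % 4)  # re-pad if the padding was stripped
    return base64.b64decode(std, validate=True)


def decode_stream(stream):
    return [decode_chunk(c) for c in split_chunks(stream)]


def make_sample(parts):
    """Constructed input: base64-encode each part, map to the custom alphabet."""
    return "".join(base64.b64encode(p).decode().translate(ENCODE) for p in parts)


# Constructed payloads of 13, 14 and 15 bytes: padding '==', '=' and none.
PARTS = [b"<?php echo 1;", b"<?php echo 22;", b"<?php echo 333;"]

if __name__ == "__main__":
    sample = make_sample(PARTS)
    print("pieces from split on '==':", len(sample.split("==")))
    print("pieces from padding-aware split:", len(split_chunks(sample)))
    for plain in decode_stream(sample):
        print(plain.decode())
```

A chunk whose plaintext length is a multiple of 3 carries no padding at all, so padding-based splitting cannot find where it ends; that case needs explicit chunk lengths.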
All times are GMT