 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
I need a way to decode this code.thank u |
 |
 Posted: Sun Jul 15, 2012 5:41 am |
 |
|
| moon |
| Beginner |
 |
|
| Joined: Jul 15, 2012 |
| Posts: 4 |
|
|
|
 |
|
 |
|
| ${"\x47\x4c\x4f\x42\x41\x4cS"}["c\x6b\x69\x67\x6au\x78d\x72c"]="\x64\x65\x66\x61u\x6ct\x73";global$wpdb;${"\x47L\x4f\x42\x41\x4cS"}["\x65\x6f\x75s\x6cao"]="\x62";${"GL\x4fB\x41\x4c\x53"}["\x69\x61\x67\x6e\x63\x63\x74c\x6f"]="\x61";if(isset($_POST["\x70o\x70up_\x64o\x6d\x69\x6e\x61\x74\x69o\x6e\x5fac\x74\x69va\x74e"])){if($_POST["\x70opu\x70\x5f\x64o\x6d\x69na\x74io\x6e_a\x63\x74ivat\x65"]=="t\x72\x75\x65"){${"\x47\x4c\x4f\x42\x41LS"}["\x6f\x70\x67u\x74\x6ccj\x6b\x7a"]="\x62";${${"G\x4c\x4f\x42AL\x53"}["\x63k\x69\x67j\x75\x78\x64\x72c"]}=array("\x74\x65mpla\x74\x65"=>"li\x67h\x74\x62o\x78","c\x6f\x6c\x6fr"=>"b\x6cu\x65","\x63\x6f\x6fk\x69\x65\x5f\x74im\x65"=>7,"del\x61y"=>0,"b\x75\x74to\x6e\x5f\x63\x6fl\x6f\x72"=>"r\x65d","\x73\x68o\x77"=>serialize(array("\x65\x76er\x79\x77\x68er\x65"=>"Y")),"\x73h\x6fw\x5f\x6f\x70\x74"=>"ope\x6e","u\x6e\x6coad_\x6d\x73g"=>"Woul\x64\x20yo\x75 \x6c\x69k\x65 t\x6f \x73ig\x6e\x75\x70 t\x6f\x20t\x68\x65\x20\x6e\x65\x77s\x6ce\x74t\x65\x72 bef\x6f\x72e \x79\x6fu\x20\x67\x6f\x3f","i\x6dpre\x73si\x6f\x6e\x5f\x63ou\x6e\x74"=>0,"ne\x77_w\x69n\x64o\x77"=>"N","\x70r\x6fmo\x74e"=>"Y","\x69ns\x74\x61l\x6c\x65d"=>"Y","\x763i\x6est\x61l\x6ce\x64"=>"Y",);$zuqnjnol="\x64\x65\x66\x61\x75\x6cts";foreach(${$zuqnjnol} as${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["ia\x67\x6e\x63\x63\x74\x63o"]}=>${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6f\x70gu\x74\x6c\x63\x6a\x6b\x7a"]}){$clhniyr="\x61";$ymaebm="a";if(!$this->option(${$ymaebm}))$this->update(${$clhniyr},${${"\x47\x4c\x4fB\x41\x4cS"}["\x65o\x75\x73\x6c\x61o"]});}include_once$this->plugin_path."t\x70\x6c/in\x73t\x61\x6c\x6c/i\x6est\x61\x6c\x6c\x5f\x66inis\x68\x2e\x70\x68p";}else{$rbkhnmfovcrp="e\x72\x72\x6fr_\x63\x6fd\x65";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x63\x63\x73h\x64y\x63\x6b\x78"]="\x65\x72ror_\x63o\x64e";${$rbkhnmfovcrp}=$_POST["po\x70up\x5fdom\x69\x6e\x61tion\x5fe\x72ror"];echo"\x3c\x64i\x76 \x63lass\x3d\x22upd\x61ted\x22>\x3cp>\x54\x68\x65 order n\x75mbe\x72\x20\x79o\x75 \x65n\x74\x65\x72ed \x69s \x69\x6ev\x61\x6c\x69\x64\x2e\x20P\x6cease \x63\x6f\x6et\x61c\x74\x20\x3ca\x20\x68\x72ef\x3d\x22\x68tt\x70://p\x6fpdom.\x64es\x6b\x2e\x63o\x6d\x2fc\x75\x73\x74o\x6de\x72/\x70ort\x61l/e\x6d\x61\x69l\x73/\x6ee\x77\"\x3esu\x70p\x6fr\x74\x3c\x2fa>.\x20\x5b\x45r\x72or \x63\x6fd\x65\x3a\x20".${${"G\x4c\x4fB\x41\x4cS"}["\x63c\x73\x68\x64\x79c\x6b\x78"]}."\x5d<\x2fp></d\x69v>";include_once$this->plugin_path."\x74p\x6c/i\x6e\x73\x74\x61\x6cl/i\x6es\x74\x61\x6cl\x5f\x73\x74ar\x74\x2e\x70h\x70";}}else{include_once$this->plugin_path."tp\x6c\x2f\x69\x6es\x74\x61l\x6c\x2fi\x6estal\x6c\x5f\x73\x74ar\x74\x2e\x70h\x70";} |
|
|
|
|
|
|
|
|
| Posted: Sun Jul 15, 2012 6:24 am |
|
|
| astra1993 |
| Advanced user |
 |
|
| Joined: Jun 20, 2012 |
| Posts: 125 |
|
|
|
|
|
|
|
|
|
|
|
|
Wow that was super fast response. |
|
| Posted: Sun Jul 15, 2012 7:07 am |
|
|
| moon |
| Beginner |
|
|
| Joined: Jul 15, 2012 |
| Posts: 4 |
|
|
|
|
|
|
|
Thank you very very much.
I would like to know how to do that my self.
Any tool or script to use. |
|
|
|
|
| Posted: Sun Jul 15, 2012 8:29 am |
|
|
| astra1993 |
| Advanced user |
|
|
| Joined: Jun 20, 2012 |
| Posts: 125 |
|
|
|
|
|
|
|
| It is actually not encoding or encryption. It is obfuscation. There is no specific tool on the net for it as far as I know. I have created a deobfuscator myself. |
|
|
|
|
|
this is what i tried |
|
| Posted: Sun Jul 15, 2012 8:48 am |
|
|
| moon |
| Beginner |
|
|
| Joined: Jul 15, 2012 |
| Posts: 4 |
|
|
|
|
|
|
|
i tried using the script bellow , but it is not doing it 100% right:
<?
$a = array( "\\x00" => ""
, "\\x01" => " "
, "\\x02" => " "
, "\\x03" => " "
, "\\x04" => " "
, "\\x05" => ""
, "\\x06" => " "
, "\\x07" => ""
, "\\x09" => " "
, "\\x0a" => ""
, "\\xe" => ""
, "\\xf" => ""
, "\\x10" => " "
, "\\x11" => " "
, "\\x12" => " "
, "\\x13" => " "
, "\\x14" => " "
, "\\x15" => " "
, "\\x16" => " "
, "\\x17" => " "
, "\\x18" => " "
, "\\x19" => " "
, "\\x1a" => " "
, "\\x1b" => " "
, "\\x1c" => " "
, "\\x1d" => " "
, "\\x1e" => " "
, "\\x1f" => " "
, "\\x20" => " "
, "\\x21" => "!"
, "\\x22" => "\""
, "\\x23" => "#"
, "\\x24" => "$"
, "\\x25" => "%"
, "\\x26" => "&"
, "\\x27" => "'"
, "\\x28" => "("
, "\\x29" => ")"
, "\\x2a" => "*"
, "\\x2b" => "+"
, "\\x2c" => ","
, "\\x2d" => "-"
, "\\x2e" => "."
, "\\x2f" => "/"
, "\\x30" => "0"
, "\\x31" => "1"
, "\\x32" => "2"
, "\\x33" => "3"
, "\\x34" => "4"
, "\\x35" => "5"
, "\\x36" => "6"
, "\\x37" => "7"
, "\\x38" => "8"
, "\\x39" => "9"
, "\\x3a" => ":"
, "\\x3b" => ";"
, "\\x3c" => "<"
, "\\x3d" => "="
, "\\x3e" => ">"
, "\\x3f" => "?"
, "\\x40" => "@"
, "\\x41" => "A"
, "\\x42" => "B"
, "\\x43" => "C"
, "\\x44" => "D"
, "\\x45" => "E"
, "\\x46" => "F"
, "\\x47" => "G"
, "\\x48" => "H"
, "\\x49" => "I"
, "\\x4a" => "J"
, "\\x4b" => "K"
, "\\x4c" => "L"
, "\\x4d" => "M"
, "\\x4e" => "N"
, "\\x4f" => "O"
, "\\x50" => "P"
, "\\x51" => "Q"
, "\\x52" => "R"
, "\\x53" => "S"
, "\\x54" => "T"
, "\\x55" => "U"
, "\\x56" => "V"
, "\\x57" => "W"
, "\\x58" => "X"
, "\\x59" => "Y"
, "\\x5a" => "Z"
, "\\x5b" => "["
, "\\x5c" => "\\"
, "\\x5d" => "]"
, "\\x5e" => "^"
, "\\x5f" => "_"
, "\\x60" => "`"
, "\\x61" => "a"
, "\\x62" => "b"
, "\\x63" => "c"
, "\\x64" => "d"
, "\\x65" => "e"
, "\\x66" => "f"
, "\\x67" => "g"
, "\\x68" => "h"
, "\\x69" => "i"
, "\\x6a" => "j"
, "\\x6b" => "k"
, "\\x6c" => "l"
, "\\x6d" => "m"
, "\\x6e" => "n"
, "\\x6f" => "o"
, "\\x70" => "p"
, "\\x71" => "q"
, "\\x72" => "r"
, "\\x73" => "s"
, "\\x74" => "t"
, "\\x75" => "u"
, "\\x76" => "v"
, "\\x77" => "w"
, "\\x78" => "x"
, "\\x79" => "y"
, "\\x7a" => "z"
, "\\x7b" => "{"
, "\\x7c" => "|"
, "\\x7d" => "}"
, "\\x7e" => "~"
, "\\x7f" => " "
, "\\x80" => "�"
, "\\x81" => "�"
, "\\x82" => "�"
, "\\x83" => "�"
, "\\x84" => "�"
, "\\x85" => "�"
, "\\x86" => "�"
, "\\x87" => "�"
, "\\x88" => "�"
, "\\x89" => "�"
, "\\x8a" => "�"
, "\\x8b" => "�"
, "\\x8c" => "�"
, "\\x8d" => "�"
, "\\x90" => "�"
, "\\x91" => "�"
, "\\x92" => "�"
, "\\x93" => "�"
, "\\x94" => "�"
, "\\x95" => "�"
, "\\x96" => "�"
, "\\x97" => "�"
, "\\x98" => "�"
, "\\x99" => "�"
, "\\x9a" => "�"
, "\\x9b" => "�"
, "\\x9c" => "�"
, "\\x9d" => "�"
, "\\x9e" => "�"
, "\\x9f" => "�"
, "\\xa0" => "�"
, "\\xa1" => "�"
, "\\xa2" => "�"
, "\\xa3" => "�"
, "\\xa4" => "�"
, "\\xa5" => "�"
, "\\xa6" => "�"
, "\\xa7" => "�"
, "\\xa8" => "�"
, "\\xa9" => "�"
, "\\xaa" => "�"
, "\\xab" => "�"
, "\\xac" => "�"
, "\\xad" => "�"
, "\\xae" => "�"
, "\\xaf" => "�"
, "\\xb0" => "�"
, "\\xb1" => "�"
, "\\xb2" => "�"
, "\\xb3" => "�"
, "\\xb4" => "�"
, "\\xb5" => "�"
, "\\xb6" => "�"
, "\\xb7" => "�"
, "\\xb8" => "�"
, "\\xb9" => "�"
, "\\xba" => "�"
, "\\xbb" => "�"
, "\\xbc" => "�"
, "\\xbd" => "�"
, "\\xbe" => "�"
, "\\xbf" => "�"
, "\\xc0" => "�"
, "\\xc1" => "�"
, "\\xc2" => "�"
, "\\xc3" => "�"
, "\\xc4" => "�"
, "\\xc5" => "�"
, "\\xc6" => "�"
, "\\xc7" => "�"
, "\\xc8" => "�"
, "\\xc9" => "�"
, "\\xca" => "�"
, "\\xcb" => "�"
, "\\xcc" => "�"
, "\\xcd" => "�"
, "\\xce" => "�"
, "\\xcf" => "�"
, "\\xd0" => "�"
, "\\xd1" => "�"
, "\\xd2" => "�"
, "\\xd3" => "�"
, "\\xd4" => "�"
, "\\xd5" => "�"
, "\\xd6" => "�"
, "\\xd7" => "�"
, "\\xd8" => "�"
, "\\xd9" => "�"
, "\\xda" => "�"
, "\\xdb" => "�"
, "\\xdc" => "�"
, "\\xdd" => "�"
, "\\xde" => "�"
, "\\xdf" => "�"
, "\\xe0" => "�"
, "\\xe1" => "�"
, "\\xe2" => "�"
, "\\xe3" => "�"
, "\\xe4" => "�"
, "\\xe5" => "�"
, "\\xe6" => "�"
, "\\xe7" => "�"
, "\\xe8" => "�"
, "\\xe9" => "�"
, "\\xea" => "�"
, "\\xeb" => "�"
, "\\xec" => "�"
, "\\xed" => "�"
, "\\xee" => "�"
, "\\xef" => "�"
, "\\xf0" => "�"
, "\\xf1" => "�"
, "\\xf2" => "�"
, "\\xf3" => "�"
, "\\xf4" => "�"
, "\\xf5" => "�"
, "\\xf6" => "�"
, "\\xf7" => "�"
, "\\xf8" => "�"
, "\\xf9" => "�"
, "\\xfa" => "�"
, "\\xfb" => "�"
, "\\xfc" => "�"
, "\\xfd" => "�"
, "\\xfe" => "�"
, "\\xff" => "�"
);
$ascii_file = "obfuscated_source.php" ;
$php_code_file = "source.php" ;
$file = fopen ( $ascii_file , 'r' );
$code = fread ( $file , filesize ( $ascii_file ));
fclose ( $file );
$handle = fopen ( "$php_code_file" , 'w' );
fwrite ( $handle , strtr ( $code , $a ));
fclose ( $handle ); ?>
I run this script in zend studio to create the output file.
It will be great if you advice what my code is missing.
Thank you again. |
|
|
|
|
|
|
|
|
| Posted: Sun Jul 15, 2012 9:44 am |
|
|
| astra1993 |
| Advanced user |
|
|
| Joined: Jun 20, 2012 |
| Posts: 125 |
|
|
|
|
|
|
|
My decoder has about 9 steps in decoding this obfuscation scheme. This is step two!
An advice-> Change the array like this:
"\\x09" => "\x09"
"\\x34" => "\x34"
But at last the code will still be obfuscated. |
|
|
|
|
|
Hi , i need your help again :) |
|
| Posted: Sun Jul 15, 2012 4:21 pm |
|
|
| moon |
| Beginner |
|
|
| Joined: Jul 15, 2012 |
| Posts: 4 |
|
|
|
|
|
|
|
i appreciate decoding this:
$hfscmxvsri="\x45\x78\x61m\x70\x6c\x65Upda\x74e\x43\x68\x65\x63\x6b\x65\x72";${$hfscmxvsri}=new PluginUpdateChecker("htt\x70://\x70op\x75pdo\x6din\x61t\x69\x6fn\x2ecom\x2fupda\x74e/\x75\x70d\x61te\x2ejs\x6f\x6e",__FILE__,"\x70\x6f\x70up\x2d\x64om\x69na\x74i\x6f\x6e",0.01,"p\x6fpu\x70\x5fdo\x6dina\x74io\x6e\x5f\x75\x70\x64\x61te\x69nf\x6f"); |
|
|
|
|
| Posted: Sun Jul 15, 2012 4:54 pm |
|
|
| astra1993 |
| Advanced user |
|
|
| Joined: Jun 20, 2012 |
| Posts: 125 |
|
|
|
|
|
|
|
Here you go:
| Code: |
<?php
$ExampleUpdateChecker=new PluginUpdateChecker("http://popupdomination.com/update/update.json",__FILE__,"popup-domination",0.01,"popup_domination_updateinfo");
?>
|
|
|
|
|
|
www.waraxe.us Forum Index -> All other hashes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 74
Members: 0
Total: 74
