obfuscate file
Posted: Sat Dec 22, 2012 6:18 pm, by amin (Regular user; joined Aug 08, 2012; posts: 10)

Hello there,

I have multiple files that are encoded with Zend Guard.

When I decode them with dezender.net.2011, they become like this:
http://pastebin.com/1040ND6s

There are some codes like this:
_obfuscate_CXIZARoUBQt7HD8ÿ( $sql )

Can they be decoded?

With prior thanks

Subject: dezend
Posted: Thu Dec 27, 2012 10:10 pm, by amin (Regular user; joined Aug 08, 2012; posts: 10)

Can anyone decode this file?

http://nanoweb.ir/template.class.zip

Posted: Thu Dec 27, 2012 10:14 pm, by pirate-sky (Advanced user; joined Dec 17, 2012; posts: 75)

http://pastebin.com/M3U6y5Ky

Posted: Fri Dec 28, 2012 6:08 am, by amin (Regular user; joined Aug 08, 2012; posts: 10)

Thank you, but as you see there are some names that are not decoded properly,
such as _obfuscate_eGVobXo4aWIя
in here:
http://pastebin.com/M3U6y5Ky

And I have a bunch of these files and I need the decoder to decode them.

Thanks

Subject: opf db
Posted: Fri Dec 28, 2012 4:09 pm, by amin (Regular user; joined Aug 08, 2012; posts: 10)

I have found an opf db like this:

array('jdate','_obfuscate_ZC8rHHoÿ'),
array('$ip','$_obfuscate_Asÿ'),
array('$get_user_info','$_obfuscate_amyM0UI2ZB2Hlodoxwÿÿ'),
array('get_user_info','_obfuscate_bh16aDByCiogAWBubQÿÿ'),

that I can replace obfuscated names with real ones:

for example $ip=$_obfuscate_Asÿ;

Does anybody have a complete db?

Thanks

Subject: Re: opf db
Posted: Fri Dec 28, 2012 8:51 pm, by Cyko (Moderator; joined Jul 21, 2009; posts: 375)

amin wrote:
I have found an opf db like this:

array('jdate','_obfuscate_ZC8rHHoÿ'),
array('$ip','$_obfuscate_Asÿ'),
array('$get_user_info','$_obfuscate_amyM0UI2ZB2Hlodoxwÿÿ'),
array('get_user_info','_obfuscate_bh16aDByCiogAWBubQÿÿ'),

that I can replace obfuscated names with real ones:

for example $ip=$_obfuscate_Asÿ;

Does anybody have a complete db?

Thanks


I have not bothered to look at your file, but...


If the file was originally encoded with zend:

If you run the file through the db you have - at least all obfuscated internal functions should be replaced with their equivalents (assuming the db you have has not been changed from the original publication). Any remaining obfuscates will be user defined - so these could equate to almost anything! (which means the db can never be 'complete' :( ).

If the file was originally encoded with ioncube:

Unfortunately this makes it slightly more difficult than the above - as a unique key is used for the obfuscation, so the db you have will not even replace the obfuscated internal functions!

So how do you deobfuscate the obfuscates not covered?

Analyse the whole PHP script - looking for trends, and then add to the db - this should not be too difficult if you have sufficient PHP knowledge.
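
The dictionary pass described in Cyko's reply above, as an added example that is not part of the original thread or of any dezender tool: it loads `array('real','obfuscated')` rows, swaps whole tokens only, and lists the names the db does not cover (the user-defined ones). The function names, the Latin-1 decoding assumption and the PHP fragment are assumptions made for illustration; the four db rows are the ones quoted in the thread.

```python
import re

# PHP identifiers may contain bytes 0x80-0xff. Assumption: the decoded source
# was read as Latin-1, so the trailing 0xFF bytes show up as "ÿ".
TOKEN = re.compile(r"\$?_obfuscate_[A-Za-z0-9_\x80-\xff]+")
DB_ENTRY = re.compile(r"array\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)")


def load_db(db_text):
    """Parse array('real','obfuscated') rows into {obfuscated: real}."""
    return {obf: real for real, obf in DB_ENTRY.findall(db_text)}


def deobfuscate(source, db):
    """Replace whole obfuscated tokens; return (new_source, unresolved names)."""
    unresolved = set()

    def swap(match):
        token = match.group(0)
        if token in db:
            return db[token]
        # Not in the db: a user-defined name, left in place and reported.
        unresolved.add(token)
        return token

    return TOKEN.sub(swap, source), sorted(unresolved)


# The four db rows quoted in the thread.
SAMPLE_DB = """
array('jdate','_obfuscate_ZC8rHHoÿ'),
array('$ip','$_obfuscate_Asÿ'),
array('$get_user_info','$_obfuscate_amyM0UI2ZB2Hlodoxwÿÿ'),
array('get_user_info','_obfuscate_bh16aDByCiogAWBubQÿÿ'),
"""
# Constructed PHP fragment for the demo (not taken from the thread's pastebin).
SAMPLE_SRC = (
    "$_obfuscate_Asÿ = $_SERVER['REMOTE_ADDR'];\n"
    "$_obfuscate_amyM0UI2ZB2Hlodoxwÿÿ = _obfuscate_bh16aDByCiogAWBubQÿÿ( $_obfuscate_Asÿ );\n"
    "_obfuscate_CXIZARoUBQt7HD8ÿ( $sql );\n"
)

if __name__ == "__main__":
    out, left = deobfuscate(SAMPLE_SRC, load_db(SAMPLE_DB))
    print(out)
    print("unresolved:", left)
```

Matching the whole token before the lookup avoids the partial hits a plain string replace would make when one obfuscated name is a prefix of another.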

Posted: Fri Dec 28, 2012 9:01 pm, by amin (Regular user; joined Aug 08, 2012; posts: 10)

Thank you, Cyko.
I know that the file was originally encoded with Zend.

All I want is a bigger db of this dictionary, because there are many obfuscated names yet.

Someone told me:
Quote:
eg. under NWS-core and run the cmd line:
php.exe /level:4,3 /dic
and then you can get the dic file php_info.log, Making them to obs's php array by Base64 encoder...


But I did not know what he said.

Posted: Sun Jan 27, 2013 5:14 pm, by anandinvit (Regular user; joined Jan 26, 2013; posts: 6)

It is hard to decode some PHP if it is coded again and again, i.e. if there are many layers. So if we decode 1 layer we will find the second layer, and this may continue for some steps.