Hi!

I am currently trying to decode a base64 encrypted PHP file, but without any luck. Would someone be able to help?

http://pastebin.com/QmCdtDne

Thanks

A: 

This won't decode it fully. Adaption left as exercise to you (this is not a give me the codes forum):

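    <?php
    $text = file_get_contents("b64");
    // Match a chain of calls, e.g. eval(gzinflate(base64_decode( , followed by a quoted payload.
    while (preg_match("/([\w\(]+)['\"](.+)['\"]/ims", $text, $uu)) {
      list($old, $funcs, $text) = $uu;
      // Apply the innermost function first; only the whitelisted decoders are ever called.
      foreach (array_reverse(explode("(", $funcs)) as $func) {
        if (in_array($func, array("base64_decode", "gzinflate", "gzdecode", "gzuncompress", "str_rot13"))) {
          $text = $func($text);
        }
      }
      print "$funcs\n";
    }
    print $text;

mario
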
A: 

One extremely simple script http://pastebin.com/g2n8kxeZ

278 runs later (about 2 minutes) - the original file - http://pastebin.com/eyiycRkB

vlad b.
A: 

It says (after 277 evals):

?><?php
/***************************************************************/
/*  Call Custom Page Variables                                 */
/***************************************************************/

require CWZ_FILES ."/inc/page-constants.php"; // Group Slider Gallery

/***************************************************************/
/*  Call Custom Page Variables *END*                           */
/***************************************************************/
?>

<?php if($DYN_hidecontent!="yes") { ?>

  etc.

whatever that means. The rest has already been posted by vlad.

Used script:

    <?php
    $code = file_get_contents('QmCdtDne.txt');
    $done = 0; $level = 0;
    while( ! $done ) {
        // Split into: decoder chain before the first quote, the quoted payload, the rest.
        $stuff = preg_split('/\'/', $code, 3);
        if( count($stuff) < 2 ) break;   // no quoted payload left to decode
        $code = $stuff[1];
        $decoder = preg_split('/\(/', $stuff[0]);
        // Undo the chain from the innermost call outwards; eval is only counted, never run.
        foreach(array_reverse($decoder) as $cmd) {
            switch($cmd) {
                case 'base64_decode': $code = base64_decode($code); break;
                case 'str_rot13': $code = str_rot13($code); break;
                case 'gzinflate': $code = gzinflate($code); break;
                case '<? eval':
                case '?><? eval':
                     printf("eval level %02d, length: %d", ++$level, strlen($code));
                     break;
                case '': break;
                default: $done = 1; break;   // unknown token: stop decoding
            }
        }
        foreach(array_reverse($decoder) as $cmd) print(", $cmd");
        print "\n";
        if( ! count($decoder) || $level >= 277 )  $done = 1;
    }
    echo $code;

Regards

rbo

rubber boots
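
Added example, not part of any answer above: a static unwrapper in Python that peels nested `eval(...)` layers built from the decoder functions the answers handle, without ever evaluating the sample, and stops at a layer cap or at the first call it does not recognise. The names `unwrap`, `wrap`, `DECODERS` and `LAYER` are made up for this sketch, and the sample input, including the order of the functions in each layer, is constructed.

```python
import base64, re, zlib

_A = b"abcdefghijklmnopqrstuvwxyz"
ROT13 = bytes.maketrans(_A + _A.upper(),
                        _A[13:] + _A[:13] + (_A[13:] + _A[:13]).upper())

# Python equivalents of the PHP functions the answers above whitelist.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13":     lambda b: b.translate(ROT13),
    "gzinflate":     lambda b: zlib.decompress(b, -15),  # raw DEFLATE
    "gzuncompress":  lambda b: zlib.decompress(b),       # zlib header
    "gzdecode":      lambda b: zlib.decompress(b, 31),   # gzip header
}
# eval( f1( f2( ... 'payload' : captures the call chain and the quoted payload.
LAYER = re.compile(rb"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2", re.S)

def unwrap(src: bytes, max_layers: int = 500):
    """Peel nested eval() layers statically; the sample is never executed."""
    layers = []
    while len(layers) < max_layers:          # cap guards against endless nesting
        m = LAYER.search(src)
        if not m:
            break                            # no wrapper left: src is the plaintext
        chain = [f.strip().decode() for f in m.group(1).split(b"(") if f.strip()]
        if any(f not in DECODERS for f in chain):
            break                            # unknown call: stop, leave for manual review
        data = m.group(3)
        for name in reversed(chain):         # innermost function is applied first
            data = DECODERS[name](data)
        layers.append(chain)
        src = data
    return src, layers

def wrap(code: bytes) -> bytes:
    """Build one layer of constructed test input (layer order is an assumption)."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(z.compress(code) + z.flush())
    return b"?><? eval(gzinflate(base64_decode(str_rot13('" + b64.translate(ROT13) + b"'))));"

if __name__ == "__main__":
    sample = b"<?php echo 'constructed sample'; ?>"
    for _ in range(5):
        sample = wrap(sample)
    plain, layers = unwrap(sample)
    print(len(layers), "layers:", plain.decode())
```

The returned `layers` list records the call chain of every layer, which makes it easy to see whether a sample changes its encoding partway down.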