Decrypting encrypted PHP...


  • This topic is locked
13 replies to this topic

#1 jyeager

jyeager
  • New Members
  • Newbie
  • 3 posts

Posted 23 May 2006 - 10:56 PM

In good faith, I hired a foreign programmer to write some PHP for me, and the original deal was "no encrypted files" so that I could edit bad wording and phrase turns. This guy's English isn't very good.

Anyhow, half the files he sent me are encrypted after all, but since he already got paid, he isn't returning emails anymore. I can't use this stuff with the shoddy English.

My question is... though I'm no programming expert, since the server seems to know what to do with the encrypted PHP files without any 3rd party accessories, it's probably a very common encryption method... one that could be de-crypted pretty easily.

Here's what the stuff looks like when opened by a text editor:

<?php $_F=__FILE__;$_X='Pz48P3BocA0KJGNoMW5nNV9wMXNzXzVycjJy [snip]
0KPz4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZ [snip]
=='));?>

Note the "eval(base64_decode"

There are 7 or 8 files like this, with the average file about 1500 chrs long.

Someone in another forum recommended I use the following link to decode:
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

But this generated an "Invalid character in a Base-64 string." error.

Someone else recommended I replace "eval" by "print" or "echo" and view in a browser. Tried both, and both produce garbage.

Note that this code is fully functional. It does what it's supposed to do, even encrypted. I'm only looking to correct the English in these encrypted files.

Anyone know how I can get this stuff decrypted?

Thanks.

#2 wisewood

wisewood
  • Members
  • Advanced Member
  • 226 posts
  • Location: Rotherham, England

Posted 24 May 2006 - 10:38 AM

Taking a part of that and decoding it comes out as below... can't really be of any further help, I'm not too hot on encryption. I've never seen much point to it.


Pz48P3BocA0KJGNoMW5nNV9wMXNzXzVycjJy

is decoded as:

?><?php
$ch1ng5_p1ss_5rr2r

wisewood: proven fact, I am both wise, and wooden.

#3 mystxx

mystxx
  • New Members
  • Newbie
  • 6 posts

Posted 24 May 2006 - 12:01 PM

I would find out what program he used to encrypt the files.
This looks like SourceCop or SourceGuardian.
There are some sites that offer decoding of the files for small fees or even free.

Maybe you could post what the directory structure of the files he delivered looks like.
I.e. SourceCop can be recognized by the scopbin folder.



#4 jyeager

Posted 24 May 2006 - 02:08 PM

QUOTE (Myst @ May 24 2006, 08:01 AM):
> I would find out what program he used to encrypt the files.

How would you suggest I find that out? He's avoiding me.

QUOTE:
> This looks like SourceCop or SourceGuardian.
> There are some sites that offer decoding of the files for small fees or even free.

Which? Or do I have to pay for that info too? ;)

QUOTE:
> Maybe you could post what the directory structure of the files he delivered looks like.
> I.e. SourceCop can be recognized by the scopbin folder.

All of the files for the script he sent me (encrypted and non-encrypted) are stored in the same folder, called "release".

Help :S

#5 wisewood

Posted 24 May 2006 - 03:47 PM

Just reading some information on the SourceGuardian website, and according to that, a file called ixed.pxp is required in order for the server to decrypt the code.

Check your "release" directory to see if you have this file. If you do, at least then you will know it was SourceGuardian that was used to encrypt it. Not much progress, but it would be something at least.

#6 jyeager

Posted 24 May 2006 - 04:42 PM

QUOTE (wisewood @ May 24 2006, 11:47 AM):
> Just reading some information on the SourceGuardian website, and according to that, a file called ixed.pxp is required in order for the server to decrypt the code.
>
> Check your "release" directory to see if you have this file. If you do, at least then you will know it was SourceGuardian that was used to encrypt it. Not much progress, but it would be something at least.

Unfortunately, there's nothing but PHP files in the folder that makes up the entire script (and he only sent me that folder... so there's nothing else driving this thing unless he's got a decrypter on one of his own servers, which I doubt, since that would mean my script working would depend on his server being up).

The files are half encrypted, half not. (Each non-encrypted file has mostly HTML, and calls up an encrypted version of itself which makes up the "motor" of the page)

For example, there's "comments_reply.php" which is made up of mostly HTML and a couple of PHP "if" statements... and then there's an accompanying "s_comments_reply.php" which is encrypted, and has all the hardcore PHP stuff.

Maybe that helps? Knowing that all the encrypted files begin with "s_"? Or maybe that's just how this guy did it.

#7 mystxx

Posted 01 January 2007 - 11:00 PM

Can you post your complete file structure in that folder? Or PM me with it?

#8 corbin

corbin
  • Staff Alumni
  • Advanced Member
  • 8,129 posts

Posted 01 January 2007 - 11:04 PM

You could always hit Control-H in Notepad, replace all the evals with echos, and then manually change them... Would be a pain in the butt though...
Why doesn't anyone ever say hi, hey, or whad up world?

#9 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 01 January 2007 - 11:11 PM

Try to post/attach an entire encrypted file so we can see if anybody here is able to decrypt it. If posting please put it in [code]-tags.

#10 MCP

MCP
  • Members
  • Advanced Member
  • 60 posts

Posted 02 January 2007 - 01:09 AM

wisewood has it from his first post. From the snippet provided, it's just base64 encoded (hardly call that 'encrypted'!). You just need to base64_decode those. As previously mentioned, replace the "eval" with "echo"/"print", and you'll see the code in your page. I decoded the JF9YP... part, and it comes out to "$_X=base64_deco", so it looks like he may have base64 encoded it a couple times -- but it's hard to tell without seeing more of the encoded string.

See for yourself using http://makcoder.sour...demo/base64.php. The original opinionatedgeek.com site didn't work for me earlier on another base64 encoded string, but this one did, and worked for decoding your snippet above.

So, I'd suggest you either try to do the eval -> echo/print replacement, post the code, or PM one of the people who offered their help (count me in)...

Good luck!
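
A static way to do what this post describes, as an added example that is not part of the thread: decode both Base64 literals without running the file, peeling nested `eval(base64_decode('...'))` layers. The sample file, its stub and its payload are constructed; only the two fragments printed first are taken from the thread.

```python
import base64
import re

B64 = r"'([A-Za-z0-9+/=\s]+)'"
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*" + B64 + r"\s*\)\s*\)")
X_ASSIGN = re.compile(r"\$_X\s*=\s*" + B64)
MAX_LAYERS = 10  # give up on pathological nesting


def decode_fragment(text):
    """Decode a Base64 run that may contain line breaks or be cut off mid-group."""
    clean = re.sub(r"[^A-Za-z0-9+/]", "", text)
    if len(clean) % 4 == 1:      # a lone trailing character carries no full byte
        clean = clean[:-1]
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean)


def peel(source):
    """Return (eval layers, $_X payload), decoded statically; nothing is executed."""
    layers, current = [], source
    for _ in range(MAX_LAYERS):
        m = EVAL_B64.search(current)
        if not m:
            break
        current = decode_fragment(m.group(1)).decode("latin-1")
        layers.append(current)
    m = X_ASSIGN.search(source)
    return layers, (decode_fragment(m.group(1)) if m else None)


def enc(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample in the shape of the posted file. The stub and payload are
# invented for this example; the real files' contents are not on the page.
STUB = "$_X=base64_decode($_X);eval($_X);"
PAYLOAD = "?><?php\r\n$msg = 'Pasword changed';\r\n?>"
SAMPLE = ("<?php $_F=__FILE__;$_X='" + enc(PAYLOAD) + "';eval(base64_decode('"
          + enc("eval(base64_decode('" + enc(STUB) + "'));") + "'));?>")

if __name__ == "__main__":
    for frag in ("Pz48P3BocA0KJGNoMW5nNV9wMXNzXzVycjJy", "JF9YPWJhc2U2NF9kZWNvZ"):
        print(decode_fragment(frag))  # the two fragments quoted in the thread
    layers, payload = peel(SAMPLE)
    for depth, layer in enumerate(layers, 1):
        print(f"layer {depth}: {layer}")
    print(payload.decode("latin-1"))
```

Run against a real file, the last entry in `layers` is the wrapper stub; reading it shows what else it does to `$_X` before the final eval.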

#11 Daniel0

Posted 02 January 2007 - 07:03 AM

> wisewood has it from his first post. From the snippet provided, it's just base64 encoded (hardly call that 'encrypted'!). You just need to base64_decode those. As previously mentioned, replace the "eval" with "echo"/"print", and you'll see the code in your page. I decoded the JF9YP... part, and it comes out to "$_X=base64_deco", so it looks like he may have base64 encoded it a couple times -- but it's hard to tell without seeing more of the encoded string.
>
> See for yourself using http://makcoder.sour...demo/base64.php. The original opinionatedgeek.com site didn't work for me earlier on another base64 encoded string, but this one did, and worked for decoding your snippet above.
>
> So, I'd suggest you either try to do the eval -> echo/print replacement, post the code, or PM one of the people who offered their help (count me in)...
>
> Good luck!


I've seen a file "encrypted" like that before, it's not as easy as it looks to "decrypt" it again, at least not if it is the same way it's done.

#12 MCP

Posted 02 January 2007 - 01:07 PM

> I've seen a file "encrypted" like that before, it's not as easy as it looks to "decrypt" it again, at least not if it is the same way it's done.


If you have a sample, I'd like to have a look at it -- sounds kind of interesting!

#13 PFMaBiSmAd

PFMaBiSmAd
  • Staff Alumni
  • Advanced Member
  • 16,767 posts
  • Location: Colorado, U.S.A.

Posted 02 January 2007 - 02:43 PM

The original poster only has a total of the three posts that are in this thread and has not been active since the May 24, 2006 post. It is highly unlikely that he is still in need of help with this nor does he spend any time on this forum to see the recent responses.
Signature: (not a comment about anything you posted unless specifically indicated)
Debugging step #1: To get past the garbage-out equals garbage-in stage in your code, you must check that the inputs to your code are what you expect.

Programming is just problem solving, but it is done in another language. You must learn enough of the programming language you are using to be able to read and write code.

#14 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • Location: UK, Bournemouth

Posted 02 January 2007 - 02:46 PM

> The original poster only has a total of the three posts that are in this thread and has not been active since the May 24, 2006 post. It is highly unlikely that he is still in need of help with this nor does he spend any time on this forum to see the recent responses.

Agreed. Thread locked.



