Decrypting encrypted PHP...


jyeager

In good faith, I hired a foreign programmer to write some PHP for me, and the original deal was "no encrypted files" so that I could edit bad wording and phrase turns. This guy's English isn't very good.

Anyhow, half the files he sent me are encrypted after all, but since he already got paid, he isn't returning emails anymore. I can't use this stuff with the shoddy English.

My question is... though I'm no programming expert, since the server seems to know what to do with the encrypted PHP files without any 3rd party accessories, it's probably a very common encryption method... one that could be decrypted pretty easily.

Here's what the stuff looks like when opened by a text editor:

<?php $_F=__FILE__;$_X='Pz48P3BocA0KJGNoMW5nNV9wMXNzXzVycjJy [snip]
0KPz4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZ [snip]
=='));?>

Note the "eval(base64_decode"

There are 7 or 8 files like this, with the average file about 1500 chrs long.

Someone in another forum recommended I use the following link to decode :
http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

But this generated an "Invalid character in a Base-64 string." error.

Someone else recommended I replace "eval" by "print" or "echo" and view in a browser. Tried both, and both produce garbage.

Note that this code is fully functional. It does what it's supposed to do, even encrypted. I'm only looking to correct the English in these encrypted files.

Anyone know how I can get this stuff decrypted?

Thanks.

Taking a part of that and decoding it comes out as below... can't really be of any further help, I'm not too hot on encryption. I've never seen much point to it.


Pz48P3BocA0KJGNoMW5nNV9wMXNzXzVycjJy

is decoded as:

?><?php
$ch1ng5_p1ss_5rr2r

I would find out what program he used to encrypt the files.
This looks like source cop or sourceguardian.
There are some sites that offer decoding of the files for small fees or even free.

Maybe you could post what the directory structure looks like of the files he delivered.
I.e. sourcecop can be recognized by the scopbin folder.


[quote author=Myst date=May 24 2006, 08:01 AM]
I would find out what program he used to encrypt the files.
[/quote]

How would you suggest I find that out? He's avoiding me.

[quote]
This looks like source cop or sourceguardian.
There are some sites that offer decoding of the files for small fees or even free.
[/quote]

Which? Or do I have to pay for that info too? ;)

[quote]
Maybe you could post what the directory structure looks like of the files he delivered.
I.e. sourcecop can be recognized by the scopbin folder.
[/quote]

All of the files for the script he sent me (encrypted and non-encrypted) are stored in the same folder, called "release".

Help :S

Just reading some information on the sourceguardian website, and according to that, a file called ixed.pxp is required in order for the server to decrypt the code.

Check your "release" directory to see if you have this file. If you do, at least then you will know it was sourceguardian that was used to encrypt it. Not much progress, but it would be something at least.

[quote author=wisewood date=May 24 2006, 11:47 AM]
Just reading some information on the sourceguardian website, and according to that, a file called ixed.pxp is required in order for the server to decrypt the code.

Check your "release" directory to see if you have this file. If you do, at least then you will know it was sourceguardian that was used to encrypt it. Not much progress, but it would be something at least.
[/quote]

Unfortunately, there's nothing but PHP files in the folder that makes up the entire script (and he only sent me that folder... so there's nothing else driving this thing unless he's got a decrypter on one of his own servers, which I doubt, since that would mean my script working would depend on his server being up).

The files are half encrypted, half not. (Each non-encrypted file has mostly HTML, and calls up an encrypted version of itself which makes up the "motor" of the page)

For example, there's "comments_reply.php" which is made up of mostly HTML and a couple of PHP "if" statements... and then there's an accompanying "s_comments_reply.php" which is encrypted, and has all the hardcore PHP stuff.

Maybe that helps? Knowing that all the encrypted files begin with "s_"? Or maybe that's just how this guy did it.

  • 7 months later...
wisewood has it from his first post. From the snippet provided, it's just base64 encoded (hardly call that 'encrypted'!). You just need to base64_decode those. As previously mentioned, replace the "eval" with "echo"/"print", and you'll see the code in your page. I decoded the JF9YP... part, and it comes out to "$_X=base64_deco", so it looks like he may have base64 encoded it a couple times -- but it's hard to tell without seeing more of the encoded string.

See for yourself using http://makcoder.sourceforge.net/demo/base64.php. The original opinionatedgeek.com site didn't work for me earlier on another base64 encoded string, but this one did, and worked for decoding your snippet above.

So, I'd suggest you either try to do the eval -> echo/print replacement, post the code, or PM one of the people who offered their help (count me in)...

Good luck!
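The unwrapping described in the post above, as an added example that is not part of the original thread: a Python script that recovers the stub and the payload from this wrapper shape by decoding the quoted literals only, without running any of the PHP, and that peels repeated layers. The sample file is constructed; the `strtr` substitution step is an assumption prompted by the digit-for-vowel text in the decoded fragment earlier in the thread, not something the thread states.

```python
import base64
import re

# Constructed sample in the same shape as the file quoted in the thread:
# $_X holds the payload, and the eval'd literal is a small stub that unpacks it.
SAMPLE_STUB = "$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');eval($_X);"
SAMPLE_BODY = "?><?php\r\n$ch1ng5_p1ss_5rr2r = 'Wr2ng p1ssw2rd';\r\n?>"
SAMPLE = "<?php $_F=__FILE__;$_X='%s';eval(base64_decode('%s'));?>" % (
    base64.b64encode(SAMPLE_BODY.encode()).decode(),
    base64.b64encode(SAMPLE_STUB.encode()).decode(),
)

B64 = r"'([A-Za-z0-9+/=\s]+)'"
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*" + B64 + r"\s*\)\s*\)")
VAR_RE = re.compile(r"\$_X\s*=\s*" + B64 + r"\s*;")
STRTR_RE = re.compile(r"strtr\s*\(\s*\$_X\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")

def b64_literal(text):
    """Strictly decode one quoted literal, ignoring line-wrap whitespace."""
    cleaned = "".join(text.split())
    return base64.b64decode(cleaned, validate=True).decode("latin-1")

def unwrap(php_source):
    """Return (stub, payload) recovered statically; nothing is executed."""
    m_eval = EVAL_RE.search(php_source)
    m_var = VAR_RE.search(php_source)
    if not (m_eval and m_var):
        raise ValueError("not the $_X / eval(base64_decode()) wrapper")
    stub = b64_literal(m_eval.group(1))
    payload = b64_literal(m_var.group(1))
    m_tr = STRTR_RE.search(stub)
    if m_tr:
        # Assumed extra step: mirror PHP strtr(), which ignores the excess
        # characters of the longer argument.
        n = min(len(m_tr.group(1)), len(m_tr.group(2)))
        payload = payload.translate(str.maketrans(m_tr.group(1)[:n], m_tr.group(2)[:n]))
    return stub, payload

def unwrap_all(php_source, max_layers=5):
    """Peel nested wrappers; returns (layers_removed, innermost_source)."""
    layers = 0
    while layers < max_layers and EVAL_RE.search(php_source) and VAR_RE.search(php_source):
        _, php_source = unwrap(php_source)
        layers += 1
    return layers, php_source

if __name__ == "__main__":
    print(unwrap_all(SAMPLE))
```

Reading the decoded stub first shows which transformations the payload still needs, and because nothing is passed to `eval`, the script can be run on files of unknown origin.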

[quote author=MCP link=topic=94096.msg494972#msg494972 date=1167700157]
wisewood has it from his first post. From the snippet provided, it's just base64 encoded (hardly call that 'encrypted'!). You just need to base64_decode those. As previously mentioned, replace the "eval" with "echo"/"print", and you'll see the code in your page. I decoded the JF9YP... part, and it comes out to "$_X=base64_deco", so it looks like he may have base64 encoded it a couple times -- but it's hard to tell without seeing more of the encoded string.

See for yourself using http://makcoder.sourceforge.net/demo/base64.php. The original opinionatedgeek.com site didn't work for me earlier on another base64 encoded string, but this one did, and worked for decoding your snippet above.

So, I'd suggest you either try to do the eval -> echo/print replacement, post the code, or PM one of the people who offered their help (count me in)...

Good luck!
[/quote]

I've seen a file "encrypted" like that before, it's not as easy as it looks to "decrypt" it again, at least not if it is the same way it's done.

[quote]I've seen a file "encrypted" like that before, it's not as easy as it looks to "decrypt" it again, at least not if it is the same way it's done.[/quote]

If you have a sample, I'd like to have a look at it -- sounds kind of interesting!

The original poster only has a total of the three posts that are in this thread and has not been active since the May 24, 2006 post. It is highly unlikely that he is still in need of help with this nor does he spend any time on this forum to see the recent responses.

[quote author=PFMaBiSmAd link=topic=94096.msg495281#msg495281 date=1167749012]
The original poster only has a total of the three posts that are in this thread and has not been active since the May 24, 2006 post. It is highly unlikely that he is still in need of help with this nor does he spend any time on this forum to see the recent responses.
[/quote]
Agreed. Thread locked.
This topic is now closed to further replies.