OK I've found a way to decode, I have to place the encoded base64 in encoded_file.php and run the below script, which then provides the source code.

Except if the code is encoded numerous times, I have to place the eval...base64 in encoded_file.php, run the below script and then copy the new eval...base64 back and forth into encoded_file.php until the source code is displayed.

Is there a way to auto run this so I just place the encoded in encoded_file.php and the results will display in the below script, without me having to keep on copying and pasting?

<?php

// Open and read the content of the encoded file into a variable
$file = file_get_contents('encoded_file.php');

// Strip php tags
$file = str_replace('<?php', "", $file);
$file = str_replace('<?', "", $file);   // Make sure to get rid of short tags....
$file = str_replace('?>', "", $file);

// Strip new lines
$file = str_replace("\n", "", $file);

// Add semi colon to get around a parsing issue.
$file = $file.';';

// Change the Eval function
$file = str_replace('eval', 'echo ', $file);

// Function to eval the new string
function deval()
{
  global $file;
  ob_start();
  eval($file);
  $contents = ob_get_contents();
  ob_end_clean();
  return($contents);
}

// Run the code thru once
$file = deval();

// Counter
$cnt = 1;

// Loop it till it's decoded
while(preg_match('/^\?><\?php eval/', $file))
{
  $file = str_replace('?><?php eval', 'echo', $file);
  $file = str_replace('?><?', "", $file);
  $file = deval();
  ++$cnt;
}

//clean up some tags
$file = str_replace('?><?php', "", $file);
$file = str_replace('?><?', "", $file);

echo $cnt,' iterations<br/><br/>';
echo '<pre>';
echo $file;
echo '</pre>';
?>

I really don't understand your problem.

If you have

eval(base64_decode(strtr(strrev('$code'))));

, then

base64_decode(strtr(strrev('$code')))

will be evaluated as PHP code. Just echo it instead of evaluating it. I don't see the problem. The output of the latter will have to be valid PHP code. Otherwise you'll get a fatal error.

No, I must have explained it wrong. What I mean is that the script I just posted renames eval to echo and displays the result.

Except if the encoded script is nested, so base64 is encoded on top of another base64; then the result will display the first base64 layer and show the second layer as the result, I have to keep copying the output back into encoded_file.php until it displays the real PHP source.

So is there a way which will automatically loop it, so it decodes all the base64 no matter how many times it's encoded/layered/nested?

If you still don't understand, try encoding an encoded base64 string and submitting it to encoded_file.php, and running the above decode script; you'll see that it just displays the result as the first encoded base64 string. It doesn't loop/run until all source is displayed.

nested = encoded numerous times using same encoding

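Hmm... maybe something like this:

function decode($phpCode)
{
	// Nothing left to unwrap once no eval call remains.
	if (stripos($phpCode, 'eval') === false) {
		return $phpCode;
	}

	$phpCode = trim($phpCode);

	// eval() needs a terminated statement.
	if (substr($phpCode, -1) != ';') {
		$phpCode .= ';';
	}

	// Turn eval(...) into return(...) so the decoded layer comes back as a
	// string. The argument expression itself is still executed by eval() here.
	$phpCode = eval(str_replace('eval', 'return', $phpCode));

	// Recurse while the decoded layer still contains an eval call.
	if (stripos($phpCode, 'eval') !== false) {
		$phpCode = decode($phpCode);
	}

	return $phpCode;
}

It's a bit difficult testing without having any sample code, but I think it should work.

Edit: Okay, it should work.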

echo decode("eval(base64_decode('ZXZhbChiYXNlNjRfZGVjb2RlKCdaV05vYnlBaVJtOXZJanM9JykpOw=='))");

outputs:

echo "Foo";

which is two times "encoded".

Yes thanks, that works.

Whereas I tried another type of base64 string and it returned errors:

Warning: fopen() [function.fopen]: Filename cannot be empty in /home/dechost/public_html/baser.php(49) : eval()'d code on line 10

Warning: fseek(): supplied argument is not a valid stream resource in /home/dechost/public_html/baser.php(49) : eval()'d code on line 11

Warning: fread(): supplied argument is not a valid stream resource in /home/dechost/public_html/baser.php(49) : eval()'d code on line 12

Warning: fclose(): supplied argument is not a valid stream resource in /home/dechost/public_html/baser.php(49) : eval()'d code on line 15

Warning: Cannot modify header information - headers already sent by (output started at /home/dechost/public_html/baser.php(49) : eval()'d code:10) in /home/dechost/public_html/baser.php(49) : eval()'d code on line 5

This is the string type I'm trying to decode:

eval(base64_decode(strrev('$string')))

It's encoded 7 times using base64.

Edit: Another bug, the encoded base64 is functioning/running (like a normal PHP script) instead of displaying the PHP source code (so I can copy).
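
A static alternative to the eval-based decoders in this thread, as an added example that is not part of any poster's code: it peels each eval(base64_decode(...)) or eval(base64_decode(strrev(...))) layer with string functions only, so the payload is displayed and never executed. The names peel_layer, unwrap and ALLOWED_WRAPPERS and the 7-layer sample are constructed for illustration.

```php
<?php
// Added example (PHP 7.1+): nothing from the sample is ever passed to eval().
const ALLOWED_WRAPPERS = ['base64_decode', 'strrev'];

// Returns the decoded inner code, or null when $code is not a pure
// eval(f1(f2('literal'))) wrapper built only from the allowed functions.
function peel_layer(string $code): ?string
{
    // Drop PHP open/close tags left around a layer.
    $code = preg_replace('/^(\s|\?>|<\?php|<\?)+|(\s|\?>)+$/i', '', $code);
    $re = '/^eval\s*\(\s*((?:[a-z0-9_]+\s*\(\s*)+)([\'"])([A-Za-z0-9+\/=]*)\2[\s)]*;?$/i';
    if (!preg_match($re, $code, $m)) {
        return null;
    }
    preg_match_all('/[a-z0-9_]+/i', $m[1], $names);
    $value = $m[3];
    // The innermost call runs first, so walk the chain right to left.
    foreach (array_reverse($names[0]) as $fn) {
        $fn = strtolower($fn);
        if (!in_array($fn, ALLOWED_WRAPPERS, true)) {
            return null; // unknown wrapper: stop and leave it for manual review
        }
        $value = ($fn === 'strrev') ? strrev($value) : base64_decode($value, true);
        if ($value === false) {
            return null; // literal was not valid base64
        }
    }
    return $value;
}

// Peels layers until the text is no longer an eval wrapper (or the cap is hit).
function unwrap(string $code, int $maxLayers = 50): array
{
    $layers = 0;
    while ($layers < $maxLayers && ($next = peel_layer($code)) !== null) {
        $code = $next;
        $layers++;
    }
    return [$code, $layers];
}

// Constructed sample: a harmless statement wrapped 7 times.
$sample = 'echo "Foo";';
for ($i = 0; $i < 7; $i++) {
    $sample = "eval(base64_decode(strrev('" . strrev(base64_encode($sample)) . "')));";
}
[$source, $layers] = unwrap($sample);
echo $layers, " layers\n", $source, "\n";
```

Run it from the command line; when a layer uses a wrapper outside the allow-list, the loop stops and prints that layer as text for manual inspection.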

Whose script are you trying to reverse engineer?

A WP footer, I want to see what's within it. There's usually malicious code in most free WP skins.

As you can see, since the designer has encoded the base64 7 times, it's becoming hard to decode.

I might use this technique in my footer when it comes to my own scripts.
