Jump to content

[SOLVED] preg_match strings


newbtophp

Recommended Posts

Im creating a wordpress addon which detects encoded code and im trying to figure out whats the regex pattern for the preg_matchs of the below strings (i tried detecting by certain words but that would clash with other code):

 

STRING 1 (Always, same format but different string with the same rule):

<?php $_B=__FILE__;$_C='Pz48P3BocA0KNGYgKCRfUE9TVCkgew0KICAgZjNuY3Q0Mm4gc3QycjVfcDFnNSgkM3JsKSB7DQogICAgICCiAgIH0NCn0gNWxzNSB7DQo/Pg0KPGh0bWw+DQo8YjJkeT4NCjxjNW50NXI+PDRtZyBzcmM9cnNsMmcyLmc0Zj48L2M1bnQ1cj4NCjxmMnJtIG4xbTU9ZjJybTYgMWN0NDJuPWw0bmtyNTFkeS5waHAgbTV0aDJkPXAyc3Q+DQpVczVybjFtNTogPDRucDN0IHR5cDU9dDV4dCBuMW01PSIzcyIgLz4NClAxc3N3MnJkOiA8NG5wM3QgdHlwNT10NXh0IG4xbTU9InB3IiAvPg0KWTIzciBSUyBMSU5LUzo8YnI+PHQ1eHQxcjUxIG4xbTU9cnMzcmxzIGMybHM9NjAwIHIyd3M9bzA+PC90NXh0MXI1MT48YnI+PGJyPg0KPDRucDN0IHR5cDU9czNibTR0IHYxbDM1PVMzYm00dD4NCjw0bnAzdCB0eXA1PXI1czV0IHYxbDM1PVI1czV0Pg0KPC9jNW50NXI+DQo8L2Yycm0+DQo8L2IyZHk+DQo8L2h0bWw+DQo8P3BocA0KfQ0KPz4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJFTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

 

 

STRING 2 (Always, same format but different string with the same rule):

<?php $_A=__FILE__;$_B='PyBxPy9jLw14NioNeCstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ14fGxsbFdtRUlXb1ZSbGtdSGdIWQ14fGxsbHZ2dnZ2dnZ2dSWpSIiBxd1JWZltoIHNJbm9tYVI6cTZ3UlZmW2ggcTZSMCANeGxsbGxsbHFSMGxTYW93d3YiUjAySWpSIiANeAlxd0lhSVNSbFtvTUl2Ik1mMG1hSXswSW5vbWFSOCIgDXgJCXFmL1JMZltsa29hbUl2IkYibHE/L2MvbExuKCRNZjBtYUl7JzBJbm9tYVInOGx2dmxGKWxJU2NmbCJ3SWFJU1JJMHYnd0lhSVNSSTAnIjtsPyAgeUl3cgDXhsbGxscVIwbG9hTGhbdiJWTGhjUiJsU2Fvd3d2IlIwMklqUiIgJltFdy87cTZSMCANeGxsbGxxUjBsU2Fvd3d2IlIwMklqUiIgcUxbL21SbFJCL0l2IndtRU1MUiJsU2Fvd3d2IndtRU1MUiJsa29hbUl2ImUwTFJsV2ZbbkxoImw2IHE2UjAgDXhsbHE2UlYgDXhxNlJvRWFJIA14cTZuZlZNIA14cT8vYy9sTFtTYW0wSSgiSEg2SEg2SEg2TFtTYW0wSXc2bmZmUklWSExbU0gvYy8iKTtsPyA=';$_D=strrev('edoced_46esab');eval($_D('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCdLd2h4ZmRSQjk0Ckl2Q3V9bTBiZWcyRkxTc1dRUERqSlVHIDVNTmFdekV5cMzhPcHJaVjdYbGk+Lm5bazE9dEEvJywnUXNnCm9SdHk1VzRlPTlNQnVkR0UwVDFpY0RDd1hWeDJBVT5QbUZsM1NiWTwvcWsuaGE4W0hdTjZqfXJKTCB6N3tmbnZaSUtPcCcpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

 

STRING 3 (Always, same format but different string with the same rule):

 

<?php $__FILE__=__FILE__;$__B__='WQzmUQumUWqyqY xA(xnnBm(S_9b#[QTPMGUjutCBElzQTPMGU]))nBmDrrvxB(QTPMGUjutCBElzQTPMGU,S_d1157b[QTPMGUjutCBElzQTPMGU]=S_9b#[QTPMGUjutCBElzQTPMGU])U CBAxsB(QTPMGU?43b		1		b01	#729QTPMGU,S_d1157b[QTPMGUjutCBElzQTPMGU]+P)U Booro_oBqromxsz(?43b		1		b01	#729)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/alsDmxrsn.qyqQTPMGU)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/duFnn.qyqQTPMGU)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/0ulzxs3BmyrCn.qyqQTPMGU)U xA(VDuFnn_Bixnmn(QTPMGU?xny4xnm3BtEBoQTPMGU)){ DuFnn ?xny4xnm3BtEBo BimBsCn ?xny4xnm3BtEBo0ulzxs3BmyrCn{ kFo SDrlsmoxBn=FooFh(QTPMGU$BuBDm cFolnnFuFtQTPMGU,QTPMGUeluzFoxFQTPMGU,QTPMGUelovxsF aFnrQTPMGU,QTPMGUelolsCxQTPMGU,QTPMGUdFtErCxFQTPMGU,QTPMGUdFtBorrsQTPMGU,QTPMGUdFsFCFQTPMGU,QTPMGUdFqB !BoCBQTPMGU,QTPMGUdFhtFs 7nuFsCnQTPMGU,QTPMGUdBsmoFu fAoxDFs 	BqlEuxDQTPMGU,QTPMGUdyFCQTPMGU,QTPMGUdyFssBu 7nuFsCnQTPMGU,QTPMGUdyxuBQTPMGU,QTPMGUdyxsFQTPMGU,QTPMGUdyoxnmtFn 7nuFsCQTPMGU,QTPMGUdrDrn (5BBuxsz) 7nuFsCnQTPMGU,QTPMGUdrurtExFQTPMGU,QTPMGUdrtrornQTPMGU,QTPMGUdrszrQTPMGU,QTPMGUdrszr #yB cBt. 	Bq. 1A #yBQTPMGU,QTPMGUdrrv 7nuFsCnQTPMGU,QTPMGUdrnmF 	xDFQTPMGU,QTPMGUdrmB cxkrxoBQTPMGU,QTPMGUdorFmxFQTPMGU,QTPMGUdlEFQTPMGU,QTPMGUdhqolnQTPMGU,QTPMGUdgBDy 	BqlEuxDQTPMGU,QTPMGUcBstFovQTPMGU,QTPMGUcwxErlmxQTPMGU,QTPMGUcrtxsxDFQTPMGU,QTPMGUcrtxsxDFs 	BqlEuxDQTPMGU,QTPMGUbFnm #xtroQTPMGU,QTPMGUbDlFCroQTPMGU,QTPMGUbzhqmQTPMGU,QTPMGUbu $FukFCroQTPMGU,QTPMGUbplFmroxFu 9lxsBFQTPMGU,QTPMGUboxmoBFQTPMGU,QTPMGUbnmrsxFQTPMGU,QTPMGUbmyxrqxFQTPMGU,QTPMGUaFuvuFsC 7nuFsCn (3FukxsFn)QTPMGU,QTPMGUaForB 7nuFsCnQTPMGU,QTPMGUaxwxQTPMGU,QTPMGUaxsuFsCQTPMGU,QTPMGUaoFsDBQTPMGU,QTPMGUaoBsDy 9lxFsFQTPMGU,QTPMGUaoBsDy 0ruhsBnxFQTPMGU,QTPMGUaoBsDy $rlmyBos #Booxmro7nuFsCnQGU6roCFsQTPMGU,QTPMGU5FgFvnmFsQTPMGU,QTPMGU5BshFQTPMGU,QTPMGU5xoxEFmxQTPMGU,QTPMGU5roBF cBtrDoFmxD 0BrquBn 	BqlEuxDQTPMGU,QTPMGU5ljFxmQTPMGU,QTPMGU5hozhgnmFsQTPMGU,QTPMGU4Fr 0BrquBn cBtrDoFmxD 	BqlEuxDQTPMGU,QTPMGU4FmkxFQTPMGU,QTPMGU4BEFsrsQTPMGU,QTPMGU4BnrmyrQTPMGU,QTPMGU4xEBoxFQTPMGU,QTPMGU4xEhFQTPMGU,QTPMGU4xEhFs foFE 6FtFyxoxhFQTPMGU,QTPMGU4xBDymBsnmBxsQTPMGU,QTPMGU4xmylFsxFQTPMGU,QTPMGU4liBtErlozQTPMGU,QTPMGU3FDFlQTPMGU,QTPMGU3FDBCrsxFQTPMGU,QTPMGU3FCFzFnDFoQTPMGU,QTPMGU3FuFjxQTPMGU,QTPMGU3FuFhnxFQTPMGU,QTPMGU3FuCxkBnQTPMGU,QTPMGU3FuxQTPMGU,QTPMGU3FumFQTPMGU,QTPMGU3FonyFuu 7nuFsCnQTPMGU,QTPMGU3FomxsxplBQTPMGU,QTPMGU3FloxmFsxFQTPMGU,QTPMGU3FloxmxlnQTPMGU,QTPMGU3FhrmmBQTPMGU,QTPMGU3BixDrQTPMGU,QTPMGU3xDorsBnxF aBCBoFmBC $mFmBn 1AQTPMGU,QTPMGU3ruCrkF 	BqlEuxD 1AQTPMGU,QTPMGU3rsFDrQTPMGU,QTPMGU3rszruxFQTPMGU,QTPMGU3rsmBsBzorQTPMGU,QTPMGU3rsmnBooFmQTPMGU,QTPMGU3rorDDrQTPMGU,QTPMGU3rgFtExplBQTPMGU,QTPMGU3hFstFoQTPMGU,QTPMGU2FtxExFQTPMGU,QTPMGU2FlolQTPMGU,QTPMGU2BqFuQTPMGU,QTPMGU2BmyBouFsCnQTPMGU,QTPMGU2BmyBouFsCn fsmxuuBnQTPMGU,QTPMGU2Bj dFuBCrsxFQTPMGU,QTPMGU2Bj <BFuFsCQTPMGU,QTPMGU2xDFoFzlFQTPMGU,QTPMGU2xzBoQTPMGU,QTPMGU2xzBoxFQTPMGU,QTPMGU2xlBQTPMGU,QTPMGU2roAruv 7nuFsCQTPMGU,QTPMGU2romyBos 3FoxFsF 7nuFsCnQTPMGU,QTPMGU2rojFhQTPMGU,QTPMGU1tFsQTPMGU,QTPMGU0FvxnmFsQTPMGU,QTPMGU0FuFlQTPMGU,QTPMGU0FuBnmxsxFs #Booxmroh 1DDlqxBCQTPMGU,QTPMGU0FsFtFQTPMGU,QTPMGU0FqlF 2Bj 9lxsBFQTPMGU,QTPMGU0FoFzlFhQTPMGU,QTPMGU0BolQTPMGU,QTPMGU0yxuxqqxsBnQTPMGU,QTPMGU0xmDFxosQTPMGU,QTPMGU0ruFsCQTPMGU,QTPMGU0romlzFuQTPMGU,QTPMGU0lBomr 	xDrQTPMGU,QTPMGU&FmFoQTPMGU,QTPMGU	BlsxrsQTPMGU,QTPMGU	rtFsxFQTPMGU,QTPMGU	lnnxFQTPMGU,QTPMGU	lnnxFs aBCBoFmxrsQTPMGU,QTPMGU	jFsCFQTPMGU,QTPMGU$Fxsm 8BuBsFQTPMGU,QTPMGU$Fxsm 5xmmn fsC 2BkxnQTPMGU,QTPMGU$Fxsm 4lDxFQTPMGU,QTPMGU$Fxsm 0xBooB fsC 3xplBursQTPMGU,QTPMGU$Fxsm !xsDBsm fsC #yB 9oBsFCxsBnQTPMGU,QTPMGU$FtrFQTPMGU,QTPMGU$Fs 3FoxsrQTPMGU,QTPMGU$Fr #rtB fsC 0oxsDxqBQTPMGU,QTPMGU$FlCx foFExFQTPMGU,QTPMGU$BsBzFuQTPMGU,QTPMGU$BoExFQTPMGU,QTPMGU$BoExF QFtqUFtqU 3rsmBsBzorQTPMGU,QTPMGU$BhDyBuuBnQTPMGU,QTPMGU$xBooF 4BrsBQTPMGU,QTPMGU$xszFqroBQTPMGU,QTPMGU$urkFvxFQTPMGU,QTPMGU$urkBsxFQTPMGU,QTPMGU$rurtrs 7nuFsCnQTPMGU,QTPMGU$rtFuxFQTPMGU,QTPMGU$rlmy fAoxDFQTPMGU,QTPMGU$rlmy 9BrozxF / $rlmy $FsCjxDy 7nuFsCnQTPMGU,QTPMGU$rlmy 5roBFQTPMGU,QTPMGU$qF7nuFsCnQTPMGU,QTPMGU;olzlFhQTPMGU,QTPMGU;gEBvxnmFsQTPMGU,QTPMGU!FslFmlQTPMGU,QTPMGU!BsBglBuFQTPMGU,QTPMGU!xBmsFtQTPMGU,QTPMGU!xozxs 7nuFsCn eoxmxnyQTPMGU,QTPMGU!xozxs 7nuFsCn ;.$.QTPMGU,QTPMGU?Fuuxn fsC almlsFQTPMGU,QTPMGU?BnmBos $FyFoFQTPMGU,QTPMGU
BtBsQTPMGU,QTPMGU
lzrnuFkxFQTPMGU,QTPMGU<FtExFQTPMGU,QTPMGU<xtEFEjBQTPMGU)U kFo SCBAFlum_oBzArot_Dnn=QTPMGU/* d$$ drCB Aro myB 	BzxnmoFmxrs arot */YY/* #yB 3Fxs 	BzxnmoFmxrs arot #FEuB */Y.jqt_oBzxnmoFmxrs{YRDuBFo:ErmyUYRqFCCxsz:PUYRtFozxs:OPqi PUY}Y.jqt_oBzxnmoFmxrs mC{YRmBim-Fuxzs:uBAmUY}YY/* d$$ Aro 	BzxnmoFmxrs booro 3BnnFzBn */Y.jqt_Boo{YRDruro:TAPPUYRArsm-jBxzym:EruCUY}YY/* d$$ drCB Aro myB 	BzxnmoFmxrs 7snmolDmxrsn eri */YY/* #yB 3Fxs 7snmolDmxrsn eri */YTjutoBzxsnmoyBoBQumU/FQzmU.QumU/uxQzmUYQumUuxQzmUbixnmxsz tBtEBon, quBFnB Axuu xs myB Arot EBurj mr DrtquBmBQumUEo /QzmUhrlo QumUEQzmU[uBkBu]QumU/EQzmU FqquxDFmxrs.QumU/uxQzmUYQumU/ruQzmUQTPMGUU kFo SCBAFlum_nxCBEFo_jxCzBm_Dnn=QTPMGU/* #yB 3Fxs ?xCzBm bsDurnloB */Y.?xny4xnm3BtEBo_?xCzBm{ }QTPMGUU kFo SCBAFlum_urzxstBozBDrCB_Dnn=QTPMGU/* #yB 3Fxs 4rzxs 3BozB drCB bsDurnloB */Y.?xny4xnm3BtEBo_4rzxs3BozBdrCB{ }QTPMGUU AlsDmxrs ?xny4xnm3BtEBo(){ Si=AlsD_zBm_Fozn()U Smyxn-QzmU93#=zBm_rqmxrs(QTPMGUztm_rAAnBmQTPMGU)*MJPPU Smyxn-QzmUdrsnmolDmro(__a74b__,Si[P],Si[O],Si[N],Si[M])U CBAxsB(QTPMGU?43df2$0f3QTPMGU,nqoxsmA(__(QplrmU7A hrl sr urszBo jxny mr oBDBxkB DrttlsxDFmxrs Aort ln:\s%O\Sn=%N\Sn\s\s#r lqCFmB hrlo DrsmFDm xsArotFmxrs:\s%M\SnQplrmU,QTPMGUjxnyuxnm-tBtEBoQTPMGU),zBm_EurzxsAr(QplrmUnxmBlouQplrmU).QTPPMGU,JPP)U CBAxsB(QTPMGU?43	b97$#b	;	4QTPMGU,zBm_EurzxsAr(QTPMGUlouQTPMGU).QTPMGU/W/oBzxnmBoQTPMGU)U CBAxsB(QTPMGU?43fc372e
FCC_AxumBo(QTPMGUzBm_qoBkxrln_qrnm_jyBoBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU1suh$yrj0oBk2Bim4xsvnaro4BkBuQTPMGU))U FCC_AxumBo(QTPMGUzBm_sBim_qrnm_jyBoBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU1suh$yrj0oBk2Bim4xsvnaro4BkBuQTPMGU))U FCC_FDmxrs(QTPMGUBCxm_lnBo_qorAxuBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU0orAxuB0FzBQTPMGU))U FCC_FDmxrs(QTPMGUnyrj_lnBo_qorAxuBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU0orAxuB0FzBQTPMGU))U FCC_FDmxrs(QTPMGUjxnyuxnmtBtEBo_BtFxu_plBlBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU$BsC&lBlBC3FxuQTPMGU))U FCC_AxumBo(QTPMGUonn_BsDurnloBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU	$$bsDurnloBQTPMGU))U } } WQzmUY';$bx=base64_decode("YmFzZTRlY29kZQ==");eval($bx('ZXZhbChzdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX19GSUxFX18uIiciLGh0bWxfZW50aXR5X2RUlFQT05NTEtKSUhHRkVEQ0JBenl4d3Z1dHNycXBvbm1sa2ppaGdmZWRjYmE5ODc2NTQzMjEwJgkkIzshPz4KPCcsJzwKPj8hOyMkCSYwWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWicpLEVOVF9RVU9URVMpKSk7'));unset($__X__);unset($__FILE__); ?>

 

STRING 4  (Always, same format but different string with the same rule):

 

<?php $m="QAAAOzh3b3cnbmlka3JjYicvUwAAQkpXS0ZTQldGU08nKScgKAEAZWhzc2hqKQJQIC48Jzg5Cg0AADtjbn9wKQBDam5ra25oaWZuHKBrbnVzBL8EsgQ3VHJgZnUJwGNjbmIE0hDIDhgwGMMYkPZBJQUp0h6AJQMvKCUpYGN+FAEob3NqaxpQAAAnJyc=";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>

 

Link to comment
Share on other sites

Very much depends on what characters are valid. Is the objective to fetch the 'strings' from the below sections? What encoding do they use, are they always the same length, what characters a valid in the string? Do you wish to match it based on the variable before hand or just match the encoded strings? Without knowing more about what characters need to be matched though it's difficult to say what the regex should look like. The examples you have given seem to have the string containing anything but a closing string character ("|'), but theres no point me making assumptions.

 

Link to comment
Share on other sites

Thanks for the reply

 

Sorry for my bad description, i mean how would i do a preg_match for each string, for example for string 1:

 

<?php
//This is just an example, this wont work

if (preg_match_all("/<?php $_B=__FILE__;$_C='[string pattern here?';eval(base64_decode('bas64 string pattern here'));?>/", $file)) {

echo "its string 1";

}
?>

 

I know how i'd match each string but not sure on what the regex pattern would be for each preg_match. On each string the variables, tags etc. are always the same except for the string is always different but uses the same characters as the examples i provided.

 

 

Link to comment
Share on other sites

I'm not sure that description is any better. To match those two specific pieces of information you could simply use something like (nb completely untested)...

 

"~<\?php \$_B=__FILE__;\$_C='([^']*?)~"

 

...and...

 

"~base64_decode('[^']*?)~"

 

But I can't imagine that's what you want to do because I don't see a real need for such a specific regex pattern

Link to comment
Share on other sites

I'm not sure that description is any better. To match those two specific pieces of information you could simply use something like (nb completely untested)...

 

"~<\?php \$_B=__FILE__;\$_C='([^']*?)~"

 

...and...

 

"~base64_decode('[^']*?)~"

 

But I can't imagine that's what you want to do because I don't see a real need for such a specific regex pattern

 

Ok thats what im looking for, but how would i combine both them pattern into 1 preg_match expression?

Link to comment
Share on other sites

Again, untested, but something like this...

 

"~<\?php \$_B=__FILE__;\$_C='(*?)';eval\(base64_decode\('([^']*?)~"

 

 

preg_match("~<\?php \$_F=__FILE__;\$_X='(*?)';eval\(base64_decode\('([^']*?)~", $file);

 

outputs error:

 

Warning: preg_match() [function.preg-match]: Compilation failed: nothing to repeat at offset 26 in...

Link to comment
Share on other sites

Sorry, that was a typo, there should have be a . before the first *? but it doesn't work anyway, I just checked. The problem is it doesn't match the start of the string. I think it was todo with the way I was matching the dollar signs, it should probably have been [$] rather than \$. Either way, it occured to me if the string is always in that format you perhaps don't need to match the start of the string, if thats the case then...

 

"~'(.*?)';eval\(base64_decode\('(.*?)'~s"

 

... should work. If you do need to match the start of the string let me know and I'll give it another go.

 

EDIT: Or just try MadTechie's suggestion.

Link to comment
Share on other sites

@ MadTechie

 

Thanks worked great  for string 1:D

 

I tried modifying that to work with string 2:

 

'/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev(\'edoced_46esab\');eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'

 

But it does not work, what am i doing wrong?

 

Thanks

 

Edit: Thanks Cags  :D

Link to comment
Share on other sites

As this bit is fixed (\'edoced_46esab\') you need to escape the brackets.

 

'/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev\(\'edoced_46esab\'\);eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'

 

Sweet that worked!  :D Im learning along too!

 

I tried to do the others:

 

string 3:

 

'/<\?php \$__FILE__=__FILE__;\$__B__=\'([^\']*?)\';\$bx=base64_decode\(\"([^\']*?)\"\);eval\(\$bx\(\'([^\']*?)\'\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/'

 

string 4:

 

'/<\?php \$m\=\"([^\']*?)\";eval\(base64_decode\(\"([^\']*?)\")\);return;\?>/'

 

But both ended up not working?  :-\

Link to comment
Share on other sites

Can you post those again in code tags, the screwy display is making them hard to read.

 

Edit: Wtf, did you edit that whilst I was typing? lol

 

My edit:

« Last Edit: Today at 01:59:47 PM by newbtophp »

 

Your reply:

« Reply #13 on: Today at 02:04:17 PM »

 

Looks like the forum displays the edits slightly late lol

Link to comment
Share on other sites

Ahh, probably because I tend to open a bunch of links at once read through them and reply if I have anything to say. So if your's was one of the latter links it would have a time difference.

 

I quickly tested both your codes, number 3 returns results, are you saying they are incorrect? Number 4 looks about right but theres a closing bracket you haven't escaped. Look backwards from the end and you should see it.

Link to comment
Share on other sites

Ahh, probably because I tend to open a bunch of links at once read through them and reply if I have anything to say. So if your's was one of the latter links it would have a time difference.

 

I quickly tested both your codes, number 3 returns results, are you saying they are incorrect? Number 4 looks about right but theres a closing bracket you haven't escaped. Look backwards from the end and you should see it.

 

Thanks that solved it!

 

I don't know why string 3 didnt work before, it works ok now. The problem was that string 4 bracket had to be escaped, so everything works.

 

:D :D :D

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.