newbtophp Posted October 7, 2009
I'm creating a WordPress addon which detects encoded code and I'm trying to figure out what the regex pattern is for the preg_matches of the strings below (I tried detecting by certain words but that would clash with other code):
STRING 1 (Always, same format but different string with the same rule):
<?php $_B=__FILE__;$_C='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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJFTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
STRING 2 (Always, same format but different string with the same rule):
<?php $_A=__FILE__;$_B='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';$_D=strrev('edoced_46esab');eval($_D('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCdLd2h4ZmRSQjk0Ckl2Q3V9bTBiZWcyRkxTc1dRUERqSlVHIDVNTmFdekV5cMzhPcHJaVjdYbGk+Lm5bazE9dEEvJywnUXNnCm9SdHk1VzRlPTlNQnVkR0UwVDFpY0RDd1hWeDJBVT5QbUZsM1NiWTwvcWsuaGE4W0hdTjZqfXJKTCB6N3tmbnZaSUtPcCcpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
STRING 3 (Always, same format but different string with the same rule):
<?php $__FILE__=__FILE__;$__B__='WQzmUQumUWqyqY xA(xnnBm(S_9b#[QTPMGUjutCBElzQTPMGU]))nBmDrrvxB(QTPMGUjutCBElzQTPMGU,S_d1157b[QTPMGUjutCBElzQTPMGU]=S_9b#[QTPMGUjutCBElzQTPMGU])U CBAxsB(QTPMGU?43b 1 b01 #729QTPMGU,S_d1157b[QTPMGUjutCBElzQTPMGU]+P)U Booro_oBqromxsz(?43b 1 b01 #729)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/alsDmxrsn.qyqQTPMGU)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/duFnn.qyqQTPMGU)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/0ulzxs3BmyrCn.qyqQTPMGU)U xA(VDuFnn_Bixnmn(QTPMGU?xny4xnm3BtEBoQTPMGU)){ DuFnn ?xny4xnm3BtEBo BimBsCn ?xny4xnm3BtEBo0ulzxs3BmyrCn{ kFo SDrlsmoxBn=FooFh(QTPMGU$BuBDm cFolnnFuFtQTPMGU,QTPMGUeluzFoxFQTPMGU,QTPMGUelovxsF aFnrQTPMGU,QTPMGUelolsCxQTPMGU,QTPMGUdFtErCxFQTPMGU,QTPMGUdFtBorrsQTPMGU,QTPMGUdFsFCFQTPMGU,QTPMGUdFqB 
!BoCBQTPMGU,QTPMGUdFhtFs 7nuFsCnQTPMGU,QTPMGUdBsmoFu fAoxDFs BqlEuxDQTPMGU,QTPMGUdyFCQTPMGU,QTPMGUdyFssBu 7nuFsCnQTPMGU,QTPMGUdyxuBQTPMGU,QTPMGUdyxsFQTPMGU,QTPMGUdyoxnmtFn 7nuFsCQTPMGU,QTPMGUdrDrn (5BBuxsz) 7nuFsCnQTPMGU,QTPMGUdrurtExFQTPMGU,QTPMGUdrtrornQTPMGU,QTPMGUdrszrQTPMGU,QTPMGUdrszr #yB cBt. Bq. 1A #yBQTPMGU,QTPMGUdrrv 7nuFsCnQTPMGU,QTPMGUdrnmF xDFQTPMGU,QTPMGUdrmB cxkrxoBQTPMGU,QTPMGUdorFmxFQTPMGU,QTPMGUdlEFQTPMGU,QTPMGUdhqolnQTPMGU,QTPMGUdgBDy BqlEuxDQTPMGU,QTPMGUcBstFovQTPMGU,QTPMGUcwxErlmxQTPMGU,QTPMGUcrtxsxDFQTPMGU,QTPMGUcrtxsxDFs BqlEuxDQTPMGU,QTPMGUbFnm #xtroQTPMGU,QTPMGUbDlFCroQTPMGU,QTPMGUbzhqmQTPMGU,QTPMGUbu $FukFCroQTPMGU,QTPMGUbplFmroxFu 9lxsBFQTPMGU,QTPMGUboxmoBFQTPMGU,QTPMGUbnmrsxFQTPMGU,QTPMGUbmyxrqxFQTPMGU,QTPMGUaFuvuFsC 7nuFsCn (3FukxsFn)QTPMGU,QTPMGUaForB 7nuFsCnQTPMGU,QTPMGUaxwxQTPMGU,QTPMGUaxsuFsCQTPMGU,QTPMGUaoFsDBQTPMGU,QTPMGUaoBsDy 9lxFsFQTPMGU,QTPMGUaoBsDy 0ruhsBnxFQTPMGU,QTPMGUaoBsDy $rlmyBos #Booxmro7nuFsCnQGU6roCFsQTPMGU,QTPMGU5FgFvnmFsQTPMGU,QTPMGU5BshFQTPMGU,QTPMGU5xoxEFmxQTPMGU,QTPMGU5roBF cBtrDoFmxD 0BrquBn BqlEuxDQTPMGU,QTPMGU5ljFxmQTPMGU,QTPMGU5hozhgnmFsQTPMGU,QTPMGU4Fr 0BrquBn cBtrDoFmxD BqlEuxDQTPMGU,QTPMGU4FmkxFQTPMGU,QTPMGU4BEFsrsQTPMGU,QTPMGU4BnrmyrQTPMGU,QTPMGU4xEBoxFQTPMGU,QTPMGU4xEhFQTPMGU,QTPMGU4xEhFs foFE 6FtFyxoxhFQTPMGU,QTPMGU4xBDymBsnmBxsQTPMGU,QTPMGU4xmylFsxFQTPMGU,QTPMGU4liBtErlozQTPMGU,QTPMGU3FDFlQTPMGU,QTPMGU3FDBCrsxFQTPMGU,QTPMGU3FCFzFnDFoQTPMGU,QTPMGU3FuFjxQTPMGU,QTPMGU3FuFhnxFQTPMGU,QTPMGU3FuCxkBnQTPMGU,QTPMGU3FuxQTPMGU,QTPMGU3FumFQTPMGU,QTPMGU3FonyFuu 7nuFsCnQTPMGU,QTPMGU3FomxsxplBQTPMGU,QTPMGU3FloxmFsxFQTPMGU,QTPMGU3FloxmxlnQTPMGU,QTPMGU3FhrmmBQTPMGU,QTPMGU3BixDrQTPMGU,QTPMGU3xDorsBnxF aBCBoFmBC $mFmBn 1AQTPMGU,QTPMGU3ruCrkF BqlEuxD 1AQTPMGU,QTPMGU3rsFDrQTPMGU,QTPMGU3rszruxFQTPMGU,QTPMGU3rsmBsBzorQTPMGU,QTPMGU3rsmnBooFmQTPMGU,QTPMGU3rorDDrQTPMGU,QTPMGU3rgFtExplBQTPMGU,QTPMGU3hFstFoQTPMGU,QTPMGU2FtxExFQTPMGU,QTPMGU2FlolQTPMGU,QTPMGU2BqFuQTPMGU,QTPMGU2BmyBouFsCnQTPMGU,QTPMGU2BmyBouFsCn 
fsmxuuBnQTPMGU,QTPMGU2Bj dFuBCrsxFQTPMGU,QTPMGU2Bj <BFuFsCQTPMGU,QTPMGU2xDFoFzlFQTPMGU,QTPMGU2xzBoQTPMGU,QTPMGU2xzBoxFQTPMGU,QTPMGU2xlBQTPMGU,QTPMGU2roAruv 7nuFsCQTPMGU,QTPMGU2romyBos 3FoxFsF 7nuFsCnQTPMGU,QTPMGU2rojFhQTPMGU,QTPMGU1tFsQTPMGU,QTPMGU0FvxnmFsQTPMGU,QTPMGU0FuFlQTPMGU,QTPMGU0FuBnmxsxFs #Booxmroh 1DDlqxBCQTPMGU,QTPMGU0FsFtFQTPMGU,QTPMGU0FqlF 2Bj 9lxsBFQTPMGU,QTPMGU0FoFzlFhQTPMGU,QTPMGU0BolQTPMGU,QTPMGU0yxuxqqxsBnQTPMGU,QTPMGU0xmDFxosQTPMGU,QTPMGU0ruFsCQTPMGU,QTPMGU0romlzFuQTPMGU,QTPMGU0lBomr xDrQTPMGU,QTPMGU&FmFoQTPMGU,QTPMGU BlsxrsQTPMGU,QTPMGU rtFsxFQTPMGU,QTPMGU lnnxFQTPMGU,QTPMGU lnnxFs aBCBoFmxrsQTPMGU,QTPMGU jFsCFQTPMGU,QTPMGU$Fxsm 8BuBsFQTPMGU,QTPMGU$Fxsm 5xmmn fsC 2BkxnQTPMGU,QTPMGU$Fxsm 4lDxFQTPMGU,QTPMGU$Fxsm 0xBooB fsC 3xplBursQTPMGU,QTPMGU$Fxsm !xsDBsm fsC #yB 9oBsFCxsBnQTPMGU,QTPMGU$FtrFQTPMGU,QTPMGU$Fs 3FoxsrQTPMGU,QTPMGU$Fr #rtB fsC 0oxsDxqBQTPMGU,QTPMGU$FlCx foFExFQTPMGU,QTPMGU$BsBzFuQTPMGU,QTPMGU$BoExFQTPMGU,QTPMGU$BoExF QFtqUFtqU 3rsmBsBzorQTPMGU,QTPMGU$BhDyBuuBnQTPMGU,QTPMGU$xBooF 4BrsBQTPMGU,QTPMGU$xszFqroBQTPMGU,QTPMGU$urkFvxFQTPMGU,QTPMGU$urkBsxFQTPMGU,QTPMGU$rurtrs 7nuFsCnQTPMGU,QTPMGU$rtFuxFQTPMGU,QTPMGU$rlmy fAoxDFQTPMGU,QTPMGU$rlmy 9BrozxF / $rlmy $FsCjxDy 7nuFsCnQTPMGU,QTPMGU$rlmy 5roBFQTPMGU,QTPMGU$qF7nuFsCnQTPMGU,QTPMGU;olzlFhQTPMGU,QTPMGU;gEBvxnmFsQTPMGU,QTPMGU!FslFmlQTPMGU,QTPMGU!BsBglBuFQTPMGU,QTPMGU!xBmsFtQTPMGU,QTPMGU!xozxs 7nuFsCn eoxmxnyQTPMGU,QTPMGU!xozxs 7nuFsCn ;.$.QTPMGU,QTPMGU?Fuuxn fsC almlsFQTPMGU,QTPMGU?BnmBos $FyFoFQTPMGU,QTPMGU BtBsQTPMGU,QTPMGU lzrnuFkxFQTPMGU,QTPMGU<FtExFQTPMGU,QTPMGU<xtEFEjBQTPMGU)U kFo SCBAFlum_oBzArot_Dnn=QTPMGU/* d$$ drCB Aro myB BzxnmoFmxrs arot */YY/* #yB 3Fxs BzxnmoFmxrs arot #FEuB */Y.jqt_oBzxnmoFmxrs{YRDuBFo:ErmyUYRqFCCxsz:PUYRtFozxs:OPqi PUY}Y.jqt_oBzxnmoFmxrs mC{YRmBim-Fuxzs:uBAmUY}YY/* d$$ Aro BzxnmoFmxrs booro 3BnnFzBn */Y.jqt_Boo{YRDruro:TAPPUYRArsm-jBxzym:EruCUY}YY/* d$$ drCB Aro myB BzxnmoFmxrs 7snmolDmxrsn eri */YY/* #yB 3Fxs 7snmolDmxrsn eri 
*/YTjutoBzxsnmoyBoBQumU/FQzmU.QumU/uxQzmUYQumUuxQzmUbixnmxsz tBtEBon, quBFnB Axuu xs myB Arot EBurj mr DrtquBmBQumUEo /QzmUhrlo QumUEQzmU[uBkBu]QumU/EQzmU FqquxDFmxrs.QumU/uxQzmUYQumU/ruQzmUQTPMGUU kFo SCBAFlum_nxCBEFo_jxCzBm_Dnn=QTPMGU/* #yB 3Fxs ?xCzBm bsDurnloB */Y.?xny4xnm3BtEBo_?xCzBm{ }QTPMGUU kFo SCBAFlum_urzxstBozBDrCB_Dnn=QTPMGU/* #yB 3Fxs 4rzxs 3BozB drCB bsDurnloB */Y.?xny4xnm3BtEBo_4rzxs3BozBdrCB{ }QTPMGUU AlsDmxrs ?xny4xnm3BtEBo(){ Si=AlsD_zBm_Fozn()U Smyxn-QzmU93#=zBm_rqmxrs(QTPMGUztm_rAAnBmQTPMGU)*MJPPU Smyxn-QzmUdrsnmolDmro(__a74b__,Si[P],Si[O],Si[N],Si[M])U CBAxsB(QTPMGU?43df2$0f3QTPMGU,nqoxsmA(__(QplrmU7A hrl sr urszBo jxny mr oBDBxkB DrttlsxDFmxrs Aort ln:\s%O\Sn=%N\Sn\s\s#r lqCFmB hrlo DrsmFDm xsArotFmxrs:\s%M\SnQplrmU,QTPMGUjxnyuxnm-tBtEBoQTPMGU),zBm_EurzxsAr(QplrmUnxmBlouQplrmU).QTPPMGU,JPP)U CBAxsB(QTPMGU?43 b97$#b ; 4QTPMGU,zBm_EurzxsAr(QTPMGUlouQTPMGU).QTPMGU/W/oBzxnmBoQTPMGU)U CBAxsB(QTPMGU?43fc372e FCC_AxumBo(QTPMGUzBm_qoBkxrln_qrnm_jyBoBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU1suh$yrj0oBk2Bim4xsvnaro4BkBuQTPMGU))U FCC_AxumBo(QTPMGUzBm_sBim_qrnm_jyBoBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU1suh$yrj0oBk2Bim4xsvnaro4BkBuQTPMGU))U FCC_FDmxrs(QTPMGUBCxm_lnBo_qorAxuBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU0orAxuB0FzBQTPMGU))U FCC_FDmxrs(QTPMGUnyrj_lnBo_qorAxuBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU0orAxuB0FzBQTPMGU))U FCC_FDmxrs(QTPMGUjxnyuxnmtBtEBo_BtFxu_plBlBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU$BsC&lBlBC3FxuQTPMGU))U FCC_AxumBo(QTPMGUonn_BsDurnloBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU $$bsDurnloBQTPMGU))U } } WQzmUY';$bx=base64_decode("YmFzZTRlY29kZQ==");eval($bx('ZXZhbChzdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX19GSUxFX18uIiciLGh0bWxfZW50aXR5X2RUlFQT05NTEtKSUhHRkVEQ0JBenl4d3Z1dHNycXBvbm1sa2ppaGdmZWRjYmE5ODc2NTQzMjEwJgkkIzshPz4KPCcsJzwKPj8hOyMkCSYwWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWicpLEVOVF9RVU9URVMpKSk7'));unset($__X__);unset($__FILE__); ?> STRING 4 
(Always, same format but different string with the same rule):
<?php $m="QAAAOzh3b3cnbmlka3JjYicvUwAAQkpXS0ZTQldGU08nKScgKAEAZWhzc2hqKQJQIC48Jzg5Cg0AADtjbn9wKQBDam5ra25oaWZuHKBrbnVzBL8EsgQ3VHJgZnUJwGNjbmIE0hDIDhgwGMMYkPZBJQUp0h6AJQMvKCUpYGN+FAEob3NqaxpQAAAnJyc=";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>
cags Posted October 8, 2009
Very much depends on what characters are valid. Is the objective to fetch the 'strings' from the below sections? What encoding do they use, are they always the same length, what characters are valid in the string? Do you wish to match it based on the variable beforehand or just match the encoded strings? Without knowing more about what characters need to be matched though it's difficult to say what the regex should look like. The examples you have given seem to have the string containing anything but a closing string character ("|'), but there's no point me making assumptions.
MadTechie Posted October 8, 2009
I skipped this post earlier because it was unclear but I think he has a string and wants to work out the encoding method from that!
/*No Comment*/
newbtophp Posted October 8, 2009
Thanks for the reply.
Sorry for my bad description, I mean how would I do a preg_match for each string, for example for string 1:
<?php
//This is just an example, this wont work
if (preg_match_all("/<?php $_B=__FILE__;$_C='[string pattern here?';eval(base64_decode('bas64 string pattern here'));?>/", $file)) {
echo "its string 1";
}
?>
I know how I'd match each string but I'm not sure what the regex pattern would be for each preg_match. On each string the variables, tags etc. are always the same, except the string is always different but uses the same characters as the examples I provided.
cags Posted October 8, 2009
I'm not sure that description is any better. To match those two specific pieces of information you could simply use something like (nb completely untested)...
"~<\?php \$_B=__FILE__;\$_C='([^']*?)~"
...and...
"~base64_decode('[^']*?)~"
But I can't imagine that's what you want to do because I don't see a real need for such a specific regex pattern.
newbtophp Posted October 8, 2009
> I'm not sure that description is any better. To match those two specific pieces of information you could simply use something like (nb completely untested)...
> "~<\?php \$_B=__FILE__;\$_C='([^']*?)~"
> ...and...
> "~base64_decode('[^']*?)~"
> But I can't imagine that's what you want to do because I don't see a real need for such a specific regex pattern.
OK, that's what I'm looking for, but how would I combine both of those patterns into 1 preg_match expression?
cags Posted October 8, 2009
Again, untested, but something like this...
"~<\?php \$_B=__FILE__;\$_C='(*?)';eval\(base64_decode\('([^']*?)~"
newbtophp Posted October 8, 2009
> Again, untested, but something like this...
> "~<\?php \$_B=__FILE__;\$_C='(*?)';eval\(base64_decode\('([^']*?)~"
preg_match("~<\?php \$_F=__FILE__;\$_X='(*?)';eval\(base64_decode\('([^']*?)~", $file);
outputs error:
Warning: preg_match() [function.preg-match]: Compilation failed: nothing to repeat at offset 26 in...
MadTechie Posted October 8, 2009
try
'/<\?php \$_B=__FILE__;\$_C=\'([^\']*?)\';eval\(base64_decode\(\'([^\']*?)\'\)\);\?>/'
__FILE__ is magic
cags Posted October 8, 2009
Sorry, that was a typo, there should have been a . before the first *? but it doesn't work anyway, I just checked. The problem is it doesn't match the start of the string. I think it was to do with the way I was matching the dollar signs, it should probably have been [$] rather than \$. Either way, it occurred to me if the string is always in that format you perhaps don't need to match the start of the string, if that's the case then...
"~'(.*?)';eval\(base64_decode\('(.*?)'~s"
... should work. If you do need to match the start of the string let me know and I'll give it another go.
EDIT: Or just try MadTechie's suggestion.
newbtophp Posted October 8, 2009
@MadTechie Thanks, worked great for string 1 :D
I tried modifying that to work with string 2:
'/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev(\'edoced_46esab\');eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'
But it does not work, what am I doing wrong? Thanks
Edit: Thanks Cags
cags Posted October 8, 2009
As this bit is fixed (\'edoced_46esab\') you need to escape the brackets.
'/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev\(\'edoced_46esab\'\);eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'
newbtophp Posted October 8, 2009
> As this bit is fixed (\'edoced_46esab\') you need to escape the brackets.
> '/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev\(\'edoced_46esab\'\);eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'
Sweet, that worked! I'm learning along too! I tried to do the others:
string 3:
'/<\?php \$__FILE__=__FILE__;\$__B__=\'([^\']*?)\';\$bx=base64_decode\(\"([^\']*?)\"\);eval\(\$bx\(\'([^\']*?)\'\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/'
string 4:
'/<\?php \$m\=\"([^\']*?)\";eval\(base64_decode\(\"([^\']*?)\")\);return;\?>/'
But both ended up not working? :-\
cags Posted October 8, 2009
Can you post those again in code tags, the screwy display is making them hard to read.
Edit: Wtf, did you edit that whilst I was typing? lol
newbtophp Posted October 8, 2009
> Can you post those again in code tags, the screwy display is making them hard to read.
> Edit: Wtf, did you edit that whilst I was typing? lol
My edit: « Last Edit: Today at 01:59:47 PM by newbtophp »
Your reply: « Reply #13 on: Today at 02:04:17 PM »
Looks like the forum displays the edits slightly late lol
cags Posted October 8, 2009
Ahh, probably because I tend to open a bunch of links at once, read through them and reply if I have anything to say. So if yours was one of the latter links it would have a time difference. I quickly tested both your codes, number 3 returns results, are you saying they are incorrect? Number 4 looks about right but there's a closing bracket you haven't escaped. Look backwards from the end and you should see it.
newbtophp Posted October 8, 2009
> Ahh, probably because I tend to open a bunch of links at once, read through them and reply if I have anything to say. So if yours was one of the latter links it would have a time difference. I quickly tested both your codes, number 3 returns results, are you saying they are incorrect? Number 4 looks about right but there's a closing bracket you haven't escaped. Look backwards from the end and you should see it.
Thanks, that solved it! I don't know why string 3 didn't work before, it works OK now. The problem was that the string 4 bracket had to be escaped, so everything works. :D
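Added example, not part of any post in this thread: the four wrapper formats matched with patterns built from literal templates, so that preg_quote() escapes the brackets and dollar signs that caused the errors discussed above. The `{S}`/`{D}` placeholders, the function names and the sample inputs are constructed for this example, and double-quoted payloads are matched with `[^"]*` rather than the `[^\']*?` used in the thread.

```php
<?php
// Added example, not code from the thread. The fixed text of each wrapper is
// passed through preg_quote(), so $, (, ) and the question mark are escaped
// automatically; {S} / {D} mark a single- or double-quoted payload.
const SIGNATURES = [
    'string 1' => '<?php $_B=__FILE__;$_C={S};eval(base64_decode({S}));?>',
    'string 2' => '<?php $_A=__FILE__;$_B={S};$_D=strrev(\'edoced_46esab\');eval($_D({S}));?>',
    'string 3' => '<?php $__FILE__=__FILE__;$__B__={S};$bx=base64_decode({D});'
                . 'eval($bx({S}));unset($__X__);unset($__FILE__); ?>',
    'string 4' => '<?php $m={D};eval(base64_decode({D}));return;?>',
];

function signature_regex(string $template): string
{
    // preg_quote() also escapes the braces, so the placeholders become \{S\} and \{D\}.
    $quoted = preg_quote($template, '~');
    return '~' . strtr($quoted, [
        '\{S\}' => "'([^']*)'",
        '\{D\}' => '"([^"]*)"',
    ]) . '~';
}

function classify_encoded(string $source): ?array
{
    foreach (SIGNATURES as $name => $template) {
        if (preg_match(signature_regex($template), $source, $m)) {
            // Captured payloads are returned as data only; nothing is decoded or run.
            return ['format' => $name, 'payloads' => array_slice($m, 1)];
        }
    }
    return null;
}

// Constructed samples with short dummy payloads in place of the real ones.
$samples = [
    '<?php $_B=__FILE__;$_C=\'QUJD\';eval(base64_decode(\'QUJD\'));?>',
    '<?php $_A=__FILE__;$_B=\'QUJD\';$_D=strrev(\'edoced_46esab\');eval($_D(\'QUJD\'));?>',
    '<?php $m="QUJD";eval(base64_decode("QUJD"));return;?>',
    '<?php echo "hello"; ?>',
];
foreach ($samples as $sample) {
    $hit = classify_encoded($sample);
    echo ($hit ? $hit['format'] : 'no match'), "\n";
}
```

Like the patterns in the thread, these match only the exact variable names and layout shown in the four samples, so a wrapper that renames `$_B` or adds whitespace will not be flagged.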