[SOLVED] preg_match strings

[newbtophp]

Im creating a wordpress addon which detects encoded code and im trying to figure out whats the regex pattern for the preg_matchs of the below strings (i tried detecting by certain words but that would clash with other code):

 

STRING 1 (Always, same format but different string with the same rule):

<?php $_B=__FILE__;$_C='Pz48P3BocA0KNGYgKCRfUE9TVCkgew0KICAgZjNuY3Q0Mm4gc3QycjVfcDFnNSgkM3JsKSB7DQogICAgICCiAgIH0NCn0gNWxzNSB7DQo/Pg0KPGh0bWw+DQo8YjJkeT4NCjxjNW50NXI+PDRtZyBzcmM9cnNsMmcyLmc0Zj48L2M1bnQ1cj4NCjxmMnJtIG4xbTU9ZjJybTYgMWN0NDJuPWw0bmtyNTFkeS5waHAgbTV0aDJkPXAyc3Q+DQpVczVybjFtNTogPDRucDN0IHR5cDU9dDV4dCBuMW01PSIzcyIgLz4NClAxc3N3MnJkOiA8NG5wM3QgdHlwNT10NXh0IG4xbTU9InB3IiAvPg0KWTIzciBSUyBMSU5LUzo8YnI+PHQ1eHQxcjUxIG4xbTU9cnMzcmxzIGMybHM9NjAwIHIyd3M9bzA+PC90NXh0MXI1MT48YnI+PGJyPg0KPDRucDN0IHR5cDU9czNibTR0IHYxbDM1PVMzYm00dD4NCjw0bnAzdCB0eXA1PXI1czV0IHYxbDM1PVI1czV0Pg0KPC9jNW50NXI+DQo8L2Yycm0+DQo8L2IyZHk+DQo8L2h0bWw+DQo8P3BocA0KfQ0KPz4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJFTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

 

 

STRING 2 (Always, same format but different string with the same rule):

<?php $_A=__FILE__;$_B='PyBxPy9jLw14NioNeCstLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ14fGxsbFdtRUlXb1ZSbGtdSGdIWQ14fGxsbHZ2dnZ2dnZ2dSWpSIiBxd1JWZltoIHNJbm9tYVI6cTZ3UlZmW2ggcTZSMCANeGxsbGxsbHFSMGxTYW93d3YiUjAySWpSIiANeAlxd0lhSVNSbFtvTUl2Ik1mMG1hSXswSW5vbWFSOCIgDXgJCXFmL1JMZltsa29hbUl2IkYibHE/L2MvbExuKCRNZjBtYUl7JzBJbm9tYVInOGx2dmxGKWxJU2NmbCJ3SWFJU1JJMHYnd0lhSVNSSTAnIjtsPyAgeUl3cgDXhsbGxscVIwbG9hTGhbdiJWTGhjUiJsU2Fvd3d2IlIwMklqUiIgJltFdy87cTZSMCANeGxsbGxxUjBsU2Fvd3d2IlIwMklqUiIgcUxbL21SbFJCL0l2IndtRU1MUiJsU2Fvd3d2IndtRU1MUiJsa29hbUl2ImUwTFJsV2ZbbkxoImw2IHE2UjAgDXhsbHE2UlYgDXhxNlJvRWFJIA14cTZuZlZNIA14cT8vYy9sTFtTYW0wSSgiSEg2SEg2SEg2TFtTYW0wSXc2bmZmUklWSExbU0gvYy8iKTtsPyA=';$_D=strrev('edoced_46esab');eval($_D('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCdLd2h4ZmRSQjk0Ckl2Q3V9bTBiZWcyRkxTc1dRUERqSlVHIDVNTmFdekV5cMzhPcHJaVjdYbGk+Lm5bazE9dEEvJywnUXNnCm9SdHk1VzRlPTlNQnVkR0UwVDFpY0RDd1hWeDJBVT5QbUZsM1NiWTwvcWsuaGE4W0hdTjZqfXJKTCB6N3tmbnZaSUtPcCcpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

 

STRING 3 (Always, same format but different string with the same rule):

 

<?php $__FILE__=__FILE__;$__B__='WQzmUQumUWqyqY xA(xnnBm(S_9b#[QTPMGUjutCBElzQTPMGU]))nBmDrrvxB(QTPMGUjutCBElzQTPMGU,S_d1157b[QTPMGUjutCBElzQTPMGU]=S_9b#[QTPMGUjutCBElzQTPMGU])U CBAxsB(QTPMGU?43b		1		b01	#729QTPMGU,S_d1157b[QTPMGUjutCBElzQTPMGU]+P)U Booro_oBqromxsz(?43b		1		b01	#729)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/alsDmxrsn.qyqQTPMGU)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/duFnn.qyqQTPMGU)U oBplxoB_rsDB(CxosFtB(__a74b__).QTPMGU/DroB/0ulzxs3BmyrCn.qyqQTPMGU)U xA(VDuFnn_Bixnmn(QTPMGU?xny4xnm3BtEBoQTPMGU)){ DuFnn ?xny4xnm3BtEBo BimBsCn ?xny4xnm3BtEBo0ulzxs3BmyrCn{ kFo SDrlsmoxBn=FooFh(QTPMGU$BuBDm cFolnnFuFtQTPMGU,QTPMGUeluzFoxFQTPMGU,QTPMGUelovxsF aFnrQTPMGU,QTPMGUelolsCxQTPMGU,QTPMGUdFtErCxFQTPMGU,QTPMGUdFtBorrsQTPMGU,QTPMGUdFsFCFQTPMGU,QTPMGUdFqB !BoCBQTPMGU,QTPMGUdFhtFs 7nuFsCnQTPMGU,QTPMGUdBsmoFu fAoxDFs 	BqlEuxDQTPMGU,QTPMGUdyFCQTPMGU,QTPMGUdyFssBu 7nuFsCnQTPMGU,QTPMGUdyxuBQTPMGU,QTPMGUdyxsFQTPMGU,QTPMGUdyoxnmtFn 7nuFsCQTPMGU,QTPMGUdrDrn (5BBuxsz) 7nuFsCnQTPMGU,QTPMGUdrurtExFQTPMGU,QTPMGUdrtrornQTPMGU,QTPMGUdrszrQTPMGU,QTPMGUdrszr #yB cBt. 	Bq. 1A #yBQTPMGU,QTPMGUdrrv 7nuFsCnQTPMGU,QTPMGUdrnmF 	xDFQTPMGU,QTPMGUdrmB cxkrxoBQTPMGU,QTPMGUdorFmxFQTPMGU,QTPMGUdlEFQTPMGU,QTPMGUdhqolnQTPMGU,QTPMGUdgBDy 	BqlEuxDQTPMGU,QTPMGUcBstFovQTPMGU,QTPMGUcwxErlmxQTPMGU,QTPMGUcrtxsxDFQTPMGU,QTPMGUcrtxsxDFs 	BqlEuxDQTPMGU,QTPMGUbFnm #xtroQTPMGU,QTPMGUbDlFCroQTPMGU,QTPMGUbzhqmQTPMGU,QTPMGUbu $FukFCroQTPMGU,QTPMGUbplFmroxFu 9lxsBFQTPMGU,QTPMGUboxmoBFQTPMGU,QTPMGUbnmrsxFQTPMGU,QTPMGUbmyxrqxFQTPMGU,QTPMGUaFuvuFsC 7nuFsCn (3FukxsFn)QTPMGU,QTPMGUaForB 7nuFsCnQTPMGU,QTPMGUaxwxQTPMGU,QTPMGUaxsuFsCQTPMGU,QTPMGUaoFsDBQTPMGU,QTPMGUaoBsDy 9lxFsFQTPMGU,QTPMGUaoBsDy 0ruhsBnxFQTPMGU,QTPMGUaoBsDy $rlmyBos #Booxmro7nuFsCnQGU6roCFsQTPMGU,QTPMGU5FgFvnmFsQTPMGU,QTPMGU5BshFQTPMGU,QTPMGU5xoxEFmxQTPMGU,QTPMGU5roBF cBtrDoFmxD 0BrquBn 	BqlEuxDQTPMGU,QTPMGU5ljFxmQTPMGU,QTPMGU5hozhgnmFsQTPMGU,QTPMGU4Fr 0BrquBn cBtrDoFmxD 	BqlEuxDQTPMGU,QTPMGU4FmkxFQTPMGU,QTPMGU4BEFsrsQTPMGU,QTPMGU4BnrmyrQTPMGU,QTPMGU4xEBoxFQTPMGU,QTPMGU4xEhFQTPMGU,QTPMGU4xEhFs foFE 6FtFyxoxhFQTPMGU,QTPMGU4xBDymBsnmBxsQTPMGU,QTPMGU4xmylFsxFQTPMGU,QTPMGU4liBtErlozQTPMGU,QTPMGU3FDFlQTPMGU,QTPMGU3FDBCrsxFQTPMGU,QTPMGU3FCFzFnDFoQTPMGU,QTPMGU3FuFjxQTPMGU,QTPMGU3FuFhnxFQTPMGU,QTPMGU3FuCxkBnQTPMGU,QTPMGU3FuxQTPMGU,QTPMGU3FumFQTPMGU,QTPMGU3FonyFuu 7nuFsCnQTPMGU,QTPMGU3FomxsxplBQTPMGU,QTPMGU3FloxmFsxFQTPMGU,QTPMGU3FloxmxlnQTPMGU,QTPMGU3FhrmmBQTPMGU,QTPMGU3BixDrQTPMGU,QTPMGU3xDorsBnxF aBCBoFmBC $mFmBn 1AQTPMGU,QTPMGU3ruCrkF 	BqlEuxD 1AQTPMGU,QTPMGU3rsFDrQTPMGU,QTPMGU3rszruxFQTPMGU,QTPMGU3rsmBsBzorQTPMGU,QTPMGU3rsmnBooFmQTPMGU,QTPMGU3rorDDrQTPMGU,QTPMGU3rgFtExplBQTPMGU,QTPMGU3hFstFoQTPMGU,QTPMGU2FtxExFQTPMGU,QTPMGU2FlolQTPMGU,QTPMGU2BqFuQTPMGU,QTPMGU2BmyBouFsCnQTPMGU,QTPMGU2BmyBouFsCn fsmxuuBnQTPMGU,QTPMGU2Bj dFuBCrsxFQTPMGU,QTPMGU2Bj <BFuFsCQTPMGU,QTPMGU2xDFoFzlFQTPMGU,QTPMGU2xzBoQTPMGU,QTPMGU2xzBoxFQTPMGU,QTPMGU2xlBQTPMGU,QTPMGU2roAruv 7nuFsCQTPMGU,QTPMGU2romyBos 3FoxFsF 7nuFsCnQTPMGU,QTPMGU2rojFhQTPMGU,QTPMGU1tFsQTPMGU,QTPMGU0FvxnmFsQTPMGU,QTPMGU0FuFlQTPMGU,QTPMGU0FuBnmxsxFs #Booxmroh 1DDlqxBCQTPMGU,QTPMGU0FsFtFQTPMGU,QTPMGU0FqlF 2Bj 9lxsBFQTPMGU,QTPMGU0FoFzlFhQTPMGU,QTPMGU0BolQTPMGU,QTPMGU0yxuxqqxsBnQTPMGU,QTPMGU0xmDFxosQTPMGU,QTPMGU0ruFsCQTPMGU,QTPMGU0romlzFuQTPMGU,QTPMGU0lBomr 	xDrQTPMGU,QTPMGU&FmFoQTPMGU,QTPMGU	BlsxrsQTPMGU,QTPMGU	rtFsxFQTPMGU,QTPMGU	lnnxFQTPMGU,QTPMGU	lnnxFs aBCBoFmxrsQTPMGU,QTPMGU	jFsCFQTPMGU,QTPMGU$Fxsm 8BuBsFQTPMGU,QTPMGU$Fxsm 5xmmn fsC 2BkxnQTPMGU,QTPMGU$Fxsm 4lDxFQTPMGU,QTPMGU$Fxsm 0xBooB fsC 3xplBursQTPMGU,QTPMGU$Fxsm !xsDBsm fsC #yB 9oBsFCxsBnQTPMGU,QTPMGU$FtrFQTPMGU,QTPMGU$Fs 3FoxsrQTPMGU,QTPMGU$Fr #rtB fsC 0oxsDxqBQTPMGU,QTPMGU$FlCx foFExFQTPMGU,QTPMGU$BsBzFuQTPMGU,QTPMGU$BoExFQTPMGU,QTPMGU$BoExF QFtqUFtqU 3rsmBsBzorQTPMGU,QTPMGU$BhDyBuuBnQTPMGU,QTPMGU$xBooF 4BrsBQTPMGU,QTPMGU$xszFqroBQTPMGU,QTPMGU$urkFvxFQTPMGU,QTPMGU$urkBsxFQTPMGU,QTPMGU$rurtrs 7nuFsCnQTPMGU,QTPMGU$rtFuxFQTPMGU,QTPMGU$rlmy fAoxDFQTPMGU,QTPMGU$rlmy 9BrozxF / $rlmy $FsCjxDy 7nuFsCnQTPMGU,QTPMGU$rlmy 5roBFQTPMGU,QTPMGU$qF7nuFsCnQTPMGU,QTPMGU;olzlFhQTPMGU,QTPMGU;gEBvxnmFsQTPMGU,QTPMGU!FslFmlQTPMGU,QTPMGU!BsBglBuFQTPMGU,QTPMGU!xBmsFtQTPMGU,QTPMGU!xozxs 7nuFsCn eoxmxnyQTPMGU,QTPMGU!xozxs 7nuFsCn ;.$.QTPMGU,QTPMGU?Fuuxn fsC almlsFQTPMGU,QTPMGU?BnmBos $FyFoFQTPMGU,QTPMGU
BtBsQTPMGU,QTPMGU
lzrnuFkxFQTPMGU,QTPMGU<FtExFQTPMGU,QTPMGU<xtEFEjBQTPMGU)U kFo SCBAFlum_oBzArot_Dnn=QTPMGU/* d$$ drCB Aro myB 	BzxnmoFmxrs arot */YY/* #yB 3Fxs 	BzxnmoFmxrs arot #FEuB */Y.jqt_oBzxnmoFmxrs{YRDuBFo:ErmyUYRqFCCxsz:PUYRtFozxs:OPqi PUY}Y.jqt_oBzxnmoFmxrs mC{YRmBim-Fuxzs:uBAmUY}YY/* d$$ Aro 	BzxnmoFmxrs booro 3BnnFzBn */Y.jqt_Boo{YRDruro:TAPPUYRArsm-jBxzym:EruCUY}YY/* d$$ drCB Aro myB 	BzxnmoFmxrs 7snmolDmxrsn eri */YY/* #yB 3Fxs 7snmolDmxrsn eri */YTjutoBzxsnmoyBoBQumU/FQzmU.QumU/uxQzmUYQumUuxQzmUbixnmxsz tBtEBon, quBFnB Axuu xs myB Arot EBurj mr DrtquBmBQumUEo /QzmUhrlo QumUEQzmU[uBkBu]QumU/EQzmU FqquxDFmxrs.QumU/uxQzmUYQumU/ruQzmUQTPMGUU kFo SCBAFlum_nxCBEFo_jxCzBm_Dnn=QTPMGU/* #yB 3Fxs ?xCzBm bsDurnloB */Y.?xny4xnm3BtEBo_?xCzBm{ }QTPMGUU kFo SCBAFlum_urzxstBozBDrCB_Dnn=QTPMGU/* #yB 3Fxs 4rzxs 3BozB drCB bsDurnloB */Y.?xny4xnm3BtEBo_4rzxs3BozBdrCB{ }QTPMGUU AlsDmxrs ?xny4xnm3BtEBo(){ Si=AlsD_zBm_Fozn()U Smyxn-QzmU93#=zBm_rqmxrs(QTPMGUztm_rAAnBmQTPMGU)*MJPPU Smyxn-QzmUdrsnmolDmro(__a74b__,Si[P],Si[O],Si[N],Si[M])U CBAxsB(QTPMGU?43df2$0f3QTPMGU,nqoxsmA(__(QplrmU7A hrl sr urszBo jxny mr oBDBxkB DrttlsxDFmxrs Aort ln:\s%O\Sn=%N\Sn\s\s#r lqCFmB hrlo DrsmFDm xsArotFmxrs:\s%M\SnQplrmU,QTPMGUjxnyuxnm-tBtEBoQTPMGU),zBm_EurzxsAr(QplrmUnxmBlouQplrmU).QTPPMGU,JPP)U CBAxsB(QTPMGU?43	b97$#b	;	4QTPMGU,zBm_EurzxsAr(QTPMGUlouQTPMGU).QTPMGU/W/oBzxnmBoQTPMGU)U CBAxsB(QTPMGU?43fc372e
FCC_AxumBo(QTPMGUzBm_qoBkxrln_qrnm_jyBoBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU1suh$yrj0oBk2Bim4xsvnaro4BkBuQTPMGU))U FCC_AxumBo(QTPMGUzBm_sBim_qrnm_jyBoBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU1suh$yrj0oBk2Bim4xsvnaro4BkBuQTPMGU))U FCC_FDmxrs(QTPMGUBCxm_lnBo_qorAxuBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU0orAxuB0FzBQTPMGU))U FCC_FDmxrs(QTPMGUnyrj_lnBo_qorAxuBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU0orAxuB0FzBQTPMGU))U FCC_FDmxrs(QTPMGUjxnyuxnmtBtEBo_BtFxu_plBlBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU$BsC&lBlBC3FxuQTPMGU))U FCC_AxumBo(QTPMGUonn_BsDurnloBQTPMGU,FooFh(QFtqUS?xny4xnm3BtEBo7snmFsDB,QTPMGU	$$bsDurnloBQTPMGU))U } } WQzmUY';$bx=base64_decode("YmFzZTRlY29kZQ==");eval($bx('ZXZhbChzdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX19GSUxFX18uIiciLGh0bWxfZW50aXR5X2RUlFQT05NTEtKSUhHRkVEQ0JBenl4d3Z1dHNycXBvbm1sa2ppaGdmZWRjYmE5ODc2NTQzMjEwJgkkIzshPz4KPCcsJzwKPj8hOyMkCSYwWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWicpLEVOVF9RVU9URVMpKSk7'));unset($__X__);unset($__FILE__); ?>

 

STRING 4  (Always, same format but different string with the same rule):

 

<?php $m="QAAAOzh3b3cnbmlka3JjYicvUwAAQkpXS0ZTQldGU08nKScgKAEAZWhzc2hqKQJQIC48Jzg5Cg0AADtjbn9wKQBDam5ra25oaWZuHKBrbnVzBL8EsgQ3VHJgZnUJwGNjbmIE0hDIDhgwGMMYkPZBJQUp0h6AJQMvKCUpYGN+FAEob3NqaxpQAAAnJyc=";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>

 

[cags]

Very much depends on what characters are valid. Is the objective to fetch the 'strings' from the below sections? What encoding do they use, are they always the same length, what characters a valid in the string? Do you wish to match it based on the variable before hand or just match the encoded strings? Without knowing more about what characters need to be matched though it's difficult to say what the regex should look like. The examples you have given seem to have the string containing anything but a closing string character ("|'), but theres no point me making assumptions.

 

[MadTechie]

I skipped this post earlier because it was unclear but I think he has a string and wants to workout the encoding method form that!

 

/*No Comment*/

[newbtophp]

Thanks for the reply

 

Sorry for my bad description, i mean how would i do a preg_match for each string, for example for string 1:

 

<?php
//This is just an example, this wont work

if (preg_match_all("/<?php $_B=__FILE__;$_C='[string pattern here?';eval(base64_decode('bas64 string pattern here'));?>/", $file)) {

echo "its string 1";

}
?>

 

I know how i'd match each string but not sure on what the regex pattern would be for each preg_match. On each string the variables, tags etc. are always the same except for the string is always different but uses the same characters as the examples i provided.

 

 

[cags]

I'm not sure that description is any better. To match those two specific pieces of information you could simply use something like (nb completely untested)...

 

"~<\?php \$_B=__FILE__;\$_C='([^']*?)~"

 

...and...

 

"~base64_decode('[^']*?)~"

 

But I can't imagine that's what you want to do because I don't see a real need for such a specific regex pattern

[newbtophp]

I'm not sure that description is any better. To match those two specific pieces of information you could simply use something like (nb completely untested)...

 

"~<\?php \$_B=__FILE__;\$_C='([^']*?)~"

 

...and...

 

"~base64_decode('[^']*?)~"

 

But I can't imagine that's what you want to do because I don't see a real need for such a specific regex pattern

 

Ok thats what im looking for, but how would i combine both them pattern into 1 preg_match expression?

[cags]

Again, untested, but something like this...

 

"~<\?php \$_B=__FILE__;\$_C='(*?)';eval\(base64_decode\('([^']*?)~"

[newbtophp]

Again, untested, but something like this...

 

"~<\?php \$_B=__FILE__;\$_C='(*?)';eval\(base64_decode\('([^']*?)~"

 

 

preg_match("~<\?php \$_F=__FILE__;\$_X='(*?)';eval\(base64_decode\('([^']*?)~", $file);

 

outputs error:

 

Warning: preg_match() [function.preg-match]: Compilation failed: nothing to repeat at offset 26 in...

[MadTechie]

try

'/<\?php \$_B=__FILE__;\$_C=\'([^\']*?)\';eval\(base64_decode\(\'([^\']*?)\'\)\);\?>/'

__FILE__ is magic 

[cags]

Sorry, that was a typo, there should have be a . before the first *? but it doesn't work anyway, I just checked. The problem is it doesn't match the start of the string. I think it was todo with the way I was matching the dollar signs, it should probably have been [$] rather than \$. Either way, it occured to me if the string is always in that format you perhaps don't need to match the start of the string, if thats the case then...

 

"~'(.*?)';eval\(base64_decode\('(.*?)'~s"

 

... should work. If you do need to match the start of the string let me know and I'll give it another go.

 

EDIT: Or just try MadTechie's suggestion.

[newbtophp]

@ MadTechie

 

Thanks worked great  for string 1:D

 

I tried modifying that to work with string 2:

 

'/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev(\'edoced_46esab\');eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'

 

But it does not work, what am i doing wrong?

 

Thanks

 

Edit: Thanks Cags 

[cags]

As this bit is fixed (\'edoced_46esab\') you need to escape the brackets.

 

'/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev\(\'edoced_46esab\'\);eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'

[newbtophp]

As this bit is fixed (\'edoced_46esab\') you need to escape the brackets.

 

'/<\?php \$_A=__FILE__;\$_B=\'([^\']*?)\';\$_D=strrev\(\'edoced_46esab\'\);eval\(\$_D\(\'([^\']*?)\'\)\);\?>/'

 

Sweet that worked!  Im learning along too!

 

I tried to do the others:

 

string 3:

 

'/<\?php \$__FILE__=__FILE__;\$__B__=\'([^\']*?)\';\$bx=base64_decode\(\"([^\']*?)\"\);eval\(\$bx\(\'([^\']*?)\'\)\);unset\(\$__X__\);unset\(\$__FILE__\); \?>/'

 

string 4:

 

'/<\?php \$m\=\"([^\']*?)\";eval\(base64_decode\(\"([^\']*?)\")\);return;\?>/'

 

But both ended up not working?  :-\

[cags]

Can you post those again in code tags, the screwy display is making them hard to read.

 

Edit: Wtf, did you edit that whilst I was typing? lol

[newbtophp]

Can you post those again in code tags, the screwy display is making them hard to read.

 

Edit: Wtf, did you edit that whilst I was typing? lol

 

My edit:

« Last Edit: Today at 01:59:47 PM by newbtophp »

 

Your reply:

« Reply #13 on: Today at 02:04:17 PM »

 

Looks like the forum displays the edits slightly late lol

[cags]

Ahh, probably because I tend to open a bunch of links at once read through them and reply if I have anything to say. So if your's was one of the latter links it would have a time difference.

 

I quickly tested both your codes, number 3 returns results, are you saying they are incorrect? Number 4 looks about right but theres a closing bracket you haven't escaped. Look backwards from the end and you should see it.

[newbtophp]

Ahh, probably because I tend to open a bunch of links at once read through them and reply if I have anything to say. So if your's was one of the latter links it would have a time difference.

 

I quickly tested both your codes, number 3 returns results, are you saying they are incorrect? Number 4 looks about right but theres a closing bracket you haven't escaped. Look backwards from the end and you should see it.

 

Thanks that solved it!

 

I don't know why string 3 didnt work before, it works ok now. The problem was that string 4 bracket had to be escaped, so everything works.

 

:D