Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Timesink.
Posted by: Skyphire
Date: April 05, 2011 09:07PM

After deobfuscating this turd:

http://pastie.org/1761035

I got this:

http://pastie.org/1761013

What a waste of time. It's a big pile of crapiola. It writes a bunch of files and folders, a .htaccess, makes some calls to Google and stuff. Does anybody see some logic in it??? Btw, it took quite a while to deobfuscate it actually. Are there any methods to do it faster? I simply ran a couple of var_dumps and a bunch of loops that figure out the arrays.

Re: Timesink.
Posted by: Skyphire
Date: April 05, 2011 09:14PM

Oh, and I was expecting some super awesome console of some kind. And if you want a challenge, let's see how fast you can de-obfuscate the first paste. Took me quite a bit actually. Didn't keep the time, but it was probably an hour or so.

Re: Timesink.
Posted by: Reiners
Date: April 06, 2011 01:49PM

about 30mins with token parsing :)

script for deobfuscation: http://pastie.org/1763886
output: http://pastie.org/1763894 (can be optimized a lot more by parsing other tokens as well)

edit:
obfus3.php contains the echo'd code from the third eval block.



Edited 1 time(s). Last edit at 04/06/2011 01:50PM by Reiners.

Re: Timesink.
Posted by: Skyphire
Date: April 06, 2011 07:01PM

Nice, Reiners! Pretty sweet way to do it.

Re: Timesink.
Posted by: Skyphire
Date: April 09, 2011 07:11PM

I was pondering a way to automate this without any additional/manual steps, any ideas? I thought about simply using an eval as a function and then simply dumping it? Not sure if that is the correct approach though.

Re: Timesink.
Posted by: Reiners
Date: April 10, 2011 10:51AM

Stefan Esser wrote an extension called evalhook:
http://php-security.org/2010/05/13/article-decoding-a-user-space-encoded-php-script/
