Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Non-alpha PHP code
Posted by: Gareth Heyes
Date: September 22, 2011 11:59AM

I guess the fun can begin all over again :D

[www.thespanner.co.uk]

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 09/22/2011 07:05PM by Gareth Heyes.

Re: Non-alpha PHP code
Posted by: barbarianbob
Date: September 22, 2011 06:26PM

Not part of the new minification effort, but that bitwise stuff is really good for obfuscation.

Ex:
$create_function = '`pd`td_dtl`thll'|'cbaa`a_babc`acb';
$register_shutdown_function = 'pddhptdp_phttdltl_dtl`thll'|'bacac`ab_c`a``ccb_babc`acb';

$shell = 'var_dump(123);';

$register_shutdown_function($create_function('', $shell));

Here all the var names can be changed, but you can still get the func names as strings without actually writing them. This would make it impossible to find just by grepping through the source.


Half-assed code to generate the strings:
$str='create_function';
$part1 = '';
$part2 = '';
for($a=0;$a<strlen($str);$a+=1){
  $chr = $str[$a];
  if($chr < 'a' || $chr > 'z'){
    $part1.=$chr;
    $part2.=$chr;
    continue;
  }
  $num = ord($chr);
  $bin = substr(str_pad(base_convert($num, 10, 2), 8, '0', STR_PAD_LEFT), 0, 8);
  $part1.=chr(base_convert('011'.substr($bin,3,3).'00', 2, 10));
  $part2.=chr(base_convert('011000'.substr($bin,6,2), 2, 10));
}
var_dump(
  $part1,
  $part2,
  $part1 | $part2
);
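
A reviewer's counterpart to the bitwise trick in the post above, as an added example that is not part of the original post: it folds `'literal' | 'literal'` expressions (also `&` and `^`) the way PHP combines string operands and reports the resulting name, which a plain grep for the function name misses. The watch list, helper names and the last sample line are assumptions made for illustration; only literal-to-literal expressions on one line are handled.

```python
import re

# PHP string literals without escapes or interpolation (a simplification).
_SQ = r"'([^'\\]*)'"
_DQ = r'"([^"\\$]*)"'
_LIT = "(?:" + _SQ + "|" + _DQ + ")"
_EXPR = re.compile(_LIT + r"\s*([|&^])\s*" + _LIT)

# Constructed watch list; extend it to match local review policy.
WATCHLIST = {"create_function", "register_shutdown_function", "assert",
             "eval", "system", "exec", "passthru", "shell_exec"}

def php_bitwise(left: bytes, op: str, right: bytes) -> bytes:
    """Combine two byte strings the way PHP does for string operands."""
    if op == "|":
        # OR keeps the longer length; the tail of the longer operand survives.
        n = max(len(left), len(right))
        pairs = zip(left.ljust(n, b"\0"), right.ljust(n, b"\0"))
        return bytes(a | b for a, b in pairs)
    # AND and XOR stop at the shorter operand.
    if op == "&":
        return bytes(a & b for a, b in zip(left, right))
    return bytes(a ^ b for a, b in zip(left, right))

def scan(source: str):
    """Return (line number, folded string, on watch list) per expression."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in _EXPR.finditer(line):
            left = (m.group(1) or m.group(2) or "").encode("utf-8")
            right = (m.group(4) or m.group(5) or "").encode("utf-8")
            folded = php_bitwise(left, m.group(3), right).decode("latin-1")
            findings.append((lineno, folded, folded.lower() in WATCHLIST))
    return findings

# Lines 2 and 3 are the literals from the post above; line 4 is constructed.
SAMPLE = r"""<?php
$create_function = '`pd`td_dtl`thll'|'cbaa`a_babc`acb';
$register_shutdown_function = 'pddhptdp_phttdltl_dtl`thll'|'bacac`ab_c`a``ccb_babc`acb';
$greeting = 'plain' . 'concat';
"""

if __name__ == "__main__":
    for lineno, folded, hit in scan(SAMPLE):
        print(f"line {lineno}: folds to {folded!r} watchlisted={hit}")
```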

Re: Non-alpha PHP code
Posted by: Gareth Heyes
Date: September 22, 2011 07:05PM

Stefan Esser (of course) found the shortest way to create an array:
@$§[]=$§;

So here we need to convert it to strings and get "_" for complete non-alpha without quotes or underscore. I wonder how small it can get? :D

Here's how to get underscore: $§[]=$§;$§=$§.$§;$§§=+$§;$§[+$§§++]|($§[$§§+$§§+$§§]^);

I started work on a basic generator, lots of chars still missing;


(function(){   

//externals
params = ['Ϩ'];
code = 'array0123456789';
//end externals

    var i,
        output = '', lookup;
    output += '<?php\n';
    output += '$'+params[0]+'[]=$'+params[0]+';';
    output += '$'+params[0]+'=$'+params[0]+'.$'+params[0]+';';
    output += '$'+params[0]+''+params[0]+'=+$'+params[0]+';';
    output += '$'+params[0]+''+params[0]+''+params[0]+'=$'+params[0]+'[+$'+params[0]+''+params[0]+'++]|($'+params[0]+'[$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+']^);';       
    lookup = {
                0:'(+$'+params[0]+')',
                1:'($'+params[0]+''+params[0]+')',
                2:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                3:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                4:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                5:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                6:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                7:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                8:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                9:'($'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+')',
                '_':'$'+params[0]+''+params[0]+''+params[0],
                'A':'$'+params[0]+'[+$'+params[0]+']',
                'a':'$'+params[0]+'[$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+']',
                'r':'$'+params[0]+'[$'+params[0]+''+params[0]+']',
                'y':'$'+params[0]+'[$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+']',
                's':'($'+params[0]+'[$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+']|'+'$'+params[0]+'[$'+params[0]+''+params[0]+'])',
                'p':'($'+params[0]+'[$'+params[0]+''+params[0]+']&'+'$'+params[0]+'[$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'+$'+params[0]+''+params[0]+'])',
                'R':'($'+params[0]+'[$'+params[0]+''+params[0]+']'
    };
    output += '\n?>';
    output += '<?php\n';
    output += code.replace(/./g,function(c){
        if(lookup[c]) {
            return '.('+lookup[c]+')';
        } else {
            return c;
        }
    }).replace(/^[.]/,'');       
    output += '\n?>';
    return output;
})();

Edited 1 time(s). Last edit at 09/23/2011 01:20PM by Gareth Heyes.
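
A detection heuristic for the quoteless, non-alpha style discussed in the post above, as an added example that is not part of the original post: with no string literals to fold, the remaining signal is the shape of the code itself, so this profiles each PHP block for its share of ASCII letters, variables named without any ASCII letter or digit, and bitwise operators applied to string offsets. The thresholds, field names and the benign sample are assumptions chosen for illustration.

```python
import re

_PHP_BLOCK = re.compile(r"<\?php(.*?)(?:\?>|\Z)", re.S)
# String literals and comments are dropped so only operators and names count.
_NOISE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
# PHP allows any byte >= 0x80 in a variable name.
_VAR = re.compile(
    r"\$([A-Za-z_\u0080-\U0010ffff][A-Za-z0-9_\u0080-\U0010ffff]*)")
_INDEX_BITOP = re.compile(r"\][|&^]")

def _has_ascii_alnum(name: str) -> bool:
    return any(c.isascii() and c.isalnum() for c in name)

def profile(source: str, min_size: int = 16, max_alpha_ratio: float = 0.10):
    """Return one report per PHP block found in source."""
    reports = []
    for m in _PHP_BLOCK.finditer(source):
        # Remove literals, comments and all whitespace before measuring.
        code = "".join(_NOISE.sub("", m.group(1)).split())
        letters = sum(c.isascii() and c.isalpha() for c in code)
        ratio = letters / len(code) if code else 1.0
        names = set(_VAR.findall(code))
        reports.append({
            "size": len(code),
            "alpha_ratio": ratio,
            "non_alnum_vars": {n for n in names if not _has_ascii_alnum(n)},
            "index_bitops": len(_INDEX_BITOP.findall(code)),
            "flagged": len(code) >= min_size and ratio < max_alpha_ratio,
        })
    return reports

# The underscore snippet exactly as it appears in the post above.
NON_ALPHA = "<?php $§[]=$§;$§=$§.$§;$§§=+$§;$§[+$§§++]|($§[$§§+$§§+$§§]^); ?>"
# Constructed benign sample for comparison.
BENIGN = "<?php function add($a, $b) { return $a + $b; } echo add(1, 2); ?>"

if __name__ == "__main__":
    for label, src in (("non-alpha", NON_ALPHA), ("benign", BENIGN)):
        print(label, profile(src))
```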

Re: Non-alpha PHP code
Posted by: Gareth Heyes
Date: September 26, 2011 12:41PM

And I decided to be lazy and make a better one:

[hackvertor.co.uk]

Quoteless, underscoreless, this calls assert and chr for every char and will allow you to generate anything.

Edited 1 time(s). Last edit at 09/26/2011 12:41PM by Gareth Heyes.
