Good day.

I have a script that is covered with some kind of protector, a script for entering the site. There are concerns that there may be malicious code.

I would like to know what kind of encoder this is.

I spent all night on it; none of the public tools can handle it. I would be very grateful for the decoder or at least the decoded script.

Is it possible to deobfuscate it?

Samples:

Encrypted file: https://pastebin.com/etEWDu2S eval(gzuncompress(base64_decode('

The decrypted file (but the lines are obfuscated): https://pastebin.com/AWr6zGg1 $GLOBALS['_1867101966_'][round(0)]

Another route.php file, there are several blocks in general: https://pastebin.com/FmbSyYLZ multiple eval(gzuncompress(base64_decode('

Good luck to all.

  • "or at least a decoded script" So what's stopping you? There are two ways: either sit down and run all these hellish rounds through the interpreter by hand to find out what it actually is, or dig up some libraries for parsing PHP syntax and write an automatic parser. Your choice. - SmInc
  • But this is clearly not hand-encrypted, this is some kind of encoder; if you find out which one, you can search for a decoder :) - JuniorD
  • You will hardly get the sources, and a decoder hardly exists. The rounds do not break the logic; you can skim the file and tell whether there are any vulnerabilities or not. - Manitikyl
  • via r2: www.rada.re - 0-Level UNIX Monk


I don't know of any automated tools (short of writing my own for this particular case), but the script itself is quite simple and is quickly put in order. There is nothing dangerous in it.

    <?php
    // Already logged in: send the visitor back to the site root.
    if (isset($_SESSION['id'])) {
        header('Location: ../');
        exit();
    }

    $message = '';

    // Recovery link handler: ?a=<user id>&data=<token>
    if (isset($_GET['data']) && isset($_GET['a'])) {
        $id = check($_GET['a'], "int");

        $STH = $pdo->prepare("SELECT `id`, `login`, `email` FROM `users` WHERE `id`=:id LIMIT 1");
        $STH->setFetchMode(PDO::FETCH_OBJ);
        $STH->execute(array(':id' => $id));
        $row = $STH->fetch();

        if (empty($row->id)) {
            show_error_page();
        }

        // The token is md5(user id . site code . email . current date).
        if ($_GET['data'] != md5($row->id . $conf->code . $row->email . date("Ymd"))) {
            $message = '<p class=\'text-danger\'>' . $messages['Link_not_active'] . '</p>';
        } else {
            // Generate a new password, store its converted form, and mail the plain one to the user.
            $password = crate_pass(7, 1);
            $password2 = convert_password($password, $conf->salt);

            $STH = $pdo->prepare("UPDATE `users` SET `password`=:password WHERE `id`=:id LIMIT 1");
            if ($STH->execute(array(':password' => $password2, ':id' => $id)) == '1') {
                include_once "inc/notifications.php";
                $letter = recovery_letter($conf->name, $row->login, $password);
                sendmail($row->email, $letter['subject'], $letter['message'], $pdo);
                $message = '<p class=\'text-success\'>' . $messages['Recovery_pass1'] . $row->email . $messages['Recovery_pass2'] . '</p>';
                write_log("User reinstated pass #" . $row->email);
            } else {
                $message = '<p class=\'text-danger\'>' . $messages['Error_page'] . '</p>';
            }
        }
    }

    // Page rendering: title, head, menu, navigation, then the recovery template.
    $tpl->load_template('elements/title.tpl');
    $tpl->set("{title}", $page->title);
    $tpl->set("{name}", $conf->name);
    $tpl->compile('title');
    $tpl->clear();

    $tpl->load_template('head.tpl');
    $tpl->set("{title}", $tpl->result['title']);
    $tpl->set("{site_name}", $conf->name);
    $tpl->set("{image}", $page->image);
    $tpl->set("{robots}", $page->robots);
    $tpl->set("{type}", $page->kind);
    $tpl->set("{description}", $page->description);
    $tpl->set("{keywords}", $page->keywords);
    $tpl->set("{url}", $page->full_url);
    $tpl->set("{other}", '');
    $tpl->set("{token}", $token);
    $tpl->set("{cache}", $conf->cache);
    $tpl->set("{template}", $conf->template);
    $tpl->set("{site_host}", $site_host);
    $tpl->compile('content');
    $tpl->clear();

    $menu = $tpl->get_menu($pdo);

    $nav = array(
        $PI->to_nav('main', 0, 0),
        $PI->to_nav('recovery', 1, 0)
    );
    $nav = $tpl->get_nav($nav, 'elements/nav_li.tpl');

    include_once "inc/not_authorized.php";

    $tpl->load_template('/index/recovery.tpl');
    $tpl->set("{site_host}", $site_host);
    $tpl->set("{template}", $conf->template);
    $tpl->set("{message}", $message);
    $tpl->compile('content');
    $tpl->clear();
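
An added example, not part of the original answer or of any existing decoder: a static unpacker in Python for the `eval(gzuncompress(base64_decode('…')))` wrapper quoted in the samples, which treats each payload as data and never executes it. The function names, the size and depth limits, and the sample input are assumptions constructed for illustration; `fold_round` only handles `round()` calls with an integer literal, as in `[round(0)]`.

```python
import base64
import re
import zlib

# Wrapper seen in the samples: eval(gzuncompress(base64_decode('...')));
WRAPPER = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?")
# Integer-only round() calls used as array indexes, e.g. [round(0)]
ROUND_INT = re.compile(r"\bround\s*\(\s*(\d+)\s*\)")

MAX_LAYERS = 20          # assumed limit: stop runaway nesting
MAX_OUTPUT = 8 * 2**20   # assumed limit: refuse decompression bombs (8 MiB)


def _inflate(b64_text):
    """Decode one payload as data only; nothing is ever executed."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    d = zlib.decompressobj()   # PHP gzuncompress() reads the zlib format
    out = d.decompress(raw, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("payload exceeds MAX_OUTPUT")
    return out.decode("utf-8", errors="replace")


def unpack(source):
    """Peel nested wrappers; return (plain_source, layers_removed)."""
    layers = 0
    while layers < MAX_LAYERS:
        source, n = WRAPPER.subn(lambda m: _inflate(m.group(2)), source)
        if n == 0:
            break
        layers += 1
    return source, layers


def fold_round(source):
    """Replace round(<integer literal>) with the literal to ease reading."""
    return ROUND_INT.sub(lambda m: m.group(1), source)


def _wrap(php):
    """Build a constructed sample shaped like the wrapper in the question."""
    blob = base64.b64encode(zlib.compress(php.encode())).decode()
    return "eval(gzuncompress(base64_decode('%s')));" % blob


# Constructed sample: two nested layers around a harmless statement.
SAMPLE = "<?php " + _wrap(_wrap("echo $GLOBALS['_1867101966_'][round(0)];"))
```

Running `unpack()` on a file's contents and then `fold_round()` on the result gives readable source for review; multi-block files such as the `route.php` sample are covered because every wrapper in the text is replaced on each pass.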