Zend decompiler - NOW created

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

alex_123
Forum Newbie
Posts: 5
Joined: Thu Jun 02, 2005 1:56 am

Post by alex_123 »

We can decompile any files that are encoded by Zend technology. This program has been developed for encryption of some sites whose source code was lost.

As a sample, ModernBill 4.3 has been fully decompiled. Whoever wants it - we will send suitable information.

We can help if you lost source code for your sites.

This topic was created not to advertise our software, but to give notice that Zend, Ioncube, etc. DO NOT PROTECT YOUR PHP CODE. :!:

If someone doubts, please send me your encoded files - I will publish their open source code in this forum.

Your reply. Thanks. 8)
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Hmmm.... and you charge for licensing?

I'm not sure what to say... I'm interested in how easily you've done this if what you're claiming is true, but I'm also concerned by the security implications of it. We have a few cryptology whizzes here who will no doubt be interested in this too 8O
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Frankly, I don't think PHP should be closed source, it should either be released and the source is open, or it should not be released at all. However, I'm a bit skeptical about this claim (1st post, no reference to external material, etc).
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

d11wtq wrote:We have a few cryptology whizzes here who will no doubt be interested in this too 8O
Yeah, I'm rather inclined to think it's not true.

From what I remember, the Zend encoder essentially uses a PKI (Public Key) system for encoding. Without the private key, you can't decode it. Now, I suspect if there is a weakness, it would be in guessing the private key. That might be feasible, but even then I'd be surprised.

If I had a copy of Zend Encoder, I'd push a few sample scripts through it and post 'em.. if for nothing else than to prove it's false. Unfortunately, I don't, so I'll just wait to see if any further proof is given. Sounds sketchy to me.

UPDATE: Months later a very informed blog post makes clear that if you can modify the php executable, you can 'capture' the unencrypted code before php interprets it. So no matter how Zend works its magic with encoding, it will be possible to capture the unencrypted output before the parser gets it. I stand humbly corrected.
Last edited by Roja on Thu Oct 06, 2005 9:24 am, edited 1 time in total.
alex_123
Forum Newbie
Posts: 5
Joined: Thu Jun 02, 2005 1:56 am

Post by alex_123 »

I am very surprised ... :wink:
If you think it's a lie, then answer me: FOR WHAT did I create this topic :)

Ok. You want proof? I will give it.

I am placing part of the file "functions.inc.php" from ModernBill 4.3. This file was encoded by Zend. This is a CORE file in ModernBill and this file is certainly and always encoded!

****************** part of FUNCTIONS.INC.PHP *******************


<?php

// file: d:\Program Files\Apache Group\Apache2\htdocs\mb43\include\functions.inc.php - 04/31/05 23:42:27

global $rc;
$_CONFIG["modules"]["mod_license"]["enabled"] = FALSE;
$tier2 = TRUE;
$version = $current_version = "4.3.1";
$build_type = "Commercial Product";
$version_name = "Modern Bill .:. Hosting Management System";
$mbchecksum = "ljhgerot782075ghv7092cceewwwegse3e3e4ersg987jnhg6tsdasdas3jgu9766r6f3g4f65gr89GVRCETFO";
if (function_exists("ini_get"))
{
   $onoff = ini_get("register_globals");
}
else
{
   $onoff = get_cfg_var("register_globals");
}
if (($onoff) != (1))
{
@   extract($HTTP_SERVER_VARS, EXTR_SKIP);
@   extract($HTTP_COOKIE_VARS, EXTR_SKIP);
@   extract($HTTP_POST_FILES, EXTR_SKIP);
@   extract($HTTP_POST_VARS, EXTR_SKIP);
@   extract($HTTP_GET_VARS, EXTR_SKIP);
@   extract($HTTP_ENV_VARS, EXTR_SKIP);
   global $_SERVER;
@   extract($_SERVER, EXTR_SKIP);
   global $_COOKIE;
@   extract($_COOKIE, EXTR_SKIP);
   global $_POST;
@   extract($_POST, EXTR_SKIP);
   global $_GET;
@   extract($_GET, EXTR_SKIP);
   global $_ENV;
@   extract($_ENV, EXTR_SKIP);
}

if (($DIR && $HTTP_COOKIE_VARS[DIR]) || ($DIR && $HTTP_POST_VARS[DIR]) || ($DIR && $HTTP_GET_VARS[DIR]) || ($DIR && $_COOKIE[DIR]) || ($DIR && $_POST[DIR]) || ($DIR && $_GET[DIR]))
{
   $ip = $HTTP_SERVER_VARS[REMOTE_ADDR];
   $host = gethostbyaddr($ip);
   $url = $HTTP_SERVER_VARS["HTTP_HOST"] . $HTTP_SERVER_VARS["REQUEST_URI"];
   $admin = ($GLOBALS[SERVER_ADMIN]?$GLOBALS[SERVER_ADMIN]:"security@modernbill.com");
   $body = "IP:	" . $ip . "
   HOST:	" . $host . "
   URL:	" . $url . "
   VER:	" . $version . "
   TIME:	" . date("Y/m/d: h:i:s") . "
   ";
@   mail($admin, "Possible breakin attempt.", $body, "From: " . $admin . "

   ");
   echo str_repeat(" ", 300) . "
   ";
   str_repeat(" ", 300);
   flush();
   echo " <html><head><body><center><h3><tt><b><font color=RED>Security violation from: ";
   echo $ip;
   echo " @ ";
   echo $host;
   echo "</font></b></tt></h3></center><hr><pre>";
@   system("traceroute " . escapeshellcmd($ip) . " 2>&1");
   echo "</pre><hr><center><h2><tt><b><font color=RED>The admin has been alerted.</font></b></tt></h2></center></body></html>";
   exit ();
}
***************************** end of part functions.inc.php *********

Below I have placed part of the bytecodes of this file

***************************** part of BYTE-CODES for functions.inc.php ***


filename:       d:\Program Files\Apache Group\Apache2\htdocs\include\functions.inc2.php
function name:  (null)
number of ops:  1347
line     #  op                           fetch          ext  operands
-------------------------------------------------------------------------------
   2     0  FETCH_CONSTANT                                   tempvar1, 'FALSE'
         1  FETCH_DIM_W                                      tempvar0, $_CONFIG, 'modules'
         2  FETCH_DIM_W                                      tempvar2, tempvar0, 'mod_license'
         3  FETCH_DIM_W                                      tempvar0, tempvar2, 'enabled'
         4  ASSIGN                                           tempvar0, tempvar1
  24     5  FETCH_CONSTANT                                   tempvar0, 'TRUE'
         6  ASSIGN                                           $tier2, tempvar0
  25     7  ASSIGN                                           tempvar0, $current_version, '4.2.1'
         8  ASSIGN                                           $version, tempvar0
  26     9  ASSIGN                                           $build_type, 'DEMO:Z'
  27    10  ASSIGN                                           $version_name, 'ModernBill .:. Client Billing System'
  28    11  ASSIGN                                           $mbchecksum, 'ljhgerot782075ghv7092cceewwwegse3e3e4ersg987jnhg6tsdasdas3jgu9766r6f3g4f65gr89GVRCETFO'
  42    12  INIT_FCALL_BY_NAME                               'function_exists'
        13  SEND_VAL                                         'ini_get'
        14  DO_FCALL_BY_NAME                              1  tempvar0, 'function_exists', 0
        15  JMPZ                                             tempvar0, ->21
  43    16  INIT_FCALL_BY_NAME                               'ini_get'
        17  SEND_VAL                                         'register_globals'
        18  DO_FCALL_BY_NAME                              1  tempvar0, 'ini_get', 0
        19  ASSIGN                                           $onoff, tempvar0
  44    20  JMP                                              ->25
  45    21  INIT_FCALL_BY_NAME                               'get_cfg_var'
        22  SEND_VAL                                         'register_globals'
        23  DO_FCALL_BY_NAME                              1  tempvar0, 'get_cfg_var', 0
        24  ASSIGN                                           $onoff, tempvar0
  47    25  IS_NOT_EQUAL                                     tempvar0, $onoff, 1
        26  JMPZ                                             tempvar0, ->115
  48    27  BEGIN_SILENCE                                    
        28  INIT_FCALL_BY_NAME                               'extract'
        29  FETCH_FUNC_ARG                                   tempvar1, 'HTTP_SERVER_VARS'
        30  SEND_VAR                                         tempvar1
        31  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        32  SEND_VAL                                         tempvar1
        33  DO_FCALL_BY_NAME                              2  'extract', 0
        34  END_SILENCE                                      tempvar0, 
  49    35  BEGIN_SILENCE                                    
        36  INIT_FCALL_BY_NAME                               'extract'
        37  FETCH_FUNC_ARG                                   tempvar1, 'HTTP_COOKIE_VARS'
        38  SEND_VAR                                         tempvar1
        39  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        40  SEND_VAL                                         tempvar1
        41  DO_FCALL_BY_NAME                              2  'extract', 0
        42  END_SILENCE                                      tempvar0, 
  50    43  BEGIN_SILENCE                                    
        44  INIT_FCALL_BY_NAME                               'extract'
        45  FETCH_FUNC_ARG                                   tempvar1, 'HTTP_POST_FILES'
        46  SEND_VAR                                         tempvar1
        47  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        48  SEND_VAL                                         tempvar1
        49  DO_FCALL_BY_NAME                              2  'extract', 0
        50  END_SILENCE                                      tempvar0, 
  51    51  BEGIN_SILENCE                                    
        52  INIT_FCALL_BY_NAME                               'extract'
        53  FETCH_FUNC_ARG                                   tempvar1, 'HTTP_POST_VARS'
        54  SEND_VAR                                         tempvar1
        55  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        56  SEND_VAL                                         tempvar1
        57  DO_FCALL_BY_NAME                              2  'extract', 0
        58  END_SILENCE                                      tempvar0, 
  52    59  BEGIN_SILENCE                                    
        60  INIT_FCALL_BY_NAME                               'extract'
        61  FETCH_FUNC_ARG                                   tempvar1, 'HTTP_GET_VARS'
        62  SEND_VAR                                         tempvar1
        63  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        64  SEND_VAL                                         tempvar1
        65  DO_FCALL_BY_NAME                              2  'extract', 0
        66  END_SILENCE                                      tempvar0, 
  53    67  BEGIN_SILENCE                                    
        68  INIT_FCALL_BY_NAME                               'extract'
        69  FETCH_FUNC_ARG                                   tempvar1, 'HTTP_ENV_VARS'
        70  SEND_VAR                                         tempvar1
        71  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        72  SEND_VAL                                         tempvar1
        73  DO_FCALL_BY_NAME                              2  'extract', 0
        74  END_SILENCE                                      tempvar0, 
  54    75  BEGIN_SILENCE                                    
        76  INIT_FCALL_BY_NAME                               'extract'
        77  FETCH_FUNC_ARG               global              tempvar1, '_SERVER'
        78  SEND_VAR                                         tempvar1
        79  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        80  SEND_VAL                                         tempvar1
        81  DO_FCALL_BY_NAME                              2  'extract', 0
        82  END_SILENCE                                      tempvar0, 
  55    83  BEGIN_SILENCE                                    
        84  INIT_FCALL_BY_NAME                               'extract'
        85  FETCH_FUNC_ARG               global              tempvar1, '_COOKIE'
        86  SEND_VAR                                         tempvar1
        87  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        88  SEND_VAL                                         tempvar1
        89  DO_FCALL_BY_NAME                              2  'extract', 0
        90  END_SILENCE                                      tempvar0, 
  56    91  BEGIN_SILENCE                                    
        92  INIT_FCALL_BY_NAME                               'extract'
        93  FETCH_FUNC_ARG               global              tempvar1, '_POST'
        94  SEND_VAR                                         tempvar1
        95  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
        96  SEND_VAL                                         tempvar1
        97  DO_FCALL_BY_NAME                              2  'extract', 0
        98  END_SILENCE                                      tempvar0, 
  57    99  BEGIN_SILENCE                                    
       100  INIT_FCALL_BY_NAME                               'extract'
       101  FETCH_FUNC_ARG               global              tempvar1, '_GET'
       102  SEND_VAR                                         tempvar1
       103  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
       104  SEND_VAL                                         tempvar1
       105  DO_FCALL_BY_NAME                              2  'extract', 0
       106  END_SILENCE                                      tempvar0, 
  58   107  BEGIN_SILENCE                                    
       108  INIT_FCALL_BY_NAME                               'extract'
       109  FETCH_FUNC_ARG               global              tempvar1, '_ENV'
       110  SEND_VAR                                         tempvar1
       111  FETCH_CONSTANT                                   tempvar1, 'EXTR_SKIP'
       112  SEND_VAL                                         tempvar1
       113  DO_FCALL_BY_NAME                              2  'extract', 0
       114  END_SILENCE                                      tempvar0, 
  68   115  JMPZ_EX                                          tempvar0, $DIR, ->142
       116  FETCH_CONSTANT                                   tempvar1, 'DIR'
       117  FETCH_DIM_R                                      tempvar2, $HTTP_COOKIE_VARS, tempvar1
       118  JMPNZ_EX                                         tempvar1, tempvar2, ->141
       119  FETCH_CONSTANT                                   tempvar3, 'DIR'
       120  FETCH_DIM_R                                      tempvar2, $HTTP_POST_VARS, tempvar3
       121  BOOL                                             tempvar1, tempvar2
       122  JMPNZ_EX                                         tempvar1, tempvar1, ->141
       123  FETCH_CONSTANT                                   tempvar3, 'DIR'
       124  FETCH_DIM_R                                      tempvar2, $HTTP_GET_VARS, tempvar3
       125  BOOL                                             tempvar1, tempvar2
       126  JMPNZ_EX                                         tempvar1, tempvar1, ->141
       127  FETCH_CONSTANT                                   tempvar4, 'DIR'
       128  FETCH_R                      global              tempvar3, '_COOKIE'
       129  FETCH_DIM_R                                      tempvar2, tempvar3, tempvar4
       130  BOOL                                             tempvar1, tempvar2
       131  JMPNZ_EX                                         tempvar1, tempvar1, ->141
       132  FETCH_CONSTANT                                   tempvar4, 'DIR'
       133  FETCH_R                      global              tempvar3, '_POST'
       134  FETCH_DIM_R                                      tempvar2, tempvar3, tempvar4
       135  BOOL                                             tempvar1, tempvar2
       136  JMPNZ_EX                                         tempvar1, tempvar1, ->141
       137  FETCH_CONSTANT                                   tempvar4, 'DIR'
       138  FETCH_R                      global              tempvar3, '_GET'
       139  FETCH_DIM_R                                      tempvar2, tempvar3, tempvar4
       140  BOOL                                             tempvar1, tempvar2
       141  BOOL                                             tempvar0, tempvar1
       142  JMPZ                                             tempvar0, ->221
       143  FETCH_CONSTANT                                   tempvar1, 'REMOTE_ADDR'
       144  FETCH_DIM_R                                      tempvar0, $HTTP_SERVER_VARS, tempvar1
       145  ASSIGN                                           $ip, tempvar0
       146  INIT_FCALL_BY_NAME                               'gethostbyaddr'
       147  FETCH_FUNC_ARG                                   tempvar0, 'ip'
       148  SEND_VAR                                         tempvar0
       149  DO_FCALL_BY_NAME                              1  tempvar0, 'gethostbyaddr', 0
       150  ASSIGN                                           $host, tempvar0
**************** end of part of BYTE-CODES for functions.inc.php ***

First of all we must decrypt the ZEND-encoded file, and we will get BYTECODES.
Then (very difficult) we will RESTORE the original plain text from the BYTECODES.

Do you really think IT is impossible? :?


Your reply. Many thanks.


( JAM | Very interesting. But now read the rules on how to post code snippets on the board, using the proper tags. Thank you. )
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Roja wrote:From what I remember, the Zend encoder essentially uses a PKI (Public Key) system for encoding. Without the private key, you can't decode it. Now, I suspect if there is a weakness, it would be in guessing the private key. That might be feasible, but even then I'd be surprised.
Zend wrote:The Zend Encoder compiles and converts plain-text PHP scripts into a platform-independent binary format known as a 'Zend Intermediate Code' file.
Just compiles it. It should be reversible.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

If we can verify that came from the function page, then that'll pose some interesting questions as to how Zend will react. Will a client file a lawsuit (after all, the encoder ain't cheap-- $960)? Change their encoding scheme? Drop encoding completely?

Besides, http://www.invisionboard.com/?triallimited gives you the source code if you buy their license (I know, I'm downplaying this).
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Ambush Commander wrote:If we can verify that came from the function page, then that'll pose some interesting questions as to how Zend will react. Will a client file a lawsuit (after all, the encoder ain't cheap-- $960)? Change their encoding scheme? Drop encoding completely?

Besides, http://www.invisionboard.com/?triallimited gives you the source code if you buy their license (I know, I'm downplaying this).
Since you bring up legal issues, hasn't DMCA just been violated in the above post?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Yup. Definitely (well, if it is the real thing).

http://www.modernbill.com/download/order.htm?tier=32
EULA wrote:4. PROHIBITION ON REVERSE ENGINEERING, DECOMPILATION, AND DISASSEMBLY.

You may not reverse engineer, decompile, defeat license encryption mechanisms, or disassemble the Software Product or Software Product License except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.
EDIT - Well, unless you count this as fair, demonstration-of-concept use.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Usually you can decompile... But the issue is that you end up with "funky" function names and variable names...

I can give only one good suggestion: Don't buy encrypted code. Request that you have the right to view/modify the source. It will save you money in the long run..
alex_123
Forum Newbie
Posts: 5
Joined: Thu Jun 02, 2005 1:56 am

Post by alex_123 »

According to Zend technology and the specific character of PHP, bytecodes FULLY hold the original names of all classes, functions and variables!

Decompiled code comes out very like the original source code. In PHP5, bytecodes contain even all comments.

Draw a conclusion ...
sanchez
Forum Newbie
Posts: 2
Joined: Wed Sep 21, 2005 10:31 am

Post by sanchez »

neato
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

So.. the claim is that PHP when 'compiled' maintains comments etc?

Not likely..
sanchez
Forum Newbie
Posts: 2
Joined: Wed Sep 21, 2005 10:31 am

Post by sanchez »

I wonder if this is related to the "reflection API" that comes with PHP5; this adds the ability to reverse-engineer classes, interfaces, functions and methods as well as extensions. Additionally, the reflection API also offers ways of retrieving doc comments for functions, classes and methods.

anyone know?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The reflection API, when used on built-in stuff, doesn't tell you a whole hell of a lot... really basic schema information on each thing, no data on parameters to functions really.. When used on user-defined stuff, it returns a LOT of information..
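A quick way to see for yourself how much feyd's last point holds, as an added example that is not code from the thread: once a user-defined function or class has been compiled (by the normal engine or from an encoded file), PHP's Reflection API can still read back its names, parameter names, line numbers and doc comments. The function and class below are hypothetical, constructed for this example; it assumes PHP 7.4 or later. The takeaway for defenders is that anything written into source comments or identifiers survives compilation and should not be treated as hidden.

```php
<?php
// Added example, not from the forum thread. Everything below is
// constructed: a throwaway function and class with doc comments,
// then Reflection calls that read them back from the compiled code.

/**
 * Hypothetical helper: builds a greeting for a billing customer.
 * @param string $name customer display name
 * @param int    $tier service tier (constructed value)
 */
function mb_greet(string $name, int $tier = 1): string
{
    return "Hello, $name (tier $tier)";
}

/** Hypothetical license check, constructed for this example. */
class LicenseCheck
{
    /** Comments survive compilation: do not document secrets here. */
    private string $expected = 'EXAMPLE-KEY-NOT-REAL';

    /**
     * Compare a supplied key against the expected one.
     * @param string $key key supplied by the caller
     */
    public function verify(string $key): bool
    {
        return hash_equals($this->expected, $key);
    }
}

// Reads back what the engine kept for a user-defined function.
function describe_function(string $fn): array
{
    $rf = new ReflectionFunction($fn);
    return [
        'name'   => $rf->getName(),
        'file'   => basename($rf->getFileName()),
        'lines'  => [$rf->getStartLine(), $rf->getEndLine()],
        'params' => array_map(fn(ReflectionParameter $p) => $p->getName(), $rf->getParameters()),
        'doc'    => $rf->getDocComment(),
    ];
}

// Reads back class, method and property metadata, including doc comments.
function describe_class(string $cls): array
{
    $rc  = new ReflectionClass($cls);
    $out = ['name' => $rc->getName(), 'doc' => $rc->getDocComment(), 'methods' => [], 'props' => []];
    foreach ($rc->getMethods() as $m) {
        $out['methods'][$m->getName()] = [
            'params' => array_map(fn(ReflectionParameter $p) => $p->getName(), $m->getParameters()),
            'doc'    => $m->getDocComment(),
        ];
    }
    foreach ($rc->getProperties() as $p) {
        // Private properties are listed too; only their values stay private.
        $out['props'][$p->getName()] = $p->getDocComment();
    }
    return $out;
}

print_r(describe_function('mb_greet'));
print_r(describe_class('LicenseCheck'));
```

Run it with `php example.php`; the output lists every identifier and doc comment above, which is the same information a bytecode-level tool would have available to it.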