DevNetwork Obfuscated PHP Contest 2006

Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.

Moderator: General Moderators

User avatar
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

Everah wrote:It just needs to be hard to read while still achieving the desired task. Comment filler can be used. I think.
Yeah, comments are fine. They're a great way to obfuscate. Of course, they don't just have to hide code .. they can be the code:

Code: Select all

<?php
 
    //String reversing script
 
    $string = $_GET['string'];
    $f = file_get_contents(basename($PHP_SELF));
    $f = substr($f,12,3).substr($f,19,3);
    echo $f($string);
 
?>
User avatar
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Can we enter twice? I just had a great idea.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I did :) but that was because I liked Hawley's idea and rewrote mine to be like his. Besides, what's the worse that could happen?
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

ok, here's mine:

Code: Select all

 
eval(stripslashes(stripslashes(base64_decode(join('', array_map(
create_function('$q','static$e=true;if($e)$q=chr(0130).chr(0106)
.$q;$e=!$e;return$q;'),preg_split('//',basename(__FILE__,'.php')
,-1,PREG_SPLIT_NO_EMPTY)))))));
 
http://www.codecompare.com/xlxjxoxvwgxz ... tring_here

(Everah, thanks for hosting)
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You got it.
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

d11wtq wrote:

Code: Select all

<?php eval(base64_decode('JHJlbD0nRSA9IG0qY14yJzskYW5zPT'.
'QyOyRmPW51bGw7JF8xXz1vcmQocHJl'.
'Z19yZXBsYWNlKCcvLipcKiguKS4qLy'.
'csJ1xcMScsJHJlbCkpOwokYT1zdWJz'.
'dHIoJF8xXywwLDEpOyRiPXN1YnN0ci'.
'gkXzFfLC0xKTskeD0xOyRnPSYkZjsk'.
'bD1jaHIoJGEuJHgpOyR4Kz0yOyRyPW'.
'NocigkYi4keCk7JHgrPTI7CiR1PWNo'.
'cigocG93KCRhLDIpLyRiKS4keCk7Ci'.
'R3cz0mJGFuczskeT05OyRnPWV2YWwo'.
'c3RyX3JlcGxhY2UoY2hyKCR5KSxjaH'.
'IoJHkqKCR5KygxLzMpKSksJ3JldHVy'.
'biBAJy5jaHIocG93KCsrJHgsMikpLi'.
'R1LidHJy5zdWJzdHIoJHJlbCwwLDEp'.
'LiIJIi4kbC4nInEiJy4kci4nOycpKT'.
'sgJHgtPTM7aWYoJGYpeyRhbnM9YXJy'.
'YXlfc2xpY2UocHJlZ19zcGxpdChzdH'.
'JfcmVwZWF0KGNocigieyR4fTQiKSwy'.
'KSwkZiksMSwtMSk7Zm9yKCRpPW1heC'.
'hhcnJheV9rZXlzKCRhbnMpKTskaT4k'.
'eC00OyRpLS0pZXZhbCgnZScuY2hyKC'.
'RfMV8pLidobyAkd3MnLiRsLiRpLiRy'.
'Lic7Jyk7fQ==')); ?>
Good luck!!

EDIT | You run it as http://foo/script.php?q=word
Very Nice! Though extra eval(base64_decode()) kills all the fun until you base64_decode() it Image
User avatar
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Thanks ~Weirdan... yeah once you've base64 decoded it it's still a complete brain F***, you need to makes notes as you work through it.
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

you need to makes notes as you work through it.
The particular thing I liked is your usage of references, brilliant idea :)
E = m * c^2 is funny as well :)
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent? ;)
Grim...
DevNet Resident
Posts: 1445
Joined: Tue May 18, 2004 5:32 am
Location: London, UK

Post by Grim... »

Shortest:

Code: Select all

<?=strrev($_GET[string])?>
I'll come back with the most complicated...
User avatar
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Weirdan wrote:BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent? ;)
I took a look at that one, very impressive for sure. If I have time I'm going to give this a go. I've got some cool ideas up my sleeve.
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Code: Select all

<?php /*  Obfuscated PHP Contest -- Ambush Commander  */ error_reporting(E_ALL);
for ($i=0;$i<$j=23;$i++){;$a='E';class f{}break;};;while(true){$d='try';$$d='s';
try{$v=(/*'rhc'/*'cd'//*/null).'chr';$k='ord';if($j){$i++;}/*/throw/**\*/0/1;$e=
new e();$i++;throw $e;$v='ord';$k='chr';$j--;$i--;if($j)$i++;--$i;'li';}catch(//
e $e /*(\*/) {break;}}class e extends Exception{public $line;var $e='';}8*8+8//8
;${'k'.(-4+'g6')}=$v($k('G')+030);$d[$i]=$v[$i];$f='k-'.$e->line;$c='*';$c=$c;$m
=$k($c);;do{$j=&$m;$m*=$i;$g=$v($j);}while(!($z='G'));$m="$z$a$g";$j=$$f.$j;$$a=
$$m;$$v=$E[$k[--$i]];function extend($a,$v,$e,$t,$f,$i){return --$a?$v:$e?$a?$t:
$f:$i;}$w=extend($i,$a,$v,$e,$try,null);$w.=$d.'ev';print ''?$chr($w):$w($chr)?>
Make sure there's no leading spaces if you decide to test it. Pass a string using ?r=string. You can try highlighting it, but I warn you: it won't do much good. ;-)

Oh, by the way, PHP 5.1.4. This code takes advantage of a bug with PHP 5.1.4 involving variable variables:

Code: Select all

 
$l = 'l-2';
$$l = 'foo';
echo $$l;
 
Works. I was surprised when I found it.
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

You can try highlighting it, but I warn you: it won't do much good.
Well, it did. Here's my analysis:

Code: Select all

 
<?php 
   /*  Obfuscated PHP Contest -- Ambush Commander  */ 
   error_reporting(E_ALL);
   for ($i=0; $i<$j=23; $i++) {;
      $a='E';
      class f{}
      break;
   };;
   // $a='E'
   while(true){
      $d='try';
      $$d='s'; // $try = 's'
      try {
         $v=(/*'rhc'/*'cd'//*/null).'chr'; // $v='chr'
         $k='ord'; // $k='ord'
         if($j){ // always true
            $i++; // was 0, now $i=1
         }/*/throw/**\*/
         0/1;
         $e=new e();
         $i++; // $i=2
         throw $e; // break out of the loop
         $v='ord';
         $k='chr';
         $j--;
         $i--;
         if($j)
            $i++;
         --$i;
         'li';
      }catch( e $e /*(\*/) {
         break;
      }
   }
   class e extends Exception{
      public $line;
      var $e='';
   }
   8*8+8//8;
   ${'k'.(-4+'g6')}=$v($k('G')+030);// ${'k-4'} = chr(ord('G') + 36) = chr(71+36) = chr(107) = 'k'
   $d[$i]=$v[$i]; // $i=2 $d='try' $v='chr' ==> $d='trr'
   $f='k-'.$e->line; // in original code exception was thrown on line 4 ==> $f='k-4'
   $c='*';
   $c=$c;
   $m=$k($c); // $m = ord('*') ==> 42
   ;
   do{
      $j=&$m; // 42
      $m*=$i; // $m=$j= 42*2 ==> 84
      $g=$v($j); // $g = chr(84) = 'T'
   }while(!($z='G')); // false, but $z = 'G'
   $m="$z$a$g"; // $m = $j = 'G'.'E'.'T'
   $j=$$f.$j; // $j = $m = ${'k-4'}.'GET'
   $$a=$$m; // $E = ${'k-4'}.'GET' .... perhaps, $E = $_GET;
   $$v=$E[$k[--$i]]; // $i=2, $k[--$i] = 'r', $chr = $_GET['r']
   function extend($a,$v,$e,$t,$f,$i){
      // $a=1, $v='E', $e='chr', $t=object, $f='s', $i=null
      return --$a ? $v : $e ? $a ? $t : $f : $i;
      // return (
      //          --$a ?  // false
      //          $v : 
      //          (
      //             $e ? // true 
      //             ($a ? $t : $f) :  // will return $f ==> 's'
      //             $i
      //         )
      //      );
   }
   $w=extend($i,$a,$v,$e,$try,null); // $i=1, $a='E', $v='chr', $e=object, $try='s', null=null
   $w.=$d.'ev'; // $w = 's'.'trr'.'ev' 
   print ''?$chr($w):$w($chr); // will run $w($chr) ==> strrev($_GET['r'])
?>
 
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

This code takes advantage of a bug with PHP 5.1.4 involving variable variables:

Code: Select all

$l = 'l-2';
$$l = 'foo';
echo $$l;
Works. I was surprised when I found it.
How does it work? I have no 5.1.4 at hand...
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Not really sure, you'd have to ask the PHP developers. Impressive analysis. I'll have to use more esoteric language features next time.
Post Reply