Ye' old general discussion board. Basically, for everything that isn't covered elsewhere. Come here to shoot the breeze, shoot your mouth off, or whatever suits your fancy.
This forum is not for asking programming related questions.
Moderator: General Moderators
onion2k
Jedi Mod
Posts: 5263 Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com
Post
by onion2k » Wed Aug 09, 2006 5:29 pm
Everah wrote: It just needs to be hard to read while still achieving the desired task. Comment filler can be used. I think.
Yeah, comments are fine. They're a great way to obfuscate. Of course, they don't just have to hide code .. they can be the code:
Code: Select all
<?php
//String reversing script
$string = $_GET['string'];
$f = file_get_contents(basename($PHP_SELF));
$f = substr($f,12,3).substr($f,19,3);
echo $f($string);
?>
jayshields
DevNet Resident
Posts: 1912 Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England
Post
by jayshields » Wed Aug 09, 2006 6:45 pm
Can we enter twice? I just had a great idea.
RobertGonzalez
Site Administrator
Posts: 14293 Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA
Post
by RobertGonzalez » Wed Aug 09, 2006 6:46 pm
I did
but that was because I liked Hawley's idea and rewrote mine to be like his. Besides, what's the worse that could happen?
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
Post
by Weirdan » Wed Aug 09, 2006 8:54 pm
ok, here's mine:
Code: Select all
eval(stripslashes(stripslashes(base64_decode(join('', array_map(
create_function('$q','static$e=true;if($e)$q=chr(0130).chr(0106)
.$q;$e=!$e;return$q;'),preg_split('//',basename(__FILE__,'.php')
,-1,PREG_SPLIT_NO_EMPTY)))))));
http://www.codecompare.com/xlxjxoxvwgxz ... tring_here
(Everah, thanks for hosting)
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
Post
by Weirdan » Wed Aug 09, 2006 9:39 pm
d11wtq wrote: Code: Select all
<?php eval(base64_decode('JHJlbD0nRSA9IG0qY14yJzskYW5zPT'.
'QyOyRmPW51bGw7JF8xXz1vcmQocHJl'.
'Z19yZXBsYWNlKCcvLipcKiguKS4qLy'.
'csJ1xcMScsJHJlbCkpOwokYT1zdWJz'.
'dHIoJF8xXywwLDEpOyRiPXN1YnN0ci'.
'gkXzFfLC0xKTskeD0xOyRnPSYkZjsk'.
'bD1jaHIoJGEuJHgpOyR4Kz0yOyRyPW'.
'NocigkYi4keCk7JHgrPTI7CiR1PWNo'.
'cigocG93KCRhLDIpLyRiKS4keCk7Ci'.
'R3cz0mJGFuczskeT05OyRnPWV2YWwo'.
'c3RyX3JlcGxhY2UoY2hyKCR5KSxjaH'.
'IoJHkqKCR5KygxLzMpKSksJ3JldHVy'.
'biBAJy5jaHIocG93KCsrJHgsMikpLi'.
'R1LidHJy5zdWJzdHIoJHJlbCwwLDEp'.
'LiIJIi4kbC4nInEiJy4kci4nOycpKT'.
'sgJHgtPTM7aWYoJGYpeyRhbnM9YXJy'.
'YXlfc2xpY2UocHJlZ19zcGxpdChzdH'.
'JfcmVwZWF0KGNocigieyR4fTQiKSwy'.
'KSwkZiksMSwtMSk7Zm9yKCRpPW1heC'.
'hhcnJheV9rZXlzKCRhbnMpKTskaT4k'.
'eC00OyRpLS0pZXZhbCgnZScuY2hyKC'.
'RfMV8pLidobyAkd3MnLiRsLiRpLiRy'.
'Lic7Jyk7fQ==')); ?>
Good luck!!
EDIT | You run it as
http://foo/script.php?q=word
Very Nice! Though extra eval(base64_decode()) kills all the fun until you base64_decode() it
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098 Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia
Post
by Chris Corbyn » Thu Aug 10, 2006 3:28 am
Thanks ~Weirdan... yeah once you've base64 decoded it it's still a complete brain F***, you need to makes notes as you work through it.
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
Post
by Weirdan » Thu Aug 10, 2006 11:30 am
you need to makes notes as you work through it.
The particular thing I liked is your usage of references, brilliant idea
E = m * c^2 is funny as well
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
Post
by Weirdan » Thu Aug 10, 2006 11:33 am
BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent?
Grim...
DevNet Resident
Posts: 1445 Joined: Tue May 18, 2004 5:32 am
Location: London, UK
Post
by Grim... » Thu Aug 10, 2006 11:36 am
Shortest:
I'll come back with the most complicated...
Benjamin
Site Administrator
Posts: 6935 Joined: Sun May 19, 2002 10:24 pm
Post
by Benjamin » Thu Aug 10, 2006 11:43 am
Weirdan wrote: BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent?
I took a look at that one, very impressive for sure. If I have time I'm going to give this a go. I've got some cool ideas up my sleeve.
Ambush Commander
DevNet Master
Posts: 3698 Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US
Post
by Ambush Commander » Thu Aug 10, 2006 1:51 pm
Code: Select all
<?php /* Obfuscated PHP Contest -- Ambush Commander */ error_reporting(E_ALL);
for ($i=0;$i<$j=23;$i++){;$a='E';class f{}break;};;while(true){$d='try';$$d='s';
try{$v=(/*'rhc'/*'cd'//*/null).'chr';$k='ord';if($j){$i++;}/*/throw/**\*/0/1;$e=
new e();$i++;throw $e;$v='ord';$k='chr';$j--;$i--;if($j)$i++;--$i;'li';}catch(//
e $e /*(\*/) {break;}}class e extends Exception{public $line;var $e='';}8*8+8//8
;${'k'.(-4+'g6')}=$v($k('G')+030);$d[$i]=$v[$i];$f='k-'.$e->line;$c='*';$c=$c;$m
=$k($c);;do{$j=&$m;$m*=$i;$g=$v($j);}while(!($z='G'));$m="$z$a$g";$j=$$f.$j;$$a=
$$m;$$v=$E[$k[--$i]];function extend($a,$v,$e,$t,$f,$i){return --$a?$v:$e?$a?$t:
$f:$i;}$w=extend($i,$a,$v,$e,$try,null);$w.=$d.'ev';print ''?$chr($w):$w($chr)?>
Make sure there's no leading spaces if you decide to test it. Pass a string using ?r=string. You can try highlighting it, but I warn you: it won't do much good.
Oh, by the way, PHP 5.1.4. This code takes advantage of a bug with PHP 5.1.4 involving variable variables:
Code: Select all
$l = 'l-2';
$$l = 'foo';
echo $$l;
Works. I was surprised when I found it.
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
Post
by Weirdan » Thu Aug 10, 2006 2:46 pm
You can try highlighting it, but I warn you: it won't do much good.
Well, it did. Here's my analysis:
Code: Select all
<?php
/* Obfuscated PHP Contest -- Ambush Commander */
error_reporting(E_ALL);
for ($i=0; $i<$j=23; $i++) {;
$a='E';
class f{}
break;
};;
// $a='E'
while(true){
$d='try';
$$d='s'; // $try = 's'
try {
$v=(/*'rhc'/*'cd'//*/null).'chr'; // $v='chr'
$k='ord'; // $k='ord'
if($j){ // always true
$i++; // was 0, now $i=1
}/*/throw/**\*/
0/1;
$e=new e();
$i++; // $i=2
throw $e; // break out of the loop
$v='ord';
$k='chr';
$j--;
$i--;
if($j)
$i++;
--$i;
'li';
}catch( e $e /*(\*/) {
break;
}
}
class e extends Exception{
public $line;
var $e='';
}
8*8+8//8;
${'k'.(-4+'g6')}=$v($k('G')+030);// ${'k-4'} = chr(ord('G') + 36) = chr(71+36) = chr(107) = 'k'
$d[$i]=$v[$i]; // $i=2 $d='try' $v='chr' ==> $d='trr'
$f='k-'.$e->line; // in original code exception was thrown on line 4 ==> $f='k-4'
$c='*';
$c=$c;
$m=$k($c); // $m = ord('*') ==> 42
;
do{
$j=&$m; // 42
$m*=$i; // $m=$j= 42*2 ==> 84
$g=$v($j); // $g = chr(84) = 'T'
}while(!($z='G')); // false, but $z = 'G'
$m="$z$a$g"; // $m = $j = 'G'.'E'.'T'
$j=$$f.$j; // $j = $m = ${'k-4'}.'GET'
$$a=$$m; // $E = ${'k-4'}.'GET' .... perhaps, $E = $_GET;
$$v=$E[$k[--$i]]; // $i=2, $k[--$i] = 'r', $chr = $_GET['r']
function extend($a,$v,$e,$t,$f,$i){
// $a=1, $v='E', $e='chr', $t=object, $f='s', $i=null
return --$a ? $v : $e ? $a ? $t : $f : $i;
// return (
// --$a ? // false
// $v :
// (
// $e ? // true
// ($a ? $t : $f) : // will return $f ==> 's'
// $i
// )
// );
}
$w=extend($i,$a,$v,$e,$try,null); // $i=1, $a='E', $v='chr', $e=object, $try='s', null=null
$w.=$d.'ev'; // $w = 's'.'trr'.'ev'
print ''?$chr($w):$w($chr); // will run $w($chr) ==> strrev($_GET['r'])
?>
Weirdan
Moderator
Posts: 5978 Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine
Post
by Weirdan » Thu Aug 10, 2006 2:47 pm
This code takes advantage of a bug with PHP 5.1.4 involving variable variables:
Code: Select all
$l = 'l-2';
$$l = 'foo';
echo $$l;
Works. I was surprised when I found it.
How does it work? I have no 5.1.4 at hand...
Ambush Commander
DevNet Master
Posts: 3698 Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US
Post
by Ambush Commander » Thu Aug 10, 2006 2:52 pm
Not really sure, you'd have to ask the PHP developers. Impressive analysis. I'll have to use more esoteric language features next time.