Posted: Wed Aug 09, 2006 5:29 pm
by onion2k
Everah wrote: It just needs to be hard to read while still achieving the desired task. Comment filler can be used. I think.
Yeah, comments are fine. They're a great way to obfuscate. Of course, they don't just have to hide code .. they can be the code:
Code:
<?php
//String reversing script
$string = $_GET['string'];
$f = file_get_contents(basename($PHP_SELF));
$f = substr($f,12,3).substr($f,19,3);
echo $f($string);
?>
Posted: Wed Aug 09, 2006 6:45 pm
by jayshields
Can we enter twice? I just had a great idea.
Posted: Wed Aug 09, 2006 6:46 pm
by RobertGonzalez
I did, but that was because I liked Hawley's idea and rewrote mine to be like his. Besides, what's the worst that could happen?
Posted: Wed Aug 09, 2006 8:54 pm
by Weirdan
ok, here's mine:
Code:
eval(stripslashes(stripslashes(base64_decode(join('', array_map(
create_function('$q','static$e=true;if($e)$q=chr(0130).chr(0106)
.$q;$e=!$e;return$q;'),preg_split('//',basename(__FILE__,'.php')
,-1,PREG_SPLIT_NO_EMPTY)))))));
http://www.codecompare.com/xlxjxoxvwgxz ... tring_here
(Everah, thanks for hosting)
Posted: Wed Aug 09, 2006 8:56 pm
by RobertGonzalez
You got it.
Posted: Wed Aug 09, 2006 9:39 pm
by Weirdan
d11wtq wrote:
Code:
<?php eval(base64_decode('JHJlbD0nRSA9IG0qY14yJzskYW5zPT'.
'QyOyRmPW51bGw7JF8xXz1vcmQocHJl'.
'Z19yZXBsYWNlKCcvLipcKiguKS4qLy'.
'csJ1xcMScsJHJlbCkpOwokYT1zdWJz'.
'dHIoJF8xXywwLDEpOyRiPXN1YnN0ci'.
'gkXzFfLC0xKTskeD0xOyRnPSYkZjsk'.
'bD1jaHIoJGEuJHgpOyR4Kz0yOyRyPW'.
'NocigkYi4keCk7JHgrPTI7CiR1PWNo'.
'cigocG93KCRhLDIpLyRiKS4keCk7Ci'.
'R3cz0mJGFuczskeT05OyRnPWV2YWwo'.
'c3RyX3JlcGxhY2UoY2hyKCR5KSxjaH'.
'IoJHkqKCR5KygxLzMpKSksJ3JldHVy'.
'biBAJy5jaHIocG93KCsrJHgsMikpLi'.
'R1LidHJy5zdWJzdHIoJHJlbCwwLDEp'.
'LiIJIi4kbC4nInEiJy4kci4nOycpKT'.
'sgJHgtPTM7aWYoJGYpeyRhbnM9YXJy'.
'YXlfc2xpY2UocHJlZ19zcGxpdChzdH'.
'JfcmVwZWF0KGNocigieyR4fTQiKSwy'.
'KSwkZiksMSwtMSk7Zm9yKCRpPW1heC'.
'hhcnJheV9rZXlzKCRhbnMpKTskaT4k'.
'eC00OyRpLS0pZXZhbCgnZScuY2hyKC'.
'RfMV8pLidobyAkd3MnLiRsLiRpLiRy'.
'Lic7Jyk7fQ==')); ?>
Good luck!!
EDIT | You run it as
http://foo/script.php?q=word
Very Nice! Though extra eval(base64_decode()) kills all the fun until you base64_decode() it
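The outer eval(base64_decode()) layer mentioned above can be removed statically, without running the PHP. This is an added example, not code from the thread: a Python helper (the names `peel` and `wrap` are mine) that joins the concatenated string literals, decodes them, and goes one step beyond the quoted entry by repeating while another wrapper remains. The sample input is constructed inside the block.

```python
import base64
import re

# One quoted base64 literal, single- or double-quoted.
LIT = r"""(?:'[A-Za-z0-9+/=]*'|"[A-Za-z0-9+/=]*")"""
# eval(base64_decode(<literal> . <literal> ...)) with an optional trailing ';'.
WRAPPER = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*(" + LIT + r"(?:\s*\.\s*" + LIT + r")*)"
    r"\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)


def peel(php_source, max_layers=10):
    """Return (source_with_wrappers_expanded, layers_removed).

    The PHP is never executed. Decoded text is spliced in where the eval()
    call stood, which is for reading only, not a faithful re-serialisation.
    """
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(php_source)
        if not m:
            break
        # Join the pieces that PHP's "." operator would concatenate.
        payload = "".join(re.findall(r"""['"]([A-Za-z0-9+/=]*)['"]""", m.group(1)))
        try:
            decoded = base64.b64decode(payload, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: bad padding etc.
            break           # leave this layer for manual review
        php_source = php_source[:m.start()] + decoded + php_source[m.end():]
        layers += 1
    return php_source, layers


def wrap(php_code, width=16):
    """Build a constructed sample split into chunks like the quoted entry."""
    b64 = base64.b64encode(php_code.encode()).decode()
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "eval(base64_decode('" + "'.\n'".join(chunks) + "'));"


INNER = "echo strrev($_GET['q']);"               # constructed payload
SAMPLE = "<?php " + wrap(wrap(INNER)) + " ?>"    # constructed, two nested layers

if __name__ == "__main__":
    print(peel(SAMPLE))
```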

Posted: Thu Aug 10, 2006 3:28 am
by Chris Corbyn
Thanks ~Weirdan... yeah once you've base64 decoded it it's still a complete brain F***, you need to make notes as you work through it.
Posted: Thu Aug 10, 2006 11:30 am
by Weirdan
you need to make notes as you work through it.
The particular thing I liked is your usage of references, brilliant idea

E = m * c^2 is funny as well

Posted: Thu Aug 10, 2006 11:33 am
by Weirdan
BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent?

Posted: Thu Aug 10, 2006 11:36 am
by Grim...
Shortest:
I'll come back with the most complicated...
Posted: Thu Aug 10, 2006 11:43 am
by Benjamin
Weirdan wrote: BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent?

I took a look at that one, very impressive for sure. If I have time I'm going to give this a go. I've got some cool ideas up my sleeve.
Posted: Thu Aug 10, 2006 1:51 pm
by Ambush Commander
Code:
<?php /* Obfuscated PHP Contest -- Ambush Commander */ error_reporting(E_ALL);
for ($i=0;$i<$j=23;$i++){;$a='E';class f{}break;};;while(true){$d='try';$$d='s';
try{$v=(/*'rhc'/*'cd'//*/null).'chr';$k='ord';if($j){$i++;}/*/throw/**\*/0/1;$e=
new e();$i++;throw $e;$v='ord';$k='chr';$j--;$i--;if($j)$i++;--$i;'li';}catch(//
e $e /*(\*/) {break;}}class e extends Exception{public $line;var $e='';}8*8+8//8
;${'k'.(-4+'g6')}=$v($k('G')+030);$d[$i]=$v[$i];$f='k-'.$e->line;$c='*';$c=$c;$m
=$k($c);;do{$j=&$m;$m*=$i;$g=$v($j);}while(!($z='G'));$m="$z$a$g";$j=$$f.$j;$$a=
$$m;$$v=$E[$k[--$i]];function extend($a,$v,$e,$t,$f,$i){return --$a?$v:$e?$a?$t:
$f:$i;}$w=extend($i,$a,$v,$e,$try,null);$w.=$d.'ev';print ''?$chr($w):$w($chr)?>
Make sure there's no leading spaces if you decide to test it. Pass a string using ?r=string. You can try highlighting it, but I warn you: it won't do much good.
Oh, by the way, PHP 5.1.4. This code takes advantage of a bug with PHP 5.1.4 involving variable variables:
Code:
$l = 'l-2';
$$l = 'foo';
echo $$l;
Works. I was surprised when I found it.
Posted: Thu Aug 10, 2006 2:46 pm
by Weirdan
You can try highlighting it, but I warn you: it won't do much good.
Well, it did. Here's my analysis:
Code:
<?php
/* Obfuscated PHP Contest -- Ambush Commander */
error_reporting(E_ALL);
for ($i=0; $i<$j=23; $i++) {;
    $a='E';
    class f{}
    break;
};;
// $a='E'
while(true){
    $d='try';
    $$d='s'; // $try = 's'
    try {
        $v=(/*'rhc'/*'cd'//*/null).'chr'; // $v='chr'
        $k='ord'; // $k='ord'
        if($j){ // always true
            $i++; // was 0, now $i=1
        }/*/throw/**\*/
        0/1;
        $e=new e();
        $i++; // $i=2
        throw $e; // break out of the loop
        $v='ord';
        $k='chr';
        $j--;
        $i--;
        if($j)
            $i++;
        --$i;
        'li';
    }catch( e $e /*(\*/) {
        break;
    }
}
class e extends Exception{
    public $line;
    var $e='';
}
8*8+8//8;
${'k'.(-4+'g6')}=$v($k('G')+030);// ${'k-4'} = chr(ord('G') + 36) = chr(71+36) = chr(107) = 'k'
$d[$i]=$v[$i]; // $i=2 $d='try' $v='chr' ==> $d='trr'
$f='k-'.$e->line; // in original code exception was thrown on line 4 ==> $f='k-4'
$c='*';
$c=$c;
$m=$k($c); // $m = ord('*') ==> 42
;
do{
    $j=&$m; // 42
    $m*=$i; // $m=$j= 42*2 ==> 84
    $g=$v($j); // $g = chr(84) = 'T'
}while(!($z='G')); // false, but $z = 'G'
$m="$z$a$g"; // $m = $j = 'G'.'E'.'T'
$j=$$f.$j; // $j = $m = ${'k-4'}.'GET'
$$a=$$m; // $E = ${'k-4'}.'GET' .... perhaps, $E = $_GET;
$$v=$E[$k[--$i]]; // $i=2, $k[--$i] = 'r', $chr = $_GET['r']
function extend($a,$v,$e,$t,$f,$i){
    // $a=1, $v='E', $e='chr', $t=object, $f='s', $i=null
    return --$a ? $v : $e ? $a ? $t : $f : $i;
    // return (
    //     --$a ? // false
    //         $v :
    //         (
    //             $e ? // true
    //                 ($a ? $t : $f) : // will return $f ==> 's'
    //                 $i
    //         )
    // );
}
$w=extend($i,$a,$v,$e,$try,null); // $i=1, $a='E', $v='chr', $e=object, $try='s', null=null
$w.=$d.'ev'; // $w = 's'.'trr'.'ev'
print ''?$chr($w):$w($chr); // will run $w($chr) ==> strrev($_GET['r'])
?>
Posted: Thu Aug 10, 2006 2:47 pm
by Weirdan
This code takes advantage of a bug with PHP 5.1.4 involving variable variables:
Code:
$l = 'l-2';
$$l = 'foo';
echo $$l;
Works. I was surprised when I found it.
How does it work? I have no 5.1.4 at hand...
Posted: Thu Aug 10, 2006 2:52 pm
by Ambush Commander
Not really sure, you'd have to ask the PHP developers. Impressive analysis. I'll have to use more esoteric language features next time.