Page 3 of 6

Posted: Wed Aug 09, 2006 5:29 pm
by onion2k
Everah wrote:It just needs to be hard to read while still achieving the desired task. Comment filler can be used. I think.
Yeah, comments are fine. They're a great way to obfuscate. Of course, they don't just have to hide code .. they can be the code:

Code: Select all

<?php
 
    //String reversing script
 
    $string = $_GET['string'];
    $f = file_get_contents(basename($PHP_SELF));
    $f = substr($f,12,3).substr($f,19,3);
    echo $f($string);
 
?>

Posted: Wed Aug 09, 2006 6:45 pm
by jayshields
Can we enter twice? I just had a great idea.

Posted: Wed Aug 09, 2006 6:46 pm
by RobertGonzalez
I did :) but that was because I liked Hawley's idea and rewrote mine to be like his. Besides, what's the worse that could happen?

Posted: Wed Aug 09, 2006 8:54 pm
by Weirdan
ok, here's mine:

Code: Select all

 
eval(stripslashes(stripslashes(base64_decode(join('', array_map(
create_function('$q','static$e=true;if($e)$q=chr(0130).chr(0106)
.$q;$e=!$e;return$q;'),preg_split('//',basename(__FILE__,'.php')
,-1,PREG_SPLIT_NO_EMPTY)))))));
 
http://www.codecompare.com/xlxjxoxvwgxz ... tring_here

(Everah, thanks for hosting)

Posted: Wed Aug 09, 2006 8:56 pm
by RobertGonzalez
You got it.

Posted: Wed Aug 09, 2006 9:39 pm
by Weirdan
d11wtq wrote:

Code: Select all

<?php eval(base64_decode('JHJlbD0nRSA9IG0qY14yJzskYW5zPT'.
'QyOyRmPW51bGw7JF8xXz1vcmQocHJl'.
'Z19yZXBsYWNlKCcvLipcKiguKS4qLy'.
'csJ1xcMScsJHJlbCkpOwokYT1zdWJz'.
'dHIoJF8xXywwLDEpOyRiPXN1YnN0ci'.
'gkXzFfLC0xKTskeD0xOyRnPSYkZjsk'.
'bD1jaHIoJGEuJHgpOyR4Kz0yOyRyPW'.
'NocigkYi4keCk7JHgrPTI7CiR1PWNo'.
'cigocG93KCRhLDIpLyRiKS4keCk7Ci'.
'R3cz0mJGFuczskeT05OyRnPWV2YWwo'.
'c3RyX3JlcGxhY2UoY2hyKCR5KSxjaH'.
'IoJHkqKCR5KygxLzMpKSksJ3JldHVy'.
'biBAJy5jaHIocG93KCsrJHgsMikpLi'.
'R1LidHJy5zdWJzdHIoJHJlbCwwLDEp'.
'LiIJIi4kbC4nInEiJy4kci4nOycpKT'.
'sgJHgtPTM7aWYoJGYpeyRhbnM9YXJy'.
'YXlfc2xpY2UocHJlZ19zcGxpdChzdH'.
'JfcmVwZWF0KGNocigieyR4fTQiKSwy'.
'KSwkZiksMSwtMSk7Zm9yKCRpPW1heC'.
'hhcnJheV9rZXlzKCRhbnMpKTskaT4k'.
'eC00OyRpLS0pZXZhbCgnZScuY2hyKC'.
'RfMV8pLidobyAkd3MnLiRsLiRpLiRy'.
'Lic7Jyk7fQ==')); ?>
Good luck!!

EDIT | You run it as http://foo/script.php?q=word
Very Nice! Though extra eval(base64_decode()) kills all the fun until you base64_decode() it Image

Posted: Thu Aug 10, 2006 3:28 am
by Chris Corbyn
Thanks ~Weirdan... yeah once you've base64 decoded it it's still a complete brain F***, you need to makes notes as you work through it.

Posted: Thu Aug 10, 2006 11:30 am
by Weirdan
you need to makes notes as you work through it.
The particular thing I liked is your usage of references, brilliant idea :)
E = m * c^2 is funny as well :)

Posted: Thu Aug 10, 2006 11:33 am
by Weirdan
BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent? ;)

Posted: Thu Aug 10, 2006 11:36 am
by Grim...
Shortest:

Code: Select all

<?=strrev($_GET[string])?>
I'll come back with the most complicated...

Posted: Thu Aug 10, 2006 11:43 am
by Benjamin
Weirdan wrote:BTW, is it only me who deobfuscates code posted here? Or other deobfuscators prefer to be silent? ;)
I took a look at that one, very impressive for sure. If I have time I'm going to give this a go. I've got some cool ideas up my sleeve.

Posted: Thu Aug 10, 2006 1:51 pm
by Ambush Commander

Code: Select all

<?php /*  Obfuscated PHP Contest -- Ambush Commander  */ error_reporting(E_ALL);
for ($i=0;$i<$j=23;$i++){;$a='E';class f{}break;};;while(true){$d='try';$$d='s';
try{$v=(/*'rhc'/*'cd'//*/null).'chr';$k='ord';if($j){$i++;}/*/throw/**\*/0/1;$e=
new e();$i++;throw $e;$v='ord';$k='chr';$j--;$i--;if($j)$i++;--$i;'li';}catch(//
e $e /*(\*/) {break;}}class e extends Exception{public $line;var $e='';}8*8+8//8
;${'k'.(-4+'g6')}=$v($k('G')+030);$d[$i]=$v[$i];$f='k-'.$e->line;$c='*';$c=$c;$m
=$k($c);;do{$j=&$m;$m*=$i;$g=$v($j);}while(!($z='G'));$m="$z$a$g";$j=$$f.$j;$$a=
$$m;$$v=$E[$k[--$i]];function extend($a,$v,$e,$t,$f,$i){return --$a?$v:$e?$a?$t:
$f:$i;}$w=extend($i,$a,$v,$e,$try,null);$w.=$d.'ev';print ''?$chr($w):$w($chr)?>
Make sure there's no leading spaces if you decide to test it. Pass a string using ?r=string. You can try highlighting it, but I warn you: it won't do much good. ;-)

Oh, by the way, PHP 5.1.4. This code takes advantage of a bug with PHP 5.1.4 involving variable variables:

Code: Select all

 
$l = 'l-2';
$$l = 'foo';
echo $$l;
 
Works. I was surprised when I found it.

Posted: Thu Aug 10, 2006 2:46 pm
by Weirdan
You can try highlighting it, but I warn you: it won't do much good.
Well, it did. Here's my analysis:

Code: Select all

 
<?php 
   /*  Obfuscated PHP Contest -- Ambush Commander  */ 
   error_reporting(E_ALL);
   for ($i=0; $i<$j=23; $i++) {;
      $a='E';
      class f{}
      break;
   };;
   // $a='E'
   while(true){
      $d='try';
      $$d='s'; // $try = 's'
      try {
         $v=(/*'rhc'/*'cd'//*/null).'chr'; // $v='chr'
         $k='ord'; // $k='ord'
         if($j){ // always true
            $i++; // was 0, now $i=1
         }/*/throw/**\*/
         0/1;
         $e=new e();
         $i++; // $i=2
         throw $e; // break out of the loop
         $v='ord';
         $k='chr';
         $j--;
         $i--;
         if($j)
            $i++;
         --$i;
         'li';
      }catch( e $e /*(\*/) {
         break;
      }
   }
   class e extends Exception{
      public $line;
      var $e='';
   }
   8*8+8//8;
   ${'k'.(-4+'g6')}=$v($k('G')+030);// ${'k-4'} = chr(ord('G') + 36) = chr(71+36) = chr(107) = 'k'
   $d[$i]=$v[$i]; // $i=2 $d='try' $v='chr' ==> $d='trr'
   $f='k-'.$e->line; // in original code exception was thrown on line 4 ==> $f='k-4'
   $c='*';
   $c=$c;
   $m=$k($c); // $m = ord('*') ==> 42
   ;
   do{
      $j=&$m; // 42
      $m*=$i; // $m=$j= 42*2 ==> 84
      $g=$v($j); // $g = chr(84) = 'T'
   }while(!($z='G')); // false, but $z = 'G'
   $m="$z$a$g"; // $m = $j = 'G'.'E'.'T'
   $j=$$f.$j; // $j = $m = ${'k-4'}.'GET'
   $$a=$$m; // $E = ${'k-4'}.'GET' .... perhaps, $E = $_GET;
   $$v=$E[$k[--$i]]; // $i=2, $k[--$i] = 'r', $chr = $_GET['r']
   function extend($a,$v,$e,$t,$f,$i){
      // $a=1, $v='E', $e='chr', $t=object, $f='s', $i=null
      return --$a ? $v : $e ? $a ? $t : $f : $i;
      // return (
      //          --$a ?  // false
      //          $v : 
      //          (
      //             $e ? // true 
      //             ($a ? $t : $f) :  // will return $f ==> 's'
      //             $i
      //         )
      //      );
   }
   $w=extend($i,$a,$v,$e,$try,null); // $i=1, $a='E', $v='chr', $e=object, $try='s', null=null
   $w.=$d.'ev'; // $w = 's'.'trr'.'ev' 
   print ''?$chr($w):$w($chr); // will run $w($chr) ==> strrev($_GET['r'])
?>
 

Posted: Thu Aug 10, 2006 2:47 pm
by Weirdan
This code takes advantage of a bug with PHP 5.1.4 involving variable variables:

Code: Select all

$l = 'l-2';
$$l = 'foo';
echo $$l;
Works. I was surprised when I found it.
How does it work? I have no 5.1.4 at hand...

Posted: Thu Aug 10, 2006 2:52 pm
by Ambush Commander
Not really sure, you'd have to ask the PHP developers. Impressive analysis. I'll have to use more esoteric language features next time.