Jump to content

Encrypted code...


Obi1-Cannabis
 Share

Recommended Posts

Hi i'am having some troble here. see a client asked me to do some changes on his application and the site was originaly made by some company.The thing is i'am not able to do anything, since their classes and functions are all encripted. something like:

<?php    if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE29"))  {   function T7FC56270E7A70FA81A5935B72EACBE29($TF186217753C37B9B9F958D906208506E)   {    $TF186217753C37B9B9F958D906208506E = base64_decode($TF186217753C37B9B9F958D906208506E);    $T7FC56270E7A70FA81A5935B72EACBE29 = 0;    $T9D5ED678FE57BCCA610140957AFAB571 = 0;    $T0D61F8370CAD1D412F80B84D143E1257 = 0; [...]

and so on...So my question is - Is there anyway to decrypt this so i can see the code and make the changes?

Link to comment
Share on other sites

Doesn't look very encrypted to me - they've just used nonsensical symbol names. I do see a base64 decode in there, so they may have obfuscated strings somewhere else in the code, but you can just base64-decode them yourself to get the original.

Link to comment
Share on other sites

why those company do like this?..i mean encrypting the codes?...what is the benifit of that? i did not see it before..

Link to comment
Share on other sites

@synook see the thing is i get errors (ex: Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'user'@'localhost' (using password: YES) in that file on line 1) the file only have one line and is something like what i've showned before.Also i already tried base64 decoding - it doesn't work - and tried searching in all files for mysql user name in it's base64 encoded format and don't get any results...

Link to comment
Share on other sites

The username being tried is "user", as indicated by the error message.The code you posted is quite simple, if we just make everything a little shorter:

<?php	if (!function_exists("a"))  {		function a($b) {			$b = base64_decode($b);			$c = 0;			$d = 0;			$e = 0;[...]

Link to comment
Share on other sites

ok, i organized all de code from one the functions - the one that connects to the data base and it still doesn't make sense to me.although it helped me realize they add this line after the function is closed:

eval(a("QAAAPD9waHANCmZ1bmN0aW9uIAAAZGJfcXVlcnkoJHNxbENtZAAAKSB7DQoJJGxpbmsgPSBteYAAAWBfY29ubmVjdCgnbG9jYWwAAGhvc3QnLCdhY2N0YXhfdXMgKGVyAOYuMTIzJyk7BBBtA5JzZWyEOQOAX2RiKAL1QkQnLAXSAmIAoHN0BnbAYAiLBGFyZXR1cm4gAnIBAH0NCj8+"));

being "a" the functionand since the function had:

if (!function_exists("a")){	function a($b)	{		$b= base64_decode($b);				...

i've tried a print_r(base64_decode([the argument beeing passed to the function])) but what it does is: @��

Link to comment
Share on other sites

At first it didn't make any sense it was just a buch of weird chars... but after a lot of hours arround this i found the right var that has the real functions inside them. Even that var at firs wasn't printing ok if i did a print_r($var) the output started like

?>	$posicao and apaga=0";	$res = db_query($sql);	return $res;	}<?	...

so isntead of print_r($var) on browser window i saved the print_r to a text file and PUFF light was made! :)thanks for keeping up with this!

Link to comment
Share on other sites

When you see something like this:

eval(a("QAAAPD9waHANCmZ1bmN0aW9uIAAAZGJfcXVlcnkoJHNxbENtZAAAKSB7DQoJJGxpbmsgPSBteYAAAWBfY29ubmVjdCgnbG9jYWwAAGhvc3QnLCdhY2N0YXhfdXMgKGVyAOYuMTIzJyk7BBBtA5JzZWyEOQOAX2RiKAL1QkQnLAXSAmIAoHN0BnbAYAiLBGFyZXR1cm4gAnIBAH0NCj8+"));

You can just change that eval to echo to have it print the code instead of execute it.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...