Obi1-Cannabis Posted December 15, 2010 Share Posted December 15, 2010 Hi i'am having some troble here. see a client asked me to do some changes on his application and the site was originaly made by some company.The thing is i'am not able to do anything, since their classes and functions are all encripted. something like: <?php if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE29")) { function T7FC56270E7A70FA81A5935B72EACBE29($TF186217753C37B9B9F958D906208506E) { $TF186217753C37B9B9F958D906208506E = base64_decode($TF186217753C37B9B9F958D906208506E); $T7FC56270E7A70FA81A5935B72EACBE29 = 0; $T9D5ED678FE57BCCA610140957AFAB571 = 0; $T0D61F8370CAD1D412F80B84D143E1257 = 0; [...] and so on...So my question is - Is there anyway to decrypt this so i can see the code and make the changes? Link to comment Share on other sites More sharing options...
Synook Posted December 15, 2010 Share Posted December 15, 2010 Doesn't look very encrypted to me - they've just used nonsensical symbol names. I do see a base64 decode in there, so they may have obfuscated strings somewhere else in the code, but you can just base64-decode them yourself to get the original. Link to comment Share on other sites More sharing options...
birbal Posted December 15, 2010 Share Posted December 15, 2010 why those company do like this?..i mean encrypting the codes?...what is the benifit of that? i did not see it before.. Link to comment Share on other sites More sharing options...
Obi1-Cannabis Posted December 15, 2010 Author Share Posted December 15, 2010 @synook see the thing is i get errors (ex: Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'user'@'localhost' (using password: YES) in that file on line 1) the file only have one line and is something like what i've showned before.Also i already tried base64 decoding - it doesn't work - and tried searching in all files for mysql user name in it's base64 encoded format and don't get any results... Link to comment Share on other sites More sharing options...
Synook Posted December 15, 2010 Share Posted December 15, 2010 The username being tried is "user", as indicated by the error message.The code you posted is quite simple, if we just make everything a little shorter: <?php if (!function_exists("a")) { function a($b) { $b = base64_decode($b); $c = 0; $d = 0; $e = 0;[...] Link to comment Share on other sites More sharing options...
Obi1-Cannabis Posted December 15, 2010 Author Share Posted December 15, 2010 ok, i organized all de code from one the functions - the one that connects to the data base and it still doesn't make sense to me.although it helped me realize they add this line after the function is closed: eval(a("QAAAPD9waHANCmZ1bmN0aW9uIAAAZGJfcXVlcnkoJHNxbENtZAAAKSB7DQoJJGxpbmsgPSBteYAAAWBfY29ubmVjdCgnbG9jYWwAAGhvc3QnLCdhY2N0YXhfdXMgKGVyAOYuMTIzJyk7BBBtA5JzZWyEOQOAX2RiKAL1QkQnLAXSAmIAoHN0BnbAYAiLBGFyZXR1cm4gAnIBAH0NCj8+")); being "a" the functionand since the function had: if (!function_exists("a")){ function a($b) { $b= base64_decode($b); ... i've tried a print_r(base64_decode([the argument beeing passed to the function])) but what it does is: @�� Link to comment Share on other sites More sharing options...
Synook Posted December 16, 2010 Share Posted December 16, 2010 Well, what happens to $b after that in the function? Link to comment Share on other sites More sharing options...
Obi1-Cannabis Posted December 16, 2010 Author Share Posted December 16, 2010 At first it didn't make any sense it was just a buch of weird chars... but after a lot of hours arround this i found the right var that has the real functions inside them. Even that var at firs wasn't printing ok if i did a print_r($var) the output started like ?> $posicao and apaga=0"; $res = db_query($sql); return $res; }<? ... so isntead of print_r($var) on browser window i saved the print_r to a text file and PUFF light was made! :)thanks for keeping up with this! Link to comment Share on other sites More sharing options...
Synook Posted December 16, 2010 Share Posted December 16, 2010 By the way, have you tried contacting the original company? Link to comment Share on other sites More sharing options...
Obi1-Cannabis Posted December 16, 2010 Author Share Posted December 16, 2010 I asked te client to contact them and ask for the original code without this encodings, but he said they wouldn't give it. I think they might be upset the client dindn't ask them for this changes even though i think thats pretty stupid of them... Link to comment Share on other sites More sharing options...
justsomeguy Posted December 16, 2010 Share Posted December 16, 2010 When you see something like this: eval(a("QAAAPD9waHANCmZ1bmN0aW9uIAAAZGJfcXVlcnkoJHNxbENtZAAAKSB7DQoJJGxpbmsgPSBteYAAAWBfY29ubmVjdCgnbG9jYWwAAGhvc3QnLCdhY2N0YXhfdXMgKGVyAOYuMTIzJyk7BBBtA5JzZWyEOQOAX2RiKAL1QkQnLAXSAmIAoHN0BnbAYAiLBGFyZXR1cm4gAnIBAH0NCj8+")); You can just change that eval to echo to have it print the code instead of execute it. Link to comment Share on other sites More sharing options...
Obi1-Cannabis Posted December 17, 2010 Author Share Posted December 17, 2010 nop, i tried it, in this case it woud return me the same as printig that variable we were calling $b - @�� Link to comment Share on other sites More sharing options...
justsomeguy Posted December 20, 2010 Share Posted December 20, 2010 eval only takes PHP code as input. That means the input to eval needs to be PHP code, so if you're seeing anything other than PHP code then you're doing something wrong. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.