Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
May 28, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 417
Members: 0
Total: 417
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PHP script decode requests -> I am having problems decoding this byterun file Goto page 1, 2  Next
Post new topic  Reply to topic View previous topic :: View next topic 
I am having problems decoding this byterun file
PostPosted: Tue Aug 12, 2008 2:56 pm Reply with quote
ephe
Regular user
Regular user
 
Joined: Aug 12, 2008
Posts: 9




Hi all, I keep trying but its not coming out. I used some code that I found to decode it but its not working. Can someone please decode this?
http://rapidshare.com/files/136796896/encoded.php.html
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 2:59 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275




Well I can't even open it... My antivirus is going crazy... but I doubt that the file is infected, probably a false-positive. I'll take a peek in Linux, bear with me Smile
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:02 pm Reply with quote
ephe
Regular user
Regular user
 
Joined: Aug 12, 2008
Posts: 9




sorry,
try this
http://rapidshare.com/files/136797891/encoded.php.zip.html
i ziped it this time
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:12 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275




Yeah, its still being a pain. Ill use my linux box, much easier than messing around with stupid permissions in windows.

Edit: hang on, this is a Byterun file which is bytecoded... and bytecoded files are undecodable... sombody prove me wrong?
Edit Edit: Only some ByteRun files are encoded, thankfully! Very Happy


Last edited by lenny on Tue Aug 12, 2008 3:44 pm; edited 1 time in total
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:20 pm Reply with quote
ephe
Regular user
Regular user
 
Joined: Aug 12, 2008
Posts: 9




Seriously - unencodeable? I find that hard to believe.

here is a txt version in case you want to still give it a shot.
http://rapidshare.com/files/136801547/encoded.txt.html
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:23 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275




Yes, i can open it now - It seems Windows has a problem with that particular file and the .php extension :S
Oh well, its fine in Linux
Decoding now (or at least attempting to Smile )
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:28 pm Reply with quote
ephe
Regular user
Regular user
 
Joined: Aug 12, 2008
Posts: 9




I quote Mr. Burns: "Excellent"
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:54 pm Reply with quote
lenny
Valuable expert
Valuable expert
 
Joined: May 15, 2008
Posts: 275




Well i have an output, but you're not going to like it. I'll do a little more research, but you can find the output at http://www.media3k.com/decoder.php

Back to the drawing board.
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 3:55 pm Reply with quote
ephe
Regular user
Regular user
 
Joined: Aug 12, 2008
Posts: 9




Yeh, thats what I got when I tried, and unfortunatly, thats where my skills ended.
john
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:19 pm Reply with quote
ZiPo
Advanced user
Advanced user
 
Joined: Jul 08, 2008
Posts: 86




well i tried to play a bit and i am no way an expert here...very roughly the begginer, but this is what i have so far...still pretty messy.


Code:
eval(''?><?php\r\nclass ebay_lite{\r\n\r\n  var $title = "";\r\n  var $link_url = "";\r\n  var $image = "";\r\n  var $image_url = "";\r\n  var $price = "";\r\n  var $bids = "";\r\n  var $end_date = "";\r\n  var $bin_price = "";\r\n  var $bid_now_url = "";\r\n  var $buy_now_url = "";\r\n  var $watch_url = "";\r\n  var $html = "";\r\n  var $site_url = "";\r\n  \r\n  var $eb_rss_url = "";\r\n  var $eb_saaff = "";\r\n  var $eb_siteId = 0;\r\n  var $eb_language = "";\r\n  var $eb_pid = "";\r\n  var $eb_cid = "";\r\n  v...'')
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:25 pm Reply with quote
ephe
Regular user
Regular user
 
Joined: Aug 12, 2008
Posts: 9




sweet! looks good.
John
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:27 pm Reply with quote
ZiPo
Advanced user
Advanced user
 
Joined: Jul 08, 2008
Posts: 86




hmmm there is still something inside...here is complete paste...
(...www\) - is my directory where i test this stuff

Code:
...www\encoded.phpbase64_decode
Fatal error: Call to undefined function add_filter() in ...www\encoded.php(6) : eval()'d code(3) : eval()'d code on line 336

Call Stack:
    0.4875      69536   1. {main}() ...www\encoded.php:0
   13.4670      91040   2. eval(''$_X=base64_decode($_X);$_X=strtr($_X,\'hGQKcLqJWVoC1r0.S/8d=f3MRb\nxIDe5Yk>TiE4wZ]UnXNsgj7l[{p6a}9zPuy FOvABm2t<H\',\'hHoUdRkev2Py<DsFAV15LflY}baGt mEj/J7]C[Qrx3Z\n604c8upO>9izSKwnXMI.qgN=BTW{\');$_R=str_replace(\'__FILE__\',"\'".$_F."\'",$_X);eval($_R);$_R=0;$_X=0;'') ...www\encoded.php:6
   13.4697     244224   3. eval(''?><?php\r\nclass ebay_lite{\r\n\r\n  var $title = "";\r\n  var $link_url = "";\r\n  var $image = "";\r\n  var $image_url = "";\r\n  var $price = "";\r\n  var $bids = "";\r\n  var $end_date = "";\r\n  var $bin_price = "";\r\n  var $bid_now_url = "";\r\n  var $buy_now_url = "";\r\n  var $watch_url = "";\r\n  var $html = "";\r\n  var $site_url = "";\r\n  \r\n  var $eb_rss_url = "";\r\n  var $eb_saaff = "";\r\n  var $eb_siteId = 0;\r\n  var $eb_language = "";\r\n  var $eb_pid = "";\r\n  var $eb_cid = "";\r\n  v...'') ...www\encoded.php(6) : eval()'d code:3
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 4:41 pm Reply with quote
ephe
Regular user
Regular user
 
Joined: Aug 12, 2008
Posts: 9




OK I may have some help on that.
This is the whole file (there was non encrypted php in it, I removed it for the decrypting. Perhaps that will help).
http://rapidshare.com/files/136817847/phpbaylite.txt.html
That functions (add_filter) is not in the non-encrypted section. But thats part of wordpresses api
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 5:34 pm Reply with quote
ZiPo
Advanced user
Advanced user
 
Joined: Jul 08, 2008
Posts: 86




Ok that's everything from me so far...will put more effort in this and hopefuly learn few more thing.
Anyway this still has me puzzled so if any of the experts here want to take a look and tell me what is this Smile

Code:
eval(''$_X=base64_decode($_X);$_X=strtr($_X,\'hGQKcLqJWVoC1r0.S/8d=f3MRb\nxIDe5Yk>TiE4wZ]UnXNsgj7l[{p6a}9zPuy FOvABm2t<H\',\'hHoUdRkev2Py<DsFAV15LflY}baGt mEj/J7]C[Qrx3Z\n604c8upO>9izSKwnXMI.qgN=BTW{\');$_R=str_replace(\'__FILE__\',"\'".$_F."\'",$_X);eval($_R);$_R=0;$_X=0;'')


This should be encoded file name right?
However i am still playing with this so if i find anything new ill post it here Smile

EDIT: Or could be nothing...just encode/decode string added on base64 to avoid direct decoding. However i am sure that one of the experts here will know the answer Smile
View user's profile Send private message
PostPosted: Tue Aug 12, 2008 7:00 pm Reply with quote
mge
Valuable expert
Valuable expert
 
Joined: Jul 16, 2008
Posts: 142




Code:
?><?php
class ebay_lite{

  var $title = "";
  var $link_url = "";
  var $image = "";
  var $image_url = "";
  var $price = "";
  var $bids = "";
  var $end_date = "";
  var $bin_price = "";
  var $bid_now_url = "";
  var $buy_now_url = "";
  var $watch_url = "";
  var $html = "";
  var $site_url = "";
 
  var $eb_rss_url = "";
  var $eb_saaff = "";
  var $eb_siteId = 0;
  var $eb_language = "";
  var $eb_pid = "";
  var $eb_cid = "";
  var $eb_satitle = "";

function listings($keywords, $num) {
  # assign variables
  $this->eb_satitle = $keywords;
  $this->eb_satitle = urlencode($this->eb_satitle);
  $this->eb_cid = urlencode($this->eb_cid);

  $this->eb_rss_url = "http://rss.api.ebay.com/ws/rssapi?FeedName=SearchResults&siteId=" . $this->eb_siteId . "&language=". $this->eb_language . "&output=RSS20&catref=C5&sacqy=&sacur=0&fsop=1&fsoo=1&from=R6&sacqyop=ge&saslc=0&floc=1&saprclo=&saprchi=";
  $this->eb_rss_url .= "&saaff=" . $this->eb_saaff . "&ftrv=1&ftrt=1&fcl=3&" . $this->eb_saaff . "=" . $this->eb_pid;
  if ($this->eb_saaff == "afepn") {
    $this->eb_rss_url .= "&customid=" . urlencode($this->eb_cid);
  }
  $this->eb_rss_url .= "&frpp=10&nojspr=y&satitle=" . $this->eb_satitle . "&sacat=-1&saslop=1&afmp=&fss=0";
  if (!isset($num)) {$num = 10;}
  error_reporting(0);
 
  # setup the RSS class
  $rss = new rss;
  $rss_html = "";
  $count = 0;
  $rss->get($this->eb_rss_url);
    foreach ($rss->itemInfo as $item) {
     $count++;
     # break up html onto lines so we can search it by line below and preg match the urls
     $item['description'] = $this->makelines($item['description']);
    
     # get the item title
     $this->title = str_replace("&", "&amp;", $item['title']);
    
     # get the ebay thumbnail image url
     preg_match('/(?<=src=")(.*?)(?=")/', $item['description'], $match);
     $this->image = $match[0];
     # This preg_match has been inconsistent on some servers for getting the image
     # so I've added a second attempt to get the thumbnail image if the preg_match fails
     if ($this->image == "") {
       $img = strstr($item['description'], 'http://thumbs.');
       $pos = strpos($img, '.jpg');
       $pos = $pos + 4;
       $img = substr($img, 0, $pos);
       $this->image = $img;
     }
         
     # get the item price
     preg_match('%(?<=<strong>)(.+?)(?=</strong>)%', $item['description'], $match);
     $this->price = $match[0];
    
     # get the number of bids
     preg_match('%(?<=</strong>)(.+?)(?=\r\n)%', $item['description'], $match);
     $this->bids = $match[0];
    
     # get the item auction end date
     preg_match('%(?<=End Date: )(.+?)(?=\r\n)%', $item['description'], $match);
     $this->end_date = $match[0];
         
     # get main link
     $this->link_url = $item['link'];
     $this->link_url = str_replace("&", "&amp;", $this->link_url);
    
     # put lines into array so we can walk through and base64_encode the a href urls to obfuscate
     $html = explode("\r\n", $item['description']);
    
     for ($i = 0; $i <= count($html); $i ++) {
       $line = $html[$i];
      $pos = strpos($line, '<a href="');
      
      if ($pos === false) {
        # do nothing
      } else {
        # find the urls for the auction item
        $epos = strpos($line, '">');
        $match[1] = substr($line, $pos + 9, $epos - $pos - 9);
       
        # Going to copy this too, Peter?
        $match[1] = str_replace(" ", "+", $match[1]);

        $pos = strpos($match[1], 'A102');
          if ($pos) {
           $this->image_url = str_replace("&", "&amp;", $match[1]);
         }
         
        $pos = strpos($match[1], 'A103');
          if ($pos) {
           $this->bid_now_url = str_replace("&", "&amp;", $match[1]);
         }          

        $pos = strpos($match[1], 'A104');
          if ($pos) {
           $this->watch_url = str_replace("&", "&amp;", $match[1]);
         }          

        $pos = strpos($match[1], 'A105');
          if ($pos) {
           $this->buy_now_url = str_replace("&", "&amp;", $match[1]);
         }          
      }
     }

     $this->formatHTML();
    
     # ebay has a bug where, as of the date this source was published, the &frpp= parameter
     # (which represents the number of results to return) is not functioning correctly.
     # It will erroneously return 100 results regardless of the value set.  To correct for this
     # I've put in a counter to return no more than ten of those listings.  You could alter
     # this value below, if desired.
     if (($count) >= $num) {break;}
    }
   
   if (get_option("PBL_ebay_logo") == "1") {$this->html .= '<p align="center"><img src="wp-content/plugins/phpbaylite/logo.gif" alt="" /></p>';}

    if ($rss->counter <= 0) {
      $this->html = "No items matching your keywords were found.<br>\r\n";
    }
  }

function makelines($lines) {
  $lines = str_replace("<tr>", "\r\n  <tr>\r\n", $lines);
  $lines = str_replace("<td>", "    <td>\r\n", $lines);
  $lines = str_replace("</a>", "</a>\r\n", $lines);
  $lines = str_replace("</td>", "    </td>\r\n", $lines);
  $lines = str_replace("</tr>", "  </tr>\r\n", $lines);
  $lines = str_replace("</table>", "</table>\r\n", $lines);
  $lines = str_replace("<br />", "\r\n    <br />\r\n", $lines);
  return $lines;
}

function formatHTML() {
  $crlf = "\r\n";
  $html = '<table width="100%" border="0" cellspacing="5" cellpadding="5">' . $crlf;
  $html .= '  <tr>' . $crlf;
  $html .= '    <td width="100" align="left"><a href="' . $this->image_url . '" rel="nofollow" target="_blank"><img src="' . $this->image . '" alt="' . $this->prepText($this->title) . '" border="0" /></a></td>' . $crlf;
  $html .= '    <td>' . $crlf;
  $html .= '      <a href="' . $this->link_url . '" rel="nofollow" target="_blank">' . $this->title . '</a><br />' . $crlf;
  $html .= '      <span style="color:#FF0000;font-weight:bold">' . $this->price . '</span> <span style="font-weight:bold">' . $this->bids . '</span><br />' . $crlf;
  $html .= '      <span style="font-weight:bold">Auction Ends:</span> ' . $this->end_date . '<br />' . $crlf;
if ($this->bid_now_url > "") {
  $html .= '      <a href="' . $this->bid_now_url . '" rel="nofollow" target="_blank">' . "Bid on this Item" . '</a>';
}
if ($this->buy_now_url > "") {
  if ($this->bid_now_url > "") {
    $html .= "      ;; | ";
  } else {
    $html .= "      ";
  }
  $html .= '<a href="' . $this->buy_now_url . '" rel="nofollow" target="_blank">' . "Buy this Item" . '</a>';
}
  $html .= '      ;; | <a href="' . $this->watch_url . '" rel="nofollow" target="_blank">' . "Watch this Item" . '</a>' . $crlf;
  $html .= '    </td>' . $crlf;
  $html .= '  </tr>' . $crlf;
  $html .= '</table>' . $crlf . $crlf;
 
  $this->html .= $html;
}

function prepText($text) {
  $text = str_replace('/',' ',$text);
  $text = str_replace('-',' ',$text);
  $text = str_replace(' & ',' ',$text);
  $text = str_replace('"',' ',$text);
  $text = str_replace(".",' ',$text);
  $text = str_replace("'",' ',$text);
  $text = str_replace(",",' ',$text);
  $text = str_replace(' ','-',$text);
  $text = str_replace('-----','-',$text);
  $text = str_replace('----','-',$text);
  $text = str_replace('---','-',$text);
  $text = str_replace('--','-',$text);
  $text = str_replace(':','',$text);
  $text = str_replace('#','',$text);
  $text = str_replace('(','',$text);
  $text = str_replace('%','',$text);
  $text = str_replace(')','',$text);
  $text = strtolower($text);
  return $text;
}

} # end eBay class

#################################################
#               XML RSS Class                   #
#################################################

class rss {
  var $counter = 0;
  var $type = 0;
  var $tag = "";
  var $itemInfo = array();
  var $channelInfo = array();

function opening_element($xmlParser, $name, $attribute) {
  $this->tag = $name;
  if($name == "CHANNEL"){
    $this->type = 1;
  } else if($name == "ITEM") {
    $this->type = 2;
  }
}

function closing_element($xmlParser, $name){
  $this->tag = "";
  if($name == "ITEM") {
    $this->type = 0;
    $this->counter++;
  } else if($name == "CHANNEL") {
    $this->type = 0;
  }
}

function c_data($xmlParser, $data){
  if($this->tag == "TITLE" || $this->tag == "DESCRIPTION" || $this->tag == "LINK") {
    if($this->type == 1) {
      $this->channelInfo[strtolower($this->tag)] = $data;
    } else if($this->type == 2) {
      $this->itemInfo[$this->counter][strtolower($this->tag)] .= $data;
    }
  }
}

function get($xml_file) {
  $xmlParser = xml_parser_create();
  xml_set_object ($xmlParser, $this);
  xml_parser_set_option($xmlParser, XML_OPTION_CASE_FOLDING, TRUE);
  xml_parser_set_option($xmlParser, XML_OPTION_SKIP_WHITE, TRUE);
  xml_set_element_handler($xmlParser, "opening_element", "closing_element");
  xml_set_character_data_handler($xmlParser, "c_data");

  $fp = file($xml_file);

  # if the file() function fails, then try curl
  # some shared hosts prevent the use of file() for security reasons
  if ($fp == false) {
    $ch = curl_init($xml_file);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $xml = curl_exec($ch);
    curl_close($ch);
    $fp = explode("\n", $xml);
  }

  foreach($fp as $line){
    if(!xml_parse($xmlParser, $line)) {
      die("Could not parse file.");
    }
  }
}

} # end RSS XML class

function phpBayLite($text) {
   #if WP is erroneously adding <p></p> tags, let's catch them
    $text = str_replace("<p>[phpbay]", "[phpbay]", $text);
    $text = str_replace("[/phpbay]</p>", "[/phpbay]", $text);
   
  if (preg_match('%(\\[phpbay\\](.*?)\\[\\/phpbay\\])%', $text, $match)) {
    $params = $match[0];
    $params = str_replace("[phpbay]", "", $params);
    $params = str_replace("[/phpbay]", "", $params);
    $values = explode(",", $params);
    $kw = trim($values[0]);
    $num = trim($values[1]);

    if ($kw) {
     $ebay_lite = new ebay_lite();
    
     # Set global options that are stored in the phpBay Lite Admin Panel
    
     $ebay_lite->eb_saaff = get_option("PBL_aff_type");
     $ebay_lite->eb_pid = get_option("PBL_ebay_pid");
     $ebay_lite->eb_cid = get_option("PBL_ebay_cid");
    
   # Set Country Code Information
   $ebay_lite->eb_siteId = get_option("PBL_siteId");
   if ($ebay_lite->eb_siteId == "") {$ebay_lite->eb_siteId = "0";}
   if ($ebay_lite->eb_siteId == "0") {$ebay_lite->eb_language = "en-US";}
   if ($ebay_lite->eb_siteId == "15") {$ebay_lite->eb_language = "en-AU";}
   if ($ebay_lite->eb_siteId == "16") {$ebay_lite->eb_language = "de-AT";}
   if ($ebay_lite->eb_siteId == "123") {$ebay_lite->eb_language = "nl-BE";}
   if ($ebay_lite->eb_siteId == "2") {$ebay_lite->eb_language = "en-CA";}
   if ($ebay_lite->eb_siteId == "71") {$ebay_lite->eb_language = "fr-FR";}
   if ($ebay_lite->eb_siteId == "77") {$ebay_lite->eb_language = "de-DE";}
   if ($ebay_lite->eb_siteId == "203") {$ebay_lite->eb_language = "en-IN";}
   if ($ebay_lite->eb_siteId == "205") {$ebay_lite->eb_language = "";}
   if ($ebay_lite->eb_siteId == "101") {$ebay_lite->eb_language = "it-IT";}
   if ($ebay_lite->eb_siteId == "146") {$ebay_lite->eb_language = "nl-NL";}
   if ($ebay_lite->eb_siteId == "186") {$ebay_lite->eb_language = "es-ES";}
   if ($ebay_lite->eb_siteId == "193") {$ebay_lite->eb_language = "de-CH";}
   if ($ebay_lite->eb_siteId == "3") {$ebay_lite->eb_language = "en-GB";}

     # We do some error checking here.  If either of the two values directly abovve
     # are not set, then we need to display a message to the WP Blog owner and exit
    
     if ($ebay_lite->eb_saaff == "") {
       echo "Please set the Affiliate Type and Ebay PID in your <strong>admin -> options -> phpBay Lite</strong> control panel.";
      return $text;
      exit;
     }

     $ebay_lite->listings($kw, $num);
     $ebay_lite->html = "<div>\r\n" . $ebay_lite->html . "\r\n</div>\r\n";
     $text = str_replace($match[0], $ebay_lite->html, $text);
   }
  }    
  return $text;
}

function pb_add_button() {
  $insert_this = '[phpbay]keyword(s), 10[/phpbay]';
  phpbay_textbutton_post("", 'pBL', "", $insert_this);
  phpbay_textbutton_page("", 'pBL', "", $insert_this);
}

# Add phpBay auctions to page
add_filter('the_content', 'phpBayLite');
# Add the phpBay Pro Admin Panel
add_action('admin_menu','add_admin_panel');
# Add the phpBay button to the editor
include('phpbaysnap.php');
add_action('init', 'pb_add_button');
?>


Smile
View user's profile Send private message
I am having problems decoding this byterun file
  www.waraxe.us Forum Index -> PHP script decode requests
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 2  
Goto page 1, 2  Next
  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.186 Seconds