Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
August 19, 2019
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 244
Members: 0
Total: 244
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Php -> obfuscate file
Post new topic  Reply to topic View previous topic :: View next topic 
obfuscate file
PostPosted: Sat Dec 22, 2012 6:18 pm Reply with quote
amin
Regular user
Regular user
 
Joined: Aug 08, 2012
Posts: 10




hello there

i have multiple files that are encoded with zend guard

when i decode them with dezender.net.2011

they become like this :
http://pastebin.com/1040ND6s

there are some codes like this :
_obfuscate_CXIZARoUBQt7HD8’( $sql )

can they be decoded?

with prior thanks
View user's profile Send private message
dezend
PostPosted: Thu Dec 27, 2012 10:10 pm Reply with quote
amin
Regular user
Regular user
 
Joined: Aug 08, 2012
Posts: 10




can any one decode this file?

http://nanoweb.ir/template.class.zip
View user's profile Send private message
PostPosted: Thu Dec 27, 2012 10:14 pm Reply with quote
pirate-sky
Advanced user
Advanced user
 
Joined: Dec 17, 2012
Posts: 75




http://pastebin.com/M3U6y5Ky
View user's profile Send private message
PostPosted: Fri Dec 28, 2012 6:08 am Reply with quote
amin
Regular user
Regular user
 
Joined: Aug 08, 2012
Posts: 10




thank you but as you see there is some names that is not decoded properly
such as _obfuscate_eGVobXo4aWIя
in here
http://pastebin.com/M3U6y5Ky

and i have bunch of this files and i need the decoder to decode them.


thanks
View user's profile Send private message
opf db
PostPosted: Fri Dec 28, 2012 4:09 pm Reply with quote
amin
Regular user
Regular user
 
Joined: Aug 08, 2012
Posts: 10




i have found a opf db like this ;

array('jdate','_obfuscate_ZC8rHHo’'),
array('$ip','$_obfuscate_As’'),
array('$get_user_info','$_obfuscate_amyM0UI2ZB2Hlodoxw’’'),
array('get_user_info','_obfuscate_bh16aDByCiogAWBubQ’’'),

that i can replace obfuscated names with real ones:

for example $ip=$_obfuscate_As’;

does any body have complete db?

thanks
View user's profile Send private message
Re: opf db
PostPosted: Fri Dec 28, 2012 8:51 pm Reply with quote
Cyko
Moderator
Moderator
 
Joined: Jul 21, 2009
Posts: 375




amin wrote:
i have found a opf db like this ;

array('jdate','_obfuscate_ZC8rHHo’'),
array('$ip','$_obfuscate_As’'),
array('$get_user_info','$_obfuscate_amyM0UI2ZB2Hlodoxw’’'),
array('get_user_info','_obfuscate_bh16aDByCiogAWBubQ’’'),

that i can replace obfuscated names with real ones:

for example $ip=$_obfuscate_As’;

does any body have complete db?

thanks


I have not bothered to look at your file, but...


If the file was originally encoded with zend:

If you run the file through the db you have - at least all obfuscated internal functions should be replaced to there equivalents (assuming the db you have, has not been changed from the original publication). Any remaining obfuscates will be user defined - so these could equate to almost anything! (which means the db can never be 'complete' Sad).

If the file was originally encoded with ioncube:

Unfourtanetly this makes it slightly more difficult then the above - as a unique key is used for the obfuscation, so the db you have will not even replace the obfuscated internal functions!

So how do you deobfuscate the obfuscates not covered?

Analyse the whole PHP script - looking for trends, and then add to the db - this should not be too difficult if you have sufficient PHP knowledge.
View user's profile Send private message
PostPosted: Fri Dec 28, 2012 9:01 pm Reply with quote
amin
Regular user
Regular user
 
Joined: Aug 08, 2012
Posts: 10




thank you cyko
i know that the file was originally encoded with zend

all i want is a bigger db of this dictionary because there is many obfuscated names yet.

some one told me :
Quote:
eg. under NWS-core and run the cmd line:
php.exe /level:4,3 /dic
and then you can get the dic file php_info.log, Making them to obs's php array by Base64 encoder...


but i did not know what he said.
View user's profile Send private message
PostPosted: Sun Jan 27, 2013 5:14 pm Reply with quote
anandinvit
Regular user
Regular user
 
Joined: Jan 26, 2013
Posts: 6




it is hard to decode some php if they are coded again and again i.e if there are many layers. so if we decode 1 layer we will find the second layer and this may continue to some steps.
View user's profile Send private message
obfuscate file
  www.waraxe.us Forum Index -> Php
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB © 2001-2008 phpBB Group






All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.066 Seconds