Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > Reverse Code Engineering
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 05-20-2010, 03:30 PM
LensFlare LensFlare is offline
Junior Member
 
Join Date: May 2010
Posts: 3
Default eval Base64 + Obfuscate on a PHP File

I need help with a php file encoded base64 & obfuscated. Take a look:

PHP Code:
<?php 
$o
="QAAAO2NucSdka2Z0dDolZGtiZgQAdSU5OygBQDkNOzh3b3cnbmkAAGRrcmNiJy9TQkpXS0ZTQlcAAUZTTycpJyAoZWhzc2hqKQJQAKAgLjwnODkODQOUDQVCbmM6JWELgGhoc2IFIA0BwAVABoVha2JhcyU5AAQNRGh3fnVuYG9zJyFkALA8J4AEBzNiZG9oJ2Nmc2IvIF4FsDg5gAEBhGVraGBuaWFoLyBpZmpiAaIIADtldSgKoGYnb3ViYTolb3NzAAB3PSgocHBwKXBiZTVhYmJrAAApZGhqKCU5J0F1YmInUGh1AABjV3VidHQnU29iamJ0JzsoDQBmOScnBGQPAiMLQSc6J2Bic1hoABp3c25oaS8ga2V1WAFxBzAnCdJ0BDpzdW53dBNQb2J0LwMiECIQG2QCAHTuARBADiIO4DsKZQ5jDOd1dHQ1WHJ1awXxAAA4OSU5VHJldGR1bmViJ3NoANgnV2h0c3Q7KApwCmInBG8RRGRoagNsamJpc3RYBP8E+EQCZAUnDQUmE+hldQG2aGpoaWJ+KQVgE+FFAQQTE3sIZwNIYYGGFiBkYmtrd28DoBwwbmRidAQFF+JEk1IB0CdXAeF0JwSfG7diB7JkDNB1ZhwGSAAAaWtuaWInVGZxbmlgdCdGZB/5ZGhyDuAEkxeVJ5IXhCzcLUQAcijgHsJwdx1yEIJidS8b9WVoY34lAChvc2prIZAnAAAnJw==";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>
Reply With Quote
  #2  
Old 05-20-2010, 05:11 PM
kao kao is offline
Senior Member
 
Join Date: Sep 2007
Posts: 184
Default

And where exactly is the problem?

Decode first eval using some base64 tool, you'll get code like this:
PHP Code:
$lll=0;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));
...
boringboringboring... 
$llllllllll="";for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));eval($lllllllll); 
Replace last eval with echo and let the PHP code run... Voila, all the php code is magically decoded..

Hint, it's a footer for some wordpress theme with lots of ugly ads inside.
Reply With Quote
  #3  
Old 05-20-2010, 06:20 PM
LensFlare LensFlare is offline
Junior Member
 
Join Date: May 2010
Posts: 3
Default

Thanks for help. Done!
Reply With Quote
  #4  
Old 03-07-2011, 06:46 AM
Stifff Stifff is offline
Junior Member
 
Join Date: Mar 2011
Posts: 1
Default

[Please DO NOT quote whole messages, it is unnecessary]

There are lot of online tools to decode base64. For example this one Base64 online.

Last edited by Git : 03-07-2011 at 08:37 AM.
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.