Article: Decoding a User Space Encoded PHP Script

May 13th, 2010

Today we present a short article about how to decode a PHP file encoded with the php-crypt.com PHP encoder. This article was written today by Stefan Esser after having seen an advertisement for php-crypt in the Xing PHP Development Forum.

Decoding a User Space Encoded PHP Script

Stefan Esser, 2010-05-13

Introduction

Every once in a while a new PHP encryption tool/service pops up and offers PHP “encryption”. Therefore the idea behind php-crypt, which was announced today in the PHP Development forum of Xing, is nothing new. In fact there are two types of PHP encryption systems: source code obfuscators/encryptors/encoders and bytecode obfuscators/encryptors/encoders. The first type is usually implemented in PHP user space; the second type requires a PHP extension written in C/C++ that hooks into the Zend Engine and provides an encryption of the executed Zend Engine bytecode.

PHP-Crypt is one of the type one obfuscators/encryptors/encoders that is implemented in PHP user space only. Because I have yet to see a user space PHP encoding tool that is hard to break, I took a quick look into it and present my results here in order to show how useless this type of encrypter usually is.

The encrypted Code

In order to play around with the crypter I wrote a very simple Hello World script in PHP and had it encoded by the demo version of the php-crypt online encoder.

<?php
echo 'Hello World';
?>

The resulting encoded PHP script looks like this.

<?php
 /* Demo by www.php-crypt.com - Simple Script */
$keystroke1 = base64_decode("d2RyMTU5c3E0YXllejd4Y2duZl90djhubHVrNmpoYmlvMzJtcA==");
eval(gzinflate(base64_decode('hY69DsIgFIVf5QwMENGUuWH0QZTeKrFekgsMxvTdLWlqTBfX8/uNlUOJiSGpEIc0kFa5SOSbVZdnqlwM3lAPesEj1+vifQPoLJzpEUe9KBPx5hjvXasJlSqMcBedZNBtxeCAbbjHDJoy/U/i1PjOK9+ewlns7o/O2N+X+QM=')));
$O0O0O0O0O0O0=$keystroke1[2].$keystroke1[32].$keystroke1[20].$keystroke1[11].$keystroke1[23].$keystroke1[15].$keystroke1[32].$keystroke1[1].$keystroke1[11];
$keystroke2 = $O0O0O0O0O0O0("<84>q^?>BF<80>~An<86>r<87>D<85>pt{sl<81><83>E{y<82>xCwuov|@?z}", -13);
$OO000OO000OO=$keystroke2[16].$keystroke2[12].$keystroke2[31].$keystroke2[23].$keystroke2[18].$keystroke2[24].$keystroke2[9].$keystroke2[20].$keystroke2[11];
$O0000000000O=$keystroke1[30].$keystroke1[9].$keystroke1[6].$keystroke1[11].$keystroke1[27].$keystroke1[8].$keystroke1[19].$keystroke1[1].$keystroke1[11].$keystroke1[15].$keystroke1[32].$keystroke1[1].$keystroke1[11];
eval($OO000OO000OO(base64_decode('LdA3sq
NIAADQy2zVzC8CbGNqIxBGeCdssoVHQAsJaBCcfi
bY5B3gNXsx/f7HdQmC+J/fZbE2LPNf3VRz3fz+Zd
WyQcAtE0W5mzD4aXDstO3EZ5fZ6o1+uM21ozLcG4
oviaCrvdlt4VDbtWhbbhEaS9cHHMupqeDvDT6rqr
daT+HkHxDNJwXmzuOunr217Kp8Lc6Gz6niMUJWgy
aJz2jBt08FFvHcpWZPJ2yX7Fkpp8dwKG4bHJbKI8
uLHi8Pq7zw4KTKlbrcVKdZUIpkRRI+C2raVY29RH
cRvd+0KAJTUYZtNdp0PxuWK4XqIIP07csc7LDjyO
jyHWZUXGkAOc/l5SQwb0FYU4BFAohVOddtT6t13l
Pq0Svrg8TKOgpZFial/NFaFNS9eJUzKWkH+c30MA
5zM+tYk0aOSHEQA1OBi6x2u9y/P+I5GcMYCOsY+1
CUs4+SeZ70eFlOa94otqFgPpBNnqpTRJiZYkr5FC
Tf4GCWd/UdqQ5N0i0HG9+lpL7b4WAakYYFVsookf
GOMJlQVMWfafs5ObbUp+7GE7o0f8u2vYQIkt2QoI
mpqY6NKTTK7hWMnUEhXp6UtY6VSmNVlvoGe5t8QT
8k2zL7MV/7IeH29eab38y7ICMFxMYfrzf92EcFO2
ciagFgZNhUbIH+cgX+fis4EmE20LuXC7TzMeDxag
YZO4Dm41XX3ne693l79ySwtISgE4l/0kI45w39sk
lPQGAJVBKPuVViivYZI+pxpjtFsIJ+HS9S+rTAuk
2pwd1CwVFxxwyeQ8ub5yV1y0VaFCemmxHDSHehEC
fgUpkrUQUqdW9DEbHJRE2WHBnjV6UZTABkfi/qGc
CJ6eQVQjru7w9Pkpcj0U2E1Zpee54WmE1U0M5M8h
TrK/MjN448JrDrrVAtsbvj2GbfHbfvxASzEk/1Hh
FvykLz1J1RiUu+57ywZH3mW+z6buQU8krlkMnluX
+2F+Y92m2s49U1xLLbWCILbHvYNye/D/k+ymdFOa
kaMgzNNbLsZod01KubNKEEUXK7RiUJUgXxV+HU33
DzpZLBfTuPM480nv50NjpMCeiwmxtvHFoqAO7wid
uGmqmaI3fNtiAfRnBlXdsZXKbtXZLEcPwCQutdPN
7gv35+fv79Aw=='
)));
?>

The code uses base64_decode(), gzinflate() and eval(), a lot of base64 encoded strings, some variable function calls and some non-printable characters that will cause problems for anyone loading and saving the file in an editor. In order to analyse this encoded script I will use my evalhook PHP extension, which is presented in the next section.
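The variable function names and the eval() layers in the listing above can also be resolved statically, without executing any of the encoded code. The following helper is an added example and is not code from the article or from the evalhook extension. It decodes the $keystroke1 blob and applies the two index lists exactly as the encoded script does (both are copied verbatim from the listing), ports the rotencode() function that the first eval() layer defines so that $keystroke2 could be resolved the same way once the non-printable bytes of its argument are intact, and peels nested eval(gzinflate(base64_decode('...'))) layers with a raw DEFLATE inflate, which is what PHP's gzinflate() performs. The nested sample payload used for the demonstration is constructed inside the block; the names EVAL_LAYER, peel_eval_layers and build_nested_payload are my own.

```python
"""Static helpers for peeling a php-crypt style user-space encoder.

Added example, not code from the article or from evalhook.  Everything here
works on the encoded source as text, so nothing from the sample is executed.
"""
import base64
import re
import zlib

# Verbatim from the encoded script in the article: the base64 blob assigned to
# $keystroke1 and the index lists used to build the two variable function names.
KEYSTROKE1_B64 = "d2RyMTU5c3E0YXllejd4Y2duZl90djhubHVrNmpoYmlvMzJtcA=="
O0O0O0O0O0O0_IDX = [2, 32, 20, 11, 23, 15, 32, 1, 11]
O0000000000O_IDX = [30, 9, 6, 11, 27, 8, 19, 1, 11, 15, 32, 1, 11]

# Matches eval(<fn>(base64_decode('...'))) where <fn> is gzinflate or a variable
# function such as $OO000OO000OO.  The base64 literal may be split across lines,
# as it is in the article's listing, so whitespace is allowed inside it.
EVAL_LAYER = re.compile(
    r"eval\(\s*(?:gzinflate|\$\w+)\(\s*base64_decode\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)\s*\)\s*\)",
    re.DOTALL,
)


def php_rotencode(data: bytes, amount: int) -> bytes:
    """Port of the rotencode() that the first eval() layer defines.

    PHP's chr() reduces its argument modulo 256, so the shift wraps per byte.
    Done iteratively here; the original recurses once per character."""
    return bytes((b + amount) % 256 for b in data)


def pick_chars(keystroke: bytes, indices) -> str:
    """Rebuild a variable function name from $keystroke[i] concatenations."""
    return "".join(chr(keystroke[i]) for i in indices)


def resolve_keystroke1_names() -> dict:
    """Decode $keystroke1 and resolve the two names derived from it."""
    keystroke1 = base64.b64decode(KEYSTROKE1_B64)
    return {
        "$O0O0O0O0O0O0": pick_chars(keystroke1, O0O0O0O0O0O0_IDX),
        "$O0000000000O": pick_chars(keystroke1, O0000000000O_IDX),
    }


def gzinflate(data: bytes) -> bytes:
    """PHP gzinflate(): raw DEFLATE without zlib/gzip header (wbits = -15)."""
    return zlib.decompress(data, -15)


def peel_eval_layers(source: str, decoder=gzinflate, max_layers: int = 64) -> list:
    """Statically unwrap nested eval(<decoder>(base64_decode('...'))) layers.

    Returns each decoded layer in order; the last element is the innermost code.
    `decoder` is whatever the variable function resolves to (gzinflate here)."""
    layers = []
    current = source
    for _ in range(max_layers):
        m = EVAL_LAYER.search(current)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))  # rejoin a line-wrapped literal
        current = decoder(base64.b64decode(blob)).decode("latin-1")
        layers.append(current)
    return layers


def build_nested_payload(plain: str, depth: int) -> str:
    """Constructed test input: wrap `plain` in `depth` gzinflate/base64 eval()
    layers, the way php-crypt's output in the article is layered."""
    code = plain
    for _ in range(depth):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no header
        raw = comp.compress(code.encode("latin-1")) + comp.flush()
        code = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return code


if __name__ == "__main__":
    for name, value in resolve_keystroke1_names().items():
        print(f"{name} = {value}()")
    sample = build_nested_payload("echo 'Hello World';", 3)
    for i, layer in enumerate(peel_eval_layers(sample), 1):
        print(f"layer {i}: {layer}")
```

Resolving $keystroke2 the same way is only possible with the original file: its argument is made of bytes above 0x7F that do not survive an HTML listing, which is exactly the failure the comments below describe.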

evalhook PHP extension

Whenever encoders like php-crypt have to be analysed the task is usually the same. You take the script, replace all calls to eval() with die() and check what it tries to eval(). When it looks safe you replace the eval() with the evaluated code and repeat. This is very tedious and time-consuming work, especially when there are multiple wrappers of eval(). Therefore I wrote a short PHP extension called evalhook that helps with this task. The core functionality of this extension is very simple.

static zend_op_array *(*orig_compile_string)(zval *source_string, char *filename TSRMLS_DC);
static zend_bool evalhook_hooked = 0;

static zend_op_array *evalhook_compile_string(zval *source_string, char *filename TSRMLS_DC)
{
    int c, len, yes;
    char *copy;
   
    /* Ignore non string eval() */
    if (Z_TYPE_P(source_string) != IS_STRING) {
        return orig_compile_string(source_string, filename TSRMLS_CC);
    }
   
    /* Work on a copy. If the string contains embedded NUL bytes, replace
       them with '?' so that printf() shows the whole string instead of
       stopping at the first NUL. */
    len  = Z_STRLEN_P(source_string);
    copy = estrndup(Z_STRVAL_P(source_string), len);
    if (len > strlen(copy)) {
        for (c=0; c<len; c++) if (copy[c] == 0) copy[c] = '?'; /* assignment, not comparison */
    }
   
    printf("Script tries to evaluate the following string.\n");
    printf("----\n");
    printf("%s\n", copy);
    printf("----\nDo you want to allow execution? [y/N]\n");
    efree(copy); /* the copy was only needed for printing */
   
    yes = 0;
    while (1) {
        c = getchar();
        if (c == '\n') break;
        if (c == 'y' || c == 'Y') {
            yes = 1;
        }
    }

    if (yes) {
        return orig_compile_string(source_string, filename TSRMLS_CC);
    }
   
    zend_error(E_ERROR, "evalhook: script abort due to disallowed eval()");
    return NULL; /* not reached: E_ERROR bails out, but the function must return a value */
}


PHP_MINIT_FUNCTION(evalhook)
{
    if (evalhook_hooked == 0) {
        evalhook_hooked = 1;
        orig_compile_string = zend_compile_string;
        zend_compile_string = evalhook_compile_string;
    }
    return SUCCESS;
}

PHP_MSHUTDOWN_FUNCTION(evalhook)
{
    if (evalhook_hooked == 1) {
        evalhook_hooked = 0;
        zend_compile_string = orig_compile_string;
    }
    return SUCCESS;
}

This extension simply replaces the zend_compile_string() hook inside PHP, which is called whenever a string is compiled for execution. This includes not only eval() but all other kinds of dynamic PHP code evaluation, like the function bodies passed to create_function(). You can download your copy of evalhook here.

Deprotection

In order to demonstrate how powerful evalhook is when it comes to removing encoders like php-crypt we will now deprotect the above hello world script. We do this by simply executing the encoded script with the evalhook extension loaded.

$ php -d extension=evalhook.so encoded_script.php
Script tries to evaluate the following string.
----
function rotencode($string,$amount) { $key = substr($string, 0, 1); if(strlen($string)==1) { return chr(ord($key) + $amount); } else { return chr(ord($key) + $amount) . rotEncode(substr($string, 1, strlen($string)-1), $amount); }}
----
Do you want to allow execution? [y/N]

We can see that the first eval() just defines a new function that provides ROT encoding. There is nothing dangerous about it, so we let it execute and wait for the next eval().

Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('...')));
----
Do you want to allow execution? [y/N]

We can see that the code tries to eval() another piece of code that does eval() again. In fact there is also a call to a variable function, $OO000OO000OO. This is harmless in this case because it just contains the string gzinflate. However, if the code to decrypt is actually malware you should not allow execution here and first check the content of this variable. Therefore do not use evalhook on malware as it is. For malware you need to hook all “dangerous” functions first.

But in this case we do not deal with malware and therefore we just allow execution, which reveals another eval() layer. So we simply continue until something changes.

Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('...')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('...')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('...')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('...')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('...')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('LcTJboJAAADQn2lSDQdGQJY0PczIvoqDQLk0MKxKBxRE6df30nd41ZL3m7cgAAD8tynyqRKF77IiQ1lt3l0S2cVgQwjVkHI/XdaIB1V/5GZ7MvVWC1GTy/5hVS37YTnHy26pw9KkvK7Urju3PwaTMNkLerFgKAZYxcsKzrjLpRTFD01ZruipxsllQYQIfrGe9tg7h9LMl4ovpbmJ4owYphth9CUPlUbJlY8yfEAGbV/XXKlQahp2N2M8sGUQi92wn06OQW8vju7Pa7tzByzuMTtyqGETGnBdHY6TFlW98EQaezOEkU4PYtVtD01ckmBcPZNYNtcuYbgkx4F3o4Bmll4nzh3BXJUZXfTy6DVJQuvOLBeQiwFZh8GRbd9/pxmWANyGtJPHhnsCvxNbySHyust24rHh+wIDtfbuqRbNDicPTQnmAxp7SiGDFNf/usdFXT8/P9+32+3HHw==')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('LcTJboJAAADQn2miZg6CDFuaHhRHFhEQBga8NCyDIJuIKPj1vfQdHn3F9fLLthmG+W+ZxAMV4G9G0y6jy0USia7XBVuE9vkBwDVWjvBcc4NbyR5SMUQ7t3d9N7XaHBVZcGHLTSBY8oeEnck3TZSCBGnhxka9eBXHGJitSSo/dOV6io5sRKGnqx2n5Uyh1LoS65S/p2Bg/WnO2ifQpsETel4wBE/qG4pnsucIfhlAHSdcOpyMHcIJ2hvQQvWPo3LTOnZIFfWKrBAaD8+F6MaTxs74hLt/2OcjGA/K+STJJrzstAd00qoXi8pg2w0Ni6h7Kc8y1Z16Pg3lbS0DfMrXETtK28ogd0tCBplnnA+B9LNYrVbffw==')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
eval($OO000OO000OO(base64_decode('bY7RSoVAEEDfF+4/TCK4Ql3sRk9SEGT4EBRqRURcNnfEhdVZ1i2V6N9zWXoL5mmYc+bEHX2OEq7g7ua+LnLWkUXR9lxYK1Ye4SIGo3Hf0hClICaIe5pc+s1Uxydnt+HxsS6q56J6S8qmeTyWD3WTvJ+GuxTiP39TPW36Hw+ehGUKuCjHo1scCGgENX4JrSR4Ej5WmOd5b3pz1trVuFCQM89L4ZBHr4Pckq7hkJ1n2eXhYovCticIPlyMsij/9+TMf/Y1u8AkJWpN8EJWyyTfsV8=')));
----
Do you want to allow execution? [y/N]
y
Script tries to evaluate the following string.
----
$found = FALSE;
foreach(array("example.com") as $host){
if(strstr($_SERVER['HTTP_HOST'],$host)) $found = TRUE;
}
if(!$found) exit("Demo on invalid host by www.php-crypt.com");

if(date("Ymd") > 20100523){
echo "Demo expired by www.php-crypt.com";
exit;
}

echo 'Hello World';

----
Do you want to allow execution? [y/N]

As we can see there are a lot of eval() layers, but in the end there is pretty much the original code that was protected. In addition to the original code we also see the domain verification and time limit functionality. It should be obvious that at this point we can simply copy the original code and forget about all the previous layers of protection.

Conclusion

As I have demonstrated, php-crypt does not pose any serious challenge when it comes to removing it, and it never will unless the author comes up with a protection that does not rely on eval(). A future MOPS article by one of my colleagues at SektionEins will show that this is possible.

  • Jesse
    Well, I came to php-crypt.com, and downloaded the encrypted "hello world" like below
    <?php
    echo "hello world";
    ?>
    But the error still occurs, here is the screenshot i39.tinypic.com/1pc7yq.jpg
    Regards,
    Jesse
  • stefanesser
    I am not sure how you download the files and how you execute them. However the error you describe always happens when the unprintable characters in the PHP script get destroyed.
  • Jesse
    hehe, I want to know the answer too.
    However, when I put the encrypted php into windows, it works well and output "hello world".
    It just doesn't work at my linux box. IMO, this might be caused by locale environment.
    Sorry to bother you.
  • Jesse
    The "hello world" doesn't work at my box.
    Fatal error: Call to undefined function a#c++*91+() in /usr/local/webserver/php/bin/temp.php on line 9
    a#c++*91+ is the value of $OO000OO000OO.
    Can you help me? My php compiling params ./configure --enable-shared --without-pear --without-sqlite --with-zlib
    yeah, I compile the php from scratch in order to test this.
    Regards,
    Jesse
  • stefanesser
    This does not work for you because the encoded PHP contains a bunch of non printable characters that cannot be displayed in the HTML. Therefore your copy of the script is incomplete. If you want to reproduce this test you have to go to php-crypt.com and encode your own demo script.
  • Nifty script. I've done a couple by hand like that, but it was pretty painful.