Tag: hacking
Hacking eval and base64 php “encrypt”
by z3n on Nov.17, 2010, under Coding
Problem:
There are some paranoid coders that nest many eval + base64 one inside the other in order to protect the code. This is not a real ecrypt method, just a lame way to avoid users from removing the annyoing banner by the cost or overloading the server.
example of this type of scheme:
<?php eval(gzinflate(base64_decode('DZbHsqRYEkR/pXddZSxINFhPTxlaa81m7CY6E63h6+ftw3xx3CPC//z3P3+mZvqrPED3q37aoerAVv56g7Uk8f8VZT4W5a+/hQggyx6r7LFHVJLJeq5/q2LyaNXPeiQZG214mBKO3/XtUwEMwzvsJCYDd3EFYHIps+NByYiC7k3fNEOA249etYeRYNjt+/bqV9PH9t4SodpQemOi7fJHwyoCI5X+5zHNQ1BItfskwcnGsApP0glEui2i0OBZtvL9fqdEsSkSI9zJ29cRLlliDmSc0IS9QSOKolZm4bSxqS1Wo4VXW+vSfpfYxEJxxzMivV7mzr1GeB7zvrLumPQYQ4kryUKsQfqs8t1llujDJGoyfCg1/lfej7S6DZqQm5+5LDL2Ouef5HykumQi9sWi+yVjQKwhMddtzBLBsPo7kKb6M7w56jmKUk4DrO/Mcp2cBI0YpHga8ul2BAT3tkiI9Zr8rfrGjAmIdWW7vltXCL1c/fUD59vFpSNXdHmj5GBrX/nO1ldluWsNguWuJHU+KZRlzIToiZ69RL5mFrt1AxiSxLGRM9UDyP6g/QddWHQ8J9sVq6/2iPFRSBtiV61rIE8kkOvw3Ru04fkTR7qvT23W0hqnqOv3mgCmlpVkXCqDpAOK0qtNN6t7/iThLOJfZUpSuOynLmLlS79cSYyXtOHwrmaHx2o2kpyI/DoHWT0vpJeRahQ588NmBnLFmp27UsekjsYF73nROcey9hkqqf5KtHvlZgMiMSosr/uDko2NHol1TvKFWjTXFkqUnLKLRqG2F90pO4XFglJvX5lnFmJMLX0ToCKNbKnRrNdsZ55fqMm3PdiApfaH2TTF4tn3J1j4cWyDct69BiQyQ+wiuXVRtwb2fOqc+zRKJaExcjud5O51mkggXPqRFsFHfSOHWRDDUJtv/m6S6qU+BBF+Z/dTDtmjRowWMyc4Bm2BtEWng4je1wW55OBR5D2UHO70Kx+Kmw+a1Xn+PQZ2LUWjGNfmxqFQpe/Yelgcl2yhm7nxg7OhaS90rWj0eFxhlHI482DEHdW6+96lYP/q7DsLg0AmhdCDblQqLYDbh5nT1irZlb7E3gaCoJ/QOK8Hy65OtcPVqXzEnkSRK3TkUR1+dv8UHG9JkA7XFi6ax8YU96Ejp97rWIrODdiIJySRdUcVXvVz1smYAl9eoCsZqTcuxsze7hXqqSoFvfzWyuiV4Sh5KJvsYCFg/pBCw0yFaTMPAOFuh7Q2rzPXvoeaxfyR9FkBP2bVtHE90hFP8WBJ5cmX3pHAjH2PBHXp2qIsT2JsVmMxJ/zQYON+MgICkd5D997b90iuEK93/gZQh7SCOLJIC/ipppZJATJ6KOi+onjLBNLDdbYPZNCIW4I89mBRQnUfKCXpO1xLyX2/gdROPTSY7+jRr0UcsukLpRcmh5XvBJjMv9NFBKXs6X7O+tBcBvV6IACC2LP02h81J84ORhZObsOk60rKfbiy1YatyvPQi2Zokc8UxtH1uIO+pq2lHKR/N7NUvsRyAYXXfuIkC8IVweuIOsLkvoa7zjayWoR0rQiXNoSDMmjSIezydb8gqSootA3SiqmdlB4yRaR8H00KNuxf4jNA/gmq8cR6oKz9iL0UvF5AYMjZAfXK9/DKCU+ptYnGn0OXmhSEA9ilPBmU+6U4AFV4N1dQTFIawCknvKdIUqKK6VyypD6o1aKR2DYgyHk6d273dWatnzQOKCAbgdCN9xjWLJtguuklftOlAQ3xGQEIzBUivQNA+zPurDUsWTpczD2xaUHkU5bmZK4hGybrGPu4KpyNoT2PlxzlKpmjwgULrXcWZzLl5Y7XFZGkhpfAr6APSOiOIghWZvzq79f6BMFrFvzogOoblye+tfoxR2Qjby3GTLGzqAY9HMtya+6mICRsEff4beoSnQ+x20XFjJUf/cyGPVWIddtwbEpkYZjxAhEsjwnDkG0olgafeYrJOAzhoYSxTBUarwzhTr5JiBz875cWavW8g5FJFUreiUDqjPZ75Tam/PxDVDdvR6noi3UI8iEToySCtUCItjKkPOLKNX9PkRSoFUs9mgqx7OXLEHUI2ZHLZQyY3QudPX59zdrZ+fvFG0q3+WyRT7fmhZB6Z0LbihCpOp1n4XsbhxOweJkEGYSoRqZyanzVnD2P+OKva1lYLuHOcUXPh6+zR5jc3BzLll0GHnporrjAL+Hq8tDEcF6d9H7rEPFVfa44RRDlB90kBmJM4DkRbD/mnbOJBM+7O2QBi4he6UPmjkLv6yMJekDmSTZD/tCRXoAQiLMlVfhGC8id6mHF72SZf2SnXqZLLEqNznVBc6/L5XFjM5X4hdiv5Nsp9XvzCeOMhE/B3wPWihKIGQwHvZDqm80HLyHrjuYaQqIOOFTr5fgVaqrsZmyOEDn/46AAwxQDwTlcwRgBBQ7Mnf/++/fv37//+evPT4f6Pw=='))); ?>
Solution:
I wrote a little function for this before, to break reviewitonline.net’s “protection”. Now i have a full class with better handling and able to decode subfolders.
There you go:
<?php
// (c) z3n - R1V1@100503 - www.overflow.biz - rodrigo.orph@gmail.com
class eval_hack {
protected $temp;
protected $dest;
protected $tdir = array();
protected $tfile = array();
protected $ext = array("php");
public function __construct($folder, $temp = "temp/", $dest = "decoded/") {
$this->o("(c) z3n - R1V1@100503 - www.overflow.biz - rodrigo.orph@gmail.com");
$this->temp = $temp;
$this->dest = $dest;
if ($this->check())
$this->process($folder);
}
protected function check() {
if (file_exists($this->temp) && is_writable($this->temp)) {
if (file_exists($this->dest) && is_writable($this->dest)) {
return true;
} else {
$this->o("Destination path (".$this->dest.") is not writable / don't exists");
}
} else {
$this->o("Temp path (".$this->temp.") is not writable / don't exists");
}
return false;
}
protected function save($fn, $content) {
$fn = $this->dest . $fn;
@ mkdir (dirname($fn), 0777, true);
return file_put_contents($fn, $content);
}
protected function process($folder) {
if (file_exists($folder) && is_readable($folder)) {
for ($this->tdir[0] = $folder, $i = 0;$i < count($this->tdir);$i++) {
$this->o("Processing: ".$this->tdir[$i]."...");
$this->rddir($this->tdir[$i]);
for ($j = 0,$k = count($this->tfile), $this->o("Found: ".$k." files");$j < $k;$j++) {
$fn = $this->tdir[$i] . "/" . $this->tfile[$j];
if (file_exists($fn) && !is_dir($fn) && filesize($fn) > 0) {
$ext = strtolower(substr($fn,strrpos($fn,".")-strlen($fn)+1));
if (in_array($ext,$this->ext)) {
$this->o("Decoding: ".$fn);
$str = $this->decode(file_get_contents($fn));
if ($str === false) {
$this->o("Error decoding: ".$fn);
} else { // save file to new path
$this->save($fn, $str);
}
}
} elseif (is_dir($fn) && $this->tfile[$j] != "." && $this->tfile[$j] != "..") {
$this->tdir[] = $fn;
}
}
$this->tfile = array();
}
} else {
$this->o("Process path (".$folder.") is invalid");
}
}
protected function rddir($dir) { /* v2.17-OO */
if (is_dir($dir)) {
if ($dh = opendir($dir)) {
while (($file = readdir($dh)) !== false) {
if ($file != "." && $file != "..") {
if (is_dir($dir . $file))
$this->tdir[] = $dir . $file;
else
$this->tfile[] = $file;
}
}
closedir($dh);
}
}
}
public function decode($x, $cut_crap = true) {
/**
* @param $x string with the file
* @return false | string
*/
for ($i = 0;strpos($x,"eval(") !== false;$i++) {
$this->o(".", false);
file_put_contents($this->temp . "x" . $i . ".php",str_replace("eval(","file_put_contents('".$this->temp."y".$i.".php',",$x));
exec("php ".$this->temp."x".$i.".php");
unlink($this->temp . "x".$i.".php");
if ($i > 0)
unlink($this->temp . "y".($i - 1).".php");
$x = file_get_contents($this->temp . "y".$i.".php");
}
$this->o($i . " nested");
if (file_exists($this->temp . "y". ($i - 1).".php")) {
unlink($this->temp . "y" . ($i - 1) . ".php");
if ($cut_crap) {
if (substr($x, 0, 7) == "?><?php")
$x = substr($x, 2);
if (substr($x, -4) == "?><?")
$x = substr($x, 0, -4);
}
return $x;
} else {
return false;
}
}
private function o($msg, $nl = true) {
echo $msg.($nl ? "\n" : "");
}
}
if (php_sapi_name() != "cli")
die("You must run this on CLI");
if (!isset($argv[1]))
die("Usage: ".$_SERVER['PHP_SELF']." <folder/to/hack/> [temp folder] [destination folder]");
$hack = new eval_hack($argv[1], isset($argv[2]) ? $argv[2] : "temp/", isset($argv[3]) ? $argv[3] : "decoded/");
?>
As for the people who really want to protect their code, you might want to have it on zend or ioncube, although they are also engineering reverible, just a bit harder.
Faking Google Analytics Statistics
by z3n on Jun.17, 2009, under Coding, Tips & Hints
Problem:
Let’s assume you want to build up fake statistics on google analytics using a php script.
Solution:
You just need to input the google analytics UA code and you’re ready to go:
-
-
// (c) z3n – R1V1@090617 – z3n666@gmail.com – www.overflow.biz
-
-
// Fake Resolutions
-
$resolutions=array("1024×768","1280×800","1280×1024","1440×900","1680×1050");
-
// Fake Flash Versions
-
$flash=array("10.0%20r2","10.0%20r1","9.0%20r12");
-
// Fake Languages
-
$languages=array("en-us","de","ja","ko","pt-br");
-
-
// functions
-
-
function baseurl($x) { //v1.03
-
$y=str_replace("http://","",$x);
-
$s=strpos($y,"/");
-
if ($s === false) {
-
$s=strpos($y,"?");
-
}
-
if ($s !== false) {
-
$y=substr($y,0,$s);
-
}
-
return "http://".$y;
-
}
-
function getmicrotime() { list($usec, $sec) = explode(" ",microtime());return ((float)$usec + (float)$sec); }
-
function ga_fake($url,$ua) {
-
global $resolutions,$flash,$languages;
-
$gmt=round(getmicrotime(),0); // timestamp
-
$uid=mt_rand(70710490,92710490); // unique id number
-
$bid=mt_rand(21234567,91234567).mt_rand(1018864,9999999).mt_rand(1021,9999); // big random number
-
$java=(rand(0,100) > 85) ? 0 : 1; // java enabled?
-
$x="http://www.google-analytics.com/__utm.gif?utmwv=4.3&utmn=".mt_rand(64045995,94045995)."&utmhn=".str_replace("http://","",baseurl($url))."&utmcs=ISO-8859-1&utmsr=".$resolutions[array_rand($resolutions,1)]."&utmsc=32-bit&utmul=".$languages[array_rand($languages,1)]."&utmje=".$java."&utmfl=".$flash[array_rand($flash,1)]."&utmhid=".mt_rand(1650046796,1890046796)."&utmr=-&utmp=".str_replace(baseurl($url),"",$url)."&utmac=".$ua."&utmcc=__utma%3D".$uid.".".$bid.".".$gmt.".".$gmt.".".$gmt.".1%3B%2B__utmz%3D".$uid.".".$gmt.".1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B";
-
@file_get_contents($x);
-
}
-
-
// now you just need to call it
-
-
ga_fake("http://someurl/where/the/hit/happened/","UA-123456-78");
