If all is good, the blob at the bottom gets uncompressed, rot13'd, etc.Īlthough I have only have a brief understanding of what the script does, I think I have enough to deobfuscate the blob. It looks like it's using MD5 to ensure the script isn't modified. The section right below that has some interesting variables as well. That last line is interesting as it reads a copy of itself. This is probably where the prize is.Īfter studying this a bit, I go back up to the second function and echo out the variables to see what they contain (look at the comments). If you look at the second function, you can see what looks like variable assignments.Īt the bottom of the script, you can see a blob of obfuscated text. Let me clean up the script so we can see what it's doing. This means there's some kind of anti-tampering function in the script. Now when I run the script, nothing happens. Let me change the uppercase "P" in "PHP" to lowercase. When you run it, you can see what the protected script does.Īt the top there's a comments section. PHPJiami is a decent PHP obfuscator that appears to be able to bypass several online deobfuscators. I was sent a PHP script that was protected by PHPJiami which you can find here.
0 Comments
Leave a Reply. |