Need help decoding a PHP script

    • 2 posts
    September 14, 2017 7:02 AM EDT

    Found this Shell by looking up on how to deface a website: https://github.com/Anon-Exploiter/An0n-3xPloiTeR-Shell/blob/master/Shell.php

    It's fully encoded and there has to be a reason. I don't trust the author at all, so I started decoding it, but I'm new to PHP so that's a lil hard for me.

    What I've done so far:

    <?php
    /*
          some comments
    */
    $UeXploiT = "...";        # Base64
    $An0n_3xPloiTeR = "...";  # Base64
    eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));
    exit;
    ?>


    So I started off decoding $UeXploiT. Result:
    eval("?>".str_rot13(gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(base64_decode(strrev($An0n_3xPloiTeR))))))))))));

    I'll try to explain it as far as I understand it:

    eval just runs the following Line,
    Runs ?>; end of a php script,
    converts all that gzinflate(gzuncompress)) stuff to ROT13,
    gzinflate/gzuncompress compresses/uncompresses the code, so we got gzinflate 4x times and gzuncompress 4x times too, which would make a total of 0, right? So it shouldn't do anything at all.
    base64_decode: self-explaining,
    strrev($An0n_3xPloiTeR) reverses the string in the variable $An0n_3xPloiTeR, so I guess it's a reversed Base64 code.


    eval(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));

    Basically the code decodes the variable $UeXploiT which contains the variable $An0n_3xPloiTeR, but reversed. My goal is to find out what $An0n_3xPloiTeR contains. Sure it's the main code, but I want to decode it.

    I used the following commands to decode:
    $UeXploiT = "...";        # Base64
    $An0n_3xPloiTeR = "...";  # Base64
    $ReTiolPx3_n0nA = strrev($An0n_3xPloiTeR);

    #works and shows the decoded code.
    print(htmlspecialchars_decode(gzinflate(base64_decode($UeXploiT))));

    #shows encrypted Code
    #print(htmlspecialchars_decode((base64_decode($An0n_3xPloiTeR))));

    #shows "gzinflate(): data error in FILE on line 16"
    #print((gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(gzinflate(gzuncompress(base64_decode(strrev($An0n_3xPloiTeR))))))))))));

    #Shows the Base64 code reversed.
    #print (strrev($An0n_3xPloiTeR));

    #shows "gzinflate(): data error in FILE on line 18"
    print(gzinflate(base64_decode($ReTiolPx3_n0nA)));

    #shows encrypted Code
    print(gzuncompress(base64_decode($ReTiolPx3_n0nA)));

    Encrypted Code looks like this: https://pastebin.com/dAUhpdFA



    I'm still learning, so please don't judge me if there's a simple mistake. I'm not looking for a solution, I'm looking for some tips :)
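Added example, not part of any post in this thread: a static decoder in Python for the layer order quoted above (strrev, base64_decode, four rounds of gzuncompress then gzinflate, str_rot13) that never calls eval. gzinflate reads raw DEFLATE and gzuncompress reads a zlib stream, so both are decompression steps and each round removes two layers. The names `peel`, `build_sample`, `CHAIN` and `DECODERS` are hypothetical, and the input is a constructed harmless string, not the shell's data.

```python
import base64
import zlib

# ROT13 over bytes, like PHP's str_rot13 (ASCII letters only).
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

# Python equivalents of the PHP functions in the chain quoted in the post.
DECODERS = {
    "strrev": lambda b: b[::-1],
    "base64_decode": base64.b64decode,
    "gzuncompress": lambda b: zlib.decompress(b, 15),   # zlib stream (RFC 1950)
    "gzinflate": lambda b: zlib.decompress(b, -15),     # raw DEFLATE (RFC 1951)
    "str_rot13": lambda b: b.translate(_ROT13),
}

# Innermost call first, exactly as nested in the decoded eval() line.
CHAIN = ["strrev", "base64_decode"] + ["gzuncompress", "gzinflate"] * 4 + ["str_rot13"]


def peel(blob: bytes, chain=CHAIN) -> bytes:
    """Apply each decoder in order and return the final bytes; nothing is executed."""
    for name in chain:
        try:
            blob = DECODERS[name](blob)
        except Exception as exc:  # a wrong order or wrong format surfaces here
            raise ValueError(f"{name} failed: {exc}") from exc
    return blob


def build_sample(plain: bytes) -> bytes:
    """Constructed test input: wrap harmless text in the same layers, in reverse."""
    data = plain.translate(_ROT13)
    for _ in range(4):
        raw = zlib.compressobj(wbits=-15)
        data = raw.compress(data) + raw.flush()  # equivalent of gzdeflate
        data = zlib.compress(data)               # equivalent of gzcompress
    return base64.b64encode(data)[::-1]


if __name__ == "__main__":
    sample = build_sample(b'<?php echo "constructed sample"; ?>')
    print(peel(sample).decode())
```

For a real file, pass the second variable's string to `peel()` and write the result to a text file for reading; the `ValueError` names the layer at which the assumed order stops matching.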

    • 1 posts
    October 21, 2017 2:52 AM EDT

    That's my shell there boi :)

    If you wanted the decoded version of it you should've commented on the video. I would've given you that :D

    I obfuscated it because of some modules I added in it. I didn't want to make them public

    P.S ~ I also wanted to share the shell with the world, that's why I obfuscated it with my own obfuscator :)

    Hasta La Vista :)

    ~ An0n 3xPloiTeR :)

    • 2 posts
    October 27, 2017 4:13 AM EDT

    Awesome to see you here dude! Would be nice if you could send me the source code decrypted via PM ^-^ I won't share it with anybody :)

    Greets!