hack3core Posted December 4, 2013 Share Posted December 4, 2013 [align=center]hello brothers, perhaps you have it already knows and who does not know that I will teach, today we will talk about Decode and Encode Php code There are many ways to encode and decode PHP code. From the perspective of site security, there are three PHP functions — str_rot13(), base64_encode(), and gzinflate — that are frequently used to obfuscate malicious strings of PHP code. For those involved in the securing of websites, understanding how these functions are used to encode and decode encrypted chunks of PHP data is critical to accurate monitoring and expedient attack recovery.[/align] [align=center]Encoding and decoding with str_rot13()[/align] As explained in the This is the hidden content, please Sign In or Sign Up , str_rot13() is a simple function used for rotating every letter “13 places in the alphabet” while ignoring non-alphanumeric characters. This type of encoding is called ROT13 encoding and it’s very straightforward using the str_rot13() function. Let’s look at an example.. Let’s say we want to ROT13-encode the following string: This is the hidden content, please Sign In or Sign Up We run this string through str_rot13() and set it as a variable named $encoded like so: This is the hidden content, please Sign In or Sign Up Echoing the $encoded variable to the browser, we get this string of gibberish: This is the hidden content, please Sign In or Sign Up To decode a string encoded with str_rot13(), we simply run it back through the function to restore the original string. Here is an example that returns the original string to a variable named $decoded: This is the hidden content, please Sign In or Sign Up Echoing $decoded, we see the original string as expected: This is the hidden content, please Sign In or Sign Up Example: This is the hidden content, please Sign In or Sign Up [align=center]Encode and decode with base64_encode() & base64_decode()[/align] This encoding is designed to make binary data survive transport through transport layers that are not 8-bit clean, such as mail bodies. Also explained in the This is the hidden content, please Sign In or Sign Up . Ahh, I love taking stuff out of context, but I digress.. Let’s get back on track with a quick example showing how base64_encode() works its magic. Let’s say we want to encode the following string with base64: This is the hidden content, please Sign In or Sign Up We run this string through base64_encode() and set it as a variable named $encoded like so: This is the hidden content, please Sign In or Sign Up Echoing the $encoded variable to the browser, we get this string of gibberish: This is the hidden content, please Sign In or Sign Up As you may count, the base64-encoded string contains around 33% more data than the original. Now to decode a string encoded with base64_encode, we use the converse function, This is the hidden content, please Sign In or Sign Up . Here is an example that returns the original string to a variable named $decoded: This is the hidden content, please Sign In or Sign Up Echoing $decoded, we see the original string as expected: This is the hidden content, please Sign In or Sign Up Example: This is the hidden content, please Sign In or Sign Up [align=center]Deflate and inflate with gzdeflate() & gzinflate()[/align] This is the hidden content, please Sign In or Sign Up Let’s say we want to “gzdeflate” the following string: This is the hidden content, please Sign In or Sign Up We run this string through gzdeflate() and set it as a variable named $compressed: This is the hidden content, please Sign In or Sign Up Echoing the $compressed variable to the browser, we get this bizarre-looking gibberish: This is the hidden content, please Sign In or Sign Up To “decode” this alien-speak, we inflate it with the converse function, gzinflate(), to restore the original string. Here is an example that returns the original string to a variable named $uncompressed: This is the hidden content, please Sign In or Sign Up Echoing $uncompressed, we see the original string as expected: This is the hidden content, please Sign In or Sign Up Example: This is the hidden content, please Sign In or Sign Up [align=center]Combined example: gzinflate(str_rot13(base64_decode()))[/align] Malicious scripts often combine multiple encoding methods to further obfuscate data strings. Using the numerous PHP encoding-type functions (and their various parameters), it’s possible to scramble data with many layers of obfuscation. For example, on common technique for encrypting malicious scripts combines all three of the functions described in this article. The structure of such technique looks like this: This is the hidden content, please Sign In or Sign Up [align=center]Additional resources [/align] Into this decoding/ecoding stuff? You may also enjoy these fine functions.. This is the hidden content, please Sign In or Sign Up — Split a string into smaller chunks This is the hidden content, please Sign In or Sign Up — Uuencode a string This is the hidden content, please Sign In or Sign Up — Compress a string This is the hidden content, please Sign In or Sign Up — Uncompress a compressed string This is the hidden content, please Sign In or Sign Up — Create a gzip compressed string All good hack!! Link to comment Share on other sites More sharing options...
Recommended Posts