AntiWPA Forum

Problems decoding files
Hey everyone,
I've been trying to decode some site I got but ran into troubles.
I downloaded and tested with every decode I could find up to a point that I even tried malware infected files in hope of getting it.

I am having 2 problems that any help with would be dearly appreciated.
The first:
Most versions I downloaded are incompatible (Fatal error: Incompatible file format: The encoded file has format major ID 65540, whereas the Optimizer expects 2 ). Assuming I only have the files how can I identify which version should be used?

My second issue, I was able with iDezender 8.1 (from leakforums) to decode most of the files, but some of them are still a little messed up like this:
function index()
{
$í´'±Òº~8ûnš ŠÉÏþ = &$GLOBALS["__rootadminNoHTML"];
$í´'±Òº~8ûnš ŠÉÏþ = false;
$¦éY = &$GLOBALS["_UI"];
$Æ»ükl<Þù = UcPhotoComments::find_all();
$¦éY->assign("comments", $Æ»ükl<Þù);
return "rootadmin/uc_photo_comments/index.tpl";
}

Attached is a sample file.

I am not looking for someone to decrypt my files, but rather to educate me as to what my problems are and recommend what I should do.
Sorry, thought I was uploading the original file.
Updated the first post with the original file.
Looks like Xcache work. Hmm, your files ended with Zend for php53 NTS, I think; it has a marker for that version, like 3074, the identifier for Zend loader (not Zend Optimizer, that's php52). That code example is obfuscation; you need to change this to whatever you like in the code (..)
PHP Code:
<?php

function index()
{
    $нґ'±Тє~8ыnљ    ЉЙПю = &$GLOBALS["__rootadminNoHTML"];
    $нґ'±Тє~8ыnљ    ЉЙПю = false;
    $¦йY = &$GLOBALS["_UI"];
    $Ж»ьkl<Ющ = UcPhotoComments::find_all();
    $¦йY->assign("comments", $Ж»ьkl<Ющ);
    return "rootadmin/uc_photo_comments/index.tpl";
}

function create()
{
    $¦йY = &$GLOBALS["_UI"];
    $e» Ш‡ = new UcPhotoComments($_POST);
    $e» Ш‡->save();
    echo "<div id=\"comment_" . $e» Ш‡->id . "\" class=\"comment\">" . $e» Ш‡->display() . "</div>";
}

function delete()
{
    $¦йY = &$GLOBALS["_UI"];
    $e» Ш‡ = UcPhotoComments::find($_REQUEST["id"]);
    $e» Ш‡->destroy();
    header("Location: uc_photo_comments.php");
}

function update()
{
    $¦йY = &$GLOBALS["_UI"];
    $e» Ш‡ = UcPhotoComments::find($_REQUEST["id"]);
    $e» Ш‡->update_attributes($_POST);
    echo $e» Ш‡->display();
}

$__rootadminNoHTML = true;
require_once ($CONFIG["absolute_path"] . "/includes/class.UcPhotoComments.php");

if (isset($_REQUEST["action"])) {
    $action = $_REQUEST["action"];
}
else {
    $action = "index";
}

$p = $action();

if (isset($p)) {
    require_once ("rootadmin.inc");
    $_UI->render($p);
}

?>
So I was doing everything correctly and it's simply obfuscated?

Thanks :)