How to lose your hair & mind with Ioncube..
06-01-2017, 11:29 AM (This post was last modified: 06-01-2017 11:31 AM by Loomy.)
Post: #1
How to lose your hair & mind with Ioncube..
While I can confirm loaderless decoding of all ionCube versions is mostly possible through PHP alone, this is just one of many challenges you face (and I'm failing :D). I think only those who know or share(d) my 0x400 obfuscation pains know :) Please light a candle for my soul, might be here a while!

[Image: working-to-death-business-mans-skeleton-...?s=612x612]

but i am soldier.. so keep going, reminding myself:

[Image: c4y7b.jpg]

[Image: p2HNPtg.png]
06-01-2017, 11:26 PM
Post: #2
RE: How to lose your hair & mind with Ioncube..
Good!
08-10-2017, 03:34 AM
Post: #3
RE: How to lose your hair & mind with Ioncube..
I think you need a disassembler or debugger to patch loaders, instead of trying to hook opcodes via a PHP module.
08-14-2017, 10:02 AM (This post was last modified: 08-14-2017 10:04 AM by Loomy.)
Post: #4
RE: How to lose your hair & mind with Ioncube..
(08-10-2017 03:34 AM)ggyy1919 Wrote: I think you need a disassembler or debugger to patch loaders, instead of trying to hook opcodes via a PHP module.

Have tried tying fat bait to the hook, but ionCube just won't bite :P

For me though, the challenge & fun is trying to achieve it through static analysis alone, without the loader (or effectively replacing it via PHP/C#). Challenges vary; one that keeps cropping up is poor handling of near-max-value signed int32 by PHP itself, which can skew results (in these cases I just switch to C#), and a severe lack of debugging skill. There is only so far you can go with mashing buttons in IDA. Still makes for great learning.

IMO the challenge is not so much opcode retrieval. There is a craptonne of things going on within the loader before it even gets to the execution stage. IC has its own internal executor with many, many little annoying changes to their structure & handling, optimizing out some; in the end, even for someone well familiar with Zend internals, it can be frustrating.
12-30-2022, 06:19 PM
Post: #5
RE: How to lose your hair & mind with Ioncube..
(08-14-2017 10:02 AM)Loomy Wrote:  
(08-10-2017 03:34 AM)ggyy1919 Wrote: I think you need a disassembler or debugger to patch loaders, instead of trying to hook opcodes via a PHP module.

Have tried tying fat bait to the hook, but ionCube just won't bite :P

For me though, the challenge & fun is trying to achieve it through static analysis alone, without the loader (or effectively replacing it via PHP/C#). Challenges vary; one that keeps cropping up is poor handling of near-max-value signed int32 by PHP itself, which can skew results (in these cases I just switch to C#), and a severe lack of debugging skill. There is only so far you can go with mashing buttons in IDA. Still makes for great learning.

IMO the challenge is not so much opcode retrieval. There is a craptonne of things going on within the loader before it even gets to the execution stage. IC has its own internal executor with many, many little annoying changes to their structure & handling, optimizing out some; in the end, even for someone well familiar with Zend internals, it can be frustrating.

I have studied many of your posts for quite some time and would like to discuss more about what bait you use and which hooks. As you know, when one goes fishing, some bait works better for some fish and not so well for others. The same goes for hooks. If the hook is too big, the fish cannot bite. If the hook is too small, then the hook is useless... (or is it?).

@admins/mods forgive me for reviving this thread from the grave. As you know, there are not many places to discuss things and sometimes it can be quite difficult for a student to learn.