2 Likes
Good job!
What about a really really good obfuscation?
What type of obfuscation do you mean?
if you are asking about eval based obfuscation, I must disappoint you
eval(gzinflate(base64_decode(strrev(str_rot13('=RDe1Za8XXAI1A9vlESqYAcHlB5FXFIqmeVI1RwNzYoIC78FEmZmA9ZFlEwZZyplZ3RYgbRHIO7IBalH')))));
The parser will return AST for the function calls.
Dump output
[*node.Root]
"Stmts":
[*stmt.Expression]
"Expr":
[*expr.Eval]
"Expr":
[*expr.FunctionCall]
"Function":
[*name.Name]
"NamespacedName": gzinflate;
"Parts":
[*name.NamePart]
"Value": gzinflate;
"ArgumentList":
[*node.ArgumentList]
"Arguments":
[*node.Argument]
"Variadic": false;
"IsReference": false;
"Expr":
[*expr.FunctionCall]
"Function":
[*name.Name]
"NamespacedName": base64_decode;
"Parts":
[*name.NamePart]
"Value": base64_decode;
"ArgumentList":
[*node.ArgumentList]
"Arguments":
[*node.Argument]
"IsReference": false;
"Variadic": false;
"Expr":
[*expr.FunctionCall]
"Function":
[*name.Name]
"NamespacedName": strrev;
"Parts":
[*name.NamePart]
"Value": strrev;
"ArgumentList":
[*node.ArgumentList]
"Arguments":
[*node.Argument]
"Variadic": false;
"IsReference": false;
"Expr":
[*expr.FunctionCall]
"Function":
[*name.Name]
"NamespacedName": str_rot13;
"Parts":
[*name.NamePart]
"Value": str_rot13;
"ArgumentList":
[*node.ArgumentList]
"Arguments":
[*node.Argument]
"Variadic": false;
"IsReference": false;
"Expr":
[*scalar.String]
"Value": '=RDe1Za8XXAI1A9vlESqYAcHlB5FXFIqmeVI1RwNzYoIC78FEmZmA9ZFlEwZZyplZ3RYgbRHIO7IBalH';
Otherwise, it must parse any valid PHP code.
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.