Php-parser written in Go: v0.5 is realized


(Slizov Vadim) #1

(Anik Hasibul) #2

Good job!

What about a really really good obfuscation?


(Slizov Vadim) #3

What type of obfuscation do you mean?

if you are asking about eval based obfuscation, I must disappoint you

eval(gzinflate(base64_decode(strrev(str_rot13('=RDe1Za8XXAI1A9vlESqYAcHlB5FXFIqmeVI1RwNzYoIC78FEmZmA9ZFlEwZZyplZ3RYgbRHIO7IBalH')))));  

The parser will return AST for the function calls.

Dump output
[*node.Root]
  "Stmts":
    [*stmt.Expression]
      "Expr":
        [*expr.Eval]
          "Expr":
            [*expr.FunctionCall]
              "Function":
                [*name.Name]
                  "NamespacedName": gzinflate;
                  "Parts":
                    [*name.NamePart]
                      "Value": gzinflate;
              "ArgumentList":
                [*node.ArgumentList]
                  "Arguments":
                    [*node.Argument]
                      "Variadic": false;
                      "IsReference": false;
                      "Expr":
                        [*expr.FunctionCall]
                          "Function":
                            [*name.Name]
                              "NamespacedName": base64_decode;
                              "Parts":
                                [*name.NamePart]
                                  "Value": base64_decode;
                          "ArgumentList":
                            [*node.ArgumentList]
                              "Arguments":
                                [*node.Argument]
                                  "IsReference": false;
                                  "Variadic": false;
                                  "Expr":
                                    [*expr.FunctionCall]
                                      "Function":
                                        [*name.Name]
                                          "NamespacedName": strrev;
                                          "Parts":
                                            [*name.NamePart]
                                              "Value": strrev;
                                      "ArgumentList":
                                        [*node.ArgumentList]
                                          "Arguments":
                                            [*node.Argument]
                                              "Variadic": false;
                                              "IsReference": false;
                                              "Expr":
                                                [*expr.FunctionCall]
                                                  "Function":
                                                    [*name.Name]
                                                      "NamespacedName": str_rot13;
                                                      "Parts":
                                                        [*name.NamePart]
                                                          "Value": str_rot13;
                                                  "ArgumentList":
                                                    [*node.ArgumentList]
                                                      "Arguments":
                                                        [*node.Argument]
                                                          "Variadic": false;
                                                          "IsReference": false;
                                                          "Expr":
                                                            [*scalar.String]
                                                              "Value": '=RDe1Za8XXAI1A9vlESqYAcHlB5FXFIqmeVI1RwNzYoIC78FEmZmA9ZFlEwZZyplZ3RYgbRHIO7IBalH';

Otherwise, it must parse any valid PHP code.


(system) #4

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.