Created
September 22, 2015 15:17
-
-
Save volpino/5cfcffa4ae592391cd3c to your computer and use it in GitHub Desktop.
Reversing APC cache
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Finding entry points | |
| Branch analysis from position: 0 | |
| Jump found. Position 1 = -2 | |
| filename: /tmp/solve.php | |
| function name: (null) | |
| number of ops: 7 | |
| compiled vars: none | |
| line #* E I O op fetch ext return operands | |
| ------------------------------------------------------------------------------------- | |
| 2 0 E > SEND_VAL 'cache.data' | |
| 1 DO_FCALL 1 'apc_bin_loadfile' | |
| 5 2 FETCH_W global $1 '_POST' | |
| 3 ASSIGN_DIM $1, 'token' | |
| 4 OP_DATA 'testtoken', $3 | |
| 7 5 INCLUDE_OR_EVAL '%2Fvar%2Fwww%2Fhtml%2Flogin.php', INCLUDE | |
| 9 6 > RETURN 1 | |
| Finding entry points | |
| Branch analysis from position: 0 | |
| Jump found. Position 1 = 5, Position 2 = 55 | |
| Branch analysis from position: 5 | |
| Jump found. Position 1 = 15, Position 2 = 22 | |
| Branch analysis from position: 15 | |
| Jump found. Position 1 = 23, Position 2 = 29 | |
| Branch analysis from position: 23 | |
| Jump found. Position 1 = 30, Position 2 = 54 | |
| Branch analysis from position: 30 | |
| Jump found. Position 1 = 41, Position 2 = 50 | |
| Branch analysis from position: 41 | |
| Jump found. Position 1 = 53 | |
| Branch analysis from position: 53 | |
| Jump found. Position 1 = 54 | |
| Branch analysis from position: 54 | |
| Jump found. Position 1 = 58 | |
| Branch analysis from position: 58 | |
| Jump found. Position 1 = -2 | |
| Branch analysis from position: 50 | |
| Jump found. Position 1 = 54 | |
| Branch analysis from position: 54 | |
| Branch analysis from position: 54 | |
| Branch analysis from position: 29 | |
| Branch analysis from position: 22 | |
| Branch analysis from position: 55 | |
| Jump found. Position 1 = -2 | |
| filename: /var/www/html/login.php | |
| function name: (null) | |
| number of ops: 59 | |
| compiled vars: !0 = $token, !1 = $crypt, !2 = $hash, !3 = $flag | |
| line #* E I O op fetch ext return operands | |
| ------------------------------------------------------------------------------------- | |
| 3 0 E > NOP | |
| 44 1 FETCH_IS $1 '_POST' | |
| 2 ISSET_ISEMPTY_DIM_OBJ 16777216 ~2 $1, 'token' | |
| 3 BOOL_NOT ~3 ~2 | |
| 4 > JMPZ ~3, ->55 | |
| 45 5 > FETCH_R global $4 '_POST' | |
| 6 FETCH_DIM_R $5 $4, 'token' | |
| 7 ASSIGN !0, $5 | |
| 47 8 INIT_FCALL_BY_NAME 'substr' | |
| 9 SEND_VAR !0 | |
| 10 SEND_VAL 0 | |
| 11 SEND_VAL 4 | |
| 12 DO_FCALL_BY_NAME 3 $7 | |
| 13 IS_IDENTICAL ~8 $7, 'CmxQ' | |
| 14 > JMPZ_EX ~8 ~8, ->22 | |
| 15 > INIT_FCALL_BY_NAME 'substr' | |
| 16 SEND_VAR !0 | |
| 17 SEND_VAL 44 | |
| 18 SEND_VAL 4 | |
| 19 DO_FCALL_BY_NAME 3 $9 | |
| 20 IS_IDENTICAL ~10 $9, 'MgY%2F' | |
| 21 BOOL ~8 ~10 | |
| 22 > > JMPZ_EX ~8 ~8, ->29 | |
| 23 > INIT_FCALL_BY_NAME 'substr' | |
| 24 SEND_VAR !0 | |
| 25 SEND_VAL -4 | |
| 26 DO_FCALL_BY_NAME 2 $11 | |
| 27 IS_IDENTICAL ~12 $11, 'Mg%3D%3D' | |
| 28 BOOL ~8 ~12 | |
| 29 > > JMPZ ~8, ->54 | |
| 48 30 > FETCH_CLASS 4 :13 'AzDGCrypt' | |
| 31 NEW $14 :13 | |
| 32 SEND_VAL 'EKO%7Bthis_is_not_the_flag%7D' | |
| 33 DO_FCALL_BY_NAME 1 | |
| 34 ASSIGN !1, $14 | |
| 49 35 INIT_METHOD_CALL !1, 'decrypt' | |
| 36 SEND_VAR !0 | |
| 37 DO_FCALL_BY_NAME 1 $18 | |
| 38 ASSIGN !2, $18 | |
| 51 39 IS_IDENTICAL ~20 !2, 'e88ef51d4112b999380444ce48488762' | |
| 40 > JMPZ ~20, ->50 | |
| 52 41 > INIT_FCALL_BY_NAME 'sha1' | |
| 42 SEND_VAR !0 | |
| 43 DO_FCALL_BY_NAME 1 $21 | |
| 44 ASSIGN !3, $21 | |
| 53 45 ADD_STRING ~23 'Welcome+master%2C+your+key+is+EKO%7B' | |
| 46 ADD_VAR ~23 ~23, !3 | |
| 47 ADD_CHAR ~23 ~23, 125 | |
| 48 ECHO ~23 | |
| 54 49 > JMP ->53 | |
| 55 50 > INIT_FCALL_BY_NAME 'header' | |
| 51 SEND_VAL 'Location%3A+index.php' | |
| 52 DO_FCALL_BY_NAME 1 | |
| 57 53 > > JMP ->54 | |
| 58 54 > > JMP ->58 | |
| 59 55 > INIT_FCALL_BY_NAME 'header' | |
| 56 SEND_VAL 'Location%3A+index.php' | |
| 57 DO_FCALL_BY_NAME 1 | |
| 61 58 > > RETURN 1 | |
| Class AzDGCrypt: | |
| Function azdgcrypt: | |
| Finding entry points | |
| Branch analysis from position: 0 | |
| Jump found. Position 1 = -2 | |
| filename: /var/www/html/login.php | |
| function name: AzDGCrypt | |
| number of ops: 4 | |
| compiled vars: !0 = $m | |
| line #* E I O op fetch ext return operands | |
| ------------------------------------------------------------------------------------- | |
| 5 0 E > RECV !0 | |
| 6 1 ASSIGN_OBJ 'k' | |
| 2 OP_DATA !0 | |
| 7 3 > RETURN null | |
| End of function azdgcrypt | |
| Function ed: | |
| Finding entry points | |
| Branch analysis from position: 0 | |
| Jump found. Position 1 = 39, Position 2 = 17 | |
| Branch analysis from position: 39 | |
| Jump found. Position 1 = -2 | |
| Branch analysis from position: 17 | |
| Jump found. Position 1 = 22, Position 2 = 24 | |
| Branch analysis from position: 22 | |
| Jump found. Position 1 = 24 | |
| Branch analysis from position: 24 | |
| Jump found. Position 1 = 14 | |
| Branch analysis from position: 14 | |
| Jump found. Position 1 = 9 | |
| Branch analysis from position: 9 | |
| Branch analysis from position: 24 | |
| filename: /var/www/html/login.php | |
| function name: ed | |
| number of ops: 41 | |
| compiled vars: !0 = $t, !1 = $r, !2 = $c, !3 = $v, !4 = $i | |
| line #* E I O op fetch ext return operands | |
| ------------------------------------------------------------------------------------- | |
| 8 0 E > RECV !0 | |
| 9 1 INIT_FCALL_BY_NAME 'md5' | |
| 2 FETCH_OBJ_FUNC_ARG $0 'k' | |
| 3 SEND_VAR $0 | |
| 4 DO_FCALL_BY_NAME 1 $1 | |
| 5 ASSIGN !1, $1 | |
| 10 6 ASSIGN !2, 0 | |
| 11 7 ASSIGN !3, '' | |
| 12 8 ASSIGN !4, 0 | |
| 9 > INIT_FCALL_BY_NAME 'strlen' | |
| 10 SEND_VAR !0 | |
| 11 DO_FCALL_BY_NAME 1 $6 | |
| 12 IS_SMALLER ~7 !4, $6 | |
| 13 > JMPZNZ 17 ~7, ->39 | |
| 14 > POST_INC ~8 !4 | |
| 15 FREE ~8 | |
| 16 > JMP ->9 | |
| 13 17 > INIT_FCALL_BY_NAME 'strlen' | |
| 18 SEND_VAR !1 | |
| 19 DO_FCALL_BY_NAME 1 $9 | |
| 20 IS_EQUAL ~10 !2, $9 | |
| 21 > JMPZ ~10, ->24 | |
| 22 > ASSIGN !2, 0 | |
| 23 > JMP ->24 | |
| 14 24 > INIT_FCALL_BY_NAME 'substr' | |
| 25 SEND_VAR !0 | |
| 26 SEND_VAR !4 | |
| 27 SEND_VAL 1 | |
| 28 DO_FCALL_BY_NAME 3 $12 | |
| 29 INIT_FCALL_BY_NAME 'substr' | |
| 30 SEND_VAR !1 | |
| 31 SEND_VAR !2 | |
| 32 SEND_VAL 1 | |
| 33 DO_FCALL_BY_NAME 3 $13 | |
| 34 BW_XOR ~14 $12, $13 | |
| 35 ASSIGN_CONCAT 0 !3, ~14 | |
| 15 36 POST_INC ~16 !2 | |
| 37 FREE ~16 | |
| 16 38 > JMP ->14 | |
| 17 39 > > RETURN !3 | |
| 18 40* > RETURN null | |
| End of function ed | |
| Function crypt: | |
| Finding entry points | |
| Branch analysis from position: 0 | |
| Jump found. Position 1 = 55, Position 2 = 27 | |
| Branch analysis from position: 55 | |
| Jump found. Position 1 = -2 | |
| Branch analysis from position: 27 | |
| Jump found. Position 1 = 32, Position 2 = 34 | |
| Branch analysis from position: 32 | |
| Jump found. Position 1 = 34 | |
| Branch analysis from position: 34 | |
| Jump found. Position 1 = 24 | |
| Branch analysis from position: 24 | |
| Jump found. Position 1 = 19 | |
| Branch analysis from position: 19 | |
| Branch analysis from position: 34 | |
| filename: /var/www/html/login.php | |
| function name: crypt | |
| number of ops: 63 | |
| compiled vars: !0 = $t, !1 = $r, !2 = $c, !3 = $v, !4 = $i | |
| line #* E I O op fetch ext return operands | |
| ------------------------------------------------------------------------------------- | |
| 19 0 E > RECV !0 | |
| 20 1 INIT_FCALL_BY_NAME 'srand' | |
| 2 INIT_FCALL_BY_NAME 'microtime' | |
| 3 DO_FCALL_BY_NAME 0 $0 | |
| 4 CAST 2 ~1 $0 | |
| 5 MUL ~2 ~1, 1000000 | |
| 6 SEND_VAL ~2 | |
| 7 DO_FCALL_BY_NAME 1 | |
| 21 8 INIT_FCALL_BY_NAME 'md5' | |
| 9 INIT_FCALL_BY_NAME 'rand' | |
| 10 SEND_VAL 0 | |
| 11 SEND_VAL 32000 | |
| 12 DO_FCALL_BY_NAME 2 $4 | |
| 13 SEND_VAR_NO_REF 4 $4 | |
| 14 DO_FCALL_BY_NAME 1 $5 | |
| 15 ASSIGN !1, $5 | |
| 22 16 ASSIGN !2, 0 | |
| 23 17 ASSIGN !3, '' | |
| 24 18 ASSIGN !4, 0 | |
| 19 > INIT_FCALL_BY_NAME 'strlen' | |
| 20 SEND_VAR !0 | |
| 21 DO_FCALL_BY_NAME 1 $10 | |
| 22 IS_SMALLER ~11 !4, $10 | |
| 23 > JMPZNZ 27 ~11, ->55 | |
| 24 > POST_INC ~12 !4 | |
| 25 FREE ~12 | |
| 26 > JMP ->19 | |
| 25 27 > INIT_FCALL_BY_NAME 'strlen' | |
| 28 SEND_VAR !1 | |
| 29 DO_FCALL_BY_NAME 1 $13 | |
| 30 IS_EQUAL ~14 !2, $13 | |
| 31 > JMPZ ~14, ->34 | |
| 32 > ASSIGN !2, 0 | |
| 33 > JMP ->34 | |
| 26 34 > INIT_FCALL_BY_NAME 'substr' | |
| 35 SEND_VAR !1 | |
| 36 SEND_VAR !2 | |
| 37 SEND_VAL 1 | |
| 38 DO_FCALL_BY_NAME 3 $16 | |
| 27 39 INIT_FCALL_BY_NAME 'substr' | |
| 40 SEND_VAR !0 | |
| 41 SEND_VAR !4 | |
| 42 SEND_VAL 1 | |
| 43 DO_FCALL_BY_NAME 3 $17 | |
| 44 INIT_FCALL_BY_NAME 'substr' | |
| 45 SEND_VAR !1 | |
| 46 SEND_VAR !2 | |
| 47 SEND_VAL 1 | |
| 48 DO_FCALL_BY_NAME 3 $18 | |
| 49 BW_XOR ~19 $17, $18 | |
| 50 CONCAT ~20 $16, ~19 | |
| 51 ASSIGN_CONCAT 0 !3, ~20 | |
| 28 52 POST_INC ~22 !2 | |
| 53 FREE ~22 | |
| 29 54 > JMP ->24 | |
| 30 55 > INIT_FCALL_BY_NAME 'base64_encode' | |
| 56 INIT_METHOD_CALL 'ed' | |
| 57 SEND_VAR !3 | |
| 58 DO_FCALL_BY_NAME 1 $24 | |
| 59 SEND_VAR_NO_REF 4 $24 | |
| 60 DO_FCALL_BY_NAME 1 $25 | |
| 61 > RETURN $25 | |
| 31 62* > RETURN null | |
| End of function crypt | |
| Function decrypt: | |
| Finding entry points | |
| Branch analysis from position: 0 | |
| Jump found. Position 1 = 34, Position 2 = 18 | |
| Branch analysis from position: 34 | |
| Jump found. Position 1 = -2 | |
| Branch analysis from position: 18 | |
| Jump found. Position 1 = 15 | |
| Branch analysis from position: 15 | |
| Jump found. Position 1 = 10 | |
| Branch analysis from position: 10 | |
| filename: /var/www/html/login.php | |
| function name: decrypt | |
| number of ops: 36 | |
| compiled vars: !0 = $t, !1 = $v, !2 = $i, !3 = $md5 | |
| line #* E I O op fetch ext return operands | |
| ------------------------------------------------------------------------------------- | |
| 32 0 E > RECV !0 | |
| 33 1 INIT_METHOD_CALL 'ed' | |
| 2 INIT_FCALL_BY_NAME 'base64_decode' | |
| 3 SEND_VAR !0 | |
| 4 DO_FCALL_BY_NAME 1 $1 | |
| 5 SEND_VAR_NO_REF 4 $1 | |
| 6 DO_FCALL_BY_NAME 1 $2 | |
| 7 ASSIGN !0, $2 | |
| 34 8 ASSIGN !1, '' | |
| 35 9 ASSIGN !2, 0 | |
| 10 > INIT_FCALL_BY_NAME 'strlen' | |
| 11 SEND_VAR !0 | |
| 12 DO_FCALL_BY_NAME 1 $6 | |
| 13 IS_SMALLER ~7 !2, $6 | |
| 14 > JMPZNZ 18 ~7, ->34 | |
| 15 > POST_INC ~8 !2 | |
| 16 FREE ~8 | |
| 17 > JMP ->10 | |
| 36 18 > INIT_FCALL_BY_NAME 'substr' | |
| 19 SEND_VAR !0 | |
| 20 SEND_VAR !2 | |
| 21 SEND_VAL 1 | |
| 22 DO_FCALL_BY_NAME 3 $9 | |
| 23 ASSIGN !3, $9 | |
| 37 24 POST_INC ~11 !2 | |
| 25 FREE ~11 | |
| 38 26 INIT_FCALL_BY_NAME 'substr' | |
| 27 SEND_VAR !0 | |
| 28 SEND_VAR !2 | |
| 29 SEND_VAL 1 | |
| 30 DO_FCALL_BY_NAME 3 $12 | |
| 31 BW_XOR ~13 $12, !3 | |
| 32 ASSIGN_CONCAT 0 !1, ~13 | |
| 39 33 > JMP ->15 | |
| 40 34 > > RETURN !1 | |
| 41 35* > RETURN null | |
| End of function decrypt | |
| End of class AzDGCrypt. | |
| branch: # 0; line: 2- 9; sop: 0; eop: 6; out1: -2 | |
| path #1: 0, | |
| branch: # 0; line: 3- 44; sop: 0; eop: 4; out1: 5; out2: 55 | |
| branch: # 5; line: 45- 47; sop: 5; eop: 14; out1: 15; out2: 22 | |
| branch: # 15; line: 47- 47; sop: 15; eop: 21; out1: 22 | |
| branch: # 22; line: 47- 47; sop: 22; eop: 22; out1: 23; out2: 29 | |
| branch: # 23; line: 47- 47; sop: 23; eop: 28; out1: 29 | |
| branch: # 29; line: 47- 47; sop: 29; eop: 29; out1: 30; out2: 54 | |
| branch: # 30; line: 48- 51; sop: 30; eop: 40; out1: 41; out2: 50 | |
| branch: # 41; line: 52- 54; sop: 41; eop: 49; out1: 53 | |
| branch: # 50; line: 55- 57; sop: 50; eop: 52; out1: 53 | |
| branch: # 53; line: 57- 57; sop: 53; eop: 53; out1: 54 | |
| branch: # 54; line: 58- 58; sop: 54; eop: 54; out1: 58 | |
| branch: # 55; line: 59- 61; sop: 55; eop: 57; out1: 58 | |
| branch: # 58; line: 61- 61; sop: 58; eop: 58; out1: -2 | |
| path #1: 0, 5, 15, 22, 23, 29, 30, 41, 53, 54, 58, | |
| path #2: 0, 5, 15, 22, 23, 29, 30, 50, 53, 54, 58, | |
| path #3: 0, 5, 15, 22, 23, 29, 54, 58, | |
| path #4: 0, 5, 15, 22, 29, 30, 41, 53, 54, 58, | |
| path #5: 0, 5, 15, 22, 29, 30, 50, 53, 54, 58, | |
| path #6: 0, 5, 15, 22, 29, 54, 58, | |
| path #7: 0, 5, 22, 23, 29, 30, 41, 53, 54, 58, | |
| path #8: 0, 5, 22, 23, 29, 30, 50, 53, 54, 58, | |
| path #9: 0, 5, 22, 23, 29, 54, 58, | |
| path #10: 0, 5, 22, 29, 30, 41, 53, 54, 58, | |
| path #11: 0, 5, 22, 29, 30, 50, 53, 54, 58, | |
| path #12: 0, 5, 22, 29, 54, 58, | |
| path #13: 0, 55, 58, | |
| branch: # 0; line: 5- 7; sop: 0; eop: 3; out1: -2 | |
| path #1: 0, | |
| branch: # 0; line: 8- 12; sop: 0; eop: 8; out1: 9 | |
| branch: # 9; line: 12- 12; sop: 9; eop: 13; out1: 39; out2: 17 | |
| branch: # 14; line: 12- 12; sop: 14; eop: 16; out1: 9 | |
| branch: # 17; line: 13- 13; sop: 17; eop: 21; out1: 22; out2: 24 | |
| branch: # 22; line: 13- 13; sop: 22; eop: 23; out1: 24 | |
| branch: # 24; line: 14- 16; sop: 24; eop: 38; out1: 14 | |
| branch: # 39; line: 17- 18; sop: 39; eop: 40 | |
| path #1: 0, 9, 39, | |
| path #2: 0, 9, 17, 22, 24, 14, 9, 39, | |
| path #3: 0, 9, 17, 24, 14, 9, 39, | |
| branch: # 0; line: 19- 24; sop: 0; eop: 18; out1: 19 | |
| branch: # 19; line: 24- 24; sop: 19; eop: 23; out1: 55; out2: 27 | |
| branch: # 24; line: 24- 24; sop: 24; eop: 26; out1: 19 | |
| branch: # 27; line: 25- 25; sop: 27; eop: 31; out1: 32; out2: 34 | |
| branch: # 32; line: 25- 25; sop: 32; eop: 33; out1: 34 | |
| branch: # 34; line: 26- 29; sop: 34; eop: 54; out1: 24 | |
| branch: # 55; line: 30- 31; sop: 55; eop: 62 | |
| path #1: 0, 19, 55, | |
| path #2: 0, 19, 27, 32, 34, 24, 19, 55, | |
| path #3: 0, 19, 27, 34, 24, 19, 55, | |
| branch: # 0; line: 32- 35; sop: 0; eop: 9; out1: 10 | |
| branch: # 10; line: 35- 35; sop: 10; eop: 14; out1: 34; out2: 18 | |
| branch: # 15; line: 35- 35; sop: 15; eop: 17; out1: 10 | |
| branch: # 18; line: 36- 39; sop: 18; eop: 33; out1: 15 | |
| branch: # 34; line: 40- 41; sop: 34; eop: 35 | |
| path #1: 0, 10, 34, | |
| path #2: 0, 10, 18, 15, 10, 34, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment