Our good friends over at XHost.ch felt the need to obfuscate the source code for their WHMCS module. Properly-done obfuscation can make reverse engineering nontrivial (thought certainly not impossible); deobfuscating source code when the obfuscating function is provided is trivial. This obfuscation uses two parts- renaming functions and variables to nonsense characters, and encoding strings. Below is a snippet of the original encoded source:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
function n97($r36, $r37) { $this->r37 = 'Server ' . $r37; if (!$this->n90($r36)) return $this->end(); if (!$this->r2c($r36)) return $this->end(); $rce = false; switch ($r37) { case __phpenc_s_func('J3N0YXJ0Jw%3D%3D'): $rce = 'startServer'; break; case __phpenc_s_func('J3N0b3An'): $rce = 'stopServer'; break; case __phpenc_s_func('J3Jlc3RhcnQn'): $rce = 'restartServer'; break; default: $this->n7c(__phpenc_s_func('J1VuaGFuZGxlZCBhY3Rpb24gIic%3D') . $r37 . __phpenc_s_func('JyIn')); } if ($rce) { $this->rda(__phpenc_s_func('J1NlcnZlciAn') . $this->rfd . __phpenc_s_func('JzogJw%3D%3D') . $r37); $r41 = $this->r3c->$rce($this->rfd); if (!$r41[__phpenc_s_func('J3N1Y2Nlc3Mn')]) $this->n7c(__phpenc_s_func('J0ZhaWxlZCB0byBydW4gJw%3D%3D') . $rce . __phpenc_s_func('JyBmb3Igc2VydmVyICc%3D') . $this->rfd . __phpenc_s_func('JzogJw%3D%3D') . $this->n5d($r41)); } return $this->end(); } |
We can see that function and variable names are limited to 3 and 4 characters in length, and do not convey any meaningful information. String values are encapsulated in a custom function __phpend_s_func, which will return an eval’d, base64 decoded, URL encoded string; URL encoding will present special characters as their ASCII values (e.g. “=” becomes %3D); this could be useful in avoiding scanner searching for Base64 encoded values (or attempting to trip up reverse engineering efforts). Regardless, it’s trivial. Below will deobfuscate all strings by simply reversing the obfuscation function:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 |
<?php function __phpenc_s_func($s){ return eval( 'return ' . base64_decode( urldecode( $s ) ) . ';' ); } // http://tinyurl.com/o3cr8vf function preg_replace_extended( $search_pattern, $replacement, $subject, $limit = 1, &$count = null ) { if ( is_array( $replacement ) && ! is_array( $search_pattern ) ) { //run alternate code for one pattern and multiple replacements $result = preg_replace( array_fill( 0, sizeof( $replacement ), $search_pattern ), $replacement, $subject, 1, $count ); } else { //otherwise just pass arguments through to preg_replace() $result = preg_replace( $search_pattern, $replacements, $subject, $limit, $count ); } return $result; } function single_quote( $s ) { return "'" . $s . "'"; } $file = file_get_contents( "multicraft-whmcs.php.orig" ); $matches = array(); preg_match_all( "/__phpenc_s_func\((.*?)\)/", $file, $matches ); $matches = $matches[0]; // the regex is matching the param as well, need to tweak it more. for now this works. foreach( $matches as &$m ) { $p = array(); preg_match( "/\'.*\'/", $m, $p ); $m = single_quote( __phpenc_s_func( $p[0] ) ); } $file = preg_replace_extended( "/__phpenc_s_func\((.*?)\)/", $matches, $file ); file_put_contents( "multicraft-whmcs-deob.php", $file ); ?> |
Which gives us the following:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
function n97($r36, $r37) { $this->r37 = 'Server ' . $r37; if (!$this->n90($r36)) return $this->end(); if (!$this->r2c($r36)) return $this->end(); $rce = false; switch ($r37) { case 'start': $rce = 'startServer'; break; case 'stop': $rce = 'stopServer'; break; case 'restart': $rce = 'restartServer'; break; default: $this->n7c('Unhandled action "' . $r37 . '"'); } if ($rce) { $this->rda('Server ' . $this->rfd . ': ' . $r37); $r41 = $this->r3c->$rce($this->rfd); if (!$r41['success']) $this->n7c('Failed to run ' . $rce . ' for server ' . $this->rfd . ': ' . $this->n5d($r41)); } return $this->end(); } |
So, we can conveniently recover string literals. Variable and function names must be manually reverse engineered, which can be a time consuming process. I’m about halfway done and will post the complete output once I’ve finished.
How is this going?
To be quiet honest, I haven’t had time to pursue this. I’ve been busy with personal exploits (getting married, no big deal 😉 ) and working at $dayjob (heading to LISA next week). I may come back to this in the future, but for now, it hasn’t been a priority. Is there something specific you’re looking for with this?