Has anyone seen such php encryption?

Question

Has anyone seen such php encryption?

I saw base64, mcrypt and blowfish, but I can’t find out which encryption algorithm / method is used for this part of the code.

<?php include"\x6d\x79sql-\x63\x6f\x6e\x6eec\x74.p\x68\x70";${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6c\x71wwi\x6b\x64\x64v"]="res\x63\x68\x6b\x62i\x6cl";${"\x47L\x4fB\x41\x4cS"}["\x70ve\x6b\x72\x71\x68"]="\x61\x64\x6d\x69n";${"\x47L\x4f\x42\x41\x4cS"}["\x73\x6b\x62\x64\x66\x6dn"]="\x72e\x73\x70\x65\x74\x74\x79";${"\x47\x4c\x4f\x42\x41L\x53"}["\x72\x76r\x61\x77q\x68\x74i\x67"]="d\x61\x74\x65";${"\x47\x4c\x4f\x42ALS"}["\x6d\x6e\x76\x6a\x72\x6c\x78\x70"]="\x73q\x6cp\x65\x74t\x79";include"s\x65ss\x69o\x6e\x2e\x70h\x70";${${"\x47\x4cOB\x41\x4c\x53"}["\x72v\x72\x61wqh\x74\x69\x67"]}=date("Ymd");echo "\n";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6dd\x64\x6f\x71spgh"]="c\x6fu\x6e\x74p\x65\x74t\x79"; if(${${"\x47\x4cOB\x41\x4c\x53"}["p\x76\x65\x6b\x72\x71\x68"]}==1) { header("lo\x63at\x69\x6fn:\x6c\x6fg\x6f\x75\x74.\x70hp"); } else { $bbnimsb="c\x6fu\x6e\x74\x63\x68\x6b"; $silucxpqku="r\x65\x73\x63\x68k\x62\x69\x6c\x6c"; ${"G\x4cO\x42A\x4cS"}["zjx\x6c\x6d\x65\x73\x72\x67"]="\x63\x6fu\x6et\x63\x68\x6b"; $wkozfoxln="sq\x6cc\x68kb\x69\x6cl";${$wkozfoxln}="s\x65l\x65\x63t\x20*\x20fro\x6d\x20m\x61s\x74e\x72\x6fut \x77\x68\x65\x72e sto\x72\x65i\x64\x3d\x27$storeid\x27\x20\x61n\x64 d\x61te='$date\x27\x20a\x6ed\x20(kot\x3d0 \x6fr\x20k\x6f\x74\x3d\x31\x20\x6f\x72\x20k\x6f\x74\x3d2)"; ${"G\x4cO\x42AL\x53"}["\x71\x6dn\x69\x63sb\x6c\x69ct"]="s\x71l\x63\x68kb\x69\x6cl"; ${$silucxpqku}=mysql_query(${${"\x47\x4cO\x42AL\x53"}["q\x6d\x6ei\x63\x73bl\x69\x63\x74"]}); ${${"\x47\x4c\x4f\x42ALS"}["\x7a\x6a\x78\x6c\x6desrg"]}=mysql_num_rows(${${"\x47L\x4fB\x41L\x53"}["\x6cqw\x77\x69\x6b\x64d\x76"]}); if(${$bbnimsb}>0) { header("l\x6fc\x61\x74i\x6f\x6e:\x65\x72\x72or.p\x68\x70?er\x72\x3d\x31");} else{ ${"G\x4c\x4f\x42\x41\x4cS"}["z\x76\x71\x75\x63\x6c\x76\x66q\x69\x69"]="s\x71\x6cp\x65t\x74\x79"; ${${"GLOBA\x4cS"}["z\x76q\x75\x63l\x76\x66qi\x69"]}="\x73e\x6c\x65c\x74\x20*\x20\x66r\x6fm\x20\x64\x61y\x63\x6c\x6fse \x77h\x65r\x65\x20s\x74\x6fr\x65\x69d=\x27$storeid'\x20\x61\x6ed\x20\x64\x61\x79clo\x73\x65=\x27$date\x27"; ${${"\x47\x4c\x4f\x42\x41\x4cS"}["skb\x64fm\x6e"]}=mysql_query(${${"GL\x4f\x42\x41\x4cS"}["\x6dn\x76jrl\x78\x70"]});${${"GL\x4fB\x41LS"}["\x6dd\x64\x6f\x71sp\x67h"]}=mysql_num_rows(${${"GL\x4f\x42\x41\x4cS"}["\x73\x6b\x62\x64f\x6d\x6e"]}); if(${${"\x47\x4c\x4f\x42\x41\x4cS"}["m\x64do\x71\x73pgh"]}==0) { header("l\x6f\x63a\x74\x69\x6fn:e\x72r\x6fr.\x70h\x70?err=\x32"); } else{header("l\x6f\x63ati\x6fn:log\x6f\x75\x74\x2ep\x68\x70");}}} ?>

+4

php

Streamer 25 sept. '12 at 5:23

source share

2 answers

brianreavis · Answer 1 · 2012-09-25T05:25:47+0000

See http://php.net/manual/en/regexp.reference.escape.php :

\xhh - character with hex code hh

Basically, it's just using escape codes to look fantastic / cryptic.

decoded:

 <?php include "mysql-connect.php"; ${"GLOBALS"}["lqwwikddv"] = "reschkbill"; ${"GLOBALS"}["pvekrqh"] = "admin"; ${"GLOBALS"}["skbdfmn"] = "respetty"; ${"GLOBALS"}["rvrawqhtig"] = "date"; ${"GLOBALS"}["mnvjrlxp"] = "sqlpetty"; include "session.php"; ${${"GLOBALS"}["rvrawqhtig"]} = date("Ymd"); echo "\n"; ${"GLOBALS"}["mddoqspgh"] = "countpetty"; if (${${"GLOBALS"}["pvekrqh"]} == 1) { header("location:logout.php"); } else { $bbnimsb = "countchk"; $silucxpqku = "reschkbill"; ${"GLOBALS"}["zjxlmesrg"] = "countchk"; $wkozfoxln = "sqlchkbill"; ${$wkozfoxln} = "select * from masterout where storeid='$storeid' and date='$date' and (kot=0 or kot=1 or kot=2)"; ${"GLOBALS"}["qmnicsblict"] = "sqlchkbill"; ${$silucxpqku} = mysql_query(${${"GLOBALS"}["qmnicsblict"]}); ${${"GLOBALS"}["zjxlmesrg"]} = mysql_num_rows(${${"GLOBALS"}["lqwwikddv"]}); if (${$bbnimsb} > 0) { header("location:error.php?err=1"); } else { ${"GLOBALS"}["zvquclvfqii"] = "sqlpetty"; ${${"GLOBALS"}["zvquclvfqii"]} = "select * from dayclose where storeid='$storeid' and dayclose='$date'"; ${${"GLOBALS"}["skbdfmn"]} = mysql_query(${${"GLOBALS"}["mnvjrlxp"]}); ${${"GLOBALS"}["mddoqspgh"]} = mysql_num_rows(${${"GLOBALS"}["skbdfmn"]}); if (${${"GLOBALS"}["mddoqspgh"]} == 0) { header("location:error.php?err=2"); } else { header("location:logout.php"); } } }

I just used javascript to translate it to something normal.

 var source = '...'; var decoded = source.replace(/\\x([a-f0-9][a-f0-9])/g, function(a,b) { return String.fromCharCode(parseInt(b, 16)); });

And then, if you want to go crazy, you can weld it (manually):

 <?php include "mysql-connect.php"; include "session.php"; $date = date("Ymd"); echo "\n"; if ($admin) { header("location:logout.php"); } else { $sql = "select * from masterout where storeid='$storeid' and date='$date' and (kot=0 or kot=1 or kot=2)"; $count = mysql_num_rows(mysql_query($sql)); if ($count > 0) { header("location:error.php?err=1"); } else { $sql = "select * from dayclose where storeid='$storeid' and dayclose='$date'"; $count = mysql_num_rows(mysql_query($sql)); if ($count == 0) { header("location:error.php?err=2"); } else { header("location:logout.php"); } } }

PS This is a pretty awful code: / Why don't they use COUNT(*) instead of getting ALL results outside of me.

Erik · Answer 2 · 2012-09-25T05:26:47+0000

This is just a hexadecimal representation of characters, hardly considered encryption. Here you can find a good table.

http://web.cs.mun.ca/~michael/c/ascii-table.html

Has anyone seen such php encryption?

decoded:

More articles: