Created
February 19, 2024 09:09
-
-
Save crazywhalecc/1ed53fa80844e2b708e65c0e41e36a2d to your computer and use it in GitHub Desktop.
Extract micro.sfx and PHP code from combined phpmicro executable
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?php | |
// Copy this code into your phar project and execute it, it will split micro.sfx and code.phar!! | |
if ( | |
!function_exists('micro_get_sfx_filesize') | |
|| !function_exists('micro_get_self_filename') | |
|| !function_exists('micro_open_self') | |
) { | |
echo 'This part of code may not run in micro SAPI!' . PHP_EOL; | |
exit(1); | |
} | |
// get sfx and file size | |
$stream = micro_open_self(); | |
$file_self_name = micro_get_self_filename(); | |
$file_self = file_get_contents($file_self_name); | |
$sfx_size = micro_get_sfx_filesize(); | |
$file_code_size = filesize($file_self_name); | |
$file_total = stream_get_contents($stream); | |
$file_total_size = strlen($file_total); | |
echo "Executable name:\t{$file_self_name}" . PHP_EOL; | |
echo "micro.sfx size:\t\t{$sfx_size}" . PHP_EOL; | |
echo "PHP code size:\t\t{$file_code_size}" . PHP_EOL; | |
echo "executable size:\t{$file_total_size}" . PHP_EOL; | |
// echo strlen(file_get_contents($file_self_name)); | |
// detect INI injection object | |
if (($pos = strrpos($file_total, "\xfd\xf6\x69\xe6")) !== false) { | |
$ini_part = substr($file_total, $pos); | |
// check if everything is right | |
$ini_part = substr($file_total, $pos + 4, 4); | |
$ini_length = hexdec(bin2hex($ini_part)); | |
$ini_obj_len = $ini_length + 8; | |
$ini_content = str_replace(["\r", "\n"], ['\\r', '\\n'], substr($file_total, $pos + 8, $ini_length)); | |
if (strlen(substr($file_total, $pos + $ini_obj_len)) !== $file_code_size) { | |
echo 'Corrupted PHP Code file or structure!' . PHP_EOL; | |
exit(1); | |
} | |
echo PHP_EOL; | |
echo 'Detected INI inject object!' . PHP_EOL; | |
echo "INI size:\t\t{$ini_length}" . PHP_EOL; | |
echo "INI object size:\t{$ini_obj_len}" . PHP_EOL; | |
echo "INI content:\t\t{$ini_content}" . PHP_EOL; | |
echo PHP_EOL; | |
echo 'Note: INI inject object will be removed, if you want to keep INI injection, just set `$remove_ini = false;` !' . PHP_EOL; | |
$remove_ini = true; | |
if ($remove_ini === true) { | |
$sfx_size = $sfx_size - $ini_obj_len; | |
} | |
} | |
// extract micro.sfx | |
$sfx_final = substr($file_total, 0, $sfx_size); | |
file_put_contents('micro.sfx', $sfx_final); | |
// extract php code | |
$code_part = $file_self; | |
// try to detect if it is php or phar | |
if (strpos($file_self, '__HALT_COMPILER') !== false && substr($file_self, -4) === "\x47\x42\x4d\x42") { | |
echo "Code part probably is phar, output file: code.phar" . PHP_EOL; | |
file_put_contents('code.phar', $file_self); | |
} else { | |
echo "Code part probably is pure php, output file: code.php" . PHP_EOL; | |
file_put_contents('code.php', $file_self); | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment