@volpino
Created September 22, 2015 15:17
Reversing APC cache
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = -2
filename: /tmp/solve.php
function name: (null)
number of ops: 7
compiled vars: none
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
2 0 E > SEND_VAL 'cache.data'
1 DO_FCALL 1 'apc_bin_loadfile'
5 2 FETCH_W global $1 '_POST'
3 ASSIGN_DIM $1, 'token'
4 OP_DATA 'testtoken', $3
7 5 INCLUDE_OR_EVAL '%2Fvar%2Fwww%2Fhtml%2Flogin.php', INCLUDE
9 6 > RETURN 1
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 5, Position 2 = 55
Branch analysis from position: 5
Jump found. Position 1 = 15, Position 2 = 22
Branch analysis from position: 15
Jump found. Position 1 = 23, Position 2 = 29
Branch analysis from position: 23
Jump found. Position 1 = 30, Position 2 = 54
Branch analysis from position: 30
Jump found. Position 1 = 41, Position 2 = 50
Branch analysis from position: 41
Jump found. Position 1 = 53
Branch analysis from position: 53
Jump found. Position 1 = 54
Branch analysis from position: 54
Jump found. Position 1 = 58
Branch analysis from position: 58
Jump found. Position 1 = -2
Branch analysis from position: 50
Jump found. Position 1 = 54
Branch analysis from position: 54
Branch analysis from position: 54
Branch analysis from position: 29
Branch analysis from position: 22
Branch analysis from position: 55
Jump found. Position 1 = -2
filename: /var/www/html/login.php
function name: (null)
number of ops: 59
compiled vars: !0 = $token, !1 = $crypt, !2 = $hash, !3 = $flag
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
3 0 E > NOP
44 1 FETCH_IS $1 '_POST'
2 ISSET_ISEMPTY_DIM_OBJ 16777216 ~2 $1, 'token'
3 BOOL_NOT ~3 ~2
4 > JMPZ ~3, ->55
45 5 > FETCH_R global $4 '_POST'
6 FETCH_DIM_R $5 $4, 'token'
7 ASSIGN !0, $5
47 8 INIT_FCALL_BY_NAME 'substr'
9 SEND_VAR !0
10 SEND_VAL 0
11 SEND_VAL 4
12 DO_FCALL_BY_NAME 3 $7
13 IS_IDENTICAL ~8 $7, 'CmxQ'
14 > JMPZ_EX ~8 ~8, ->22
15 > INIT_FCALL_BY_NAME 'substr'
16 SEND_VAR !0
17 SEND_VAL 44
18 SEND_VAL 4
19 DO_FCALL_BY_NAME 3 $9
20 IS_IDENTICAL ~10 $9, 'MgY%2F'
21 BOOL ~8 ~10
22 > > JMPZ_EX ~8 ~8, ->29
23 > INIT_FCALL_BY_NAME 'substr'
24 SEND_VAR !0
25 SEND_VAL -4
26 DO_FCALL_BY_NAME 2 $11
27 IS_IDENTICAL ~12 $11, 'Mg%3D%3D'
28 BOOL ~8 ~12
29 > > JMPZ ~8, ->54
48 30 > FETCH_CLASS 4 :13 'AzDGCrypt'
31 NEW $14 :13
32 SEND_VAL 'EKO%7Bthis_is_not_the_flag%7D'
33 DO_FCALL_BY_NAME 1
34 ASSIGN !1, $14
49 35 INIT_METHOD_CALL !1, 'decrypt'
36 SEND_VAR !0
37 DO_FCALL_BY_NAME 1 $18
38 ASSIGN !2, $18
51 39 IS_IDENTICAL ~20 !2, 'e88ef51d4112b999380444ce48488762'
40 > JMPZ ~20, ->50
52 41 > INIT_FCALL_BY_NAME 'sha1'
42 SEND_VAR !0
43 DO_FCALL_BY_NAME 1 $21
44 ASSIGN !3, $21
53 45 ADD_STRING ~23 'Welcome+master%2C+your+key+is+EKO%7B'
46 ADD_VAR ~23 ~23, !3
47 ADD_CHAR ~23 ~23, 125
48 ECHO ~23
54 49 > JMP ->53
55 50 > INIT_FCALL_BY_NAME 'header'
51 SEND_VAL 'Location%3A+index.php'
52 DO_FCALL_BY_NAME 1
57 53 > > JMP ->54
58 54 > > JMP ->58
59 55 > INIT_FCALL_BY_NAME 'header'
56 SEND_VAL 'Location%3A+index.php'
57 DO_FCALL_BY_NAME 1
61 58 > > RETURN 1
Class AzDGCrypt:
Function azdgcrypt:
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = -2
filename: /var/www/html/login.php
function name: AzDGCrypt
number of ops: 4
compiled vars: !0 = $m
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
5 0 E > RECV !0
6 1 ASSIGN_OBJ 'k'
2 OP_DATA !0
7 3 > RETURN null
End of function azdgcrypt
Function ed:
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 39, Position 2 = 17
Branch analysis from position: 39
Jump found. Position 1 = -2
Branch analysis from position: 17
Jump found. Position 1 = 22, Position 2 = 24
Branch analysis from position: 22
Jump found. Position 1 = 24
Branch analysis from position: 24
Jump found. Position 1 = 14
Branch analysis from position: 14
Jump found. Position 1 = 9
Branch analysis from position: 9
Branch analysis from position: 24
filename: /var/www/html/login.php
function name: ed
number of ops: 41
compiled vars: !0 = $t, !1 = $r, !2 = $c, !3 = $v, !4 = $i
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
8 0 E > RECV !0
9 1 INIT_FCALL_BY_NAME 'md5'
2 FETCH_OBJ_FUNC_ARG $0 'k'
3 SEND_VAR $0
4 DO_FCALL_BY_NAME 1 $1
5 ASSIGN !1, $1
10 6 ASSIGN !2, 0
11 7 ASSIGN !3, ''
12 8 ASSIGN !4, 0
9 > INIT_FCALL_BY_NAME 'strlen'
10 SEND_VAR !0
11 DO_FCALL_BY_NAME 1 $6
12 IS_SMALLER ~7 !4, $6
13 > JMPZNZ 17 ~7, ->39
14 > POST_INC ~8 !4
15 FREE ~8
16 > JMP ->9
13 17 > INIT_FCALL_BY_NAME 'strlen'
18 SEND_VAR !1
19 DO_FCALL_BY_NAME 1 $9
20 IS_EQUAL ~10 !2, $9
21 > JMPZ ~10, ->24
22 > ASSIGN !2, 0
23 > JMP ->24
14 24 > INIT_FCALL_BY_NAME 'substr'
25 SEND_VAR !0
26 SEND_VAR !4
27 SEND_VAL 1
28 DO_FCALL_BY_NAME 3 $12
29 INIT_FCALL_BY_NAME 'substr'
30 SEND_VAR !1
31 SEND_VAR !2
32 SEND_VAL 1
33 DO_FCALL_BY_NAME 3 $13
34 BW_XOR ~14 $12, $13
35 ASSIGN_CONCAT 0 !3, ~14
15 36 POST_INC ~16 !2
37 FREE ~16
16 38 > JMP ->14
17 39 > > RETURN !3
18 40* > RETURN null
End of function ed
Function crypt:
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 55, Position 2 = 27
Branch analysis from position: 55
Jump found. Position 1 = -2
Branch analysis from position: 27
Jump found. Position 1 = 32, Position 2 = 34
Branch analysis from position: 32
Jump found. Position 1 = 34
Branch analysis from position: 34
Jump found. Position 1 = 24
Branch analysis from position: 24
Jump found. Position 1 = 19
Branch analysis from position: 19
Branch analysis from position: 34
filename: /var/www/html/login.php
function name: crypt
number of ops: 63
compiled vars: !0 = $t, !1 = $r, !2 = $c, !3 = $v, !4 = $i
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
19 0 E > RECV !0
20 1 INIT_FCALL_BY_NAME 'srand'
2 INIT_FCALL_BY_NAME 'microtime'
3 DO_FCALL_BY_NAME 0 $0
4 CAST 2 ~1 $0
5 MUL ~2 ~1, 1000000
6 SEND_VAL ~2
7 DO_FCALL_BY_NAME 1
21 8 INIT_FCALL_BY_NAME 'md5'
9 INIT_FCALL_BY_NAME 'rand'
10 SEND_VAL 0
11 SEND_VAL 32000
12 DO_FCALL_BY_NAME 2 $4
13 SEND_VAR_NO_REF 4 $4
14 DO_FCALL_BY_NAME 1 $5
15 ASSIGN !1, $5
22 16 ASSIGN !2, 0
23 17 ASSIGN !3, ''
24 18 ASSIGN !4, 0
19 > INIT_FCALL_BY_NAME 'strlen'
20 SEND_VAR !0
21 DO_FCALL_BY_NAME 1 $10
22 IS_SMALLER ~11 !4, $10
23 > JMPZNZ 27 ~11, ->55
24 > POST_INC ~12 !4
25 FREE ~12
26 > JMP ->19
25 27 > INIT_FCALL_BY_NAME 'strlen'
28 SEND_VAR !1
29 DO_FCALL_BY_NAME 1 $13
30 IS_EQUAL ~14 !2, $13
31 > JMPZ ~14, ->34
32 > ASSIGN !2, 0
33 > JMP ->34
26 34 > INIT_FCALL_BY_NAME 'substr'
35 SEND_VAR !1
36 SEND_VAR !2
37 SEND_VAL 1
38 DO_FCALL_BY_NAME 3 $16
27 39 INIT_FCALL_BY_NAME 'substr'
40 SEND_VAR !0
41 SEND_VAR !4
42 SEND_VAL 1
43 DO_FCALL_BY_NAME 3 $17
44 INIT_FCALL_BY_NAME 'substr'
45 SEND_VAR !1
46 SEND_VAR !2
47 SEND_VAL 1
48 DO_FCALL_BY_NAME 3 $18
49 BW_XOR ~19 $17, $18
50 CONCAT ~20 $16, ~19
51 ASSIGN_CONCAT 0 !3, ~20
28 52 POST_INC ~22 !2
53 FREE ~22
29 54 > JMP ->24
30 55 > INIT_FCALL_BY_NAME 'base64_encode'
56 INIT_METHOD_CALL 'ed'
57 SEND_VAR !3
58 DO_FCALL_BY_NAME 1 $24
59 SEND_VAR_NO_REF 4 $24
60 DO_FCALL_BY_NAME 1 $25
61 > RETURN $25
31 62* > RETURN null
End of function crypt
Function decrypt:
Finding entry points
Branch analysis from position: 0
Jump found. Position 1 = 34, Position 2 = 18
Branch analysis from position: 34
Jump found. Position 1 = -2
Branch analysis from position: 18
Jump found. Position 1 = 15
Branch analysis from position: 15
Jump found. Position 1 = 10
Branch analysis from position: 10
filename: /var/www/html/login.php
function name: decrypt
number of ops: 36
compiled vars: !0 = $t, !1 = $v, !2 = $i, !3 = $md5
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
32 0 E > RECV !0
33 1 INIT_METHOD_CALL 'ed'
2 INIT_FCALL_BY_NAME 'base64_decode'
3 SEND_VAR !0
4 DO_FCALL_BY_NAME 1 $1
5 SEND_VAR_NO_REF 4 $1
6 DO_FCALL_BY_NAME 1 $2
7 ASSIGN !0, $2
34 8 ASSIGN !1, ''
35 9 ASSIGN !2, 0
10 > INIT_FCALL_BY_NAME 'strlen'
11 SEND_VAR !0
12 DO_FCALL_BY_NAME 1 $6
13 IS_SMALLER ~7 !2, $6
14 > JMPZNZ 18 ~7, ->34
15 > POST_INC ~8 !2
16 FREE ~8
17 > JMP ->10
36 18 > INIT_FCALL_BY_NAME 'substr'
19 SEND_VAR !0
20 SEND_VAR !2
21 SEND_VAL 1
22 DO_FCALL_BY_NAME 3 $9
23 ASSIGN !3, $9
37 24 POST_INC ~11 !2
25 FREE ~11
38 26 INIT_FCALL_BY_NAME 'substr'
27 SEND_VAR !0
28 SEND_VAR !2
29 SEND_VAL 1
30 DO_FCALL_BY_NAME 3 $12
31 BW_XOR ~13 $12, !3
32 ASSIGN_CONCAT 0 !1, ~13
39 33 > JMP ->15
40 34 > > RETURN !1
41 35* > RETURN null
End of function decrypt
End of class AzDGCrypt.
branch: # 0; line: 2- 9; sop: 0; eop: 6; out1: -2
path #1: 0,
branch: # 0; line: 3- 44; sop: 0; eop: 4; out1: 5; out2: 55
branch: # 5; line: 45- 47; sop: 5; eop: 14; out1: 15; out2: 22
branch: # 15; line: 47- 47; sop: 15; eop: 21; out1: 22
branch: # 22; line: 47- 47; sop: 22; eop: 22; out1: 23; out2: 29
branch: # 23; line: 47- 47; sop: 23; eop: 28; out1: 29
branch: # 29; line: 47- 47; sop: 29; eop: 29; out1: 30; out2: 54
branch: # 30; line: 48- 51; sop: 30; eop: 40; out1: 41; out2: 50
branch: # 41; line: 52- 54; sop: 41; eop: 49; out1: 53
branch: # 50; line: 55- 57; sop: 50; eop: 52; out1: 53
branch: # 53; line: 57- 57; sop: 53; eop: 53; out1: 54
branch: # 54; line: 58- 58; sop: 54; eop: 54; out1: 58
branch: # 55; line: 59- 61; sop: 55; eop: 57; out1: 58
branch: # 58; line: 61- 61; sop: 58; eop: 58; out1: -2
path #1: 0, 5, 15, 22, 23, 29, 30, 41, 53, 54, 58,
path #2: 0, 5, 15, 22, 23, 29, 30, 50, 53, 54, 58,
path #3: 0, 5, 15, 22, 23, 29, 54, 58,
path #4: 0, 5, 15, 22, 29, 30, 41, 53, 54, 58,
path #5: 0, 5, 15, 22, 29, 30, 50, 53, 54, 58,
path #6: 0, 5, 15, 22, 29, 54, 58,
path #7: 0, 5, 22, 23, 29, 30, 41, 53, 54, 58,
path #8: 0, 5, 22, 23, 29, 30, 50, 53, 54, 58,
path #9: 0, 5, 22, 23, 29, 54, 58,
path #10: 0, 5, 22, 29, 30, 41, 53, 54, 58,
path #11: 0, 5, 22, 29, 30, 50, 53, 54, 58,
path #12: 0, 5, 22, 29, 54, 58,
path #13: 0, 55, 58,
branch: # 0; line: 5- 7; sop: 0; eop: 3; out1: -2
path #1: 0,
branch: # 0; line: 8- 12; sop: 0; eop: 8; out1: 9
branch: # 9; line: 12- 12; sop: 9; eop: 13; out1: 39; out2: 17
branch: # 14; line: 12- 12; sop: 14; eop: 16; out1: 9
branch: # 17; line: 13- 13; sop: 17; eop: 21; out1: 22; out2: 24
branch: # 22; line: 13- 13; sop: 22; eop: 23; out1: 24
branch: # 24; line: 14- 16; sop: 24; eop: 38; out1: 14
branch: # 39; line: 17- 18; sop: 39; eop: 40
path #1: 0, 9, 39,
path #2: 0, 9, 17, 22, 24, 14, 9, 39,
path #3: 0, 9, 17, 24, 14, 9, 39,
branch: # 0; line: 19- 24; sop: 0; eop: 18; out1: 19
branch: # 19; line: 24- 24; sop: 19; eop: 23; out1: 55; out2: 27
branch: # 24; line: 24- 24; sop: 24; eop: 26; out1: 19
branch: # 27; line: 25- 25; sop: 27; eop: 31; out1: 32; out2: 34
branch: # 32; line: 25- 25; sop: 32; eop: 33; out1: 34
branch: # 34; line: 26- 29; sop: 34; eop: 54; out1: 24
branch: # 55; line: 30- 31; sop: 55; eop: 62
path #1: 0, 19, 55,
path #2: 0, 19, 27, 32, 34, 24, 19, 55,
path #3: 0, 19, 27, 34, 24, 19, 55,
branch: # 0; line: 32- 35; sop: 0; eop: 9; out1: 10
branch: # 10; line: 35- 35; sop: 10; eop: 14; out1: 34; out2: 18
branch: # 15; line: 35- 35; sop: 15; eop: 17; out1: 10
branch: # 18; line: 36- 39; sop: 18; eop: 33; out1: 15
branch: # 34; line: 40- 41; sop: 34; eop: 35
path #1: 0, 10, 34,
path #2: 0, 10, 18, 15, 10, 34,