CodeSOD: edoced_46esab

by Remy Porter, from The Daily WTF (#6CYPK)

Rick is supporting a Magento-based e-commerce site. Like many such sites, it uses a lot of third-party plugins. One of those third-party plugins wants to make sure no one "steals" its code, and thus obfuscates the code.

$_F=__FILE__;$_X="JF9GPV9f...oJF9EKCRfWCkpOw==";$_D=strrev('edoced_46esab');eval($_D($_X));

This stores the actual code inside that Base64-encoded string. And it "cleverly" hides the fact that it's Base64-encoded by reversing the name of the decode function into "edoced_46esab".

But now, as clever hackers, you might be wondering: what is the actual code?

$_F=__FILE__;$_X="JF9GPV9fRklMRV9fOyR...RfRCgkX1gpKTs=";$_D=strrev('edoced_46esab');eval($_D($_X));

It's not a quine, it's another Base64-encoded string, surrounded by the same decoding code. And when you decode that?

$_F=__FILE__;$_X="LyoqDQogKiBA...KCdPSycpOyB9IH0=";$_D=strrev('edoced_46esab');eval($_D($_X));

Look familiar? When you decode it one more time, it outputs code. But that code has also been altered, so that all the variable names are $_0e91566a8fd5270e1fde008c1f93b7c9.

Every file in the plugin has been run through this obfuscator, and the plugin includes many files. So each file needs to be Base64-decoded and evaled three times before any real code runs.
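A static unwrapper for this pattern, added here as an example (it is not code from the post or from the plugin, and is written in Python rather than PHP so the layers can be peeled without ever running them): it matches the strrev/eval wrapper, reverses the decoder name to confirm it is base64_decode, and decodes layer by layer until no wrapper remains. The wrap helper and the PLAIN snippet are constructed sample input.

```python
import base64
import re

# Matches the wrapper the plugin uses: the payload in $_X, the decoder name
# stored reversed ('edoced_46esab' -> base64_decode), then eval().
WRAPPER_RE = re.compile(
    r'\$_X="(?P<payload>[A-Za-z0-9+/=]+)";'
    r"\$_D=strrev\('(?P<revname>[a-z0-9_]+)'\);"
    r"eval\(\$_D\(\$_X\)\);"
)

def unwrap_layer(src: str):
    """Statically remove one wrapper layer; return decoded text or None."""
    m = WRAPPER_RE.search(src)
    if m is None:
        return None
    decoder = m.group("revname")[::-1]   # undo strrev()
    if decoder != "base64_decode":       # only handle the decoder we know
        return None
    try:
        return base64.b64decode(m.group("payload"), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def unwrap_all(src: str, max_layers: int = 20):
    """Peel nested layers without eval(); return (plaintext, layer_count)."""
    layers = 0
    while layers < max_layers:
        inner = unwrap_layer(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers

def wrap(code: str) -> str:
    """Constructed sample: rebuild the plugin's wrapper around `code`."""
    payload = base64.b64encode(code.encode()).decode()
    return ('$_F=__FILE__;$_X="%s";$_D=strrev(\'edoced_46esab\');'
            'eval($_D($_X));' % payload)

# Constructed sample input: a harmless snippet wrapped three times, as in the post.
PLAIN = "function hello() { return 'OK'; }"
SAMPLE = wrap(wrap(wrap(PLAIN)))

if __name__ == "__main__":
    code, n = unwrap_all(SAMPLE)
    print(n, "layers")   # 3 layers
    print(code)
```

Run it over a real plugin file and the layer count tells you how deep the nesting goes without executing a single eval.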

"Needless to say," Rick writes, "I'll be removing it and looking for another extension."
