Tuesday, February 24, 2015

How to Decode PhpLockIt 2.2.0

I recently saw an entire WordPress theme encoded with PhpLockIt 2.2.0, and I realized that this encryption is still widely used and that someone might be interested in a way to decrypt it.

Since PhpLockIt 2.2.0 is practically a base64 encoding, it can be decoded without errors, 100% clean, and the output script will work without the need to correct syntax errors or make additional changes to the code.

How to decode PhpLockIt 2.2.0:

Original file – This is the original test file, unedited:

Step 1 - Determine the values of the variables above "eval"
Below, you will see the file edited so that it can be read more easily. You will notice that I added "print_r($GLOBALS);".
Running this file will give you an array, and at the end of it you will notice the variables we are interested in:

  • $GLOBALS['OOO000000'] = 'fg6sbehpra4co_tnd';
  • $GLOBALS['OOO0000O0'] = 'base64_decode';
  • $GLOBALS['OOO000O00'] = 'fopen';
  • $GLOBALS['O0O000O00'] = 'fgets';
  • $GLOBALS['O0O00OO00'] = 'fread';
  • $GLOBALS['OOO00000O'] = 'strtr';
  • $OOO0O0O00 = 'C:\Documents and Settings\mla\Desktop\How to decode phpLockIt 2.2.0\original.php';
  • $OO00O0000 = 0xa8;

Step 2 - See what "eval" contains
I replaced the variables in the file above and, as you can see, "eval" is followed by the variable "$GLOBALS['OOO0000O0']", which has the value "base64_decode".
I replaced it and also changed "eval" to "echo". Let's run the file again.

Step 3 - Replace "eval"
I replaced "echo base64_decode ..." with the result obtained after running the file above. For clarity, I added two variables:

  • $O000O0O00 = $data;
  • $OO00O00O0 = $result;

Step 4 - Replace variables in "eval"
Replace $GLOBALS['OOO000O00'], $GLOBALS['OOO00000O'], etc. with the corresponding values "fopen", "strtr", etc.

Step 5 - Getting the decoded file
At first glance, to obtain the decoded file we would only need to replace "eval($result)" with "echo $result". If you run the program, you will see that this does not work: you will not get anything as a result. We need to add something.
In Step 1, we obtained the variable "$OO00O0000 = 0xa8".

  • I will replace "$result = base64_decode(strtr(fread($data, 0x3a8)" with "$result = base64_decode(strtr(fread($data, 0xa8)"
  • I will also add "fread($data, 0x3a8)" under the existing "fread($data, 0x501);"

Note: Before running this PHP file, make sure to replace the path to the original file "C:\Documents and Settings\mla\Desktop\How to decode phpLockIt 2.2.0\original.php" with your own path.

Decoded file - if you run the file above, you will get the decoded file below. You need to add "<?php" and "?>".
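The Step 5 decode can also be done statically, without running the encoded PHP at all. The Python sketch below is an added example, not one of the post's files. It mirrors the fread / strtr / base64_decode chain on a constructed sample laid out as header | stage | payload. The substitution alphabet, the sample file and all function names are assumptions; for the test file above the three lengths would be 0x501, 0x3a8 and 0xa8.

```python
import base64

STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
SUB = STD[13:] + STD[:13]  # constructed substitution alphabet (assumption)

def strtr(data: bytes, src: bytes, dst: bytes) -> bytes:
    """Equivalent of PHP strtr($s, $from, $to): byte-for-byte substitution."""
    n = min(len(src), len(dst))  # PHP ignores the surplus of the longer argument
    return data.translate(bytes.maketrans(src[:n], dst[:n]))

def decode_segment(blob: bytes, offset: int, length: int) -> bytes:
    """What base64_decode(strtr(fread($data, length), ...)) yields at offset."""
    chunk = blob[offset:offset + length]
    if len(chunk) != length:
        raise ValueError("segment runs past end of file; check the lengths")
    return base64.b64decode(strtr(chunk, SUB, STD), validate=True)

def decode_file(blob: bytes, header_len: int, stage_len: int, payload_len: int):
    """Return (stage, payload) as bytes; nothing is ever evaluated."""
    stage = decode_segment(blob, header_len, stage_len)
    payload = decode_segment(blob, header_len + stage_len, payload_len)
    return stage, payload

def build_sample():
    """Constructed test file: plain header, encoded stage, encoded payload."""
    def enc(s: bytes) -> bytes:
        return strtr(base64.b64encode(s), STD, SUB)
    header = b"<?php /* constructed stub standing in for the loader */ ?>"
    stage = enc(b"$result = base64_decode(strtr(fread($data, 0x14), 'SUB', 'STD'));")
    payload = enc(b'echo "hello";')
    return header + stage + payload, len(header), len(stage), len(payload)

if __name__ == "__main__":
    blob, h, s, p = build_sample()
    stage, payload = decode_file(blob, h, s, p)
    print(stage.decode())    # second-stage loader, shown as text
    print(payload.decode())  # decoded script body, still missing <?php ... ?>
```

A wrong length shows up as a ValueError or a base64 error rather than as silently empty output, which is the failure the first attempt in Step 5 runs into.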

I hope the explanation above is clear enough and useful at the same time. Download the example files presented in the steps above, here.
