What is FOPO?
First of all it stands for :- Free Online PHP Obfuscator. Basically what obfuscation does is it makes Scripts or programs less friendly to the human eye to quickly understand.
This particular one is available online here.
To test it out and see just what it does i wrote a simple Hello World PHP Script . On Passing it through FOPO The resulting Script was as below:
http://filehost.skilledsoft.com/en/file/138/helloworld-obfuscated.txt.html
As is seen this is some pretty Nifty Stuff. But anyway to decode it we will use a couple of steps:
- Translate the first Variable to extract the Function used
- Evaluate The Function & Extracting Secondary Variables
- String Concatenation to rebuild functions
- Script Rewrite
Translate the first Variable to extract the Function used
Starting From the known, notice the script starts with a variable ($xcd2d14bb6fa) and it is repeated after the eval function. This will most probably get another function. To get the value of the function being evaluated, write a small script to echo the hexadecimal value. The PHP script will be as below:
echo “\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65”;
This returns :
base64_decode
So next thing is to remove the known and replace it with the actual value as below:
Evaluate The Function &Extracting Secondary Variables
Replace Eval with Echo so that you can read the output from the front end of the page : i.e.
echo(base64_decode(
“JHA3ZWEyNDI2OTk4ODk2ZmNhODA5ZWRhNzFkMDk1MDUxPSJceDYyIjskczE3ZTczN2FlMGUwYjk3MDE3M…
On Viewing the page source after load you will see the functions demystified a bit into variables as below:.
http://filehost.skilledsoft.com/en/file/139/demistified-vars.txt.html
As is seen from the above Variables are repetitive and each has a hex value that we can echo out. The variables Concatenate into strings as is seen by the (.=) Sign after the first instance of the variable
String Concatenation to rebuild functions
This stage involves getting instances of variables from each point. Using a good IDE can make this less painful. I personally use Code Lobster on Windows and on Linux I use Bluefish Editor. See Below for the sample I have for this from code lobster
We will then bundle up all variable instances and echo out their values in order.
$k7659c2486072589cb50cfdd5555accb=”\x6d”;
$k7659c2486072589cb50cfdd5555accb.=”\144″;
$k7659c2486072589cb50cfdd5555accb.=”\x35″;
We script to:
echo “\x6d\144\x35”;
The above gives us md5 so we replace the instances of : $k7659c2486072589cb50cfdd5555accb with md5. repeat the same for all other variables.
From this we get the following Functions:
http://filehost.skilledsoft.com/en/file/140/functions-found.txt.html
Repeat the same for the heap of Hexadecimal values after the array though not assigned to variables.
Script Rewrite
Now So far if we do all the replacing we are set to the script as below:
http://filehost.skilledsoft.com/en/file/141/almost-final.txt.html
A shortcut from here is focus on the script core:
eval(gzinflate(base64_decode(str_rot13(“Ypt9QbNtQRQudkOTSdP2SXBOv3
EOsfXzb8rKjraYr9n0aE07hRnOTNUX1tvjrDcNUppbkhM05zp+dgq5Xl1ivBXEyyH84K
VVBazMI/VF/b36HQy9”))));
str_rot13 cancels out when passed through itself again, eval is switched to echo to view it on client side and gzinflate and base64_decode are passed through as is this results in our actual script. with hex values:
Lastly Echo the Hex value and we have our hello world script again.
Note:
If you have a more complex script, the step “String Concatenation to rebuild functions” Will be done more than once as they are nested