What is FOPO?

First of all, it stands for Free Online PHP Obfuscator. Obfuscation makes scripts or programs harder for a human reader to understand quickly.

This particular one is available online here.

To test it and see just what it does, I wrote a simple Hello World PHP script. After passing it through FOPO, the resulting script was as below:

http://filehost.skilledsoft.com/en/file/138/helloworld-obfuscated.txt.html

As you can see, this is some pretty nifty stuff. To decode it we will go through a few steps:

  • Translate the first Variable to extract the Function used
  • Evaluate The Function & Extracting Secondary Variables
  • String Concatenation to rebuild functions
  • Script Rewrite

Translate the first Variable to extract the Function used

Translate First FOPO Variable


Starting from the known: notice that the script starts with a variable ($xcd2d14bb6fa), which is repeated after the eval function. It most probably holds the name of another function. To get the name of the function being evaluated, write a small script that echoes the escaped string (a mix of hexadecimal \x.. escapes and octal escapes). The PHP script is as below:

echo "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";

This returns:

base64_decode

The next thing is to remove the known variable and replace it with the actual function name, as below:

First Variable Replace With Function


Evaluate The Function & Extracting Secondary Variables

Replace eval with echo so that you can read the output from the front end of the page, i.e.:

echo(base64_decode(
"JHA3ZWEyNDI2OTk4ODk2ZmNhODA5ZWRhNzFkMDk1MDUxPSJceDYyIjskczE3ZTczN2FlMGUwYjk3MDE3M…

On viewing the page source after load, you will see the functions demystified a bit into variables, as below:

http://filehost.skilledsoft.com/en/file/139/demistified-vars.txt.html

Variables Echoed Out from FOPO Eval Function

As seen above, the variables are repetitive and each has a hex value that we can echo out. The variables are concatenated into strings, as shown by the .= operator after the first instance of each variable.

String Concatenation to rebuild functions

This stage involves collecting the instances of each variable. Using a good IDE can make this less painful. I personally use Code Lobster on Windows and Bluefish Editor on Linux. See below for the sample I have for this from Code Lobster:

Identifying FOPO Variables on Codelobster

We will then bundle up all variable instances and echo out their values in order.

$k7659c2486072589cb50cfdd5555accb="\x6d";
$k7659c2486072589cb50cfdd5555accb.="\144";
$k7659c2486072589cb50cfdd5555accb.="\x35";

We script this as:

echo "\x6d\144\x35";

 

The above gives us md5, so we replace the instances of $k7659c2486072589cb50cfdd5555accb with md5. Repeat the same for all other variables.

From this we get the following functions:

Functions Extracted from FOPO Concatenation

http://filehost.skilledsoft.com/en/file/140/functions-found.txt.html

Repeat the same for the heap of hexadecimal values after the array, even though they are not assigned to variables.
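
The escape decoding and concatenation steps above can also be done statically, without running any PHP. The following Python script is an added example, not part of the original post or of FOPO; its function names are hypothetical, and the sample input is constructed from the variable names and escape strings quoted above.

```python
import re

# PHP double-quoted escapes seen in FOPO output: \xHH (hex) and \NNN (octal).
_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# Matches  $name = "...";  and  $name .= "...";
_ASSIGN = re.compile(r'\$(\w+)\s*(\.?=)\s*"((?:[^"\\]|\\.)*)"\s*;')
# Matches a variable used as a function:  $name(
_CALL = re.compile(r'\$(\w+)\s*\(')


def decode_php_escapes(literal):
    """Resolve hex and octal escapes the way PHP does inside double quotes."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal above \377
    return _ESCAPE.sub(repl, literal)


def rebuild_variables(php_source):
    """Replay every = and .= assignment in order; return {variable: string}."""
    values = {}
    for name, op, literal in _ASSIGN.findall(php_source):
        piece = decode_php_escapes(literal)
        values[name] = values.get(name, "") + piece if op == ".=" else piece
    return values


def substitute_calls(php_source, values):
    """Rewrite $var( as name( when $var decoded to a plain function name."""
    def repl(m):
        name = values.get(m.group(1), "")
        return name + "(" if name.isidentifier() else m.group(0)
    return _CALL.sub(repl, php_source)


# Constructed sample: variable names and escape strings are the ones quoted
# in the post; the final call line is made up for illustration.
SAMPLE = r'''
$xcd2d14bb6fa="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";
$k7659c2486072589cb50cfdd5555accb="\x6d";
$k7659c2486072589cb50cfdd5555accb.="\144";
$k7659c2486072589cb50cfdd5555accb.="\x35";
echo $k7659c2486072589cb50cfdd5555accb($xcd2d14bb6fa("Y29uc3RydWN0ZWQ="));
'''

if __name__ == "__main__":
    recovered = rebuild_variables(SAMPLE)
    for var, value in recovered.items():
        print(f"${var} => {value}")
    print(substitute_calls(SAMPLE, recovered))
```

For nested layers, feed each decoded layer back through the same functions.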

Script Rewrite

If we do all the replacing so far, we arrive at the script below:

http://filehost.skilledsoft.com/en/file/141/almost-final.txt.html

A shortcut from here is to focus on the script core:

eval(gzinflate(base64_decode(str_rot13("Ypt9QbNtQRQudkOTSdP2SXBOv3
EOsfXzb8rKjraYr9n0aE07hRnOTNUX1tvjrDcNUppbkhM05zp+dgq5Xl1ivBXEyyH84K
VVBazMI/VF/b36HQy9"))));

str_rot13 cancels out when passed through itself again, eval is switched to echo to view the output on the client side, and gzinflate and base64_decode are passed through as is. This results in our actual script, with hex values:

http://filehost.skilledsoft.com/en/file/142/get-core.html

Lastly, echo the hex value and we have our Hello World script again.

 

Note:

If you have a more complex script, the step “String Concatenation to rebuild functions” will be done more than once, as the layers are nested.
