EXETOOLS FORUM


alexandernst 09-16-2018 09:12

Decrypt Plesk PHP files

This is a simple method for decrypting Plesk PHP files.

Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:

Code:

cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php

Then edit the handler that Frida has generated for you. It should be located at

Code:

/usr/bin/__handlers__/sw_engine/_efree.js

Copy this inside the handler:

Code:

{
        onLeave: function (log, retval, state) {
                if (this.returnAddress == 0x9cc2d6) {
                        var s_addr = this.context.r15.add(128);
                        s_addr = Memory.readPointer(s_addr);
                        var s = Memory.readUtf8String(s_addr);
                        var fd = new File("/tmp/decrypted.php", "w");
                        fd.write(s);
                        fd.close();
                }
        }
}

Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php.

Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.

ymg2006 03-06-2019 05:55

Have you considered this approach on Windows Server?
I could not locate sw-engine on a Windows Server with Plesk installed.
Would you mind elaborating on where this RVA (0x9cc2d6) comes from?
Thanks in advance.

uel888 03-15-2019 00:22

Any update on ymg2006's inquiry?

ymg2006 03-15-2019 03:12

Quote:

Originally Posted by uel888 (Post 116655)
Any update on ymg2006's inquiry?

@alexandernst, does this approach work on Windows Server to get Plesk files decrypted? Has anyone done this?

KNARZ 05-06-2019 00:23

Just wanted to take a look at the Plesk stuff, but this is what I get while trying to attach Frida:

Code:

Failed to attach: unexpected error while attaching to process with pid XXXX (PTRACE_SEIZE returned 'Input/output error')

Mahmoudnia 05-07-2019 17:24

Hi,
Upload the PHP files that you want to decrypt.

foosaa 05-12-2019 09:49

Does the same method work for other protection tools like Zend, ionCube, etc.? Thanks, and please forgive me if it's a naive question.

ymg2006 05-18-2019 01:42

Not working anymore

I fully tried this and am confirming that this is not working....

Mahmoudnia 05-18-2019 12:23

If you upload a sample, I can decrypt it for you.
