Exetools

Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   Decrypt Plesk PHP files (https://forum.exetools.com/showthread.php?t=18972)

alexandernst 09-16-2018 09:12

Decrypt Plesk PHP files
 
This is a simple method for decrypting Plesk PHP files.

Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:

Code:

cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php

Then edit the handler that Frida has generated for you. It should be located at

Code:

/usr/bin/__handlers__/sw_engine/_efree.js

Copy this inside the handler:

Code:

{
        onEnter: function (log, args, state) {
        },
        onLeave: function (log, retval, state) {
                // Only the _efree call that returns to this site has the decrypted
                // source reachable through r15. The address is absolute and taken
                // from the poster's sw-engine build; it will differ on other builds
                // or if the binary is loaded at a randomized base.
                if (this.returnAddress.equals(ptr('0x9cc2d6'))) {
                        // r15 points at a structure whose field at +128 holds a
                        // pointer to the NUL-terminated PHP source.
                        var s_addr = this.context.r15.add(128).readPointer();
                        var s = s_addr.readUtf8String();
                        // Each matching call overwrites the same file, so the last
                        // dump wins.
                        var fd = new File("/tmp/decrypted.php", "w");
                        fd.write(s);
                        fd.close();
                }
        }
}

Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php.

Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.
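The same hook, driven from Frida's Python bindings instead of a frida-trace handler, as an added example that is not code from the post above or from Plesk. It keeps the post's two build-specific findings as assumptions, which are hypothetical for any other build: the call site 0x9cc2d6 inside the poster's sw-engine binary, and the decrypted source being reachable as *(r15 + 128) when _efree returns there. Two things are added beyond the post: every dump goes to its own file instead of overwriting /tmp/decrypted.php, and with RETURN_ADDR=survey the agent lists every _efree caller with its symbol, which is one way to pick out the right site on a different build rather than hard-coding the poster's address. The `/usr/bin/sw-engine` and `/opt/psa/admin/htdocs/index.php` paths are the ones from the post; the agent assumes the Frida 12 to 16 JavaScript API.

```python
"""Dump the plaintext that sw-engine hands to _efree, via Frida's Python API.

Added example, not code from the forum post. The call site 0x9cc2d6 and the
*(r15 + 128) location are the poster's findings for one build and are
assumptions anywhere else. RETURN_ADDR=survey lists _efree callers instead.
"""
import os
import sys
import threading

# JavaScript agent injected into sw-engine. __RETURN_ADDR__ is filled in by the host.
AGENT_JS = r"""
const RETURN_ADDR = __RETURN_ADDR__;   // hex string, or null for survey mode
const STRUCT_OFFSET = 128;             // r15 + 128 -> pointer to the source (post's finding)

const efree = Module.findExportByName(null, '_efree');
if (efree === null) throw new Error('_efree is not exported by this process');

Interceptor.attach(efree, {
  onLeave(retval) {
    if (RETURN_ADDR === null) {
      // Survey mode: report each caller with its module-relative symbol so the
      // site that frees the decrypted source can be located on this build.
      send({ type: 'caller', addr: this.returnAddress.toString(),
             sym: DebugSymbol.fromAddress(this.returnAddress).toString() });
      return;
    }
    if (!this.returnAddress.equals(ptr(RETURN_ADDR))) return;
    try {
      // readCString() yields one JS char per byte, so the host recovers the
      // exact bytes with latin-1 and any binary content survives the trip.
      const text = this.context.r15.add(STRUCT_OFFSET).readPointer().readCString();
      send({ type: 'source', text: text === null ? '' : text });
    } catch (e) {
      send({ type: 'bad-read', error: e.toString() });  // wrong site or offset
    }
  }
});
"""


def looks_like_php(blob: bytes) -> bool:
    """Sanity check on a dump: PHP source should open with <?php (BOM/whitespace allowed)."""
    return blob.lstrip(b"\xef\xbb\xbf \t\r\n")[:5].lower() == b"<?php"


class Dumper:
    """Receives agent messages; writes each source dump to its own numbered file."""

    def __init__(self, out_dir):
        self.out_dir = out_dir
        self.count = 0
        self.callers = {}  # return address -> [call count, symbol]

    def handle(self, message, data=None):
        """Frida 'message' callback. Returns the path written, or None for anything else."""
        if message.get("type") != "send":  # agent exceptions arrive as type 'error'
            print(message, file=sys.stderr)
            return None
        payload = message["payload"]
        if payload["type"] == "caller":
            entry = self.callers.setdefault(payload["addr"], [0, payload["sym"]])
            entry[0] += 1
            return None
        if payload["type"] != "source":
            print(payload, file=sys.stderr)
            return None
        blob = payload["text"].encode("latin-1")
        self.count += 1
        path = os.path.join(self.out_dir, f"decrypted-{self.count}.php")
        with open(path, "wb") as fh:
            fh.write(blob)
        if not looks_like_php(blob):
            print(f"warning: {path} does not start with <?php; wrong site or offset?", file=sys.stderr)
        return path


def main(argv):
    import frida  # imported here so the helpers above work without Frida installed

    php_file = argv[1] if len(argv) > 1 else "/opt/psa/admin/htdocs/index.php"
    return_addr = os.environ.get("RETURN_ADDR", "0x9cc2d6")  # the post's value
    js_addr = "null" if return_addr == "survey" else f"'{return_addr}'"
    dumper = Dumper(os.environ.get("OUT_DIR", "/tmp"))
    done = threading.Event()

    pid = frida.spawn(["/usr/bin/sw-engine", php_file])  # spawned suspended: hook, then resume
    session = frida.attach(pid)
    session.on("detached", lambda *_: done.set())
    script = session.create_script(AGENT_JS.replace("__RETURN_ADDR__", js_addr))
    script.on("message", dumper.handle)
    script.load()
    frida.resume(pid)
    done.wait()  # sw-engine runs to completion; the session detaches when it exits

    for addr, (n, sym) in sorted(dumper.callers.items(), key=lambda kv: -kv[1][0]):
        print(f"{n:6d}  {addr}  {sym}")  # survey mode: candidate call sites, busiest first
    print(f"{dumper.count} dump(s) written to {dumper.out_dir}")


if __name__ == "__main__":
    main(sys.argv)
```

Usage: `python3 dump.py /opt/psa/admin/htdocs/index.php` dumps with the post's address; `RETURN_ADDR=survey python3 dump.py` prints the caller table so a candidate site can be chosen and then passed as `RETURN_ADDR=0x...`. The `looks_like_php` check is there because a wrong site or offset silently produces a file full of unrelated heap contents rather than an error.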

ymg2006 03-06-2019 05:55

Have you considered this approach on Windows Server?
I could not locate sw-engine on a Windows Server with Plesk installed.
Would you mind elaborating on where this RVA (0x9cc2d6) comes from?
Thanks in advance.

uel888 03-15-2019 00:22

Any update on ymg2006's inquiry?

ymg2006 03-15-2019 03:12

Quote:

Originally Posted by uel888 (Post 116655)
Any update on ymg2006's inquiry?

@alexandernst does this approach work on Windows Server to get Plesk files decrypted? Has anyone done this?

KNARZ 05-06-2019 00:23

Just wanted to take a look at the Plesk stuff, but this is what happens while trying to attach Frida:

Code:

Failed to attach: unexpected error while attaching to process with pid XXXX (PTRACE_SEIZE returned 'Input/output error')

Mahmoudnia 05-07-2019 17:24

Hi,
upload the PHP files that you want to decrypt.

foosaa 05-12-2019 09:49

Does the same method work for other protection tools like Zend, ionCube etc.? Thanks, and please forgive me if it's a naive question.

ymg2006 05-18-2019 01:42

Not working anymore.

I fully tried this and am confirming this is not working...

Mahmoudnia 05-18-2019 12:23

If you upload a sample, I can decrypt it for you.

KNARZ 05-23-2019 07:13

I'm not sure what I'm looking for. I just wanted to take a general look into it. Nothing specific. Also, it's pretty hard to give you something to decrypt if we can't really point out (on our own) what would be the right file when we can only judge by filename.

ARUBA 05-26-2019 17:05

Quote:

Originally Posted by ymg2006 (Post 116562)
Have you considered this approach on Windows Server?
I could not locate sw-engine on a Windows Server with Plesk installed.
Would you mind elaborating on where this RVA (0x9cc2d6) comes from?
Thanks in advance.

Please, read these:
_https://blog.silentsignal.eu/2013/12/18/plesk-decryption/
_https://gist.github.com/KenanSulayman/9050608

Mahmoudnia 05-26-2019 17:16

Quote:

Originally Posted by ARUBA (Post 117133)
Please, read these:
_https://blog.silentsignal.eu/2013/12/18/plesk-decryption/
_https://gist.github.com/KenanSulayman/9050608

They don't work on new versions of Plesk.

ARUBA 05-26-2019 17:29

Quote:

Originally Posted by Mahmoudnia (Post 117134)
They don't work on new versions of Plesk.

I know, it works only for versions < 12.

