09-16-2018, 09:12
alexandernst
Decrypt Plesk PHP files

This is a simple method for decrypting Plesk PHP files.

Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:


Code:
cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php

Then edit the handler that Frida has generated for you. It should be located at

Code:
/usr/bin/__handlers__/sw_engine/_efree.js

Copy this inside the handler:

Code:
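{
    // Runs each time the traced _efree call returns.
    onLeave: function (log, retval, state) {
        // Only act on the one call site whose return address is 0x9cc2d6.
        if (this.returnAddress == 0x9cc2d6) {
            // Follow the pointer stored at r15 + 128 and read the string there.
            var s_addr = this.context.r15.add(128);
            s_addr = Memory.readPointer(s_addr);
            var s = Memory.readUtf8String(s_addr);
            // Write the string out to /tmp/decrypted.php.
            var fd = new File("/tmp/decrypted.php", "w");
            fd.write(s);
            fd.close();
        }
    }
}

Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php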

Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.

Last edited by alexandernst; 09-16-2018 at 23:24. Reason: Fixing a bug
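For a defender checking whether binaries on a server have been traced this way, the handler path named in the post is a usable artifact. The following is an added example, not part of the original post: it walks the given directories for `__handlers__/<module>/<function>.js` scripts, the layout shown above, and flags handlers that read memory or write files. The function names, flag names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Frida JavaScript calls worth flagging in a handler; both appear in the post's script.
MARKERS = {
    "reads_memory": re.compile(r"Memory\.read\w+\s*\("),
    "writes_file": re.compile(r"new\s+File\s*\("),
}

def scan_for_frida_handlers(roots):
    """Report every <root>/**/__handlers__/<module>/<function>.js script."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            # Only directories directly below a __handlers__ directory count.
            if os.path.basename(os.path.dirname(dirpath)) != "__handlers__":
                continue
            for name in sorted(f for f in files if f.endswith(".js")):
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    body = fh.read()
                findings.append({
                    "path": path,
                    "module": os.path.basename(dirpath),
                    "function": name[:-3],
                    "flags": sorted(k for k, rx in MARKERS.items() if rx.search(body)),
                })
    return findings

def build_sample_tree():
    """Constructed sample: a temp tree shaped like the post's /usr/bin layout."""
    root = tempfile.mkdtemp(prefix="frida_scan_")
    hdir = os.path.join(root, "usr", "bin", "__handlers__", "sw_engine")
    os.makedirs(hdir)
    with open(os.path.join(hdir, "_efree.js"), "w") as fh:
        fh.write('s_addr = Memory.readPointer(s_addr);\n'
                 'var fd = new File("/tmp/decrypted.php", "w");\n')
    # A script outside __handlers__ must not be reported.
    with open(os.path.join(root, "usr", "bin", "unrelated.js"), "w") as fh:
        fh.write("console.log('hi');\n")
    return root

if __name__ == "__main__":
    for f in scan_for_frida_handlers([build_sample_tree()]):
        print(f["module"], f["function"], ",".join(f["flags"]), f["path"])
```

On a real host, pass the directories that hold system binaries (for example `/usr/bin`) instead of the sample tree; a handler directory there means someone ran frida-trace from that location.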