This is a simple method for decrypting Plesk PHP files.
Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:
Code:
cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php
Then edit the handler that Frida has generated for you. It should be located at
Code:
/usr/bin/__handlers__/sw_engine/_efree.js
Copy this inside the handler:
Code:
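{
  onLeave: function (log, retval, state) {
    // Only handle the _efree call that returns to this call site in sw-engine.
    if (this.returnAddress == 0x9cc2d6) {
      // r15 + 128 holds a pointer to the decrypted PHP source.
      var s_addr = this.context.r15.add(128);
      s_addr = Memory.readPointer(s_addr);
      var s = Memory.readUtf8String(s_addr);
      // Write the source out; the file is overwritten on each matching call.
      var fd = new File("/tmp/decrypted.php", "w");
      fd.write(s);
      fd.close();
    }
  }
}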
Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php.
Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.