EXETOOLS FORUM  

#1  09-16-2018, 09:12  alexandernst
Decrypt Plesk PHP files

This is a simple method for decrypting Plesk PHP files.

Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:


Code:
# frida-trace writes its handlers under the current directory, hence the cd
cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php
Then edit the handler that Frida has generated for you. It should be located at

Code:
/usr/bin/__handlers__/sw_engine/_efree.js
Copy this inside the handler:

Code:
{
        // Runs when _efree returns. Only the call made from return address
        // 0x9cc2d6 frees the buffer of interest; that address and the r15+128
        // slot are specific to the sw-engine build this was worked out on.
        onLeave: function (log, retval, state) {
                if (this.returnAddress.equals(ptr("0x9cc2d6"))) {
                        // r15 is callee-saved, so it still holds the caller's
                        // value here; the field at +128 is a char* to the
                        // decrypted PHP source
                        var s_addr = this.context.r15.add(128);
                        s_addr = Memory.readPointer(s_addr);
                        var s = Memory.readUtf8String(s_addr);
                        var fd = new File("/tmp/decrypted.php", "w");
                        fd.write(s);
                        fd.close();
                }
        }
}
Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php.

Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.

Last edited by alexandernst; 09-16-2018 at 23:24. Reason: Fixing a bug
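As an added example that is not part of alexandernst's post: the handler above matches a single hard-coded return address and a fixed r15+128 slot, both of which change with every sw-engine build. The stand-alone Frida script below (run with `frida -f /usr/bin/sw-engine -l dump_php.js -- /opt/psa/admin/htdocs/index.php`) generalises the same idea: on every `_efree()` call it inspects a list of candidate pointers (the buffer being freed, and the r15+128 slot from the post), dumps any that begin with `<?php` to a numbered file so includes are not overwritten, and logs the return address and a backtrace so the exact call site can be found and, if wanted, pinned down to a single-address check again. It assumes `_efree` is resolvable by name (as `frida-trace -i "_efree"` requires), that decrypted scripts start with `<?php`, that `/tmp` is writable, and uses the Frida 12 to 16 era `Module.findExportByName(null, ...)` API; none of that has been checked against a real Plesk install. The `typeof Interceptor` guard at the bottom lets the file be loaded outside Frida without error.

```javascript
// Added example (not from the original post): generalised _efree() dumper for Frida.
// Assumed, not verified: "_efree" resolves by name in sw-engine, decrypted
// source starts with "<?php", /tmp is writable.

var OUT_DIR = "/tmp";                            // dump directory (assumed writable)
var PHP_MAGIC = [0x3c, 0x3f, 0x70, 0x68, 0x70];  // bytes of "<?php"

// Where to look for a pointer to decrypted source on each _efree() call.
var PROBES = [
  { kind: "arg", index: 0 },                 // the buffer being freed
  { kind: "reg", name: "r15", offset: 128 }  // the slot the original handler reads
];

var dumpCount = 0;

// True if the first bytes of `bytes` spell "<?php".
function looksLikePhpSource(bytes) {
  if (bytes.length < PHP_MAGIC.length) return false;
  for (var i = 0; i < PHP_MAGIC.length; i++) {
    if (bytes[i] !== PHP_MAGIC[i]) return false;
  }
  return true;
}

// Numbered output path so successive scripts (includes etc.) are not overwritten.
function dumpPathFor(dir, n) {
  return dir + "/decrypted-" + n + ".php";
}

// --- Frida-only code below (NativePointer, CpuContext, File, Thread, Backtracer) ---

// Resolve one probe to a candidate pointer, or null if it cannot be read.
function candidateFromProbe(probe, args, ctx) {
  try {
    if (probe.kind === "arg") return args[probe.index];
    // register slot: *(reg + offset) is the candidate char*
    return ctx[probe.name].add(probe.offset).readPointer();
  } catch (e) {
    return null;  // register absent on this arch, or slot unreadable
  }
}

// Read a short prefix without faulting on unmapped memory.
function readPrefix(p) {
  try {
    var buf = p.readByteArray(PHP_MAGIC.length);
    return buf === null ? null : new Uint8Array(buf);
  } catch (e) {
    return null;  // Frida throws on access violations; treat as "not it"
  }
}

function installHook() {
  var efree = Module.findExportByName(null, "_efree");
  if (efree === null) throw new Error("_efree not found; is the target sw-engine?");

  Interceptor.attach(efree, {
    onEnter: function (args) {
      for (var i = 0; i < PROBES.length; i++) {
        var p = candidateFromProbe(PROBES[i], args, this.context);
        if (p === null || p.isNull()) continue;
        var prefix = readPrefix(p);
        if (prefix === null || !looksLikePhpSource(prefix)) continue;

        var src = p.readUtf8String();  // NUL-terminated source text
        var path = dumpPathFor(OUT_DIR, ++dumpCount);
        var f = new File(path, "w");
        f.write(src);
        f.close();

        // Return address and backtrace identify the call site; use them to
        // go back to a single-address filter like the original handler.
        console.log("[+] " + path + " (" + src.length + " chars) via probe " +
                    JSON.stringify(PROBES[i]) + " from " + this.returnAddress);
        console.log(Thread.backtrace(this.context, Backtracer.ACCURATE)
                    .map(DebugSymbol.fromAddress).join("\n"));
        break;  // one dump per _efree() call
      }
    }
  });
}

// Only install the hook when running inside Frida.
if (typeof Interceptor !== "undefined") installHook();
```

Reading is done in onEnter rather than onLeave: on x86-64 SysV, r15 is callee-saved, so the register slot holds the same value the original onLeave handler saw, while the freed buffer's contents are guaranteed intact before `_efree` runs rather than only by accident of the Zend allocator afterwards.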
#2  03-06-2019, 05:55  ymg2006
Have you considered this approach on Windows Server?
I could not locate sw-engine on a Windows server with Plesk installed.
Would you mind elaborating on where this RVA (0x9cc2d6) comes from?
Thanks in advance.
#3  03-15-2019, 00:22  uel888
Any update on ymg2006's inquiry?
#4  03-15-2019, 03:12  ymg2006
Quote:
Originally Posted by uel888
Any update on ymg2006's inquiry?
@alexandernst does this approach work on Windows Server to get Plesk files decrypted? Has anyone done this?

Tags
decrypt, php, plesk

All times are GMT +8.