#1
Decrypt Plesk PHP files
This is a simple method for decrypting Plesk PHP files.
Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:
Code:
cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php
Code:
/usr/bin/__handlers__/sw_engine/_efree.js
Code:
{
    onLeave: function (log, retval, state) {
        // Only act on the _efree call returning to the call site the author
        // identified; the address is specific to that sw-engine build.
        if (this.returnAddress == 0x9cc2d6) {
            // Pointer to the plaintext buffer sits 128 bytes past r15 here.
            var s_addr = this.context.r15.add(128);
            s_addr = Memory.readPointer(s_addr);
            var s = Memory.readUtf8String(s_addr);
            var fd = new File("/tmp/decrypted.php", "w");
            fd.write(s);
            fd.close();
        }
    }
}
Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.
Last edited by alexandernst; 09-16-2018 at 23:24. Reason: Fixing a bug
The Following 13 Users Say Thank You to alexandernst For This Useful Post: ARUBA (03-18-2019), cachito (03-15-2019), goku (05-08-2019), Indigo (07-19-2019), Mahmoudnia (09-18-2018), niculaita (09-16-2018), nimaarek (09-16-2018), NoneForce (03-16-2019), p4r4d0x (10-31-2018), Sir.V65j (09-23-2018), tonyweb (09-16-2018), uranus64 (09-19-2018), ymg2006 (01-05-2019)
#2
Have you considered this approach on Windows Server?
I could not locate sw-engine on Windows Server with Plesk installed. Would you mind elaborating on where this RVA (0x9cc2d6) comes from? Thanks in advance.
The Following User Says Thank You to ymg2006 For This Useful Post: Indigo (07-19-2019)
#4
@alexandernst does this approach work on Windows Server to get Plesk files decrypted? Has anyone done this?
The Following User Says Thank You to ymg2006 For This Useful Post: Indigo (07-19-2019)
#5
Just wanted to take a look at the Plesk stuff, but this is what I got while trying to attach Frida:
Code:
Failed to attach: unexpected error while attaching to process with pid XXXX (PTRACE_SEIZE returned 'Input/output error')
The Following User Says Thank You to KNARZ For This Useful Post: Indigo (07-19-2019)
#7
Does the same method work for other protection tools like Zend, ionCube etc.? Thanks, and please forgive me if it's a naive question.
Last edited by foosaa; 05-12-2019 at 09:49. Reason: Spelling |
The Following User Says Thank You to foosaa For This Useful Post: Indigo (07-19-2019)
#8
Not working anymore
I fully tried this and confirm that it is not working...
The Following User Says Thank You to ymg2006 For This Useful Post: Indigo (07-19-2019)
#10
I'm not sure what I'm looking for. I just wanted to take a general look into it, nothing specific. Also, it's pretty hard to give you something to decrypt if we can't really point out (on our own) which would be the right file when we can only judge by filename.
The Following User Says Thank You to KNARZ For This Useful Post: Indigo (07-19-2019)
#11
Quote:
_https://blog.silentsignal.eu/2013/12/18/plesk-decryption/
_https://gist.github.com/KenanSulayman/9050608
The Following User Says Thank You to ARUBA For This Useful Post: Indigo (07-19-2019)
Tags: decrypt, php, plesk