EXETOOLS FORUM  

#1
09-16-2018, 09:12
alexandernst
Decrypt Plesk PHP files

This is a simple method for decrypting Plesk PHP files.

Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:

Code:
cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php
Then edit the handler that Frida has generated for you. It should be located at

Code:
/usr/bin/__handlers__/sw_engine/_efree.js
Copy this inside the handler:

Code:
{
        onLeave: function (log, retval, state) {
                // Only act on the _efree call that returns to this particular address inside sw-engine
                // (NativePointer comparison via equals(), which is what the original == relied on by coercion)
                if (this.returnAddress.equals(ptr('0x9cc2d6'))) {
                        // Per the post, the pointer at r15+128 points at the decoded source text
                        var s_addr = this.context.r15.add(128);
                        s_addr = Memory.readPointer(s_addr);
                        var s = Memory.readUtf8String(s_addr);
                        // Write the plaintext out to disk
                        var fd = new File("/tmp/decrypted.php", "w");
                        fd.write(s);
                        fd.close();
                }
        }
}
Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php.

Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.

Last edited by alexandernst; 09-16-2018 at 23:24. Reason: Fixing a bug
#2
03-06-2019, 05:55
ymg2006
Have you considered this approach on Windows Server?
I could not locate sw-engine on a Windows Server with Plesk installed.
Would you mind elaborating on where this RVA (0x9cc2d6) comes from?
Thanks in advance.
#3
03-15-2019, 00:22
uel888
Any update on ymg2006's inquiry?
#4
03-15-2019, 03:12
ymg2006
Quote:
Originally Posted by uel888
Any update on ymg2006's inquiry?

@alexandernst, does this approach work on Windows Server to get Plesk files decrypted? Has anyone done this?
#5
05-06-2019, 00:23
KNARZ
Just wanted to take a look at the Plesk stuff, but this is what I got while trying to attach Frida:

Code:
Failed to attach: unexpected error while attaching to process with pid XXXX (PTRACE_SEIZE returned 'Input/output error')
#6
05-07-2019, 17:24
Mahmoudnia
Hi,
upload the PHP files that you want to decrypt.
__________________
All about software security references
https://t.me/securebyte
#7
05-12-2019, 09:49
foosaa
Does the same method work for other protection tools like Zend, ionCube etc.? Thanks, and please forgive me if it's a naive question.
#8
05-18-2019, 01:42
ymg2006
Not working anymore

I fully tried this and can confirm it is not working....
#9
05-18-2019, 12:23
Mahmoudnia
If you upload a sample, I can decrypt it for you.
Tags
decrypt, php, plesk