EXETOOLS FORUM  

Old 09-16-2018, 09:12
alexandernst alexandernst is offline
Decrypt Plesk PHP files

This is a simple method for decrypting Plesk PHP files.

Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:

Code:
cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php

Then edit the handler that Frida has generated for you. It should be located at

Code:
/usr/bin/__handlers__/sw_engine/_efree.js

Copy this inside the handler:

Code:
{
        onLeave: function (log, retval, state) {
                // Only act on the _efree call that returns to this call site
                // (return address taken from the sw-engine build in this post).
                if (this.returnAddress.equals(ptr("0x9cc2d6"))) {
                        // On this x86-64 build, r15 + 128 holds a pointer to the
                        // buffer containing the decrypted PHP source.
                        var s_addr = this.context.r15.add(128);
                        s_addr = Memory.readPointer(s_addr);
                        var s = Memory.readUtf8String(s_addr);
                        var fd = new File("/tmp/decrypted.php", "w");
                        fd.write(s);
                        fd.close();
                }
        }
}

Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php

Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.

Last edited by alexandernst; 09-16-2018 at 23:24. Reason: Fixing a bug
The Following 2 Users Gave Reputation+1 to alexandernst For This Useful Post:
niculaita (09-16-2018), taos (09-18-2018)
The Following 7 Users Say Thank You to alexandernst For This Useful Post:
Mahmoudnia (09-18-2018), niculaita (09-16-2018), nimaarek (09-16-2018), p4r4d0x (10-31-2018), Sir.V65j (09-23-2018), tonyweb (09-16-2018), uranus64 (09-19-2018)
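From the defender's side, the procedure in this post leaves host-visible traces: Frida injects its agent library into the target, so the sw-engine process gets a frida-agent mapping in /proc/PID/maps, and while the injector is attached /proc/PID/status reports a non-zero TracerPid. The following check is an added example, not code from the post or from Plesk; the sample /proc contents are constructed, and the agent path is assumed to match "frida-agent".

```python
"""Flag a Plesk sw-engine process that shows signs of Frida instrumentation."""
import re
from pathlib import Path

# Frida's injected library names contain one of these substrings (assumption).
FRIDA_MAP_RE = re.compile(r"frida-agent|frida-gadget", re.I)


def inspect_process(status_text: str, maps_text: str) -> dict:
    """Parse /proc/PID/status and /proc/PID/maps contents into indicators."""
    name, tracer = None, None
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Name":
            name = value.strip()
        elif key == "TracerPid":
            tracer = int(value.strip())
    mapped = set()
    for line in maps_text.splitlines():
        fields = line.split()
        # Only mappings backed by a file have a sixth (path) field.
        if len(fields) >= 6 and FRIDA_MAP_RE.search(fields[-1]):
            mapped.add(fields[-1])
    return {"name": name, "tracer_pid": tracer,
            "frida_mappings": sorted(mapped),
            "suspicious": bool(mapped) or bool(tracer)}


def scan_proc(proc: Path = Path("/proc"), target: str = "sw-engine") -> list:
    """Walk a live /proc and return (pid, indicators) for instrumented targets."""
    hits = []
    for pid_dir in proc.iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            info = inspect_process((pid_dir / "status").read_text(),
                                   (pid_dir / "maps").read_text())
        except OSError:
            continue  # process exited, or maps not readable without root
        if info["name"] == target and info["suspicious"]:
            hits.append((int(pid_dir.name), info))
    return hits


# Constructed sample input modelled on Linux /proc output, not from a real host.
SAMPLE_STATUS = "Name:\tsw-engine\nState:\tt (tracing stop)\nPid:\t4242\nTracerPid:\t4100\n"
SAMPLE_MAPS = ("00400000-00a00000 r-xp 00000000 08:01 1234 /usr/bin/sw-engine\n"
               "7f3a0000-7f3b0000 r-xp 00000000 08:01 5678 /tmp/frida-xxxx/frida-agent-64.so\n")
```

Run scan_proc() as root on the host; an empty list means no sw-engine process currently shows either indicator.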
Tags
decrypt, php, plesk
