Exetools  

#1  09-16-2018, 09:12  alexandernst
Decrypt Plesk PHP files

This is a simple method for decrypting Plesk PHP files.

Trace "_efree" in "/usr/bin/sw-engine" with Frida, like this:

Code:
cd /usr/bin
frida-trace -i "_efree" ./sw-engine /opt/psa/admin/htdocs/index.php
Then edit the handler that Frida has generated for you. It should be located at

Code:
/usr/bin/__handlers__/sw_engine/_efree.js
Copy this inside the handler:

Code:
{
        onLeave: function (log, retval, state) {
                // Act only on the _efree() call that returns to this one call
                // site. The address is absolute, so it is valid only for the
                // specific (non-PIE) build of sw-engine it was taken from.
                if (this.returnAddress.equals(ptr('0x9cc2d6'))) {
                        // At this call site, r15 + 128 holds a pointer to the
                        // decrypted script source; follow it and read the text.
                        var s_addr = Memory.readPointer(this.context.r15.add(128));
                        var s = Memory.readUtf8String(s_addr);
                        // "w" truncates, so each hit overwrites the previous dump.
                        var fd = new File("/tmp/decrypted.php", "w");
                        fd.write(s);
                        fd.close();
                }
        }
}
Finally, run the frida-trace command again. You'll get the decrypted file in /tmp/decrypted.php.

Note that this is for investigation purposes only. If you like Plesk, pay for it. I'm not responsible for any bad usage of this code.

Last edited by alexandernst; 09-16-2018 at 23:24. Reason: Fixing a bug
#2  03-06-2019, 05:55  ymg2006

Have you considered this approach on Windows Server?
I could not locate sw-engine on a Windows Server with Plesk installed.
Would you mind elaborating on where this RVA (0x9cc2d6) comes from?
Thanks in advance.
#3  03-15-2019, 00:22  uel888

Any update on ymg2006's inquiry?
#4  03-15-2019, 03:12  ymg2006

Quote:
Originally Posted by uel888
Any update on ymg2006's inquiry?
@alexandernst, does this approach work on Windows Server to get Plesk files decrypted? Has anyone done this?
#5  05-06-2019, 00:23  KNARZ

I just wanted to take a look at the Plesk stuff, but this is what I get while trying to attach Frida:

Code:
Failed to attach: unexpected error while attaching to process with pid XXXX (PTRACE_SEIZE returned 'Input/output error')
#6  05-07-2019, 17:24  Mahmoudnia

Hi,
upload the PHP files that you want to decrypt.
#7  05-12-2019, 09:49  foosaa

Does the same method work for other protection tools like Zend, ionCube, etc.? Thanks, and please forgive me if it's a naive question.

Last edited by foosaa; 05-12-2019 at 09:49. Reason: Spelling
#8  05-18-2019, 01:42  ymg2006

Not working anymore

I tried this thoroughly and can confirm that it is not working.
#9  05-18-2019, 12:23  Mahmoudnia

If you upload a sample, I can decrypt it for you.
#10  05-23-2019, 07:13  KNARZ

I'm not sure what I'm looking for... I just wanted to take a general look into it, nothing specific. Also, it's pretty hard to give you something to decrypt if we can't point out on our own which file would be the right one, when all we can judge by is the filename.
#11  05-26-2019, 17:05  ARUBA

Quote:
Originally Posted by ymg2006
Have you considered this approach on Windows Server?
I could not locate sw-engine on a Windows Server with Plesk installed.
Would you mind elaborating on where this RVA (0x9cc2d6) comes from?
Thanks in advance.
Please, read these:
_https://blog.silentsignal.eu/2013/12/18/plesk-decryption/
_https://gist.github.com/KenanSulayman/9050608
#12  05-26-2019, 17:16  Mahmoudnia

Quote:
Originally Posted by ARUBA
Please, read these:
_https://blog.silentsignal.eu/2013/12/18/plesk-decryption/
_https://gist.github.com/KenanSulayman/9050608
They don't work on the new version of Plesk.
#13  05-26-2019, 17:29  ARUBA

Quote:
Originally Posted by Mahmoudnia
They don't work on the new version of Plesk.
I know, it works only for versions < 12.

Tags: decrypt, php, plesk

All times are GMT +8.