Dezending PHP code encoded by Zend Guard or ionCube
WHY REQUIRED
Sometimes, because the license for Zend-encoded code has been lost, the only way to run the code is to dezend it. It has been a very secret technique so far, but for a PHP or Java programmer it should not be that hard to do. The technique is explained below.
Features
Decode binary files encoded by Zend Encoder, Zend SafeGuard into PHP plain text.
The result file can perform the same functions as the original file.
Supports decompiling time-expired files.
Supports decompiling files with lost licenses.
Supports decompiling files with expired licenses.
Supports decompiling files with licenses for certain IPs or domains.
Supports decompiling large files (size more than 500 Kb).
Supports decompiling files optimized by Zend SafeGuard 3.6.x.
Supports decompiling files encoded by ionCube 6.5. New!
Supports decompiling files encoded by phpcipher. New!
Supports decompiling files encoded by codelock. New!
The PHP source is compiled by the encoding software and needs to be decompiled.
Looking at the basic premise of converting these bytecodes back into PHP, while it is definitely feasible, there would be significant limitations to the end result.
- uncommented! - if any of the encoders obfuscate the variable names or function names on compilation, you are in real trouble here.
- layout and formatting - no whitespace or formatting by a programmer.
- optimizations may modify the code - chances are that after decompiling it, a few bytecode optimizations will have occurred, often making the code even more difficult to understand.
If you want to play with a potential decompiler, have a google for Derick’s VLD. It can dump the opcodes to a readable format; from there, it’s not totally impossible to create the code from it.
Vulcan Logic Disassembler
The Vulcan Logic Disassembler hooks into the Zend Engine and dumps all the opcodes (execution units) of a script. It was written as a beginning of an encoder, but I never got the time for that. It can be used to see what is going on in the Zend Engine.
VLD can not decrypt any encoded files.
If you have problems compiling or using this extension, please do not send me email about it. If you can’t make it work then this tool is not for you. If you are certain there is a bug, then provide a patch.
New Features in 0.8
- PHP 5.0 / PHP 5.1 support.
- vld will only show opcodes if the setting vld.active is set to 1.
New Features in 0.6
- Class methods info is only dumped if they contain some user defined functions.
- Clean up the framework for better opcode display.
- Print extended value for function calls (# of args in that case).
- Op code elements are only printed when they are actually used.
Download and Installation Instructions
The extension is not totally finished yet, but it works fine for me. If you have questions, feel free to send me an e-mail (but read this first) at derick at php dot net. If you like this piece of software, feel free to checkout my wishlist or Andrei’s. This improves chances that we will be continuing developing VLD.
You can download the source here or get it from CVS. The CVS root is “srmread@cvs.vl-srm.net:/repository”, the module is “vle” (not “vld”) and the password is “srmread”.
It’s not hard to use this extension, but it might not work with all PHP versions. Here are the instructions to get it to work:
- Unpack the tarball: tar -xzf vld-0.8.0.tgz.
- cd into the newly created directory.
- Create the configure script: phpize
- Now run “./configure” followed by “make install”.
That’s it, if you now run PHP from the command line and add the -dvld.active=1 parameter VLD will spit out the opcodes:
php -dvld.active=1 program.php
2 0 FETCH_CONSTANT tempvar1, ‘FALSE’
1 FETCH_DIM_W tempvar0, $_CONFIG, ‘modules’
2 FETCH_DIM_W tempvar2, tempvar0, ‘mod_license’
3 FETCH_DIM_W tempvar0, tempvar2, ‘enabled’
4 ASSIGN tempvar0, tempvar1
24 5 FETCH_CONSTANT tempvar0, ‘TRUE’
6 ASSIGN $tier2, tempvar0
25 7 ASSIGN tempvar0, $current_version, ‘4.2.1′
8 ASSIGN $version, tempvar0
26 9 ASSIGN $build_type, ‘DEMO:Z’
27 10 ASSIGN $version_name, ‘ModernBill .:. Client Billing System’
28 11 ASSIGN $mbchecksum, ‘ljhgerot782075ghv7092cceewwwegse3e3e4ersg987jnhg6tsdasdas3jgu9766r6f3g4f65gr89GVRCETFO’
42 12 INIT_FCALL_BY_NAME ‘function_exists’
13 SEND_VAL ‘ini_get’
14 DO_FCALL_BY_NAME 1 tempvar0, ‘function_exists’, 0
15 JMPZ tempvar0, ->21
43 16 INIT_FCALL_BY_NAME ‘ini_get’
17 SEND_VAL ‘register_globals’
18 DO_FCALL_BY_NAME 1 tempvar0, ‘ini_get’, 0
19 ASSIGN $onoff, tempvar0
44 20 JMP ->25
45 21 INIT_FCALL_BY_NAME ‘get_cfg_var’
22 SEND_VAL ‘register_globals’
23 DO_FCALL_BY_NAME 1 tempvar0, ‘get_cfg_var’, 0
24 ASSIGN $onoff, tempvar0
47 25 IS_NOT_EQUAL tempvar0, $onoff, 1
26 JMPZ tempvar0, ->115
48 27 BEGIN_SILENCE
28 INIT_FCALL_BY_NAME ‘extract’
29 FETCH_FUNC_ARG tempvar1, ‘HTTP_SERVER_VARS’
30 SEND_VAR tempvar1
31 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
32 SEND_VAL tempvar1
33 DO_FCALL_BY_NAME 2 ‘extract’, 0
34 END_SILENCE tempvar0,
49 35 BEGIN_SILENCE
36 INIT_FCALL_BY_NAME ‘extract’
37 FETCH_FUNC_ARG tempvar1, ‘HTTP_COOKIE_VARS’
38 SEND_VAR tempvar1
39 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
40 SEND_VAL tempvar1
41 DO_FCALL_BY_NAME 2 ‘extract’, 0
42 END_SILENCE tempvar0,
50 43 BEGIN_SILENCE
44 INIT_FCALL_BY_NAME ‘extract’
45 FETCH_FUNC_ARG tempvar1, ‘HTTP_POST_FILES’
46 SEND_VAR tempvar1
47 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
48 SEND_VAL tempvar1
49 DO_FCALL_BY_NAME 2 ‘extract’, 0
50 END_SILENCE tempvar0,
51 51 BEGIN_SILENCE
52 INIT_FCALL_BY_NAME ‘extract’
53 FETCH_FUNC_ARG tempvar1, ‘HTTP_POST_VARS’
54 SEND_VAR tempvar1
55 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
56 SEND_VAL tempvar1
57 DO_FCALL_BY_NAME 2 ‘extract’, 0
58 END_SILENCE tempvar0,
52 59 BEGIN_SILENCE
60 INIT_FCALL_BY_NAME ‘extract’
61 FETCH_FUNC_ARG tempvar1, ‘HTTP_GET_VARS’
62 SEND_VAR tempvar1
63 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
64 SEND_VAL tempvar1
65 DO_FCALL_BY_NAME 2 ‘extract’, 0
66 END_SILENCE tempvar0,
53 67 BEGIN_SILENCE
68 INIT_FCALL_BY_NAME ‘extract’
69 FETCH_FUNC_ARG tempvar1, ‘HTTP_ENV_VARS’
70 SEND_VAR tempvar1
71 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
72 SEND_VAL tempvar1
73 DO_FCALL_BY_NAME 2 ‘extract’, 0
74 END_SILENCE tempvar0,
54 75 BEGIN_SILENCE
76 INIT_FCALL_BY_NAME ‘extract’
77 FETCH_FUNC_ARG global tempvar1, ‘_SERVER’
78 SEND_VAR tempvar1
79 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
80 SEND_VAL tempvar1
81 DO_FCALL_BY_NAME 2 ‘extract’, 0
82 END_SILENCE tempvar0,
55 83 BEGIN_SILENCE
84 INIT_FCALL_BY_NAME ‘extract’
85 FETCH_FUNC_ARG global tempvar1, ‘_COOKIE’
86 SEND_VAR tempvar1
87 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
88 SEND_VAL tempvar1
89 DO_FCALL_BY_NAME 2 ‘extract’, 0
90 END_SILENCE tempvar0,
56 91 BEGIN_SILENCE
92 INIT_FCALL_BY_NAME ‘extract’
93 FETCH_FUNC_ARG global tempvar1, ‘_POST’
94 SEND_VAR tempvar1
95 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
96 SEND_VAL tempvar1
97 DO_FCALL_BY_NAME 2 ‘extract’, 0
98 END_SILENCE tempvar0,
57 99 BEGIN_SILENCE
100 INIT_FCALL_BY_NAME ‘extract’
101 FETCH_FUNC_ARG global tempvar1, ‘_GET’
102 SEND_VAR tempvar1
103 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
104 SEND_VAL tempvar1
105 DO_FCALL_BY_NAME 2 ‘extract’, 0
106 END_SILENCE tempvar0,
58 107 BEGIN_SILENCE
108 INIT_FCALL_BY_NAME ‘extract’
109 FETCH_FUNC_ARG global tempvar1, ‘_ENV’
110 SEND_VAR tempvar1
111 FETCH_CONSTANT tempvar1, ‘EXTR_SKIP’
112 SEND_VAL tempvar1
113 DO_FCALL_BY_NAME 2 ‘extract’, 0
114 END_SILENCE tempvar0,
68 115 JMPZ_EX tempvar0, $DIR, ->142
116 FETCH_CONSTANT tempvar1, ‘DIR’
117 FETCH_DIM_R tempvar2, $HTTP_COOKIE_VARS, tempvar1
118 JMPNZ_EX tempvar1, tempvar2, ->141
119 FETCH_CONSTANT tempvar3, ‘DIR’
120 FETCH_DIM_R tempvar2, $HTTP_POST_VARS, tempvar3
121 BOOL tempvar1, tempvar2
122 JMPNZ_EX tempvar1, tempvar1, ->141
123 FETCH_CONSTANT tempvar3, ‘DIR’
124 FETCH_DIM_R tempvar2, $HTTP_GET_VARS, tempvar3
125 BOOL tempvar1, tempvar2
126 JMPNZ_EX tempvar1, tempvar1, ->141
127 FETCH_CONSTANT tempvar4, ‘DIR’
128 FETCH_R global tempvar3, ‘_COOKIE’
129 FETCH_DIM_R tempvar2, tempvar3, tempvar4
130 BOOL tempvar1, tempvar2
131 JMPNZ_EX tempvar1, tempvar1, ->141
132 FETCH_CONSTANT tempvar4, ‘DIR’
133 FETCH_R global tempvar3, ‘_POST’
134 FETCH_DIM_R tempvar2, tempvar3, tempvar4
135 BOOL tempvar1, tempvar2
136 JMPNZ_EX tempvar1, tempvar1, ->141
137 FETCH_CONSTANT tempvar4, ‘DIR’
138 FETCH_R global tempvar3, ‘_GET’
139 FETCH_DIM_R tempvar2, tempvar3, tempvar4
140 BOOL tempvar1, tempvar2
141 BOOL tempvar0, tempvar1
142 JMPZ tempvar0, ->221
143 FETCH_CONSTANT tempvar1, ‘REMOTE_ADDR’
144 FETCH_DIM_R tempvar0, $HTTP_SERVER_VARS, tempvar1
145 ASSIGN $ip, tempvar0
146 INIT_FCALL_BY_NAME ‘gethostbyaddr’
147 FETCH_FUNC_ARG tempvar0, ‘ip’
148 SEND_VAR tempvar0
149 DO_FCALL_BY_NAME 1 tempvar0, ‘gethostbyaddr’, 0
150 ASSIGN $host, tempvar0
Using a decompiler, similar to those that turn Java class files back into Java source files, these bytecodes are converted to PHP code:
<?php
// file: d:\Program Files\Apache Group\Apache2\htdocs\mb43\include\functions.inc.php - 04/31/05 23:42:27
global $rc;
$_CONFIG["modules"]["mod_license"]["enabled"] = FALSE;
$tier2 = TRUE;
$version = $current_version = "4.3.1";
$build_type = "Commercial Product";
$version_name = "Modern Bill .:. Hosting Management System";
$mbchecksum = "ljhgerot782075ghv7092cceewwwegse3e3e4ersg987jnhg6tsdasdas3jgu9766r6f3g4f65gr89GVRCETFO";
if (function_exists("ini_get"))
{
    $onoff = ini_get("register_globals");
}
else
{
    $onoff = get_cfg_var("register_globals");
}
if (($onoff) != (1))
{
    @ extract($HTTP_SERVER_VARS, EXTR_SKIP);
    @ extract($HTTP_COOKIE_VARS, EXTR_SKIP);
    @ extract($HTTP_POST_FILES, EXTR_SKIP);
    @ extract($HTTP_POST_VARS, EXTR_SKIP);
    @ extract($HTTP_GET_VARS, EXTR_SKIP);
    @ extract($HTTP_ENV_VARS, EXTR_SKIP);
    global $_SERVER;
    @ extract($_SERVER, EXTR_SKIP);
    global $_COOKIE;
    @ extract($_COOKIE, EXTR_SKIP);
    global $_POST;
    @ extract($_POST, EXTR_SKIP);
    global $_GET;
    @ extract($_GET, EXTR_SKIP);
    global $_ENV;
    @ extract($_ENV, EXTR_SKIP);
}
if (($DIR && $HTTP_COOKIE_VARS[DIR]) || ($DIR && $HTTP_POST_VARS[DIR]) || ($DIR && $HTTP_GET_VARS[DIR]) || ($DIR && $_COOKIE[DIR]) || ($DIR && $_POST[DIR]) || ($DIR && $_GET[DIR]))
{
    $ip = $HTTP_SERVER_VARS[REMOTE_ADDR];
    $host = gethostbyaddr($ip);
    $url = $HTTP_SERVER_VARS["HTTP_HOST"] . $HTTP_SERVER_VARS["REQUEST_URI"];
    $admin = ($GLOBALS[SERVER_ADMIN]?$GLOBALS[SERVER_ADMIN]:"security@modernbill.com");
    $body = "IP: " . $ip . "
HOST: " . $host . "
URL: " . $url . "
VER: " . $version . "
TIME: " . date("Y/m/d: h:i:s") . "
";
    @ mail($admin, "Possible breakin attempt.", $body, "From: " . $admin . "
");
    echo str_repeat(" ", 300) . "
";
    str_repeat(" ", 300);
    flush();
    echo " <html><head><body><center><h3><tt><b><font color=RED>Security violation from: ";
    echo $ip;
    echo " @ ";
    echo $host;
    echo "</font></b></tt></h3></center><hr><pre>";
    @ system("traceroute " . escapeshellcmd($ip) . " 2>&1");
    echo "</pre><hr><center><h2><tt><b><font color=RED>The admin has been alerted.</font></b></tt></h2></center></body></html>";
    exit ();
}
This is the dezended file, and it will run as the original file.
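An opcode listing can also be reviewed directly, without rebuilding the source. The following is an added example, not part of the original post or of VLD: it parses rows in the dump layout shown above and reports the two patterns visible in the decompiled file, extract() on request arrays and shell execution. The function name audit_vld_dump, the two review lists and the sample rows are assumptions constructed for illustration.

```python
import re

# One row of the legacy VLD layout shown above: [source line] op# OPCODE operands
ROW = re.compile(r"^\s*(?:(\d+)\s+)?(\d+)\s+([A-Z_]+)\b\s*(.*)$")
QUOTED = re.compile(r"['\u2018\u2019]([^'\u2018\u2019]*)['\u2018\u2019]")  # straight or typographic

# Assumed review lists (not from the post); extend them for your own code base.
REQUEST_ARRAYS = {"_GET", "_POST", "_COOKIE", "HTTP_GET_VARS",
                  "HTTP_POST_VARS", "HTTP_COOKIE_VARS", "HTTP_POST_FILES"}
SHELL_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}

def audit_vld_dump(text):
    """Return (source_line, function, note) for calls that deserve manual review."""
    findings, stack, line = [], [], None
    for raw in text.splitlines():
        m = ROW.match(raw)
        if not m:
            continue
        if m.group(1):                  # line number appears only on a line's first op
            line = int(m.group(1))
        opcode, names = m.group(3), QUOTED.findall(m.group(4))
        if opcode == "INIT_FCALL_BY_NAME" and names:
            stack.append((line, names[0], []))       # open a frame; calls can nest
        elif opcode in ("FETCH_FUNC_ARG", "SEND_VAL", "SEND_VAR") and stack:
            stack[-1][2].extend(names)               # quoted names feeding the call
        elif opcode == "DO_FCALL_BY_NAME" and stack:
            at, func, args = stack.pop()
            hit = sorted(REQUEST_ARRAYS.intersection(args))
            if func == "extract" and hit:
                findings.append((at, func, "imports " + hit[0] + " into local scope"))
            elif func in SHELL_FUNCS:
                findings.append((at, func, "runs a shell command"))
    return findings

# Constructed sample in the same layout; the 'system' rows are made up for the demo.
SAMPLE = """\
42 12 INIT_FCALL_BY_NAME 'function_exists'
13 SEND_VAL 'ini_get'
14 DO_FCALL_BY_NAME 1 tempvar0, 'function_exists', 0
57 100 INIT_FCALL_BY_NAME 'extract'
101 FETCH_FUNC_ARG global tempvar1, '_GET'
102 SEND_VAR tempvar1
105 DO_FCALL_BY_NAME 2 'extract', 0
90 200 INIT_FCALL_BY_NAME 'system'
201 SEND_VAL tempvar2
202 DO_FCALL_BY_NAME 1 'system', 0
"""

FINDINGS = audit_vld_dump(SAMPLE)   # two findings: extract at line 57, system at line 90
```

Findings carry the PHP source line from the dump's first column, so each one can be traced back to the matching statement in the decompiled file.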