Introduction
I was contacted a few days ago by a person who had knowledge of a small Electronik Tribulation Army botnet. You might remember these guys as GhostExodus’ old group. The contact sent me the source code of a PHP bot that connects to an IRC command & control server. The source was obfuscated using the Free Online PHP Obfuscator. To find the C&C server, I went through a process of stripping away the obfuscator’s layers of encoding, which I’m documenting here. This information might be useful if you’re doing similar reverse-engineering work on this PHP obfuscator (or others).
Note: At each stage, I have stripped the “<?php” tags to prevent the code from running accidentally. If you are following along, you’ll need to re-insert them (and preferably do so within a sandbox environment).
Stage 1
Here’s the original chunk of code:
On the first line, a variable is being set to a string that’s represented as a mix of hexadecimal (‘\x’) and octal (‘\’) escape sequences. This obfuscator makes extensive use of this technique. Python uses the same “\xhh” and “\ooo” escapes as PHP’s double-quoted strings (PHP only interprets them inside double quotes, not single quotes), so it’s easy to use my always-open Python shell to see a “normalized” ASCII representation of these strings:
>>> "\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65"
'base64_decode'
PHP allows a variable holding a string to be called as a function ($name(...)), so the variable $v539ded4bc2c gets set to “base64_decode”, which is then called with a large string of base64-encoded code. The decoded string of code then gets passed to eval() to execute. We’d rather just see what the decoded string is, so the easiest thing to do is replace the eval() with a print(). Then we can dump out the next stage:
hacbooknano:php_reverse wesley$ php original_print.txt > stage2_1.txt
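The same stage-1 clean-up as a script, added here as an example rather than taken from the post’s own workflow: it rewrites the \x and octal escapes inside double-quoted PHP strings, swaps eval( for print( so the file dumps its next stage when run, and, as a third option, pulls any long base64 literal out and decodes it in Python so stage 2 can be read without running any PHP at all. The sample dropper at the bottom is constructed in the shape described above (the variable name is the page’s; the embedded next stage is made up).

```python
import base64
import binascii
import re

# A PHP double-quoted string literal, honouring backslash escapes inside it.
_DQ_STRING_RE = re.compile(r'"(?:[^"\\]|\\.)*"', re.S)
# \\ (kept as-is), \xH / \xHH (hex), \O / \OO / \OOO (octal; PHP keeps the low byte).
_ESCAPE_RE = re.compile(r'\\\\|\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
# eval is a language construct, not a function, so the obfuscator cannot hide
# it behind a $variable() call the way it hides base64_decode: a literal
# "eval(" is always present in the source and this is enough to find it.
_EVAL_RE = re.compile(r'\beval\s*\(', re.I)


def _unescape(m):
    if m.group(1) is not None:
        code = int(m.group(1), 16)
    elif m.group(2) is not None:
        code = int(m.group(2), 8) & 0xFF
    else:
        return m.group(0)            # an escaped backslash: leave it alone
    ch = chr(code)
    if ch in '"\\$':
        return '\\' + ch             # must stay escaped to remain valid PHP
    if 32 <= code < 127:
        return ch
    return m.group(0)                # non-printable: keep the escape


def normalize_php_escapes(src):
    """Replace \\x and octal escapes inside double-quoted strings with the
    characters they denote. Single-quoted strings are left untouched because
    PHP does not interpret these escapes there."""
    return _DQ_STRING_RE.sub(lambda m: _ESCAPE_RE.sub(_unescape, m.group(0)), src)


def eval_to_print(src):
    """Turn eval(X) into print(X) so the stage prints its payload instead of
    running it. Everything else in the file still executes, hence the sandbox."""
    return _EVAL_RE.sub('print(', src)


def decode_base64_literals(src, min_len=64):
    """Return the decoded bytes of every double-quoted base64 literal of at
    least min_len characters, skipping anything that does not decode."""
    pattern = r'"([A-Za-z0-9+/]{%d,}={0,2})"' % min_len
    out = []
    for m in re.finditer(pattern, src):
        try:
            out.append(base64.b64decode(m.group(1), validate=True))
        except binascii.Error:
            continue                  # looked like base64 but was not
    return out


# Constructed sample: a stand-in for the real stage 2, wrapped the way the
# stage-1 dropper wraps it.
NEXT_STAGE = ('$channel = "#example"; $host = "irc.example.invalid"; '
              '$port = 6667; echo "stage two";')
STAGE1_SAMPLE = (
    '$v539ded4bc2c = "\\x62\\141\\x73\\145\\x36\\64\\x5f\\144\\x65\\143\\x6f\\144\\x65";\n'
    'eval($v539ded4bc2c("%s"));\n' % base64.b64encode(NEXT_STAGE.encode()).decode()
)

if __name__ == "__main__":
    # What you would write back into original_print.txt before running php:
    print(eval_to_print(normalize_php_escapes(STAGE1_SAMPLE)))
    # Or skip php entirely and decode the payload here:
    for blob in decode_base64_literals(STAGE1_SAMPLE):
        print(blob.decode("utf-8", "replace"))
```

Decoding the literal directly is the safer route when the dropper is this simple; replacing eval() with print() is still the fastest one when the payload is built up through several calls, and everything before the eval() then runs, so do it inside the sandbox.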
Stage 2
Here’s what we have now:
The lack of line breaks is annoying, so here is a little dirty Python script to split it up at each semicolon:
#!/usr/bin/python
import sys

# Read the one-line stage-2 dump and start a new line after every ';'.
# Semicolons inside string literals get split too, which is fine for a
# quick read but means the output is not guaranteed to be valid PHP.
with open(sys.argv[1]) as fp:
    data = fp.read()

for ch in data:
    sys.stdout.write(ch)
    if ch == ';':
        sys.stdout.write('\n')
Running this:
hacbooknano:php_reverse wesley$ ./breaklines.py stage2_1.txt > stage2_2_linebreaks.txt
We now have this:
The first 133 lines set up the obfuscated names used by the rest of this stage, building each one a character at a time and interleaving the assignments for the different names.
We can recover these names by copying those assignments out to another file and printing each variable’s value at the end. Since those lines only build strings, running them on their own executes nothing else from the bot:
hacbooknano:php_reverse wesley$ php stage2_3_displaynames.txt
x24b0884a06dee76da986eb65ba2940d = base64_decode
t104a34fab793aa8acc27101aa69e16d = ereg_replace
f28748ed1b08d4ce5faba4c5bbe478a2 = file_get_contents
sba02b7a6e9217c818bda90209467b6b = gzinflate
k9c9e40dc7cf4574c577417cdc8ae8a4 = md5
fafd3e80e124e1f5d45522b2e31e3eab = ob_end_clean
n8ad08ea0791139ed748c49d82092979 = ob_end_flush
v077b05ec0999fba76a979f188a32e32 = ob_get_contents
gb6e4eb13daf014a331ffe0376f2357b = ob_start
ff29e8f9567141dfd9b4c31c83a38d63 = str_replace
gb4ceeb3708efd3539d845de0b7fd52e = str_rot13
g52eba32e62d0a481f8e5efd196b27b8 = strpos
n8af683210c35ad36253a33d28a3fbde = strtok
Now, you can take this and go back to stage2_2_linebreaks to rename all the functions to their more readable names. I did this manually with search-and-replace in TextMate, since I wanted to see what was being replaced and when. I also normalized the strings as I did in stage 1. You wind up with the following code:
There’s what appears to be a tamper check, though I didn’t really play with it much since there’s no reason to. All we’re interested in at this point is the body of that “if” clause. A chunk of encoded text is ROT-13’d, base64-decoded, inflated with gzinflate() (raw DEFLATE, not a gzip file, which matters if you redo this step outside PHP), and finally eval()’d. If we chop out the tamper check, and replace the eval() with a print() again, we get to move on.
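Stage 2 done in Python, added as an example and not the post’s own code: the name map is the one recovered above by running the first 133 lines, and the decode chain is the one in the “if” body. That the obfuscated names are PHP variables invoked as $name(...) is an assumption about the obfuscator’s output, and the sample stage-2 line at the bottom is constructed in that shape (with a made-up stage 3 inside it) rather than taken from the bot. Doing the decode here means the tamper check never runs and nothing from the bot is executed.

```python
import base64
import codecs
import re
import zlib

# Obfuscated name -> real function, as printed by stage2_3_displaynames.txt.
NAME_MAP = {
    "x24b0884a06dee76da986eb65ba2940d": "base64_decode",
    "t104a34fab793aa8acc27101aa69e16d": "ereg_replace",
    "f28748ed1b08d4ce5faba4c5bbe478a2": "file_get_contents",
    "sba02b7a6e9217c818bda90209467b6b": "gzinflate",
    "k9c9e40dc7cf4574c577417cdc8ae8a4": "md5",
    "fafd3e80e124e1f5d45522b2e31e3eab": "ob_end_clean",
    "n8ad08ea0791139ed748c49d82092979": "ob_end_flush",
    "v077b05ec0999fba76a979f188a32e32": "ob_get_contents",
    "gb6e4eb13daf014a331ffe0376f2357b": "ob_start",
    "ff29e8f9567141dfd9b4c31c83a38d63": "str_replace",
    "gb4ceeb3708efd3539d845de0b7fd52e": "str_rot13",
    "g52eba32e62d0a481f8e5efd196b27b8": "strpos",
    "n8af683210c35ad36253a33d28a3fbde": "strtok",
}

# Assumption: the names are used as variable function calls, $name(...).
_CALL_RE = re.compile(r'\$(' + '|'.join(map(re.escape, NAME_MAP)) + r')\s*\(')


def rename_functions(src):
    """Rewrite $obfuscatedname( calls to the real function names."""
    return _CALL_RE.sub(lambda m: NAME_MAP[m.group(1)] + '(', src)


def gzinflate(data):
    """PHP's gzinflate() is raw DEFLATE (RFC 1951) with no zlib or gzip
    header; wbits=-15 tells zlib exactly that. gzip.decompress() or a
    positive wbits would fail with an 'incorrect header check'."""
    return zlib.decompress(data, -15)


def decode_stage2_payload(literal):
    """Same order as inside the original eval(): rot13, base64, inflate."""
    rot = codecs.decode(literal, 'rot_13')
    return gzinflate(base64.b64decode(rot)).decode('utf-8', 'replace')


def encode_stage2_payload(src):
    """Inverse pipeline; used here only to construct sample input."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(src.encode()) + comp.flush()
    return codecs.encode(base64.b64encode(raw).decode(), 'rot_13')


_PAYLOAD_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*"([^"]*)"')


def extract_stage3(stage2_src):
    """Rename the calls, locate eval(gzinflate(base64_decode(str_rot13("..."))))
    and return the decoded payload (the next stage), or None if absent."""
    m = _PAYLOAD_RE.search(rename_functions(stage2_src))
    if m is None:
        return None
    return decode_stage2_payload(m.group(1))


# Constructed sample: a stand-in stage 3 wrapped the way stage 2 wraps it.
STAGE3_SAMPLE = ('error_reporting(0); set_time_limit(0); $channel = "#example"; '
                 '$host = "irc.example.invalid"; $port = 6667;')
STAGE2_SAMPLE = (
    'eval($sba02b7a6e9217c818bda90209467b6b($x24b0884a06dee76da986eb65ba2940d('
    '$gb4ceeb3708efd3539d845de0b7fd52e("%s"))));' % encode_stage2_payload(STAGE3_SAMPLE)
)

if __name__ == "__main__":
    print(rename_functions(STAGE2_SAMPLE))
    print(extract_stage3(STAGE2_SAMPLE))
```

If the payload is not a single literal but assembled from several variables, run rename_functions() first and read the renamed source to see where the str_rot13() argument comes from; the decode chain itself does not change.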
Stage 3
Here’s what we have now:
This is close to the original code. The obfuscator has encoded the strings, done away with whitespace, and randomized variable names. We can normalize the strings, as above, and reformat the code. For variable names, that’s where we have to do some more human-eyes analysis. By looking at what the variables are set to, what functions they are being passed into, and other contextual information, we can give most variables much more reader-friendly names.
I only partially went through this process with this file, as I found what I needed, and had a good idea of the rest of the file. The partial cleanup is here:
Here’s where it assigns the botnet C&C server settings:
error_reporting(0);
set_time_limit(0);
$filename = "./a73v9.php";
$current_dir = "./";
$channel = "#nobotshere";
$host = "complexity.razorhack.org";
$port = 65000;
The C&C system itself had, at the time, been compromised and defaced by ETA member MR^E, with shoutouts to the other ETA members:

(Real smart, defacing your own botnet C&C)
Conclusions
I’d like to thank my Twitter followers for being very quick to get back-channels in gear and have the C&C hosting and domain taken down. While they’re back to much more typical skiddie activities (as opposed to backdooring hospital HVAC systems), it’s obvious that these guys haven’t learned much of a lesson. One can only hope that one day they’ll realize that they can build on the skills they’re using to run nets like this to get a start in legitimate security work, before it’s too late and they manage to burn their bridges and/or get busted.
Hopefully this will help some folk get a start in reversing PHP (and other interpreted-language) obfuscation as well. It’s pretty easy, and I think that files like this would serve as a good introduction for students to the concepts involved in reverse engineering in general. After a few baby steps like this we can move them up to compiled code.
Update: Looks like the original author of the bot code found out about this post, and decided to post the original source, along with a rant about how I “pick on retards”:

The end justifies the means. That skid who dumped the dox here, well, let’s just say he got his ass owned so hard he had no alternative but to snitch to you. It’s sort of like a smaller rat sucking the anus of a larger rat.
http://blip.tv/file/1794612
Lol, that skid. Right. That’s why your Comcast shit is crippled and your VPSs/DNS evicted/banned. That’s also why you were after my code. Cool story bro, glad I could dish out your ass.
Actually, your little slowlaris shit failed to disable my comcast, try harder failtard.
I guess you open your mouth before you look, and good luck DDoSing my asshole. Since you want to make this a public forum demonstrating your stupidity, you can DDoS my pipes here. Just FYI, I have 3 high-powered access points on the exterior of the building; within minutes I will have 3 IP addresses and be back online, so I invite you to fail more.
And BTW, our host didn’t drop us, you downed the whole hosting service, but that’s OK, they have your dox, they know who’s doing it, so keep it up, kid.
Inb4 I hijack the whole net back. Oh wait I already have.
That’s so very true.
Actually, a little googling will show that A) Fixer, you did not control the little botnet; “Complexity” was formed and used by BlueMagick and Mr^E, so stop trying to take credit for other skids’ useless work. I mean, there are countless posts made by them just two weeks ago offering the botnet, and your handle does not appear in a single one of them. Now I may be wrong, but it looks like you’re just trying to boost your rep to look cool. Dude, do something other than a botnet or a fake FBI seizure, that was just pathetic, man.
“Actually, your little slowlaris shit failed to disable my comcast, try harder failtard.
I guess you open your mouth before you look, and good luck DDoSing my asshole. Since you want to make this a public forum demonstrating your stupidity, you can DDoS my pipes here. Just FYI, I have 3 high-powered access points on the exterior of the building; within minutes I will have 3 IP addresses and be back online, so I invite you to fail more.
And BTW, our host didn’t drop us, you downed the whole hosting service, but that’s OK, they have your dox, they know who’s doing it, so keep it up, kid.”
BEEP, wrong again. See, I talked to d0ped from doxsters, you guys were using HIS VPS for your site, someone man, who are you trying to fool? You’re not that good.
ooohh noooz, teh fbi! lawlz
Perhaps you did not see the “FAKE” part of my post. Blah, never mind, you’re one of those people that only see what they want, which is why you’re such a dork. No better word for you. Have fun, mr l33t h3x0r d00d.
Well, let’s see here, asshole, narc, whatever your name is, I never once claimed to run that shit. Where did I say that? You need to take your meds, moron.
psst, hey Einstein…
“BEEP, wrong again. See, I talked to d0ped from doxsters, you guys were using HIS VPS for your site, someone man, who are you trying to fool? You’re not that good.”
Which VPS were you talking about? There are many we are discussing here. I suggest you actually know what you’re talking about before you begin putting the dicks of strangers in your mouth.
keep playing dumb, that will really help you save face.
um yeah coz saving face is a priority for me
Isn’t this all getting just a bit stupid? I mean, it is sort of obvious ETA is on the verge of self-destruction or disbandment. Narcotic, you need to shut up, you sound like a broken record. ETA guys, perhaps you all need to, idk, give up the whole group thing and try a solo project or two. Because frankly you all sound like idiots (“all” being everyone involved, not just the ETA guys).
why thanks Nogaria for pointing that out , now go fuck yourself
Aww, what’s wrong, fixer? Not going to be able to get your 5 minutes of fame like Jesse? Get over it, dude, your group is more or less done. This is what, the 2nd or 3rd time you guys changed domains? You went from kryptic forums, then used eoeta, then moved to hackserver, you got paranoid thinking Xon was a fed or a traitor or whatever, then you made Electroniktribulationarmy.com, then when that failed you tried to make it look like the feds got you, THEN when that failed to work, you make a domain called wesleymcgrew.com in order to try and look cool. Do you not see a pattern of failure? I mean, you got Mr^E talking with Xon as recently as June 1st. You got Dev/null’s dox getting dropped, then the little argument you two had over who was in ETA longer. I mean, call me crazy, but when I work with other hackers in a group, I tend to try and keep them IN the group over trying to be a dick to them. I mean, I will admit I have no idea what is going on behind the scenes, but your attitude alone leaves one plenty of room to wonder why ANY other hacker would want to work with such an egotistical little snot like yourself. No humility, no direction, you post useless tuts on different lame forums, and honestly you have to be pretty lame to get banned from HackForums.org; that place is FILLED with newbs, boasters and retards, I thought someone like you would have fit right in. But keep talking your shit, sooner or later your ego will come back to bite you on the ass. BTW you still sound like an idiot.
Ok three things I will respond about.
1.”, you make a domain called wesleymcgrew.com in order to try and look cool. do you not see a pattern of failure? ”
Yes I see you have a pattern of failure.
2. “you post useless tuts on different lame forums,”
What the fuck are you referring to?
3.”I mean I will admit I have no idea what is going on behind the scenes”
That’s clearly a fact.
lol, keep up all the good work, fixer, only a matter of time before other domains get suspended. Enjoy the Failed Life.
Well, whoever you are, you’re apparently ass-hurt enough to go on here rambling under a bullshit name, going on and on. You know me, but you won’t tell me who you are because you are a coward. BTW, I’m used to Wesley McGrew crying and snitching to get sites and domains suspended, it’s what he does, it’s not like it’s a big surprise. He’s the kid in grade school who kept snitching and snitching and somehow never had his ass kicked. A grown-ass man who has never tasted a mouthful of his own blood, now that’s not a man at all…. Lol, and that’s the last message I’m going to grace this with, I’ve got a journey ahead of me, see you later.
Actually, your buddy Ghost got himself busted for being a retard and recording himself doing shit, then posting it on YouTube. Epically Stupid.
thanks for pointing out the obvious
Can’t we all just smoke a bong?
fire it up dawg im down
fixer says:
June 6, 2010 at 8:56 pm
ooohh noooz, teh fbi! lawlz
Bet you were not lolzing when they came in your door and took your PC. I bet you were like that Joey kid from Hackers, crying because the big bad Feds took little Joe’s computer. AWWWWWWW, poor Fixer. Don’t worry, you will not have any criminal charges against you, you obviously do not have any skill set to do anything besides talk crap and ride on the media attention of your ex-leader (friend?!?!?!?) getting arrested. Had that not happened, no one would know who you or ETA were. You should thank Wesley, he got you some attention.
It’s interesting to see how hard the content side is for some. Although, I find it funny that you wasted this much time in doing it.