To begin with, I was given an obfuscated PHP file, so my first task was to figure out what the code was doing. Since the original code was so hard to follow, I deobfuscated it.
Exclusive OR (XOR)
The first part of the code is a function that takes two arguments: the obfuscated payload and a key string. It XORs the two together and returns the result, which is the next stage of the malware.
The payload is heavily obfuscated: not only is it XORed with a key string, it is also base64-encoded twice (base64 is an encoding, not encryption, so no secret beyond the XOR key is needed to reverse it).
This line of code takes the payload and passes it through base64_decode. The result is then XORed with the string "tVEwfwrN302" and finally passed through base64_decode a second time, which completes the decoding. Printing $source displays more PHP code.
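The three-layer decode described above, reproduced as a small static decoder. This is an added example written for this page, not code from the challenge file or from its author: it assumes the PHP routine cycles the key byte-by-byte (the usual $key[$i % strlen($key)] pattern; the original loop is not shown on the page), and the stage-2 PHP it decodes is a constructed stand-in for the real sample. The regex helper extract_b64_vars is hypothetical and simply pulls `$name = '<base64>';` assignments out of the decoded source. Decoding statically like this avoids ever running the attacker's PHP.

```python
import base64
import binascii
import re

# XOR key quoted in the write-up
KEY = b"tVEwfwrN302"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a key that repeats cyclically.

    Assumption: the PHP loader cycles the key with $key[$i % strlen($key)];
    the original loop is not shown on the page.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_layers(blob: str, key: bytes = KEY) -> bytes:
    """base64_decode -> XOR with key -> base64_decode, as the post describes.

    validate=True on the inner decode makes a wrong key fail with
    binascii.Error instead of silently producing garbage.
    """
    xored = base64.b64decode(blob)
    inner_b64 = xor_bytes(xored, key)
    return base64.b64decode(inner_b64, validate=True)


def key_is_valid(blob: str, key: bytes) -> bool:
    """True if the key yields well-formed base64 at the inner layer."""
    try:
        decode_layers(blob, key)
        return True
    except binascii.Error:
        return False


def encode_layers(plain: bytes, key: bytes = KEY) -> str:
    """Inverse pipeline; used here only to build a constructed sample."""
    inner_b64 = base64.b64encode(plain)
    return base64.b64encode(xor_bytes(inner_b64, key)).decode("ascii")


# Hypothetical helper: find `$name = '<base64>';` assignments in decoded PHP
VAR_RE = re.compile(r"\$(\w+)\s*=\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*;")


def extract_b64_vars(php_source: str) -> dict[str, bytes]:
    """Decode every base64 string assigned to a variable; skip non-base64."""
    found = {}
    for name, value in VAR_RE.findall(php_source):
        try:
            found[name] = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue
    return found


# Constructed stage-2 PHP resembling what the post describes (not the real sample)
STAGE2 = (
    "<?php\n"
    "$back_connect_p = '"
    + base64.b64encode(b"#!/usr/bin/perl\n# back-connect stub\n").decode()
    + "';\n"
    "$bind_port_p = '"
    + base64.b64encode(b"#!/usr/bin/perl\n# bind-port stub\n").decode()
    + "';\n"
)
# Constructed stage-1 blob: STAGE2 run through the forward pipeline
SAMPLE = encode_layers(STAGE2.encode())

if __name__ == "__main__":
    source = decode_layers(SAMPLE).decode()
    print(source)
    for name, data in extract_b64_vars(source).items():
        print(f"--- {name} ---\n{data.decode()}")
```

The validate=True check is the practical safeguard: if you guess the key wrong, or the loader uses a different key schedule than assumed, the inner layer will not be valid base64 and the decode fails immediately rather than handing you bytes that look like a third obfuscation layer.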
Within the decoded malware are two variables named $back_connect_p and $bind_port_p. Both contain base64-encoded data.
After decoding $bind_port_p, I found Perl code with nothing of real interest in it, so next I took a look at $back_connect_p.
Flag maybe 🤔
The highlighted code seemed more interesting. After some research I found that the block beginning with the line below is uuencoded data, a binary-to-text encoding.
begin 644 /dev/stdout
The command-line utility that reverses this encoding is uudecode. It is a standalone program (on most Linux distributions it comes from the sharutils package), not a Bash builtin. It takes a file as input, so I stored the above code block in a file and named it "flag.txt". Note that uudecode writes its output to the path named in the begin line, here /dev/stdout, so the decoded data is printed to the terminal; when handling an untrusted sample, pass -o to choose the output file yourself rather than letting the header decide where the bytes land.
This challenge was by far one of my favorites. I liked the layers of encoding put in place to solve this challenge. I will definitely be doing more malware analysis in the future.
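The same decoding done in Python, so the header can be inspected before anything is written anywhere. This is an added example, not part of the original write-up (the author used the uudecode command); it parses the `begin <mode> <name>` header, decodes each data line with binascii.a2b_uu, and stops at the backtick/`end` trailer. The input text is constructed inline for the example; it is not the challenge's actual payload.

```python
import binascii


def uudecode_text(text: str) -> tuple[str, int, bytes]:
    """Decode a uuencoded block; return (header file name, mode, payload).

    The file name is returned rather than acted on: the real uudecode
    utility writes to whatever path the header names, which is why the
    challenge block targets /dev/stdout and why an untrusted header
    deserves a look before decoding with the CLI.
    """
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        if line.startswith("begin "):
            break
    else:
        raise ValueError("no 'begin' header found")

    _, mode, name = lines[idx].split(" ", 2)
    payload = bytearray()
    for line in lines[idx + 1:]:
        if line == "end":
            break
        if line.strip() == "" or line == "`":
            continue  # zero-length line that precedes 'end'
        payload += binascii.a2b_uu(line)  # first char encodes the byte count
    else:
        raise ValueError("no 'end' trailer found")
    return name, int(mode, 8), bytes(payload)


def uuencode_bytes(data: bytes, name: str = "/dev/stdout", mode: int = 0o644) -> str:
    """Forward direction, used to construct sample input for the example.

    uuencode carries at most 45 raw bytes per line.
    """
    lines = [f"begin {mode:o} {name}"]
    for i in range(0, len(data), 45):
        lines.append(binascii.b2a_uu(data[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end", ""]
    return "\n".join(lines)


# Hand-written block: "#0V%T" is the uuencoding of the three bytes b"Cat"
HAND_WRITTEN = "begin 644 /dev/stdout\n#0V%T\n`\nend\n"

# Constructed multi-line block (not the real challenge payload)
CONSTRUCTED = uuencode_bytes(b"flag{constructed_sample}\n" * 3)

if __name__ == "__main__":
    for block in (HAND_WRITTEN, CONSTRUCTED):
        name, mode, data = uudecode_text(block)
        print(f"header wants to write {name} with mode {mode:o}")
        print(data.decode())
```

Decoding in a script rather than with the CLI also makes it easy to keep the output as bytes and hand it to a hex viewer or a hash, which matters when the payload turns out to be a binary rather than more text.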