Phonetic — HacktivityCon 2021

To begin with, I was given an obfuscated PHP file, so my first task was to figure out what the code was doing. Since the original code was so hard to follow, I deobfuscated it.

The first part of the code is a function that takes two arguments: the obfuscated malware and a string. The two are XORed together, and the result, the decoded malware, is returned.

The malware is heavily obfuscated; not only is it XORed with a string, it is also base64-encoded twice.

This line of code takes the malware and passes it to the base64_decode function. The result is then XORed with the string “tVEwfwrN302” and finally passed through base64_decode a second time, which completes the decoding. Once $source is printed, more PHP code is displayed.
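To make the three layers concrete, here is a small Python reconstruction of that decode pipeline. This is an added example, not the challenge's PHP or the author's code: the key “tVEwfwrN302” is taken from the write-up, but the function names are mine, the sample payload is constructed (the real obfuscated blob is not reproduced on the page), and the assumption that the loader repeats the key over the whole payload is mine as well.

```python
import base64
from itertools import cycle

# Key quoted in the write-up; the loader XORs the base64-decoded blob with it.
XOR_KEY = b"tVEwfwrN302"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.

    Assumption: the original loader loops the key over the payload. PHP's
    native `$a ^ $b` on two strings truncates to the shorter operand, so
    obfuscators normally implement the looping themselves.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_stage(blob: str, key: bytes = XOR_KEY) -> bytes:
    """Reverse the layers described in the write-up:
    base64_decode -> XOR with key -> base64_decode.
    """
    layer1 = base64.b64decode(blob)          # outer base64
    layer2 = xor_with_key(layer1, key)       # undo the XOR, yielding base64 text
    return base64.b64decode(layer2)          # inner base64 -> plaintext PHP


def encode_stage(plain: bytes, key: bytes = XOR_KEY) -> str:
    """Apply the same layers in the forward direction.

    Only used here to build a harmless sample blob for testing the decoder,
    since the original obfuscated $source is not reproduced on the page.
    """
    inner = base64.b64encode(plain)
    return base64.b64encode(xor_with_key(inner, key)).decode("ascii")


# Constructed sample standing in for the real payload; not the challenge file.
SAMPLE_PLAIN = b'<?php echo "constructed sample, stage 2"; ?>'
SAMPLE_BLOB = encode_stage(SAMPLE_PLAIN)

if __name__ == "__main__":
    print(decode_stage(SAMPLE_BLOB).decode())
```

When analysing a real loader, the only thing to swap in is the blob itself (and the key, if the sample uses a different one); each intermediate layer is worth dumping to a file so you can confirm it is valid base64 before going further.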

Within the malware are two variables named $back_connect_p and $bind_port_p. Both contain base64-encoded data.

After decrypting bind_port_p, I found Perl code with nothing really interesting in it, so next I took a look at back_connect_p.

The highlighted code seemed more interesting; after some research, I found that this is a binary-to-text encoding.

begin 644 /dev/stdout
F9FQA9WLY8C5C-#,Q,V0Q,CDU.#,U-&)E-C(X-&9C9#8S9&0R-GT``
end

Bash has a function to decode this data called uudecode. This utility takes a file as input, so I stored the above code block in a file named “flag.txt”.
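If uudecode is not installed (on most Linux distributions it ships in the sharutils package rather than with the shell itself), the format is simple enough to decode by hand. The following is an added Python example, not part of the write-up: it parses the begin/end container reproduced above and decodes the body with the standard library's binascii.a2b_uu. The function name and the return shape are my choices.

```python
import binascii
import re

# The uuencoded block reproduced in the write-up (the "highlighted code").
UU_BLOCK = """begin 644 /dev/stdout
F9FQA9WLY8C5C-#,Q,V0Q,CDU.#,U-&)E-C(X-&9C9#8S9&0R-GT``
end
"""

_BEGIN = re.compile(r"^begin (?P<mode>[0-7]{3,4}) (?P<name>.*)$")


def uudecode(text: str) -> tuple[str, int, bytes]:
    """Decode a classic uuencode container and return (name, mode, payload).

    Each body line starts with a length character (value = ord(c) - 32, masked
    to 6 bits) followed by 4-character groups that each encode 3 bytes; the
    backtick stands for the value 0. binascii.a2b_uu decodes one such line and
    honours the length character, so the padding at the end of the last group
    is dropped automatically.
    """
    lines = text.splitlines()
    header = None
    body_start = 0
    for i, line in enumerate(lines):
        m = _BEGIN.match(line)
        if m:
            header, body_start = m, i + 1
            break
    if header is None:
        raise ValueError("no 'begin <mode> <name>' header found")

    payload = bytearray()
    for line in lines[body_start:]:
        if line.strip() == "end":
            break
        if not line or ((ord(line[0]) - 32) & 0o77) == 0:
            continue  # zero-length marker line ("`" or " ") that precedes "end"
        payload += binascii.a2b_uu(line)
    else:
        raise ValueError("missing 'end' trailer")

    return header.group("name"), int(header.group("mode"), 8), bytes(payload)


if __name__ == "__main__":
    name, mode, data = uudecode(UU_BLOCK)
    print(f"{name} mode={mode:o} length={len(data)}")
    print(data.decode("ascii", errors="replace"))
```

The header also tells you where the original tool intended to write the output: here the file name is /dev/stdout, so running uudecode on it prints the payload straight to the terminal rather than creating a file.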

This challenge was by far one of my favorites. I liked the layers of encryption put in place to solve this challenge. I will definitely be doing more malware analysis in the future.
