Compressing/Decompressing mysql dumps on the fly

February 17th, 2010 Ivan Villareal No comments

Using pipes and redirection in the shell we can take backups or restore them, performing compression or decompression on the fly. These are the commands I frequently use:

Create a backup with mysqldump and compress the stream with bzip2:

ivan@mini:~$ mysqldump -h dbHost -u dbUser -pdbPass --add-drop-database --databases <dbname> | bzip2 > dbName-02-17-2010.sql.bz2

If I want to restore the backup I use:

ivan@mini:~$ bunzip2 < dbName-02-17-2010.sql.bz2 | mysql -h dbHost -u dbUser -pdbPass

I can switch away from bzip2 compression by changing only the program names, for example to gzip/gunzip or lzma/unlzma.


Sync mysql tables from one db to another with php

February 16th, 2010 Ivan Villareal No comments

I needed a process to move a table from one database to another. The databases are on separate servers, so renaming the table will not work. I did a little research and found this Table Syncer, and it seemed fine; the problem is that it is a Ruby gem, and I say the problem because the server where this will be running doesn’t have it installed.

So instead of doing more research I spent that time developing my own PHP class to sync two tables on different servers. I have little time to create this, so I’m re-using a class I already wrote for handling several databases, which already has some useful methods. Right now it’s 3:12pm; I plan to finish this in 30 minutes, let’s see how it goes.

In the end I spent about an hour, but I have a working file that I can put in a cron job to sync the table on a regular basis.

I’ve changed the way I fetch the entire result, to avoid exhausting the PHP memory limit with large arrays: instead I’m fetching one row at a time. Another problem I had was that the null values came back blank, so when I was inserting on a unique index I got an error. To avoid this I remove the empty values from the insert and let the table’s default value be used instead. This results in slightly different tables (NULL instead of blanks), but because this isn’t important I didn’t want to spend more time on it.

The final file contains the db class and the sync class, and here it is:

<?php

/**
 * The purpose of this file is to sync
 * tables between 2 databases.
 *
 * Written against the PHP 5 mysql_* extension (removed in PHP 7).
 */

class tableSync {
    private $_sourceDbUser = 'ivan';
    private $_sourceDbPass = 'pass';
    private $_sourceDbName = 'bounty';
    private $_sourceDbHost = 'localhost';

    private $_targetDbUser = 'ivan';
    private $_targetDbPass = 'pass';
    private $_targetDbName = 'testing';
    private $_targetDbHost = 'localhost';

    private $_sourceDb, $_targetDb, $_primaryKey, $_table;

    public function __construct($table)
    {
        $this->_sourceDb = new Db($this->_sourceDbUser, $this->_sourceDbPass, $this->_sourceDbName, $this->_sourceDbHost);
        $this->_targetDb = new Db($this->_targetDbUser, $this->_targetDbPass, $this->_targetDbName, $this->_targetDbHost);
        $this->_table = $table;
        $this->begin();
    }

    public function begin()
    {
        //Check that the table exists on the target.
        //SHOW TABLES returns one row per table, so flatten the rows
        //into a plain list of names before searching it.
        $sql = 'SHOW TABLES';
        $tbl = $this->_targetDb->fetchAssoc($sql);
        $existing = array_map('current', $tbl);

        if (!in_array($this->_table, $existing)) {
            //create the table from the source definition
            $sql = "SHOW CREATE TABLE `".$this->_table."`";
            $tbl = $this->_sourceDb->fetchAssoc($sql);
            $createQry = $tbl[0]['Create Table'];
            $res = $this->_targetDb->query($createQry);
        }

        //Get the primary key (empty string when the table has none)
        $sql     = "SHOW INDEXES FROM `".$this->_table."` WHERE Key_name = 'PRIMARY'";
        $indexes = $this->_sourceDb->fetchAssoc($sql);
        $this->_primaryKey = isset($indexes[0]['Column_name']) ? $indexes[0]['Column_name'] : '';
        //Query the source table, one row at a time to keep memory use flat
        $sql     = 'SELECT * FROM `'.$this->_table.'`';
        $rowset  = $this->_sourceDb->query($sql);
        while ($row = mysql_fetch_assoc($rowset)) {
            //remove empty fields so the column default (usually NULL) is used
            $newRow = array();
            foreach ($row as $field => $value) {
                if ($value != '') {
                    $newRow[$field] = $value;
                }
            }
            if ($this->_primaryKey != '') {
                echo "Inserting row ".$row[$this->_primaryKey] . "\n";
                $res = $this->_targetDb->insertUpdate($this->_table, $newRow, $this->_primaryKey, $row[$this->_primaryKey]);
            } else {
                $res = $this->_targetDb->queryInsert($this->_table, $newRow);
            }
        }
    }
}

class Db
{
    private $_link;
    private $_affectedRows;
    private $_lastQueryStatus;

    /**
     * Instantiate the object
     **/
    public function __construct($user, $pass, $dbName, $host = 'localhost')
    {
        //A new link is forced so that source and target get separate connections
        $this->_link = mysql_connect($host, $user, $pass, true);
        if (!$this->_link) {
            printf("Connect failed: %s\n", mysql_error());
            exit();
        }
        mysql_select_db($dbName, $this->_link) or die('Could not select database');
        mysql_query("SET NAMES 'utf8'", $this->_link);
        mysql_query("SET CHARACTER SET 'utf8';", $this->_link);
    }

    public function query($sql)
    {
        //Every call names the link explicitly: two connections are open at once,
        //so the "last opened link" default would point at the wrong server
        $this->_lastQueryStatus = mysql_query($sql, $this->_link);
        if (!$this->_lastQueryStatus) {
            die('Query failed: ' . mysql_error($this->_link) . '<br /> SQL: '. $sql);
        }
        $this->_affectedRows    = mysql_affected_rows($this->_link);
        return $this->_lastQueryStatus;
    }

    public function fetchAssoc($sql)
    {
        $result = $this->query($sql);
        $table = array();
        while ($row = mysql_fetch_assoc($result)) {
            $table[] = $row;
        }
        return $table;
    }

    public function escape($string)
    {
        //magic_quotes_gpc was still common in 2010; undo it before escaping
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        return mysql_real_escape_string($string, $this->_link);
    }

    public function fetchField($table, $field, $where = '1')
    {
        $sql = "SELECT `$field` FROM `$table` WHERE $where";
        $result = $this->query($sql);
        $field = mysql_fetch_row($result);
        //null when no row matched, so a legitimate value of 0 is not mistaken for "not found"
        return $field ? $field[0] : null;
    }

    public function insertUpdate($table, $data, $field, $uniqueValue)
    {
        $where = is_int($uniqueValue) ? "`$field` = $uniqueValue" : "`$field` = '".$this->escape($uniqueValue)."'";
        $e = $this->fetchField($table, $field, $where);
        if ($e !== null) {
            $res = $this->queryUpdate($table, $data, $where);
        } else {
            $res = $this->queryInsert($table, $data);
        }
        return $res;
    }

    public function queryInsert($table, $data)
    {
        $q="INSERT INTO `".$table."` ";
        $v='';
        $n='';

        foreach($data as $key=>$val) {
            $n.="`$key`, ";
            if(strtolower($val)=='null') $v.="NULL, ";
            elseif(strtolower($val)=='now()') $v.="NOW(), ";
            elseif(strtolower($val)=='utc_timestamp()') $v.="UTC_TIMESTAMP(), ";
            else $v.= "'".$this->escape($val)."', ";
        }
        $q .= "(". rtrim($n, ', ') .") VALUES (". rtrim($v, ', ') .");";
        if($this->query($q)){
            $result = mysql_insert_id($this->_link);
        } else {
            $result = false;
        }
        return $result;
    }

    public function queryUpdate($table, $data, $where='1')
    {
        $q="UPDATE `".$table."` SET ";

        foreach($data as $key=>$val) {
            if(strtolower($val)=='null') $q.= "`$key` = NULL, ";
            elseif(strtolower($val)=='now()') $q.= "`$key` = NOW(), ";
            else $q.= "`$key`='".$this->escape($val)."', ";
        }
        $q = rtrim($q, ', ') . ' WHERE '.$where.';';

        return $this->query($q);
    }
}

//Instantiate the tableSync sending the table name I want to sync
$sync = new tableSync('tod_whois_raider');
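As an added example (mine, not the post’s code), here is the same one-table sync rebuilt on PDO: table and column names are validated and quoted instead of trusted, row values are bound so NULLs survive without any escaping or blank-stripping, and one prepared upsert replaces the per-row SELECT/INSERT/UPDATE. SOURCE_HOST and TARGET_HOST are placeholders; the table is assumed to have a primary or unique key, as in the post.

```php
<?php
// Added example, not the post's code: the same one-table sync rebuilt on PDO.
// Hosts are placeholders; user, database and table names are the post's.
// Assumes the table has a primary/unique key so that
// INSERT ... ON DUPLICATE KEY UPDATE can act as the upsert (PHP >= 7.4).

declare(strict_types=1);

final class PdoTableSync
{
    private PDO $source;
    private PDO $target;

    public function __construct(PDO $source, PDO $target)
    {
        $this->source = $source;
        $this->target = $target;
    }

    /** Identifiers cannot be bound as parameters, so they are validated
     *  against a strict pattern and backtick-quoted instead. */
    private static function ident(string $name): string
    {
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
            throw new InvalidArgumentException("Refusing unsafe identifier: $name");
        }
        return '`' . $name . '`';
    }

    public function sync(string $table): int
    {
        $t = self::ident($table);

        // Create the table on the target from the source DDL if it is missing
        $exists = $this->target->prepare(
            'SELECT 1 FROM information_schema.tables WHERE table_schema = DATABASE() AND table_name = ?'
        );
        $exists->execute([$table]);
        if ($exists->fetchColumn() === false) {
            $ddl = $this->source->query("SHOW CREATE TABLE $t")->fetch(PDO::FETCH_ASSOC);
            $this->target->exec($ddl['Create Table']);
        }
        $exists->closeCursor();

        // The column list comes from the schema, so one statement is prepared
        // once and reused for every row; values are bound, never interpolated.
        $cols = [];
        foreach ($this->source->query("SHOW COLUMNS FROM $t", PDO::FETCH_ASSOC) as $c) {
            $cols[] = self::ident($c['Field']);
        }
        $list    = implode(', ', $cols);
        $marks   = implode(', ', array_fill(0, count($cols), '?'));
        // VALUES() in ON DUPLICATE KEY UPDATE is deprecated since MySQL 8.0.20 but still works
        $updates = implode(', ', array_map(fn ($c) => "$c = VALUES($c)", $cols));
        $upsert  = $this->target->prepare(
            "INSERT INTO $t ($list) VALUES ($marks) ON DUPLICATE KEY UPDATE $updates"
        );

        // Unbuffered read: rows stream one at a time, as in the post's
        // mysql_fetch_assoc() loop, instead of loading the table into memory
        $this->source->setAttribute(PDO::MYSQL_ATTR_USE_BUFFERED_QUERY, false);
        $rows = $this->source->query("SELECT $list FROM $t", PDO::FETCH_NUM);

        $n = 0;
        $this->target->beginTransaction();
        try {
            foreach ($rows as $row) {
                // A NULL in the source is bound as NULL, so the target keeps
                // NULLs instead of the blank-vs-NULL drift described in the post
                $upsert->execute($row);
                $n++;
            }
            $this->target->commit();
        } catch (Throwable $e) {
            $this->target->rollBack();
            throw $e;
        }
        return $n;
    }
}

$opts   = [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION];
$source = new PDO('mysql:host=SOURCE_HOST;dbname=bounty;charset=utf8mb4', 'ivan', 'pass', $opts);
$target = new PDO('mysql:host=TARGET_HOST;dbname=testing;charset=utf8mb4', 'ivan', 'pass', $opts);
printf("%d rows synced\n", (new PdoTableSync($source, $target))->sync('tod_whois_raider'));
```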


Setting up a new centos VPS server from console

February 15th, 2010 Ivan Villareal 4 comments

I just got a couple of VPS servers that I have to configure to run some apps; these are the tasks I did to have them ready for production use:

 

These servers didn’t come with a control panel (better for me), so the first thing I did was to log in:

ivan@mini:~$ ssh root@23.45.12.56

After this I checked the OS version and architecture:

[root@V100205C4HB9V-1 ~]# cat /etc/*release*
CentOS release 5.4 (Final)
[root@V100205C4HB9V-1 ~]# uname -a
Linux V100205C4HB9V-1 2.6.18-028stab064.7 #1 SMP Wed Aug 26 13:11:07 MSD 2009 x86_64 x86_64 x86_64 GNU/Linux
[root@V100205C4HB9V-1 ~]#

OK, now that I know the OS, I create a normal user to avoid using the root account:

[root@V100205C4HB9V-1 ~]# useradd -G wheel ivan

Then I change the server name to mygdon:

[root@V100205C4HB9V-1 /]# sed -i 's/V100205C4HB9V-1/mygdon/g' /etc/sysconfig/network
[root@V100205C4HB9V-1 ~]# sed -i 's/V100205C4HB9V-1/mygdon/g' /etc/hosts
[root@V100205C4HB9V-1 ~]# echo HOST.DOMAIN.com > /etc/hostname
[root@V100205C4HB9V-1 ~]# hostname -F /etc/hostname

Unfortunately I was unable to persist the new hostname, because it is a VPS server. There are ways around this, but I didn’t have the time to make the changes, so I just moved on and left this for later.

The next thing I did was update the OS and add the rpmforge repo, because I will need some apps from there:

[root@V100205C4HB9V-1 ~]# yum update
[root@V100205C4HB9V-1 ~]# yum upgrade
[root@V100205C4HB9V-1 ~]# wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
[root@V100205C4HB9V-1 ~]# rpm -Uhv rpmforge-release-0.5.1-1.el5.rf.x86_64.rpm
[root@V100205C4HB9V-1 ~]# yum update
[root@V100205C4HB9V-1 ~]# yum upgrade

Then I installed some packages I often use:

[root@V100205C4HB9V-1 ~]# yum install htop screen vim-enhanced

The VPS already had a web stack installed; I just did some configuration:

Configuring Apache Virtual Hosts

[root@V100205C4HB9V-1 ~]# mkdir -p /var/www/vhosts/{site1,site2}
[root@V100205C4HB9V-1 ~]# vi /etc/httpd/conf/httpd.conf

Here I uncommented the following directive:

NameVirtualHost *:80

and added a default vhost and a new vhost:

<VirtualHost *:80>
    DocumentRoot /var/www/vhosts/default
    ServerName mygdon.site1.net
    <Directory /var/www/vhosts/default>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog logs/mygdon.site1.net-error_log
    CustomLog logs/mygdon.site1.net-access_log common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot /var/www/vhosts/site2
    ServerName appname.site2.net
    <Directory /var/www/vhosts/site2>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog logs/appname.site2.net-error_log
    CustomLog logs/appname.site2.net-access_log common
</VirtualHost>

then restarted the Apache server:

[root@V100205C4HB9V-1 ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting  httpd:                                            [  OK  ]

and I wrote a simple PHP file to test this out:

[root@V100205C4HB9V-1 ~]# echo '<? phpinfo(); ?>' > /var/www/vhosts/site1/index.php

And because I haven’t configured a DNS server, I just temporarily added the server to the hosts file on my local machine:

root@mini:/etc# echo '54.65.74.23 subdomain.site1.net' >> /etc/hosts

and here is the result:

[screenshot: testing-vhost]

Configuring Mysql

Once I had the virtual hosts configuration in place, I added a MySQL user and changed the default root password:

 

[root@V100205C4HB9V-1 vhosts]# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.0.77 Source distribution
 
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
 
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| test               |
+--------------------+
3 rows in set (0.00 sec)
 
mysql> UPDATE mysql.user SET Password=PASSWORD('pass-here') WHERE user='root';
Query OK, 3 rows affected (0.02 sec)
Rows matched: 3  Changed: 3  Warnings: 0
 
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)
 
mysql> CREATE USER 'ivan'@'localhost' IDENTIFIED BY 'pass-here';
Query OK, 0 rows affected (0.01 sec)
 
mysql> GRANT ALL PRIVILEGES ON *.* TO 'ivan'@'localhost' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
 
mysql> CREATE USER 'ivan'@'%' IDENTIFIED BY 'pass-here';
Query OK, 0 rows affected (0.00 sec)
 
mysql> GRANT ALL PRIVILEGES ON *.* TO 'ivan'@'%' WITH GRANT OPTION;
Query OK, 0 rows affected (0.00 sec)
 
mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)
 
mysql>

 

Now the server is ready for adding some virtual hosts. I just need to configure a DNS server and the mail server, but because the DNS is on another server and already working I just have to add a new zone; as for the mail server, this server will only be used to send emails, so I don’t need to dig into the postfix configuration files for now.

I’ll write another post regarding the security, but for now this will work.


Decrypting SourceCop php files

January 30th, 2010 Ivan Villareal 15 comments

Every once in a while I receive code that is encrypted using one of the many PHP encoders out there, so when I face this situation, and if the project is worth it, I start playing around with the encrypted files to see how the encoding algorithm works. So far I’ve been able to successfully decrypt files encoded with Zend and ionCube; I don’t remember the versions of the encoders, but I remember that the latter one took me some time, but I did it.

I must say that decoding files also becomes a personal challenge; it is like a hobby when I have the time to play with it.

Yesterday I received a couple of files encoded with an encoder unknown to me. It didn’t require any PHP modification or extension install, so I thought that it would be easy to break, because at some point the code must be evaluated. After I opened the zip file, I noticed a folder called “scopbin” that contained only one PHP file named “911006.php”; the two encoded files were including this file, so I assumed that this is where the decryption logic had to be.

I was exhausted by a long working day, and when I got these files and saw that they were encrypted I placed them on my laptop for later analysis. This analysis was done while I was waiting for the local news; I didn’t research the encoding or do anything that would give me some pointers, I just started playing around with the code to see how far I could get.

My objective this time was getting these files decrypted, not analysing the steps of the algorithm, so with this in mind, this is what I did:

This was the original “911006.php” file:

<?php ini_set('include_path',dirname(__FILE__));function A4540acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function b5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function c43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function Xdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){return $Xew6e79316561733d64abdf00f8e8ae48;}function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){$x0b43c25ccf2340e23492d4d3141479dc='';$x71510c08e23d2083eda280afa650b045=0;$x16754c94f2e48aae0d6f34280507be58=strlen($x897356954c2cd3d41b221e3f24f99bba);$x7a86c157ee9713c34fbd7a1ee40f0c5a=hexdec('&H'.substr($x276e79316561733d64abdf00f8e8ae48,0,2));for($x1b90e1035d4d268e0d8b1377f3dc85a2=2;$x1b90e1035d4d268e0d8b1377f3dc85a2<strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2+=2){$xe594cc261a3b25a9c99ec79da9c91ba5=hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));$x71510c08e23d2083eda280afa650b045=(($x71510c08e23d2083eda280afa650b045<$x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045 + 1:1);$xab6389e47b1edcf1a5267d9cfb513ce5=$xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045-1, 1));if($xab6389e47b1edcf1a5267d9cfb513ce5<=$x7a86c157ee9713c34fbd7a1ee40f0c5a)$xab6389e47b1edcf1a5267d9cfb513ce5=255+$xab6389e47b1edcf1a5267d9cfb513ce5-$x7a86c157ee9713c34fbd7a1ee40f0c5a;else 
$xab6389e47b1edcf1a5267d9cfb513ce5=$xab6389e47b1edcf1a5267d9cfb513ce5-$x7a86c157ee9713c34fbd7a1ee40f0c5a;$x0b43c25ccf2340e23492d4d3141479dc=$x0b43c25ccf2340e23492d4d3141479dc.chr($xab6389e47b1edcf1a5267d9cfb513ce5);$x7a86c157ee9713c34fbd7a1ee40f0c5a=$xe594cc261a3b25a9c99ec79da9c91ba5;} return $x0b43c25ccf2340e23492d4d3141479dc;}function f5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function j43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function hdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function tr5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function f0666f0acdeed38d4cd9084ade1739498($x) { return implode('',file($x));} function g0666f0acdeed38d4cd9084ade1739498($s){return (strstr($s,'echo')==false?(strstr($s,'print')==false)?(strstr($s,'sprint')==false)?(strstr($s,'sprintf')==false)?false:exit():exit():exit():exit());}function hyr3dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function 
uygf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function drfg34f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function jhkgvdsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;}function yrdhhdacdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba,$x276e79316561733d64abdf00f8e8ae48){if(file_exists($x456e79316561733d64abdf00f8e8ae48)){unlink($x456e79316561733d64abdf00f8e8ae48);};return $Xew6e79316561733d64abdf00f8e8ae48;} ini_set('include_path','.');?>

I’ve used a code formatter to make the code more readable:

ivan@mini:/var/www/copdecrypt/scopbin$ phpCB --space-after-if  \
--space-after-switch                                           \
--space-after-while                                            \
--space-before-srt-angle-bracket                               \
--space-after-end-angle-bracket                                \
--glue-amperscore                                              \
--change-shell-comment-to-double-slashes-comment               \
--force-large-php-code-tag                                     \
--force-true-false-null-contant-lowercase                      \
--align-equal-statements                                       \
--comment-rendering-style PEAR                                 \
--equal-align-position 50                                      \
--padding-char-count 4                                         \
911006.php

And this was the result:

<?php
ini_set('include_path', dirname(__FILE__));
function A4540acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function b5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function c43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function Xdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    $x0b43c25ccf2340e23492d4d3141479dc = '';
    $x71510c08e23d2083eda280afa650b045 = 0;
    $x16754c94f2e48aae0d6f34280507be58 = strlen($x897356954c2cd3d41b221e3f24f99bba);
    $x7a86c157ee9713c34fbd7a1ee40f0c5a = hexdec('&H' . substr($x276e79316561733d64abdf00f8e8ae48, 0, 2));
    for($x1b90e1035d4d268e0d8b1377f3dc85a2 = 2;$x1b90e1035d4d268e0d8b1377f3dc85a2 < strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2 += 2) {
        $xe594cc261a3b25a9c99ec79da9c91ba5 = hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));
        $x71510c08e23d2083eda280afa650b045 = (($x71510c08e23d2083eda280afa650b045 < $x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045 + 1:1);
        $xab6389e47b1edcf1a5267d9cfb513ce5 = $xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045-1, 1));
        if ($xab6389e47b1edcf1a5267d9cfb513ce5 <= $x7a86c157ee9713c34fbd7a1ee40f0c5a)$xab6389e47b1edcf1a5267d9cfb513ce5 = 255 + $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
        else $xab6389e47b1edcf1a5267d9cfb513ce5 = $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
        $x0b43c25ccf2340e23492d4d3141479dc = $x0b43c25ccf2340e23492d4d3141479dc . chr($xab6389e47b1edcf1a5267d9cfb513ce5);
        $x7a86c157ee9713c34fbd7a1ee40f0c5a = $xe594cc261a3b25a9c99ec79da9c91ba5;
    } 
    return $x0b43c25ccf2340e23492d4d3141479dc;
} 
function f5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function j43dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function hdsf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function tr5434f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function f0666f0acdeed38d4cd9084ade1739498($x) {
    return implode('', file($x));
} 
function g0666f0acdeed38d4cd9084ade1739498($s) {
    return (strstr($s, 'echo') == false?(strstr($s, 'print') == false)?(strstr($s, 'sprint') == false)?(strstr($s, 'sprintf') == false)?false:exit():exit():exit():exit());
} 
function hyr3dsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function uygf0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function drfg34f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function jhkgvdsd0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
function yrdhhdacdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
    if (file_exists($x456e79316561733d64abdf00f8e8ae48)) {
        unlink($x456e79316561733d64abdf00f8e8ae48);
    } ;
    return $Xew6e79316561733d64abdf00f8e8ae48;
} 
ini_set('include_path', '.');
 

After a quick review of this file, I saw that it had several functions with the same logic: return an unknown variable, or delete the file that this unknown variable names. Apart from all these “useless” functions, I quickly found what appeared to be the decryption function, the one named y0666f0acdeed38d4cd9084ade1739498. With this information I headed to check one of the encrypted files, and this is how it looked:

<?php if(!function_exists('findsysfolder')){function findsysfolder($fld){$fld1=dirname($fld);$fld=$fld1.'/scopbin';clearstatcache();if(!is_dir($fld))return findsysfolder($fld1);else return $fld;}}require_once(findsysfolder(__FILE__).'/911006.php');$REXISTHECAT4FBI='FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26';g0666f0acdeed38d4cd9084ade1739498(f0666f0acdeed38d4cd9084ade1739498(__FILE__));$REXISTHEDOG4FBI='9CEF6BE117B329ADFC4560538EBF16BB6DAD1748FE354E8EDA7AABFA376EB6938496F43560E4123D85D272E342E363FD51F3181763A3F623 660B6E2369243EE5781CD76A133E272E37DACA198968397F150425B4326A126CD64F051F35287DE7BD3 5354276B880BDEF525247533610 64282D07BA63861F81DB715C115BC1BD57FC5D9C8 225D2 A F177EDC7EA026A7E74D37AC28A125D1B8F73B63C6D1C3A1E137639BEECEDACFDBBD9F8D948CE93D6FCDCDD8CCA98B36AA21A08B8BD87FD8 15143C2C2D37593B82857516FC9ABF9237BDEC9DBB9F92F7BDEB8EE3B6AEA153C9DF3 A2CAE2CD218B1E566C0D274D6 F32DC2A E20 512 062A2F72C 96FB9ED3B6FC9ABF927A34985CAB5D3 65D89B315B3E61076D8 E4488B2127FCEF82C78DDBBED3A6FBB7FCEEACEE04453412363B6E246F05086C7 52E C408CC263E078A53461E0 331B71EB81DC475DB6CAC9531914393D4 22AC9C3D7CE7194438AD638 03D6FCDCDD8CCA98F99211B1177D5C7DEC6A3F427 5 510 461C7D1C51AB492F850FA56FE445EC0154885BDACDC 819BD76A72A419A4D859CFE5A5268CDABFD2A7FAB8DEF227BA3869183E12277A386E03763B6E241F75282CDBFCA187ECE74D7 D1D4881D3C7432177D4 E3F83DA54417EAA8FE93C68BDE94C2E7CA5FD5B4C5E3C9993A98CEA3D69BCE84F2D989C9EEECFDDBFFF15 164C2D471D3 228D3 51CBA75D4 A3C85C1 4618EC5 E6BE91FCD F4D87BE F 56BFB5BFE2A3EA923BDDDBB9D26BE13CD 41F6E584D593C1A C18 D19D29D958C94F12577D5D5C0D4B19781958094F21EB6EF20CC77D87CD0CDC57FA13D8484F61076D47ED5 366F521A6FA2FEFBAF22772A680E23168B0958290F23366B297F12470A5F1543664EF6DA42DAD5E5EB718C569EA2C5F8AE81BBF16BE489E3EE13D7FBD98FE297DA8FC5B396BB2EA4E594B2969D3C7689230A1F4441763B1E83114 31173B3E6331670A6F22672D4B6E43C64C1D6C475FA5AFB2BDF36A83F9F55F8 62A C69BEEC4F4F5A4E2B D1B F1A E68CAD86F44 B1C E6CACF92E 
B6DDCDDD26437 3';$REXISTHECAT4FBI='94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6'; eval(y0666f0acdeed38d4cd9084ade1739498('4EF6454FB298E72B 5',$REXISTHEDOG4FBI));?>

Again I used the code beautifier to make this file more readable:

ivan@mini:/var/www/copdecrypt$ phpCB --space-after-if  \
--space-after-switch                                           \
--space-after-while                                            \
--space-before-srt-angle-bracket                               \
--space-after-end-angle-bracket                                \
--glue-amperscore                                              \
--change-shell-comment-to-double-slashes-comment               \
--force-large-php-code-tag                                     \
--force-true-false-null-contant-lowercase                      \
--align-equal-statements                                       \
--comment-rendering-style PEAR                                 \
--equal-align-position 50                                      \
--padding-char-count 4                                         \
test.php

And this was the result:

<?php if (!function_exists('findsysfolder')) {
    function findsysfolder($fld) {
        $fld1 = dirname($fld);
        $fld = $fld1 . '/scopbin';
        clearstatcache();
        if (!is_dir($fld))return findsysfolder($fld1);
        else return $fld;
    } 
} 
require_once(findsysfolder(__FILE__) . '/911006.php');
$REXISTHECAT4FBI = 'FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26';
g0666f0acdeed38d4cd9084ade1739498(f0666f0acdeed38d4cd9084ade1739498(__FILE__));
$REXISTHEDOG4FBI = '9CEF6BE117B329ADFC4560538EBF16BB6DAD1748FE354E8EDA7AABFA376EB6938496F43560E4123D85D272E342E363FD51F3181763A3F623 660B6E2369243EE5781CD76A133E272E37DACA198968397F150425B4326A126CD64F051F35287DE7BD3 5354276B880BDEF525247533610 64282D07BA63861F81DB715C115BC1BD57FC5D9C8 225D2 A F177EDC7EA026A7E74D37AC28A125D1B8F73B63C6D1C3A1E137639BEECEDACFDBBD9F8D948CE93D6FCDCDD8CCA98B36AA21A08B8BD87FD8 15143C2C2D37593B82857516FC9ABF9237BDEC9DBB9F92F7BDEB8EE3B6AEA153C9DF3 A2CAE2CD218B1E566C0D274D6 F32DC2A E20 512 062A2F72C 96FB9ED3B6FC9ABF927A34985CAB5D3 65D89B315B3E61076D8 E4488B2127FCEF82C78DDBBED3A6FBB7FCEEACEE04453412363B6E246F05086C7 52E C408CC263E078A53461E0 331B71EB81DC475DB6CAC9531914393D4 22AC9C3D7CE7194438AD638 03D6FCDCDD8CCA98F99211B1177D5C7DEC6A3F427 5 510 461C7D1C51AB492F850FA56FE445EC0154885BDACDC 819BD76A72A419A4D859CFE5A5268CDABFD2A7FAB8DEF227BA3869183E12277A386E03763B6E241F75282CDBFCA187ECE74D7 D1D4881D3C7432177D4 E3F83DA54417EAA8FE93C68BDE94C2E7CA5FD5B4C5E3C9993A98CEA3D69BCE84F2D989C9EEECFDDBFFF15 164C2D471D3 228D3 51CBA75D4 A3C85C1 4618EC5 E6BE91FCD F4D87BE F 56BFB5BFE2A3EA923BDDDBB9D26BE13CD 41F6E584D593C1A C18 D19D29D958C94F12577D5D5C0D4B19781958094F21EB6EF20CC77D87CD0CDC57FA13D8484F61076D47ED5 366F521A6FA2FEFBAF22772A680E23168B0958290F23366B297F12470A5F1543664EF6DA42DAD5E5EB718C569EA2C5F8AE81BBF16BE489E3EE13D7FBD98FE297DA8FC5B396BB2EA4E594B2969D3C7689230A1F4441763B1E83114 31173B3E6331670A6F22672D4B6E43C64C1D6C475FA5AFB2BDF36A83F9F55F8 62A C69BEEC4F4F5A4E2B D1B F1A E68CAD86F44 B1C E6CACF92E B6DDCDDD26437 3';
$REXISTHECAT4FBI = '94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6';
eval(y0666f0acdeed38d4cd9084ade1739498('4EF6454FB298E72B 5', $REXISTHEDOG4FBI));

So what we have here is more obfuscated code, but a simple to understand, we have 2 variables and 3 functions, the variable that has the encrypted code should be the larger one so I'm assuming that is the "$REXISTHEDOG4FBI" variable, the other one apparently isn't used, so what I did at this point was to print the results of the evaluated function which corresponds to the function where the decrypt logic is (deofuscated):
function decrypt($key, $program) {   // deobfuscated y0666f0acdeed38d4cd9084ade1739498()
    $result    = '';
    $position  = 0;
    $keyLength = strlen($key);
    // the first hex pair is only a seed; hexdec() ignores the '&H' prefix
    // (PHP 7.4+ emits a deprecation notice for it but returns the same value)
    $decValue  = hexdec('&H' . substr($program, 0, 2));

    for ($i = 2; $i < strlen($program); $i += 2) {
        $decProgram = hexdec(trim(substr($program, $i, 2)));            // next ciphertext byte
        $position   = ($position < $keyLength) ? $position + 1 : 1;     // cycle through the key
        $ascii      = $decProgram ^ ord(substr($key, $position - 1, 1)); // XOR with the key byte

        // subtract the previous ciphertext byte, wrapping around 255
        if ($ascii <= $decValue) $ascii = 255 + $ascii - $decValue;
        else $ascii = $ascii - $decValue;

        $result   .= chr($ascii);
        $decValue  = $decProgram;
    }
    return $result;
}

Unfortunately, printing the result didn't work, so I reviewed why, and found that the other two functions were the problem. Let me explain what happens: first a call is made to
function f0666f0acdeed38d4cd9084ade1739498($x) {
    // $x is the path of the running script; returns its complete contents
    return implode('', file($x));
}

This function receives the name of the executing file (test.php in my case), reads its content into an array of lines and glues them back together into a single string. Note that file() keeps the trailing newline on each line, so the result is the file verbatim, exactly what file_get_contents() would return. This string is then passed to the following function:

function g0666f0acdeed38d4cd9084ade1739498($s) {
 
    return (strstr($s, 'echo') == false ? (strstr($s, 'print') == false) ? (strstr($s, 'sprint') == false) ? (strstr($s, 'sprintf') == false) ? false : exit() : exit() : exit() : exit());
 
} 

which is a series of nested ternary conditions looking for the words "echo", "print", "sprint" and "sprintf". If any of these words appears anywhere in the file's own source (a comment or a string literal counts, and since "print" is a substring of "sprint" and "sprintf" the last two checks are redundant), the script simply exits. That's why I was unable to print the decrypted code after calling the decoding function: simply avoiding the call to this function fixes the issue and gets me the decrypted code.
However, I didn't want to modify the original encrypted files, so the second approach I took was modifying the decryption function and echoing the output from there. I added a couple of lines (15 and 16) to the "y0666f0acdeed38d4cd9084ade1739498" function:

01 function y0666f0acdeed38d4cd9084ade1739498($x897356954c2cd3d41b221e3f24f99bba, $x276e79316561733d64abdf00f8e8ae48) {
02     $x0b43c25ccf2340e23492d4d3141479dc = '';
03     $x71510c08e23d2083eda280afa650b045 = 0;
04     $x16754c94f2e48aae0d6f34280507be58 = strlen($x897356954c2cd3d41b221e3f24f99bba);
05     $x7a86c157ee9713c34fbd7a1ee40f0c5a = hexdec('&H' . substr($x276e79316561733d64abdf00f8e8ae48, 0, 2));
06     for($x1b90e1035d4d268e0d8b1377f3dc85a2 = 2;$x1b90e1035d4d268e0d8b1377f3dc85a2 < strlen($x276e79316561733d64abdf00f8e8ae48);$x1b90e1035d4d268e0d8b1377f3dc85a2 += 2) {
07         $xe594cc261a3b25a9c99ec79da9c91ba5 = hexdec(trim(substr($x276e79316561733d64abdf00f8e8ae48, $x1b90e1035d4d268e0d8b1377f3dc85a2, 2)));
08         $x71510c08e23d2083eda280afa650b045 = (($x71510c08e23d2083eda280afa650b045 < $x16754c94f2e48aae0d6f34280507be58)?$x71510c08e23d2083eda280afa650b045 + 1:1);
09         $xab6389e47b1edcf1a5267d9cfb513ce5 = $xe594cc261a3b25a9c99ec79da9c91ba5 ^ ord(substr($x897356954c2cd3d41b221e3f24f99bba, $x71510c08e23d2083eda280afa650b045-1, 1));
10         if ($xab6389e47b1edcf1a5267d9cfb513ce5 <= $x7a86c157ee9713c34fbd7a1ee40f0c5a)$xab6389e47b1edcf1a5267d9cfb513ce5 = 255 + $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
11         else $xab6389e47b1edcf1a5267d9cfb513ce5 = $xab6389e47b1edcf1a5267d9cfb513ce5 - $x7a86c157ee9713c34fbd7a1ee40f0c5a;
12         $x0b43c25ccf2340e23492d4d3141479dc = $x0b43c25ccf2340e23492d4d3141479dc . chr($xab6389e47b1edcf1a5267d9cfb513ce5);
13         $x7a86c157ee9713c34fbd7a1ee40f0c5a = $xe594cc261a3b25a9c99ec79da9c91ba5;
14     }
15     echo $x0b43c25ccf2340e23492d4d3141479dc;
16     die();
17     return $x0b43c25ccf2340e23492d4d3141479dc;
18 }

And voilà, I was able to see the source code :D. Here is a screenshot of the decrypted source:

[Screenshot: Source Cop Decrypted]

So in short: print the output of the decrypt function and kill the script to get the decrypted code. I don't know whether there are other versions of the "911006.php" file, but I guess the same logic applies.
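The same recovery done statically, as an added example that is not part of the original post: a Python port of the decrypt routine, plus a small extractor that pulls the key and the hex blob out of the loader with a regular expression, so the obfuscated file is never executed and its echo/print kill switch never runs. The encoder, the sample loader text and the regex layout are my own constructions (the page only shows the decoder); php_hexdec() mimics PHP's hexdec(), which ignores non-hex characters such as the stray spaces in these strings (PHP 7.4 and later emit a deprecation notice for them but still return the same value).

```python
"""Static decoder for the obfuscation scheme discussed above (added example)."""
import re

HEX_CHARS = set("0123456789abcdefABCDEF")


def php_hexdec(s: str) -> int:
    """Mimic PHP's hexdec(): characters that are not hex digits are ignored.

    The original decoder feeds each raw 2-character chunk through hexdec(),
    so a chunk like "B " or " 5" still yields a value instead of an error.
    """
    digits = "".join(ch for ch in s if ch in HEX_CHARS)
    return int(digits, 16) if digits else 0


def decode(program: str, key: str) -> bytes:
    """Port of y0666...: XOR each ciphertext byte with the cycling key byte,
    then subtract the previous ciphertext byte, wrapping around 255."""
    out = []
    prev = php_hexdec(program[0:2])            # first pair is only a seed
    for i in range(2, len(program), 2):
        c = php_hexdec(program[i:i + 2])
        k = ord(key[((i - 2) // 2) % len(key)])  # position cycles 1..len(key)
        x = c ^ k
        out.append(255 + x - prev if x <= prev else x - prev)
        prev = c
    return bytes(out)                          # PHP chr() yields raw bytes


def encode(plaintext: bytes, key: str, seed: int = 0x9C) -> str:
    """Inverse of decode(), constructed here for round-trip testing; the page
    only shows the decoder. The decoder never emits a byte from a 0 input,
    so NUL bytes cannot be represented by this scheme."""
    hexpairs = [f"{seed:02X}"]
    prev = seed
    for j, p in enumerate(plaintext):
        if p == 0:
            raise ValueError("NUL bytes cannot be encoded by this scheme")
        x = (p + prev - 1) % 255 + 1           # undo the wrap-around subtraction
        c = x ^ ord(key[j % len(key)])
        hexpairs.append(f"{c:02X}")
        prev = c
    return "".join(hexpairs)


# Assumed loader layout (as shown on the page): string assignments, then
# eval(<decoder>('<key>', $<var>)).
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'\s*;")
EVAL_RE = re.compile(r"eval\(\s*(\w+)\(\s*'([^']*)'\s*,\s*\$(\w+)\s*\)\s*\)")


def extract_payload(php_source: str):
    """Return (key, hex_program) from the loader text without executing it."""
    m = EVAL_RE.search(php_source)
    if not m:
        return None
    key, var = m.group(2), m.group(3)
    strings = dict(ASSIGN_RE.findall(php_source))
    return (key, strings[var]) if var in strings else None


def kill_switch_words(php_source: str) -> list:
    """The g0666... check: any of these words in the file's own text makes it
    exit. 'print' already matches 'sprint'/'sprintf', so those are redundant."""
    return [w for w in ("echo", "print", "sprint", "sprintf") if w in php_source]


def recover(php_source: str) -> bytes:
    found = extract_payload(php_source)
    if found is None:
        raise ValueError("loader layout not recognised")
    key, program = found
    return decode(program, key)


# Constructed sample loader (not the file from the page): the blob is built
# from a known plaintext so the whole pipeline can be checked end to end.
SAMPLE_KEY = "4EF6454FB298E72B 5"
SAMPLE_PLAINTEXT = b'$secret = "hello"; echo $secret;'
SAMPLE_LOADER = (
    "<?php\n"
    f"$REXISTHEDOG4FBI = '{encode(SAMPLE_PLAINTEXT, SAMPLE_KEY)}';\n"
    "$REXISTHECAT4FBI = '94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6';\n"
    f"eval(y0666f0acdeed38d4cd9084ade1739498('{SAMPLE_KEY}', $REXISTHEDOG4FBI));\n"
)

if __name__ == "__main__":
    print(recover(SAMPLE_LOADER).decode("latin-1"))
```

Running the file prints the sample plaintext. Feeding the real loader's text to recover() works the same way, and because nothing is eval()'d, the file's own "echo"/"print" check is never consulted and the original file stays unmodified.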

Please remember that this isn't a how-to, it is just my experience dealing with these files; also, don't use any of this information for illegal purposes.

Categories: PHP Tags: , , , , ,

Ubuntu 9.10 on an hp mini 110-1125nr

January 26th, 2010 Ivan Villareal No comments

I got this new mini 110; it came with Windows 7 Starter, and after a day of using it I was very frustrated because it was very limiting: for example, I was unable to change my desktop background, the network management is confusing and frustrating, and it had a lot of crapware, except for the hp games, some of which are fun.

Anyway, right now I don't have time to spend getting a new OS onto this machine; I just want something that works. I don't plan on using this for work, but I would like to have some of the tools I use on it.

So my options were trying Ubuntu Remix or Windows XP. After checking that hp had the drivers for XP, I was going to change Windows 7 to XP, but I was reading how to create a USB boot drive, and it was too much hassle for me (I'm very lazy about any Microsoft stuff).

My next option was Ubuntu Remix. I'm not a big fan of Ubuntu, but I wanted something that just worked out of the box. Also, this little netbook comes with Splashtop, a really nice feature for checking stuff online fast, and I didn't want to lose it, so I really didn't know how well this was going to work.

I started downloading Ubuntu 9.10 Karmic last night, just in case. Today, after more frustrating things, I decided to give Karmic a try.

I grabbed my USB pen drive, a 1 GB Kingston traveler, mounted the ISO and ran usbinst.exe; it was pretty straightforward. My only advice would be to avoid reserving space for your documents on the USB: on my first try I set this to 30 MB and the boot failed, so I chose the do-not-save option.

It took about 40 minutes to finish copying the files. After it was done, I restarted the netbook with the pen drive connected, and at the first boot screen I pressed the F9 key for boot options, selected the pen drive, and that was it.

After testing Ubuntu from the pen drive, it ran pretty well and everything but the wifi worked. I did an installation, keeping the Windows partition and the hp restore partition, just in case.

The installation was pretty smooth, no issues at all. After the first boot I just installed the Broadcom drivers, which was pretty easy with the driver manager in Ubuntu, and the wifi was working.

Update: My hp mini was stolen by a couple of elderly people (I saw the video :( ), so I'm unable to play more with this, but during the time I had it I was very happy with it; it performed well.

Categories: Hardware, Linux Tags: , ,