0

I obfuscated a code with this (I got it from another SO question) via CLI

<?php
$infile=$_SERVER['argv'][1];
$outfile=$_SERVER['argv'][2];
if (!$infile || !$outfile) {
    die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
$data="ob_end_clean();?>";
$data.=php_strip_whitespace($infile);
// compress data
$data=gzcompress($data,9);
// encode in base64
$data=base64_encode($data);
// generate output text
$out='<?ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile,$out);

The obfuscated code is this

<?php ob_start();$a='eNq1UtFq2zAUfS/0Hy4mUItkrVdIHuaqobCUwdKnPpUxjC1fx6KaZCR5JZTt2ycpspMm3d72Zt97zrnnHl1VFSjrggksZUry5e3Nsmu78zPUWulCY6e05XKT/l4Vd+s1yWGCkn3FLdDrzP0ILhEoNFxgsUFbMCUtSmvSxKl8urrisuttEml629mVLCvhKaavjNVpUJhls49kr/am5Ru8Sd/yKU2eEvI6MmpkoVs4nncb6iT/BZNWGet3OJ24CCMrVW8/l7Y87i8ODF1c5DuhA9Cg64TmmYceDRn7c7dbAHBjkPUa3wMtsnHPATauGAcnxggXaHIZCjm43Rqjnn34RrFn1aFM3fI/dqoEZsCl/VmKWPRjCNnNuL9bP66A0qhA4BVZqyB5UJULrwRu4AtqTHLQaHstwQXZvGhuMQ2M2UFs+9VdStHr8OXrFPzfAA9RvrTuWiAdb0djWQ/C1/Msy4hz9Lc3h2A1No6eG1AY3AFCxYfUMKFM9O0QTS+Z5UqeKIRD9XM3QlWlGM483gBNXBiNck/GaZZP+I2jCRd4pLnKdDqe4yUF1upU6Tr2v034dzKNisS7irnuXQ62Tg75v/v68C9fy9vzsz+nc1ZO';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>

I ran the code on CLI it responded appropriately, but in my browsers it didn't echo anything, just blank. Both are PHP 5.3.0 from WAMP. Why is it not echoing anything on web?

I also ran it on ideone http://ideone.com/o6PAw and it works properly. What could be the problem?

Community
  • 1
  • 1
Mob
  • 10,958
  • 6
  • 41
  • 58
  • Perhaps your CLI php configuration does not have output buffering enabled? – Frank Farmer Oct 07 '11 at 21:19
  • Have you checked for any PHP errors? That's usually the cause of a blank page being echoed. Turn on `error_reporting`, and look for any possible errors. – Kevin Ji Oct 07 '11 at 21:19
  • Is error reporting turned on? – Pekka Oct 07 '11 at 21:20
  • 2
    You are aware that this kind of obfuscation is 100% reversible and thus pretty much worthless? If you want to properly obfuscate your code, you need to screw up variable names and such – Pekka Oct 07 '11 at 21:20
  • @Pekka I'm not obfuscating it security wise. Its just a random thing I'm doing, not for production. – Mob Oct 07 '11 at 21:24
  • @Pekka @mc10 Error Reporting is turned I did `error_reporting(E_ALL);` and still nothing is being echoed – Mob Oct 07 '11 at 21:26
  • What happens if you remove all `ob_*` function calls, and leave only the variable assignment and the eval? – Frank Farmer Oct 07 '11 at 21:28
  • @FrankFarmer It worked. I removed the `ob` calls and it works well. Answer so I can accept, but do you have any reason why it should work without the `ob` function calls? – Mob Oct 07 '11 at 21:36

1 Answers1

1

The reason it doesn't output anything is that you capture all the output into $v and then do nothing with it.

I'm not sure why it would work from the CLI, though, because it certainly shouldn't. Perhaps, as Frank Farmer suggests, your PHP CLI doesn't have output buffering enabled, and so all the ob_*() calls are failing silently.

Ilmari Karonen
  • 49,047
  • 9
  • 93
  • 153