Ioncube


Post by splitice » Tue Jun 02, 2009 9:18:56 am

Ok, after a bit of crawling I don't have much of a lead on the developer of a partially finished ioncube decoder. I found this forum as the download was hosted on http://winsupport.co.cc/downloads/Other/tmp/, which has you as the title.

Anyway I was wondering if someone here developed "Ironcube_Decoder_alpha03". Hope I've found the right place, as I need assistance with some of the final steps in finishing my decryptor.

Thanks,
SplitIce

Re: Ioncube

Post by Hazar » Fri Jun 12, 2009 9:14:07 am

I'm not entirely sure, but your best bet would probably be to contact cw2k via email (CW2K[at]gmx[dot]de) or send him a private message, and he will most certainly help you out.
Hazar - AntiWPA Forum Moderator & Developer

Re: Ioncube

Post by splitice » Sat Jun 27, 2009 3:08:26 am

Thanks, contacted him today. Hopefully he will grant some insight into my problems. :D

Re: Ioncube

Post by cw2k » Fri Oct 23, 2009 5:52:50 am

I'd like to make a new homepage and upload it there - however, until that happens, why not post it here in the meanwhile -
maybe one or another who really looked for it might discover it here.

:D

And so far only half the way of the decompiler is done - still an 'alpha-version' that is only meant to run under the development IDE with source code - you can fix bugs and make improvements and additions.

Forum
http://www.wjunction.com/showthread.php?t=15443

Online Version(Php)
http://decod.in
(http://thewarezscene.org/ioncube)

Re: Ioncube

Post by sumsebum » Mon Nov 16, 2009 2:54:43 pm

I installed the php script today at my space. First of all I got "500 internal Failjure" ...

Then I fixed some permissions on some files

and then I got it running.

Then I had to fix this

Code: Select all
Warning: file(C:\Users\SplitIce\Documents\htdocs\ioncube\ioncude_Known_php_functions_list.txt) [function.file]: failed to open stream: No such file or directory in /var/www/..../htdocs/decoder/includes/decrypt/ioncube.php on line 619


Just set the full path to ioncude_Known_php_functions_list.txt at line 619 .... and then you will see some functions ... with a lot of DEBUG code.

At the end of the output you will get a .bin file. What happens with this?

Re: Ioncube

Post by cw2k » Tue Nov 17, 2009 7:17:22 am

Another update - the IC-Loader now also reads php5 files - however in a php5 file with many functions / classes it may still 'run out of sync' and get stuck - however I'm still about to elaborate the code so that it reads the data just like the original - the Ioncube-dll.

To run the *.vbp you need to have VB6 installed - or just use this:
http://free.pages.at/mytools/Visual_Bas ... rtable.zip

If the program stops at a runtime error, right-click on the source code window and choose 'toggle/Break on Unhandled Error'.

Re: Ioncube

Post by sumsebum » Wed Nov 18, 2009 10:13:07 pm

Anyone knows this Problem, after clicking .exe File?

Re: Ioncube

Post by cw2k » Thu Nov 19, 2009 10:42:13 pm

Ya I know about this error - that's what I wrote
cw2k wrote:... To run the *.vbp you need to have VB6 installed
It's some issue related to that deflate ocx I use. It's some initialisation problem that happens before any 'written' VB code is executed. However I haven't put much effort into fixing it since in the current state a 'standalone' exe is of no big use.

[Hmm anyway I'll remove the *.exe from the package until I've fixed that problem - since it's useless and misleading.]

Re: Ioncube

Post by sumsebum » Sun Nov 22, 2009 6:54:43 pm

Hm, I've installed the vb6 runtime, but how to use it? Error is still the same ...

Next I tried it with your vb6 portable. I opened the vb file but nothing happened, then I pressed the "Play" button and a new window came up, but what to do with this ....?

I want to understand this, so plz explain shortly ...

Re: Ioncube

Post by DaRkLiFe » Mon Nov 23, 2009 3:50:25 pm

cw2k bro any updates regarding the ioncube decoder with new functions and classes ?
will it support 5?

Re: Ioncube

Post by cw2k » Mon Nov 23, 2009 6:47:55 pm

In the current state the VB6-part is of no use for ppl who like to decompile some Ioncube encoded file.
(and the php-part is a little outdated)
If that is the input for the ioncube encoder
Code: Select all
<?
Line1:
Line2: $Result=3+7;
Line3: debug_print_backtrace();
Line4: $Result=3.5+0x12345678;
Line5: mysql_connect('localhost','df');
?>


You'll get that as output:
Code: Select all
=========> S t a g e  9  -  Interpreting IC_body/ByteCode

Command #0000: 0x01 (Encry: 0x25)   Flags: 0x07 LineNo(cmd): 0x0002
000002B9 -> Type1: 00000002->TMP_VAR 00000001   00000000   00 00 0000
000002B9 -> Type2: 00000001->CONST   00000003   00000006   01 01 0002
000002B9 -> Type4: 00000001->CONST   00000007   00000006   01 01 0002
______________________________________________________________________
Command #0001: 0x53 (Encry: 0x15)   Flags: 0x07 LineNo(cmd): 0x0002
000002B9 -> Type1: 00000004->VAR     00000000   00000000   00 00 0000
000002B9 -> Type2: 00000001->CONST   00000002   00000006   03 01 0002
000002B9 -> KeyWord: Result
000002B9 -> Type4: 00000008->UNUSED  00000001   00000000   00 00 0000
______________________________________________________________________
Command #0002: 0x26 (Encry: 0x2D)   Flags: 0x07 LineNo(cmd): 0x0002
000002B9 -> Type1: 00000004->VAR     00000002   00000001   00 00 0000
000002B9 -> Type2: 00000004->VAR     00000000   00000000   00 00 0000
000002B9 -> Type4: 00000002->TMP_VAR 00000001   00000000   00 00 0000
______________________________________________________________________
Command #0003: 0x3B (Encry: 0x20)   Flags: 0x04 LineNo(cmd): 0x0003
000002B9 -> Type4: 00000001->CONST   0000000A   00000015   03 01 0002
000002B9 -> KeyWord: debug_print_backtrace
______________________________________________________________________
Command #0004: 0x3D (Encry: 0x8D)   Flags: 0x03 LineNo(cmd): 0x0003
000002B9 -> Type1: 00000004->VAR     00000003   00000001   00 00 0000
000002B9 -> Type2: 00000001->CONST   00000020   00000015   03 01 0002
000002B9 -> KeyWord: debug_print_backtrace
______________________________________________________________________
Command #0005: 0x01 (Encry: 0x3A)   Flags: 0x07 LineNo(cmd): 0x0004
000002B9 -> Type1: 00000002->TMP_VAR 00000005   00000000   00 00 0000
000002B9 -> Type2: 00000001->CONST   00000000   400C0000   02 01 0002
000002B9 -> Type4: 00000001->CONST   12345678   400C0000   01 01 0002
______________________________________________________________________
Command #0006: 0x53 (Encry: 0xD4)   Flags: 0x07 LineNo(cmd): 0x0004
000002B9 -> Type1: 00000004->VAR     00000004   00000000   00 00 0000
000002B9 -> Type2: 00000001->CONST   00000036   00000006   03 01 0002
000002B9 -> KeyWord: Result
000002B9 -> Type4: 00000008->UNUSED  00000001   00000000   00 00 0000
______________________________________________________________________
Command #0007: 0x26 (Encry: 0xD7)   Flags: 0x07 LineNo(cmd): 0x0004
000002B9 -> Type1: 00000004->VAR     00000006   00000001   00 00 0000
000002B9 -> Type2: 00000004->VAR     00000004   00000000   00 00 0000
000002B9 -> Type4: 00000002->TMP_VAR 00000005   00000000   00 00 0000
______________________________________________________________________
Command #0008: 0x3B (Encry: 0x6B)   Flags: 0x04 LineNo(cmd): 0x0005
000002B9 -> Type4: 00000001->CONST   FFFFFECE   0000000D   03 01 0002
000002B9 -> KeyWord: mysql_connect
______________________________________________________________________
Command #0009: 0x41 (Encry: 0x0A)   Flags: 0x1E LineNo(cmd): 0x0005
000002B9 -> Type2: 00000001->CONST   0000003E   00000009   03 01 0002
000002B9 -> KeyWord: localhost
000002B9 -> Type4: 00000008->UNUSED  00000001   00000000   00 00 0000
CmdAdd: 003D
______________________________________________________________________
Command #000A: 0x41 (Encry: 0x9F)   Flags: 0x1E LineNo(cmd): 0x0005
000002B9 -> Type2: 00000001->CONST   00000048   00000002   03 01 0002
000002B9 -> KeyWord: df
000002B9 -> Type4: 00000008->UNUSED  00000002   00000000   00 00 0000
CmdAdd: 003D
______________________________________________________________________
Command #000B: 0x3D (Encry: 0xBE)   Flags: 0x1B LineNo(cmd): 0x0005
000002B9 -> Type1: 00000004->VAR     00000007   00000001   00 00 0000
000002B9 -> Type2: 00000001->CONST   FFFFFECE   0000000D   03 01 0002
000002B9 -> KeyWord: mysql_connect
CmdAdd: 0002
______________________________________________________________________
Command #000C: 0x3E (Encry: 0xF0)   Flags: 0x02 LineNo(cmd): 0x0006
000002B9 -> Type2: 00000001->CONST   00000001   00000038   01 01 0002
[ZEND_RETURN]
______________________________________________________________________
FunctionsCount: 0000
Classes: 0000
File sucessfully processed!

That raw data contains all information that is needed to reconstruct the php-source code. However it's no php code yet. Well, splitice is working on the part that transforms that raw data into php-code and he's nearly finished with implementing nearly all of the ~100 php opcodes (commands).

Re: Ioncube

Post by DaRkLiFe » Tue Nov 24, 2009 5:08:18 pm

well that's amazing news ! hope to see it on fast ! :D

Re: Ioncube

Post by cw2k » Wed Dec 02, 2009 9:32:53 am

Fixed that 0x80004005 Error when you compile that project to an exe.

The reason for that error is a bug in ZlibTool.ocx.
In detail it's the call CreateWindowEx(...Class = "msctls_progress32"...) that fails with invalid INVALID_WNDCLASS.

ZlibTool uses a progressbar control to show its status - but a progressbar is no standard windows control like for example a label or editbox and so you have to call comctl32.dll!InitCommonControls() before these WindowsClasses become available.

In the VB6-IDE that bug doesn't show any effects because there the file is executed in the context of vb6.exe - which has already done the call to InitCommonControls some time before, since it itself makes use of commonControls.

Adding that code to a form that uses ZlibTool will fix the problem
Code: Select all
Private Declare Sub InitCommonControls Lib "comctl32.dll" ()
Private Sub Form_Initialize()
   InitCommonControls
End Sub


-> Of course it will be much better to add InitCommonControls to the ZlibTool C-Code - but I currently don't have visual studio installed.


Finally I set up a small site:

http://decube.tk/

http://decod.in/cw2k/

...and DL for the 'guests' (24. jan 2010)
http://www.sendspace.com/file/g3vf0l
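
The initialisation order described in the post above, as an added example that is not part of the original post or of the decoder project: it registers the progress bar class from `Sub Main` before any form or OCX is loaded, using `InitCommonControlsEx` so the result can be checked, with a fallback to the `InitCommonControls` call shown in the post. The module name, `EnsureProgressBarClass` and `frmMain` are hypothetical.

```vb
' modCommonControls.bas (hypothetical module name; added example)
' Set the project's Startup Object to "Sub Main" so this runs before any
' form, and therefore before any OCX that creates a progress bar, is loaded.
Option Explicit

Private Type INITCOMMONCONTROLSEX_TYPE
    dwSize As Long   ' size of this structure in bytes
    dwICC As Long    ' which control classes to register
End Type

Private Const ICC_PROGRESS_CLASS As Long = &H20   ' registers "msctls_progress32"
Private Const ERR_NO_ENTRY_POINT As Long = 453    ' VB: "Can't find DLL entry point"

Private Declare Function InitCommonControlsEx Lib "comctl32.dll" _
    (ByRef icc As INITCOMMONCONTROLSEX_TYPE) As Long
Private Declare Sub InitCommonControls Lib "comctl32.dll" ()

' Returns True when comctl32 reports that the progress bar class is registered.
Public Function EnsureProgressBarClass() As Boolean
    Dim icc As INITCOMMONCONTROLSEX_TYPE

    icc.dwSize = LenB(icc)
    icc.dwICC = ICC_PROGRESS_CLASS

    On Error GoTo OldComctl32
    EnsureProgressBarClass = (InitCommonControlsEx(icc) <> 0)
    Exit Function

OldComctl32:
    ' Very old comctl32.dll versions export only InitCommonControls, which
    ' returns nothing, so success can only be assumed here.
    If Err.Number = ERR_NO_ENTRY_POINT Then
        Err.Clear
        InitCommonControls
        EnsureProgressBarClass = True
    Else
        Err.Raise Err.Number, Err.Source, Err.Description
    End If
End Function

Public Sub Main()
    If Not EnsureProgressBarClass() Then
        MsgBox "comctl32.dll could not register the progress bar class.", vbCritical
        Exit Sub
    End If
    frmMain.Show   ' frmMain: hypothetical form hosting the ZlibTool control
End Sub
```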

Re: Ioncube

Post by Mustang97 » Mon Dec 28, 2009 6:05:03 am

Firstly, I want to say great work here. So far this is the only decoder that I have messed with that actually works.. I am getting 90% of the file decoded but with a few lil problems here and there.

I get this on all files so far.


Code: Select all
24.24."components".96."com_jmrphpbb".168."helper.php"defined("_JEXEC");



If you need a copy of the file I am decoding let me know. Hope to see a fix for this. Again great job...

Mustang97

Re: Ioncube

Post by DaRkLiFe » Tue Jan 26, 2010 9:51:13 am

hi cw2k

while decoding one file i get this error : Run Time error 5
Invalid call or argument

when i click debug :

shows error at :
Code: Select all
Err.Raise Err, , Err.description


hope u can solve it ?
if u want i will send file too :)

Re: Ioncube

Post by forexrx » Sat Jan 30, 2010 11:16:20 pm

hi cw2k

while decoding files i get this error :-> ERROR: Subscript out of range
I can post the original file or log file
thanks

shows error at :

=========> S t a g e 8 - Read function body data
Reading Body
00000008 -> 00000002
S2[Fixed Size 0x70]:
0000007A -> 04010002
Skipped3 -> 00000000
FuncNameStart -> 00000000 02D34B10
CmdData -> 00000000
Args -> 00000000
ArgsMin -> 00000000
php4Extra -> 02D152D8 74610070 02BEE2D0 02D3A238 00000006 00000006
Skipped1 -> 00000004 00000000 00000000
PHPFileNamePtr -> FFFFFFFF
Php5-O1 00000000
Php5-O1Count 00000000 00000000 00000000 00000000 02D30000 02C43950 0000000A 00000001 00000000 00000000
00000079 -> FunctionName: function {MainFunction}
00000082 -> 00000006<-CmdCount
byteCmds[Elementsize=0x2] Elements: 00000006
Command
-------
07ED
07ED
0725
019D
0236
0095
CmdParams[Elementsize=0x14] Elements: 0000000B
Type Op1 Op2 Flags5 Flags
---------------------------------------------
00000004 00000000 00000001 00000000 00000000
00000001 00000002 00000019 00000002 00000103
00000008 00000010 00000000 00000000 00000000
00000004 00000018 00000000 00000000 00000000
00000001 0000001C 00000015 00000002 00000103
00000008 00000000 00000001 00000000 00000000
00000004 00000030 00000000 00000000 00000000
00000004 00000018 00000010 00000000 00000000
00000001 00000032 0000001A 00000002 00000103
00000004 00000048 00000001 00000000 00000000
00000001 00000001 00000038 00000002 00120101
StringData [0000004D]
000001C3 -> C0 DE 69 6E 63 6C 75 64 65 73 2F 78 61 6E 61 72 69 6F 5F 63 6F 72 65 2E 70 68 70 00 78 61 6E 61 72 69 6F 5F 50 61 6B 65 74 74 72 61 63 6B 69 6E 67 00 76 65 72 61 72 62 65 69 74 65 5F 55 50 53 5F 45 69 6E 7A 65 6C 70 61 6B 65 74 00
ÀÞincludes/core.php.Pakettracking.verarbeite_UPS_Einzelpaket.
Length of unprocessed data: 00000004

=========> S t a g e 9 - Interpreting IC_body/ByteCode

-> ERROR: Subscript out of range

Re: Ioncube

Post by cw2k » Sun Jan 31, 2010 12:14:16 am

Interesting bug, please attach one of these php-files that cause the error.

Even when the Interpret-function is not complete and so the resulting *_Decoded.php, the file interpreting should run until the end of file.

I thought I wrote about useful bugreports on decod.in - but since the forum there is not up yet - some words about it:
Stage I open each version of Ioncube encoded files and split out -> IC_body.bin.
Stage II run through/interpret the binary data and write it into *.log
So far it should run - plz report bugs.

Stage III decompile the phpByte Code data and transform it back into normal php source code
That is incomplete - and so can't really work completely. So plz don't report bugs related to incomplete or wrong php code. I know and see myself too good what is missing, not working so far - and needs to be done. ;)
When I completed that stage and consider it as 'working' - ya bugreports will be welcomed and helpful to make it perfect.

However that vb6-ioncube decoder is a kind of prototype a kind of live 'document' for the Ioncube data format, and to try out some approaches on how to interpret the php-byte code.

Splitice started a new version of this decoder written in php and it's looking really good - so I'll get more involved in it.

So I'll primarily focus on problems related to Stage I + II of the VB-Ioncube Decoder and for the rest I'll help/support splitice in making Ioncube decoder v2.

Re: Ioncube

Post by forexrx » Sun Jan 31, 2010 3:21:44 am

hi cw2k

I am attaching a few php files; they all give the same error. Also attaching the log file
I get the same error with vb and ioncube_decoder exercise Build 31
if you need other files or I can help in testing please let me know.

Thanks

Re: Ioncube

Post by cw2k » Mon Feb 01, 2010 1:23:12 pm

The problem with these Ioncube php files is that they use/require a license file.
I just figured out that the byteCodeKey - required to decode the php byte opcodes was moved into the license file. So now I'm about to write some code to decode these license files to read out that data from there.

Without the byteCodeKey the opcodes are just chaotic like that
#0000: 0x91 ZEND_VERIFY_INSTANCEOF LineNo: 0x0000 Flags: 0x07()
result: 04->VAR 00000000 00000001 00 00->NULL 00->val 0000
op1 : 01->CONST 00000002 00000019 02 03->STRING 01->ref FFFF
KeyWord: includes/xanario_core.php
op2 : 08->UNUSED 00000010 00000000 00 00->NULL 00->val 0000
______________________________________________________________________
#0001: 0x41 ZEND_SEND_VAL LineNo: 0x0000 Flags: 0x05()
result: 02->TMP_VAR 00000018 00000000 00 00->NULL 00->val 0000
op2 : 01->CONST 0000001C 00000022 02 03->STRING 01->ref FFFF
KeyWord: MODULE_SETUP_SONSTIGES_ADMIN_LOGIN
....................................................................
Comment: Arg["MODULE_SETUP_SONSTIGES_ADMIN_LOGIN"] = includes/xanario_core.php
______________________________________________________________________
#0002: 0xFA UNKNOWN Command LineNo: 0x0000 Flags: 0x07()

So far I corrected the bug that made the decoding stop because of invalid/unexpected opcode data.
(-IoncubeDecoder_VB6_version-15.7z on http://decube.tk)
The new License File Decoder just uses the makelicensefile.exe (and patches in the required registrationID before decoding) that comes with the Ioncube Encoder package - however this doesn't show the byte code key - so I'll need to decode that by hand so I get access to all the data in the license file.

Re: Ioncube

Post by forexrx » Mon Feb 01, 2010 6:15:20 pm

hi cw2k

Thanks for the new decoder, it reads the license files :D
while decoding files i get this error :-> ERROR: Overflow
I can post the original file. I tried on a few different files

thanks

shows error at:
Code: Select all
=========> S t a g e  8  -  Read function body data

Reading Body
00000008 -> 00000002
S2[Fixed Size 0x40]:
0000004A ->  00000002
Skipped3 ->  00000000
FuncNameStart ->  00000000 012AAAD0
CmdData ->  01408630
Args ->  00000045
ArgsMin ->  00000045
php4Extra ->  00000031 00000000 00000000 FFFFFFFF 00000000 00000000
Skipped1 ->  00000000 00000000 00000000
PHPFileNamePtr ->

00000049 -> FunctionName:  function {MainFunction}

00000052 -> 00000045<-CmdCount
byteCmds[Elementsize=0x2] Elements: 00000056
Command
-------
07C3
03E0
073C
....
07D8
0212
-> ERROR: Overflow

Re: Ioncube

Post by cw2k » Mon Feb 01, 2010 9:41:03 pm

Sorry I don't like to fix all these sloppy errors right now.

So if it's really important try it yaself.
Get VB6 portable and run it inside VB6.
In the function where the error happens paste at the beginning the line
'on error resume next'

That will make the program just continue to run on the next source code line when some runtime error happens (like an overflow).

Re: Ioncube

Post by forexrx » Thu Feb 04, 2010 6:03:45 pm

Hi cw2k,

Thanks a lot cw2k, you are doing great work :D Thanks for
a patched Ioncube loader for windows which does not care for expiry date
any chance you've got an Ioncube loader for Linux (ioncube_loader_Lin_5.2)
which does not care for expiry date

Thanks

Re: Ioncube

Post by cw2k » Fri Feb 12, 2010 1:53:42 am

Okay, I actually had a look at ioncube php from the 'encoder's view' (looking into the loader you just see how stuff is read). Seeing how stuff is built. Also saw how the byte code key is created.
...and how to calculate it. :mrgreen:

Besides, I improved my ollyscript stringsDecrypt scripts - you'll find them together with the already decrypted Ioncube binaries here:
http://decod.in/cw2k/Ioncube%20loader%2 ... +%20IDA5.5
(^- Hehe plus I upped the latest IDA5.5 with hexrays there) So happy tripping in da binary space. :wink:

But what does that finally mean :?:
Well finally the decoder is independent from License files !
So even if you've no license file, it got lost, corrupted or whatever, the decoder will be able to correctly decrypt the php-byte code, upon which any further decompilation is based on.

->'IoncubeDecoder_VB6_version-17.7z' on
http://decube.tk

Re: Ioncube

Post by cw2k » Sun Feb 28, 2010 1:50:57 pm

Someone sent me 'Dezend for PHP5.2.1';
since the reply may be of general interest I'll post it here.
There might be a chance to combine the VB Ioncube decoder and ‘Dezend’: the VB Ioncube decoder does the part to decrypt ioncube data and ‘Dezend’ the part to decompile the bytecode.
After all, IC_body.bin is just the same format as normal php – since the IC ppl just took the normal opensource php code, did some small modifications and then used it for the ioncube loader.
So these small modifications probably only apply to the encrypted CmdBytes in ‘IC_body.bin’ on the one hand - and to EncryptStrings (or more correctly just the pointers to them) when the IC-loader reads in ‘IC_body.bin’ and decrypts the CmdBytes to form 'CmdItem-objects' in memory that are later executed.

So if you see these two flags it will indicate that ‘Dezend’ will fail – since it expects unencrypted php-bytecode
=========> S t a g e 5 - Interpreting IC_HeaderEx

0001 <-IC_Type_Minor
0005 <-IC_Type_Major
The file [%s] was encoded with the PHP 5 ionCube Encoder, and requires PHP 5 to be installed.
00000CE7 <-PhpFlags

0x0080 CmdBytesAreEncrypted
0x0400 EncryptStrings[KeyWord.c_Object] in memory during Compile& Execute

About ‘0x0400 EncryptStrings’ you won't need to care when using ‘IC_body.bin’.
The 0x0080 CmdBytesAreEncrypted can be undone by adding some code that will write back the unencrypted bytecode bytes into ‘IC_body.bin’ (or a copy of it) during bytecode disassembling.

When going the other way and the dezend goes by grabbing and decompiling these - I called them - 'CmdItem-objects', this ‘0x0400 EncryptStrings’ is in the way. But this can be easily patched/removed by modifying ioncube_loader_win_5.2.dll and hacking in some ASM that deletes that flag when it's read. (OR [PhpFlags], 0xFFFFFBFF)


But so far, tomorrow I'll start again with my backpack on a journey exploring the Canaries and will be back in maybe a month - if it's nice maybe in three - :D

Re: Ioncube

Post by NewEraCracker » Wed Apr 21, 2010 9:30:23 pm

I've been trying your decoders without success unfortunately :(

Can you please take a look at the php files on attached zip and decode them if possible.

Thank you.
~ NewEraCracker - The Cracker of New Era ~
Activate Windows 7 the right way: http://board.defcon5.biz/viewtopic.php?f=30&t=1391