 ____      ___         _   _         
|    \ ___|  _|___ ___| |_|_|___ ___ 
|  |  | -_|  _| -_| .'|  _| |   | . |
|____/|___|_| |___|__,|_| |_|_|_|_  |
                                |___|
                                         
 _____                     _____         
|   __|___ _ _ ___ ___ ___|     |___ ___ 
|__   | . | | |  _|  _| -_|   --| . | . |
|_____|___|___|_| |___|___|_____|___|  _|
                                    |_|  
                                                                         
      [- defeating sourcecop -]

SourceCop is an obfuscation tool provided by its creators at 
http://www.sourcecop.com. It's cropping up in various PhishKits 
that have surfaced. The info on sourcecop.com's website make the 
following claim: "SourceCop for PHP encrypts your PHP code using 
a special encryption method. This encryption makes it almost 
impossible for a human to understand." Does it live up to the hype? 
Challenge accepted...

Well, since the dudes over at sourcecop.com claim it's almost 
impossible for a human to understand, I must test this theory. 
This is purely in the interests of science and for educational 
purposes.

Encryption is definitely a good means to secure your data. However, 
if certain environmental factors are not adhered to when employing 
such a means of security, encryption can be useless. In the case of 
scripting languages, this becomes very important since the source 
code can be obtained and reviewed. Most importantly, if the entire 
encryption algorithm and key are also included in the script... 
you're gonna have a bad time! This happens to be the fundamental 
flaw in sourcecop.com's design. Although the source provided does 
look daunting, it's just a tricky means of obfuscating the source.

The begging of each encoded file begins with something like the 
following:

     1	< ?php
     2	
     3	if (!function_exists('f29179060'))
     4	{
     5	  function f29179060($fld)
     6	  {
     7	    $fld1 = dirname($fld);
     8	    $fld = $fld1 . '/scopbin';
     9	    clearstatcache();
    10	    if (!is_dir($fld)) return f29179060($fld1);
    11	    else return $fld;
    12	  }
    13	}
    14	
    15	require_once (f29179060(__FILE__) . '/83610228.php');

The oddly named file on line 15 is what interests us. This file 
includes some homebrewed crypto used for the decoding of the 
data which contains the page ($REXTHEDOG4FBI). Let's keep 
scrolling down in the file:

    16	
    17	$REXISTHECAT4FBI = 'A5544FC4FC57239757239797E54EB9A68E3';
    18	f29179060g0666f0acdeed38d4cd9084ade1739498
       (f29179060f0666f0acdeed38d4cd9084ade1739498(__FILE__));
    19	$REXISTHEDOG4FBI = '63825363638253636382536362536363825363';
    20	$REXISTHECAT4FBI = '94CD76CD371C5A7BC70C186E779C2935A781A6';
    21	eval(f29179060y0666f0acdeed38d4cd9084ade1739498
              ('MzAxQjNCNDQ0RkY0MUU2MkY0', $REXISTHEDOG4FBI));
    22	? >
    23	

There are 2 variables that immediately stick out due to their 
amusingly interesting names: $REXTHECAT4FBI, $REXTHEDOG4FBI. These
are telltale signs that sourcecop has been used in the encoding
of the file. Please note that values for variables have 
changed as this was part of a live phish.

The first call is to a function denoted:
f29179060g0666f0acdeed38d4cd9084ade1739498 listed on line 18. Its
argument is another function call:
f29179060f0666f0acdeed38d4cd9084ade1739498. The combination of these
two functions provide a quite interestingly devised anti-debugging
measure for those trying to dump the contents of variables in the
encoded file. The inner-most function grabs the entire contents of
a file and builds a giant string containing the document; while the 
outer function searches the file being decoded for the following 
PHP function calls:

1. echo
2. print
3. sprint
4. sprintf

If one of these keyword patterns exist in the file being decoded, 
the rendering of the document is halted. It seem this is used as 
a means to deter someone with rudimentary skills to try and 
reverse engineer the algorithm.

Last but most definitely not least, you see an eval call with the
function f29179060y0666f0acdeed38d4cd9084ade1739498 as an argument.
This function is our decryption function. The first argument is the
key for the decryption, while the second argument is the document 
itself ($REXISTHEDOG4FBI) in encoded form. The decryption function
contains a homebrewed algorithm encompassing a combination of an 
encoding scheme coupled with 3 ciphers: base64 encoding, the xor 
cipher, and some simple substitutions. The decryption algorithm
returns a valid PHP document containing the contents that are to
be rendered in the browser, thus the eval.

Checkmate!

A quick little hack for those professionals looking to dump the
contents of the document quickly. Simply just replace the eval
function call with a call to highlight_string. Reload the 
document in the web browser and violah!

thus this:

eval(f29179060y0666f0acdeed38d4cd9084ade1739498
      ('MzAxQjNCNDQ0RkY0MUU2MkY0', $REXISTHEDOG4FBI));

becomes this:

highlight_string(f29179060y0666f0acdeed38d4cd9084ade1739498
                  ('MzAxQjNCNDQ0RkY0MUU2MkY0', $REXISTHEDOG4FBI));

The function highlight_string returns a syntax highlighted version 
of the given PHP code. In this case, the HTML document encompassing 
the Phish is dumped into the browser without rendering. The reason 
this works is remember the decryption algorithm is returning a 
fully valid PHP document.However, the downside of this workaround 
is that each encoded file must receive the change. Obviously, this 
can be scripted very easily.

- King

 _____     ___                             
| __  |___|  _|___ ___ ___ ___ ___ ___ ___ 
|    -| -_|  _| -_|  _| -_|   |  _| -_|_ -|
|__|__|___|_| |___|_| |___|_|_|___|___|___|

SourceCop
 - http://www.sourcecop.com
Base64 Encoding
- http://en.wikipedia.org/wiki/Base64
XOR cipher
- http://en.wikipedia.org/wiki/XOR_cipher
Substitution cipher
- http://en.wikipedia.org/wiki/Substitution_cipher

