Comments on: TAC v1.1 Released (Minor Fixes) http://builtbackwards.com/2008/06/28/tac-v11-released-minor-fixes/ Reverse Engineering is in Our Nature Tue, 13 Jul 2010 01:49:31 +0000 hourly 1 http://wordpress.org/?v=3.0 By: sam http://builtbackwards.com/2008/06/28/tac-v11-released-minor-fixes/comment-page-1/#comment-25 sam Wed, 20 Aug 2008 19:35:55 +0000 http://builtbackwards.com/?p=16#comment-25 OTTO, Thanks for that information. We are adding that to the plug-in in the next few days. OTTO,
Thanks for that information. We are adding that to the plug-in in the next few days.

]]> By: Otto http://builtbackwards.com/2008/06/28/tac-v11-released-minor-fixes/comment-page-1/#comment-17 Otto Tue, 19 Aug 2008 19:34:41 +0000 http://builtbackwards.com/?p=16#comment-17 Interesting idea. I had considered something along these lines, but I was thinking about a more generic approach, by detecting the obfuscated code directly, not looking for the unobfuscator. Looking at the source, I see that you're mainly checking for "base64". You might also want to check for "uudecode" or "uuencode" as these can also hide code in the same manner. See the convert_uudecode() function in PHP. You might also check for "urldecode" too. It can't hide code, but it can be used to make it less obvious. Interesting idea. I had considered something along these lines, but I was thinking about a more generic approach, by detecting the obfuscated code directly, not looking for the unobfuscator.

Looking at the source, I see that you’re mainly checking for “base64″. You might also want to check for “uudecode” or “uuencode” as these can also hide code in the same manner. See the convert_uudecode() function in PHP.

You might also check for “urldecode” too. It can’t hide code, but it can be used to make it less obvious.

]]>