PHP nonalpha tutorial

My first post on PHP non-alpha numeric code was a bit brief, in the excitement of the discovery I failed to detail in depth the process. I’ve decided to follow up with a tutorial and hopefully explain the process better for anyone wanting to learn or improve the technique.

The basis of PHP non-alphanumeric code is to take advantage of the fact that PHP automatically converts Arrays into a string “Array” when using in a string context. A simple example would be:


$x = array(1,2,3);
echo $x;//output Array

$x is now the string “Array”. But you will notice we used alphanumeric characters, we can also create an array without using array() like the following:


$_="";
$_[+""]='';
echo $_;//output Array

The first part creates a variable “$_” the second part references 0 by using the prefix operator on a blank string to convert to 0, the assignment creates the array. This was a first attempt to hack together an array when I first wrote it but all sorts of tricks can be used for example you don’t need the “0″ part.


$_="";
$_[+$_]++;
echo $_;//output Array

I’ll leave you to experiment for ways to create arrays but you get the idea. Right we have the characters “A”, “r”, “r” and so on now we need to access them and fortunately PHP is very similar to JavaScript in that respect. The first step is to force our array into an actual string by concatenating it with a blank string like so:


$_=$_."";//$_ contains our array previously and forces it into a string

The next step is to actually access a letter and PHP conveniently provides the same accessor method as JavaScript. To do that we need zero, as I showed before using the prefix operator with a blank string can convert to zero (also like JavaScript).


echo +"";// output 0

Using the 0 we can now access our letter “A” from the converted array.


echo $_[+""]// output "A"

Now originally because I was just discovering the technique I did some crazy math operations on multiple characters to obtain other characters than Array but this wasn’t necessary as Stefan Esser pointed out you can simply increment/decrement strings. But anyway I figured the letters out by doing nested for loops of all the characters, I’ll post the script if I’ve still got it later. For now though we’ll simply increment/decrement the characters we need. I’ll show you how to get the letter “B” first.


$_="";//we need a blank string to start
$_[+$_]++;//access part of the string to convert to an array
$_=$_."";//convert the array into a string of "Array"
$_=$_[+""];//access the 0 index of the string "Array" which is "A"
echo ++$_;//increment "A" to "B"

That is the basis of how it works, we just need to construct a string that calls a function such as “chr” or generate characters manually and then an eval based function to call our code. The original post used GET but since that is already documented I’ll show you how to generate different code. We’ll use the PHP function “assert” since it evaluates code and it is allowed to be called using string references of it’s name. For example:


$_="assert";
$_("print 1+1;")//output 2

We therefore need to generate “assert” and our code to call. Using the template from before were we generated “Array” we simply create new references and increment the characters we need.


$_="";//we need a blank string to start
$_[+$_]++;//access part of the string to convert to an array
$_=$_."";//convert the array into a string of "Array"
$__=+"";//make zero
$__++;//increment to 1
$___=$_[+""];//access the 0 index of the string "Array" which is "A"
$____=$____=$_[$__];//access the 1 index of the string "Array" which is "r"
$_____=$____;// assign "r" to a new variable
$_____++;//increment to "s"
$______=$___;//new variable for "e"
$______++;$______++;$______++;$______++;//increment to "e"
$_=$___.$_____.$_____.$______.$____.++$_____;//concat the strings to form "AssErt"
$_("p".$____."in".$_____." $__+$__");//call print 1+1

You will notice there are missing characters at the end “p”, “i” and “n” are alpha those are for you to generate using the techniques described. There are separate challenges to do after that for example a question to ask yourself is “How many characters are the minimum required to generate non-alphanumeric code?” another challenge is “What is the smallest amount of characters need to create a generator of non-alphanumeric code. Hope you enjoyed the write up and enjoy creating and finding new things with non-alpha php!

Challenges

1. Complete the “print 1+1″ code at the end of the last example (Basic)
2. Find the minimum number of characters to generate required to generate non-alpha code e.g. using only $_ + etc (Hard).
3. Create a PHP non-alpha generator in the smallest amount of code possible such as: The Hackvertor non-alpha tag (Hard)

Challenge leaderboard

1. @insertScript
Challenge 1 – done
Challenge 2 – done (using $_()[]+=.;)

15 Responses to “PHP nonalpha tutorial”

  1. what writes:

    What is this post about? What is this code?

  2. Rotac writes:

    Interesting post. Thanks!

  3. Gareth Heyes writes:

    @what I thought I explained that :/ it’s PHP.

  4. beachcoder writes:

    Will you release a non-alpha generator that doesn’t use special characters off the back of this experiment?

  5. Gareth Heyes writes:

    @beachcoder

    Nope that is a challenge for you guys, I might get involved if it becomes a cool challenge to reduce the amount of chars used.

  6. beachcoder writes:

    If only I had the time! It’d certainly be an interesting challenge. I assume it’d be harder to write a deobfuscator :)

  7. Gareth Heyes writes:

    Yeah de-obfuscation is always harder, I found the easiest way was to overwrite the functions that produce chars and return them instead of executing.

  8. bate writes:

    $_[+$_]++; will cause a php notice … skip the +$_ part .. ;) result is the same

  9. Per Persson writes:

    “the second part references 0 by using the infix operator on a blank string to convert to 0″

    The code in question: $_[+""]=”;

    In this case + is not infix but prefix. There’s no expression left of it, only to the right.

  10. Gareth Heyes writes:

    @per

    Thanks I’ll correct

    @bate

    What other characters do you not need? :) What is the minimum number of characters required to produce non-alpha code?

  11. wheelq writes:

    you got too much time :)

  12. Ripper writes:

    Hey thanks man..I’m ripper ….I can’t thank you enough.. Cheers.. I didn’t expect to actually understand a lil of this shit :D

  13. Gareth Heyes writes:

    @Ripper

    No probs

  14. Ripper writes:

    So I tried making code thanks to u of course..Tell me if this is the way it’s intended to be

  15. Simon Schick writes:

    Hey, I saw exactly that in JavaScript not long ago while I got hacked! It just wrote a document.write() which included an iframe into the DOM :D

    Too bad, I removed the code …