├── .gitattributes
├── README.md
├── api
    └── c_api.php
├── functions
    └── functions.php
├── index.php
├── logout.php
├── obfuscator
    └── readme.txt
├── panel.php
├── projects
    └── index.html
└── uploads
    ├── index.html
    └── obfuscated
        └── index.html


/.gitattributes:
--------------------------------------------------------------------------------
1 | # Auto detect text files and perform LF normalization
2 | * text=auto
3 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # server sided obfuscator base
 2 |  this is a server sided obfuscator base, where you login, select the options, upload the file to the server and it obfuscates it
 3 | 
 4 |  the obfuscator used in this project is ConfuserEx, the authentication service is cauth.me
 5 |  
 6 |  please contact me in case of issues :D
 7 |  
 8 |  to do ->
 9 | ```
10 | use ajax for the form upload
11 | ```
12 | done ->
13 | ```
14 | added support for file dependencies, drop the exe ( must be a single exe ) and the dependencies in a zip file to upload
15 | the confuser ex console output is saved together with the exe in a zip file after the obfuscation (dependencies are added too)
16 | 


--------------------------------------------------------------------------------
/api/c_api.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | //BETA VERSION OF THE PHP's API
  3 | //there's no traffic encryption in here, as php is a server sided language
  4 | if(!isset($_SESSION))
  5 |     session_start();
  6 | 
  7 | class c_api{
  8 |     public static function c_init($c_version, $c_program_key, $c_api_key){
  9 |         try{
 10 |             $ch = curl_init(self::$api_link . "ins_handler.php?type=init");
 11 |             curl_setopt($ch, CURLOPT_USERAGENT, self::$user_agent);
 12 |             curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 13 | 
 14 |             curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
 15 |             curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
 16 |             curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, self::$pub_key);
 17 | 
 18 |             $_SESSION["program_key"] = $c_program_key;
 19 |             $_SESSION["api_key"] = $c_api_key;
 20 | 
 21 |             $values = [
 22 |                 "version" => $c_version,
 23 |                 "api_version" => "3.1b",
 24 |                 "program_key" => $_SESSION["program_key"],
 25 |                 "api_key" => $_SESSION["api_key"]
 26 |             ];
 27 | 
 28 |             curl_setopt($ch, CURLOPT_POSTFIELDS, $values);
 29 | 
 30 |             $result = curl_exec($ch); curl_close($ch);
 31 | 
 32 |             switch($result){
 33 |                 case "program_doesnt_exist":
 34 |                     die("the program doesnt exist");
 35 |                     break;
 36 | 
 37 |                 case "invalid_api_key":
 38 |                     die("invalid API Key");
 39 |                     break;
 40 | 
 41 |                 case "wrong_version":
 42 |                     die("wrong program version");
 43 |                     break;
 44 | 
 45 |                 case "old_api_version":
 46 |                     die("please download the newest api version on the auth's website");
 47 |                     break;
 48 | 
 49 |                 default:
 50 |                     break;
 51 |             }
 52 |         }
 53 |         catch(Exception $ex){
 54 |             die($ex->getMessage());
 55 |         }
 56 |     }
 57 |     public static function c_login($c_username, $c_password){
 58 |         $ch = curl_init(self::$api_link . "ins_handler.php?type=login");
 59 |         curl_setopt($ch, CURLOPT_USERAGENT, self::$user_agent);
 60 |         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
 61 | 
 62 |         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
 63 |         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
 64 |         curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, self::$pub_key);
 65 | 
 66 |         $values = [
 67 |             "username" => $c_username,
 68 |             "password" => $c_password,
 69 |             "program_key" => $_SESSION["program_key"],
 70 |             "api_key" => $_SESSION["api_key"]
 71 |         ];
 72 | 
 73 |         curl_setopt($ch, CURLOPT_POSTFIELDS, $values);
 74 | 
 75 |         $result = json_decode(curl_exec($ch)); curl_close($ch);
 76 | 
 77 |         switch($result->{'result'}){
 78 |             case "invalid_username":
 79 |                 c_api::alert("invalid username");
 80 |                 return false;
 81 | 
 82 |             case "invalid_password":
 83 |                 c_api::alert("invalid password");
 84 |                 return false;
 85 | 
 86 |             case "user_is_banned":
 87 |                 c_api::alert("The user is banned");
 88 |                 return false;
 89 | 
 90 |             case "no_sub":
 91 |                 c_api::alert("no sub");
 92 |                 return false;
 93 | 
 94 |             case "logged_in":
 95 |                 $_SESSION["username"] = $result->{'username'};
 96 |                 $_SESSION["email"] = $result->{'email'};
 97 |                 $_SESSION["expires"] = $result->{'expires'};
 98 |                 $_SESSION["rank"] = $result->{'rank'};
 99 |                 //saved to a session because i cant save the values to a static class
100 | 
101 |                 c_api::alert("logged in");
102 |                 return true;
103 | 
104 |             default:
105 |                 die($result);
106 |                 break;
107 |         }
108 |     }
109 |     public static function c_register($c_username, $c_email, $c_password, $c_token){
110 |         $ch = curl_init(self::$api_link . "ins_handler.php?type=register");
111 |         curl_setopt($ch, CURLOPT_USERAGENT, self::$user_agent);
112 |         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
113 | 
114 |         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
115 |         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
116 |         curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, self::$pub_key);
117 | 
118 |         $values = [
119 |             "username" => $c_username,
120 |             "email" => $c_email,
121 |             "password" => $c_password,
122 |             "token" => $c_token,
123 |             "program_key" => $_SESSION["program_key"],
124 |             "api_key" => $_SESSION["api_key"]
125 |         ];
126 | 
127 |         curl_setopt($ch, CURLOPT_POSTFIELDS, $values);
128 | 
129 |         $result = curl_exec($ch); curl_close($ch);
130 | 
131 |         switch($result){
132 |             case "user_already_exists":
133 |                 c_api::alert("user already exists");
134 |                 return false;
135 | 
136 |             case "email_already_exists":
137 |                 c_api::alert("email already exists");
138 |                 return false;
139 | 
140 |             case "invalid_email_format":
141 |                 c_api::alert("invalid email format");
142 |                 return false;
143 | 
144 |             case "invalid_token":
145 |                 c_api::alert("invalid token");
146 |                 return false;
147 | 
148 |             case "maximum_users_reached":
149 |                 c_api::alert("maximum users reached");
150 |                 return false;
151 | 
152 |             case "used_token":
153 |                 c_api::alert("used token");
154 |                 return false;
155 | 
156 |             case "success":
157 |                 c_api::alert("success");
158 |                 return true;
159 | 
160 |             default:
161 |                 die($result);
162 |                 break;
163 |         }
164 | 
165 |     }
166 |     public static function c_activate($c_username, $c_password, $c_token){
167 |         $ch = curl_init(self::$api_link . "ins_handler.php?type=activate");
168 |         curl_setopt($ch, CURLOPT_USERAGENT, self::$user_agent);
169 |         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
170 | 
171 |         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
172 |         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
173 |         curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, self::$pub_key);
174 | 
175 |         $values = [
176 |             "username" => $c_username,
177 |             "password" => $c_password,
178 |             "token" => $c_token,
179 |             "program_key" => $_SESSION["program_key"],
180 |             "api_key" => $_SESSION["api_key"]
181 |         ];
182 | 
183 |         curl_setopt($ch, CURLOPT_POSTFIELDS, $values);
184 | 
185 |         $result = curl_exec($ch); curl_close($ch);
186 | 
187 |         switch($result){
188 |             case "invalid_username":
189 |                 c_api::alert("invalid username");
190 |                 return false;
191 | 
192 |             case "invalid_password":
193 |                 c_api::alert("invalid password");
194 |                 return false;
195 | 
196 |             case "user_is_banned":
197 |                 c_api::alert("The user is banned");
198 |                 return false;
199 | 
200 |             case "invalid_token":
201 |                 c_api::alert("invalid token");
202 |                 return false;
203 | 
204 |             case "used_token":
205 |                 c_api::alert("used token");
206 |                 return false;
207 | 
208 |             case "success":
209 |                 c_api::alert("success");
210 |                 return true;
211 | 
212 |             default:
213 |                 die($result);
214 |                 break;
215 |         }
216 |     }
217 |     public static function c_all_in_one($c_token){
218 |         if(c_api::c_login($c_token, $c_token))
219 |             return true;
220 | 
221 |         else if(c_api::c_register($c_token, $c_token . "@gmail.com", $c_token, $c_token))
222 |             return true;
223 | 
224 |         else return false;
225 |     }
226 |     //no need for server sided variables here cause php already is server side
227 |     public static function c_log($c_message){
228 |         if(empty($_SESSION["username"]) || !isset($_SESSION["username"])) $_SESSION["username"] = "NONE";
229 | 
230 |         $ch = curl_init(self::$api_link . "ins_handler.php?type=log");
231 |         curl_setopt($ch, CURLOPT_USERAGENT, self::$user_agent);
232 |         curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
233 | 
234 |         curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
235 |         curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
236 |         curl_setopt($ch, CURLOPT_PINNEDPUBLICKEY, self::$pub_key);
237 | 
238 |         $values = [
239 |             "username" => $_SESSION["username"],
240 |             "message" => $c_message,
241 |             "program_key" => $_SESSION["program_key"],
242 |             "api_key" => $_SESSION["api_key"]
243 |         ];
244 | 
245 |         curl_setopt($ch, CURLOPT_POSTFIELDS, $values);
246 | 
247 |         curl_exec($ch); curl_close($ch);
248 |     }
249 | 
250 |     public static function alert($string){
251 |         echo "<script type=\"text/javascript\">";
252 |             echo "alert(\"$string\")"; //ugly
253 |         echo "</script>";
254 |     }
255 |     private static $api_link = "https://cauth.me/api/";
256 |     private static $user_agent = "Mozilla cAuth";
257 |     private static $pub_key = "sha256//Mk6vhbkCoRzUhXoUryC8tjIxmehtu4uLVhwqGQM9Cmc=";
258 | }
259 | 


--------------------------------------------------------------------------------
/functions/functions.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | function obfuscate($obf_file_location, $proj_file_location, $dependencies = array())
  4 | {
  5 |     //here i perform the obfuscation task and save the output of cfex's console to '$data' ⬇
  6 |     $data = shell_exec(getcwd() . "\obfuscator\Confuser.CLI.exe " . escapeshellarg($proj_file_location));
  7 | 
  8 |     $obf_file = realpath("uploads/obfuscated/" . pathinfo($obf_file_location)['basename']);
  9 | 
 10 |     unlink(realpath($obf_file_location));
 11 | 
 12 |     $zip_file = pack_assembly_with_info($obf_file, $data, $dependencies);
 13 |     //pack the obf file + dependencies (if there are) with the cfex console output
 14 | 
 15 |     download_file($zip_file);
 16 | 
 17 |     unlink($obf_file);
 18 | 
 19 |     unlink(realpath($zip_file));
 20 | 
 21 |     unlink($proj_file_location);
 22 | }
 23 | 
 24 | function pack_assembly_with_info($exe_file, $obf_info, $dependencies = array()){
 25 |     $zip = new ZipArchive;
 26 | 
 27 |     if(!empty(pathinfo($exe_file)['filename'])) //this is in case the obfuscation wasnt successfull
 28 |         $zip_output = "uploads/obfuscated/" . pathinfo($exe_file)['filename'] . '.zip';
 29 |     else
 30 |         $zip_output = "uploads/obfuscated/" . uniqid() . '.zip';
 31 | 
 32 |     $zip->open($zip_output, ZipArchive::CREATE); //creates a zip file with the exe's name.zip
 33 | 
 34 |     $zip->addFile($exe_file, pathinfo($exe_file)['basename']); //add the real exe
 35 | 
 36 |     $zip->addFromString("obf_info.txt", $obf_info); //add the cfex output here
 37 | 
 38 |     if(!empty($dependencies)) //if there are dependencies
 39 |         foreach($dependencies as &$deps) //for each dependencies in the dependency array
 40 |             $zip->addFile($deps, pathinfo($deps)['basename']); //add the dependency to the zip file
 41 | 
 42 |     $zip->close();
 43 | 
 44 |     return $zip_output;
 45 | }
 46 | 
 47 | function unpack_to_return_the_exe($zip_location){ //CAN ONLY CONTAINS ONE EXE
 48 |     $zip = new ZipArchive;
 49 |     $zip->open(realpath($zip_location)); //opens the zip file
 50 | 
 51 |     $result_array = array("file_to_obfuscate" => '', "dependencies" => array());
 52 |     //defines the array return ^
 53 | 
 54 |     for ($i = 0; $i < $zip->numFiles; $i++) { //get all the files in the zip file
 55 |         $filename = $zip->getNameIndex($i); //get the name of the current file
 56 |         $info = pathinfo($filename); //path info of the file
 57 | 
 58 |         if($info["extension"] == "exe"){ //in case the file is an exe, gen a random name to it and save it and link the name to the array return
 59 |             $file_to_obfuscate = "uploads/" . uniqid() . '.' . $info["extension"];
 60 |             fwrite(fopen($file_to_obfuscate, "w"), $zip->getFromName($filename));
 61 |             $result_array["file_to_obfuscate"] = $file_to_obfuscate;
 62 |         }
 63 |         else if($info["extension"] == "dll"){ //add data foreach dll dependency
 64 |             $dll_dependency = "uploads/" . $filename;
 65 |             fwrite(fopen($dll_dependency, "w"), $zip->getFromName($filename));
 66 | 
 67 |             array_push($result_array["dependencies"], $dll_dependency);
 68 |         }
 69 |         else {
 70 |             $zip->close();
 71 | 
 72 |             foreach(@$result_array["dependencies"] as &$val)
 73 |                 @unlink(realpath($val));
 74 |             //im not sure if the arrays are really defined, so i use @ to not throw exceptions
 75 | 
 76 |             @unlink($zip_location);
 77 |             @unlink($result_array["file_to_obfuscate"]);
 78 |             @unlink("uploads/" . $filename);
 79 | 
 80 |             die("there are files that arent .exe/.dll in the zip");
 81 |         }
 82 |     }
 83 |     $zip->close();
 84 |     unlink($zip_location);
 85 | 
 86 |     return $result_array;
 87 | }
 88 | 
 89 | //creates a xml project file to be used with confuser ex cli
 90 | function create_temp_xml($file_path, $protection_options){
 91 |     $path_info = pathinfo($file_path);
 92 |     $dir_name = realpath($path_info["dirname"]);
 93 | 
 94 |     $xml = new SimpleXMLElement("<project></project>");
 95 | 
 96 |     $xml->addAttribute("outputDir", $dir_name . "\obfuscated");
 97 |     $xml->addAttribute("baseDir", $dir_name);
 98 |     $xml->addAttribute("xmlns", "http://confuser.codeplex.com"); // <- i dont think thats needed
 99 | 
100 |     $rules = $xml->addChild("rule");
101 |     $rules->addAttribute("pattern", "true");
102 |     $rules->addAttribute("inherit", "false");
103 | 
104 |     foreach ($protection_options as &$opt) {
105 |         $protections = $rules->addChild("protection");
106 |         $protections->addAttribute("id", $opt);
107 |     }
108 | 
109 |     $mdl = $xml->addChild("module");
110 |     $mdl->addAttribute("path", $path_info["basename"]);
111 | 
112 |     $xml_output_path = "projects/" . uniqid() . ".crproj";
113 | 
114 |     $output = fopen($xml_output_path, "w");
115 |     fwrite($output, explode("\n", $xml->asXML(), 2)[1]);
116 |     fclose($output);
117 | 
118 |     return realpath($xml_output_path);
119 | }
120 | 
121 | function download_file($filename){
122 |     header("Content-Type: application/octet-stream");
123 |     header("Content-Transfer-Encoding: Binary");
124 |     header("Pragma: public");
125 |     header("Cache-Control: no-cache, must-revalidate");
126 |     header("Content-Disposition: attachment; filename=".basename($filename).";");
127 |     header("Content-Length: ".filesize($filename));
128 | 
129 |     @readfile($filename);
130 | }
131 | 


--------------------------------------------------------------------------------
/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include("api/c_api.php");
 3 | c_api::c_init("program version", "program key", "program api/enc key");
 4 | 
 5 | //guide, create a program at cauth.me, put the version, program key and api key, done
 6 | 
 7 | if(isset($_SESSION["logged_in"]))
 8 |     header("Location: panel.php");
 9 | 
10 | if(isset($_POST["sub"]) && c_api::c_all_in_one($_POST["token"])) {
11 |     $_SESSION["logged_in"] = true;
12 | 
13 |     header("Location: panel.php");
14 | }
15 | ?>
16 | 
17 | <form method="post">
18 |     token : <br>
19 |     <input type="text" name="token"> <br>
20 |     <button name="sub">submit</button>
21 | </form>
22 | 


--------------------------------------------------------------------------------
/logout.php:
--------------------------------------------------------------------------------
1 | <?php
2 | session_start();
3 | session_destroy();


--------------------------------------------------------------------------------
/obfuscator/readme.txt:
--------------------------------------------------------------------------------
1 | here you upload ConfuserEx, for this project ive used the latest release on their github


--------------------------------------------------------------------------------
/panel.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | include("api/c_api.php");
 3 | include("functions/functions.php");
 4 | 
 5 | if(!isset($_SESSION["logged_in"]))
 6 |     header("Location: index.php");
 7 | 
 8 | if(isset($_POST["submit"])) {
 9 |     $file_type = strtolower(pathinfo($_FILES["file_to_upload"]["name"], PATHINFO_EXTENSION));
10 |     if ($file_type == "exe" || $file_type == "dll" || $file_type == "zip") {
11 |         if ($_FILES["file_to_upload"]["size"] <= 10485760) { //10 mb
12 |             $file_new_location = "uploads/" . uniqid() . '.' . $file_type;
13 | 
14 |             move_uploaded_file($_FILES["file_to_upload"]["tmp_name"], $file_new_location);
15 | 
16 |             if ($file_type == 'zip') {
17 |                 $obfuscation_data = unpack_to_return_the_exe($file_new_location);
18 | 
19 |                 $xml_file = create_temp_xml($obfuscation_data["file_to_obfuscate"], $_POST["opts"]);
20 | 
21 |                 obfuscate($obfuscation_data["file_to_obfuscate"], $xml_file, $obfuscation_data["dependencies"]); //file to obfuscate ( in the zip file )
22 | 
23 |                 foreach($obfuscation_data["dependencies"] as &$val)
24 |                     unlink(realpath($val)); //delete the dependencies that was uploaded with the file
25 | 
26 |             } else {
27 |                 $xml_file = create_temp_xml($file_new_location, $_POST["opts"]);
28 | 
29 |                 obfuscate($file_new_location, $xml_file);
30 |             }
31 |         } else {
32 |             die("file size is too big ( more than 10mb )");
33 |         }
34 |     } else {
35 |         die("not supported file type");
36 |     }
37 | }
38 | 
39 | ?>
40 | hello <?php echo $_SESSION["username"]; ?>
41 | <br> <br>
42 | <form method="post" enctype="multipart/form-data">
43 |     options : <br>
44 |     anti tamper : <input type="checkbox" name="opts[]" value="anti tamper"> <br>
45 |     constants : <input type="checkbox" name="opts[]" value="constants"> <br>
46 |     control flow : <input type="checkbox" name="opts[]" value="ctrl flow"> <br> <br>
47 |     <!-- add more protections here if you want !-->
48 | 
49 |     select your file : (only zip, exe and dll files are allowed) <br>
50 |     <input type="file" name="file_to_upload"> <br> <br>
51 |     <button type="submit" name="submit"> submit </button>
52 | </form>
53 | 
54 | 


--------------------------------------------------------------------------------
/projects/index.html:
--------------------------------------------------------------------------------
1 | you shouldnt be here


--------------------------------------------------------------------------------
/uploads/index.html:
--------------------------------------------------------------------------------
1 | you shouldnt be here


--------------------------------------------------------------------------------
/uploads/obfuscated/index.html:
--------------------------------------------------------------------------------
1 | you shouldnt be here


--------------------------------------------------------------------------------