Dump PHP 8.1 OPCodes using Vulcan Logic Dumper with Bonus

The VLD (Vulcan Logic Dumper) extension must be installed; we can compile it from source.

	git clone https://github.com/derickr/vld.git
	cd vld
	phpize
	./configure
	sudo make && sudo make install

With the sudo make && sudo make install command, our vld extension is compiled and copied directly to the PHP extensions folder. The next step is to activate the extension in the php.ini file.

Let’s find our php.ini file.

kzorluoglu@kzorluoglu:~/projects/vld-0.18.0$ php -i | grep 'Loaded Configuration File '
Loaded Configuration File => /etc/php/8.1/cli/php.ini

We found our php.ini file; now let’s activate our vld extension with a text editor.

sudo vim /etc/php/8.1/cli/php.ini

At the bottom of the file, find the ;extension= section, add extension=vld, and save it. We are all set!

Now we can dump any PHP file by passing the vld.active=1 parameter.

kzorluoglu@kzorluoglu:~/projects/vld-0.18.0$ php -d vld.active=1 test.php
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /home/kzorluoglu/projects/vld-0.18.0/test.php
function name:  (null)
number of ops:  6
compiled vars:  !0 = $test
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    3     0  E >   ASSIGN                                                   !0, 'test'
    4     1        NOP
          2        FAST_CONCAT                                      ~2      !0, '+ist+gut'
          3        ECHO                                                     ~2
    5     4        ECHO                                                     '%0A'
    6     5      > RETURN                                                   1

branch: #  0; line:     3-    6; sop:     0; eop:     5; out0:  -2
path #1: 0,
test ist gut

Bonus: The die() and exit() functions call the same action, which means both of them do exactly the same thing. 🙂
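An added example (not from the original post): a small Python parser for the VLD table shown above. It reduces a dump to its opcode sequence so that two dumps, for instance one from a file calling die() and one calling exit(), can be compared. The function names are hypothetical, and the embedded dump is the article's own test.php output.

```python
import re

# VLD table copied from the article's test.php run (not new tool output).
SAMPLE_DUMP = """\
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    3     0  E >   ASSIGN                                                   !0, 'test'
    4     1        NOP
          2        FAST_CONCAT                                      ~2      !0, '+ist+gut'
          3        ECHO                                                     ~2
    5     4        ECHO                                                     '%0A'
    6     5      > RETURN                                                   1
"""

# [source line] op-index[*] [E / > flags] OPCODE remaining-columns
OP_ROW = re.compile(
    r"^\s*(?:(\d+)\s+)?(\d+)(\*?)\s+((?:[E>]\s+)*)([A-Z][A-Z0-9_]*)\b\s*(.*)$"
)

def parse_vld(dump):
    """Return one dict per opcode row; header, branch and path lines are skipped."""
    ops, current_line = [], None
    for row in dump.splitlines():
        m = OP_ROW.match(row)
        if not m:
            continue
        if m.group(1):  # the source line is printed only when it changes
            current_line = int(m.group(1))
        ops.append({
            "line": current_line,
            "index": int(m.group(2)),
            "starred": m.group(3) == "*",   # marker from the '#*' column
            "op": m.group(5),
            "rest": m.group(6).strip(),     # fetch/ext/return/operands, unsplit
        })
    return ops

def opcode_names(dump):
    """Opcode mnemonics in execution-table order."""
    return [o["op"] for o in parse_vld(dump)]

def same_opcodes(dump_a, dump_b):
    """True when two dumps contain the same opcode sequence (line numbers ignored)."""
    return opcode_names(dump_a) == opcode_names(dump_b)

if __name__ == "__main__":
    for o in parse_vld(SAMPLE_DUMP):
        print(f"{o['index']:>3}  line {o['line']}  {o['op']:<12} {o['rest']}")
```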
