Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Decoding php script...
Posted by: larsm99
Date: April 10, 2010 03:43PM

I've tried to decode this php script, but I don't have much luck.
Can someone please try to decode this?
Thanks in advance!

<?php /* Copyright SomeMax */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=1800;eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDhhKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxZmMpLCdPWVBkRDRWU0tCd25JaDdiM1JGeDVqK3VybXRmc2VhbC8wQ3o5VUFHTEhFSnlwTmdpdm9RTTZYY1pXOFRrMnExPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>eX0HfV5LeVUpmF/HbzDohz3W7dKMIdOHmVUUwPe5tVUQKShzsAUiePYLruI/mu0ituBUmPZ/5VvUruhUKVhgfGR0rc3/euI/mA2oKV6gsA5/t+WAfcBpruRHfXZNBo9TBD2bIdYbIdYbId6QeSBlsAjifV4zmF/Gu62VF5v4u6kGnPKGKCZ9xM2bIDkixQOinCKGKCi9xM2bIdOiIDkiwPRbxMkiIdOiIDkLBDkixQOixMkiIP/9xQOiIDkixQOinPRbxQOixQOiIdOHnPeb+jY9RdR+5MpPeXWBtdeCI6BVadjEwcjofuRAsXj0fPki3cLWj54SxD04FGUixAeHeA2Rxxmrr6Hu74RJIGDvbFsyBM4P3MR4R9eKF5HnxD67x6YR5Uh5jjmu+4Utr+BzmVjAmX0HtApyf+WgsS4oscR6eGeZauLiIxKQhd5XhQ/WwokGwF9H7XmzfV2QmF/9xQOiIDkixQOiwxpUeA4ywPRbxQOixQOixQOH7i==PAUAKP/0mVjAt+WUmP/GR4IGwF9/aiH9m+mHfA5LBMRxBovDFjB436Rb5UUl5Mj33jBYjD2Fwxywl3HHmCOLK+RUmAUNm+3LB6Bbx63GwF9/aiH9m+mHfA5LB6Bbx63GnVRHsAW0f+5LmVUofA4pmF09tuBNr+6Uw42lR9UIRj2lwF9Hwxywl3HHmCOLK+RUmAUNm+3LBM43542DFjKGwF9/aiH9m+mHfA5LBM43542DFjKGnVB0sXjNr+6UwVRHsAW0f+5LmVUofA4pmF0luMmBxDjluo9HwF9TPGMwt+r/wP49m+mHfAj9wPed35p4uMhb59jlF5
Wdx4jDRj233jRKBo9HKSywmVjAt+WUwPed35p4uMhb59jlF5Wdx4jDRj233jRKBovFxM25wxywl3HHmCOLK+RUmAUNm+3LB6e43UBbx6RlRDUFBo9HKSywmVjAt+WUwPeuR5BFxM25uMRB5CsyrA4Qm+W0f+5LmVUofA4pmF0luMmBxDjluo9Hwxywl3HHmCOLK+RUmAUNm+3LB6euj62FxM25Bo9HKSywmVjAt+WUwPeuj6el592bjPsymVUofA4pmF0luMmBxDjluo9/n9Rxwxywl3HHmCOLK+RUmAUNm+3LBMhb59jl5D45FPsHwFYTPAUAKP0Ae+WzeVUgfU2UaVUQeSILBXUNtj2Qmu3GwFOABAUNtj2Qmu3LBXUNrXv6mVjlsV4MtPsy3M4nRj2dx6B4uMU73MvjRDjl5D45FPON5D45F42xRjYY5945x6K/nUBbx63/n9RxKPWY54YlRDUFKPWD5oON5D45F42xRjYY5945x6K/nAUNtj2Gmu3LBXUNrXv6mVjlsV4MtPsHwF9/aiH9m+mHfA5LBM4354233jRKBovNe+vywxywmVjAt+WUwPedx6B4u6YYjD/GnVW6fViH7iH2m+vQmFYTPARUmAUNmF/G3jY3u6YYjD/Gn4Bbx63/n9RxKPWY54YlRDUFKPWD5o9TPARUmAUNmF/G3M2FRj233jRKBovd35p4uMhb59jlF5Wdx4jDRj233jRKKPWD5o9TPGMwl3HHmCOLK+UNrXv6mV5L3M2FRj233jRKKPZGrX4JmFsNR4I/nCeCfX2MscRoruONsV0iBo9HKSyweSBHmXeUsU2UsGBgsC/C3X4JmjYK5PYzfcBUKVhge+v9KVWgePYCmFYAfcjNmPZ/KDhLm+hJKSRLmFYXr+v6mFYgmCYd35p4uMhb59jlF5Wdx4jDRj233jRKKVUNKD435P2cm+BofX2MnXUNmVjZnGYLsPZ/KDUMKShLfcjymPYifXUNePYMfoYMtV5/mVUom+hMfcBWKVhgfGR0t+WHfAs/a+26sCOCn9RxKPZCrX4JmFYzfcBUKVRHsAjzeV2oaFY0fA3/a+26sCOCn9RxKPZCeAjNmV2osoYofX2MKVRHsAjzeV2oaFZCnDjljjh45U245UBb5C9TPGMwt+r/wVUQsXjMwPRlRMj5+oe6sAiGuF9/BCr9uMe4j4yGeuByB6M/bxM2KPeArumHrX2NnAUzfosHKSywsAjMeuBN7iH2m+vQmFYTPCRBF5UBF5UBfDUyF+i/bFYNmus/RVUQsV4MrX0UsC/H7iL9F5UBF5UBF+vBfDUynxW9tuhiruRztP/9euBywxywl3HHmCOL3X2NmAUGeuBU7zHom+49wP9/bzOHKSywm+hLfoOCbPDpnFOCnGBge+W9wVeUeD6HrcBgeVUpmF/HKPM9F5UBF5UBF+vBfD9vnd3HKPZCsoOpnxZC7iH2P/==

Re: Decoding php script...
Posted by: barbarianbob
Date: April 10, 2010 05:09PM

First it runs this:
while(time()>1264982400)die('This script has expired. Please contact us for more information.');
1264982400 is Feb 1st, 2010, so none of this code even works anymore.

Later it sets a few constants and tries to load the CakePHP bootstrap. Then it does this:

if (isset($_GET['url']) && $_GET['url'] === 'favicon.ico') {
    return;
} else {
    $IIIIIIIlIlIl = new Dispatcher();
    $IIIIIIIlIlIl->dispatch($url);
}
if (Configure::read() > 0) {
    echo "<!-- " . round(getMicrotime() - $IIIIIIIlIlI1, 4) . "s -->";
}

Check your access logs for what people are entering as $_GET['url'] for this file. And check the CakePHP docs for what Dispatchers do.

Re: Decoding php script...
Posted by: larsm99
Date: April 11, 2010 07:51AM

Thanks! Can you tell me how you do it? Because I have 4 more files with the same encoding.

Re: Decoding php script...
Posted by: barbarianbob
Date: April 11, 2010 08:55AM

<?php
$str='the text after "?>" in the file';
var_dump(base64_decode(strtr($str,'OYPdD4VSKBwnIh7b3RFx5j+urmtfseal/0Cz9UAGLHEJypNgivoQM6XcZW8Tk2q1=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
?>

After you read that, look for an equals sign in the text ("QOH7i==PAUAKP" for this file). Delete the contents from the beginning of the text to the end of the equals sign ("PAUAKP" will be the new beginning for this file). Run the code again with the new text and read the output. Delete up to the next equals sign if there is one.

Re: Decoding php script...
Posted by: larsm99
Date: April 11, 2010 09:05AM

If I run your code with the same script as in my first post there is no == in my output.

My output is:
string(1728) "while(time()>1264982400)die('This script has expired. Please contact us for more information.');$OO00O00O0=str_replace('__FILE__',"'".$OOO0O0O00."'",$OOO0000O0($OOO00000O($O0O00OO00($O000O0O00,$OO00O0000),'OYPdD4VSKBwnIh7b3RFx5j+urmtfseal/0Cz9UAGLHEJypNgivoQM6XcZW8Tk2q1=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));fclose($O000O0O00);eval($OO00O00O0);&#65533;¦–b‚FVf–æVB‚tE2r’’°¦FVf–æR‚tE2rÄD•$T5Dõ%•õ4U$Dõ"“°§Ð¦–b‚FVf–æVB‚u$ôõBr’’°¦FVf–æR‚u$ôõBrÆF—&æÖR†F—&æÖR†F—&æÖR…õôd”ÄUõò’’’“°§Ð¦–b‚FVf–æVB‚tôD•"r’’°¦FVf–æR‚tôD•"rÆ&6VæÖR†F—&æÖR†F—&æÖR…õôd”ÄUõò’’’“°§Ð¦–b‚FVf–æVB‚t4´Uô4õ$Uô”ä4ÅTDUõD‚r’’°¦FVf–æR‚t4´Uô4õ$Uô”ä4ÅTDUõD‚rÅ$ôõB“°§Ð¦–b‚FVf–æVB‚utT%$ôõEôD•"r’’°¦FVf–æR‚utT%$ôõEôD•"rÆ&6VæÖR†F—&æÖR…õôd”ÄUõò’’“°§Ð¦–b‚FVf–æVB‚uuuuõ$ôõBr’’°¦FVf–æR‚uuuuõ$ôõBrÆF—&æÖR…õôd”ÄUõò’äE2“°§Ð¦–b‚FVf–æVB‚t4õ$UõD‚r’’°¦–b†gVæ7F–öåöW†—7G2‚v–æ•÷6WBr’bf–æ•÷6WB‚v–æ6ÇVFU÷F‚rÄ4´Uô4õ$Uô”ä4ÅTDUõD‚åD…õ4U$Dõ"å$ôõBäE2äôD•"äE2åD…õ4U$Dõ"æ–æ•övWB‚v–æ6ÇVFU÷F‚r’’’°¦FVf–æR‚tõD‚rÆçVÆ“°¦FVf–æR‚t4õ$UõD‚rÆçVÆ“°§ÖVÇ6R°¦FVf–æR‚tõD‚rÅ$ôõBäE2äôD•"äE2“°¦FVf–æR‚t4õ$UõD‚rÄ4´Uô4õ$Uô”ä4ÅTDUõD‚äE2“°§Ð§Ð¦–b‚–æ6ÇVFR„4õ$UõD‚âv6¶RräE2âv&ö÷G7G&ç‡r’’°§G&–vvW%öW'&÷"‚$6¶U…6÷&R6÷VÆBæ÷B&Rf÷VæBâ6†V6²F†RfÇVRöb4´Uô4õ$Uô”ä4ÅTDUõD‚–â÷vV'&ö÷Bö–æFW‚ç‡â—B6†÷VÆBö–çBFòF†RF—&V7F÷'’6öçF–æ–ær–÷W""äE2â&6¶R6÷&RF—&V7F÷'’æB–÷W""äE2â'fVæF÷'2&ö÷BF—&V7F÷'’â"ÄUõU4U%ôU%$õ"“°§Ð¦–b†—76WB‚EôtUE²wW&ÂuÒ’bbEôtUE²wW&ÂuÒÓÓÒvff–6öâæ–6òr’°§&WGW&ã°§ÖVÇ6R°¢D””””””–Ä–Ä–ÂÒæWrF—7F6†W"‚“°¢D””””””–Ä–Ä–ÂÓæF—7F6‚‚GW&“°§Ð¦–b„6öæf–wW&S£§&VB‚’ã’°¦V6†ò#ÂÒÒ"ç&÷VæB†vWDÖ–7&÷F–ÖR‚’ÒD””””””–Ä–Ä“ÃB’â'2ÒÓâ#°§Ð "

EDIT: If I try your code with another encoded page, the output I get is: bool(false)



Edited 1 time(s). Last edit at 04/11/2010 09:14AM by larsm99.

Re: Decoding php script...
Posted by: barbarianbob
Date: April 11, 2010 03:29PM

Sorry, I meant find the equals sign in the file contents.

eX0HfV5LeVUpmF/HbzDohz3W7dKMIdOHmVUUwPe5tVUQKShzsAUiePYLruI/mu0ituBUmPZ/5VvUruhUKVhgfGR0rc3/euI/mA2oKV6gsA5/t+WAfcBpruRHfXZNBo9TBD2bIdYbIdYbId6QeSBlsAjifV4zmF/Gu62VF5v4u6kGnPKGKCZ9xM2bIDkixQOinCKGKCi9xM2bIdOiIDkiwPRbxMkiIdOiIDkLBDkixQOixMkiIP/9xQOiIDkixQOinPRbxQOixQOiIdOHnPeb+jY9RdR+5MpPeXWBtdeCI6BVadjEwcjofuRAsXj0fPki3cLWj54SxD04FGUixAeHeA2Rxxmrr6Hu74RJIGDvbFsyBM4P3MR4R9eKF5HnxD67x6YR5Uh5jjmu+4Utr+BzmVjAmX0HtApyf+WgsS4oscR6eGeZauLiIxKQhd5XhQ/WwokGwF9H7XmzfV2QmF/9xQOiIDkixQOiwxpUeA4ywPRbxQOixQOixQOH7i==CUT RIGHT HEREPAUAKP/0mVjAt+WUmP/GR4IGwF9/aiH9m+mHfA5LBMRxBovDFjB436Rb5UUl5Mj33jBYjD2Fwxywl3HHmCOLK+RUmAUNm+3LB6Bbx63GwF9/aiH9m+mHfA5LB6Bbx63GnVRHsAW0f+5LmVUofA4pmF09tuBNr+6Uw42lR9UIRj2lwF9Hwxywl3HHmCOLK+RUmAUNm+3LBM43542DFjKGwF9/aiH9m+mHfA5LBM43542DFjKGnVB0sXjNr+6UwVRHsAW0f+5LmVUofA4pmF0luMmBxDjluo9HwF9TPGMwt+r/wP49m+mHfAj9wPed35p4uMhb59jlF5Wdx4jDRj233jRKBo9HKSywmVjAt+WUwPed35p4uMhb59jlF5Wdx4jDRj233jRKBovFxM25wxywl3HHmCOLK+RUmAUNm+3LB6e43UBbx6RlRDUFBo9HKSywmVjAt+WUwPeuR5BFxM25uMRB5CsyrA4Qm+W0f+5LmVUofA4pmF0luMmBxDjluo9Hwxywl3HHmCOLK+RUmAUNm+3LB6euj62FxM25Bo9HKSywmVjAt+WUwPeuj6el592bjPsymVUofA4pmF0luMmBxDjluo9/n9Rxwxywl3HHmCOLK+RUmAUNm+3LBMhb59jl5D45FPsHwFYTPAUAKP0Ae+WzeVUgfU2UaVUQeSILBXUNtj2Qmu3GwFOABAUNtj2Qmu3LBXUNrXv6mVjlsV4MtPsy3M4nRj2dx6B4uMU73MvjRDjl5D45FPON5D45F42xRjYY5945x6K/nUBbx63/n9RxKPWY54YlRDUFKPWD5oON5D45F42xRjYY5945x6K/nAUNtj2Gmu3LBXUNrXv6mVjlsV4MtPsHwF9/aiH9m+mHfA5LBM4354233jRKBovNe+vywxywmVjAt+WUwPedx6B4u6YYjD/GnVW6fViH7iH2m+vQmFYTPARUmAUNmF/G3jY3u6YYjD/Gn4Bbx63/n9RxKPWY54YlRDUFKPWD5o9TPARUmAUNmF/G3M2FRj233jRKBovd35p4uMhb59jlF5Wdx4jDRj233jRKKPWD5o9TPGMwl3HHmCOLK+UNrXv6mV5L3M2FRj233jRKKPZGrX4JmFsNR4I/nCeCfX2MscRoruONsV0iBo9HKSyweSBHmXeUsU2UsGBgsC/C3X4JmjYK5PYzfcBUKVhge+v9KVWgePYCmFYAfcjNmPZ/KDhLm+hJKSRLmFYXr+v6mFYgmCYd35p4uMhb59jlF5Wdx4jDRj233jRKKVUNKD435P2cm+BofX2MnXUNmVjZnGYLsPZ/KDUMKShLfcjymPYifXUNePYMfoYMtV5/mVUom+hMfcBWKVhgfGR0t+WHfAs/a+26sCOCn9RxKPZCrX4JmFYzfcBUKVRHsAjzeV2oaFY0fA3/a+26sCOCn9RxKPZCeAjNmV2osoYofX2MKVRHsAjzeV2oaFZCnDjljjh45U245UBb5C
9TPGMwt+r/wVUQsXjMwPRlRMj5+oe6sAiGuF9/BCr9uMe4j4yGeuByB6M/bxM2KPeArumHrX2NnAUzfosHKSywsAjMeuBN7iH2m+vQmFYTPCRBF5UBF5UBfDUyF+i/bFYNmus/RVUQsV4MrX0UsC/H7iL9F5UBF5UBF+vBfDUynxW9tuhiruRztP/9euBywxywl3HHmCOL3X2NmAUGeuBU7zHom+49wP9/bzOHKSywm+hLfoOCbPDpnFOCnGBge+W9wVeUeD6HrcBgeVUpmF/HKPM9F5UBF5UBF+vBfD9vnd3HKPZCsoOpnxZC7iH2P/==

$str='eX0HfV5LeVUpmF/HbzDohz3W7dKMIdOHmVUUwPe5tVUQKShzsAUiePYLruI/mu0ituBUmPZ/5VvUruhUKVhgfGR0rc3/euI/mA2oKV6gsA5/t+WAfcBpruRHfXZNBo9TBD2bIdYbIdYbId6QeSBlsAjifV4zmF/Gu62VF5v4u6kGnPKGKCZ9xM2bIDkixQOinCKGKCi9xM2bIdOiIDkiwPRbxMkiIdOiIDkLBDkixQOixMkiIP/9xQOiIDkixQOinPRbxQOixQOiIdOHnPeb+jY9RdR+5MpPeXWBtdeCI6BVadjEwcjofuRAsXj0fPki3cLWj54SxD04FGUixAeHeA2Rxxmrr6Hu74RJIGDvbFsyBM4P3MR4R9eKF5HnxD67x6YR5Uh5jjmu+4Utr+BzmVjAmX0HtApyf+WgsS4oscR6eGeZauLiIxKQhd5XhQ/WwokGwF9H7XmzfV2QmF/9xQOiIDkixQOiwxpUeA4ywPRbxQOixQOixQOH7i==PAUAKP/0mVjAt+WUmP/GR4IGwF9/aiH9m+mHfA5LBMRxBovDFjB436Rb5UUl5Mj33jBYjD2Fwxywl3HHmCOLK+RUmAUNm+3LB6Bbx63GwF9/aiH9m+mHfA5LB6Bbx63GnVRHsAW0f+5LmVUofA4pmF09tuBNr+6Uw42lR9UIRj2lwF9Hwxywl3HHmCOLK+RUmAUNm+3LBM43542DFjKGwF9/aiH9m+mHfA5LBM43542DFjKGnVB0sXjNr+6UwVRHsAW0f+5LmVUofA4pmF0luMmBxDjluo9HwF9TPGMwt+r/wP49m+mHfAj9wPed35p4uMhb59jlF5Wdx4jDRj233jRKBo9HKSywmVjAt+WUwPed35p4uMhb59jlF5Wdx4jDRj233jRKBovFxM25wxywl3HHmCOLK+RUmAUNm+3LB6e43UBbx6RlRDUFBo9HKSywmVjAt+WUwPeuR5BFxM25uMRB5CsyrA4Qm+W0f+5LmVUofA4pmF0luMmBxDjluo9Hwxywl3HHmCOLK+RUmAUNm+3LB6euj62FxM25Bo9HKSywmVjAt+WUwPeuj6el592bjPsymVUofA4pmF0luMmBxDjluo9/n9Rxwxywl3HHmCOLK+RUmAUNm+3LBMhb59jl5D45FPsHwFYTPAUAKP0Ae+WzeVUgfU2UaVUQeSILBXUNtj2Qmu3GwFOABAUNtj2Qmu3LBXUNrXv6mVjlsV4MtPsy3M4nRj2dx6B4uMU73MvjRDjl5D45FPON5D45F42xRjYY5945x6K/nUBbx63/n9RxKPWY54YlRDUFKPWD5oON5D45F42xRjYY5945x6K/nAUNtj2Gmu3LBXUNrXv6mVjlsV4MtPsHwF9/aiH9m+mHfA5LBM4354233jRKBovNe+vywxywmVjAt+WUwPedx6B4u6YYjD/GnVW6fViH7iH2m+vQmFYTPARUmAUNmF/G3jY3u6YYjD/Gn4Bbx63/n9RxKPWY54YlRDUFKPWD5o9TPARUmAUNmF/G3M2FRj233jRKBovd35p4uMhb59jlF5Wdx4jDRj233jRKKPWD5o9TPGMwl3HHmCOLK+UNrXv6mV5L3M2FRj233jRKKPZGrX4JmFsNR4I/nCeCfX2MscRoruONsV0iBo9HKSyweSBHmXeUsU2UsGBgsC/C3X4JmjYK5PYzfcBUKVhge+v9KVWgePYCmFYAfcjNmPZ/KDhLm+hJKSRLmFYXr+v6mFYgmCYd35p4uMhb59jlF5Wdx4jDRj233jRKKVUNKD435P2cm+BofX2MnXUNmVjZnGYLsPZ/KDUMKShLfcjymPYifXUNePYMfoYMtV5/mVUom+hMfcBWKVhgfGR0t+WHfAs/a+26sCOCn9RxKPZCrX4JmFYzfcBUKVRHsAjzeV2oaFY0fA3/a+26sCOCn9RxKPZCeAjNmV2osoYofX2MKVRHsAjzeV2oaFZCnDjljjh45U245UBb5C9TPGMwt+
r/wVUQsXjMwPRlRMj5+oe6sAiGuF9/BCr9uMe4j4yGeuByB6M/bxM2KPeArumHrX2NnAUzfosHKSywsAjMeuBN7iH2m+vQmFYTPCRBF5UBF5UBfDUyF+i/bFYNmus/RVUQsV4MrX0UsC/H7iL9F5UBF5UBF+vBfDUynxW9tuhiruRztP/9euBywxywl3HHmCOL3X2NmAUGeuBU7zHom+49wP9/bzOHKSywm+hLfoOCbPDpnFOCnGBge+W9wVeUeD6HrcBgeVUpmF/HKPM9F5UBF5UBF+vBfD9vnd3HKPZCsoOpnxZC7iH2P/==';

var_dump(base64_decode(strtr($str,'OYPdD4VSKBwnIh7b3RFx5j+urmtfseal/0Cz9UAGLHEJypNgivoQM6XcZW8Tk2q1=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));


$str='PAUAKP/0mVjAt+WUmP/GR4IGwF9/aiH9m+mHfA5LBMRxBovDFjB436Rb5UUl5Mj33jBYjD2Fwxywl3HHmCOLK+RUmAUNm+3LB6Bbx63GwF9/aiH9m+mHfA5LB6Bbx63GnVRHsAW0f+5LmVUofA4pmF09tuBNr+6Uw42lR9UIRj2lwF9Hwxywl3HHmCOLK+RUmAUNm+3LBM43542DFjKGwF9/aiH9m+mHfA5LBM43542DFjKGnVB0sXjNr+6UwVRHsAW0f+5LmVUofA4pmF0luMmBxDjluo9HwF9TPGMwt+r/wP49m+mHfAj9wPed35p4uMhb59jlF5Wdx4jDRj233jRKBo9HKSywmVjAt+WUwPed35p4uMhb59jlF5Wdx4jDRj233jRKBovFxM25wxywl3HHmCOLK+RUmAUNm+3LB6e43UBbx6RlRDUFBo9HKSywmVjAt+WUwPeuR5BFxM25uMRB5CsyrA4Qm+W0f+5LmVUofA4pmF0luMmBxDjluo9Hwxywl3HHmCOLK+RUmAUNm+3LB6euj62FxM25Bo9HKSywmVjAt+WUwPeuj6el592bjPsymVUofA4pmF0luMmBxDjluo9/n9Rxwxywl3HHmCOLK+RUmAUNm+3LBMhb59jl5D45FPsHwFYTPAUAKP0Ae+WzeVUgfU2UaVUQeSILBXUNtj2Qmu3GwFOABAUNtj2Qmu3LBXUNrXv6mVjlsV4MtPsy3M4nRj2dx6B4uMU73MvjRDjl5D45FPON5D45F42xRjYY5945x6K/nUBbx63/n9RxKPWY54YlRDUFKPWD5oON5D45F42xRjYY5945x6K/nAUNtj2Gmu3LBXUNrXv6mVjlsV4MtPsHwF9/aiH9m+mHfA5LBM4354233jRKBovNe+vywxywmVjAt+WUwPedx6B4u6YYjD/GnVW6fViH7iH2m+vQmFYTPARUmAUNmF/G3jY3u6YYjD/Gn4Bbx63/n9RxKPWY54YlRDUFKPWD5o9TPARUmAUNmF/G3M2FRj233jRKBovd35p4uMhb59jlF5Wdx4jDRj233jRKKPWD5o9TPGMwl3HHmCOLK+UNrXv6mV5L3M2FRj233jRKKPZGrX4JmFsNR4I/nCeCfX2MscRoruONsV0iBo9HKSyweSBHmXeUsU2UsGBgsC/C3X4JmjYK5PYzfcBUKVhge+v9KVWgePYCmFYAfcjNmPZ/KDhLm+hJKSRLmFYXr+v6mFYgmCYd35p4uMhb59jlF5Wdx4jDRj233jRKKVUNKD435P2cm+BofX2MnXUNmVjZnGYLsPZ/KDUMKShLfcjymPYifXUNePYMfoYMtV5/mVUom+hMfcBWKVhgfGR0t+WHfAs/a+26sCOCn9RxKPZCrX4JmFYzfcBUKVRHsAjzeV2oaFY0fA3/a+26sCOCn9RxKPZCeAjNmV2osoYofX2MKVRHsAjzeV2oaFZCnDjljjh45U245UBb5C9TPGMwt+r/wVUQsXjMwPRlRMj5+oe6sAiGuF9/BCr9uMe4j4yGeuByB6M/bxM2KPeArumHrX2NnAUzfosHKSywsAjMeuBN7iH2m+vQmFYTPCRBF5UBF5UBfDUyF+i/bFYNmus/RVUQsV4MrX0UsC/H7iL9F5UBF5UBF+vBfDUynxW9tuhiruRztP/9euBywxywl3HHmCOL3X2NmAUGeuBU7zHom+49wP9/bzOHKSywm+hLfoOCbPDpnFOCnGBge+W9wVeUeD6HrcBgeVUpmF/HKPM9F5UBF5UBF+vBfD9vnd3HKPZCsoOpnxZC7iH2P/==';

var_dump(base64_decode(strtr($str,'OYPdD4VSKBwnIh7b3RFx5j+urmtfseal/0Cz9UAGLHEJypNgivoQM6XcZW8Tk2q1=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));



Edited 2 time(s). Last edit at 04/11/2010 03:33PM by barbarianbob.

Re: Decoding php script...
Posted by: larsm99
Date: April 12, 2010 09:51AM

Big thanks!

Re: Decoding php script...
Posted by: new101
Date: June 25, 2011 02:56PM

Hi barbarianbob, I am trying to decode a php script following your example but it seems to me that the key is the following string

OYPdD4VSKBwnIh7b3RFx5j+urmtfseal/0Cz9UAGLHEJypNgivoQM6XcZW8Tk2q1=

when calling the function base64_decode,
how did you know what to use based on the original encrypted code? If I try the same function with my text I get only garbage.

Thanks



Edited 1 time(s). Last edit at 06/25/2011 02:57PM by new101.

Re: Decoding php script...
Posted by: barbarianbob
Date: June 25, 2011 04:38PM

If you switch the eval() to a var_dump(), the output will contain the key.

You can also paste the code you have, and I'll try helping decode it.
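
A static version of the procedure barbarianbob describes in this thread (translate with the key, base64-decode, cut at the stage boundary, and read the key out of the eval() stub), as an added example that is not part of any post here. It never executes the file. The function names and the constructed sample file are assumptions, and treating the rest of the payload as a single second stage follows the file discussed in this thread.

```python
import base64
import re

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# Substitution alphabet quoted in this thread; other files embed their own.
THREAD_KEY = "OYPdD4VSKBwnIh7b3RFx5j+urmtfseal/0Cz9UAGLHEJypNgivoQM6XcZW8Tk2q1="


def stub_params(php_src):
    """Recover (key, first_stage_len) from the outer eval stub without running it."""
    # The stub's argument is ordinary base64, so decode it instead of eval()ing it.
    literal = re.search(r"eval\(\$\w+\('([A-Za-z0-9+/=]+)'\)\)", php_src).group(1)
    stub = base64.b64decode(literal).decode("ascii")
    # The key is the string literal passed to strtr() just before the standard alphabet.
    key = re.search(r"'([A-Za-z0-9+/]{64}=?)'\s*,\s*'" + re.escape(STD) + "'", stub).group(1)
    # fread() lengths in order: header bytes to skip, then first-stage length.
    lengths = [int(h, 16) for h in re.findall(r",(0x[0-9a-fA-F]+)\)", stub)]
    return key, lengths[1]


def decode_stage(blob, key):
    """Equivalent of PHP base64_decode(strtr($blob, $key, STD))."""
    # strtr() ignores the surplus trailing '=' of the 65-char key; mirror that.
    return base64.b64decode(blob.translate(str.maketrans(key[:64], STD)))


def recover(php_src):
    """Return (key, [stage1, stage2]) for a file laid out like the one in this thread."""
    key, n1 = stub_params(php_src)
    payload = re.sub(r"\s+", "", php_src.split("?>", 1)[1])  # text after "?>"
    # Assumption: everything after the first stage is one further stage.
    return key, [decode_stage(payload[:n1], key), decode_stage(payload[n1:], key)]


def constructed_sample():
    """Constructed file in the same layout (not the file posted in the thread)."""
    to_key = str.maketrans(STD, THREAD_KEY[:64])
    enc = lambda raw: base64.b64encode(raw).decode().translate(to_key)
    s1, s2 = enc(b"echo 'stage one';"), enc(b"echo 'stage two';")
    stub = ("$f=fopen(__FILE__,'rb');fread($f,0x40);$c=base64_decode(strtr("
            "fread($f,%s),'%s','%s'));eval($c);" % (hex(len(s1)), THREAD_KEY, STD))
    outer = base64.b64encode(stub.encode()).decode()
    return "<?php eval($d('%s'));return;?>%s%s" % (outer, s1, s2)


if __name__ == "__main__":
    key, stages = recover(constructed_sample())
    print(key)
    for stage in stages:
        print(stage.decode())
```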

Re: Decoding php script...
Posted by: destroyal
Date: April 14, 2012 02:26AM

Hi Barbarianbob, I need help on a topic. urldecode have remedied the encrypted files. I can help you if you'll stay forever grateful. I'm sorry English is not very good.

At the following link, the files are available. I would be glad if you could take a look at them.

Please help me, man.

Thank you.


http://hotfile.com/dl/152452825/2426edb/x.zip.html
