rgksugan
Reputation: 3582
How to decode this PHP code?
I want to decode this code. I have no idea what it is, except that it is some kind of code. Can someone help me please?
<?php if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE29"))
{
function T7FC56270E7A70FA81A5935B72EACBE29($TF186217753C37B9B9F958D906208506E)
{
$TF186217753C37B9B9F958D906208506E = base64_decode($TF186217753C37B9B9F958D906208506E);
$T7FC56270E7A70FA81A5935B72EACBE29 = 0;
$T9D5ED678FE57BCCA610140957AFAB571 = 0;
$T0D61F8370CAD1D412F80B84D143E1257 = 0;
$TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[1]) << 8) + ord($TF186217753C37B9B9F958D906208506E[2]);
$T3A3EA00CFC35332CEDF6E5E9A32E94DA = 3;
$T800618943025315F869E4E1F09471012 = 0;
$TDFCF28D0734569A6A693BC8194DE62BF = 16;
$TC1D9F50F86825A1A2302EC2449C17196 = "";
$TDD7536794B63BF90ECCFD37F9B147D7F = strlen($TF186217753C37B9B9F958D906208506E);
$TFF44570ACA8241914870AFBC310CDB85 = __FILE__;
$TFF44570ACA8241914870AFBC310CDB85 = file_get_contents($TFF44570ACA8241914870AFBC310CDB85);
$TA5F3C6A11B03839D46AF9FB43C97C188 = 0;
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $TFF44570ACA8241914870AFBC310CDB85, $TA5F3C6A11B03839D46AF9FB43C97C188);
for (;$T3A3EA00CFC35332CEDF6E5E9A32E94DA<$TDD7536794B63BF90ECCFD37F9B147D7F;)
{
if (count($TA5F3C6A11B03839D46AF9FB43C97C188))
exit;
if ($TDFCF28D0734569A6A693BC8194DE62BF == 0)
{
$TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8);
$TF623E75AF30E62BBD73D6DF5B50BB7B5 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]);
$TDFCF28D0734569A6A693BC8194DE62BF = 16;
}
if ($TF623E75AF30E62BBD73D6DF5B50BB7B5 & 0x8000)
{
$T7FC56270E7A70FA81A5935B72EACBE29 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 4);
$T7FC56270E7A70FA81A5935B72EACBE29 += (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]) >> 4);
if ($T7FC56270E7A70FA81A5935B72EACBE29)
{
$T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) & 0x0F) + 3;
for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $T0D61F8370CAD1D412F80B84D143E1257++)
$TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257] = $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012-$T7FC56270E7A70FA81A5935B72EACBE29+$T0D61F8370CAD1D412F80B84D143E1257];
$T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571;
}
else{
$T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8);
$T9D5ED678FE57BCCA610140957AFAB571 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) + 16;
for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571;$TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA++; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } } else $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]; $TF623E75AF30E62BBD73D6DF5B50BB7B5 <<= 1; $TDFCF28D0734569A6A693BC8194DE62BF--; if ($T3A3EA00CFC35332CEDF6E5E9A32E94DA == $TDD7536794B63BF90ECCFD37F9B147D7F) { $TFF44570ACA8241914870AFBC310CDB85 = implode("", $TC1D9F50F86825A1A2302EC2449C17196); $TFF44570ACA8241914870AFBC310CDB85 = "?".">".$TFF44570ACA8241914870AFBC310CDB85."<"."?"; return $TFF44570ACA8241914870AFBC310CDB85; } } } } eval(T7FC56270E7A70FA81A5935B72EACBE29("QAAAPGRpdiBzdHlsZT0iY2xlYQAQcjpib3RoOyI+PC8BoD4NCg1ABQoCMmlkPSJmb290ZXIiAVIJAWIACGNsYXNzPSJiaW5mbwMwYSBoAAByZWY9Ijw/cGhwIGVjaG8gAABnZXRfb3B0aW9uKCdob21lAAwnKTsgPz4vIiB0aXQHQQKzYmwhuG9nBEEoJ25hAkUGgSAAGAKvAqU8L2EAAD4gQWxsIHJpZ2h0cyByZXMEAGVydmVkDDUJRGVzaWduZWQgCABieSA8ClVodHRwOi8vd3d3LgAAd2ViaG9zdGluZ3JhbGx5LgBAY29tL1dlYi1IAVMvQnVzaW4IBWVzcy0BWC5odG1sIiA+AcUgAcBgwCADFAkRLiBDb2QHPwcxbW1vaHV0wAIGYQQARnJlZSBNTU9SUEdzA4EgYAp8Cj8KMGNvbnZleWFuYwpQLhSRcwAKb25zYWxlLmNvLnVrBIBDAhggAGBTb2xpY2l0b3IFPw9ncGhvdG8YkGFkcwQ3HOFpZmkLYEFkA6IuIFBvHCB3ZXIBEBOvE6NvcmRwFwBzLm9yZwtwLyI+VwEAUAEBDLEuI+IkhyFiZG9fYUcEYyEDd3BfJTMhUwLsL2JvZHkmwDwvgAAWoT4=")); ?>
Upvotes: 1
Views: 4741
Answers (3)
Edmhs
Reputation: 3731
if its a wordpress footer,
Click on view source and copy footer html in this decoded php, and then just edit it
Upvotes: 0
aefxx
Reputation: 25249
That's what it looks like when de-obfuscated. As Matti pointed out already, it's a footer, haha. All that bitshifting is done to remove non-printable characters which I have substituted with # in the argument string to the end of the code.
<?php
if (!function_exists("fn")) {
function fn($arg) {
$arg = base64_decode($arg);
$fn = 0;
$x = 0;
$y = 0;
$z = (ord($arg[1]) << 8) + ord($arg[2]);
$i = 3;
$j = 0;
$k = 16;
$str = "";
$strlen = strlen($arg);
$file = __FILE__;
$file = file_get_contents($file);
$matches = 0;
preg_match(/(print|sprint|echo)/, $file, $matches);
for (;$i<$strlen;) {
// THIS LINE HERE'S HILARIOUS!!!
// IT TRYS TO PREVENT ONE FROM ECHOING ANYTHING WITHIN THAT CODE
if (count($matches)) exit;
if ($k == 0) {
$z = (ord($arg[$i++]) << 8);
$z += ord($arg[$i++]);
$k = 16;
}
if ($z & 0x8000) {
$fn = (ord($arg[$i++]) << 4);
$fn += (ord($arg[$i]) >> 4);
if ($fn) {
$x = (ord($arg[$i++]) & 0x0F) + 3;
for ($y = 0; $y < $x; $y++)
$str[$j+$y] = $str[$j-$fn+$y];
$j += $x;
} else {
$x = (ord($arg[$i++]) << 8);
$x += ord($arg[$i++]) + 16;
for ($y = 0; $y < $x; $str[$j+$y++] = $arg[$i]);
$i++;
$j += $x;
}
} else $str[$j++] = $arg[$i++];
$z <<= 1;
$k--;
if ($i == $strlen) {
$file = implode("", $str);
$file = "?".">".$file."<"."?";
return $file;
}
}
}
}
$obfusc = <<<EOT
@##<div style="clea##r:both;"></##>
@#
#2id="footer"#R #b##class="binfo#0a h##ref="<?php echo ##get_option('home##'); ?>/" tit#A##bl!#og#A('na#E## ######</a##> All rights res##erved#5 Designed ##by <
Uhttp://www.##webhostingrally.#@com/Web-H#S/Busin##ess-#X.html" >## ##`# ## #. Cod#?#1mmohut###a##Free MMORPGs## `
|
?
0conveyanc
P.##s#
onsale.co.uk##C## #`Solicitor#?#gphoto##ads#7##ifi#`Ad##. Po# wer######ordp##s.org#p/">W##P####.##$#!bdo_aG#c!#wp_%3!S##/body&#</####>
EOT;
eval(fn($obfusc));
Upvotes: 6
Matti Virkkunen
Reputation: 65136
It's a footer that belongs to the free WordPress template you downloaded. If you want one without a footer, you have three options:
- Find one
- Make one
- Buy one
(I always find footers like this really cute because they're so easy to get rid of - but it would seem there at least one person who hasn't figured how to do that yet. And the thing even tried to prevent me from decoding it by actively looking for such an attempt!)
Upvotes: 8
Related Questions
- What is this encoding, and how do I decode it?
- What encoding is this?
- How to convert this PHP code to normal look?
- Decoding this PHP?
- Which encoding is this?
- How to decode this php code in one of my script
- How to decode the following code in Json?
- Decode a special character...?
- Is there a way to decode this PHP code?
- How to read this php code?