I just downloaded a php script, one of the file in the script is encoded and I want to ensure it doesn't have anything malicious! Any help would be much appreciated! <?php /* Obfuscation provided by FOPO - Free Online PHP Obfuscator: http://www.fopo.com.ar/ This code was created on Friday, May 5th, 2017 at 8:50 UTC from IP 119.30.32.75 Checksum: 82d7d2ff182bd644af9f894ac11882edadb14f75 */ $uf8e059e="\142\141\163\x65\66\x34\137\144\x65\143\x6f\144\145";@eval($uf8e059e( "Ly9ORE5QLy8wSXZnTjd1cm9XQ1pDVVlKRmpVdXg1Kzk2dzJWbUo3c2hIK0YvNGZWa1JMTXF1QStJTVd OZlhicUdBQWJyUXZlL3VlUzU5YkdidGNYQ2UxUmdMc0N6aXJTRXo1WTdKZ2hhTmtneHVKREg2V3orTk1 ZNFpMRW0wbEU1U05OQzlFMWhhUmhRNUZBdjZWYkpSMmV5aXNsMENYQjV2M2pxN3BlY3FjVm9uMWVTSUV EbTVnS05YUGczZm1PUmJxQ2JpVEFTMWJXN3JQTXJ5REVWcHpqTHd6c1FIUjZTeG9yMU5oT3BHQmZ0Rjh yMnh3SXdqZFk3bUVBVHFqK2p4Y01kUjVHQ013SlY2NWdJcnFreXcweTE2NjBFSUhqRldHTlk0dFJ3cTF wZFM4ZkpVdFQzbW9HMzhCMHVybDYzYW0zbXJyZ0YzZU9QS0V3dlBHdHROMUZzR1VWV09OT28zMWE4MXF 1RVpuc2gvWTZ3WFpvNmlDV3pjSk1ZWVRSRHBJaGxPRXpQNTdJS2o0RXA1Nm9WaE9BRldxcDVCUE5PVXF zV1p5bXdUNHl3Zlg0TVoyQ3ZBbXFxWEQwaVAxVVM0M2xKTFBDK2lKT200MHlVb0I2TVo4MStQakFZMVl 2dFNwbG5MN1g0ank4Y1EvKy9CRHp0YnM2TlJmMVlDMVFsQVdoT3d2Z0t1UFBuUC83cE93djIzeVNTV3R HZCtWMnBZWnhKTllsVTduNGk3eDNVQmFPUmIvTUx2eiszOG5GR1I2TFd3MVl3bWxDdHBacGMwL3UrTjd KaVpLa08zdkEyeFErcDR3RUpla3JmV0hjNTdzNkRrTjB1c1EvNXZtSmV6WVFhNmxVM1pkeW4va01jQzN aYmFEQUMxVWozSGw2YXR1b2ZzUDkzYkwvYWhOZzdDMUQ9PTp4bGtDdm92L0tUSVE1aFZaSWZvKzJKcE8 6czY2b3NvOXAKJGoxZDhkYWUwPSJcMTYzIjskYWMzZjg0NDE9Ilx4NjciOyRnMDQxOGFmYj0iXHg3MCI 7JGwzMTdiYTUzPSJceDY1IjskdWY4ZTA1OWU9IlwxNDIiOyRqNTZlNWEwMT0iXDE2MyI7JHI2YjNmZGY wPSJcMTYzIjskZWMyZWFlZmU9IlwxNDYiOyR5YThmNmIyYT0iXHg3MiI7JGoxZDhkYWUwLj0iXHg3NCI 7JGo1NmU1YTAxLj0iXHg3NCI7JHVmOGUwNTllLj0iXDE0MSI7JGcwNDE4YWZiLj0iXHg3MiI7JHI2YjN mZGYwLj0iXDE1MCI7JGFjM2Y4NDQxLj0iXHg3YSI7JHlhOGY2YjJhLj0iXDE0NSI7JGVjMmVhZWZlLj0 iXDE1MSI7JGwzMTdiYTUzLj0iXHg3OCI7JGVjMmVhZWZlLj0iXDE1NCI7JGcwNDE4YWZiLj0iXDE0NSI 7JHVmOGUwNTllLj0iXHg3MyI7JHlhOGY2YjJhLj0iXDE2MyI7JHI2YjNmZGYwLj0iXDE0MSI7JGFjM2Y 4NDQxLj0iXHg2OSI7JGoxZDhkYWUwLj0iXDE2MiI7JGo1NmU1YTAxLj0iXHg3MiI7JGwzMTdiYTUzLj0 iXHg3MCI7JGoxZDhkYWUwLj0iXDE0MyI7JGcwNDE4YWZiLj0iXHg2NyI7JHlhOGY2YjJhLj0iXHg2NSI 7JGVjMmVhZWZlLj0iXHg2NSI7JGo1NmU1YTAxLj0iXDEzNyI7JHVmOGUwNTllLj0iXHg2NSI7JHI2YjN mZGYwLj0iXHgzMSI7JGFjM2Y4NDQxLj0iXHg2ZSI7JGwzMTdiYTUzLj0iXHg2YyI7JGoxZDhkYWUwLj0 iXHg2ZCI7JGwzMTdiYTUzLj0iXHg2ZiI7JGcwNDE4YWZiLj0iXDEzNyI7JGo1NmU1YTAxLj0iXDE2MiI 7JGVjMmVhZWZlLj0iXDEzNyI7JHlhOGY2YjJhLj0iXHg3NCI7JGFjM2Y4NDQxLj0iXDE0NiI7JHVmOGU wNTllLj0iXDY2IjskdWY4ZTA1OWUuPSJcNjQiOyRlYzJlYWVmZS49IlwxNDciOyRqNTZlNWEwMS49Ilw xNTciOyRnMDQxOGFmYi49Ilx4NzIiOyRsMzE3YmE1My49Ilx4NjQiOyRqMWQ4ZGFlMC49Ilx4NzAiOyR hYzNmODQ0MS49Ilx4NmMiOyRnMDQxOGFmYi49IlwxNDUiOyRqNTZlNWEwMS49Ilx4NzQiOyR1ZjhlMDU 5ZS49Ilx4NWYiOyRhYzNmODQ0MS49IlwxNDEiOyRsMzE3YmE1My49IlwxNDUiOyRlYzJlYWVmZS49Ilw xNDUiOyR1ZjhlMDU5ZS49Ilx4NjQiOyRlYzJlYWVmZS49IlwxNjQiOyRqNTZlNWEwMS49Ilx4MzEiOyR nMDQxOGFmYi49IlwxNjAiOyRhYzNmODQ0MS49IlwxNjQiOyR1ZjhlMDU5ZS49Ilx4NjUiOyRqNTZlNWE wMS49Ilw2MyI7JGVjMmVhZWZlLj0iXHg1ZiI7JGFjM2Y4NDQxLj0iXDE0NSI7JGcwNDE4YWZiLj0iXDE 1NCI7JHVmOGUwNTllLj0iXDE0MyI7JGcwNDE4YWZiLj0iXDE0MSI7JGVjMmVhZWZlLj0iXHg2MyI7JHV mOGUwNTllLj0iXHg2ZiI7JGVjMmVhZWZlLj0iXHg2ZiI7JGcwNDE4YWZiLj0iXHg2MyI7JHVmOGUwNTl lLj0iXHg2NCI7JGcwNDE4YWZiLj0iXHg2NSI7JGVjMmVhZWZlLj0iXHg2ZSI7JGVjMmVhZWZlLj0iXDE 2NCI7JHVmOGUwNTllLj0iXDE0NSI7JGVjMmVhZWZlLj0iXDE0NSI7JGVjMmVhZWZlLj0iXHg2ZSI7JGV jMmVhZWZlLj0iXHg3NCI7JGVjMmVhZWZlLj0iXHg3MyI7JHA3ZjdhMjk3PSRsMzE3YmE1MygiXHgyOCI sX19GSUxFX18pO0BldmFsKCRqMWQ4ZGFlMCgkcjZiM2ZkZjAoJGcwNDE4YWZiKCJceDJmXDEzNFx4Mjh ceDVjXHgyMlx4MmVcNTJcMTM0XHgyMlx4NWNcNTFceDJmIiwiXDUwXHgyMlw0Mlw1MSIsJGcwNDE4YWZ iKCJceDJmXHhkXHg3Y1wxMlw1NyIsIiIsJGVjMmVhZWZlKCR5YThmNmIyYSgkcDdmN2EyOTcpKSkpKSw iXHgzOVw2NFx4NjVcNjVceDM5XDcxXDYwXHgzOFx4MzVcNjZcNzBcMTQxXDE0MVwxNDZceDM2XDY2XHg 2Mlx4NjZcNzFceDMwXHgzNVwxNDRceDY1XHgzMFw2NFw3MFx4NjNceDY1XDcwXDE0Nlx4MzhcNjBcNzB cNjRceDM5XDE0NVwxNDNcNzFcNjdceDM5Iik/JGFjM2Y4NDQxKCR1ZjhlMDU5ZSgkajU2ZTVhMDEoIkN JQ1VkaEdWU2lsS0ZsOTYwUllyMEdqTHJNSVpGRmM1cEdzbDNjSjhpYTZkK21UR1JQREVGSER4Rk00c0o wVXlSUjdhLy9pNnV3VXhOL3RvV2dRQ3dhOEdrQ3JXTGc4YUthamI5eHJQWnNHN1dWYkNDd2RPcy8zNlJ ucWJESlJML1pxQ3NjOXgvTjN3OEJwai8vT0NOV1MrOEJVeGk0TFRXM1Y4dWE0b0dpV0c5UWhXRUM3c0R 2Ty8wYTllaW0wYitpS2U3M2xDaDUvLzFzbTg4citTcy82SzlDQlkwbEgxbTZHTkZmTVNJODRYRzlNRDI xNkRIOTM4aW9MWnc3Q0RKQms0YmdwRXVBUDNGUVd1ZktwZGRTWElWZGR0OHhqVmJHUnlSUERXTEwyWWR Pb1ZTWUdQU0RTUnhaU29ZUDdwSWF2ODQxSUhJc1M2dHViUFl3S3ZsSkYzemFrTjAxb2NkM0JCT3N6ZDZ GNzJIQ3lhTytjaS80amMya1hBL3pIbGJaVGhQNVdGZTF5RmFvUVlzU1BoeStOcXdSV1YrbE9vZGxOTGp KRVpOd1B0a3RwVzFoT2xZdEQ3ZEZaek5Jc2hpY2gyaHp4S1dkaW5CTUZ5OWJXSENFK0YwR25ZSGlnSkM 1NkxUd1ZuNnJmRVNFUkMvUnZCTmRwUGFRQ1owZnZIWFFBZ3RIU1ZjVE1uYy9yM0VKL0V4Z0hwQ0lXSHZ NbXdsS0ozYlUyVXNPQ3QrSkE4aDVoUzBFWVNqSUU0WVFtSVV0WUhCVzZvd0w4Y3pZMjdlRlc1U1ZKbUF nQnlVSEF6dDJma0svRDRGZEdrWVdXSGxodFZaQ2RvVWUzM3REKzc1andGUXpaQkI2bE1DVDllYno5RGp 6UG1qckhMTjNLSThadmdZaCtjN2hHWXFKK3hZSm0wM3hCVENCVlZuVkgyY0xiN3dJeWZGUm5SREcwVzN nMzBwcmRnNXlVdm5PM1hsc0pKbGZGdVBVaFJselp3WE1idm80eXB5SHlwMTkwR1BnWGg3eGMvaEIxaEo xQnNQeCtMYXBvdmlVY2VKbEV2WFQ1QXlwVFpmZ3dVNG9CeENCQlBKMWJsZzNaa2ZFKzB1a2N3TGRuamd nTEdYY1Q1bURXMHY1QmxlbjU4dEl3dkxBa0tQbHBIUzBWbmJ6bHhCN3RyQkh0enhUSVdodzhXYVRJNnh CNlp0YThWZVVkSGtIZnNITzNNSmVoNFRmVUlTQzNXaTcwN3hTdGVFL1FqOFNsd2x3dzlvdk5zazlYK3N vOWN4Zk1HY3RTMVRUQ0FFVmx3RkhiRTU1ajQ3V2toaHB0aSs3ZWlXQW5uRXJkSEZTOEFmL0hSeU5FQnF 6T2Q0ZTBWRWFNQkcybVVxeW51ZERWQ2NuWEk3RFViazdzNDFUM1FyR0l1alJUeDRzWGdjVVYzckIxZTB zYWYrQVBqajR5VmIwbHRBT0MxNVZJTmFldG1kZHBRaytyL0o3WVk5dzdOOElQZmt1MXRCbDRLTFpSTlc 2SzAwWmowdWwrL3BVcTY4UEpiM29lSXM0S2E1TUl0MEFVYlZoaDlabUFYemxJMzY3VDJDZjFVY1pZVlh WSStqbTRmRVQwR3ErTU1hU3Y2UEFrOGcyQnFhTlR6WG5BblRycHQveGVOZ3FnOVo0cnpQazJoMjJIdEZ ndVd5eThseUhTRG10anJwOVZKb3dsQzhFQTk3SUgyRGY4VFYyMmUvd2ppeXBlNzJHRXZPbDR3cmNOVXl CZE9HVGtkY2pVRWJJMjhpMUlXSjR6YWQwVkxLN1B0cHRFbGVYR01YREZ5Zjc2dDd6YVZqdDV5aWQ1TE9 ON3hWOU1kTklLcDNPTzVwQ2NGcnNXSlY0d3A1NGRxRmtDSnFNOGMzcmxUZkpwT25WOHpkQmN2YnpzUWp PSWxNTzljTWhrbXM5U3dEeWFFUFNaSU5EMndVME4zZnFOV05iOWdNWlg1UTF6YTdRRG5ucjZpTTh3QXF 6eEhmYjR5ZGdsSWZ4RGpYNHRMM2l4blFudU9CZUhGUjVNekVrOXIrUkd3bWpSSHVrcFp4TEtIcFFlYUZ lMEhUOTFtdHJyeFcwNG5EWG5Yem0zOEtMMnZoSXZZeW12S1hPM25Qay9HNlF0NktVaDQ4SVhlcE9hV1Q 4bnJsNFRnclp1ZXVleCthYXMycnRiQ0I5K2tYTFBqSnVEb0N2ODNsZUpCd25LeVpld1ZKMXRPNlRtQU4 wNEh6SnR6MUhiYlRGYXBOWXhLYWVHSGVHamhXYjJkN1Y2ajBOWnY2Nm1mWmM5RGtLTEpwRXFwY1J3alJ KMUZqaU11SmVFdHFuZlIxS01KZHFNODBNSXdpMDF0VDQrREU2L0dQZkRsQW9mUzZDS0JWYkRVVXVhQjZ lVm5nb3dXNjZBRTVHYnN1ZTA1QXZaWkloMFJwRmNKclhKYmdmNHF6TFYzZDVVT21YQW1kQlpiNmFKZFB mTGJWT3ZZMFZzK1daZFlkRlJab2FFRXJ1UnU2L2FtVlBoS2s5cEdBRWtKdHQzNDQrbmZBdGJSMTRvRnQ wOXRONTFzSXk1Z1dncXp4dnhhNzRpOEdCZ2czSlAzM29UY1M5ZXBJT0hhY050TGFwVklVQ0Rld2c0SmF jL2kwU0xpNTU3UnYwQmt5NDNNSW94QWF4TTJzSko5aFRRamNibm51YVJRSm4xSzRpN2xhaGNhQ2I0K3E yQUhvcjhZZ2R6RkY5WTRZeXNITW1QSXZERDZqbVZ4ZS91ajZheXE4QmpkbnJFUk1BZHk2czNCZGtPeVB EdGtFQ0xNU04vQWtyL0liVjJXaUxUeUV6UkRkUHZ0Slk3Kytka3Mvak49IikpKTokYWMzZjg0NDEoJHV mOGUwNTllKCRqNTZlNWEwMSgiQ0lHTWVkWjRSQzJLZDM3YkhFN0x3TlQxSmNkamVrcFBXUk8wSzF3WlJ pTGdSWTUrMHczZGd6RklHNTA2SUZLTTVKOWVtdlhwNWdRQ3dsOFB4Uzg3V1k0VkZZMGcvREt1U2pFc0I 1Mi9Sc3dnMks4bXMvVVV3MjlrRmhIZk5aRWlCc0IxWi9SS0RFQWlSZTAzc1cvTzIvL1RtTy9PdDRuVnd pU3N0YzJ1M2VLck9SQytLK0pLL01LOUltUTFTeVVIazQ5LzBHQWhpaStnOC8zb2E0bi8vMDMxL0hCak9 OZ3lxK1FyK2NhaHl6ZVhXTC8wVTBkdVdNM2ZZc1g0M2NveDNRakwwdzI3TkszdlkyRkttM1dYQjR3d2d RV3dSNDVkYXZZdGFENmVuQk5kUmtRb0pjQ25KYXBQVk5hbHVHQTJhZW56TXA1SXkzSkZ2VlYwa3VORFU wRUlzeTFqSXZsQWtiQWhmdDJOcHpDRnFPeXBNQmJ0TmkxUTUya1UvM0QrZDBManVNekJJeHNSbWlCWU1 sQXBWRXhRMkRlT0dJSXlzR1dNd1RSOVdlRDFFRUhMSXpOY21wM2NONzA3Z2tKeDJuTUFYNXl6MXZqRUp DSzVZemZvYUxXemM1aEdLNXNjSDBScTcxdlNoajRGUitkUHFVWlJtc25OZlc0NjI0a2I2cHVabjIyNzR KVFJzVFdveWZpT1hjV0xYdlVaeHA0VENWQmsyQWphYkptSys5eGxqYlhSZmlwMG9xMzVNUmMwZEpGaGR QaDVIWWFDYnF3aWw1M1k2dHNWM25nejkrZWFZQllNQlhFZWNxQmRoTGVrcVQ0c0xySjJRTmNEZWFjTWd nQkdTRDA1MXFLalhxNGxnZnJLMWEzMXVFeG9rampWckFSejdlQjYwSkt3TDNveWI3QXJCOE93am5iZ3F 3aXcxMVRGVGVveCs5TkZrQzFMa0pneUpBUXRwd3Z5RW1EQUNQcFdWdlB5WWYxbnI4Z1plT0xpcFA2aU0 yQzJmZDFYMVYyUTJsaFgxaXBBV0hkSmxPZ21iSmo1aGxRTFNDRFZoRmhub2lRUmJXditJZml5U1lTM2x uRXZybG1NcGZHaWM5STYwcHQvdzR4NU9TbXRpeFB4VUZEb21VYk5naEtISnRLakE1YVRONUkzd1VsN0V pdU1IcUNUNGJsWklKL3gxU3c1MndUZzU4QWtGdWF3YlpnYU0raGRNcmdLbVBxczZkREpMaHBmeDJQWGZ OcGMveWpRdGxWR0pMNEx3eC9aKytOVkdlS3BlV0J5VlkzTDZPcC84dXo3SEJhVEtnSmFhNTFSbXQycVI yNE9JVUwwT1phKzhPZHRVdzdDZ1FEbER6eVVQbHNwdzRJY2tOM2wwVjloOXF0RDB1RndXRGVuQ0lDQmV kWm94Rm9BZkpNQ1Bib0ZCODN2bkorOE80U3VtY3NLSmR2TFg3bnFWMktnWDNkdUZpT1lxOTlXeERlOGV 5OEF1TEJZREYzTFlkMmFQc1dHVDc0c2l1dUZEL2NSYXNKUmRmLzBJUVdMNXpyVitLejFRYitoSlpHZDh OWFBUL21XOEw0ZkRIR0h6ZGltQlVFSFUzQWpKM1VKZytsSGhEWlNHNlRhNVVWN2xDZnFZL0xaamtzMjZ KU0twakRaZlViL24wZ2tZdkJycElXbGRvcllkSFZxZmJQNitQK1pHbW9QMmxMd2F4cFZuekovci9OMkV xckwzUGs4YTNCZ3NYb2tNV1VkbFNISzYrbmx2U2p5cGRRNDE2ZGRqTGEzT25janFQVittY2VSVTBHbys zSU5NYm9makRkV2xlSkpWNW8xbTlKejNmeUpBODlxVzRmSzNORUhUY3g4Q3ZkM1Y0WTJuWWF2akd5N2R tK3pyRldTampTSlcyaCtVMUlyNjN5ZGhjZmFxYzY5SGF6cmRZN2hhTXJ0Mi9VTGRkakw0ZUloeHRUZTc 3UmM5SmZRK2FsdGtiUjlVYTVmZDNmcStXUm9rcmgrVWFBMVl2c3FTWnlseTdZV0wwWm5TZXB6R2dTakV IVVBFQ3FSb0tLbktzYTd1R0VQVk9SQkhPaW1wdGVTMmxnb2UzUkxLZUl2TjJzVEpDY0VQOWY1VFlZeUN JT0N1NUtHRUNyelVxRVRKK0dRYk1qdm05RDdNVGRPcGhKTkJHOW1vVEtkSjF2blEyOHVnaXc5eEpTSXZ 0RFRCMzJYQzM5Ky9DQXJDLzRRIikpKSk7")); ?> PHP: The reason why I want to decode is to check what's being run and then edit if necessary.
Without the decipher-key, you will not be able to de-obfuscate the code, unfortunately. Unless you start manually deciphering the content of the code - it is possible to reverse, but it will take quite a bit of work. Unfortunately, I don't know FOPO, so I can't help you there.
<?php $data = pkgrab('http://m.egyoutube.com/ytapi.php?id='.$vid.'&site='.$siteName); echo $data; function pkgrab($url) { $agent= 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322)'; $ch = curl_init(); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_VERBOSE, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_USERAGENT, $agent); curl_setopt($ch, CURLOPT_URL,$url); return curl_exec($ch); curl_close($ch); } ?> PHP: Does that look about right? Obviously I can't confirm whether this is accurate as I have no idea what the script is supposed to do?
If you had the cipher key it wouldn't be an issue. I assume you don't have it. http://fopo.com.ar/ As @PoPSiCLe suggested, try do de-cipher it manually: