Obfuscated code - please help!

Discussion in 'PHP' started by barnaby, Jun 17, 2011.

  1. #1
    Hi Everybody!
    I've been trying to de-obfuscate this code by myself for a couple of days using all the resources I could find over the internets, but with no success :(
    Any ideas how it might be approached? Every bit of help most appreciated!
    Here is the code:

    
    <?php
    // Self-decoding loader. It assembles PHP function names character by character
    // from a lookup string, then base64-decodes and eval()s a first stage that pulls
    // an encoded payload out of this same file.
    // NOTE(review): the $s{n} string-offset syntax used below was removed in PHP 8.0,
    // so this listing only parses on older interpreters.

    // Lookup string: the percent-escapes decode to 'fg6sbehpra4co_tnd'.
    $OOO000000 = urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');
    // 'base' . '64_d' . 'ecode' => 'base64_decode'. The third line takes two of its
    // characters ('e' and 'd') from the partly built name rather than the lookup string.
    $OOO0000O0 = $OOO000000{4} . $OOO000000{9} . $OOO000000{3} . $OOO000000{5};
    $OOO0000O0 .= $OOO000000{2} . $OOO000000{10} . $OOO000000{13} . $OOO000000{16};
    $OOO0000O0 .= $OOO0000O0{3} . $OOO000000{11} . $OOO000000{12} . $OOO0000O0{7} . $OOO000000{5};
    // => 'fopen'
    $OOO000O00 = $OOO000000{0} . $OOO000000{12} . $OOO000000{7} . $OOO000000{5} . $OOO000000{15};
    // => 'fget', extended to 'fgetc' and then 'fgets'. Neither name is called by the
    // first stage decoded below; presumably a later stage uses them - not visible here.
    $O0O000O00 = $OOO000000{0} . $OOO000000{1} . $OOO000000{5} . $OOO000000{14};
    $O0O000O0O = $O0O000O00 . $OOO000000{11};
    $O0O000O00 = $O0O000O00 . $OOO000000{3};
    // => 'fread'
    $O0O00OO00 = $OOO000000{0} . $OOO000000{8} . $OOO000000{5} . $OOO000000{9} . $OOO000000{16};
    // => 'strtr'
    $OOO00000O = $OOO000000{3} . $OOO000000{14} . $OOO000000{8} . $OOO000000{14} . $OOO000000{8};
    // Path of this file; the first stage opens it to read the payload stored after the code.
    $OOO0O0O00 = __FILE__;
    // 0xbe0 = 3040. Not referenced by the first stage; presumably a length or offset
    // consumed by the second stage - TODO confirm once that stage is decoded.
    $OO00O0000 = 0xbe0;
    // $OOO0000O0 is 'base64_decode'. The literal decodes to the first stage, which
    // (with the variable names resolved) is equivalent to:
    //   $fh = fopen(__FILE__, 'rb');
    //   fread($fh, 0x4fd);                          // skip the first 1277 bytes
    //   $src = base64_decode(strtr(fread($fh, 0x1c4), // next 452 bytes
    //       'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=',
    //       'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));
    //   eval($src);
    // The payload is base64 with a substituted alphabet, located by absolute byte
    // offsets. Any change to the file - a re-encoded paste, altered line endings, or
    // comments such as these - moves the payload, so decoding needs a byte-exact copy
    // of the original. For analysis, print the decoded string instead of passing it
    // to eval(), and work on a copy in an isolated environment.
    eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NGZkKTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxYzQpLCdFbnRlcnlvdXdraFJIWUtOV09VVEFhQmJDY0RkRmZHZ0lpSmpMbE1tUHBRcVNzVnZYeFp6MDEyMzQ1Njc4OSsvPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));
    // Ends execution of this file here, so the encoded bytes stored after the closing
    // tag are never emitted as output.
    return;
    ?>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oeO_y~e|AEvZv|Istd
    
    I know that the first part is quite simple: all it does is hide the real function names behind letters written as %xx escapes. Still, even after working through that part, I was not able to work out the rest...
     
    barnaby, Jun 17, 2011 IP
  2. The Webby

    #2
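    It's not the original script; a good part of it is missing. The loader reads its encoded payload from fixed byte offsets in its own file, so a copy whose bytes were altered by pasting cannot be decoded in full. Post the original script in its original form, unedited and untouched.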
    This is what I got so far, after decoding it.
    
    ript has expired.');
     require_once 'class.FilmBox.php'; JHTML::stylesheet('FilmBox.css',JURI::base().'modules/mod_framowka_preview/'); function makeRow($Row,$WordsCount,$Current = null) { if(count(preg_split("/\s/",($Row['title'])))>$WordsCount) { $tytulTmp = join(" ",array_slice(explode(" ",$tytulTmp),0,$f_config["ramowka"]["ilosc_wyrazow_w_podgladzie"]))."..."; $Row['title'] = join(" ",array_slice(preg_split('/\s/',$Row['title']),0,$WordsCount))."..."; } $Row['date'] = preg_split("/\s/",$Row['date']); $Row['date'] = $Row['date'][1]; if(isset($Current)) $Row = "
    {$Row['date']}
    {$Row['title']}
    "; else $Row = "
    {$Row['date']}
    {$Row['title']}
    "; return $Row; } $Content = $FB->About; foreach($FB->Channels as $Channel) { $id_css = isset($Channel['id-css'])&&!empty($Channel['id-css']) ?' id="'.$Channel["id-css"].'"': ''; $ChannelFilms = $FB->getFilmsFromChannel($Channel['id']); if(count($ChannelFilms)>0) { $Content .= "
    "; $Content .= "
         {$Channel['label']}
    "; $FB->PreparePreview(); $Content .= makeRow($FB->FilmPreview,$f_config["ramowka"]["ilosc_wyrazow_w_podgladzie"]); $Content .= makeRow($FB->FilmCurrent,$f_config["ramowka"]["ilosc_wyrazow_w_podgladzie"],$FB->FilmCurrent['timestamp']<=$FB->CurrentTimeStamp ?'film-current': ''); $Content .= makeRow($FB->FilmN
    
     
    Last edited: Jun 19, 2011
    The Webby, Jun 19, 2011 IP