PHP Forum

**dansgalaxy** · 09-19-2007, 03:33 PM

hey, im looking at a script which has been "encrypted"

but it looks like a fairly simple algarithum

PHP Code:


			
<?php $GLOBALS['HTTP_SERVER_VARS']["\104\117\103\125\115\105\116\124\137\122\117\117\124"]="\56\56\57"; require_once "\56\56\57\164\167\141\164\143\150\137\151\156\143\154\165\144\145\57\147\145\156\145\162\141\154\56\160\150\160"; require_once "\56\56\57\164\167\141\164\143\150\137\151\156\143\154\165\144\145\57\155\165\154\164\151\165\163\145\162\56\160\150\160"; $GLOBALS['vs9ns2uy']=false; $GLOBALS['vxls96qn']=true; vne1kf1x(true); echo "\120\110\120\40\126\145\162\163\151\157\156\72\40".phpversion()."\40\55\40".php_sapi_name(); echo "\40\55\40\127\145\142\40\123\145\162\166\145\162\72\40".$HTTP_SERVER_VARS["\123\105\122\126\105\122\137\123\117\106\124\127\101\122\105"]."\40\55\40".php_uname(); $vh55baox=vfolgqw1(); foreach($vh55baox as $vivy561h=> $v7ekwth8) { $GLOBALS['adl_alt_instance']=$vivy561h; vncasydp(false); echo "\74\142\162\40\57\76\111\156\163\164\141\156\143\145"; if(!vsskumkc()) { echo "\105\122\122\117\122\40\103\117\116\116\105\103\124\111\116\107\40\124\117\40\104\101\124\101\102\101\123\105"; continue; } echo "\40\115\171\123\121\114\72\40".mysql_get_server_info(); if(!$vb1cxalr=vaqc694a("\163\145\154\145\143\164\40\146\151\145\154\144\54\151\146\50\146\151\145\154\144\40\151\156\40\50\47\144\141\166\141\151\154\47\54\47\156\144\143\154\145\141\162\47\54\47\146\151\162\163\164\47\54\47\154\144\143\154\145\141\162\137\163\47\54\47\154\155\143\154\145\141\162\137\163\47\51\54\146\162\157\155\137\165\156\151\170\164\151\155\145\50\166\141\154\165\145\51\54\166\141\154\165\145\51\40\146\162\157\155","\147\145\156\145\162\141\154","\157\162\144\145\162\40\142\171\40\146\151\145\154\144")) { echo "\74\142\162\40\57\76\105\162\162\157\162\40\147\145\164\164\151\156\147\40\151\156\146\157\40\146\162\157\155\40\147\145\156\145\162\141\154\40\164\141\142\154\145"; } else { echo "\74\142\162\40\57\76"; while($vxtcw136=mysql_fetch_row($vb1cxalr)) { if(!preg_match("\57\144\157\156\164\143\157\165\156\164\174\167\156\141\155\145\174\162\145\154\157\147\151\156\174\164\172\156\141\155\145\57",$vxtcw136[0])) { echo "\133".$vxtcw136[0]."\135\40".$vxtcw136[1]."\40"; } } } if(!$vb1cxalr=vaqc694a("\163\145\154\145\143\164\40\143\157\165\156\164\40\146\162\157\155","\150\151\164\163","\157\162\144\145\162\40\142\171\40\144\164\40\144\145\163\143\40\154\151\155\151\164\40\67")) { echo "\74\142\162\40\57\76\105\162\162\157\162\40\147\145\164\164\151\156\147\40\154\157\141\144\40\151\156\146\157\162\155\141\164\151\157\156"; } else { while($vxtcw136=mysql_fetch_row($vb1cxalr)) { echo "\133\154\157\141\144\61\135\72"; while($vxtcw136=mysql_fetch_row($vb1cxalr)) { echo "\55".$vxtcw136[0]."\40"; } } } if(!$vb1cxalr=vaqc694a("\163\145\154\145\143\164\40\163\165\155\50\143\157\165\156\164\51\40\146\162\157\155","\160\141\147\145\163\143","\147\162\157\165\160\40\142\171\40\144\164\40\157\162\144\145\162\40\142\171\40\144\164\40\144\145\163\143\40\154\151\155\151\164\40\67")) { echo "\74\142\162\40\57\76\105\162\162\157\162\40\147\145\164\164\151\156\147\40\154\157\141\144\40\151\156\146\157\162\155\141\164\151\157\156"; } else { while($vxtcw136=mysql_fetch_row($vb1cxalr)) { echo "\133\154\157\141\144\62\135\72"; while($vxtcw136=mysql_fetch_row($vb1cxalr)) { echo "\55".$vxtcw136[0]; } } } if(!$vb1cxalr=vaqc694a("\163\150\157\167\40\164\141\142\154\145\40\163\164\141\164\165\163\40\154\151\153\145\40\47{$adl_pre}\_\45\47")) { echo "\74\142\162\40\57\76\105\162\162\157\162\40\147\145\164\164\151\156\147\40\164\141\142\154\145\163\40\163\164\141\164\165\163"; } else { echo "\74\142\162\40\57\76"; for($vxdg2sdk=0;$vxdg2sdk<mysql_num_fields($vb1cxalr);$vxdg2sdk++) { $vypo7kth=mysql_field_name($vb1cxalr,$vxdg2sdk); if($vypo7kth=="\116\141\155\145"||$vypo7kth=="\111\156\144\145\170\137\154\145\156\147\164\150"||$vypo7kth=="\104\141\164\141\137\154\145\156\147\164\150"||$vypo7kth=="\103\157\155\155\145\156\164") { echo $vypo7kth."\55"; } } while($vxtcw136=mysql_fetch_row($vb1cxalr)) { foreach($vxtcw136 as $v2y8fsh6=> $vjazm6in) { $vypo7kth=mysql_field_name($vb1cxalr,$v2y8fsh6); if($vypo7kth=="\116\141\155\145") $vjazm6in=substr($vjazm6in,strlen($adl_pre)+1); if($vypo7kth=="\116\141\155\145"||$vypo7kth=="\111\156\144\145\170\137\154\145\156\147\164\150"||$vypo7kth=="\104\141\164\141\137\154\145\156\147\164\150"||$vypo7kth=="\103\157\155\155\145\156\164") { if($vypo7kth=="\116\141\155\145") $vjazm6in="\133".$vjazm6in."\135"; echo $vjazm6in."\55"; } } } } } ?>

anyone got any idea what kind of thing has been done?
</B>

**coolkbk585** · 09-19-2007, 07:12 PM

It looks like all of the information for the un-encryption would be in the MySQL database. o_O

**dansgalaxy** · 09-19-2007, 07:25 PM

thanks, ill have to have a look... but i think the install is encrypted too, so how could that work? maybe install isnt. thanls

**Christopher** · 09-19-2007, 07:51 PM

They are just a bunch of characters expressed in octal notation. In double-quotes the escape sequences are evaluated to real characters. Just copy and paste the strings into a php script and echo them out to find the value.

PHP Code:


			
$str = "\104\117\103\125\115\105\116\124\137\122\117\117\124";
echo $str; // DOCUMENT_ROOT

See http://ca3.php.net/manual/en/languag....syntax.double

**dansgalaxy** · 09-20-2007, 07:53 AM

So how could i write a script to decode it?

what function or what ever could i use to convert

**Inet411** · 07-06-2008, 10:17 PM

Your decoded script:

I just echo'd out the entire file.

ie. echo "{the file here}";

PHP Code:


			


    $GLOBALS['HTTP_SERVER_VARS']['DOCUMENT_ROOT']='../';
    echo '../twatch_include/general.php';
    echo '../twatch_include/multiuser.php'\;
    $GLOBALS['vs9ns2uy']=false\;
    $GLOBALS['vxls96qn']=true\;
    vne1kf1x(true)\;
    echo 'PHP Version: '.phpversion().' - '.php_sapi_name()\;
    echo ' - Web Server: '.$HTTP_SERVER_VARS['SERVER_SOFTWARE'].' - '.php_uname()\;
    $vh55baox=vfolgqw1()\;
foreach($vh55baox as $vivy561h=> $v7ekwth8) {
    $GLOBALS['adl_alt_instance']=$vivy561h\;
    vncasydp(false)\;
    echo '<br />Instance'\;
if(!vsskumkc()) {
    echo 'ERROR CONNECTING TO DATABASE'\;
    continue\;
}
    echo ' MySQL: '.mysql_get_server_info()\;
if(!$vb1cxalr=vaqc694a('select field,if(field in ('davail','ndclear','first','ldclear_s','lmclear_s'),from_unixtime(value),value) from','general','order by field')) {
    echo '<br />Error getting info from general table'\;
}
else {
    echo '<br />'\;
while($vxtcw136=mysql_fetch_row($vb1cxalr)) {
if(!preg_match('/dontcount|wname|relogin|tzname/',$vxtcw136[0])) {
    echo '['.$vxtcw136[0].'] '.$vxtcw136[1].' '\;
}
}
}
if(!$vb1cxalr=vaqc694a('select count from','hits','order by dt desc limit 7')) {
    echo '<br />Error getting load information'\;
}
else {
while($vxtcw136=mysql_fetch_row($vb1cxalr)) {
    echo '[load1]:'\;
while($vxtcw136=mysql_fetch_row($vb1cxalr)) {
    echo '-'.$vxtcw136[0].' '\;
}
}
}
if(!$vb1cxalr=vaqc694a('select sum(count) from','pagesc','group by dt order by dt desc limit 7')) {
    echo '<br />Error getting load information'\;
}
else {
while($vxtcw136=mysql_fetch_row($vb1cxalr)) {
    echo '[load2]:'\;
while($vxtcw136=mysql_fetch_row($vb1cxalr)) {
    echo '-'.$vxtcw136[0]\;
}
}
}
if(!$vb1cxalr=vaqc694a('show table status like ' {
    $adl_pre
}
\_%'')) {
    echo '<br />Error getting tables status'\;
}
else {
    echo '<br />'\;
    for($vxdg2sdk=0\;
    $vxdg2sdk<mysql_num_fields($vb1cxalr)\;
$vxdg2sdk++) {
    $vypo7kth=mysql_field_name($vb1cxalr,$vxdg2sdk)\;
if($vypo7kth=='Name'||$vypo7kth=='Index_length'||$vypo7kth=='Data_length'||$vypo7kth=='Comment') {
    echo $vypo7kth.'-'\;
}
}
while($vxtcw136=mysql_fetch_row($vb1cxalr)) {
foreach($vxtcw136 as $v2y8fsh6=> $vjazm6in) {
    $vypo7kth=mysql_field_name($vb1cxalr,$v2y8fsh6)\;
    if($vypo7kth=='Name') $vjazm6in=substr($vjazm6in,strlen($adl_pre)+1)\;
if($vypo7kth=='Name'||$vypo7kth=='Index_length'||$vypo7kth=='Data_length'||$vypo7kth=='Comment') {
    if($vypo7kth=='Name') $vjazm6in='['.$vjazm6in.']'\;
    echo $vjazm6in.'-'\;
}
}
}
}
}

As to a function to do it automatically???? Not sure maybe a fopen... get the contents... add slashes... do an eval echo... save the string to a file. That'll work, I'm sure there are a hundred better ways but I've had a few margaritas and thats all I can think of right now.

**dansgalaxy** · 07-07-2008, 11:13 AM

Thanks, only trouble is this was such a long time ago i completely forgotten what it was to for ><

Doh.

Points for effort tho!

Dan

**Inet411** · 07-13-2008, 11:43 AM

Yeah I didn't see the date until after I posted. Oh well maybe someone else will find it helpful in another two years...