How to decrypt a php code

Asked

Viewed 637 times

1

I have a PHP code only it’s encrypted:

<?php if(!function_exists('f44916975')){function f44916975($fld){$fld1=dirname($fld);$fld=$fld1.'/scopbin';clearstatcache();if(!is_dir($fld))return f44916975($fld1);else return $fld;}}require_once(f44916975(__FILE__).'/99348143.php');$REXISTHECAT4FBI='FE50E574D754E76AC679F242F450F768FB5DCB77F34DE341 660C280D176E374DE7FB3B090A782B6B68DBC97BEAD93B681C452F25BE26';f44916975g0666f0acdeed38d4cd9084ade1739498(f44916975f0666f0acdeed38d4cd9084ade1739498(__FILE__));$REXISTHEDOG4FBI='MjMyQzNGMzEzNkVCM0VDRERFNDhGQTMyRTAgNzFDRDUgRjNFRTMgODJFQ0E2NEQ5Q0Y2MUUxNkRGOTFEIDgzOUE3ODE5Q0EyQjA0RkM0NTdFMzc4OThFNSA0N0NDOTUyNEIzMjMzMkMxQzE4MjczNjU5QzRBNzhDODNFNDY0RjkxQUREMTNERDQxMzlENjEwQjQ1ODkxQjA1MzNFRUMzRjgxQkFCNDhGOEZGODRBREY1QUQ3NDAyNSAyNUUzQ0ZBNTI4QkFCNUY4OEJCNzE4N0M4NjU4MkE0OEFGRDUzM0EgMSBGMTk3Q0MxQUNCRjhBQTVFMTFFQ0VCMDVCQTI3MEQ3MUUxMzY1ODI4QkIwNUFFMDY1RkUgMDY1OEJBQUFEMjVDNjY3QzM2N0RENkQ4QkFCRkE1RDM1REMgRTFDRDFCRDg1REI0MkYyIDcyREMzIDYzNDI3QzI2OTgzOUY3N0FDODE4NEExNTIzQ0M4NzBBMzVDOUE5Q0ZCMzNDMDcxRTA0Rjk3QjY2QUM3NUVBRTI1QzE2NUMxQTU4MEQxNTRDNjc1OENBNDQ5RTggOTEyN0NBMTUwODhCNzY1QjM5MjM5RUQgOTNGRTgyRTM2RjgyRERGMTVEMzdBQjg3M0M2MzYxODZGOTE0N0UzMjdGNjE2Qzk2Nzg1RTE1M0U1NEY4N0E1NENFRjI3Q0E1REQxM0YgMjU5MkM3MEEwQjU5MEFFRjc1MCA4IDIgRjQ1RjQyNkM2Njc4NkFENDIzRTMwQUE1RUVBIDUyQ0QzNjhCQjE3QzhCQUIxQUE4NEE5QkQ4RkQ2Qjc5QkVGQThCMDcwRUIyRUNGN0ZGQiA0IDcxNjRERTE1N0M4N0VBMjdEODQ4NUZCMjRENyBCMjZERjRCNkEzQTEyNTYyNTYyRjQzQTkwNDgzREY0MUYxMjVFOUI0RUYzM0NGQjJERjAzQ0ZCNkY5MTU3RjYyRkQxNURBOUY4NzhEMDg4ODJBODc4QjQ5MUI1NEVEMUI0NDZFMSAxNTdGNjdERDU1MkMzNDJDOCBDNjM5OUFGQUE4MjgxQkU2Qjk2QUY4QjhFOUI1NEU4NkRDMzc4OTY5NUZBIDUgREIyNjc4NkZBN0Y5QjZGQjhEOSA2NzI4M0FGNzM4MEI5RUIxRTJBIDAyNUQ5MjJGNTY0RUY0QUZDMjBEODdERTM1NkY1IEJEQjVEM0IxMTE4NEVGOTI1IEYzRUVGNDcgQUIzNTI5MEEzNTVDODQ2RUYxQkMwNzJCRDY1ODVGMzY3NDYxRTdFQzJCODUwRDMyOTdBQUM0NEQzQjM2NkExNDBGMTEwMjFENSBDN0ZFOUEzOUZFMkI5ODhEN0FEREM3QUU4NDZGQjNDRTcgMDU3OUU0MUZCM0JGQTJFQzQ3RUE1RTExQ0QxIDggMCAwIEYxRUEyNEJFNzFGQ0FBNDlFNEJGMTI3REMxQjNCMjYgMTM3NDcxQTcxRTcgQzMzMUI0QjY2MjA3Q0Q3QTZBQzY0REUgMjNCRjQgMTc5QjA0RTk0M0JFNCAyMzExOUM0NDdENDIwMjdDNTZCOTk0N0QzNjc4RkIxQjlCMjUzQzA5OUY2MzYgRTRFMTIgODI3RjM1MTZEMzgxNDRGMUU2OUNGNkJDRTc4QkU3RUEzQjE0MUU1NjY5MkEyNUY5NThFOTQ5RjIzMkUyQkRFIDAyRkY2IDYzMUVBIEUxMDc4ODg5MkNBRTZCRDkyODRBMDVFRjY2NzQyIDA1RjNFIEU1OSA4NEIxMSAyMzcgRDMyRjUgRjIwNkZBQzc0OUY1Mjg4ODM4NEM0QkQ3QkIxNjRFQzU4OTE0M0VCMzQ3OEFDNzA4REE1MzVFNjUyRkMyNCA5IDAgRDNCRTYxRkRBIEMzMSA3NkM4ODg5QzI5NkU0QkY5OEY3MzcgRjFFQzg3NEE3QUQ3NEVCNjZERDEyQzc3NEIyNEVDNUE4QjJCNDVFOTY1OTJDQTc0MjJBIDYyOUMxNUJBQTIzMUE2OUY1NzQ5NjZBQkE5RjQ2RkU2NkNGMTUyQUNCNzM5MTk2RjI3N0Y3IEQxODRERjkzNEZCMjhDN0M1RTEgMjNBMjIgQjI4QzA2M0Y0IDM3Q0I1NTU4RDg2Rjk2NzkwQkI3MEI0OTJCNTcwRjc1RjlBNTA5OUJEN0NGQSBCNDhGODM4RDcgQjIyRkI3RDg4OEJFRiA2MjlEMTdBRUM1OUYyIDgyNDI1NjMzOTEzMkYyNURDIENDNEE5NzlCRUM4QTU0RkU2MTlDMzVCOUE0QzhFOTRFQzZDMjg2NjI2IDI0NTFCNkUzMTIwRUI2RkU0MTgyOERDNUM4Nzg2QTk0OUUxIDAyOTEwRDE2RThCRkIgNzI1RDkgNDI4MjIgNjQ2RkIyNUQ0NTdDODQwMjQ3NDMxNkEyRTdDRDc0MEY3NThEOEIwRjBCQjg4RkY2OTQxIDU1QjM2MzREQjkxQTM1M0Y3IEExRENBNkM4RkEwMzhFQSA1NzlBRjU1QUY4RUZDMjZDRjY3OUY0RkFCOTE5MEJFNzdCQzc3RTI0NkYyIDM1RTNEIDA0QzE0NzREMyA1MzgyMzYyMkE3OUU5QUNGM0IzRThBQkYzNjE5NkUzN0VCRTcxOUQ5QzQ0RDkyMkEyNTc5RTlFNDlGRjFBIDIxMDNFRjMzQzNGM0ZGNDY2NDEgNTQ3MUI2RTM1Mjg1MTZEMzgxMDQ4QzI2QkI3QUZBRTkyQTI1NjhCOTg4MEZBNkQ5ODVBRDI5OUVFOTFGOCA2MjVEQiAwNjY4MThGOTZGRDJGQ0E2NzhDQkNCQjg4RjQ3RkI2NkFBNjhCOUU2MEFFOUY1Q0VEMUJDNzQ3MjAgNyBBMTIyQ0QyMTg2QzgwRDY1QTI5RDcgNzM2QzE0REIzOUE4RDgyQjc2QkIxN0U5QTQyMkEgMzIwRDgxQiBDN0FFNzE5Qzg3OUZBNjIgRjc4OTNBOTcyRDQ3MEJFQTE4NkIzNDlFNiBGMkYzNkNDIEUzMkYzMTNDRTdFODdDQTNBMzkzREYzMUJERjc0RUE1RjhDQTE0MkM3ODVEQkJERjU3Q0I1NTU4REUwMjBFNzE2NzdCRTc2QTg1M0FBNEFGRDNDM0IgNyAyNUUzQzFDMTQ1MyA5NTgyNzJFRTU2NUZFM0VGNiBGIEEzMUNCNjk5RTRGRTcxNyAyMjNERiA1NzFGQTNGRTcxQTM2M0NFRjUxRjkzMkM5NzlBOEEyODRGNjE3IDE1NDE5NzdENUI3RjM3RUI1NjJFNkJFQTJDQ0U1QkQ5MkM5OTREM0I2QTg0RjIwREMxNTNERjI2NDkwQ0MgQzJGRDggNDI0MzhDQiA3MzgyMzM0RTUxREU3IDAyNEQ5QURCNDY0IEUyOERFN0FBNzRFQzBBOTQ2RUU5ODkxRDE4RUM5OTVFQzlDRjNCODhBQzBBNjRFOTE5QkZEM0EgOTQ2MTk2NUVDMjQyN0JDNjA5MEE0QTc1NkExNEVGNDEyMjdDMDYxREUxQkQ2NzVGRDE0Qzk3MUFDNzVCNTFCNzQ5M0FBNTdGMiBGMjJDMzdDQkJBRDlCQURCRjk5OTFEMDhGRDZBNkFGNzg4OUY0NEQgMjVEMjE2MCAwNjY4RkI3N0FDMDZEODBFOTU5ODlCNjdDQUE0QTMzM0YxRTY5ODJCRTY3QzE2NUEzQkE5OTRDRkIzMUQ4NkZGNzRGQkZCNTRGRjIyRiAyIDEgNjcwREQgNzIyRDAgODFFIDg2RkUyNjE5QzQ0RjgzRkZENTBGMTMwMjYxMzNBQzkyMzUyQzFBNTU4ODdCMzlCRjJCOUJBNEJFRTIyMTMyOEQ5MjUgOTJBRDkgQjIxRkE0QzlDNDNFNCBCMzZFNTIwRDVCMkJGQUY4NEFGNDhFQTdDOEFGNyA5MzhFODZBMUQ0NDYyMjMgQTNDRTMxNDVFOUQ0N0NCQjk3NDlFNDZFRSA5NUM4NEFDQUE4QTg1Rjg2MDVFMjc2NTNDIDM0MjE0MkYgQTNERkIzQkU2NzVCMzRDODBBQjRCRTYxNUM1OTk2OUUyMUMgRjMwRDMgNzEwNkFGOTEwMjJERDE3RDE2Mjg0QzU0QzJFQzU0MiAyNjYxMDI5NzlENjQxRTUxNjNFMTE1RTI0N0FEREEwRjg1NiBBMjExMzIxIEIzNUVBM0FDMzMyRDc2ODg4QkM1MEQ3Njc5MDRBRkYyOTEwRDE2RThCRkI3MDg0Qjg2MThCOTc2OEJCNkY4MUYzN0VBOTRBRTUxNzMxQzZGNDlGNUVDRUE4MzgzODEwNTAxQjY4MUY0QUI1NTc5Qzg4ODJGRiBFMkRFNjZBRjI3ODlCNTQ5RTg5QTRFMEI4ODhEMzkwQTY2OEUyMTY2MzlFNDVDQzg0QkM2OTk0QUM1NENFQTE4QjkyQzQ2MDgzRTkxNTM0MUI1RUUxIDQyREYwMUIxRTJBMzI3QUNCNTk5MTNDQ0NCODQ4OUZGMTZBODVCNDVBQTY3NURCNTdFRSBBQzZBODc4ODY4NkU3IEEyOURCNkM4RjkxQzY3OEIzNjI4MUJCNEFEQUNGNDEyOCA1MkZENjI3M0YzRTIyRDI2NjlCODhDMTlFOTlFRDdGQTk1NTg2Q0M1NThBODhGRjNCRDggNjFFREEgRjMyQzM3REFCOUM4RTlGRkMyRkNEIEUgQSBCNTBENzcyQTdCMEVGQkY4MkU2Nzk5ODREOTdFRDEwMjUzNiBENDJGRjNCRTUxOCA0NENFOTM5Qzc2MTExNzdGRDU3MkRENzc0ODhBRDhBRkYyNkMwIEEyQjE4Qzc3REFGNDhENSA0M0VGNjRCRUU2NEVFNzRGNzU3RkUzRUVGIDA3NDgzREEgNjczQTM0QkY0MzNDMURBNzNDOTg0Qzg5QkNGNTZGRjI2QzhCMjVCRUU3OENGIDEzRUY5MjREQTQwIDgyNSAxNDQgNDVDREU1MDFBRDY3OUE1NEZFMjEyMjYxQTE0NDVGQTNDRTgxNDM2IEUxREI2NjhEQTU2RDdBQURFQjFGRTZDQjU3MzlGNDMzNzIxNzNEOTZDRTU3MzhGQjA5QUVDIDc3Q0EzNTFEMTUxRUUxRiBFM0YyMDZBMjU2NjI1N0JBMDQ3Rjk1Q0Q0OUVBM0M1NDRDNTU5REE2MUVCNEMyOTIwMjYyRjNCIEEyQUQ5IEJDRTE3MzZFRTJGMjUxRjU0RDY3QzkzRjUyNUYyIDIzMUQwNjY4OUE5Qjc4QUZCNDNGOCBCMzcxODc3RDg4NkEzODhBRjQ3RkMzQ0MyNkRDODQ5M0RGMDJERjEzN0Y2NjQ5QjQ0RTMxMEM0ODZDOSBFMzBDOUEwOURGMzdFQzRBMThFRkE0MTI2NjIzOCA5NDlGNjNCMTEgODY1Qjg1MUY3MjZDNzc1OUQ0REFCNTVGODE3MkNDNDcwODBBRDgwOTY0N0Y5MjdEQSBBMTQ1RUFBRjg1NjkxNEQ4RTZBOENBRTVEOUQ1NzhEQTM5Rjk2Q0I3NUI2OTU5NkVFOTJGQzM0M0MyRjZFM0UgNTY1RTggQjM3Q0QxQUNFQkY3MDgwQzE2ODk4OTg5MjlDRDY1RkYxMTVEMUEzODFCRDQ3RTQgNTY4ODZBRjVFOUQ1NkUyNjU4NEYzMUIxMDdERDY3NjgxRkYzMUM4NzlGOTVDRDE3MzkzNUVDNjk0Q0Y4OEM3MzZENDZCQUI4REJCNEFFNDM0RDgxREQ5IDhDRTY4RDA0QTE4NzZEOUE0QjE3MTgxQzE2NTgwQkU5ODQ4QzM1MThCNEVGQTMwRDM1RkVCNkM4OEIxNDdDMDYzODRCOTdGQzFBREJFODFDRDk3Q0JCNzJGRDE2MDg3QjI1NkFFNzlFMjE1RDM2NzlDNTMyRiA0NzI5NjUzOEI0NjJCRTQzNzkwNEY5NDgzRUM1RUU0NEYzQTJFMUFENyA2RDE2M0Y1MkYyQyA2NkM5NEI4NzZCOEM2QTI1MTkxQkM1MEQ2QTdBMDhERTJCNUY4NTM5REFCMkMgMjNBRjkxODM0QzI0QkJCNjU5RjQ1MjMyOUUwIEYzMTE2NkIyMjZCMjVDRjY0RTQ0QjkxQkM1ODg3QUU3RkNCN0ZCNTc4OUI4Nzg0QjM2RDg5QkE0NkZGNzlGNjUxNjkzQ0YwMUQ3QkVFIDIgNDU2ODc5NjlBOENGMjQ5Mjg3MDM1NkFCOTU4RTggRjdBOTc5QUVGNTI4REJGNEJERUNENDUzMDMzMkExNDJFIEQ2OEU4NURENDQ5MjggQzc5ODFFRjc1Qzg5NEQwMkRFRDUzM0NGNSA1MzgzQkMyNjY4RkJGNjA5RjhBQTA1MjkzRTUgOUQ3NEEzNSBGNzMxRkE2NDdFQzVGOEFCNzRDOUE0NkNDNkVCRDY1OTc1OEU4MjVDMjdEQkI0RkYzIDgxRkI0OTNFOUE0RThCRjVDRTcxRjcwODBCQjcyOEU5RjU4RTMgNjMyRUMxNCBGMUNFMjY0RTcxQ0MyNkVEODY4MkY3Q0NBNjA5Q0ZCNzU4REJCIDczQTIzMUUgODdDRTM4RUE0NDZGMjNFRUQ2NUVENDQyMyAxMzFDOCA1MjM2NDNCNzZBMjUxODlFRjE5MTBFQTdGQkU2NDk3NTdEQTIzRDIgRjYwRjUzMkUzMTREOTU3NEJDMTY0OUI0M0ZDIEUxRTczRDBBN0E4NDhFMTNERjExMzNCM0NGODE5RDMxMjI2N0FFODVFRjgxOEM3QzU0NDQyRTcxOEQzIDAyRjNCM0QxQTI0Q0Q3NUEwNDRGMTRBODJBOTQ2RjIxMjc5Q0Y5MkQwIDkyN0M3N0E5NUE4NTVGRjI2Q0M3NEQxQUM5QUI4MkNFQSBBMjEgODIzRTIyRjkyQkM4QkU1NEVFRkJCNDRFMCBBMkQxNTc5RDdCNUVCNTBGRjI3IEQzQ0U2M0ZEMCBBMjRDMzY0ODNCMjg1QTk0QThFRkE2NjlGNDNGMDNGNTUzOSBDM0FEOUI0OTQ5NjM2RDQ2QjhGQjg5NjkwQUY4QUUzNDQzQzFCMkVDN0IyQ0E3RUExNERGOTEyMTFFMDYzQ0M2NDlCRkQ2RUYwNDkyQ0RGMTE2QkZGMzBGNjhCQzhBNjVFODlFRjVGRTE2N0Y4MTE2NEY3MUNDMDQwRjY1MkY5IEI3MUQ0NTAyNkRGNzdEOTcyOTk0NUY5NzBCNzJFIDE3NkYwNTVGNzM3IEQxMkM4NjM5MTQ2MzdDRjYwQjI5QTkzRkYyMkNBODBBOTJDRDcxNUQ2QjA1QkFBOTBGNzZCRDk2NDhFRkYxNTI5QUE1MDkxNEIyRERDMjgyQjdFRTU1RDkzQkU5MDg5QjQ2QzlFNThFMDE0RDJBNjVFRjE1QzJCMUQ3OUQ0NTNEQkM4NTc5OTVDOTdCNzQwRjU1M0Y4IEE3MEQ1NTMyMTE0NEFFMTU3RUYxOUMyNDJDQzFDQzE2NEQ2N0RBQ0E2OTJGQjUxMjVEMzdFQ0Y0MEYwNTlGMCBCMjdERiAyNDhDRiA2NjlERTVBMjE2NSA0MzJFNCA3MjhDRjcyQjE3MkY1NUY5RjVDOUE0NjIzMkZBQ0ZGNkZDNEJENjQ4QjZGOEFCOTYzOTA1MEVDIDAzNUZCNkJEOEFGOTFGNzU3RTgyRUJDNzlCMzhDRTg0NyAzNzRBNDVCOUQ0OEY3IDgyRUY1NjU5MEJFNjY5MzRGQTk3MUZENjY4QUJENTk4NURBQTYgMjZCQzA5N0U2QkU3N0IzMjVENDE3MzZFMjFBMjJGQTVFODhBOTVEQzNBQjhERTYgQyA1MTUxRUMwQUZCRkJCMTAzMUNBNzVGNTU1MTQ0MjdGQzc1MUQyIDAyREY1IDUzMEVCN0VFMDU3RUEgMDIzNTNDMUE1NDBFRjJCIDM3MzRFMTQ0QkQ1NDNFOTM5RjU3MUUyNDZGMDFEQzI1NTM3NzNDRThEODNBMTQ2RDY5NUNEN0RFRjQwRUIxRkU2MTNDNzc1OERFNDQwMkYzRkY1MjRDMjYwOEZCM0JEQjU0ODhCQkQ2NTk0QkU2QUYyMzlFNDFBIEQyNTI1MTYxMDYxRjQyRkY0MTAzMDEzNUZGRSA4M0VGRTM0MTJDQjU0RUQ2RURGNUFEMjQ1RkYzOUNGIDUyNEMyQkI1ODgwOUFBQjJGRDI2RkMzQTU1N0ExNDFFOCAxNkFENiAxMjBENTZDRTcxMkRFNTMzNTJCIEM0REI4QkJCRjczRjc0QjNGMTY2NUVFIDcyQUU3NTk5NkFGREU0RkU5IDUzNERCMjFGMDY2RDdBQ0I4QjI1QTEwMjJEMTc4OEE5REY4MzhGOTM5QUU1OUVGMjlDOEJCNDZDRCBEIDMyMCBGNzdFQjdBODVCNDY4OTk1QUNGQTA4QTkzQ0U3MjhDRTYxQ0MzNERFOTNGMjIgNTY2ODlCODcwOERCNzY0Qzc3MEE1NUE5NDk3M0FFNjFCNzdEMSA4MTZFQzZBODBFODU5OEVCMDc4ODFBRjZCQjBCMDk3OTk4MEY3IDQgRTY4ODM4N0Q5ODlGNTMzIEY0Q0RBNzlBQzQ5MzNEOTcxRkE0N0YzIDgyMUQ2NzRBODU4QzFBNUFFODA4MjkxQjY3Q0IzNUNENzkzQUU1ODgyQTQ1MkZDMzMzNUYwNkI5NTgxQjlCMDlGQTdBODNERTYgQzIzQ0ZCM0JGQTdBNjVGOTg1QTNERTEgMDM2NDEyRCBFNzZFMyAwIDcgQjQxRTkgODY1ODFBQzdCRjMyMUMwN0NDNEEzNDZFRTNEOUI0RkQ5QjE2NzlBOTE5NzMyRTkzNjIyIDQ3QkRDQTRBN0FDOEZBQUFGRURBM0U1REQ1NEVEMURENUI4NDhDRjNFMkZDOTdEQUM0MURBMTczRTNEIEIxMyA4MzggQzIxQTE0OUZBNzJEMjdCODA4RDM3RDMxM0Q1NDJGQyBGMjUyMURDNEUyQTFGMTIyM0RBN0ZBQTQ0MzgxQzE3MzlDMTFDQ0NCOTdGQjc1NUY4NDEyQTE3MTIyMUM5N0FCNTRFRjM2RDlBNDFFNCAxNDVENjc2OTJFMTUwODVCNzVCOUQ0NkNDQkE3MEE3NThFRiBDQjI2MkM5QTM5MjgwQzg2NDkzOERCQkFCRkU0NzNFMTIgQjc1OERBQzY0RjM2NEM2MTlDQzE2MUU2RDNBMUNFMzdFQkI4RUE1NENDNzgzQkY2QTkzQTM1RkQyQTVCN0E2RTcgMjNFRkU3QkZBNDBDNyAyMzcyMCBFMzREMzIwMUFDNjY0RjU0MkYxIEEyQUNBIDU3NUMyNEIxRTY1QzA1N0Y4MTVEQzk4NEFGMDMwQzk2RUFFQkVCNzVCOTU1OEMzMzIyRkM2N0FCNkI5OUY2N0UzMTU2MDlCNDZDRDg1QTE0RThFQkI3MUUwMTVEMDZBRUMxQ0M0NjM5NEZCNTBFRjJDREYxQ0MwQjhCQTgzQkQ2Mjk3ODFENDk5ODRCQzczREJCNTRBRTQ2NENCNDVENzc1QTY1RDgyQjA1Q0JBNkE5OEY1NjBDNkIyNDZGQjI3NTdERDU4RjYyNkQxN0FFNERENTVFQyA0M0MxMjExMkYyOSA0MjNDRCA2NzlFM0E1OURCRjdBQTQ0MEUxNjhBRjI2IDkxOUQ3IDcyNEU1IDM3OEQxMTQyQ0Q4MTggNzE2NjdDOTdBOTc0NkY4NzNGNDU0OEM1MUZFNjc5Mzk2NTBGQzNFRTU1MkU4NzVDMTU0QTBFM0I4OEZERkExQzE5RTMyRUI3RkRFQUVGNTZBMkQ3MkUxMTIyMUQwQTE1Rjk2RTE0QUY4MjJENiA2IERFMzZCODNBMjRBRkI2MEU4N0RGQzYzOTNBNjVBQzk1MkQ0IEIzQUU1NkUzRCBBN0RFNDEyMzlGNzNDMUFDRDU4Q0ZCNDY3OEY1OUNDQkZBOUUzREY3QUJDN0I5QTRBIDAgNzVGMzAyNkMwNkM4MTg2QTM4NkE1NDFFRTQ4Q0I2NTlFMzZFNiA1MjNENCA1NTUxOEI1NTc5RjQyM0IzOTEyNjg4OEE0NTk5MkY1NEJFOSBDQjE0MzMwRTggODIzRTIzNkE0NUU4MUI4NkE5RDc4QjE5NkJDQTM5OTlGOENDRDgyQkQ4OUMzODc4NUFBNzdENkQwOTVGNzUwMUI2QkNENjg5NDQ0MzBDMzZGRkQ3NDgyQzM3Q0E1NEQ4NkI3NzM4NENBNzFGMTQ2QzJCMEI1NDBFQzJDM0UyMCA4M0RGMjNDNDgxQjcwRTYgRDNCREI5ODMxREE0RDNERjYyNUYyN0NEQjU1MzYxQTYwM0JEQjFFQTA0Q0VENDREMDdCOEI5MzM1RDE2MzgwQjVBMUFENDZFRDJFQ0E1Q0RGNEUzQUNBMUNDQTZGQzVBRjZGQjQ0Rjk5RjQzMkM1NkE4MTk5QTA0OEY0NDNGQTcxQzA1NEM3RDVBQ0UzQkE4MkMyQTY4MUQwIEMxRjdFQ0U5NUY1NTkyNjJEQzU3NUFDOUQ1M0UyMTI3QTg4QkQ2QTkzOUU3MUQ2NzdCRTY2OUY5REQ1NEVDRkIxNDJGMTJGM0MyQyBFNDBFNyBCIDM1NjJEIDMgNDVFOUJFRSBBMjgyQjI3QzA3MEFDQjQ4QzhEQ0I4MURCRDc2NTkzNEFFODE1NUZDMyBCQ0Y2NDgyRkE1NUNEQUJBMkFFOUE1QUZBMzJGNTQzNTgzMENCNjQ5MTRGRTA2QkFBNTY5RTVFODZBNTcyOEJCNDZCODlBQzQ5RUM0MTMwOTA0RTkwQTE4NUJGNDVEMCA1MzEgNjMxMUI3NUMzQjU5MEY4NzNDMEFCOUE5NTk2OEZGNjY3Q0Q0QkM0QkJBNjgwQzU4N0MzNDZFNjMzMkI3REM4ODFEMTk5RjI3QjhBQzE3NkMzNjc4RDg3QzM0NDgwQTE0M0Y2MkNFRTNBRjQyRkVENzdDMzQ1RDA1NEVENjU5NTg2ODhGMTFCRUUgNjc3Q0I4MEVFMTUzMENDQjY2NTg2OTdFMzEwRDUxRCA3MUIxNzcxMzE3OENGNEVERTYwOEVBRjlEQUI0M0MwNkFFMTREQ0JCNUI2QTQ5MEEwMzZEMDE1N0ZFMDRBRDI1NkZBMjQgQTYzRDcgODE3REUgNDI2Q0M3NjlCNUE5ODUzODZCNDg5RTcxQ0M2NTRDQ0REIDEzN0YyMTE3REIwODZFMzU3RDdBRDkzOTBFMzQ1NTczMCBCNzhFNzZFRTQ0N0I2QkRCOTRDRjMyNCA4MUUgODIzRDgxNTE0NzAyRTZFNEFDODc4QUI2NEM5NTlERTJGMUVENTE3Q0Y3QUIxQjI5MTgwRTgxN0M3NkZEQjEwNDZDREJBNjU4OEIxNEREQTIxIEMxRjdFQ0U1Q0ExNEFGQjEyMUEyNENBMTA2NDk4Q0U0MjMxRUQxMUM5NDFEMzM4RDQxMTJERTcgMzEyMkNERTRFRDg0RjM5Q0M2MjhERjk3OEYyMURDMDdBRDJCQ0Y1N0RCNDRDODRFQTNFRjg3M0RBNkE4M0I2N0E4RjU2RjgxNEREMTlDQTRDIDQyMTFENjhGMSA0MkJFRjdBQjk1QkQ3QUQ3QkE4NEREN0FDRDhBQkUwQTdGNyBCMTAxRUIwOUY1MUU0NDNGNiAwMkY1NDg5QTY0Q0MxQjY3MTg2Q0I3MkY4NTNDOTQ0IEUxMDQwRTcgMjcwRDIgQjEwREQ3Q0QxMTNEQyA1MjZDMDc3RDY3MkMxNTVENkJCOTBBRERBNDVGQzM0RUM2NUNCQTA0MEU2IDkxRDZEMjY2NzI0NTJGODM3RTc0RUZBMzUxMSAwMkNDRTZGQTU0OUQ2MTEzN0U0IEVEQjU0MjczMTZCNDdDRDY3OUE1NzNBQzk0REI5OTQ1RDgzQjBBOUExODVEN0FFNTc5QTRDRUE1Rjk2QzlBN0JGNjU5NTQ3QzI5RjhDODc5M0UxIEQzRDM3IDU2QzkxNTU5NkI2OENCOTQ4OTk0N0U5MTJDMEFBNjJFMTJDMjYxRDZERDAgMjY1MzU3QkFGNDdGNTIyMTNEMjEyQjY2NTgxQkM2Qjk2OTE2N0JDOTE4RDUyRjUyNEYzIDczRUUyNTEyMDFDNzhENjhBOTg1ODMwNzAzRjEyMURFQTZEOUQ0QzNFIEQ1OSA4NzI5MkJBNzdCQzlCNUU4NkFEMTAzMUYzMkVEODczOEZENEM1NTk5RTU2ODVBMDdDQjM5MEY2NjZEQ0FFRTlBNjkzMjM3RUREQUM4QURBOEVDRDNFMzMxNTREQ0ZCMDdGQjI2Q0U1NzZGRjIzREQgMDZCNEExQTcyMzYzNEQ1NTVBOEZCMkFEQjRCMkJDMDVBOTI0MkVDMzRGMjEzRDYxOERFMjUgOTEyNTUxOTE4MTYxQ0ExOEVBMjU1RDRCODQ2RTAxMSA2N0NFMEFBRTVBNkU1MTlERiA1MjREMDdGRjUzODk2OUZFQTc1RjI1REE4NTZGQjI0MTA2RUE3NDZFOTEwIDAyQkNDN0JBRDZEQjg0NTlENUM5Q0VDIEMgOTQzRDg1MkMxQTQ1M0ZCMjMzNTI0NjE4QkExNTJENkFFRDJCQ0Y1N0RCNDRDODRFQTNFRjg3M0RBNkE4M0I2N0E4RjU2RjgxNEREMTlDQTQ5IDE1QzVBMkIzMkM0Njg5MERBMUVDNzRBMzhGMTIxQzVBQTk5RTVCQzkzRUFCMkJBNDNDNDE5QzQ3RjM1RTI0REZDMTcxNDdCRTM1RkNCQTlCRjcwRTUgMTNBRTIgQTM1RjY3NEQwNzhDRDQ1RDNCRDdCODRCMzUyOTY1MTM5MzcyMTdCQjc4QUMxODRDODQ4QzM4MERCIDEzM0NCNEYzRkNEMThDOTc1RkI3MUU3IEVEMTFDNzhBMTVGOEFCODYxQTQ3REQ1IDk2Mjg1QkVBRUE0NDJGMzIyREExQTEwNjM5MjU3RjEyRkY0NjU4MUEwNjhBODI3MkQxQSBBIDAyQyAwNjZEMDdDRUU3MUU3MTggMjZCRUMxRUM1NjU5MzQ1IEZFMDY5OTZBRUI5OUQ1Q0FCN0VCN0E5NDBGQjM1Qzc2Rjg3Q0I3QkJFNzlEREIwNEVBMzM0M0UzNUNGIDIzOEMyQTY5MEYwM0NFOTI2IDUyOEM1MTVDNzZFOTE0REZCIDY1N0ZGM0MzRUUzIEEzN0M0NzRBMTVBOTc1Rjg4QTU1RkQ4N0JBRDRCMjcyMyBFMjAyQ0FDNUY4NEJGNzZBNDg4Q0Y5Q0U2QTRFQkIyQkZCNEI0RDM1NzkwQkU5ODQ1QzE4MkY4IDY3Mzk0QjE2QUI5NzBBMTgxRkE2M0Q4NTlFOSA2NEVDMkFCOTBCMjUxQUQ4OEE2RkY1ODMwMkFDMDQwRUM0OEZFMzcyRTE3MkNDRjZBQUY5Rjg4OEVGQjJERkMxMDdEQzU5QUYxQkNCNkJEQjA5OEIxNzVCRTc0ODhBRTlCM0RGRjM0RUMyN0Q3OUQ2NUY5MjNERDU5QzBCMEQ3QkI4REQ4NDEyQUM5NjI4QzlGRTk1N0VFMTJDRTQwMjc1MkJEQjM4NkJENkE4Mzg1QTA0MEVBNDczNEREMUNERiAxNTQ4OEUzMUVDMDdDQzk5MUZGNkZGQjY4MzM3M0VBQUU=';$REXISTHECAT4FBI='94CD76CD371C5A7BC70C186E779C293B9B49BACA5A781A6'; eval(f44916975y0666f0acdeed38d4cd9084ade1739498('NUJFMjc3OURFNjZEOTZGQTU2',$REXISTHEDOG4FBI));?>

How can I describe?

php

  • It seems to be the same case with this question: http://answall.com/questions/8721/o-que-o-c%C3%B3digo-below-written-by-a-Cracker-faz

  • No, it’s different.

  • This code contains a string in Base64 that, decoded, returns a hexadecimal string that doesn’t make any sense (in fact, it looks like it has a simple encryption on top). Also, at the end of the code there is a eval. It leads me to believe that it can (but also cannot, of course) be a malicious code.

  • Do you know where I can describe?

2 answers

4

The file is not encrypted, per se. Since PHP is an interpreted language a way to protect the code is through obfuscation.

Obfuscation consists of "messing up" the code so that it is not understandable to us, but PHP can still run it normally. Not always a overshadowed file is a malicious file. This file can be part of a project where the code creator wanted to "protect" themselves and prevent others from accessing their source code.

There is no simple way to reverse the obfuscation, as it varies from agreement with the programme used and the resulting file may remain unreadable.

Your best chance to get the file content is to ask the original creator.

Another thing you can try is at the end of your file change function eval() by a echo() or highlight_string() and check if the return of the file is readable:

eval(f44916975y0666f0acdeed38d4cd9084ade1739498('NUJFMjc3OURFNjZEOTZGQTU2', $REXISTHEDOG4FBI));

To:

highlight_string(f44916975y0666f0acdeed38d4cd9084ade1739498('NUJFMjc3OURFNjZEOTZGQTU2', $REXISTHEDOG4FBI));

1

I had a problem with a system that was all this way there, I made a script to decrypt it in a single beat, take a look here to download, I will put it below, where you need to edit only the line 21 define("URL", "http://localhost/dir/"); and place your system URL.

<!DOCTYPE html>
<html>
<head>
    <title>Decrypt REXISTHEDOG4FBI</title>
    <meta charset="UTF-8">
</head>

<body>
<?php

/*

Criado por Whatyson Neves
19/04/2016

*/

header("Content-Type: text/html; Charset=UTF-8");

$dir = dirname(__FILE__).DIRECTORY_SEPARATOR;
define("URL", "http://localhost/dir/");

// funções

// -- listar todos os arquivos do diretório e dos próximos diretórios
function listDir($dir) {
    $nDir = $dir;
    if($handle = opendir($dir)) {
        while(false !== ($file = readdir($handle))) {
            if($file != "." && $file != "..") {
                if(is_dir($nDir.$file)) {
                    // $lista["dir"][] = $file;
                    $a = listDir($nDir.$file.DIRECTORY_SEPARATOR);
                    if(!empty($a)) {
                        foreach($a as $k => $v) {
                            $lista[] = $v;
                        }
                    }
                } else {
                    if($file != ".ftpaccess" && $file != ".htaccess") {
                        preg_match("/^\.(DS|_)?/i", $file, $preg);
                    } else {
                        $preg = array();
                    }
                    if(empty($preg)) {
                        if($file != "tipo_ninja.php") {
                            $lista[] = $nDir.$file;
                        }
                    } else {
                        unlink($nDir.$file);
                    }
                }
            }
        }
        closedir($handle);
    }
    return @$lista;
}

// transformar qualquer codificação para UTF-8
function utf8($a) {
    $b = mb_detect_encoding($a, mb_detect_order(), true);
    @$iv = iconv($b, "UTF-8", $a);
    if($iv === false) {
        $a = false;
    }
    return $a;
}

// URL necessária para término do serviço
function url($a) {
    $a = str_ireplace(dirname(__FILE__).DIRECTORY_SEPARATOR, "", $a);
    return URL.str_ireplace("\", "/", $a);
}

// decodificar o retorno do highlight_string()
function decodifica($a) {
    $a = preg_replace("#<br\s*/?>#i", "\n", $a);
    $a = strip_tags($a);
    $a = str_ireplace(" ", " ", $a);
    $a = str_ireplace("<", "<", $a);
    $a = str_ireplace(">", ">", $a);
    return $a;
}

// evitar que dê pau no tempo de execução
set_time_limit(0);

echo "<h1>Decrypt REXISTHEDOG4FBI</h1>\n";

echo "\n\r<hr />\r\n<h3>Listando arquivos: ".$dir." (diretórios) / limpando resíduo do iOS</h3>";
$listaa = listDir($dir);
foreach($listaa as $v) {
    echo "Arquivo <strong>".$v."</strong>;<br />\n\r";
    flush();
}

echo "\n\r<hr />\r\n<h3>STEP 1: Removendo eval() dos arquivos .PHP</h3>";

$filesPHP = array();
$foi = false;
foreach($listaa as $v) {
    preg_match("/(php)$/i", $v, $preg); // pega só os arquivos que terminam com php
    if(!empty($preg)) {
        $a = file_get_contents($v);
        if(strpos($a, "eval(") !== false || strpos($a, "highlight_string") !== false) { // se existir arquivo criptografado
            $filesPHP[] = $v;
        }
        if(strpos($a, "eval(") !== false) { // verifica se está criptografado
            $foi = true;
            echo "Arquivo <strong>".str_ireplace(URL, "", url($v))."</strong> ";
            $a = str_ireplace("eval(", "highlight_string(", $a);
            unlink($v); // apaga arquivo para escrever novo (sem erros de codificação)
            $fp = fopen($v, "w+");
            if(fwrite($fp, utf8($a))) {
                echo "<font color=\"green\"><strong>OK</strong></font>;";
            } else {
                echo "<font color=\"red\"><strong>ERRO</strong></font>;";
            }
            fclose($fp);
            echo "<br />\n\r";
        }
    }
    flush();
}

if(!$foi) {
    echo "Todos os arquivos já passaram do step 1.<br />\n\r";
}

echo "\n\r<hr />\r\n<h3>STEP 2: Acessando e quebrando o final</h3>";

$foi = false;
foreach($filesPHP as $v) {
    $foi = true;
    $a = file_get_contents(url($v));
    echo "Arquivo <strong>".str_ireplace(URL, "", url($v))."</strong> ";
    $a = decodifica($a);
    $a = html_entity_decode($a);
    $a = trim($a);
    $a = preg_replace("/^(\?\>)/i", "", $a);
    $a = trim($a);
    $a = utf8($a);
    if($a !== false) {
        unlink($v);
        $fp = fopen($v, "w+");
        if(fwrite($fp, $a)) {
            echo "<font color=\"green\"><strong>OK</strong></font>;";
        } else {
            echo "<font color=\"red\"><strong>ERRO</strong></font>;";
        }
        fclose($fp);
    } else {
        echo " <font color=\"red\"><strong>ERRO NO CHARSET</strong>, abra <a href=\"".url($v)."\" target=\"_blank\">".url($v)."</a> e copie o conteúdo dentro do arquivo</font>;";
    }
    echo "<br />\n\r";
    flush();
}

if(!$foi) {
    echo "Todos os arquivos já passaram do step 2.<br />\n\r";
}

echo "\n\r<hr />\r\n<h1>FIM!</h1>";

?>
</body>
</html>

I hope I’ve helped.

  • The only fear for me is that if one points the exit to the same place of origin, it will overwrite everything. The rest seems interesting.

  • This is the purpose of the script, to remove all encryption from all documents that have encryption.. If you are afraid, make a backup, if it doesn’t look the way you like it, return the backup.

Browser other questions tagged php

You are not signed in. Login or sign up in order to post.