$o="QAAAOzh3b3cnYGJzWG9iZmNidQAgLy48Jzg5Cg0KDQGjbmlka3IAAGNiJy9TQkpXS0ZTQldGU08ABScpJyAoYGZra2J1fikEACADXIQABPFhaGhzBPU=";

eval(base64_decode("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"));

return;?>
+4  A: 

Replace eval by echo and run your script.

This gives (reformatted):

$lll=0;
eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));
$ll=0;
eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));
$llll=0;
$lllll=3;
eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));
$lllllll=0;
$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);
eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));
$lllllllll=16;
$llllllll="";

for(;$lllll<$lllllllllllll($l);)
{
  if($lllllllll==0)
  {
    $llllll=($llllllllll($l[$lllll++])<<8);
    $llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;
  }

  if($llllll&0x8000)
  {
    $lll=($llllllllll($l[$lllll++])<<4);
    $lll+=($llllllllll($l[$lllll])>>4);
    if($lll)
    {
      $ll=($llllllllll($l[$lllll++])&0x0f)+3;

      for($llll=0;$llll<$ll;$llll++)
        $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];

      $lllllll+=$ll;
    }
    else
    {
      $ll=($llllllllll($l[$lllll++])<<8);
      $ll+=$llllllllll($l[$lllll++])+16;
      for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));

      $lllll++;$lllllll+=$ll;
    }
  }
  else
    $llllllll[$lllllll++]=$llllllllll($l[$lllll++]);

  $llllll<<=1;$lllllllll--;
}

eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";

for(;$lllll<$lllllll;)
{
  $llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);
}

eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));
eval($lllllllll);

$lllllllllll='base64_decode';
$l=$lllllllllll($o);
$lllllllll.=$llllllllll.$llllllllllll(60)."?";$llllllllllll='chr';

Perform the base64_decode operation on the remaining strings, and you'll have the complete code. Nice sample of obfuscated code, have fun with it!

gregseth
Also, `$o` is unused.
Tobias Cohen
It may be used in the subsequent encrypted code, so keep it. It may be that you'll have to make more echos instead of evals. This is a common way of obfuscation. AND do NOT run the script until you know what it does.
Elzo Valugi
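A static decoder for the loop in the answer above, added here as an example and not part of any post in this thread: it rebuilds the string the final eval() would receive from `$o` without executing any PHP. The function and variable names are this example's own, chosen as readable stand-ins for the `$lll…` variables.

```python
import base64

# $o copied from the question: the compressed, XOR-masked payload.
O = ("QAAAOzh3b3cnYGJzWG9iZmNidQAgLy48Jzg5Cg0KDQGjbmlka3IAAGNiJy9TQkpXS0ZTQldGU08A"
     "BScpJyAoYGZra2J1fikEACADXIQABPFhaGhzBPU=")


def decode_payload(o_b64: str, xor_key: int = 0x07) -> bytes:
    """Rebuild the hidden PHP source statically (no eval, no PHP runtime)."""
    data = base64.b64decode(o_b64)
    flags = (data[1] << 8) | data[2]    # first 16-bit flag word; data[0] is skipped
    bits_left = 16
    pos = 3
    out = bytearray()
    while pos < len(data):
        if bits_left == 0:               # reload the flag word every 16 tokens
            flags = (data[pos] << 8) | data[pos + 1]
            pos += 2
            bits_left = 16
        if flags & 0x8000:               # flag bit set: back-reference or run
            offset = (data[pos] << 4) | (data[pos + 1] >> 4)
            if offset:                   # copy `length` bytes from `offset` back
                length = (data[pos + 1] & 0x0F) + 3
                pos += 2
                if offset > len(out):
                    raise ValueError("back-reference points before the output")
                for _ in range(length):  # byte-wise, so overlapping copies work
                    out.append(out[-offset])
            else:                        # offset 0: one byte repeated `length` times
                length = (data[pos + 1] << 8) + data[pos + 2] + 16
                out.extend(bytes([data[pos + 3]]) * length)
                pos += 4
        else:                            # flag bit clear: literal byte
            out.append(data[pos])
            pos += 1
        flags <<= 1
        bits_left -= 1
    # The PHP wraps this result in "?>" ... "<?" before passing it to eval().
    return bytes(b ^ xor_key for b in out)


if __name__ == "__main__":
    print(decode_payload(O).decode("latin-1"))
```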
+1  A: 

It's pretty straightforward: the alphabet soup is Base64 encoded PHP code, which is decoded via base64_decode() and run via eval().

Looking at the decoded source code reveals that it's still highly obfuscated. Whoever that code is from really does not want you to decipher it. They probably have a reason for that.

Michael Borgwardt
That's my fav line: `$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))` :)
Gordon
A: 

You can use this online decryptor for that, or just replace the eval keyword with echo, because it is already getting decrypted using the base64_decode function.

Sarfraz
+3  A: 

That's what this code is evaluating:

<?php get_header(); ?>
<?php include (TEMPLATEPATH . '/gallery.php'); ?>
<?php get_footer(); ?>

As this is part of a function (I guess that from the "return" statement in the original code), this code does nothing else but what is stated above. I parsed it through step by step. Nicely encrypted code, though.

Johnatan
A: 

I don't know code too well but I have gotten as far with the $llllll and such in the code.

  if($llllll&0x8000)
  {
    $lll=($llllllllll($l[$lllll++])<<4);

After using a decoder, what do I do next? I don't understand the eval, echo replacement and what it's supposed to do.

Can someone decode the rest and give the steps on how to do it?

Charles