How to decode this PHP code?

Question

I want to decode this code. I have no idea what it is, except that it is some kind of code. Can someone help me please?

    <?php    if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE29"))  
{
   function T7FC56270E7A70FA81A5935B72EACBE29($TF186217753C37B9B9F958D906208506E)   
    {   
        $TF186217753C37B9B9F958D906208506E = base64_decode($TF186217753C37B9B9F958D906208506E);
        $T7FC56270E7A70FA81A5935B72EACBE29 = 0;
        $T9D5ED678FE57BCCA610140957AFAB571 = 0;
        $T0D61F8370CAD1D412F80B84D143E1257 = 0;
        $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[1]) << 8) + ord($TF186217753C37B9B9F958D906208506E[2]);
        $T3A3EA00CFC35332CEDF6E5E9A32E94DA = 3;
        $T800618943025315F869E4E1F09471012 = 0;
        $TDFCF28D0734569A6A693BC8194DE62BF = 16;
        $TC1D9F50F86825A1A2302EC2449C17196 = "";
        $TDD7536794B63BF90ECCFD37F9B147D7F = strlen($TF186217753C37B9B9F958D906208506E);
        $TFF44570ACA8241914870AFBC310CDB85 = __FILE__;
        $TFF44570ACA8241914870AFBC310CDB85 = file_get_contents($TFF44570ACA8241914870AFBC310CDB85);
        $TA5F3C6A11B03839D46AF9FB43C97C188 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $TFF44570ACA8241914870AFBC310CDB85, $TA5F3C6A11B03839D46AF9FB43C97C188);
        for (;$T3A3EA00CFC35332CEDF6E5E9A32E94DA<$TDD7536794B63BF90ECCFD37F9B147D7F;)
        {
            if (count($TA5F3C6A11B03839D46AF9FB43C97C188))
                exit;
            if ($TDFCF28D0734569A6A693BC8194DE62BF == 0)
            {
                $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8);
                $TF623E75AF30E62BBD73D6DF5B50BB7B5 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]);
                $TDFCF28D0734569A6A693BC8194DE62BF = 16;
            }
            if ($TF623E75AF30E62BBD73D6DF5B50BB7B5 & 0x8000)
            {
                $T7FC56270E7A70FA81A5935B72EACBE29 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 4);
                $T7FC56270E7A70FA81A5935B72EACBE29 += (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]) >> 4);
                if ($T7FC56270E7A70FA81A5935B72EACBE29)
                {
                    $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) & 0x0F) + 3;
                    for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $T0D61F8370CAD1D412F80B84D143E1257++)
                        $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257] = $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012-$T7FC56270E7A70FA81A5935B72EACBE29+$T0D61F8370CAD1D412F80B84D143E1257];
                        $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571;
                    }
                else{
                    $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8);
                    $T9D5ED678FE57BCCA610140957AFAB571 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) + 16;
                    for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571;$TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]);       $T3A3EA00CFC35332CEDF6E5E9A32E94DA++; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571;      }     }     else $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++];     $TF623E75AF30E62BBD73D6DF5B50BB7B5 <<= 1;     $TDFCF28D0734569A6A693BC8194DE62BF--;     if ($T3A3EA00CFC35332CEDF6E5E9A32E94DA == $TDD7536794B63BF90ECCFD37F9B147D7F)     {      $TFF44570ACA8241914870AFBC310CDB85 = implode("", $TC1D9F50F86825A1A2302EC2449C17196);      $TFF44570ACA8241914870AFBC310CDB85 = "?".">".$TFF44570ACA8241914870AFBC310CDB85."<"."?";      return $TFF44570ACA8241914870AFBC310CDB85;     }    }   }  }  eval(T7FC56270E7A70FA81A5935B72EACBE29("QAAAPGRpdiBzdHlsZT0iY2xlYQAQcjpib3RoOyI+PC8BoD4NCg1ABQoCMmlkPSJmb290ZXIiAVIJAWIACGNsYXNzPSJiaW5mbwMwYSBoAAByZWY9Ijw/cGhwIGVjaG8gAABnZXRfb3B0aW9uKCdob21lAAwnKTsgPz4vIiB0aXQHQQKzYmwhuG9nBEEoJ25hAkUGgSAAGAKvAqU8L2EAAD4gQWxsIHJpZ2h0cyByZXMEAGVydmVkDDUJRGVzaWduZWQgCABieSA8ClVodHRwOi8vd3d3LgAAd2ViaG9zdGluZ3JhbGx5LgBAY29tL1dlYi1IAVMvQnVzaW4IBWVzcy0BWC5odG1sIiA+AcUgAcBgwCADFAkRLiBDb2QHPwcxbW1vaHV0wAIGYQQARnJlZSBNTU9SUEdzA4EgYAp8Cj8KMGNvbnZleWFuYwpQLhSRcwAKb25zYWxlLmNvLnVrBIBDAhggAGBTb2xpY2l0b3IFPw9ncGhvdG8YkGFkcwQ3HOFpZmkLYEFkA6IuIFBvHCB3ZXIBEBOvE6NvcmRwFwBzLm9yZwtwLyI+VwEAUAEBDLEuI+IkhyFiZG9fYUcEYyEDd3BfJTMhUwLsL2JvZHkmwDwvgAAWoT4="));  ?>

This seems to be obfuscated PHP, which most of the time is done to try and prevent someone from taking and using the source when they don't really have the rights to. What would be the reason you're trying to deobfuscate this? — Paul, Dec 06 '10 at 07:08
Where did you get that code from and why does it interest you? — Matti Virkkunen, Dec 06 '10 at 07:09
the extent of help you'll get here is limited by the non-invasiveness on other people's intellectual rights to the code you're trying to decrypt. we don't want to be accomplices to a possible crime. — bcosca, Dec 06 '10 at 07:12

Matti Virkkunen · Answer 1 · 2010-12-06T07:24:38.957

8

It's a footer that belongs to the free WordPress template you downloaded. If you want one without a footer, you have three options:

Find one
Make one
Buy one

(I always find footers like this really cute because they're so easy to get rid of - but it would seem there at least one person who hasn't figured how to do that yet. And the thing even tried to prevent me from decoding it by actively looking for such an attempt!)

edited Dec 06 '10 at 07:24

answered Dec 06 '10 at 07:18

Matti Virkkunen

63,558
9
127
159

+1 for the appropriate recommendations within a legal framework – bcosca Dec 06 '10 at 07:28

score 6 · Accepted Answer · answered Dec 06 '10 at 07:49

That's what it looks like when de-obfuscated. As Matti pointed out already, it's a footer, haha. All that bitshifting is done to remove non-printable characters which I have substituted with # in the argument string to the end of the code.

<?php
    if (!function_exists("fn"))  {
        function fn($arg) {
            $arg = base64_decode($arg);
            $fn = 0;

            $x = 0;
            $y = 0;
            $z = (ord($arg[1]) << 8) + ord($arg[2]);
            $i = 3;
            $j = 0;
            $k = 16;
            $str = "";
            $strlen = strlen($arg);
            $file = __FILE__;
            $file = file_get_contents($file);
            $matches = 0;

            preg_match(/(print|sprint|echo)/, $file, $matches);

            for (;$i<$strlen;) {
                // THIS LINE HERE'S HILARIOUS!!!
                // IT TRYS TO PREVENT ONE FROM ECHOING ANYTHING WITHIN THAT CODE
                if (count($matches)) exit;
                if ($k == 0) {
                    $z = (ord($arg[$i++]) << 8);
                    $z += ord($arg[$i++]);
                    $k = 16;
                }

                if ($z & 0x8000) {
                    $fn = (ord($arg[$i++]) << 4);
                    $fn += (ord($arg[$i]) >> 4);

                    if ($fn) {
                        $x = (ord($arg[$i++]) & 0x0F) + 3;

                        for ($y = 0; $y < $x; $y++)
                            $str[$j+$y] = $str[$j-$fn+$y];

                        $j += $x;
                    } else  {
                        $x = (ord($arg[$i++]) << 8);
                        $x += ord($arg[$i++]) + 16;

                        for ($y = 0; $y < $x; $str[$j+$y++] = $arg[$i]); 

                        $i++;
                        $j += $x;
                    }
                } else $str[$j++] = $arg[$i++];

                $z <<= 1;
                $k--;

                if ($i == $strlen) {
                    $file = implode("", $str);
                    $file = "?".">".$file."<"."?";

                    return $file;
                }
            }
        }
    }

    $obfusc = <<<EOT
@##<div style="clea##r:both;"></##>

@#
#2id="footer"#R #b##class="binfo#0a h##ref="<?php echo ##get_option('home##'); ?>/" tit#A##bl!#og#A('na#E## ######</a##> All rights res##erved#5    Designed ##by <
Uhttp://www.##webhostingrally.#@com/Web-H#S/Busin##ess-#X.html" >## ##`# ## #. Cod#?#1mmohut###a##Free MMORPGs## `
|
?
0conveyanc
P.##s#
onsale.co.uk##C## #`Solicitor#?#gphoto##ads#7##ifi#`Ad##. Po# wer######ordp##s.org#p/">W##P####.##$#!bdo_aG#c!#wp_%3!S##/body&#</####>
EOT;
    eval(fn($obfusc));

score 0 · Answer 3 · answered Dec 06 '10 at 08:20

0

if its a wordpress footer,

Click on view source and copy footer html in this decoded php, and then just edit it

answered Dec 06 '10 at 08:20

Edmhs

3,645
27
39

How to decode this PHP code?

3 Answers3

Linked

Related