Online PHP and JavaScript Decoder: decodes hidden scripts to uncover their real functionality


        // Signature regex for obfuscated or injected JavaScript. It is one
        // case-insensitive alternation, so a hit only says that some branch
        // matched; the caller must inspect the captured text to learn which.
        // Branches visible in the pattern include:
        //   - pipe-delimited tokens (|MakeFrameEx|, |yahoo_api|, |exec|)
        //   - window/document aliasing (ww=window, ww.document), visibility:hidden
        //   - the word "script" split across a string concatenation (scr"+"ipt)
        //   - runs of \x.., \u00.. and percent-encoded characters
        //   - _0x-prefixed identifiers, and "eval" spelled backwards (lave( / (lave)
        // NOTE(review): several branches are very broad. (0|1){8} matches any
        // eight consecutive 0/1 characters, and (\\"(.*)\\")+ reaches PCRE as
        // (\"(.*)\")+, i.e. any double-quoted run on a single line. Treat a
        // match as a triage signal for manual review, not as a verdict.
        // NOTE(review): the call site is not shown. If this is used with
        // preg_match(), a return of false (e.g. backtrack limit hit by the
        // greedy (.*) inside a repeated group) must not be read as "clean";
        // confirm the caller checks for it.
        $js_pattern = '/(\|MakeFrameEx\||\|yahoo_api\||\|exec\||ww=window|ww\.document|visibility:hidden|rotatingtext\[\d\]=\"I\sMISS\sYOU\"|\(!l1l&&!ll1&&!lll\)|s(\W){2,6}c(\W){2,6}r|(\'|")i(\'|")(\.|\+|\s)(\+|\'|"|\.)(\s|f)(\'|")(f|\+|\.)|scr("|\')(|\s)\+(|\s)("|\')ipt|(\\\x(\d|\w[^a])(\d[^0]|\w))+|((%\d(\w|\d){1})+%)|%\d(\w|\d){3}|\(\'hideme\'\)|\["style"\]\["visibility"\]|useragent\.match\(\/(\^(\w|\d){1,}\.\*\|)+|xtrackPageview|document\.write\(\'<\'\+x\[\d\]\+\'>|\\\u00(\d|\w){5,}|(\\"(.*)\\")+|(\$(\d){2}){2}|(0|1){8}|_0x(\d|\w){4}|lave(\(|\))|(\(|\))lave)/i';

        // Signature regex for suspicious .htaccess directives (case-insensitive
        // alternation). Branches visible in the pattern:
        //   - RewriteCond on HTTP_REFERER that names a search engine or social
        //     site (google, yahoo, aol, bing, ask, facebook, twitter, msn) where
        //     the character just before the name is not "!"
        //   - ErrorDocument 400/403/404 whose target starts with http:, https:
        //     or a bare ":"
        //   - four consecutive RewriteCond HTTP_USER_AGENT conditions
        //   - RewriteRule pointing at a short-named .php file with a short
        //     query parameter
        //   - RewriteRule containing (htm|pdf|jar) or {QUERY_STRING}
        // Presumably aimed at conditional-redirect injections; confirm against
        // the caller. NOTE(review): the {QUERY_STRING} and referer branches
        // also match ordinary rewrite rules, so hits need manual review.
        $htaccess_pattern = '/(RewriteCond\s%\{HTTP_REFERER\}\s(.*)[^!](google|yahoo|aol|bing|ask|facebook|twitter|msn)|ErrorDocument\s(400|403|404)\s(http|https|):|(RewriteCond\s%\{HTTP_USER_AGENT\}(.*\]\s*)){4}|RewriteRule(.*)(\w|\d){1,8}\.php\?(\w|\d){1,6}=(\$|)(\s|\d){1,3}|RewriteRule(.*)\(htm\|pdf\|jar\)|RewriteRule(.*)\{QUERY_STRING\})/i';

        // Signature regex for obfuscated or injected PHP (case-insensitive
        // alternation; it also repeats several of the JavaScript signatures).
        // Branches visible in the pattern include:
        //   - base64_decode( and its reversed spelling edoced_46esab, plus
        //     "base" . "64" . "decode" assembled by string concatenation
        //   - gzinflate(, eval split across a concatenation, reversed eval (lave)
        //   - preg_replace with the /e (evaluate) modifier
        //   - __halt_compiler, hex-escape pairs, _0x-style identifiers
        //   - $_COOKIE indexed via str_replace(... $_SERVER['HTTP_HOST'])
        //   - URL-encoded markup (%3C%21, %3Cscript%3E, double-encoded %253C)
        //   - fixed strings such as k2ll33d, ekibastos and 'Windows-1251'
        // NOTE(review): some branches are broad enough to hit benign code:
        // "O0" under the /i flag matches any "o0", (0|1){8} matches any eight
        // 0/1 characters, and (\\"(.*)\\")+ reaches PCRE as (\"(.*)\")+, i.e.
        // any double-quoted run on one line. Treat a match as a lead to review.
        // NOTE(review): after single-quote unescaping, \\b\\a\\s reaches PCRE
        // as \b\a\s (word boundary, BEL, whitespace) rather than a literal
        // backslash sequence; confirm that is the intent.
        // Previous form of the "base...64..._de...code" branch, kept for reference:
        // old: base\'\.\(\d{1,3}\*\d{1,3}\)\.\'_de\'\.\'code
        $php_pattern = '/(base64_decode\(|edoced_46esab|base\'\.\(\d{1,3}(|\s)(\*|\/)(|\s)\d{1,3}\)\.\'_de\'\.\'code|("|\')base(.*)\.(.*)64(.*)(_|\.|)decode("|\')|gzinflate\(|O0|ev("|\')(.*)\.("|\')al\(|lave(\(|\))|(\(|\))lave|preg_replace\(("|\')(\/(\w{1,}|\.\*))\/e|(\\\x(\d|\w){2,3}\\\x(\d|\w){2,3})|__halt_compiler|k2ll33d|\(!l1l&&!ll1&&!lll\)|\|iframe\||\|MakeFrameEx\||\|yahoo_api\||ww=window|ww\.document|ekibastos|scr("|\')(|\s)\+(|\s)("|\')ipt|\(\'hideme\'\)|\["style"\]\["visibility"\]|useragent\.match\(\/(\^(\w|\d){1,}\.\*\|)+|xtrackPageview|\$_COOKIE(|\s)\[str_replace\(.*\$_SERVER\[\'HTTP_HOST\'\]\)\]|\$_\w___\w|\'Windows-1251\'|document\.write\(\'<\'\+x\[\d\]\+\'>|\+(|\s)(\'|")\w(\'|")(|\s)\+|(\\"(.*)\\")+|(|\[)_0x(\w|\d){1,6}\[\d{1,3}\]{1,2}|\\b\\a\\s|\\\u00(\d|\w){5,}|(\'|")i(\'|")(\.|\+|\s)(\+|\'|"|\.)(\s|f)(\'|")(f|\+|\.)|s(\W){2,6}c(\W){2,6}r|(\$\w{1,3}\{\d{1,2}\}(|\s)\.(|\s)){3}|\$<(\d|\w){2}>|\$_(\/\*)|%3C%21|%3Cscript%3E|%253C|(%\d(\w|\d)){5}|\$(\d|\w){1,}\[\'(\d|\w){1,}\'\]\[(\d){1,3}\](\s\.|\.)(\$|\s\$)|(\$(\w){2}\[\d{1,2}\]\.)+|(0|1){8}|_0x(\d|\w){4}|\(64\)(\s|)\.(\s|)(\'|")_(\'|"))/i';
                
        // Signature regex for code or markup that should not appear in an
        // image: the PHP open tag, code-execution and process functions
        // (eval, exec, popen, passthru, shell_exec, proc_open, pcntl_exec,
        // system, create_function), file-write functions, decoding helpers,
        // request superglobals, and HTML/JS markers (<script, <html>,
        // <textarea, createElement, visibility:).
        // Presumably run against the contents of image files; verify against
        // the caller.
        // NOTE(review): tokens such as isset, function and javascript are
        // matched as bare case-insensitive substrings. Only these literal
        // spellings are listed, so a clean result does not show that the
        // file carries no executable content.
        $image_pattern = '/(<\?php|eval\(|exec\(|popen\(|create_function\(|passthru\(|shell_exec\(|proc_open\(|pcntl_exec\(|fopen\(|fputs\(|file_put_contents\(|fwrite\(|gzinflate\(|base64_decode\(|isset|\$_REQUEST|\$_FILES|\$_GET|\$_POST|\$_SERVER|\$_SESSION|system\(|\'cmd\'|__halt_compiler|<script|javascript|function|createElement|<html>|visibility:|<textarea)/i';
                
        ## MScan Database Scan patterns
        // Plain substrings to look for in database content: eval and
        // base64_decode in forward and reversed spelling, script/iframe/
        // noscript tags, and the CSS properties display: and visibility:.
        // NOTE(review): how these are used is not shown here. If they are
        // placed into SQL (e.g. LIKE clauses), confirm they are bound as
        // parameters rather than concatenated into the query.
        // NOTE(review): '<script', 'display:' and 'visibility:' also occur in
        // legitimate stored markup, so matches are leads to review by hand.
        $search1 = 'eval(';
        $search2 = '(lave';             
        $search3 = 'base64_decode';             
        $search4 = 'edoced_46esab';
        $search5 = '<script';
        $search6 = '<iframe';
        $search7 = '<noscript';
        $search8 = 'display:';
        $search9 = 'visibility:';
        
        // Case-insensitive regexes covering the same eval / base64_decode
        // spellings as $search1-$search4.
        $eval_match = '/(eval\(|\(lave)/i';
        $base64_decode_match = '/(base64_decode|edoced_46esab)/i';
        // Human-readable labels naming what each regex above looks for;
        // presumably shown in scan results (verify against the caller).
        $eval_text = 'eval( or (lave';
        $base64_decode_text = 'base64_decode or edoced_46esab';


