

// Seven fixed 32-byte keys for the layered XOR applied to every request and reply.
// NOTE(review): all seven keys have the same length, so XOR-ing with each in turn
// is equivalent to one XOR with a single 32-byte key. The keys ship inside this
// file, so the layer only obscures traffic: it does not keep it confidential and
// it does not authenticate the sender.
$xorKeys = [
    'JwmkgKMijgYVqZhCvkSdFIXsFyiMjMKx',
    'skzQHiqNZxypwtOVAzfCOhXqIassjeNZ',
    'aNCBAKMawlpLiecoIvtqjszURJuethey',
    'ZyQpMdNsRgVxUcTlKbEjWiHoArTyPlMn',
    'XcVeTbYnUiOkLmJhGfDsAzQwErTyUiOp',
    'MnBvCxZaSdFgHjKlQwErTyUiOpAsDfGh',
    'PlMnOkIjUhYgTfRdEsWaQzXcVbNmLkJi',
];
// The per-key variable names are kept for any code that refers to a single key.
list($xorKey1, $xorKey2, $xorKey3, $xorKey4, $xorKey5, $xorKey6, $xorKey7) = $xorKeys;
	 /**
	  * XOR every byte of $data with the repeating bytes of $key.
	  *
	  * The operation is its own inverse: calling it twice with the same key
	  * returns the original input. An empty $key with non-empty $data raises a
	  * modulo-by-zero error, because the key index is taken modulo the key length.
	  *
	  * @param string $data bytes to transform
	  * @param string $key  repeating key
	  * @return string transformed bytes, same length as $data
	  */
	 function xorEncrypt($data, $key) {
	     $dataLen = strlen($data);
	     $result = '';
	     $pos = 0;
	     while ($pos < $dataLen) {
	         // Byte-wise XOR of two one-character strings.
	         $result .= $data[$pos] ^ $key[$pos % strlen($key)];
	         $pos++;
	     }
	     return $result;
	 }
	 /**
	  * Undo the layered XOR by applying the keys from last to first.
	  *
	  * XOR is commutative, so the order does not change the result; the reverse
	  * order simply mirrors the sender's loop.
	  *
	  * @param string $data bytes received from the client (already base64-decoded)
	  * @param array  $keys keys in the order the sender applied them
	  * @return string de-obfuscated bytes
	  */
	 function multiLayerDecrypt($data, $keys) {
	     $remaining = array_values($keys);
	     while ($remaining) {
	         // array_pop() takes the last key first, i.e. reverse order.
	         $data = xorEncrypt($data, array_pop($remaining));
	     }
	     return $data;
	 }
	 /**
	  * Send a reply: XOR $msg with every key in the global $xorKeys, then echo
	  * the result as base64.
	  *
	  * NOTE(review): this is the only protection applied to replies in this file;
	  * with keys embedded in the source it is obfuscation, not encryption.
	  *
	  * @param string $msg plaintext reply
	  * @return void
	  */
	 function Message($msg) {
	     global $xorKeys;
	     $payload = $msg;
	     foreach ($xorKeys as $layerKey) {
	         $payload = xorEncrypt($payload, $layerKey);
	     }
	     echo base64_encode($payload);
	 }
 // Read the raw request body, base64-decode it, strip the XOR layers and parse
 // the result as a URL-encoded query string into $post_data.
 $data_input = file_get_contents("php://input");
 // Non-strict decode: characters outside the base64 alphabet are silently skipped.
 $data = base64_decode($data_input);
 $decrypted_data = multiLayerDecrypt($data, $xorKeys);
 // NOTE(review): every key and value in $post_data is request-controlled, and
 // parse_str() can also produce nested arrays. No check on this page establishes
 // who sent the request before the privileged handlers below act on it.
 parse_str($decrypted_data, $post_data);
 // Directory the script handlers below list, write to and delete from.
 $directory = __DIR__ . '/Scripts/';
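	 // Handler "list_scripts": reply with a JSON array of the *.lua file names
	 // found in the Scripts directory.
	 if (isset($post_data['list_scripts'])) {
	     // glob() returns false on error; treat that as "no files" so the reply
	     // is still a JSON array instead of triggering a foreach warning.
	     $files = glob($directory . '*.lua') ?: [];
	     // Only base names are returned, so the server path is not disclosed.
	     $result = array_map('basename', $files);
	     Message(json_encode($result));
	     // The original had an unreachable `exit` after this return.
	     return;
	 }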
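	 // Handler "delete_script_lua_file": delete one file from the Scripts
	 // directory. The file name arrives hex-encoded in $post_data['filename'].
	 // NOTE(review): this destructive action is reachable by anyone who can
	 // produce a validly encoded request; no caller authentication is visible here.
	 if (isset($post_data['delete_script_lua_file'])) {
	     $hex_filename = $post_data['filename'] ?? '';
	     // parse_str() can yield arrays; only a non-empty string is acceptable.
	     if (!is_string($hex_filename) || $hex_filename === '') {
	         Message("〄 Missing Filename For Deletion");
	         return;
	     }
	     // Guarded so a second definition elsewhere cannot cause a redeclare fatal.
	     if (!function_exists('hex2str')) {
	         /**
	          * Decode a hex string to bytes. Returns '' for anything that is not an
	          * even-length run of hex digits, instead of silently decoding garbage
	          * as hexdec() does when it meets non-hex characters.
	          */
	         function hex2str($hex) {
	             if (!is_string($hex) || preg_match('/\A(?:[0-9a-fA-F]{2})+\z/', $hex) !== 1) {
	                 return '';
	             }
	             return hex2bin($hex);
	         }
	     }
	     // basename() drops any directory component, keeping the target inside
	     // $directory.
	     $filename = basename(hex2str($hex_filename));
	     // Compare with '' rather than empty(): empty() would also reject the
	     // valid name "0". A NUL byte is rejected because filesystem functions
	     // refuse such paths.
	     if ($filename === '' || strpos($filename, "\0") !== false) {
	         Message("〄 Hex Decoding Error : Empty Filename");
	         exit;
	     }
	     // Force the .lua extension so no other file type can be targeted.
	     if (pathinfo($filename, PATHINFO_EXTENSION) !== 'lua') {
	         $filename .= '.lua';
	     }
	     $filepath = $directory . $filename;
	     if (!file_exists($filepath)) {
	         Message("〄 File Not Found");
	         exit;
	     }
	     if (!unlink($filepath)) {
	         Message("〄 Failed To Delete File $filename On Server");
	         exit;
	     }
	     Message("〄 Successfully Deleted File $filename On Server");
	     exit;
	 }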
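	 // Handler "upload_script_lua_file": write request-supplied content to a
	 // .lua file in the Scripts directory. Name and content arrive hex-encoded.
	 // NOTE(review): the content is stored as received; no size cap, content
	 // check or caller authentication is visible in this file.
	 if (isset($post_data['upload_script_lua_file'])) {
	     // Guarded so a second definition elsewhere cannot cause a redeclare fatal.
	     if (!function_exists('hex2str')) {
	         /**
	          * Decode a hex string to bytes. Returns '' for anything that is not an
	          * even-length run of hex digits, instead of silently decoding garbage
	          * as hexdec() does when it meets non-hex characters.
	          */
	         function hex2str($hex) {
	             if (!is_string($hex) || preg_match('/\A(?:[0-9a-fA-F]{2})+\z/', $hex) !== 1) {
	                 return '';
	             }
	             return hex2bin($hex);
	         }
	     }
	     $hex_filename = $post_data['filename'] ?? '';
	     $hex_code = $post_data['content'] ?? '';
	     // parse_str() can yield arrays; only non-empty strings are acceptable.
	     if (!is_string($hex_filename) || $hex_filename === ''
	         || !is_string($hex_code) || $hex_code === '') {
	         Message("〄 Missing POST Data : Filename Or Lua_code");
	         exit;
	     }
	     // basename() drops any directory component, keeping the target inside
	     // $directory.
	     $filename = basename(hex2str($hex_filename));
	     $lua_content = hex2str($hex_code);
	     // Compare with '' rather than empty(): empty() would also reject the
	     // valid values "0". A NUL byte in the name is rejected because
	     // filesystem functions refuse such paths.
	     if ($filename === '' || $lua_content === '' || strpos($filename, "\0") !== false) {
	         Message("〄 Hex Decoding Error : Empty Filename Or Content");
	         exit;
	     }
	     // Force the .lua extension so the stored file always ends in .lua.
	     if (pathinfo($filename, PATHINFO_EXTENSION) !== 'lua') {
	         $filename .= '.lua';
	     }
	     $filepath = $directory . $filename;
	     // LOCK_EX keeps two concurrent uploads of the same name from interleaving.
	     if (file_put_contents($filepath, $lua_content, LOCK_EX) === false) {
	         // Report the file name only; the original echoed the absolute server
	         // path back to the client.
	         Message("〄 Failed To Write To File At $filename");
	         exit;
	     }
	     Message("〄 File $filename Uploaded To Server Successfully");
	     exit;
	 }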
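	 // Handler "format_data": delete every regular file directly inside the
	 // File/ directory next to this script and report how many were removed.
	 // NOTE(review): File/ is also where the user and key JSON stores are created
	 // further down (via a relative path), so this presumably wipes them too; the
	 // only gate is the literal value 'yes' in the request — confirm that is intended.
	 if (isset($post_data['format_data']) && $post_data['format_data'] === 'yes') {
	     $dataDir = __DIR__ . '/File/';
	     $deletedFilesCount = 0;
	     if (!is_dir($dataDir)) {
	         Message("〄 Data Directory Not Found");
	         return;
	     }
	     // scandir() returns false on failure; fall back to an empty listing.
	     $entries = scandir($dataDir);
	     // The decoded source read `array(, '..')`, which does not parse; the
	     // intent is to drop the "." and ".." directory entries.
	     $files = array_diff($entries === false ? [] : $entries, ['.', '..']);
	     if (empty($files)) {
	         Message("〄 No Files To Delete In The Data Directory");
	         return;
	     }
	     foreach ($files as $file) {
	         $filePath = $dataDir . $file;
	         // Sub-directories are skipped; only files that were actually
	         // removed are counted.
	         if (is_file($filePath) && unlink($filePath)) {
	             $deletedFilesCount++;
	         }
	     }
	     Message("〄 Successfully Deleted $deletedFilesCount Files On Server");
	     return;
	 }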
 // Device registry: a JSON object keyed by device id.
 // NOTE(review): this path is relative to the current working directory, while
 // the script and data directories above are built from __DIR__; the two only
 // coincide when the script runs from its own directory.
 $lawFile = 'File/user.json';
 if (file_exists($lawFile) === false) {
     // Seed the store with an empty JSON array on first use.
     file_put_contents($lawFile, json_encode([], JSON_PRETTY_PRINT));
 }
 $lawData = file_get_contents($lawFile);
 $laws = json_decode($lawData, true);
 // Create the Scripts directory if needed. This runs after the script
 // list/delete/upload handlers above, which return or exit before reaching it.
 if (!is_dir($directory) && !mkdir($directory, 0755, true)) {
     echo "〄 Failed To Create Scripts Directory";
     exit;
 }
	 // Handler "get_info_device_id": reply with the stored record for one device.
	 if (isset($post_data['get_info_device_id'])) {
	     // isset() above already guarantees the key is present and non-null.
	     $deviceId = $post_data['get_info_device_id'];
	     if (!$deviceId) {
	         Message(json_encode(["message" => "〄 Missing Device_id In POST Body"]));
	         return;
	     }
	     // Re-read the store so the reply reflects the file's current content.
	     $laws = json_decode(file_get_contents($lawFile), true);
	     $reply = isset($laws[$deviceId])
	         ? json_encode([$deviceId => $laws[$deviceId]], JSON_PRETTY_PRINT)
	         : json_encode(["message" => "〄 Device ID Not Found"]);
	     Message($reply);
	     return;
	 }
	 // Handler "list_device": reply with the JSON list of all known device ids.
	 if (isset($post_data['list_device'])) {
	     $laws = json_decode(file_get_contents($lawFile), true);
	     if (empty($laws)) {
	         // Covers both an empty store and a store that failed to decode.
	         Message(json_encode(["message" => "〄 Device ID Not Found"]));
	         return;
	     }
	     Message(json_encode(array_keys($laws), JSON_PRETTY_PRINT));
	     return;
	 }
	 // Handler "status_board": one numbered line per device with its
	 // connection status. Uses the $laws array loaded when the script started.
	 if (isset($post_data['status_board'])) {
	     if (empty($laws)) {
	         Message("〄 Device ID Not Found With Any Status");
	         exit;
	     }
	     // Known statuses get a decorated label; anything else is shown verbatim.
	     $labels = [
	         'ONLINE' => '𝗢𝗡𝗟𝗜𝗡𝗘 🟢',
	         'OFFLINE' => '𝗢𝗙𝗙𝗟𝗜𝗡𝗘 🔴',
	     ];
	     $output = "";
	     $counter = 1;
	     foreach ($laws as $id => $info) {
	         $status = $info['connected_status'] ?? 'N/A';
	         $display = $labels[strtoupper($status)] ?? $status;
	         $output .= "#" . $counter . "  [ " . $id . " ] - [ " . $display . " ]\n\n";
	         $counter++;
	     }
	     Message($output);
	     exit;
	 }
	 // Handler "ban_user": mark a device as banned and clear any temporary lock.
	 // NOTE(review): the device id comes straight from the request and no caller
	 // authentication is visible in this file.
	 if (isset($post_data['ban_user'])) {
	     $deviceId = $post_data['ban_user'];
	     $laws = json_decode(file_get_contents($lawFile), true);
	     if (!isset($laws[$deviceId])) {
	         Message("〄 Device Not Found");
	         return;
	     }
	     // Reads 'status' without isset(); a record lacking it raises a warning.
	     if ($laws[$deviceId]['status'] === 'banned') {
	         Message("〄 Device ID : $deviceId \nHas Already Been Banned, Cannot Ban Again");
	         return;
	     }
	     $record = $laws[$deviceId];
	     $record['status'] = 'banned';
	     $record['lock_time'] = 'No';
	     unset($record['lock_end_time'], $record['reason']);
	     $record['punishment_count'] = 0;
	     $laws[$deviceId] = $record;
	     // Read-modify-write of the whole store, without file locking.
	     file_put_contents($lawFile, json_encode($laws, JSON_PRETTY_PRINT));
	     Message("〄 Device ID : $deviceId \n Has Been Banned, Access Lost From Now On");
	     return;
	 }
	 // Handler "unban_user": lift a ban and reset the lock fields.
	 if (isset($post_data['unban_user'])) {
	     $deviceId = $post_data['unban_user'];
	     $laws = json_decode(file_get_contents($lawFile), true);
	     if (!isset($laws[$deviceId])) {
	         Message("〄 Device Not Found");
	         return;
	     }
	     // Only a record whose status is exactly 'banned' can be unbanned.
	     if ($laws[$deviceId]['status'] !== 'banned') {
	         Message("〄 Device ID : $deviceId \nIs Not Currently Banned, Cannot Unban");
	         return;
	     }
	     $record = $laws[$deviceId];
	     $record['status'] = 'unbanned';
	     $record['lock_time'] = 'No';
	     unset($record['lock_end_time'], $record['reason']);
	     $record['punishment_count'] = 0;
	     $laws[$deviceId] = $record;
	     // Read-modify-write of the whole store, without file locking.
	     file_put_contents($lawFile, json_encode($laws, JSON_PRETTY_PRINT));
	     Message("〄 Device ID : $deviceId \nHas Been UnBanned, From Now On Have Access");
	     return;
	 }
	 // Handler "temp_lock_user": put a device into 'temporary lock' with an end
	 // time and an optional reason.
	 if (isset($post_data['temp_lock_user'])) {
	     $deviceId = $post_data['temp_lock_user'];
	     $laws = json_decode(file_get_contents($lawFile), true);
	     if (!isset($laws[$deviceId])) {
	         Message("〄 Device Not Found");
	         return;
	     }
	     if (isset($laws[$deviceId]['status']) && $laws[$deviceId]['status'] === 'temporary lock') {
	         Message("〄 Device ID : $deviceId\n Is Already Temporarily Locked");
	         return;
	     }
	     // Without an explicit end time the lock ends at the current server time.
	     // NOTE(review): both values are stored as received; the end time is not
	     // checked to be a date.
	     $lockEndTime = $post_data['lock_end_time'] ?? date("Y-m-d H:i:s");
	     $reason = $post_data['reason'] ?? '';
	     $laws[$deviceId]['status'] = 'temporary lock';
	     $laws[$deviceId]['lock_time'] = 'Yes';
	     $laws[$deviceId]['lock_end_time'] = $lockEndTime;
	     $laws[$deviceId]['reason'] = $reason;
	     file_put_contents($lawFile, json_encode($laws, JSON_PRETTY_PRINT));
	     Message("〄 Device ID : $deviceId\n Has Been Temporarily Locked Until $lockEndTime\n\n * Reason: " . ($reason ?: 'No reason provided'));
	     return;
	 }
	 // Handler "unlock_temp_lock_user": clear a temporary lock on a device.
	 if (isset($post_data['unlock_temp_lock_user'])) {
	     $deviceId = $post_data['unlock_temp_lock_user'];
	     $laws = json_decode(file_get_contents($lawFile), true);
	     if (!isset($laws[$deviceId])) {
	         Message("〄 Device Not Found");
	         return;
	     }
	     // lock_time === 'No' is the marker for "not locked".
	     if (isset($laws[$deviceId]['lock_time']) && $laws[$deviceId]['lock_time'] === 'No') {
	         Message("〄 Device ID : $deviceId\n Is Already Unlocked");
	         return;
	     }
	     // The status is set to 'unbanned' whatever it was before, so this also
	     // clears a ban whose lock_time is not 'No'.
	     $record = $laws[$deviceId];
	     $record['status'] = 'unbanned';
	     $record['lock_time'] = 'No';
	     unset($record['lock_end_time'], $record['reason']);
	     $record['punishment_count'] = 0;
	     $laws[$deviceId] = $record;
	     file_put_contents($lawFile, json_encode($laws, JSON_PRETTY_PRINT));
	     Message("〄 Device ID : $deviceId\n Has Been Unlocked Temporary Lock Out");
	     return;
	 }
	 // Handler "reset_punishment_count_user": set a device's punishment_count to 0.
	 if (isset($post_data['reset_punishment_count_user'])) {
	     $deviceId = $post_data['reset_punishment_count_user'];
	     $laws = json_decode(file_get_contents($lawFile), true);
	     if (!isset($laws[$deviceId])) {
	         Message("〄 Device Not Found");
	         return;
	     }
	     // Strict comparison: only the integer 0 counts as "already reset".
	     $alreadyZero = isset($laws[$deviceId]['punishment_count'])
	         && $laws[$deviceId]['punishment_count'] === 0;
	     if ($alreadyZero) {
	         Message("〄 Device ID : $deviceId\n Punishment Count Is Already 0, Cannot Reset");
	         return;
	     }
	     $laws[$deviceId]['punishment_count'] = 0;
	     file_put_contents($lawFile, json_encode($laws, JSON_PRETTY_PRINT));
	     Message("Punishment Count Has Been Reset To 0 For Device ID : $deviceId");
	     return;
	 }
 // Licence-key store: a JSON object keyed by key name. The path is relative
 // to the current working directory.
 $keyFile = 'File/key.json';
 if (file_exists($keyFile) === false) {
     // Seed the store with an empty JSON array on first use.
     file_put_contents($keyFile, json_encode([], JSON_PRETTY_PRINT));
 }
 // Handler "list_key_register": reply with the complete key store.
 // NOTE(review): the reply contains every key record, including the bound
 // device ids and the script value, and no caller authentication is visible here.
 if (isset($post_data['list_key_register'])) {
     $data = json_decode(file_get_contents($keyFile), true);
     $reply = empty($data)
         ? json_encode(["message" => "〄 Key Not Found"])
         : json_encode($data, JSON_PRETTY_PRINT);
     Message($reply);
     return;
 }
	 // Handler "delete_key_register": remove one key record from the store.
	 if (isset($post_data['delete_key_register'])) {
	     $deleteKey = $post_data['delete_key_register'];
	     $data = json_decode(file_get_contents($keyFile), true);
	     if (!isset($data[$deleteKey])) {
	         Message("〄 Key Not Found");
	         return;
	     }
	     unset($data[$deleteKey]);
	     // Read-modify-write of the whole store, without file locking.
	     file_put_contents($keyFile, json_encode($data, JSON_PRETTY_PRINT));
	     Message("〄 Key Deleted Successfully");
	     return;
	 }
	 // Handler "create_key_register": add a new licence key record.
	 if (isset($post_data['create_key_register'])) {
	     // All five fields are mandatory.
	     $haveAll = isset(
	         $post_data['key_name'],
	         $post_data['start_time'],
	         $post_data['expiry_date'],
	         $post_data['max_users'],
	         $post_data['script']
	     );
	     if (!$haveAll) {
	         Message("〄 Missing Required Parameters");
	         return;
	     }
	     $keyName = $post_data['key_name'];
	     // Key names are limited to 1-16 ASCII letters and digits.
	     if (strlen($keyName) > 16 || !preg_match('/^[a-zA-Z0-9]+$/', $keyName)) {
	         Message("〄 Key Name Must Be 16 Characters Or Less And Contain Only Letters And Numbers");
	         return;
	     }
	     $maxUsers = (int)$post_data['max_users'];
	     if (!is_numeric($post_data['max_users']) || $maxUsers <= 0 || $maxUsers > 1000) {
	         Message("〄 Max Users Must Be A Number Between 1 And 1000");
	         return;
	     }
	     $data = json_decode(file_get_contents($keyFile), true);
	     if (isset($data[$keyName])) {
	         Message("〄 Key Already Exists");
	         return;
	     }
	     // NOTE(review): start_time, expiry_date and script are stored exactly as
	     // received; only key_name and max_users are validated.
	     $data[$keyName] = [
	         'start_time' => $post_data['start_time'],
	         'expiry_date' => $post_data['expiry_date'],
	         'max_users' => $maxUsers,
	         'used_count' => 0,
	         'script' => $post_data['script'],
	         'device_ids' => [],
	     ];
	     file_put_contents($keyFile, json_encode($data, JSON_PRETTY_PRINT));
	     Message("〄 Key " . $keyName . " Created Successfully");
	     return;
	 }
	 // Handler "reset_used_count_key": set a key's used_count back to 0.
	 if (isset($post_data['reset_used_count_key'])) {
	     $resetKey = $post_data['reset_used_count_key'];
	     $data = json_decode(file_get_contents($keyFile), true);
	     if (!isset($data[$resetKey])) {
	         Message("〄 Key Not Found");
	         return;
	     }
	     // Strict comparison: only the integer 0 counts as "already reset".
	     if ($data[$resetKey]['used_count'] === 0) {
	         Message("〄 Used Count Is Already 0, Cannot Reset");
	         return;
	     }
	     // Only the counter changes; the record's device_ids list is left as is.
	     $data[$resetKey]['used_count'] = 0;
	     file_put_contents($keyFile, json_encode($data, JSON_PRETTY_PRINT));
	     Message("〄 Used Count Has been Reset To 0 For " . $resetKey);
	     return;
	 }
	 // Liveness probe: the only handler driven by a query-string parameter, and
	 // the reply is sent in plain text rather than through Message().
	 if (isset($_GET['connected'])) {
	     print "connected";
	     return;
	 }
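	 // Handler "edit_key_register": update selected fields of an existing key.
	 // Nothing is written until every supplied field has been accepted.
	 if (isset($post_data['edit_key_register'])) {
	     $editKey = $post_data['edit_key_register'];
	     $data = json_decode(file_get_contents($keyFile), true);
	     if (!isset($data[$editKey])) {
	         // NOTE(review): the error replies in this handler use a plain echo
	         // while every other handler replies through Message(); left as is
	         // because clients may depend on it — confirm.
	         echo "〄 Key Not Found";
	         return;
	     }
	     if (isset($post_data['start_time'])) {
	         $data[$editKey]['start_time'] = $post_data['start_time'];
	     }
	     if (isset($post_data['expiry_date'])) {
	         $data[$editKey]['expiry_date'] = $post_data['expiry_date'];
	     }
	     if (isset($post_data['max_users'])) {
	         $maxUsers = (int)$post_data['max_users'];
	         // Same rule as key creation. The original only checked the upper
	         // bound, so zero, negative and non-numeric values were stored.
	         if (!is_numeric($post_data['max_users']) || $maxUsers <= 0 || $maxUsers > 1000) {
	             echo "〄 Max Users Must Be A Number Between 1 And 1000";
	             return;
	         }
	         $data[$editKey]['max_users'] = $maxUsers;
	     }
	     if (isset($post_data['script'])) {
	         $data[$editKey]['script'] = $post_data['script'];
	     }
	     file_put_contents($keyFile, json_encode($data, JSON_PRETTY_PRINT));
	     Message("〄 Key $editKey Updated Successfully");
	     return;
	 }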
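 // Secret used both to derive the session id and as the AES key below.
 // NOTE(review): it is hard-coded, and it is 16 bytes long while aes-256-cbc
 // takes a 32-byte key; openssl_encrypt() pads a short key with NUL bytes.
 $secretKey = 'B7f9X!pQz2Klm#4d';
 // Handler "request": attach a session id and relay the decoded request to the
 // upstream server as JSON, then return the upstream reply through Message().
 if (isset($post_data['request'])) {
     $userAgent = $_SERVER['HTTP_USER_AGENT'] ?? '';
     $combined = $secretKey . $userAgent;
     $hash = hash('sha256', $combined);
     // UUID-shaped id taken from the first 32 hex digits of the hash.
     // NOTE(review): the id depends only on the fixed secret and the
     // User-Agent header, so every client sending the same header gets the same
     // id; it does not identify a user or a device.
     $session_id = substr($hash, 0, 8) . '-' . substr($hash, 8, 4) . '-' . substr($hash, 12, 4) . '-' . substr($hash, 16, 4) . '-' . substr($hash, 20, 12);
     // Relative path: the file lands in the current working directory.
     $session_file = $session_id . '.json';
     /**
      * AES-256-CBC encrypt $data; returns base64(IV . ciphertext).
      * NOTE(review): CBC without a MAC gives no integrity protection.
      */
     function encrypt($data, $encryptionKey) {
         // random_bytes() throws on failure instead of returning false.
         $iv = random_bytes(openssl_cipher_iv_length('aes-256-cbc'));
         $encrypted = openssl_encrypt($data, 'aes-256-cbc', $encryptionKey, 0, $iv);
         return base64_encode($iv . $encrypted);
     }
     /**
      * Inverse of encrypt(); returns false when decryption fails.
      */
     function decrypt($data, $encryptionKey) {
         $decoded = base64_decode($data);
         $ivLength = openssl_cipher_iv_length('aes-256-cbc');
         $iv = substr($decoded, 0, $ivLength);
         $encrypted = substr($decoded, $ivLength);
         return openssl_decrypt($encrypted, 'aes-256-cbc', $encryptionKey, 0, $iv);
     }
     if (file_exists($session_file)) {
         $encrypted_data = file_get_contents($session_file);
         $decrypted_data = decrypt($encrypted_data, $secretKey);
         $session_data = json_decode((string) $decrypted_data, true);
         // Keep the derived id when the stored file cannot be decrypted or
         // parsed; the original then forwarded a null session_id.
         if (is_array($session_data) && isset($session_data['session_id'])) {
             $session_id = $session_data['session_id'];
         }
     } else {
         $session_data = array('session_id' => $session_id);
         $json_data = json_encode($session_data);
         $encrypted_data = encrypt($json_data, $secretKey);
         file_put_contents($session_file, $encrypted_data);
     }
     // Every decoded request field is forwarded, plus the session id.
     $data = $post_data;
     $data['session_id'] = $session_id;
     $main_server_url = 'https://twinz.strangled.net/Server.php';
     $ch = curl_init($main_server_url);
     curl_setopt($ch, CURLOPT_POST, 1);
     curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
     curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
     curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json'));
     // NOTE(review): no timeout is set, so a stalled upstream holds this request
     // open. Certificate verification is left at the library defaults.
     $response = curl_exec($ch);
     if (curl_errno($ch)) {
         $error_response = array( 'status' => 'error', 'message' => 'Error sending request to main_server: ' . curl_error($ch) );
         $reply = json_encode($error_response);
     } else {
         $reply = $response;
     }
     // Close the handle before replying; in the original both branches
     // returned first, so curl_close() was never reached.
     curl_close($ch);
     Message($reply);
     return;
 } else {
     $error_response = array( 'status' => 'error', 'message' => 'Invalid request. Only POST with request parameter is accepted.' );
     Message(json_encode($error_response));
     return;
 }
 // Not reached: both branches above return.
 Message("〄 Missing Or Invalid Parameters");
 return;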


