How to Decode PhpCipher

PhpCipher is an encryption without a loader that can be decoded 100% correctly. It doesn’t matter if the files have been encoded with a license or not, they can be decoded without errors.

As you know, a script encoded with PhpCipher comes with an auxiliary file named “phpcipher.bin”. This files is loaded by all the php files encoded with PhpCipher like a functions file and, for a better protection, “phpcipher.bin” is encoded with Zend Guard and php 5.2

To decode a php file encrypted with PhpCipher you will have to make the following steps:

• Decode “phpcipher.bin” and extract from it an encryption key, an array actually.
• Extract the encrypted code from the target php file.
• Place the two variables from above in a function which will give the decoded file.

Decode “phpcipher.bin”.

Phpcipher.bin is encoded with Zend Guard and php 5.2 and it can be decoded by any decoder made for IonCube and php 5.2. You can find, free on the internet, the following programs: iDezender_40 or iDezender8.

• Change the extension “phpcipher.bin” to “phpcipher.php”.
• Put the file into one of the decoders above and it will be decoded.

You can extract then this array: “$phpCipher2873a7e1e7e09b518d6c49ad2391d5d0“. Keep in mind that this key is unique for each script.

$phpCipher2873a7e1e7e09b518d6c49ad2391d5d0 = array( "d" => "A", "7" => "B", "W" => "C", "h" => "D", "8" => "E", "w" => "F", "X" => "G", "y" => "H", "V" => "I", "o" => "J", "C" => "K", "u" => "L", "n" => "M", "B" => "N", "I" => "O", "m" => "P", "5" => "Q", "/" => "R", "l" => "S", "R" => "T", "z" => "U", "e" => "V", "p" => "W", "0" => "X", "=" => "Y", "N" => "Z", "9" => "a", "S" => "b", "f" => "c", "Q" => "d", "J" => "e", "T" => "f", "D" => "g", "4" => "h", "H" => "i", "v" => "j", "j" => "k", "2" => "l", "3" => "m", "c" => "n", "Y" => "o", "Z" => "p", "P" => "q", "6" => "r", "U" => "s", "q" => "t", "K" => "u", "k" => "v", "G" => "w", "x" => "x", "r" => "y", "b" => "z", "1" => "0", "M" => "1", "A" => "2", "a" => "3", "O" => "4", "+" => "5", "s" => "6", "t" => "7", "L" => "8", "E" => "9", "g" => "+", "F" => "/", "i" => "=" );

Extract the code from the php file.

In each php file encode with PhpCipher, you will find this variable: “$phpCipher“. Extract all the code.

$phpCipher='PHPCipher Free Account, for personal use only. Distribution is not allowed. CPSeLnEdfo/czHexD98MEY+pfIp5pep4PdqnaXygKwsJ/OFkGgXdOSdCrhspZ9QRZRN6HgFY5 6+yY7AtRGpnjKceSPaHjZDdo+t5bEypordfBSP5DHBj8atprE1PSfLTAJ1AOTG/a1pbU1U=fl TFZn7fcVvoQYKFbhUyghxJWgkcAUOZAEy6tXjTfgle2UOkAdy7HrxUJ16UlWjpGxjvOTEWVqb T4qFOltf9NJsylxxrdnDTNCTNnoERGr+/bpLmroW7BWFKvGSrTpaVcRVLd1ax8lb=ZmFOd5X= P5p+2TZa5DqYHZK6gl7czE+s682kpaHkfqXAb=7SPKZGtyewNCy/d3aU6ILKCWdP/0hr7w1Z9 enh8dOQARwaa5VmcZ//5F2mvMRUN46R+2NkNvucNmXbd6fGpmeVmd0fyI5duleYxEevpq1Hfd bjLUNy8oy69BvA=OoS/L0axRXbYfljK=TVZvr8bfAarf=wKf3Ps5hxzjgWgLxbLDWju8ae4=q RIB8jKcrQD24b8cb//uG63Z+VMysR4owqU2o5aYUQofcGGUK0sKlFErBo2J6wywz8gx3FwfnO b3X03CP2T+qRtzeqR9trmwBAM4jHk02eubp8o0lZ93At5EoCttjHDgblUfATop/Kq6CC5bdzg XxIFAlwAvZ5JcGwRuNOUTa+OQy5oyzY7P7GVDfWnv54NNDAa3nIQDr5ZWfmHKFIWq4h5ogJJn rJkEIOpIohj9UFPy8BRLhaWAytCBDpzDpzxPJ9BPaoKaIIUA8oN7axINbBx1q1v195oQCODGA SzR408FBkT4NpTbbL2EmSePjtQDB12tjHkOvFkpJPyVEP6RNNmDpftrwP5NK92hvhqDgBTa9x 3Yt873A7nf2wOQmDEzm19OzgztC4ULCxFOhFwVFMPMNg==5/5WuAtVP6IDD+HHyGjnU3fDhxW wyYIzER=MJz8lfbmd4Zmaqs==1DgMEJD2nYONgz21rWZzdBJVfjfPTB05xBpW8zH1lO38fq=7 =K3Kvo6/Egnn8kFkckN/YomrepuP0J7X7ETUW2mazcXPE/7RDCIabWQuDLvE3jAauuF0ONRP6 stzwMZKr/uueCMH79OeZeDHcYCU8kejRSh30dAVqD1dh=23347Zd5lCG5c3w=jwul7nDiEM9O WLw+sf1tadOfWW1hAJALSJE1WsOJ^V92WO8pSTzYlBGUhArNI5gt3=hJJeBsUu8OukTFOz/nQ AZmRE1PKhrLDsLNXVzVkO0cA=gGLYyxnpy0hX=dOtLXP+9xBZ9dPu5jdJhq+=Z+4+IOoc1nWR +GAgdHLef=E/zWL=/PhpY2YtCoxdb7E4ecnnJ2UOzUE8Z7nKmdTxQsFrf5PJsTTkNJXAcof4e aS7vEaOc/n6p6+cCg5nDd/lg2toZAKnhIFrCM/EPrDYM58OF1tjRBSWD1sR/ezSWYNoF+/3KU 76hdjh8Ybfb+aZv0=StJ=IQwM1vGdtlBv02ravdJVnE3jmv91mGmoj=RD8+tCEem0Yr1QRjdV KWxnP9gV+sTdOyuI3AFJJN24+BHSjzka3W=aHgda3+ET6Y4r8YUtYRtqbV1K3fK1xZ/E2dFT5 3G5mG19Y5wIOARvoKmncm71D0BN+CIYqOfrtnQ+Hwu51FbWmwdE96n=GPpY+RKARrmhbp3Cwo cq1fc7qZzWqYLdN38xzsfnkMhCBveyXmDnJFqOpF3ZVR6lz1TFjLTUFIExqEwOqRkRkTtYCeL FlKOC4frUfY3xCAVyQBeh+CqJc7dx7V/WbLTTgFa1+8/QVcLkx9oxdbCfdcArmLpXvWeVEITC JogXWWgRBju1K+sbmh31u8mlTBe=NfL6RqV3Ju8DeF=+mjI81fHbNaRVYVS4dzmLq7MbWMosY Yjd9ON=eIX9wrvko31jH=/pF4ZU4UpdNK3pv+ytJQ83zX5s1pnvgycl3QYWlUyvRmErCWQt5Q aCl=XckT87dmgyEl1Z76eLRS1qo6seRSNS9FOFp3w9npl5ozU19MNnkE7KVYZvNw84wfsUPOr 0N+S/tc4LqKnJ=UwO=LWOZMtA2wNkbXO5GQ1vnbNj1OX+uK5fhEPl89WAATom7SzrmogUbune G7yQMmaR4zpLGSk=3od//SZ85s2Gxyg31C6HobKK6HUI0/B=JWgqYsRxdmN5rBJKUY=u7m0oF tIVAu4pYGEGrPkI3wLvCoMh1/KzFWlBn+9yA1SId1NudUmmp69/nWwqSFUELXYpZ2FpmQ9hEL pdkS01LLVxTq8pJeGSbuurKaSkNlEyyHrPm7S0qmseyz5Io5EtUEF+qMbCQ/pNUGnu3dncr9h NwP=NPF81wtHV9pcoLGfcC1=ZtneYvK5de7zI3GEKb0ocu84hnnSNTs3nYJJ56mcv0GX0ft19 mpbnPkufmBco1ZtwO3K3dV+IcZ=3bt2IQGF5n+BuoFZPDUQQnAA0bQSJtIEWRowxc5PB=FY3a fw1Te9I8LVaHfV2n+QLQHr==FyRryFcGHgGOHl2CqZstH6vhkPUAIyHmRC0vIHj8jSzKtvgSg /oKdGVl9x8R9UJSDSwIKIKzyduPYqp+u5JHCPuhaeslUPosWbu0=dR8JCYY47UC0j+sV6O5Ef 5YlKRw70CcOHkgdhwnQdW=ucdNgr75XL5lrD5k66Kvo0dQ+ehm9sw/SSe+00UJ/C7AVlJRGeW uw9GbMXAvxjtJJ+VPBypIFgDe/M2tnCojuUkJtd6uf5sqsU1OCZ4+F=b58Q54nYhRhnmc1GcI 3Tfw1ADIIRKpP1PhlAWNbB7x6SQ=QHQfEH=1c4h9EXhW2auwh3T88WopBbz/VcQc8VY0HT1Jw Tsph/1exZVN2zI7CIvzJa09DV7xfYQNLfTYnO2RqdgB7R6vQTnKLJd9zQyOrVQnlGXDZOD+rA TS=mnttosqcxx8w6Hl8dvhDueuu29fUJLlw46DmOXF69UIJdBw2YD=bLDKga6OWZ4czgSj2Q/ YyEuMYQ3QJrC7lweT0GJk/G61vTyDZQIPaJQN=eOdKbt1g6QE0q+Nl7XfQJns=1NjbEvkvOZj JS0gg5dpk1fERfY69zcKwOzTE4wHOU7=yudLt3x5nLG8BTFG=FL6d0ZSEfqbb+GzYC8gce5SR 9JOR1aD1yscgYPvyDnhfRVabCsBPgEEyPQhc4gA6sd0Bn7ZnHHKBkt7wSuRxI=DEF1AGLZh0z wpzZy2fyVuAIK73wvFValM5IbLF5qHoH82ho54B4nWApQSzw9OLjl7cyfRF7fQ5N3Dzxbjt47 LKOaMra+39AdMF/j/=fc+9bmhElFoOvOValuJAgUNmdfbgxOFDii9s1wWtddESOswwaOd+7WE ttQALL1AOWa';

PhpCipher Decoding Function

You will have to put the two variables from above in this function and to run it. You will get the decoded file, 100% accurately decoded.

function PhpCipher($phpCipher, $phpCipher2873a7e1e7e09b518d6c49ad2391d5d0) { $phpCipher495b0e88f11e7f4692006ad1102c1a09 = explode("^", $phpCipher); if (count($phpCipher495b0e88f11e7f4692006ad1102c1a09) != 2) { return; } $phpCipherbe43ac3e56a07f3ed33349832d27f51b = $phpCipher495b0e88f11e7f4692006ad1102c1a09[0]; $phpCipher232780c0747f8021101fb3c58b99c2f9 = $phpCipher495b0e88f11e7f4692006ad1102c1a09[1]; $phpCipher5eb117562d34aa3a1012d4b16fff4ed4 = explode("\n", $phpCipherbe43ac3e56a07f3ed33349832d27f51b); $phpCipher3dd9cf6c4e0d6b4317de839af39d1f26 = trim($phpCipher5eb117562d34aa3a1012d4b16fff4ed4[0]); $phpCipher3b21b9634684b19785b7ef4584385120 = substr($phpCipherbe43ac3e56a07f3ed33349832d27f51b, strlen($phpCipher5eb117562d34aa3a1012d4b16fff4ed4[0]) + 1); $phpCipher3b21b9634684b19785b7ef4584385120 = str_replace(chr(10), null, $phpCipher3b21b9634684b19785b7ef4584385120); $phpCipher3b21b9634684b19785b7ef4584385120 = str_replace(chr(13), null, $phpCipher3b21b9634684b19785b7ef4584385120); $phpCipher3b21b9634684b19785b7ef4584385120 = str_replace(" ", null, $phpCipher3b21b9634684b19785b7ef4584385120); $phpCipher1d754dcc0de76929b7357489a5fd0f47 = array( chr(0) => chr(134), chr(1) => chr(194), chr(2) => chr(215), chr(3) => chr(175), chr(4) => chr(141), chr(5) => chr(182), chr(6) => chr(34), chr(7) => chr(148), chr(8) => chr(202), chr(9) => chr(120), chr(10) => chr(178), chr(11) => chr(164), chr(12) => chr(156), chr(13) => chr(60), chr(14) => chr(250), chr(15) => chr(85), chr(16) => chr(48), chr(17) => chr(202), chr(18) => chr(173), chr(19) => chr(93), chr(20) => chr(245), chr(21) => chr(39), chr(22) => chr(211), chr(23) => chr(116), chr(24) => chr(80), chr(25) => chr(114), chr(26) => chr(29), chr(27) => chr(91), chr(28) => chr(145), chr(29) => chr(12), chr(30) => chr(118), chr(31) => chr(29), chr(32) => chr(38), chr(33) => chr(251), chr(34) => chr(218), chr(35) => chr(149), chr(36) => chr(15), chr(37) => chr(145), chr(38) => chr(107), chr(39) => chr(48), chr(40) => chr(146), chr(41) => chr(72), chr(42) => chr(194), chr(43) => chr(244), chr(44) => chr(48), chr(45) => chr(241), chr(46) => chr(131), chr(47) => chr(194), chr(48) => chr(215), chr(49) => chr(14), chr(50) => chr(52), chr(51) => chr(216), chr(52) => chr(89), chr(53) => chr(124), chr(54) => chr(79), chr(55) => chr(153), chr(56) => chr(29), chr(57) => chr(85), chr(58) => chr(149), chr(59) => chr(145), chr(60) => chr(21), chr(61) => chr(20), chr(62) => chr(166), chr(63) => chr(180), chr(64) => chr(240), chr(65) => chr(250), chr(66) => chr(207), chr(67) => chr(230), chr(68) => chr(144), chr(69) => chr(177), chr(70) => chr(35), chr(71) => chr(193), chr(72) => chr(190), chr(73) => chr(47), chr(74) => chr(205), chr(75) => chr(146), chr(76) => chr(29), chr(77) => chr(222), chr(78) => chr(164), chr(79) => chr(164), chr(80) => chr(92), chr(81) => chr(250), chr(82) => chr(0), chr(83) => chr(194), chr(84) => chr(176), chr(85) => chr(58), chr(86) => chr(204), chr(87) => chr(247), chr(88) => chr(130), chr(89) => chr(178), chr(90) => chr(221), chr(91) => chr(152), chr(92) => chr(100), chr(93) => chr(248), chr(94) => chr(130), chr(95) => chr(132), chr(96) => chr(74), chr(97) => chr(134), chr(98) => chr(93), chr(99) => chr(171), chr(100) => chr(247), chr(101) => chr(95), chr(102) => chr(113), chr(103) => chr(205), chr(104) => chr(181), chr(105) => chr(245), chr(106) => chr(123), chr(107) => chr(132), chr(108) => chr(73), chr(109) => chr(75), chr(110) => chr(134), chr(111) => chr(133), chr(112) => chr(38), chr(113) => chr(87), chr(114) => chr(186), chr(115) => chr(35), chr(116) => chr(225), chr(117) => chr(170), chr(118) => chr(117), chr(119) => chr(20), chr(120) => chr(229), chr(121) => chr(82), chr(122) => chr(156), chr(123) => chr(120), chr(124) => chr(104), chr(125) => chr(0), chr(126) => chr(52), chr(127) => chr(23), chr(128) => chr(157), chr(129) => chr(102), chr(130) => chr(44), chr(131) => chr(235), chr(132) => chr(44), chr(133) => chr(227), chr(134) => chr(125), chr(135) => chr(222), chr(136) => chr(223), chr(137) => chr(98), chr(138) => chr(117), chr(139) => chr(212), chr(140) => chr(158), chr(141) => chr(127), chr(142) => chr(80), chr(143) => chr(236), chr(144) => chr(157), chr(145) => chr(236), chr(146) => chr(9), chr(147) => chr(3), chr(148) => chr(212), chr(149) => chr(20), chr(150) => chr(111), chr(151) => chr(122), chr(152) => chr(176), chr(153) => chr(254), chr(154) => chr(123), chr(155) => chr(58), chr(156) => chr(8), chr(157) => chr(115), chr(158) => chr(225), chr(159) => chr(245), chr(160) => chr(82), chr(161) => chr(99), chr(162) => chr(229), chr(163) => chr(174), chr(164) => chr(23), chr(165) => chr(133), chr(166) => chr(112), chr(167) => chr(123), chr(168) => chr(164), chr(169) => chr(62), chr(170) => chr(99), chr(171) => chr(138), chr(172) => chr(2), chr(173) => chr(196), chr(174) => chr(43), chr(175) => chr(98), chr(176) => chr(41), chr(177) => chr(131), chr(178) => chr(150), chr(179) => chr(107), chr(180) => chr(113), chr(181) => chr(192), chr(182) => chr(229), chr(183) => chr(177), chr(184) => chr(73), chr(185) => chr(124), chr(186) => chr(34), chr(187) => chr(229), chr(188) => chr(43), chr(189) => chr(155), chr(190) => chr(180), chr(191) => chr(164), chr(192) => chr(207), chr(193) => chr(69), chr(194) => chr(48), chr(195) => chr(252), chr(196) => chr(160), chr(197) => chr(141), chr(198) => chr(114), chr(199) => chr(45), chr(200) => chr(108), chr(201) => chr(80), chr(202) => chr(237), chr(203) => chr(172), chr(204) => chr(95), chr(205) => chr(96), chr(206) => chr(63), chr(207) => chr(110), chr(208) => chr(50), chr(209) => chr(226), chr(210) => chr(8), chr(211) => chr(98), chr(212) => chr(160), chr(213) => chr(245), chr(214) => chr(253), chr(215) => chr(63), chr(216) => chr(26), chr(217) => chr(148), chr(218) => chr(56), chr(219) => chr(129), chr(220) => chr(187), chr(221) => chr(190), chr(222) => chr(210), chr(223) => chr(174), chr(224) => chr(126), chr(225) => chr(212), chr(226) => chr(180), chr(227) => chr(222), chr(228) => chr(175), chr(229) => chr(66), chr(230) => chr(170), chr(231) => chr(122), chr(232) => chr(159), chr(233) => chr(97), chr(234) => chr(185), chr(235) => chr(68), chr(236) => chr(156), chr(237) => chr(156), chr(238) => chr(179), chr(239) => chr(152), chr(240) => chr(32), chr(241) => chr(210), chr(242) => chr(8), chr(243) => chr(241), chr(244) => chr(73), chr(245) => chr(252), chr(246) => chr(223), chr(247) => chr(174), chr(248) => chr(137), chr(249) => chr(16), chr(250) => chr(102), chr(251) => chr(23), chr(252) => chr(159), chr(253) => chr(37), chr(254) => chr(102), chr(255) => chr(155) ); $phpCipher3b21b9634684b19785b7ef4584385120 = strtr($phpCipher3b21b9634684b19785b7ef4584385120, $phpCipher2873a7e1e7e09b518d6c49ad2391d5d0); $phpCipher209594e812629e824c2be452d2de2e9c = substr($phpCipher3b21b9634684b19785b7ef4584385120, 0, strlen($phpCipher3b21b9634684b19785b7ef4584385120) - 32); $phpCipher6022a02b72aeb98a13451bbc220a2362 = strtolower(substr($phpCipher3b21b9634684b19785b7ef4584385120, - 32)); $phpCipher209594e812629e824c2be452d2de2e9c = base64_decode($phpCipher209594e812629e824c2be452d2de2e9c); $phpCiphera09fe38af36f6839f4a75051dc7cea25 = 0; for (; $phpCiphera09fe38af36f6839f4a75051dc7cea25 < 31; ++$phpCiphera09fe38af36f6839f4a75051dc7cea25) { $phpCipherf413f06aebbcef5e1c8b1019dee6fe6b[$phpCiphera09fe38af36f6839f4a75051dc7cea25] = chr(("0x" . $phpCipher6022a02b72aeb98a13451bbc220a2362[$phpCiphera09fe38af36f6839f4a75051dc7cea25]) * 11 + ("0x" . $phpCipher6022a02b72aeb98a13451bbc220a2362[$phpCiphera09fe38af36f6839f4a75051dc7cea25 + 1]) * 5); } $phpCipherf413f06aebbcef5e1c8b1019dee6fe6b[31] = chr(("0x" . $phpCipher6022a02b72aeb98a13451bbc220a2362[31]) * 11 + ("0x" . $phpCipher6022a02b72aeb98a13451bbc220a2362[0]) * 5); $phpCipherfaecc15079c78773962b25c27c149734 = $phpCipher1d754dcc0de76929b7357489a5fd0f47[$phpCipherf413f06aebbcef5e1c8b1019dee6fe6b[15]]; $phpCiphera1d44c0654a40984a103c270ffb9bf33 = count($phpCipherf413f06aebbcef5e1c8b1019dee6fe6b); $phpCipherfed47d15719ef82bd3f83b580230da5b = strlen($phpCipher209594e812629e824c2be452d2de2e9c); $phpCipher9e32000ba1842d5acec6563dcf853684 = ""; $phpCiphera09fe38af36f6839f4a75051dc7cea25 = 0; for (; $phpCiphera09fe38af36f6839f4a75051dc7cea25 < $phpCipherfed47d15719ef82bd3f83b580230da5b; ++$phpCiphera09fe38af36f6839f4a75051dc7cea25) { $phpCipher6b887b1992b49586e27f0dc59cb33240 = $phpCipher209594e812629e824c2be452d2de2e9c[$phpCiphera09fe38af36f6839f4a75051dc7cea25]; $phpCipher6b887b1992b49586e27f0dc59cb33240 ^= $phpCipherf413f06aebbcef5e1c8b1019dee6fe6b[$phpCiphera09fe38af36f6839f4a75051dc7cea25 % $phpCiphera1d44c0654a40984a103c270ffb9bf33]; $phpCipher49b97f9124da3b098339b66dcdb8936e = $phpCipher1d754dcc0de76929b7357489a5fd0f47[$phpCipher6b887b1992b49586e27f0dc59cb33240]; $phpCipher6b887b1992b49586e27f0dc59cb33240 ^= $phpCipherfaecc15079c78773962b25c27c149734; $phpCipherfaecc15079c78773962b25c27c149734 = $phpCipher49b97f9124da3b098339b66dcdb8936e; $phpCipher9e32000ba1842d5acec6563dcf853684 .= $phpCipher6b887b1992b49586e27f0dc59cb33240; } $phpCipher5734f7952b1b95ff47482fc1e676f8c9 = gzinflate($phpCipher9e32000ba1842d5acec6563dcf853684); $phpCiphere5f888798fe93b58af54c5b6f40c694a = explode("\n", $phpCipher5734f7952b1b95ff47482fc1e676f8c9); $phpCiphere5f888798fe93b58af54c5b6f40c694a = $phpCiphere5f888798fe93b58af54c5b6f40c694a[0]; $phpCipher2873a7e1e7e09b518d6c49ad2391d5d0 = array("8" => "A", "b" => "B", "y" => "C", "X" => "D", "+" => "E", "v" => "F", "p" => "G", "H" => "H", "k" => "I", "s" => "J", "j" => "K", "A" => "L", "d" => "M", "M" => "N", "Q" => "O", "3" => "P", "K" => "Q", "C" => "R", "z" => "S", "V" => "T", "=" => "U", "x" => "V", "t" => "W", "Y" => "X", "1" => "Y", "m" => "Z", "F" => "a", "u" => "b", "g" => "c", "S" => "d", "I" => "e", "c" => "f", "2" => "g", "l" => "h", "f" => "i", "5" => "j", "e" => "k", "7" => "l", "9" => "m", "P" => "n", "R" => "o", "h" => "p", "/" => "q", "6" => "r", "r" => "s", "0" => "t", "O" => "u", "q" => "v", "o" => "w", "D" => "x", "i" => "y", "L" => "z", "w" => "0", "4" => "1", "Z" => "2", "G" => "3", "E" => "4", "W" => "5", "n" => "6", "J" => "7", "U" => "8", "a" => "9", "N" => "+", "B" => "/", "T" => "="); unset($phpCipherData); unset($phpCipherExpiry); return $phpCipher5734f7952b1b95ff47482fc1e676f8c9; }

The decoded file

Below, you will see the decoded file.

//My Project{free} <?php session_start(); $ip = $_SERVER['REMOTE_ADDR']; $dane = unserialize(file_get_contents('http://api.ip2geo.pl/php/?ip=' . $_SERVER['REMOTE_ADDR'])); $country = $dane['country']; require_once './configuration/config.php'; $wszystkie = Array(); $db->query("SELECT * FROM `offers` WHERE `country` LIKE '%$country%' ORDER BY RAND();"); while ($row = $db->fetch_row()) { $link = $row['link']; $wszystkie[] = Array("name" => $row['name'], "link" => $link . $_GET['sid']); } $html = " <div id=\"gateway-main\"> <div id=\"gateway-header\"> You must complete some easy survey to get access <br> (They will show up below this text) </div> <div id=\"gateway-offers\">"; $e = 0; $max = count($wszystkie); while ($e < 4) { $name = $wszystkie[$e]["name"]; $link = $wszystkie[$e]["link"]; $html = $html . "<br>"; $html = $html . "<a href=\"{$link}\" onClick=\"offer();\" target=\"_blank\" class=\"offer\">{$name}</a>"; $e++; } $html = $html . " <br> <center><a id=\"reload\" onClick=\"reload();\">RELOAD OFFERS</p></center> </div> <center> <div id=\"waiting\" style=\"display:none;\"> <img src=\"./img/waiting.gif\"><br> Waiting for offer completion <br> <p class=\"comeback\">Back to offers list</p> </div> </center> </div> "; $status = "ok"; $arr = array('status' => $status, 'html' => $html); print(json_encode($arr)); ?>

The files used in this article can be downloaded from here.

Paid PhpCipher decoding.

How to Decode PhpLockIt 2.2.0

I recently saw an entire WordPress theme encoded with PhpLockIt 2.2.0 and I realized that this encryption is still widely used and that someone could be interested to find out a way to decrypt it.

Since PhpLockIt 2.2.0 is practically a base64 encoding, it can be decoded without errors, 100% clean, and the output script will work without the need to correct syntax errors or make additional changes to the code.

How to decode PhpLockIt 2.2.0:

Original file - This is the original test file, unedited. Save it please in a php file "1.php".

<?php /* . */$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$GLOBALS['OOO0000O0']=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}.$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$GLOBALS['OOO0000O0'].=$GLOBALS['OOO0000O0']{3}.$OOO000000{11}.$OOO000000{12}.$GLOBALS['OOO0000O0']{7}.$OOO000000{5};$GLOBALS['OOO000O00']=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$GLOBALS['O0O000O00']=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$GLOBALS['O0O000O00']=$O0O000O00.$OOO000000{3};$GLOBALS['O0O00OO00']=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$GLOBALS['OOO00000O']=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0xa8;eval($GLOBALS['OOO0000O0']('JE8wMDBPME8wMD0kR0xPQkFMU1snT09PMDAwTzAwJ10oJE9PTzBPME8wMCwncmInKTskR0xPQkFMU1snTzBPMDBPTzAwJ10oJE8wMDBPME8wMCwweDUwMSk7JE9PMDBPMDBPMD0kR0xPQkFMU1snT09PMDAwME8wJ10oJEdMT0JBTFNbJ09PTzAwMDAwTyddKCRHTE9CQUxTWydPME8wME9PMDAnXSgkTzAwME8wTzAwLDB4M2E4KSwnblBESmV4VzJML21vU2dNWk9RQUdLNE5jRmI2YWtZMDM4cGhxaTFVZEJmbHd2UnJUdElYN3lINXNWenVDK2pFOT0nLCdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsvJykpO2V2YWwoJE9PMDBPMDBPMCk7'));return;?>MEY5pfaWKBLcPXbNY3aNxyF58B/Xg0mD8rm1trmGjw0NjX67LtcDzqa5yf/Dgf/XtiG7ntSejZSJPZZApfksg1YD8icHgxK1bxK1vdKy4A4i4AcyzPGKKdcAi9/xjGQ4/NQ4/a/HgxK1bxK1jMOKHx/HyumW17k54ymDQ3Ky4A4i4ANXYL4xQOcypZKHOdcAi9/xjGQ4/NQ4/a/ypK4xP3AejG4DYYMhpfksg1YD8iAxQKKxjGQ4/NQ4/34ixAKHvdKy4A4i4AcyzPGKKdcAi9/epK4xP3Ky4A4i4AcHbPK1ga/HgxK1bxK1jMOKHx/HyumW17k54ymDQL4xQOcHgxK1bxK1jNO4/GNXYL4xQOcypZKHOdcAi9/epK4xP3Ky4A4i4AcHbPK1ga/ypK4xP3AejG4DYYMhkdmAifmAifbW11mDQZSJntGy+tSe+r/7B8JOfPaWITY54iLWH1aNjX0AP76cf1LWjUL2pV0DPh0cQ1kXP10WppYcgybNOr/XiC/ejZSJPZSJPZSJH7Y2/3kU4taWxqbA8dcHjWAKIxcH+doDLdLhViGyjZSe+tG7ntohLdLhtiQyIZOixSKHvdGyjZSJntSe+t/HyB/eYSGy/PGxga/yjZG7ntSJntGXYYmDQ2GejDOKIGNXYZSe+tSejZSJndcA8iG7ntSe+tG7ntoDQZG7ntG7ntSJnfoDYrKeQmbcpcSitTaNjGbyH6GHxPQyvyGUgWFqbp6HitS7pt62xfS44iOUbvYsbAk1QyA48s0K8HkHbuYKSw6iKzZAkv/yxDOyQxQiYLAKfoGeHMGHPQK1gK44bcNx16FN/qbW4Ub5pf6URvaNzTk2xXksQHYdYV0cBtSGL7gJK5g78zmX+dmAifM5bqaWj7bA8iG7ntSe+tG7ntmGR1YUxvmDQZG7ntG7ntG7nfMt==LnfXbcxH6c/1c5jrF5K8/51rF5IHbW47o5gTaUbfbXzt62ndMtffbhpfksg1YD8icHPZKHQa/5jh6U4qYxjfbDYYmA1CDU4q6W+8bW4vbcQ1KU4pbD8icHPZKHQa/5jh6U4qYxjfbDYYmGvm3N4vk54CDU4q6W+8SJvm3Gv=_~OBkWGHEAf]p@

Step 1 - Write down the hex variable before eval. You will use it later.
$start = 0xa8;

Step 2 - See what "eval" contains.
Replace "eval" with "echo" and run the file. You will get the result below.

<?php $O000O0O00 = $GLOBALS['OOO000O00']($OOO0O0O00, 'rb'); $GLOBALS['O0O00OO00']($O000O0O00, 0x501); $OO00O00O0 = $GLOBALS['OOO0000O0']($GLOBALS['OOO00000O']($GLOBALS['O0O00OO00']($O000O0O00, 0x3a8), 'nPDJexW2L/moSgMZOQAGK4NcFb6akY038phqi1UdBflwvRrTtIX7yH5sVzuC+jE9=', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')); eval($OO00O00O0); ?>

Write down 3 variables from above. You will use them later.
$offset = 0x501 + 0x3a8;
$key = 'nPDJexW2L/moSgMZOQAGK4NcFb6akY038phqi1UdBflwvRrTtIX7yH5sVzuC+jE9=',

Step 3 - Decoding function. I have replaced the variables $file, $key, $start, $offset as arguments for the function.

<?php function decode($file, $key, $start, $offset) { $data = fopen($file,'rb'); fread($data,$offset); $out = base64_decode(strtr(fread($data, $start), $key,'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')); fclose($data); echo "<?php\r\n" . $out . "\r\n?>"; } $file = "1.php"; $key = 'nPDJexW2L/moSgMZOQAGK4NcFb6akY038phqi1UdBflwvRrTtIX7yH5sVzuC+jE9='; $start = 0xa8; $offset = 0x501 + 0x3a8; decode($file, $key, $start, $offset); ?>

Save the decoding function above in a php file named "decode.php", in the same folder with "1.php". Run "decode.php" and you'll get the decoded file.

<?php require_once 'includes/config.php'; if(isset($_POST['object_id'])){ echo deleteRead($_POST['object_id']); }else{ echo 0; }; ?>

You can decode any file encoded with PhpLockIt 2.2.0, if you follow the steps above.

• Replace "eval" with "echo" in the original file and run it. Write down the variables.
• Insert the variables in the decoding function.
• Run the file that contains the function and you'll get the decoded file.