I have MRR rights to a script, but this function is old and does not work properly. Can anyone break it down into usable function code so I can fix the problem. I think that there are multiple functions in the script.
function d($s, $k = '') {
if ($k == '') {
for ($i = 0; $i < strlen($s); $i) {
$d. = chr(hexdec(substr($s, $i, 2)));
$i = (float)($i) + 2;
}
return $d;
} else {
$r = '';
$f = d('6261736536345f6465636f6465');
$u = $f('Z3ppbmZsYXRl');
$s = $u($f($s));
for ($i = 0; $i < strlen($s); $i++) {
$c = substr($s, $i, 1);
$kc = substr($k, ($i % strlen($k)) - 1, 1);
$c = chr(ord($c) - ord($kc));
$r. = $c;
}
return $r;
}
}
eval(d("lZTpbts4FIXfq2iQZJIHcGWb1GJZkdekSRxrcdo0M5gZoEU3pIkXWQtpUdZOKm6D9rHmJUZ23EHR/pq/JC9573cOj4+bEomYXcjifQNoby6hcG8MewL8+329SVJqFaJEFWC+NiEodAPPwghLRw8ecZrwoxfkgM5zN0uhT0GUk8L2KPKqDoUDp07ZfWiZnwQnCcP8uVc40YSv+iF2zDHvZyzQ1N79aqUurMRKXZSrdN4NMJ3wmj4ZDRZxzKouiZZUn/DgpN1vDQfl1h/y74EXeyjRlcUyoabecgaG6hiyMvhWY7aTuX7VqLCUznIUhWPPViDgFcC1am2Bolk+JZL+256YojG1SN0AKQvnMU5Ce454QRBUwNdb23sa2s7+7n6nC976FtTXA2ZJhWVZhmgKYmJDVMRz5qbBP3WUJ0nIdvfLm920YnIvUJI6MS8F+J5iB83aXDMrOwQ7+5T4IZLgHC8XsogjRfjKHe4CAHPymevq4NJdWEWiCDhVQKd/et7UwN7eCu7uj7BLkgiLEkrLeyqHTw93CZaARW3fb8oXJMZkJHeOGroSpDg0ZQXU6PKzCsQkydYrQKkqlfVbB3tV0S3suJzd+RxES+R9L2+0Nm2gwovG7amgbw5Dct4/31TdOIGPZZFU9YpEnBX1w5UAV5ut/9pgbuFjo9mRlbNeGtAQaXIDgoCi6JPottqzsp+MxJENN3NVSkf5LHTAOUyKzMqdFDsWlnm9NjaujY+X47VwQhMKjGShdXS+AbV54mfhbmcG36ryXJuTKGEECfpaC1BFIXYDWdZJSX2otI+Uiy4OgtCQW48Q7kTS7N+UVSwPq8ppybkOxDzH8ALmLJ/kVuY7DmrW9WeT0fXlhxef+AaslSZZn9n2U4QRZ5ZWT6wQh9HcRRJ/Mxs+GqkiZXSpaHt7O/sc9HLkEb45QB51ExIUKI3MpnokGOqPK2vh1nqNRayqs3J2186QncaBp2jVgyeQkxybOQtC0S8QBvzd1Svzgzaptet8ia7mTQtvkSTkOzp3XNh+nJNfgE/vzBKdAFs/nFFOD5/CuujOmOUvqY/AEESl3zOUEnuKRUEK2WBNw/h/VYvHqtEvVVsjeV5al/WRebb+3YDiB8vsQGS7jpHiGM1jW7HDYBoZuv2YJFAGKqjdx9Fdf1rtVJo1SO3cQ7E5dpd27JsQHm39M2nP6h0g6oozNDo4WbIyN64MIJdVkuVQtAhzF98cT0CnKp+5MeyY8vajlSZRNx2Cb9WuggNUX/k4tKCfxunBzsETKcFlBqKfqaqlAQROUEXq2KHnHQ0P9krPY4vEvD5HfmFTQ3/5xjy7Ghq+qc+AQ+1FmXWIxdlZr5MnFIVd251/6cyTRS9OC5S3+sqgfdw6Oz57Lp+cDs7bvVb/4u31tS66i4b216XZ652cXPSOe/K7P18NGzi1zAVj0VDpPXbYsdzpQ9tNgm7GVObZ+dxXPkwj7/0mGLVFmWLDPlgkaWL0BRyzi2PJZ8MeYNPNPzW2wXjLV4opxYgNJ9x8Fs3j5S0/MJw0YsAtVb5Yebk3i8cwCb4gowumqZ9mRu54gxuE74FNwsp3Yus/mINkCayr6YPWxWEcjwa9eZnqpFTH3fJ5PdJevtN0xbNLJrnGb7TYUoU6oFl+S+1sWZqkycG1+dWfMvwr6LaQj7gAAZQgO+AYjdi/", 663607275));
$d is undefined on line 5. Fix:
function d($s, $k = '') {
if ($k == '') {
$d = "";
...
Just for fun, I decoded the string. Here is what it is trying to eval. Pretty basic. Why so obfuscated?
if((isset($v) AND $v==0) OR (isset($t) AND $t==false)){
die('This script is protected by G-Encoder');
}
$search = str_replace(" ", "+",$search);
$search = str_replace("'", "", $search);
// The @ is to supress the function? errors
$fp = @fopen($newsfeed, 'r');
while(!feof($fp)){
$row .= @fgets($fp, 4096);
}
@fclose($fp);
if( eregi('(.*)', $row, $rowitem ) ) {
$item = explode('', $rowitem[0]); $i=0;
While($i < $maxshow) {
eregi('', $item[$i+1], $title );
$title = str_replace("", "", $title);
eregi('(.*)', $item[$i+1], $url );
$url = str_replace("", "", $url);
eregi('(.*)', $item[$i+1], $categorie);
$categorie = str_replace("", "", $categorie);
$categorie = str_replace("<", "<", $categorie);
$categorie = str_replace(">", ">", $categorie);
echo '' . $title[1] . ' ' . $categorie[1] . '';
$i++;
} //end while loop
$search = str_replace("+", " ",$search);
echo "View all $search items on eBay";
$search = str_replace(" ", "+",$search);
} //end if eregi stmt
I forgot to mention I had to change ". = " to ".=" everywhere.
The only thing the first branch of the if is used for is to decode
$f = d('6261736536345f6465636f6465');
as a simple sequence of hex ASCII codes, which becomes:
$f = 'base64_decode';
It then uses this to decode the base64 string Z3ppbmZsYXRl, which becomes:
$u = 'gzinflate';
So it eventually does:
$s = gzinflate(base64_decode($s));
where $s is the long input string at the bottom.
Finally, the for loop at the bottom is decoding using a simple substitution cipher, where the second argument to d() is the key. However, it has a syntax error (maybe PHP used to allow it):
$r. = $c;
should be:
$r .= $c;
Here's the final result (Johnny Mopp was close, but he missed the HTML codes in some of the strings):
if((isset($v) AND $v==0) OR (isset($t) AND $t==false)){
die('This script is protected by <a style=\"color:cyan\"
href=\"http://www.gencoder.sf.net\"><b><font color=\"#330099\">G-Encoder</font></b></a>');}
$search = str_replace(" ", "+",$search);
$search = str_replace("'", "",$search);
// The @ is to supress the function\264 errors
$fp = @fopen($newsfeed, 'r');
while(!feof($fp)){
$row .= @fgets($fp, 4096);
}
@fclose($fp);
if( eregi('<item>(.*)</item>', $row, $rowitem ) ) {
$item = explode('<item>', $rowitem[0]);
$i=0;
While($i < $maxshow) {
eregi('<title>(.*)</title>', $item[$i+1], $title );
$title = str_replace("<![CDATA[", "", $title);
$title = str_replace("]]>", "", $title);
eregi('<link>(.*)</link>', $item[$i+1], $url );
$url = str_replace("<![CDATA[", "", $url);
$url = str_replace("]]>", "", $url);
eregi('<description>(.*)</description>', $item[$i+1], $categorie);
$categorie = str_replace("<![CDATA[", "", $categorie);
$categorie = str_replace("]]>", "", $categorie);
$categorie = str_replace("<", "<", $categorie);
$categorie = str_replace(">", ">", $categorie);
echo '<B><font size=2 face=verdana,arial><a href="' .
$url[1] . '" target=_blank>' . $title[1] . '</a></font></B> ' .
$categorie[1] . '<br />';
$i++;
} //end while loop
$search = str_replace("+", " ",$search);
echo"<center><BR><B><i><a href=\"http://rover.ebay.com/rover/1/711-6294-2978-0/1?PID=$cj&AID=10369614&SID=&loc=http://search.ebay.com/ws/search/SaleSearch?fsoo=1&fsop=1&fts=1&ht=0&satitle=$search\"
target=\"_blank\"><font face=verdana size=2 color=red>
View all $search items on eBay</font></a></i></b><BR><BR><BR></center>";
$search = str_replace(" ", "+",$search);
} //end if eregi stmt