Has anyone seen php encryption like this? [closed]

Question

I have seen base64, mcrypt and blowfish, but i am unable to find out what encryption algorithm/method is used for this piece of code.

has anyone seen this kind of php encryption?

<?php include"\x6d\x79sql-\x63\x6f\x6e\x6eec\x74.p\x68\x70";${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6c\x71wwi\x6b\x64\x64v"]="res\x63\x68\x6b\x62i\x6cl";${"\x47L\x4fB\x41\x4cS"}["\x70ve\x6b\x72\x71\x68"]="\x61\x64\x6d\x69n";${"\x47L\x4f\x42\x41\x4cS"}["\x73\x6b\x62\x64\x66\x6dn"]="\x72e\x73\x70\x65\x74\x74\x79";${"\x47\x4c\x4f\x42\x41L\x53"}["\x72\x76r\x61\x77q\x68\x74i\x67"]="d\x61\x74\x65";${"\x47\x4c\x4f\x42ALS"}["\x6d\x6e\x76\x6a\x72\x6c\x78\x70"]="\x73q\x6cp\x65\x74t\x79";include"s\x65ss\x69o\x6e\x2e\x70h\x70";${${"\x47\x4cOB\x41\x4c\x53"}["\x72v\x72\x61wqh\x74\x69\x67"]}=date("Y-m-d");echo "\n";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6dd\x64\x6f\x71spgh"]="c\x6fu\x6e\x74p\x65\x74t\x79";  

 if(${${"\x47\x4cOB\x41\x4c\x53"}["p\x76\x65\x6b\x72\x71\x68"]}==1)
 {
   header("lo\x63at\x69\x6fn:\x6c\x6fg\x6f\x75\x74.\x70hp");
 }
 else
{
   $bbnimsb="c\x6fu\x6e\x74\x63\x68\x6b";
   $silucxpqku="r\x65\x73\x63\x68k\x62\x69\x6c\x6c";
   ${"G\x4cO\x42A\x4cS"}["zjx\x6c\x6d\x65\x73\x72\x67"]="\x63\x6fu\x6et\x63\x68\x6b";
   $wkozfoxln="sq\x6cc\x68kb\x69\x6cl";${$wkozfoxln}="s\x65l\x65\x63t\x20*\x20fro\x6d\x20m\x61s\x74e\x72\x6fut \x77\x68\x65\x72e sto\x72\x65i\x64\x3d\x27$storeid\x27\x20\x61n\x64 d\x61te='$date\x27\x20a\x6ed\x20(kot\x3d0 \x6fr\x20k\x6f\x74\x3d\x31\x20\x6f\x72\x20k\x6f\x74\x3d2)";
   ${"G\x4cO\x42AL\x53"}["\x71\x6dn\x69\x63sb\x6c\x69ct"]="s\x71l\x63\x68kb\x69\x6cl";
   ${$silucxpqku}=mysql_query(${${"\x47\x4cO\x42AL\x53"}["q\x6d\x6ei\x63\x73bl\x69\x63\x74"]});
   ${${"\x47\x4c\x4f\x42ALS"}["\x7a\x6a\x78\x6c\x6desrg"]}=mysql_num_rows(${${"\x47L\x4fB\x41L\x53"}["\x6cqw\x77\x69\x6b\x64d\x76"]});
   if(${$bbnimsb}>0)
   {
      header("l\x6fc\x61\x74i\x6f\x6e:\x65\x72\x72or.p\x68\x70?er\x72\x3d\x31");}
   else{
         ${"G\x4c\x4f\x42\x41\x4cS"}["z\x76\x71\x75\x63\x6c\x76\x66q\x69\x69"]="s\x71\x6cp\x65t\x74\x79";
         ${${"GLOBA\x4cS"}["z\x76q\x75\x63l\x76\x66qi\x69"]}="\x73e\x6c\x65c\x74\x20*\x20\x66r\x6fm\x20\x64\x61y\x63\x6c\x6fse \x77h\x65r\x65\x20s\x74\x6fr\x65\x69d=\x27$storeid'\x20\x61\x6ed\x20\x64\x61\x79clo\x73\x65=\x27$date\x27";
         ${${"\x47\x4c\x4f\x42\x41\x4cS"}["skb\x64fm\x6e"]}=mysql_query(${${"GL\x4f\x42\x41\x4cS"}["\x6dn\x76jrl\x78\x70"]});${${"GL\x4fB\x41LS"}["\x6dd\x64\x6f\x71sp\x67h"]}=mysql_num_rows(${${"GL\x4f\x42\x41\x4cS"}["\x73\x6b\x62\x64f\x6d\x6e"]});
     if(${${"\x47\x4c\x4f\x42\x41\x4cS"}["m\x64do\x71\x73pgh"]}==0)
    {
       header("l\x6f\x63a\x74\x69\x6fn:e\x72r\x6fr.\x70h\x70?err=\x32");
    }
    else{header("l\x6f\x63ati\x6fn:log\x6f\x75\x74\x2ep\x68\x70");}}}
?>

Answer 1

See http://php.net/manual/en/regexp.reference.escape.php:

\xhh – character with hex code hh

Basically it's just using escape codes to look fancy / cyptic.

Decoded:

<?php
include "mysql-connect.php";
${"GLOBALS"}["lqwwikddv"]  = "reschkbill";
${"GLOBALS"}["pvekrqh"]    = "admin";
${"GLOBALS"}["skbdfmn"]    = "respetty";
${"GLOBALS"}["rvrawqhtig"] = "date";
${"GLOBALS"}["mnvjrlxp"]   = "sqlpetty";
include "session.php";
${${"GLOBALS"}["rvrawqhtig"]} = date("Y-m-d");
echo "\n";
${"GLOBALS"}["mddoqspgh"] = "countpetty";
if (${${"GLOBALS"}["pvekrqh"]} == 1) {
    header("location:logout.php");
} else {
    $bbnimsb                     = "countchk";
    $silucxpqku                  = "reschkbill";
    ${"GLOBALS"}["zjxlmesrg"]    = "countchk";
    $wkozfoxln                   = "sqlchkbill";
    ${$wkozfoxln}                = "select * from masterout where storeid='$storeid' and date='$date' and (kot=0 or kot=1 or kot=2)";
    ${"GLOBALS"}["qmnicsblict"]  = "sqlchkbill";
    ${$silucxpqku}               = mysql_query(${${"GLOBALS"}["qmnicsblict"]});
    ${${"GLOBALS"}["zjxlmesrg"]} = mysql_num_rows(${${"GLOBALS"}["lqwwikddv"]});
    if (${$bbnimsb} > 0) {
        header("location:error.php?err=1");
    } else {
        ${"GLOBALS"}["zvquclvfqii"]    = "sqlpetty";
        ${${"GLOBALS"}["zvquclvfqii"]} = "select * from dayclose where storeid='$storeid' and dayclose='$date'";
        ${${"GLOBALS"}["skbdfmn"]}     = mysql_query(${${"GLOBALS"}["mnvjrlxp"]});
        ${${"GLOBALS"}["mddoqspgh"]}   = mysql_num_rows(${${"GLOBALS"}["skbdfmn"]});
        if (${${"GLOBALS"}["mddoqspgh"]} == 0) {
            header("location:error.php?err=2");
        } else {
            header("location:logout.php");
        }
    }
}

I just used javascript to translate it to something sane.

var source  = '...';
var decoded = source.replace(/\\x([a-f0-9][a-f0-9])/g, function(a,b) {
    return String.fromCharCode(parseInt(b, 16));
});

And then if you want to get crazy, you can boil it down (by hand):

<?php
include "mysql-connect.php";
include "session.php";
$date = date("Y-m-d");
echo "\n";
if ($admin) {
    header("location:logout.php");
} else {
    $sql   = "select * from masterout where storeid='$storeid' and date='$date' and (kot=0 or kot=1 or kot=2)";
    $count = mysql_num_rows(mysql_query($sql));
    if ($count > 0) {
        header("location:error.php?err=1");
    } else {
        $sql   = "select * from dayclose where storeid='$storeid' and dayclose='$date'";
        $count = mysql_num_rows(mysql_query($sql));
        if ($count == 0) {
            header("location:error.php?err=2");
        } else {
            header("location:logout.php");
        }
    }
}

P.S. This is pretty terrible code :/ Why they're not using COUNT(*) instead of fetching ALL the results is beyond me.

Answer 2

That's just the hexadecimal representation of the characters, hardly counts as encryption. You can find a good table here

http://web.cs.mun.ca/~michael/c/ascii-table.html