HEX decode - how to decode this string?

Question

How i can Decode strings like this?

<?php ${"G\x4c\x4f\x42\x41\x4c\x53"}["\x79\x76\x77\x63\x61\x61"]="chec\x6b\x5f\x6c";${"\x47\x4c\x4f\x42AL\x53"}["\x77\x68\x79\x72\x71\x78\x77\x63\x7a"]="\x75\x73e\x72\x69\x64";${"G\x4c\x4f\x42\x41\x4c\x53"}["\x6a\x71\x67\x72\x6f\x76\x72h\x6f\x73\x65"]

It just part of my code and i can't place whole code.

Answer 1

In this specific case where the only encoding consists of hexadecimal escape sequences ('\\x' followed by two hexadecimal characters), and there is no '%' sign or single quote, the "decoding" is easy enough to achieve with the printf command-line tool that you will find in any decent Unix-like operating systems. printf uses the same kind of escaping. Hence (truncated for easier display):

$ printf '<?php ${"G\x4c\x4f\x42\x41\x4c\x53"}["\x79\x76\x77\x63\x61\x61"]'
<?php ${"GLOBALS"}["yvwcaa"]

If you want to indulge into reverse-engineering of malware, then some experience in such command-line tools is very handy. On Windows, you may want to install Cygwin .

Answer 2

You can often decode such things by modifying the PHP code itself to echo.

$ php -r 'echo "G\x4c\x4f\x42\x41\x4c\x53";'
GLOBALS
$

The stuff is designed to be executable PHP, you just need to defang it and it'll tell you everything.

I will warn you, that looks like standard malware, so a) be careful where you execute it and b) be aware a lot of the strings will be garbage; the code is designed to be not easily readable once you decode it.