<?php
 
function getPayload($app_secret_key, $data) {
  // Get the encryption key (16 first bytes of the app's client_secret key)
  $encryption_key = substr($app_secret_key, 0, 16);
 
  // Decrypt payload
  $json_data = aes_128_decrypt($encryption_key, $data);
 
  // Decode json
  $json_decoded = json_decode($json_data, true);
  return $json_data;
}
 
function aes_128_decrypt($key, $data) {
  // Ecwid sends data in url-safe base64. Convert the raw data to the original base64 first
  $base64_original = str_replace(array('-', '_'), array('+', '/'), $data);
 
  // Get binary data
  $decoded = base64_decode($base64_original);
 
  // Initialization vector is the first 16 bytes of the received data
  $iv = substr($decoded, 0, 16);
 
  // The payload itself is is the rest of the received data
  $payload = substr($decoded, 16);
 
  // Decrypt raw binary payload
  $json = openssl_decrypt($payload, "aes-128-cbc", $key, OPENSSL_RAW_DATA, $iv);
  //$json = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $key, $payload, MCRYPT_MODE_CBC, $iv); // You can use this instead of openssl_decrupt, if mcrypt is enabled in your system
 
  return $json;
}
 
// Get payload from the GET and process it
$ecwid_payload = "ng7W9c9jLhkX7ATMpafNAd5Vt_skEaFAqnQaw0Ing1iwYQOwB0Q_CuCS8yQeHeorTdCpZWDTNrzhcq_umX7IaAFUPPgs0zyddY7Er1tA0aze5kWGHUV54fJHoVEJHMmVEi-G5g8ZnNopIFu0YQgQqLpCq8TP2zFJunSTA7VXHTmqHNAD2JXaUb-VylcJWzgV0vaCoGyHqaPbsNNw6HSWkAzhh8dLmsYB0uzsZ_zl3wVXubCL4p2N53PmNPBLCgoC";
$client_secret = "zcKf1Zt0UsO43S46Un3pxIgs91R1xMGs"; 
 
$result = getPayload($client_secret, $ecwid_payload);
 
print($result);
 

PD9waHAKCmZ1bmN0aW9uIGdldFBheWxvYWQoJGFwcF9zZWNyZXRfa2V5LCAkZGF0YSkgewogIC8vIEdldCB0aGUgZW5jcnlwdGlvbiBrZXkgKDE2IGZpcnN0IGJ5dGVzIG9mIHRoZSBhcHAncyBjbGllbnRfc2VjcmV0IGtleSkKICAkZW5jcnlwdGlvbl9rZXkgPSBzdWJzdHIoJGFwcF9zZWNyZXRfa2V5LCAwLCAxNik7CgogIC8vIERlY3J5cHQgcGF5bG9hZAogICRqc29uX2RhdGEgPSBhZXNfMTI4X2RlY3J5cHQoJGVuY3J5cHRpb25fa2V5LCAkZGF0YSk7CgogIC8vIERlY29kZSBqc29uCiAgJGpzb25fZGVjb2RlZCA9IGpzb25fZGVjb2RlKCRqc29uX2RhdGEsIHRydWUpOwogIHJldHVybiAkanNvbl9kYXRhOwp9CgpmdW5jdGlvbiBhZXNfMTI4X2RlY3J5cHQoJGtleSwgJGRhdGEpIHsKICAvLyBFY3dpZCBzZW5kcyBkYXRhIGluIHVybC1zYWZlIGJhc2U2NC4gQ29udmVydCB0aGUgcmF3IGRhdGEgdG8gdGhlIG9yaWdpbmFsIGJhc2U2NCBmaXJzdAogICRiYXNlNjRfb3JpZ2luYWwgPSBzdHJfcmVwbGFjZShhcnJheSgnLScsICdfJyksIGFycmF5KCcrJywgJy8nKSwgJGRhdGEpOwoKICAvLyBHZXQgYmluYXJ5IGRhdGEKICAkZGVjb2RlZCA9IGJhc2U2NF9kZWNvZGUoJGJhc2U2NF9vcmlnaW5hbCk7CgogIC8vIEluaXRpYWxpemF0aW9uIHZlY3RvciBpcyB0aGUgZmlyc3QgMTYgYnl0ZXMgb2YgdGhlIHJlY2VpdmVkIGRhdGEKICAkaXYgPSBzdWJzdHIoJGRlY29kZWQsIDAsIDE2KTsKCiAgLy8gVGhlIHBheWxvYWQgaXRzZWxmIGlzIGlzIHRoZSByZXN0IG9mIHRoZSByZWNlaXZlZCBkYXRhCiAgJHBheWxvYWQgPSBzdWJzdHIoJGRlY29kZWQsIDE2KTsKCiAgLy8gRGVjcnlwdCByYXcgYmluYXJ5IHBheWxvYWQKICAkanNvbiA9IG9wZW5zc2xfZGVjcnlwdCgkcGF5bG9hZCwgImFlcy0xMjgtY2JjIiwgJGtleSwgT1BFTlNTTF9SQVdfREFUQSwgJGl2KTsKICAvLyRqc29uID0gbWNyeXB0X2RlY3J5cHQoTUNSWVBUX1JJSk5EQUVMXzEyOCwgJGtleSwgJHBheWxvYWQsIE1DUllQVF9NT0RFX0NCQywgJGl2KTsgLy8gWW91IGNhbiB1c2UgdGhpcyBpbnN0ZWFkIG9mIG9wZW5zc2xfZGVjcnVwdCwgaWYgbWNyeXB0IGlzIGVuYWJsZWQgaW4geW91ciBzeXN0ZW0KCiAgcmV0dXJuICRqc29uOwp9CgovLyBHZXQgcGF5bG9hZCBmcm9tIHRoZSBHRVQgYW5kIHByb2Nlc3MgaXQKJGVjd2lkX3BheWxvYWQgPSAibmc3VzljOWpMaGtYN0FUTXBhZk5BZDVWdF9za0VhRkFxblFhdzBJbmcxaXdZUU93QjBRX0N1Q1M4eVFlSGVvclRkQ3BaV0RUTnJ6aGNxX3VtWDdJYUFGVVBQZ3MwenlkZFk3RXIxdEEwYXplNWtXR0hVVjU0ZkpIb1ZFSkhNbVZFaS1HNWc4Wm5Ob3BJRnUwWVFnUXFMcENxOFRQMnpGSnVuU1RBN1ZYSFRtcUhOQUQySlhhVWItVnlsY0pXemdWMHZhQ29HeUhxYVBic05OdzZIU1drQXpoaDhkTG1zWUIwdXpzWl96bDN3Vlh1YkNMNHAyTjUzUG1OUEJMQ2dvQyI7CiRjbGllbnRfc2VjcmV0ID0gInpjS2YxWnQwVXNPNDNTNDZVbjNweElnczkxUjF4TUdzIjsgCgokcmVzdWx0ID0gZ2V0UGF5bG9hZCgkY2xpZW50X3NlY3JldCwgJGVjd2lkX3BheWxvYWQpOwoKcHJpbnQoJHJlc3VsdCk7Cg==