One of the things that you see with depressing regularity when hosting crummy PHP scripts for others is this:<\/p>\n
eval&28;base64_decode&28;'aWYgKCFlbXB0eSgkX1JFUVVFU1RbInRoZW<\/code><\/p><\/blockquote>\nWhat’s that? Well it says to decode that gobbledegook into a binary stream (the
base64_decode<\/code> part), and then interpret whatever it turns out to be as PHP code (theeval)<\/code><\/p>\nNow, if you have the time, you can decode this kind of thing yourself, and maybe find out whether it is evil or not. This takes some time (which is why you need to have the time). If you install the php xdebug extension, then you can hack in a bit of code to trace the execution of the process, and print out what it is that is being eval’d and see what it is. That’s the right way to do it. Alternatively you can do a crude search and replace and a few other hacks, and end up with the following abominable PHP code that decodes a stack of php obfuscation. It’s time to tell the world:
\nHere’s the code: deobfuscate.php<\/a> (this is new as of today – get your copy while it’s hot).<\/p>\nOne of the less evil reasons that PHP code may be obfuscated is that the writer of the code is trying to extract payment. This usually means that they have embedded obnoxious advertising in the code (such as for gambling, drugs, SEO and other social ills). Frequently they also add toothless legal threats against removing their obnoxious advertising. <\/p>\n
This one of today takes the cake. It combines all of that good stuff, like putting the copyright notice in the “uncopyable part”, a standard legal threat, but it adds that little something extra:<\/p>\n
<?php
\n<\/span> eval(<\/span>base64_decode<\/span>(<\/span>'ZnVuY3Rpb24gZ2V0X2hlYWRzKCkgeyBpZiAoIWZpbGVf
\nZXhpc3RzKGRpcm5hbWUoX19maWxlX18pIC4gIi9mdW5jdGlvbnMucGhwIikgfHwg<\/span>
\nIWZ1bmN0aW9uX2V4aXN0cygidGhlbWVfdXNhZ2VfbWVzc2FnZSIpICkgeyBlY2hv<\/span>
\nICgiVGhpcyB0aGVtZSBpcyBsaWNlbnNlZCB1bmRlciBDQzMuMCwgeW91IGFyZSBu<\/span>
\nb3QgYWxsb3dlZCB0byBtb2RpZnkvcmVtb3ZlIG91ciBsaW5rIHdpdGhvdXQgcGVy<\/span>
\nbWlzc2lvbi4gPGJyIC8+VGhhbmsgeW91IGZvciBzdXBwb3J0aW5nIHVzIG1ha2lu<\/span>
\nZyBtb3JlIEZSRUUgY3JlYXRpdmUgdGhlbWVzLiIpOyBkaWU7IH0gfQ=='<\/span>));
\n<\/span><\/span><\/code>\n<\/p><\/blockquote>\nWhat does it mean, do I hear you ask? Well, it decodes to this:<\/p>\n
<?php<\/span> function <\/span>get_heads<\/span>() { if (!<\/span>file_exists<\/span>(<\/span>dirname<\/span>(<\/span>__file__<\/span>) .
\n<\/span>\"\/functions.php\"<\/span>) || !<\/span>function_exists<\/span>(<\/span>\"theme_usage_message\"<\/span>) ) {
\necho (<\/span>\"This theme is licensed under CC3.0, you are not allowed
\nto modify\/remove our link without permission. <br \/>Thank you
\nfor supporting us making more FREE creative themes.\"<\/span>); die; } }<\/span><\/span><\/code><\/p><\/blockquote>\nYep. That’s right. It checks that
functions.php<\/code> is still around. It had better be. It also checks whether there is a functiontheme_usage_message<\/code> defined. You must not take out the link. (What link?) And it you don’t like that, thendie<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"One of the things that you see with depressing regularity when hosting crummy PHP scripts for others is this: eval&28;base64_decode&28;’aWYgKCFlbXB0eSgkX1JFUVVFU1RbInRoZW What’s that? Well it says to decode that gobbledegook into a binary stream (the base64_decode part), and then interpret whatever … Continue reading