Decoding eval gzinflate base64_decode

This is an article I originally published on my Tangential Musings blog back in January 2006 when I ran across a freeware web application written in PHP that utilized the following method to obfuscate spam in its source code:

<?php eval(gzinflate(base64_decode(‘encoded text‘))); ?>

Fortunately, I was able to decode it with this PHP snippet:

<?php
/*
Taken from http://www.php.net/manual/de/function.eval.php#59862
Directions:
1. Save this snippet as decrypt.php
2. Save encoded PHP code in coded.txt
3. Create a blank file called decoded.txt (from shell do CHMOD 0666 decoded.txt)
4. Execute this script (visit decrypt.php in a web browser or do php decrypt.php in the shell)
5. Open decoded.txt, the PHP should be decrypted: https://medium.com/@danilosapad/decoding-eval-gzinflate-base64-decode-a4eb07997b87
*/
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/< \?|\?>/", "", $contents); eval(preg_replace("/eval/", "\$contents=", $contents)); } echo "3. Writing decoded.txt\n"; $fp2 = fopen("decoded.txt","w"); fwrite($fp2, trim($contents)); fclose($fp2);
?>

Originally published at http://danilo.ariadoss.com on January 4, 2006.