Decoding eval gzinflate base64_decode

Danilo Stern-Sapad
Jun 18, 2015 · 1 min read

This is an article I originally published on my Tangential Musings blog back in January 2006 when I ran across a freeware web application written in PHP that utilized the following method to obfuscate spam in its source code:

<?php eval(gzinflate(base64_decode(‘encoded text‘))); ?>

Fortunately, I was able to decode it with this PHP snippet:

<?php
/*
Taken from http://www.php.net/manual/de/function.eval.php#59862
Directions:
1. Save this snippet as decrypt.php
2. Save encoded PHP code in coded.txt
3. Create a blank file called decoded.txt (from shell do CHMOD 0666 decoded.txt)
4. Execute this script (visit decrypt.php in a web browser or do php decrypt.php in the shell)
5. Open decoded.txt, the PHP should be decrypted: https://medium.com/@danilosapad/decoding-eval-gzinflate-base64-decode-a4eb07997b87
*/
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/< \?|\?>/", "", $contents); eval(preg_replace("/eval/", "\$contents=", $contents)); } echo "3. Writing decoded.txt\n"; $fp2 = fopen("decoded.txt","w"); fwrite($fp2, trim($contents)); fclose($fp2);
?>

Originally published at http://danilo.ariadoss.com on January 4, 2006.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade