Web - 80 Points

I found some suspicious PHP code on my website. The code was attached to my theme’s footer file. It’s either the DRM of the theme, or a virus; however it’s encoded and I can’t figure it out. Do that for me please :)


The challenge starts with an obfuscated php code. We started manually decoding each encoding layer, each using a slightly different encoding function. After 4 levels we realized it was not the best approach (php started complaining about memory allocation and we needed to put ini_set('memory_limit', '-1'); in every decoded level).

<php eval(gzuncompress(base64_decode('eNrs/cuSNEuyXgc+DiiUHvjFzCPjDfgaaEiPmgOO+PysqoNzw ....

That’s when we used evalhook, a PHP extension that “hooks” into eval() calls in PHP, displays a code to be executed and asks for a confirmation to run it. This article well covers its usage.


The flag is 6523359abf1fc63b2bde16fefbc60bc1.