HackDatKiwiCTF 2015 - Gaychal
Category: writeupsTags: reversing kiwictf-2015
Gaychal
Web - 80 Points
I found some suspicious PHP code on my website. The code was attached to my theme’s footer file. It’s either the DRM of the theme, or a virus; however it’s encoded and I can’t figure it out. Do that for me please :)
Writeup
The challenge starts with an obfuscated php code. We started manually decoding each encoding layer, each using a slightly different encoding function. After 4 levels we realized it was not the best approach (php started complaining about memory allocation and we needed to put ini_set('memory_limit', '-1'); in every decoded level).
<php eval(gzuncompress(base64_decode('eNrs/cuSNEuyXgc+DiiUHvjFzCPjDfgaaEiPmgOO+PysqoNzw ....That’s when we used evalhook, a PHP extension that “hooks” into eval() calls in PHP, displays a code to be executed and asks for a confirmation to run it. This article well covers its usage.
The flag is 6523359abf1fc63b2bde16fefbc60bc1.