HackDatKiwiCTF 2015 - Gaychal
Category: writeups
Tags: reversing kiwictf-2015
Web - 80 Points
I found some suspicious PHP code on my website. The code was attached to my theme’s footer file. It’s either the DRM of the theme, or a virus; however it’s encoded and I can’t figure it out. Do that for me please :)
The challenge starts with obfuscated PHP code. We started by manually decoding each encoding layer, each of which used a slightly different encoding function. After 4 levels we realized this was not the best approach (PHP started complaining about memory allocation and we needed to put ini_set('memory_limit', '-1'); in every decoded level).
That’s when we used evalhook, a PHP extension that “hooks” into eval() calls in PHP, displays the code about to be executed and asks for confirmation before running it. This article covers its usage well.
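The layer-by-layer decoding described above can also be done statically, treating every layer as data so the suspicious code is never executed. The following is an added example, not code from the original writeup: the wrapper functions it handles are an assumed set (the page does not name the ones the sample used), and `build_sample` only constructs a test input.

```python
import base64, codecs, re, zlib

def _rot13(b):
    return codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")

def _deflate(b):  # raw DEFLATE, the inverse of PHP gzinflate()
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(b) + c.flush()

# PHP wrapper name -> (decode, encode). Assumed set: the page does not name
# the functions its sample used; these are common in PHP obfuscators.
CODECS = {
    "base64_decode": (base64.b64decode, base64.b64encode),
    "gzinflate": (lambda b: zlib.decompress(b, -15), _deflate),
    "gzuncompress": (zlib.decompress, zlib.compress),
    "str_rot13": (_rot13, _rot13),
    "strrev": (lambda b: b[::-1], lambda b: b[::-1]),
}
# Matches eval(f1(f2(...('payload')...)));
LAYER = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2[\s)]*;", re.S)

def peel_once(src):
    """Decode one eval() layer as data, never executing it; None if no layer."""
    m = LAYER.search(src)
    if not m:
        return None
    data = m.group(3).encode("latin-1")
    for name in reversed(re.findall(r"\w+", m.group(1))):  # innermost first
        if name not in CODECS:
            raise ValueError("unknown wrapper: " + name)
        data = CODECS[name][0](data)
    return data.decode("latin-1")

def peel_all(src, max_layers=500):
    """Peel layers until plain code remains; returns (code, layers_removed)."""
    for layers in range(max_layers):
        nxt = peel_once(src)
        if nxt is None:
            return src, layers
        src = nxt
    raise RuntimeError("layer limit reached")

def build_sample(final, chains):
    """Constructed test input: wrap `final` once per chain, innermost first."""
    code = final
    for funcs in chains:
        data = code.encode("latin-1")
        for name in funcs:
            data = CODECS[name][1](data)
        code = "eval(%s('%s'%s);" % ("(".join(funcs), data.decode("latin-1"), ")" * len(funcs))
    return code
```

An unknown wrapper raises an error rather than being guessed at, which marks the layer where a new decoder has to be added to the table.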
The flag is