I recently ran across a freeware web application written in PHP that utilized the following method to encrypt its source code: <?php eval(gzinflate(base64_decode(encoded text))); ?>

Fortunately, I was able to decode it with this PHP snippet:

<?php
/*
Taken from http://www.php.net/manual/de/function.eval.php#59862
Directions:
1. Save this snippet as decrypt.php
2. Save encoded PHP code in coded.txt
3. Create a blank file called decoded.txt (from shell do CHMOD 0666 decoded.txt)
4. Execute this script (visit decrypt.php in a web browser or do php decrypt.php in the shell)
5. Open decoded.txt; the PHP should be decrypted. If not, comment below: http://danilo.ariadoss.com/decoding-eval-gzinflate-base64-decode/
*/
echo "\nDECODE nested eval(gzinflate()) by DEBO Jurgen <jurgen@person.be>\n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen("coded.txt", "r");
$contents = fread($fp1, filesize("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
// Peel one layer per iteration until no eval(gzinflate(...)) wrapper remains.
while (preg_match("/eval\(gzinflate/", $contents)) {
    // Strip the PHP open/close tags (including the "php" of "<?php") so the layer parses inside eval().
    $contents = preg_replace("/<\?(php)?|\?>/", "", $contents);
    // Turn eval(...) into $contents=... and run it: the layer is executed, and its
    // decoded output is captured in $contents instead of being evaluated in turn.
    eval(preg_replace("/eval/", "\$contents=", $contents));
}
echo "3. Writing decoded.txt\n";
$fp2 = fopen("decoded.txt", "w");
fwrite($fp2, trim($contents));
fclose($fp2);
?>

Upon decrypting the source code I realized that the freeware application downloaded spyware onto visitors’ computers as well as periodically initiated pop-ups that contained obvious spam. I posted this article in order for others to be able to examine the actual source of these applications in order to prevent them from inadvertently running malicious code on their websites. I hope this helped some of you and I will endeavor to continue to post useful and insightful entries from now on.
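
decrypt.php decodes each layer by handing it to eval(), so anything else present in coded.txt is executed on the machine doing the analysis. The following added example (not part of the original post or the php.net snippet) peels the same eval(gzinflate(base64_decode(...))) layers statically in Python, without running any PHP; the function names, the layer and size limits, and the sample builder are assumptions made for illustration.

```python
import base64
import re
import zlib

# One wrapper layer: eval(gzinflate(base64_decode('...'))); with either quote style.
LAYER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"
)

MAX_LAYERS = 100                 # stop on absurd nesting
MAX_OUTPUT = 16 * 1024 * 1024    # per-layer cap against decompression bombs


def inflate_raw(blob: bytes) -> str:
    """Equivalent of PHP gzinflate(): raw DEFLATE with no zlib/gzip header."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = d.decompress(blob, MAX_OUTPUT)
    if d.unconsumed_tail:
        raise ValueError("layer exceeds MAX_OUTPUT")
    return out.decode("utf-8", errors="replace")


def unwrap(source: str) -> tuple[str, int]:
    """Peel nested layers as text only; returns (decoded source, layers removed)."""
    layers = 0
    while layers < MAX_LAYERS:
        m = LAYER.search(source)
        if m is None:
            break
        inner = inflate_raw(base64.b64decode(m.group(2)))
        # Splice the decoded layer in place of the eval(...) call; nothing is executed.
        source = source[:m.start()] + inner + source[m.end():]
        layers += 1
    return source, layers


def make_sample(php: str, depth: int) -> str:
    """Build a constructed, harmless nested sample in the same wrapper format."""
    for _ in range(depth):
        c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
        raw = c.compress(php.encode()) + c.flush()
        php = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php " + php + " ?>"
```

Read coded.txt as text, pass it to unwrap(), and write the first element of the result to decoded.txt for review.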

Last modified: May 27, 2009