CodeSOD: edoced_46esab


The Daily WTF

Rick is supporting a Magento-based e-commerce site. Like many such sites, it uses a lot of third-party plugins. One of those third-party plugins wants to make sure no one “steals” its code, and thus obfuscates the code.

$_F=__FILE__;$_X="JF9GPV9f…oJF9EKCRfWCkpOw==";$_D=strrev('edoced_46esab');eval($_D($_X));

This stores the actual code inside that Base64 encoded string. And it “cleverly” hides the fact that it’s Base64 encoded by reversing the name of the decode function into “edoced_46esab”.

But now, as clever hackers, you might be wondering: what is the actual code?

$_F=__FILE__;$_X="JF9GPV9fRklMRV9fOyR…RfRCgkX1gpKTs=";$_D=strrev('edoced_46esab');eval($_D($_X));

It’s not a quine, it’s another Base64 encoded string, surrounded by decoding code. And when you decode that?

$_F=__FILE__;$_X="LyoqDQogKiBA…KCdPSycpOyB9IH0=";$_D=strrev('edoced_46esab');eval($_D($_X));

Look familiar? When you decode it one more time, it outputs code. But that code has also been altered, so that all the variable names are $_0e91566a8fd5270e1fde008c1f93b7c9.
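
When reviewing a plugin like this, the layers can be removed by decoding alone, so the vendor's eval never runs. The following is an added example, not code from the article or the plugin: a static unpacker in Python that assumes every layer has the wrapper shape shown above, written with ordinary ASCII quotes. The names peel and wrap and the sample payload are constructed for illustration.

```python
import base64
import binascii
import re

# The wrapper shape shown above: $_X="<base64>"; ... strrev('edoced_46esab') ... eval(
WRAPPER = re.compile(
    r"""\$_X\s*=\s*["']([A-Za-z0-9+/=\s]+)["']\s*;"""
    r""".*?strrev\(\s*["']edoced_46esab["']\s*\).*?\beval\s*\(""",
    re.DOTALL,
)


def peel(source, max_layers=20):
    """Strip nested wrappers by decoding only; no PHP is ever executed.

    Returns (layers_removed, innermost_source).
    """
    layers = 0
    while layers < max_layers:  # cap guards against a self-reproducing wrapper
        match = WRAPPER.search(source)
        if match is None:
            break  # no wrapper left: this is the real code
        blob = "".join(match.group(1).split())
        try:
            decoded = base64.b64decode(blob, validate=True)
        except binascii.Error:
            break  # looks like a wrapper but is not valid Base64; stop here
        source = decoded.decode("utf-8", errors="replace")
        layers += 1
    return layers, source


def wrap(php):
    """Build one constructed layer in the same shape as the plugin's wrapper."""
    blob = base64.b64encode(php.encode("utf-8")).decode("ascii")
    return ('$_F=__FILE__;$_X="' + blob + '";'
            "$_D=strrev('edoced_46esab');eval($_D($_X));")


# Constructed sample: a harmless payload wrapped three times, as in the article.
PAYLOAD = "function total($_0e91566a8fd5270e1fde008c1f93b7c9) { return 1; }"
SAMPLE = wrap(wrap(wrap(PAYLOAD)))

if __name__ == "__main__":
    count, code = peel(SAMPLE)
    print(count, "layers removed")
    print(code)
```

The output of peel is still subject to the variable renaming described above; the unpacker only removes the Base64 and eval nesting.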

Every file in the plugin has been run through this obfuscator. It includes many files. So