Help me decode php code

I am trying to decode a Base64-encoded string in PHP, but the output I get appears partially readable and partially corrupted.

Encoded Original code :

<?php
$a='JG1vYl91YT1hcnJheSgnaVBob25lJywnQW5kcm9pZCcsJ0JsYWNrQmVycnknLCdPcGVyYSBNaW5pJywnSUVNb2JpbGUnKTskY3VycmVudF91YT1pc3NldCgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pPyRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsnJztmb3JlYWNoKCRtb2JfdWEgYXMgJGFnZW50KXtpaChzdHJpcG9zKCRjdXJyZW50X3VhLCRhZ2VudCk !==IGZhbHNlKSl7aGVhZGVyKCdMb2NhdGlvbjogaHR0cHM6Ly9nb29nbGUuY29tL3NlYXJjaD9xPW1vYmlsZS1yZWRpcmVjdCcpO2V4aXQ7fX0=';$b='base'.'64'.'_decode';$c='a'.'ss'.'ert';@$c($b($a));

Here is my decoding code:

<?php

$a = 'JG1vYl91YT1hcnJheSgnaVBob25lJywnQW5kcm9pZCcsJ0JsYWNrQmVycnknLCdPcGVyYSBNaW5pJywnSUVNb2JpbGUnKTskY3VycmVudF91YT1pc3NldCgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pPyRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsnJztmb3JlYWNoKCRtb2JfdWEgYXMgJGFnZW50KXtpaChzdHJpcG9zKCRjdXJyZW50X3VhLCRhZ2VudCk !==IGZhbHNlKSl7aGVhZGVyKCdMb2NhdGlvbjogaHR0cHM6Ly9nb29nbGUuY29tL3NlYXJjaD9xPW1vYmlsZS1yZWRpcmVjdCcpO2V4aXQ7fX0=';


echo base64_decode($a);


?>

I expected base64_decode() to return a clean, readable PHP script.
But the output is partially readable PHP , but the rest appears garbled or syntactically incorrect. For example: the logic seems incomplete or malformed

Questions:

  • Is this Base64 string multilayered (e.g. requires gzinflate() or another decoding step)?

  • Or is the string malformed/corrupted?

  • If corrupted, how can I reliably determine that and extract the valid portion?

Any help understanding why the decoded output is not clean PHP would be appreciated

Hi, the Base64 string is corrupted. The problem is this fragment:

!==IGZhbHNl

Base64 only allows a specific set of characters:

  • A–Z, a–z, 0–9, +, /
  • = only for padding at the end

See: Base64 – Wikipedia (Alphabet section)

Because ! is not a valid Base64 character decoding works fine up to that point then the 4-character grouping breaks and everything afterwards becomes garbage output.

Everything before that point is fine and decodes cleanly, e.g.:

$mob_ua=array('iPhone','Android','BlackBerry','Opera Mini','IEMobile');
$current_ua=isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:'';
foreach($mob_ua as $agent){

How do i decode the corrupted part ?

You don’t. It’s not valid Base64.

Where did you obtain this base64 encoded string? The start looks like a cloaking script (serving different content on different devices).

It is if you strip off the malformed byte.

IGZhbHNlKSl7aGVhZGVyKCdMb2NhdGlvbjogaHR0cHM6Ly9nb29nbGUuY29tL3NlYXJjaD9xPW1vYmlsZS1yZWRpcmVjdCcpO2V4aXQ7fX0=

= false)){header('Location: https://google.com/search?q=mobile-redirect');exit;}}

I surmise the string was SUPPOSED to encode the !==, and failed to do so.

It also butchers one of the letters in the original code. The first half of the string doesnt end where James puts it.

If i reconstruct what the code should have read, it comes out as:

$mob_ua=array('iPhone','Android','BlackBerry','Opera Mini','IEMobile');
$current_ua=isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:'';
foreach($mob_ua as $agent){
ih(stripos($current_ua,$agent) !== false)){header('Location: https://google.com/search?q=mobile-redirect');exit;}}
//my note: the "h" here i assume is supposed to be an f, making it "if".

Basically, it’s supposed to be code sniffing for mobile devices, and shunting them off to Google.

EDIT: Clarify what you did, Marc
JG1vYl91YT1hcnJheSgnaVBob25lJywnQW5kcm9pZCcsJ0JsYWNrQmVycnknLCdPcGVyYSBNaW5pJywnSUVNb2JpbGUnKTskY3VycmVudF91YT1pc3NldCgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pPyRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsnJztmb3JlYWNoKCRtb2JfdWEgYXMgJGFnZW50KXtpaChzdHJpcG9zKCRjdXJyZW50X3VhLCRhZ2VudCk !==IGZhbHNlKSl7aGVhZGVyKCdMb2NhdGlvbjogaHR0cHM6Ly9nb29nbGUuY29tL3NlYXJjaD9xPW1vYmlsZS1yZWRpcmVjdCcpO2V4aXQ7fX0=

Assume the !== is unencoded.

JG1vYl91YT1hcnJheSgnaVBob25lJywnQW5kcm9pZCcsJ0JsYWNrQmVycnknLCdPcGVyYSBNaW5pJywnSUVNb2JpbGUnKTskY3VycmVudF91YT1pc3NldCgkX1NFUlZFUlsnSFRUUF9VU0VSX0FHRU5UJ10pPyRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsnJztmb3JlYWNoKCRtb2JfdWEgYXMgJGFnZW50KXtpaChzdHJpcG9zKCRjdXJyZW50X3VhLCRhZ2VudCk 
!==
IGZhbHNlKSl7aGVhZGVyKCdMb2NhdGlvbjogaHR0cHM6Ly9nb29nbGUuY29tL3NlYXJjaD9xPW1vYmlsZS1yZWRpcmVjdCcpO2V4aXQ7fX0=

Base64 the actual encoded parts:

$mob_ua=array('iPhone','Android','BlackBerry','Opera Mini','IEMobile');$current_ua=isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT'];'';foreach($mob_ua as $agent){ih(stripos($current_ua,$agent) 
!==
 false)){header('Location: https://google.com/search?q=mobile-redirect');exit;}}

Smash the strings back together to form code in pretty formatted self:

$mob_ua=array('iPhone','Android','BlackBerry','Opera Mini','IEMobile');
$current_ua=isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT'];'';
foreach($mob_ua as $agent){
   ih(stripos($current_ua,$agent) !== false)){
      header('Location: https://google.com/search?q=mobile-redirect');
      exit;
   }
}

Fix code errors: one of the ;'s should have been a :, the ih should have been an if.

$mob_ua=array('iPhone','Android','BlackBerry','Opera Mini','IEMobile');
$current_ua=isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
foreach($mob_ua as $agent){
   if(stripos($current_ua,$agent) !== false)){
      header('Location: https://google.com/search?q=mobile-redirect');
      exit;
   }
}

[EDIT 2: Apparently the forum’s pre formatter doesnt handle overflow correctly. Whee.]

1 Like

Nice catch by @m_hutley :+1:

Yeah this is just messy/partially broken encoding. Once you fix the Base64 and small syntax issues, it turns into a simple user-agent check that redirects mobile users.

Nothing complex, just obfuscated a bit poorly.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.