Need help decoding

[iCeR]

I downloaded a free reviews script from http://tinyurl.com/25q47mj

 

One of the files is encoded and I want to ensure it doesn't have anything malicious!

Any help would be much appreciated!

Thank you!!

 

 

<?php
$ve08156dfe67="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($ve08156dfe67(
"JG4xYjEzMGI0MGZlNDYyZWExYWVmYWVhOGNmMTAwZDIyPSJceDYyIjskbmY5Y2Y4ZTgyNGRmM2I0OWU2NjhhM2U
1MGI0NjA3ZTU9Ilx4NjUiOyRjODEzNTE2ZDlkMDExMmU3MjgwODYwZjlkNzkyOTliNj0iXHg2NiI7JG9jOGM1N2Y
5YzNmNmFhYmQxYjI2NjkxYjUyOTU4OGEyPSJceDY3IjskYTQxMzcyYzgyODQ3MDgzMDM1ZjVmYTJjZjMxNDY5NTc
9Ilx4NmQiOyR1MzVmYWY4Y2I1NWFkZGQ5ODlkMGU0ZTk3MjVjNmU1Yz0iXHg2ZiI7JGw5NzQwNDQyMDFlMDMxNjY
1YjU0OWUyNTQ3ZDM1NWUxPSJceDZmIjskc2Q3MDdhNDY5MWM2YWZlMmU2M2E0Y2M3YmE1N2Y1Zjg9Ilx4NmYiOyR
6MTdkYWM4NjEyZjIyYmQ5ODQ5MWI1ZDVlZDE0OWRlZT0iXHg2ZiI7JGVkMWI5Y2I4YmM0Y2NmMjk2ZDNkMTM2NGQ
zNGZhNTA4PSJceDczIjskaDZhMjE5ODI0Mjg2NDI2NTVkMDk3ODhmZGI1ZDY4NWU9Ilx4NzMiOyRwMDE1NDI5MmM
4MGYwYzdiYjc4MWFhYTNkYjhhYzU4ZD0iXHg3MyI7JHJkNjMxZDUwNjczMWQ4ZTkyNDg4NGFkNzAwMzI5NWJhPSJ
ceDczIjskbjFiMTMwYjQwZmU0NjJlYTFhZWZhZWE4Y2YxMDBkMjIuPSJcMTQxIjskbmY5Y2Y4ZTgyNGRmM2I0OWU
2NjhhM2U1MGI0NjA3ZTUuPSJcMTYyIjskYzgxMzUxNmQ5ZDAxMTJlNzI4MDg2MGY5ZDc5Mjk5YjYuPSJcMTUxIjs
kb2M4YzU3ZjljM2Y2YWFiZDFiMjY2OTFiNTI5NTg4YTIuPSJcMTcyIjskYTQxMzcyYzgyODQ3MDgzMDM1ZjVmYTJ
jZjMxNDY5NTcuPSJcMTQ0IjskdTM1ZmFmOGNiNTVhZGRkOTg5ZDBlNGU5NzI1YzZlNWMuPSJcMTQyIjskbDk3NDA
0NDIwMWUwMzE2NjViNTQ5ZTI1NDdkMzU1ZTEuPSJcMTQyIjskc2Q3MDdhNDY5MWM2YWZlMmU2M2E0Y2M3YmE1N2Y
1ZjguPSJcMTQyIjskejE3ZGFjODYxMmYyMmJkOTg0OTFiNWQ1ZWQxNDlkZWUuPSJcMTQyIjskZWQxYjljYjhiYzR
jY2YyOTZkM2QxMzY0ZDM0ZmE1MDguPSJcMTY0IjskaDZhMjE5ODI0Mjg2NDI2NTVkMDk3ODhmZGI1ZDY4NWUuPSJ
cMTY0IjskcDAxNTQyOTJjODBmMGM3YmI3ODFhYWEzZGI4YWM1OGQuPSJcMTY0IjskcmQ2MzFkNTA2NzMxZDhlOTI
0ODg0YWQ3MDAzMjk1YmEuPSJcMTY0IjskbjFiMTMwYjQwZmU0NjJlYTFhZWZhZWE4Y2YxMDBkMjIuPSJceDczIjs
kbmY5Y2Y4ZTgyNGRmM2I0OWU2NjhhM2U1MGI0NjA3ZTUuPSJceDY1IjskYzgxMzUxNmQ5ZDAxMTJlNzI4MDg2MGY
5ZDc5Mjk5YjYuPSJceDZjIjskb2M4YzU3ZjljM2Y2YWFiZDFiMjY2OTFiNTI5NTg4YTIuPSJceDY5IjskYTQxMzc
yYzgyODQ3MDgzMDM1ZjVmYTJjZjMxNDY5NTcuPSJceDM1IjskdTM1ZmFmOGNiNTVhZGRkOTg5ZDBlNGU5NzI1YzZ
lNWMuPSJceDVmIjskbDk3NDA0NDIwMWUwMzE2NjViNTQ5ZTI1NDdkMzU1ZTEuPSJceDVmIjskc2Q3MDdhNDY5MWM
2YWZlMmU2M2E0Y2M3YmE1N2Y1ZjguPSJceDVmIjskejE3ZGFjODYxMmYyMmJkOTg0OTFiNWQ1ZWQxNDlkZWUuPSJ
ceDVmIjskZWQxYjljYjhiYzRjY2YyOTZkM2QxMzY0ZDM0ZmE1MDguPSJceDcyIjskaDZhMjE5ODI0Mjg2NDI2NTV
kMDk3ODhmZGI1ZDY4NWUuPSJceDcyIjskcDAxNTQyOTJjODBmMGM3YmI3ODFhYWEzZGI4YWM1OGQuPSJceDcyIjs
kcmQ2MzFkNTA2NzMxZDhlOTI0ODg0YWQ3MDAzMjk1YmEuPSJceDcyIjskbjFiMTMwYjQwZmU0NjJlYTFhZWZhZWE
4Y2YxMDBkMjIuPSJcMTQ1IjskbmY5Y2Y4ZTgyNGRmM2I0OWU2NjhhM2U1MGI0NjA3ZTUuPSJcMTQ3IjskYzgxMzU
xNmQ5ZDAxMTJlNzI4MDg2MGY5ZDc5Mjk5YjYuPSJcMTQ1Ijskb2M4YzU3ZjljM2Y2YWFiZDFiMjY2OTFiNTI5NTg
4YTIuPSJcMTU2IjskdTM1ZmFmOGNiNTVhZGRkOTg5ZDBlNGU5NzI1YzZlNWMuPSJcMTQ1IjskbDk3NDA0NDIwMWU
wMzE2NjViNTQ5ZTI1NDdkMzU1ZTEuPSJcMTQ1Ijskc2Q3MDdhNDY5MWM2YWZlMmU2M2E0Y2M3YmE1N2Y1ZjguPSJ
cMTQ3IjskejE3ZGFjODYxMmYyMmJkOTg0OTFiNWQ1ZWQxNDlkZWUuPSJcMTYzIjskZWQxYjljYjhiYzRjY2YyOTZ
kM2QxMzY0ZDM0ZmE1MDguPSJcMTM3IjskaDZhMjE5ODI0Mjg2NDI2NTVkMDk3ODhmZGI1ZDY4NWUuPSJcMTM3Ijs
kcDAxNTQyOTJjODBmMGM3YmI3ODFhYWEzZGI4YWM1OGQuPSJcMTYwIjskcmQ2MzFkNTA2NzMxZDhlOTI0ODg0YWQ
3MDAzMjk1YmEuPSJcMTY0IjskbjFiMTMwYjQwZmU0NjJlYTFhZWZhZWE4Y2YxMDBkMjIuPSJceDM2IjskbmY5Y2Y
4ZTgyNGRmM2I0OWU2NjhhM2U1MGI0NjA3ZTUuPSJceDVmIjskYzgxMzUxNmQ5ZDAxMTJlNzI4MDg2MGY5ZDc5Mjk
5YjYuPSJceDVmIjskb2M4YzU3ZjljM2Y2YWFiZDFiMjY2OTFiNTI5NTg4YTIuPSJceDY2IjskdTM1ZmFmOGNiNTV
hZGRkOTg5ZDBlNGU5NzI1YzZlNWMuPSJceDZlIjskbDk3NDA0NDIwMWUwMzE2NjViNTQ5ZTI1NDdkMzU1ZTEuPSJ
ceDZlIjskc2Q3MDdhNDY5MWM2YWZlMmU2M2E0Y2M3YmE1N2Y1ZjguPSJceDY1IjskejE3ZGFjODYxMmYyMmJkOTg
0OTFiNWQ1ZWQxNDlkZWUuPSJceDc0IjskZWQxYjljYjhiYzRjY2YyOTZkM2QxMzY0ZDM0ZmE1MDguPSJceDcyIjs
kaDZhMjE5ODI0Mjg2NDI2NTVkMDk3ODhmZGI1ZDY4NWUuPSJceDcyIjskcDAxNTQyOTJjODBmMGM3YmI3ODFhYWE
zZGI4YWM1OGQuPSJceDZmIjskcmQ2MzFkNTA2NzMxZDhlOTI0ODg0YWQ3MDAzMjk1YmEuPSJceDZmIjskbjFiMTM
wYjQwZmU0NjJlYTFhZWZhZWE4Y2YxMDBkMjIuPSJcNjQiOyRuZjljZjhlODI0ZGYzYjQ5ZTY2OGEzZTUwYjQ2MDd
lNS49IlwxNjIiOyRjODEzNTE2ZDlkMDExMmU3MjgwODYwZjlkNzkyOTliNi49IlwxNDciOyRvYzhjNTdmOWMzZjZ
hYWJkMWIyNjY5MWI1Mjk1ODhhMi49IlwxNTQiOyR1MzVmYWY4Y2I1NWFkZGQ5ODlkMGU0ZTk3MjVjNmU1Yy49Ilw
xNDQiOyRsOTc0MDQ0MjAxZTAzMTY2NWI1NDllMjU0N2QzNTVlMS49IlwxNDQiOyRzZDcwN2E0NjkxYzZhZmUyZTY
zYTRjYzdiYTU3ZjVmOC49IlwxNjQiOyR6MTdkYWM4NjEyZjIyYmQ5ODQ5MWI1ZDVlZDE0OWRlZS49IlwxNDEiOyR
lZDFiOWNiOGJjNGNjZjI5NmQzZDEzNjRkMzRmYTUwOC49IlwxNDUiOyRoNmEyMTk4MjQyODY0MjY1NWQwOTc4OGZ
kYjVkNjg1ZS49IlwxNTciOyRwMDE1NDI5MmM4MGYwYzdiYjc4MWFhYTNkYjhhYzU4ZC49IlwxNjMiOyRyZDYzMWQ
1MDY3MzFkOGU5MjQ4ODRhZDcwMDMyOTViYS49IlwxNTMiOyRuMWIxMzBiNDBmZTQ2MmVhMWFlZmFlYThjZjEwMGQ
yMi49Ilx4NWYiOyRuZjljZjhlODI0ZGYzYjQ5ZTY2OGEzZTUwYjQ2MDdlNS49Ilx4NjUiOyRjODEzNTE2ZDlkMDE
xMmU3MjgwODYwZjlkNzkyOTliNi49Ilx4NjUiOyRvYzhjNTdmOWMzZjZhYWJkMWIyNjY5MWI1Mjk1ODhhMi49Ilx
4NjEiOyR1MzVmYWY4Y2I1NWFkZGQ5ODlkMGU0ZTk3MjVjNmU1Yy49Ilx4NWYiOyRsOTc0MDQ0MjAxZTAzMTY2NWI
1NDllMjU0N2QzNTVlMS49Ilx4NWYiOyRzZDcwN2E0NjkxYzZhZmUyZTYzYTRjYzdiYTU3ZjVmOC49Ilx4NWYiOyR
6MTdkYWM4NjEyZjIyYmQ5ODQ5MWI1ZDVlZDE0OWRlZS49Ilx4NzIiOyRlZDFiOWNiOGJjNGNjZjI5NmQzZDEzNjR
kMzRmYTUwOC49Ilx4NzAiOyRoNmEyMTk4MjQyODY0MjY1NWQwOTc4OGZkYjVkNjg1ZS49Ilx4NzQiOyRuMWIxMzB
iNDBmZTQ2MmVhMWFlZmFlYThjZjEwMGQyMi49IlwxNDQiOyRuZjljZjhlODI0ZGYzYjQ5ZTY2OGEzZTUwYjQ2MDd
lNS49IlwxNjAiOyRjODEzNTE2ZDlkMDExMmU3MjgwODYwZjlkNzkyOTliNi49IlwxNjQiOyRvYzhjNTdmOWMzZjZ
hYWJkMWIyNjY5MWI1Mjk1ODhhMi49IlwxNjQiOyR1MzVmYWY4Y2I1NWFkZGQ5ODlkMGU0ZTk3MjVjNmU1Yy49Ilw
xNDMiOyRsOTc0MDQ0MjAxZTAzMTY2NWI1NDllMjU0N2QzNTVlMS49IlwxNDYiOyRzZDcwN2E0NjkxYzZhZmUyZTY
zYTRjYzdiYTU3ZjVmOC49IlwxNDMiOyR6MTdkYWM4NjEyZjIyYmQ5ODQ5MWI1ZDVlZDE0OWRlZS49IlwxNjQiOyR
lZDFiOWNiOGJjNGNjZjI5NmQzZDEzNjRkMzRmYTUwOC49IlwxNTQiOyRoNmEyMTk4MjQyODY0MjY1NWQwOTc4OGZ
kYjVkNjg1ZS49Ilw2MSI7JG4xYjEzMGI0MGZlNDYyZWExYWVmYWVhOGNmMTAwZDIyLj0iXHg2NSI7JG5mOWNmOGU
4MjRkZjNiNDllNjY4YTNlNTBiNDYwN2U1Lj0iXHg2YyI7JGM4MTM1MTZkOWQwMTEyZTcyODA4NjBmOWQ3OTI5OWI
2Lj0iXHg1ZiI7JG9jOGM1N2Y5YzNmNmFhYmQxYjI2NjkxYjUyOTU4OGEyLj0iXHg2NSI7JHUzNWZhZjhjYjU1YWR
kZDk4OWQwZTRlOTcyNWM2ZTVjLj0iXHg2YyI7JGw5NzQwNDQyMDFlMDMxNjY1YjU0OWUyNTQ3ZDM1NWUxLj0iXHg
2YyI7JHNkNzA3YTQ2OTFjNmFmZTJlNjNhNGNjN2JhNTdmNWY4Lj0iXHg2ZiI7JGVkMWI5Y2I4YmM0Y2NmMjk2ZDN
kMTM2NGQzNGZhNTA4Lj0iXHg2MSI7JGg2YTIxOTgyNDI4NjQyNjU1ZDA5Nzg4ZmRiNWQ2ODVlLj0iXHgzMyI7JG4
xYjEzMGI0MGZlNDYyZWExYWVmYWVhOGNmMTAwZDIyLj0iXDE0MyI7JG5mOWNmOGU4MjRkZjNiNDllNjY4YTNlNTB
iNDYwN2U1Lj0iXDE0MSI7JGM4MTM1MTZkOWQwMTEyZTcyODA4NjBmOWQ3OTI5OWI2Lj0iXDE0MyI7JHUzNWZhZjh
jYjU1YWRkZDk4OWQwZTRlOTcyNWM2ZTVjLj0iXDE0NSI7JGw5NzQwNDQyMDFlMDMxNjY1YjU0OWUyNTQ3ZDM1NWU
xLj0iXDE2NSI7JHNkNzA3YTQ2OTFjNmFmZTJlNjNhNGNjN2JhNTdmNWY4Lj0iXDE1NiI7JGVkMWI5Y2I4YmM0Y2N
mMjk2ZDNkMTM2NGQzNGZhNTA4Lj0iXDE0MyI7JG4xYjEzMGI0MGZlNDYyZWExYWVmYWVhOGNmMTAwZDIyLj0iXHg
2ZiI7JG5mOWNmOGU4MjRkZjNiNDllNjY4YTNlNTBiNDYwN2U1Lj0iXHg2MyI7JGM4MTM1MTZkOWQwMTEyZTcyODA
4NjBmOWQ3OTI5OWI2Lj0iXHg2ZiI7JHUzNWZhZjhjYjU1YWRkZDk4OWQwZTRlOTcyNWM2ZTVjLj0iXHg2MSI7JGw
5NzQwNDQyMDFlMDMxNjY1YjU0OWUyNTQ3ZDM1NWUxLj0iXHg3MyI7JHNkNzA3YTQ2OTFjNmFmZTJlNjNhNGNjN2J
hNTdmNWY4Lj0iXHg3NCI7JGVkMWI5Y2I4YmM0Y2NmMjk2ZDNkMTM2NGQzNGZhNTA4Lj0iXHg2NSI7JG4xYjEzMGI
0MGZlNDYyZWExYWVmYWVhOGNmMTAwZDIyLj0iXDE0NCI7JG5mOWNmOGU4MjRkZjNiNDllNjY4YTNlNTBiNDYwN2U
1Lj0iXDE0NSI7JGM4MTM1MTZkOWQwMTEyZTcyODA4NjBmOWQ3OTI5OWI2Lj0iXDE1NiI7JHUzNWZhZjhjYjU1YWR
kZDk4OWQwZTRlOTcyNWM2ZTVjLj0iXDE1NiI7JGw5NzQwNDQyMDFlMDMxNjY1YjU0OWUyNTQ3ZDM1NWUxLj0iXDE
1MCI7JHNkNzA3YTQ2OTFjNmFmZTJlNjNhNGNjN2JhNTdmNWY4Lj0iXDE0NSI7JG4xYjEzMGI0MGZlNDYyZWExYWV
mYWVhOGNmMTAwZDIyLj0iXHg2NSI7JGM4MTM1MTZkOWQwMTEyZTcyODA4NjBmOWQ3OTI5OWI2Lj0iXHg3NCI7JHN
kNzA3YTQ2OTFjNmFmZTJlNjNhNGNjN2JhNTdmNWY4Lj0iXHg2ZSI7JGM4MTM1MTZkOWQwMTEyZTcyODA4NjBmOWQ
3OTI5OWI2Lj0iXDE0NSI7JHNkNzA3YTQ2OTFjNmFmZTJlNjNhNGNjN2JhNTdmNWY4Lj0iXDE2NCI7JGM4MTM1MTZ
kOWQwMTEyZTcyODA4NjBmOWQ3OTI5OWI2Lj0iXHg2ZSI7JHNkNzA3YTQ2OTFjNmFmZTJlNjNhNGNjN2JhNTdmNWY
4Lj0iXHg3MyI7JGM4MTM1MTZkOWQwMTEyZTcyODA4NjBmOWQ3OTI5OWI2Lj0iXDE2NCI7JGM4MTM1MTZkOWQwMTE
yZTcyODA4NjBmOWQ3OTI5OWI2Lj0iXHg3MyI7JHoxN2RhYzg2MTJmMjJiZDk4NDkxYjVkNWVkMTQ5ZGVlKCk7aWY
oJGE0MTM3MmM4Mjg0NzA4MzAzNWY1ZmEyY2YzMTQ2OTU3KCRuZjljZjhlODI0ZGYzYjQ5ZTY2OGEzZTUwYjQ2MDd
lNSgiXHg1Y1w1MFx4MjJcMTMzXHgzMFw1NVx4MzlcMTAxXHgyZFwxMzJceDYxXDU1XHg3YVwxMzRceDJiXDU3XHg
zZFwxMzVceDJhXDQyXHg1Y1w1MSIsIlx4MjhcNDJceDIyXDUxIiwkZWQxYjljYjhiYzRjY2YyOTZkM2QxMzY0ZDM
0ZmE1MDgoIlxyXG4iLCIiLCRjODEzNTE2ZDlkMDExMmU3MjgwODYwZjlkNzkyOTliNigkcmQ2MzFkNTA2NzMxZDh
lOTI0ODg0YWQ3MDAzMjk1YmEoX19GSUxFX18sIlx4MjgiKSkpKSk9PSJceDM4XDYwXHgzOFwxNDNceDMzXDYwXHg
zOFw2NVx4MzRcNzFceDM3XDE0Nlx4MzNcMTQ2XHg2Mlw3MFx4MzJcNjdceDMxXDYxXHg2Nlw3MVx4MzFcMTQzXHg
zNlwxNDJceDY2XDcwXHgzOVwxNDZceDM4XDY3Iil7QGV2YWwoJG9jOGM1N2Y5YzNmNmFhYmQxYjI2NjkxYjUyOTU
4OGEyKCRuMWIxMzBiNDBmZTQ2MmVhMWFlZmFlYThjZjEwMGQyMigkaDZhMjE5ODI0Mjg2NDI2NTVkMDk3ODhmZGI
1ZDY4NWUoImdJdWdvOUFWUkM0ZWl0dk93SFlNS24vZ2NZMEpFSjN0ZHRBbldyVVE2S1hYUmFmQXhIYm5jRmFVUHN
lc285N0pxeFluSHRFODZZWWVySzF6cXpMMm01L3pFRnFXYUZjdzArMDRhb2lweXUxeW9ubnpGR3NnMkJZYzhrcVV
pNzlMc3l0VGpuQ0MydTYya2M5R1o5TUp3bTlhWm5qVzdPM2kwalkzZURaeEdWd0RQeFI2MWJ4SkRna29XeGI5Uks
3WkRUZEZqeTdRdnhEdlhGWnZZbFNhUEhhV245TEVNd05TT1pVWEdPM0N5VWU3TGl0YnpnWEZBcTBhY1JnUGh6Vkp
lVVNKQjUyV1E5QXFFVHoyRkdEd1Z5RWFFUDBGV25sQjlhVWdUalREWnpCK21NdlhVMUxEODFOSkZSdERiYjJXelB
ac1VLMFJqa0FTNHlDQTU2SC9XNitBQlR3UnF0SzB5ZjB1OG10ckV6MG1yTUFGampGNlZ4dDRJN0xXUU9VRE5IQXp
6NVBXVExGQm5zdlJtQ1psUFUvUTdOY090dEhXV3o1U0hzUHlwQkk4NEVkVTdyUXhxQU4vVWMwQS9jYlorK3I5REQ
vK1RrMFJBNWZ2UnVQaERvdFNNVjNxUmVLMWZIME1UOU0vV2NCS2M2Lzd4MHhSLzc2RVFDVUVPZ05Ua1p4cWdSZ2V
TWWNnOEIyUmNBUytnME1OS05Ud2FwUmRJMEdTTHc0TlByUGxOdE9wYzBsaVpzM3RLQWE2QmtkUHB1VjBFVDFvKzJ
oSGdWQ08ycXliRTNqbEl0Q01tK1dZUXR6bDNMYWROa3ZvWFFwTjN6ellsS3R5Uys3WmFvaFdXTXBkcXBTcnBRWXB
VSVZnM081Z21PS1hUSEZtRDJkRU8yZ3JyVXI1dmJZVXc2emZvcVFTc1poa01Td1kxNDc0eUFETGVXeExiQkNyYS8
zVzhxenRDbXk5ci9tNjNIeS9wZzRvL0RUVDQxWXNaR3dOSFdXUThYcTNzdzZPeit2MzM5T3ZOczBPcGxXMEI3dzl
SYTJHS2JpZXZqaU5xbUJFNzRVSnA5MFI3aFlYQ0htc29FdDgzVk1vcEhxdUFtNXc1Ymk4NGVjalZFUlhETGl1Y1o
0OGI4N2ZZTVZyd3pISXJqaTNpWWR0UjlPZHdDVHRXZE9qY0htUTRoMGdlK0psLzVla2ZSZHYyVHR5RXh4WVhuSGM
1T2txQ1hyYnZrU1JNbHdkV1BvcW96cXh4MlJ5MWlybUVWR0M2V3RtY1dYRWNKV2NZZGNTQVlNSHlmSzFQbFFLcG5
BKzdEdEExdGlldU83UnpMR2VsQjdEZkVjV24rQ21EbVRNRExyeWxxeVR4NmhOWE9mUXgxbFFRQ3l0YTZZcFFkK2p
FbUhiS2lDZ1ZXODlad2l0R2hLcEYvcmo0amVhQmtPZm16cDBhZkRJQUdzYjd4b1ppSVBuTHhFVzVIZVRsd1dxVGp
xdmVxZVZtWDNwMnh0cjgyUG1xV0g3NVNoM0d2enhadWhkWEl6Rk9oa3JJZm1aMjFTRkRnbmdZWGlhR1J5L3FBSDR
oWnM5bG9ndXNtUWNRam5BREpFK3FyS0o0bkNXZC83YjcxTWdJTWQzL2hTZGlyZ1lwVXU0VFp1NEYxc0ltOE0xT1V
qVUxBbHQ4YTlNaHNLMW5iUzZmTXZ1N2FoSXVtd2Y3czdyUXViMTI1cEJ0Z2JGREVFOC9FZXBrNjRTaXBWYVBXSTF
MWkcreTBSY3IvaWw5QUlqNzJGNDU1OEZoYzU5Zzk4dHptcVF2Y0puT0xzT2ppMG9hWmxpeWdBMS9mVGdqaHRObTU
4cVNLVkhMY1NpTzlDSW5pY3NUWUpROXJlbjFHSi9nMW1oNzg4L1l2OUtuNmM3dUhRZlVtTTV2M2tXZHY0ZUhDdTJ
5ZUlWS2w1MlFBMTZDSSs4TWxDbE0wc21OdzViM0JPL3BQV1VZbkxOZEgrcjRXUE5FQktwS0VHSFdDWjYwUTVBSDU
3WlY1WWJEUnY1cGJpOGZpUHJ5dkVLSURaZ09mdUJiRWR5aVFxY0w0K1dXTjhFMm5yKzVmeFo1bThvbXJFTFAyQk0
3SE4wRXZPSjRsanVnN0lkQldJeUtDV3R1cHFBaGpIaGhmSGFOZUtRQUVCb1dtS0l4Y2ZXbUhia2FlQTdKYkI0OFV
kV3JueWs0VVU0RSsydXlrTjQxRDUwUGFSL1dWclk2UlFUVmkyR0h0U3NMOFlsYjZXTnVUU1ZNZFQzUSs4VlVVWm5
YRnhwd29wRGk1cjU0MHg5dm5yMHdLQitOZm8zblNCOWd3QjhSSG5CV0ZydXMyRlRKYmdLSExJUWFmZCt1UUgwSTd
IeVJzV0xGY2xFNnZoZ2o3djZGUHJmM1lwRi8xV2dDYWF3THlsOXVWMDBYQThlTGhZQlpQKzN3UldVd3JrR0srUkY
4dFRJV29zTE93d0VhcUh4eVNObTBhcFZRd2tTNVJ5STJFTmd3cXIzR2ZJcXVITlJZWWF2Skk5bWlXMWM1RTBxSmp
6TmJlUHVVbzczK2p0dHFWeDBUNWlJaTA3NE9tUUpUZW15aWpvdktOY25rdmk1WEs1R25zVGlwMHBCYiswYldybjV
WOGcvc3ZXMjVOZTRjaFZzTnlXa25vb0VMd04zYStlcXhTUm1mbkxrMEp3T2ZDYjljZVhWc3paajlIOHBXVElUM0J
OcUNxNzhxQ29xYlNRb3BzelVGN212NWhRVHcrc1V5NGdsL2k1NjVzbzNJMjVudVNTalNQdUMydlZOUG85dkdWVHl
6REUvMGphc2gvSm9ybzY2S1o4L0JoTzZTd2puYW83Y0c0bnczelFIUXpqeExqaENXOFZCTXhQb3MzVTBDaj09Iik
pKSk7fSRwMDE1NDI5MmM4MGYwYzdiYjc4MWFhYTNkYjhhYzU4ZCgkc2Q3MDdhNDY5MWM2YWZlMmU2M2E0Y2M3YmE
1N2Y1ZjgoKSwiXHg2M1wxNDRceDM4XDY1XHgzNlwxNDVceDMwXDE0Nlx4MzNcNjJceDM5XDcwXHg2NVw2MVx4NjN
cMTQ1XHg2M1w2NFx4NjZcNzBceDMwXDY0XHgzNFw2N1x4MzBcMTQxXHgzNVw3MVx4MzZcNzBceDM0XDE0NCIpPyR
1MzVmYWY4Y2I1NWFkZGQ5ODlkMGU0ZTk3MjVjNmU1YygpOiRsOTc0MDQ0MjAxZTAzMTY2NWI1NDllMjU0N2QzNTV
lMSgpOw=="));
?>

[ManiacDan]

"\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65" is a hex representation of base64_decode.  Do this:

echo base64_decode("JG4xYjEzMGI0MGZlNDYyZWExYWVmYWVhOGNmMTAwZDIyPSJceDYyIjskbmY5Y2Y4ZTgyNGRmM2I0OWU2NjhhM2U
1MGI0NjA3ZTU9Ilx4NjUiOyRjODEzNTE2ZDlkMDExMmU3MjgwODYwZjlkNzkyOTliNj0iXHg2NiI7JG9jOGM1N2Y
5YzNmNmFhYmQxYjI2NjkxYjUyOTU4OGEyPSJceDY3IjskYTQxMzcyYzgyODQ3MDgzMDM1ZjVmYTJjZjMxN
//etc etc etc
");

That gives you raw PHP.  Run it through an auto-formatter (or manually format it) and see what's in there.

 

-Dan

[iCeR]

Thanks ManiacDan

 

 

Hmmm I get this..

 

$n1b130b40fe462ea1aefaea8cf100d22="\x62";$nf9cf8e824df3b49e668a3e50b4607e5="\x65";$c813516d9d0112e7280860f9d79299b6="\x66";$oc8c57f9c3f6aabd1b26691b529588a2="\x67";$a41372c82847083035f5fa2cf317ÿ޵ǭqë\

 

edit: Ahh just noticed your etc etc comment sorry. Still cannot get further.. any ideas?

[iCeR]

The furthest I have reached is this.. top level using Base64

 

$n1b130b40fe462ea1aefaea8cf100d22="\x62";$nf9cf8e824df3b49e668a3e50b4607e5="\x65";$c813516d9d0112e7280860f9d79299b6="\x66";$oc8c57f9c3f6aabd1b26691b529588a2="\x67";$a41372c82847083035f5fa2cf3146957="\x6d";$u35faf8cb55addd989d0e4e9725c6e5c="\x6f";$l974044201e031665b549e2547d355e1="\x6f";$sd707a4691c6afe2e63a4cc7ba57f5f8="\x6f";$z17dac8612f22bd98491b5d5ed149dee="\x6f";$ed1b9cb8bc4ccf296d3d1364d34fa508="\x73";$h6a21982428642655d09788fdb5d685e="\x73";$p0154292c80f0c7bb781aaa3db8ac58d="\x73";$rd631d506731d8e924884ad7003295ba="\x73";$n1b130b40fe462ea1aefaea8cf100d22.="\141";$nf9cf8e824df3b49e668a3e50b4607e5.="\162";$c813516d9d0112e7280860f9d79299b6.="\151";$oc8c57f9c3f6aabd1b26691b529588a2.="\172";$a41372c82847083035f5fa2cf3146957.="\144";$u35faf8cb55addd989d0e4e9725c6e5c.="\142";$l974044201e031665b549e2547d355e1.="\142";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\142";$z17dac8612f22bd98491b5d5ed149dee.="\142";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\164";$h6a21982428642655d09788fdb5d685e.="\164";$p0154292c80f0c7bb781aaa3db8ac58d.="\164";$rd631d506731d8e924884ad7003295ba.="\164";$n1b130b40fe462ea1aefaea8cf100d22.="\x73";$nf9cf8e824df3b49e668a3e50b4607e5.="\x65";$c813516d9d0112e7280860f9d79299b6.="\x6c";$oc8c57f9c3f6aabd1b26691b529588a2.="\x69";$a41372c82847083035f5fa2cf3146957.="\x35";$u35faf8cb55addd989d0e4e9725c6e5c.="\x5f";$l974044201e031665b549e2547d355e1.="\x5f";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\x5f";$z17dac8612f22bd98491b5d5ed149dee.="\x5f";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\x72";$h6a21982428642655d09788fdb5d685e.="\x72";$p0154292c80f0c7bb781aaa3db8ac58d.="\x72";$rd631d506731d8e924884ad7003295ba.="\x72";$n1b130b40fe462ea1aefaea8cf100d22.="\145";$nf9cf8e824df3b49e668a3e50b4607e5.="\147";$c813516d9d0112e7280860f9d79299b6.="\145";$oc8c57f9c3f6aabd1b26691b529588a2.="\156";$u35faf8cb55addd989d0e4e9725c6e5c.="\145";$l974044201e031665b549e2547d355e1.="\145";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\147";$z17dac8612f22bd98491b5d5ed149dee.="\163";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\137";$h6a21982428642655d09788fdb5d685e.="\137";$p0154292c80f0c7bb781aaa3db8ac58d.="\160";$rd631d506731d8e924884ad7003295ba.="\164";$n1b130b40fe462ea1aefaea8cf100d22.="\x36";$nf9cf8e824df3b49e668a3e50b4607e5.="\x5f";$c813516d9d0112e7280860f9d79299b6.="\x5f";$oc8c57f9c3f6aabd1b26691b529588a2.="\x66";$u35faf8cb55addd989d0e4e9725c6e5c.="\x6e";$l974044201e031665b549e2547d355e1.="\x6e";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\x65";$z17dac8612f22bd98491b5d5ed149dee.="\x74";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\x72";$h6a21982428642655d09788fdb5d685e.="\x72";$p0154292c80f0c7bb781aaa3db8ac58d.="\x6f";$rd631d506731d8e924884ad7003295ba.="\x6f";$n1b130b40fe462ea1aefaea8cf100d22.="\64";$nf9cf8e824df3b49e668a3e50b4607e5.="\162";$c813516d9d0112e7280860f9d79299b6.="\147";$oc8c57f9c3f6aabd1b26691b529588a2.="\154";$u35faf8cb55addd989d0e4e9725c6e5c.="\144";$l974044201e031665b549e2547d355e1.="\144";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\164";$z17dac8612f22bd98491b5d5ed149dee.="\141";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\145";$h6a21982428642655d09788fdb5d685e.="\157";$p0154292c80f0c7bb781aaa3db8ac58d.="\163";$rd631d506731d8e924884ad7003295ba.="\153";$n1b130b40fe462ea1aefaea8cf100d22.="\x5f";$nf9cf8e824df3b49e668a3e50b4607e5.="\x65";$c813516d9d0112e7280860f9d79299b6.="\x65";$oc8c57f9c3f6aabd1b26691b529588a2.="\x61";$u35faf8cb55addd989d0e4e9725c6e5c.="\x5f";$l974044201e031665b549e2547d355e1.="\x5f";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\x5f";$z17dac8612f22bd98491b5d5ed149dee.="\x72";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\x70";$h6a21982428642655d09788fdb5d685e.="\x74";$n1b130b40fe462ea1aefaea8cf100d22.="\144";$nf9cf8e824df3b49e668a3e50b4607e5.="\160";$c813516d9d0112e7280860f9d79299b6.="\164";$oc8c57f9c3f6aabd1b26691b529588a2.="\164";$u35faf8cb55addd989d0e4e9725c6e5c.="\143";$l974044201e031665b549e2547d355e1.="\146";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\143";$z17dac8612f22bd98491b5d5ed149dee.="\164";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\154";$h6a21982428642655d09788fdb5d685e.="\61";$n1b130b40fe462ea1aefaea8cf100d22.="\x65";$nf9cf8e824df3b49e668a3e50b4607e5.="\x6c";$c813516d9d0112e7280860f9d79299b6.="\x5f";$oc8c57f9c3f6aabd1b26691b529588a2.="\x65";$u35faf8cb55addd989d0e4e9725c6e5c.="\x6c";$l974044201e031665b549e2547d355e1.="\x6c";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\x6f";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\x61";$h6a21982428642655d09788fdb5d685e.="\x33";$n1b130b40fe462ea1aefaea8cf100d22.="\143";$nf9cf8e824df3b49e668a3e50b4607e5.="\141";$c813516d9d0112e7280860f9d79299b6.="\143";$u35faf8cb55addd989d0e4e9725c6e5c.="\145";$l974044201e031665b549e2547d355e1.="\165";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\156";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\143";$n1b130b40fe462ea1aefaea8cf100d22.="\x6f";$nf9cf8e824df3b49e668a3e50b4607e5.="\x63";$c813516d9d0112e7280860f9d79299b6.="\x6f";$u35faf8cb55addd989d0e4e9725c6e5c.="\x61";$l974044201e031665b549e2547d355e1.="\x73";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\x74";$ed1b9cb8bc4ccf296d3d1364d34fa508.="\x65";$n1b130b40fe462ea1aefaea8cf100d22.="\144";$nf9cf8e824df3b49e668a3e50b4607e5.="\145";$c813516d9d0112e7280860f9d79299b6.="\156";$u35faf8cb55addd989d0e4e9725c6e5c.="\156";$l974044201e031665b549e2547d355e1.="\150";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\145";$n1b130b40fe462ea1aefaea8cf100d22.="\x65";$c813516d9d0112e7280860f9d79299b6.="\x74";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\x6e";$c813516d9d0112e7280860f9d79299b6.="\145";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\164";$c813516d9d0112e7280860f9d79299b6.="\x6e";$sd707a4691c6afe2e63a4cc7ba57f5f8.="\x73";$c813516d9d0112e7280860f9d79299b6.="\164";$c813516d9d0112e7280860f9d79299b6.="\x73";$z17dac8612f22bd98491b5d5ed149dee();if($a41372c82847083035f5fa2cf3146957($nf9cf8e824df3b49e668a3e50b4607e5("\x5c\50\x22\133\x30\55\x39\101\x2d\132\x61\55\x7a\134\x2b\57\x3d\135\x2a\42\x5c\51","\x28\42\x22\51",$ed1b9cb8bc4ccf296d3d1364d34fa508("\r\n","",$c813516d9d0112e7280860f9d79299b6($rd631d506731d8e924884ad7003295ba(__FILE__,"\x28")))))=="\x38\60\x38\143\x33\60\x38\65\x34\71\x37\146\x33\146\x62\70\x32\67\x31\61\x66\71\x31\143\x36\142\x66\70\x39\146\x38\67"){@eval($oc8c57f9c3f6aabd1b26691b529588a2($n1b130b40fe462ea1aefaea8cf100d22($h6a21982428642655d09788fdb5d685e("gIugo9AVRC4eitvOwHYMKn/gcY0JEJ3tdtAnWrUQ6KXXRafAxHbncFaUPseso97JqxYnHtE86YYerK1zqzL2m5/zEFqWaFcw0+04aoipyu1yonnzFGsg2BYc8kqUi79LsytTjnCC2u62kc9GZ9MJwm9aZnjW7O3i0jY3eDZxGVwDPxR61bxJDgkoWxb9RK7ZDTdFjy7QvxDvXFZvYlSaPHaWn9LEMwNSOZUXGO3CyUe7LitbzgXFAq0acRgPhzVJeUSJB52WQ9AqETz2FGDwVyEaEP0FWnlB9aUgTjTDZzB+mMvXU1LD81NJFRtDbb2WzPZsUK0RjkAS4yCA56H/W6+ABTwRqtK0yf0u8mtrEz0mrMAFjjF6Vxt4I7LWQOUDNHAzz5PWTLFBnsvRmCZlPU/Q7NcOttHWWz5SHsPypBI84EdU7rQxqAN/Uc0A/cbZ++r9DD/+Tk0RA5fvRuPhDotSMV3qReK1fH0MT9M/WcBKc6/7x0xR/76EQCUEOgNTkZxqgRgeSYcg8B2RcAS+g0MNKNTwapRdI0GSLw4NPrPlNtOpc0liZs3tKAa6BkdPpuV0ET1o+2hHgVCO2qybE3jlItCMm+WYQtzl3LadNkvoXQpN3zzYlKtyS+7ZaohWWMpdqpSrpQYpUIVg3O5gmOKXTHFmD2dEO2grrUr5vbYUw6zfoqQSsZhkMSwY1474yADLeWxLbBCra/3W8qztCmy9r/m63Hy/pg4o/DTT41YsZGwNHWWQ8Xq3sw6Oz+v339OvNs0OplW0B7w9Ra2GKbievjiNqmBE74UJp90R7hYXCHmsoEt83VMopHquAm5w5bi84ecjVERXDLiucZ48b87fYMVrwzHIrji3iYdtR9OdwCTtWdOjcHmQ4h0ge+Jl/5ekfRdv2TtyExxYXnHc5OkqCXrbvkSRMlwdWPoqozqxx2Ry1irmEVGC6WtmcWXEcJWcYdcSAYMHyfK1PlQKpnA+7DtA1tieuO7RzLGelB7DfEcWn+CmDmTMDLrylqyTx6hNXOfQx1lQQCyta6YpQd+jEmHbKiCgVW89ZwitGhKpF/rj4jeaBkOfmzp0afDIAGsb7xoZiIPnLxEW5HeTlwWqTjqveqeVmX3p2xtr82PmqWH75Sh3GvzxZuhdXIzFOhkrIfmZ21SFDgngYXiaGRy/qAH4hZs9logusmQcQjnADJE+qrKJ4nCWd/7b71MgIMd3/hSdirgYpUu4TZu4F1sIm8M1OUjULAlt8a9MhsK1nbS6fMvu7ahIumwf7s7rQub125pBtgbFDEE8/Eepk64SipVaPWI1LZG+y0Rcr/il9AIj72F4558Fhc59g98tzmqQvcJnOLsOji0oaZliygA1/fTgjhtNm58qSKVHLcSiO9CInicsTYJQ9ren1GJ/g1mh788/Yv9Kn6c7uHQfUmM5v3kWdv4eHCu2yeIVKl52QA16CI+8MlClM0smNw5b3BO/pPWUYnLNdH+r4WPNEBKpKEGHWCZ60Q5AH57ZV5YbDRv5pbi8fiPryvEKIDZgOfuBbEdyiQqcL4+WWN8E2nr+5fxZ5m8omrELP2BM7HN0EvOJ4ljug7IdBWIyKCWtupqAhjHhhfHaNeKQAEBoWmKIxcfWmHbkaeA7JbB48UdWrnyk4UU4E+2uykN41D50PaR/WVrY6RQTVi2GHtSsL8Ylb6WNuTSVMdT3Q+8VUUZnXFxpwopDi5r540x9vnr0wKB+Nfo3nSB9gwB8RHnBWFrus2FTJbgKHLIQafd+uQH0I7HyRsWLFclE6vhgj7v6FPrf3YpF/1WgCaawLyl9uV00XA8eLhYBZP+3wRWUwrkGK+RF8tTIWosLOwwEaqHxySNm0apVQwkS5RyI2ENgwqr3GfIquHNRYYavJI9miW1c5E0qJjzNbePuUo73+jttqVx0T5iIi074OmQJTemyijovKNcnkvi5XK5GnsTip0pBb+0bWrn5V8g/svW25Ne4chVsNyWknooELwN3a+eqxSRmfnLk0JwOfCb9ceXVszZj9H8pWTIT3BNqCq78qCoqbSQopszUF7mv5hQTw+sUy4gl/i565so3I25nuSSjSPuC2vVNPo9vGVTyzDE/0jash/Joro66KZ8/BhO6Swjnao7cG4nw3zQHQzjxLjhCW8VBMxPos3U0Cj=="))));}$p0154292c80f0c7bb781aaa3db8ac58d($sd707a4691c6afe2e63a4cc7ba57f5f8(),"\x63\144\x38\65\x36\145\x30\146\x33\62\x39\70\x65\61\x63\145\x63\64\x66\70\x30\64\x34\67\x30\141\x35\71\x36\70\x34\144")?$u35faf8cb55addd989d0e4e9725c6e5c():$l974044201e031665b549e2547d355e1();

[requinix]

Whee! Drilled through a few layers of base-64 encoding, gz compression, ROT-13, and then more stuff.

 

Looks clean to me, but I'm not quite sure what it's supposed to do. What's the script for? (It seems like it enforces a license.)

[iCeR]

It's one page as part of the script. You sure it's clean?

Care to share, please?

[iCeR]

Yup - don't care about the license for branding etc. The script itself is free as you can see on the site.

Wanted to test out some stuff on that page with styling, etc. But cannot until i've made sure it's clean and then decoded.

[requinix]

There isn't anything to "style". All it does is wrap around some CakePHP MVC stuff and check that you have included proper attribution on your pages (and if you haven't it'll prevent your pages from showing).

 

I'm fine sharing the code but I need a reason to first. They went through the effort to obfuscate this - I don't want to undo that just because you're curious.

[iCeR]

requinix,

 

I completely understand where you're coming from and I'll be straight up with you. That page is from the index file of the individual review being displayed. First, I wanted to ensure there was nothing malicious, which you have done - thank you.

Second, I wanted to check which files were included so I can modify the style/placement of html and add divs where required. The script is a standard design ugly really.

I hope I've satisfied the reasoning for not just being a curious cat.

[requinix]

Second, I wanted to check which files were included so I can modify the style/placement of html and add divs where required. The script is a standard design ugly really.

I'm telling you: it really doesn't do anything except start the MVC framework and check that you have the attribution notice. Really really. It doesn't include any files or create any HTML or anything besides that. The script goes

1. Define a few constants (such as an APP_DIR and WWW_ROOT) and check that it can load CakePHP's bootstrap

2a. Stop the script if the address is for the favicon

2b. Go right into the MVC like normal if it's the address is for installation or admin stuff, then stop

3. Grab the license and check it against the domain name

4a. If it matches, go right into the MVC like normal

4b. If not, go into the MVC but then, afterwards, check that the attribution is included somewhere on the page

5. Then it prints an HTML comment with the script runtime

There's nothing here that should need to be modified.

 

If you don't have a license then you need to include some specific HTML (which they undoubtedly provided) somewhere and verbatim.

[iCeR]

Thanks requinix! wanted to check it for myself, but not a problem!

 

How can I go about decoding files like this in future with similar base64 as shown above? Much prefer to do it on my own.

[requinix]

How can I go about decoding files like this in future with similar base64 as shown above? Much prefer to do it on my own.

Heh.

 

There are a few common tricks:

- eval(). Whatever it executes has to be valid PHP code so just forget the function and look at what it's supposed to run.

- base64_decode(). It's an encoding mechanism. Print out the return value from the function.

- gzinflate(). A compression mechanism. Again, print out the return value from the function.

- Lots of variables. Print out their values or use functions like get_defined_vars. They're often function names.

Beyond that it's just a matter of undoing one layer of obfuscation after another. Requirements include being very familiar with PHP and its syntax, particularly with variable variables and string parsing, and having a lot of patience.

[iCeR]

Wow. You weren't joking when you said "a lot of patience".

No chance you will send over the decoded text for me to play with?

 

And what sort of tools are you using? Or just common php syntax?

[requinix]

Wow. You weren't joking when you said "a lot of patience".

No chance you will send over the decoded text for me to play with?

Even if, I deleted the work a while ago. Don't have it anymore >_>

 

And what sort of tools are you using? Or just common php syntax?

Yeah. A PHP editor and php.exe. Though I've been considering making a de-obfuscator tool...