PHP How can I decode multiple layers of encoded php code?

  • Thread starter: AliGh
  • Tags: File, Php
AI Thread Summary
The discussion revolves around decoding multiple layers of encoded PHP code, specifically using the commands eval(gzinflate(base64_decode())). The user is attempting to create a PHP script that repeatedly decodes the code until the final output is achieved, but they encounter issues with their implementation. Key concerns include the potential execution of arbitrary code, which could be malware, and the challenges of correctly identifying and replacing encoded segments. The user struggles with logical errors in their while loop and the use of strpos, leading to undefined variables and incorrect evaluations. Ultimately, while they find a partial solution, they acknowledge that their approach is not optimal and express a desire for a more effective method.
AliGh
My cousin gave me this file

The command eval(gzinflate(base64_decode())); decodes the entered code and runs it as PHP code.
The problem is that it's not the only decoding command; there are several of these commands in the code.
I used this command for the code, put the result in a variable and saved whatever is in the variable into a .txt file (couldn't show it in the browser page because it's PHP code; it will execute instead of appearing).
Now does anyone know how to write code in PHP that decodes this several times until it gets the final code?
 

AliGh said:
The command eval(gzinflate(base64_decode())); decodes the entered code and runs it as PHP code.
It also means you will run arbitrary code sent by someone - including potential malware. Don't do the eval().

What do you mean with "decode this several times"? It is possible to send the result of base64-encoding through the same algorithm again, but this is quite pointless. It can be reverted by applying the decode function again on the result as often as necessary. The same applies to gzdeflate and gzinflate.
 
mfb said:
It also means you will run arbitrary code sent by someone - including potential malware. Don't do the eval().

What do you mean with "decode this several times"? It is possible to send the result of base64-encoding through the same algorithm again, but this is quite pointless. It can be reverted by applying the decode function again on the result as often as necessary. The same applies to gzdeflate and gzinflate.
I have tried removing eval and doing this before, but the problem is that it gives some weird Chinese or Japanese letters.
It's not malware, it's a shell I think.
When I decode it there is another <?php eval(gzinflate(base64_decode("blah blah blah"))); ?> inside.
While running on a server it will continue decoding until the main code is executed. How can I stop it there?
 
Remove the eval, make a loop that applies the gzinflate and base64_decode as often as you like and removes those characters from the decoded string (so only the things in " " get decoded), print each result and check which one has some readable code.
 
I did it about 14 times still needs to decode
I wrote a program to do it but it seems it doesn't work
$thecode=gzinflate(base64_decode('blah blah blah'));
$time=0;
while ($time=0){
$exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
$exists2 = strpos($thecode, "')));?><?");
if ($exists1=== true and $exists2 === true){
str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
str_replace("')));?><?","",$thecode);
$decodedtext = gzinflate(base64_decode($thecode));}
else {$time=1;}
}
$myfile = fopen("text/textfile.txt",w);
fwrite($myfile, $decodedtext);
fclose($myfile);

it just jumps to $myfile's line
 
AliGh said:
while ($time=0){
That will set $time to 0 and get always evaluated as true.
strpos returns an integer or false, but never true.
 
mfb said:
That will set $time to 0 and get always evaluated as true.
strpos returns an integer or false, but never true.
There is "else {$time=1}" at the end of while loop
I edited my code still jumps to $myfile with only one time passing the while loop
$time=0;
while ($time=0){
$exists1 = strpos($thecode, "?><?phpeval(gzinflate(base64_decode('");
$exists2 = strpos($thecode, "')));?><?");
if ($exists1 == 1 and $exists2 == 1){
str_replace("?><?phpeval(gzinflate(base64_decode('","",$thecode);
str_replace("')));?><?","",$thecode);
$decodedtext = gzinflate(base64_decode($thecode));}
else {$time=1;}
}
$myfile = fopen("text/textfile.txt",w);
fwrite($myfile, $decodedtext);
fclose($myfile);

errors : Notice: Use of undefined constant w - assumed 'w' in C:\wamp\www\autodecode.php on line 15
Notice: Undefined variable: decodedtext in C:\wamp\www\autodecode.php on line 16
 
AliGh said:
There is "else {$time=1}" at the end of while loop
Which does not do anything as it gets overwritten again with the while condition.
I don't think you want to check if strpos returns 1.
 
mfb said:
Which does not do anything as it gets overwritten again with the while condition.
I don't think you want to check if strpos returns 1.
Sorry, I am a beginner...
Checked and it returns nothing. The problem is the command: in smaller scales it returns a value but here it returns nothing. The code is a 12 kb text file.
 
  • #10
At last finished.
Using this code: substr($decodedtext, 39, -10);
It doesn't decode all of these kinds of codes automatically, but if you give it the exact numbers it will...
However it's not the proper way to do it... It would be better to use str_replace, but whatever I did, that code didn't work.
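
The loop mfb describes, with the quoted payload located by pattern rather than by fixed offsets such as substr(..., 39, -10), as an added example that is not part of the thread. It is written in Python instead of PHP so the sample is only ever treated as text and never reaches a PHP interpreter; the names `peel`, `wrap`, `MAX_LAYERS` and `MAX_OUTPUT` and the two limits are assumptions of this example.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode('...'))) with optional whitespace, either quote style.
WRAPPER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1""",
    re.IGNORECASE,
)
MAX_LAYERS = 100               # assumed cap: stop on absurdly deep nesting
MAX_OUTPUT = 10 * 1024 * 1024  # assumed cap: blunt decompression bombs


def gzinflate(data, limit=MAX_OUTPUT):
    """Equivalent of PHP gzinflate(): raw DEFLATE, i.e. zlib with wbits=-15."""
    d = zlib.decompressobj(-15)
    out = d.decompress(data, limit)
    if d.unconsumed_tail:
        raise ValueError("layer exceeds output cap")
    return out


def peel(source):
    """Return every layer as text, outermost first; nothing is ever executed."""
    layers = [source]
    while len(layers) <= MAX_LAYERS:
        m = WRAPPER.search(layers[-1])
        if m is None:
            break  # no wrapper left: layers[-1] is the innermost code
        # The decoded payload replaces the whole layer, as in the thread's file,
        # where each layer is nothing but the next wrapper.
        payload = base64.b64decode(m.group(2))
        layers.append(gzinflate(payload).decode("utf-8", errors="replace"))
    return layers


def wrap(code, times):
    """Build a constructed, harmless sample with `times` layers for testing."""
    for _ in range(times):
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        blob = base64.b64encode(c.compress(code.encode()) + c.flush()).decode()
        code = "?><?php eval(gzinflate(base64_decode('%s'))); ?><?" % blob
    return code


if __name__ == "__main__":
    layers = peel(wrap("<?php echo 'hello'; ?>", 14))  # constructed sample
    print(len(layers) - 1, "layers removed")
    print(layers[-1])
```

Writing each entry of the returned list to its own text file gives the "print each result and check which one has some readable code" step without rendering anything in a browser.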
 