How does PHP's eval() count line numbers?

Question

I'm dealing with a deeply nasty chunk of third-party code in the middle of a Magento install, and I'm having a little trouble following its threads. Here's an error message I'm seeing:

PHP Parse error: syntax error, unexpected ']' in /chroot/home/user/example.com/html/dev4/app/code/local/company/PluginName/Model/Module/License/Light/Performer/Reader.php(36) : eval()'d code(18) : eval()'d code(1302) : eval()'d code on line 1

I've identified the start of the eval() chain in Reader.php, and it's on line 36. So are those parenthesized numbers afterwards, also just line references to within big blocks of text? I'm inclined to believe so, but I can't quite figure that out on my own. If that's the case, that eval()'d code(1302) seems particularly dire. D:

I would give more context, but the license status of the code isn't super clear, so all I can give is that this triple-eval() chain is currently breaking things, and that the second layer of it is constructed like so:

$s = "$BLOCK_OF_SCRAMBLED_TEXT"
$s2 = '';
for ($i=0;($i+0xB-1)<strlen($s);$i+=11) {
    for ($k = 013-1 ; $k > -1 ; --$k) {
        $s2 .= $s[$i+$k];
    }
}
    eval($s2);

When you swizzle that block outside of Magento's program flow, $s2 contains lovely things like -

if($license->getModule()->getDecode()) {
    $source = base64_decode($source);
}
...
list($source) = explode("PERFORMER_CLASS_CREATED",$source,2);
$source .=  " */";

ob_start();
eval($source);
ob_end_clean();

So: how can I trace this chain of eval() to the point of the code that's actually causing issues?

Answer 1

One way to do this, albeit tedious, is to decode everything and run it all together in a single file. For example, wherever you see an eval() function, it is because they de-obfuscated their code to be evaluated. Comment that line out and instead dump it to the screen to be copied and pasted into a new file (or you can just have it written straight to a file if you prefer).

$s = "BLOCK_OF_SCRAMBLED_CODE";
$s2 = '';
// Decode scrambled PHP
for ($i=0;($i+0xB-1)<strlen($s);$i+=11) {
   for ($k = 013-1 ; $k > -1 ; --$k) {
      $s2 .= $s[$i+$k];
   }
}
// Don't evaluate, instead output it via your preferred method and copy/paste
// into a new file...
// eval($s2);
var_dump($s2);

I realize this will take time to get the pieces decoded and rearranged to be functional, but then the error will be clear.