Sick of those multi-layered base 64 encoded PHP files?

Discussion in 'PHP' started by TwistMyArm, Jul 5, 2007.

  1. #1
    You know the scripts I'm talking about. You open them up and all they have is one line of PHP that begins "eval(gzinflate(base64_decode(". You change the eval to a print and try again and it turns out that it's being encoded again and again... where will it end?

    Well, I wrote some code to deal with those scripts. Now, firstly, be aware that this will only reverse scripts that do straight evals on code (in theory it shouldn't matter what forms of 'encoding' they have used or in what order... so long as each 'layer' just does a straight eval call on it). Also be aware that you should test running the encoded script first. I don't want anyone complaining that my script deleted files when all it did was eval a specific piece of code.

    Anyway, so here's the deal. You take the file and place the following code before the eval call:

    
    $counter = 0;
    // Drop-in replacement for eval(): evaluates only the argument expression
    // (the decoder chain), then looks at the decoded source. If that source
    // is itself another eval() call, it repeats; otherwise it prints the
    // decoded source instead of running it.
    function evali( $string ) {
        global $counter;

        $string = trim( $string );
        if ( preg_match( '/^eval\s*\(/im', $string ) ) {
            $counter++;
            $inner = array();
            // Capture the argument of eval(...), e.g. gzinflate(base64_decode('...'))
            preg_match_all( '/^eval\s*\((.*)\)\s*;/im', $string, $inner, PREG_PATTERN_ORDER );
            if ( empty( $inner[1] ) ) {
                // eval() is present but not in the "eval( ... );" shape we can unwrap
                print 'Stopped at layer ' . $counter . ": unrecognised eval() form\n";
                print $string;
                return;
            }
            // This is still an eval of the decoder expression, so that expression
            // itself must be harmless (see the caveat above)
            eval( '$string = ' . trim( $inner[1][0] ) . ';' );
            evali( $string );
        } else {
            print 'After only ' . $counter . ' loops, we ended up with...';
            print "\n";
            print $string;
        }
    }
    
    Then, change the eval function call to evali, instead. Now, run the code through your favourite PHP parser / web server. If you're running it through a web server you will need to view the page source as it doesn't do any <pre> type formatting. In fact, it really shouldn't even print out that counter information, but I found it interesting.

    Anyway, would like to hear what you think...
     
    TwistMyArm, Jul 5, 2007
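The evali() approach above still hands the decoder expression to eval(), so it executes whatever the packer put inside the parentheses. As an added example that is not TwistMyArm's code, the following script peels the same kind of nested eval(...) layers statically: it parses the call chain with regular expressions and applies only a whitelist of side-effect-free decoding functions, refusing anything else. The function names peelLayer() and unwrap(), the SAFE_DECODERS list, and the three-layer sample payload are all constructed for this example and are not from the thread.

```php
<?php
// Added example (not TwistMyArm's code): unwrap nested eval(decoder(...))
// layers statically. Only the pure decoding functions listed below are
// applied, so a layer whose argument does anything else stops the loop
// instead of being executed.

// Decoders commonly seen in packed PHP. They have no side effects, so
// applying them to attacker-controlled data is safe. Anything else
// (assert, system, include, eval, ...) is refused.
const SAFE_DECODERS = [
    'base64_decode', 'gzinflate', 'gzuncompress', 'gzdecode',
    'str_rot13', 'strrev', 'urldecode', 'hex2bin',
];

/**
 * If $src is a single statement of the form
 *   eval(f1(f2(...('literal')...)));
 * return the decoded inner source; otherwise return null.
 */
function peelLayer(string $src): ?string
{
    $src = trim($src);
    // Some packers leave the PHP tags inside the decoded layer.
    $src = trim(preg_replace('/^<\?php\b|\?>$/i', '', $src));

    if (!preg_match('/^eval\s*\((.*)\)\s*;?$/s', $src, $m)) {
        return null;                           // not a bare eval() statement
    }
    $expr = trim($m[1]);

    // Peel the call chain from the outside in: gzinflate(base64_decode('..'))
    // becomes ['gzinflate', 'base64_decode'] plus the literal.
    $chain = [];
    while (preg_match('/^([A-Za-z0-9_]+)\s*\((.*)\)$/s', $expr, $f)) {
        $chain[] = strtolower($f[1]);
        $expr = trim($f[2]);
    }

    // What is left must be one quoted string literal.
    if (!preg_match('/^([\'"])(.*)\1$/s', $expr, $lit)) {
        return null;                           // variables, concatenation, etc.
    }
    // Undo PHP's own escaping (double-quoted $var interpolation is not handled).
    $data = $lit[1] === "'"
        ? str_replace(["\\'", '\\\\'], ["'", '\\'], $lit[2])
        : stripcslashes($lit[2]);

    // Refuse the whole layer before applying anything if any call is not a decoder.
    foreach ($chain as $fn) {
        if (!in_array($fn, SAFE_DECODERS, true)) {
            fwrite(STDERR, "refusing to run non-decoder function: $fn()\n");
            return null;
        }
    }
    // Apply the decoders innermost first.
    foreach (array_reverse($chain) as $fn) {
        $data = @$fn($data);
        if ($data === false) {
            return null;                       // decoder rejected its input
        }
    }
    return $data;
}

/** Peel layers until one is not a plain eval(); return [source, layer count]. */
function unwrap(string $src): array
{
    $layers = 0;
    while (($next = peelLayer($src)) !== null) {
        $src = $next;
        $layers++;
    }
    return [$src, $layers];
}

// Constructed sample: a harmless payload wrapped three times, the way the
// thread's "eval(gzinflate(base64_decode(" scripts are built.
$inner  = "echo 'hello from the innermost layer';";
$layer1 = "eval(gzinflate(base64_decode('" . base64_encode(gzdeflate($inner)) . "')));";
$layer2 = "eval(str_rot13(base64_decode('" . base64_encode(str_rot13($layer1)) . "')));";
$layer3 = "<?php eval(base64_decode('" . base64_encode($layer2) . "')); ?>";

// Constructed sample of a layer that does more than decode: it is reported
// on stderr and left unexecuted rather than unwrapped.
$bad = "eval(system(base64_decode('aWQ=')));";

[$plain, $n] = unwrap($layer3);
echo "Unwrapped $n layers:\n$plain\n";
[$stopped, $k] = unwrap($bad);
echo "Stopped after $k layers, left with:\n$stopped\n";
```

Run it from the command line (php unwrap.php) rather than through a web server, so nothing that is printed is rendered as HTML. The whitelist check runs over the whole chain before any decoder is applied, so a packer that hides system() or assert() in the middle of the chain never gets partial processing, and anything the parser does not recognise (a variable, string concatenation, a second statement) simply ends the loop with the last recovered layer in hand.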
  2. FFMG
    #2
    Thanks

    FFMG
     
    FFMG, Jul 6, 2007