Bypassing Webshell Detection with Branch‑Based Obfuscation and Puzzle Logic
This article explains how a PHP webshell can evade antivirus and sandbox detection by embedding a branch‑based puzzle (InazumaPuzzle) that manipulates block states, combines it with a PerlinNoise class to construct a hidden system() call, and demonstrates the step‑by‑step execution using the input sequence ABBCCD.
The author presents a technique for building a PHP webshell that is hard for security products to detect. The core idea is to gate the dangerous code behind a puzzle inspired by the Electro cube puzzles of the Inazuma region in Genshin Impact. The InazumaPuzzle class defines four blocks (A to D), each holding a state from 0 to 2. The setBackBlock() method tries to reset a block to the minimum state: it succeeds, and returns true, only when the block is already at the maximum state (2); otherwise the state is left unchanged and false is returned. The hit() method takes a block identifier, calls setBackBlock() on the target block and on each block linked to it, and increments by 1 every block whose reset failed. The trace below implies a linear A-B-C-D linkage (hitting a block also hits its neighbours in the chain) and an initial state of A=2, B=0, C=0, D=2.
The article walks through the exact effect of the input string ABBCCD on the block states:
Step 1 (A): blockA resets to 0, blockB increments to 1 → A=0, B=1, C=0, D=2
Step 2 (B): blockA → 1, blockB → 2, blockC → 1 → A=1, B=2, C=1, D=2
Step 3 (B): blockA → 2, blockB resets to 0, blockC → 2 → A=2, B=0, C=2, D=2
Step 4 (C): blockB → 1, blockC resets to 0, blockD resets to 0 → A=2, B=1, C=0, D=0
Step 5 (C): blockB → 2, blockC → 1, blockD → 1 → A=2, B=2, C=1, D=1
Step 6 (D): blockC → 2, blockD → 2 → A=2, B=2, C=2, D=2
When all four blocks hold the same value, getLockerStatus() returns true and the puzzle counts as solved. This is the evasion mechanism: the code path that ends in a command execution is only reached for this exact input sequence, so a scanner or sandbox that runs the script without supplying it never observes the dangerous behaviour.
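The following is an added example, not code from the article: a Python emulation of the puzzle as the article describes it, which is what an analyst would write to confirm that ABBCCD unlocks it and to recover the unlock sequence for a sample that does not ship one. The neighbour map and the initial state are assumptions reconstructed from the six-step trace above; the solver goes beyond the article by searching the whole 3^4 state space for a shortest solution.

```python
from collections import deque

MIN_STATE, MAX_STATE = 0, 2

# Assumption: a linear chain, so hitting a block also hits its neighbours.
# This is the only linkage consistent with the ABBCCD trace in the article.
LINKS = {"A": ["B"], "B": ["A", "C"], "C": ["B", "D"], "D": ["C"]}

# Assumption: the initial state that makes step 1 of the trace hold.
INITIAL = {"A": 2, "B": 0, "C": 0, "D": 2}


class InazumaPuzzle:
    def __init__(self, state=None):
        self.state = dict(state or INITIAL)

    def set_back_block(self, name):
        """Reset succeeds only when the block sits at the maximum state."""
        if self.state[name] == MAX_STATE:
            self.state[name] = MIN_STATE
            return True
        return False

    def hit(self, name):
        """Hit the target and its linked blocks; increment each failed reset."""
        for target in [name] + LINKS[name]:
            if not self.set_back_block(target):
                self.state[target] += 1

    def get_locker_status(self):
        return len(set(self.state.values())) == 1

    def userans(self):
        """The value the webshell later uses to slice its noise array."""
        return sum(self.state.values())


def trace(sequence, state=None):
    """Apply a hit sequence and return the puzzle plus the state after each hit."""
    puzzle = InazumaPuzzle(state)
    steps = []
    for block in sequence:
        puzzle.hit(block)
        steps.append(dict(puzzle.state))
    return puzzle, steps


def solve(start=INITIAL, max_depth=8):
    """Breadth-first search for a shortest hit sequence that unlocks the puzzle."""
    key = lambda s: tuple(s[k] for k in "ABCD")
    seen = {key(start): ""}
    queue = deque([key(start)])
    while queue:
        current = queue.popleft()
        if len(set(current)) == 1:
            return seen[current]
        if len(seen[current]) >= max_depth:
            continue
        for block in "ABCD":
            puzzle = InazumaPuzzle(dict(zip("ABCD", current)))
            puzzle.hit(block)
            nxt = key(puzzle.state)
            if nxt not in seen:
                seen[nxt] = seen[current] + block
                queue.append(nxt)
    return None


if __name__ == "__main__":
    puzzle, steps = trace("ABBCCD")
    for i, s in enumerate(steps, 1):
        print(f"Step {i}: {s}")
    print("unlocked:", puzzle.get_locker_status(), "userans:", puzzle.userans())
    print("shortest solution found by BFS:", solve())
```

Running the block reproduces the six states listed above and reports userans = 8 for the solved state. The search is cheap (81 states), which is the practical point: a gate like this is only as strong as the attacker's assumption that nobody will emulate it, so pulling the class into a harness and enumerating inputs is the fastest way to reach the hidden branch during triage.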
To turn the solved puzzle into a functional webshell, the author combines it with a PerlinNoise class. This class generates a large numeric array (perlin_noise) from configurable parameters. By controlling the $userans value (the sum of the four block states, 8 once the puzzle is solved) and using it to slice perlin_noise, the script extracts a run of numbers that, read as ASCII codes, spell the tail of the function name ("ystem"). Prefixed with the request variable $b (set to "s") this yields the string system, which is then invoked as a dynamic function call with the user-supplied command ($pcs), e.g. whoami. At no point does the literal token system appear in the file, which is what defeats signature matching.
The complete payload is delivered in a single POST request with parameters wpstring=ABBCCD, b=s, and pcs=whoami. The article includes screenshots showing that the resulting file passed several commercial antivirus engines and cloud sandboxes at the time of writing, which the author takes as confirmation that the branch-based obfuscation works. The caveat a defender should note is that the evasion is static and sandbox-side only: at runtime the script still builds a callable from request data and passes a second request parameter to it, so PHP-level controls (disable_functions, open_basedir, runtime hooks on exec-family calls) and command-line auditing on the host are unaffected by the puzzle.
Finally, the author advises adding irrelevant code, comments, and dummy variables to further confuse static analysis tools, arguing that complexity and unreadability raise the chances of evading detection.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
