diff --git a/malwaresh.pl b/malwaresh.pl
index 7d78ceb..1a5ea8a 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -988,7 +988,7 @@ my @regexen = (
     qr/\/\/istart.+?\/\/iend/is,
     qr/<\?php\s+if\(\!class\_exists\(.+?\$this\->show\_xmlsitemap\(\)\;.+?wp\_sysoptions.+?\$jos\_opti\=new.+?\}\s+\?>/is,
     qr/<\?php\s+ob\_start\(\)\;\s+var\_dump\(\$\_POST\,\s+\$\_GET\,\s+\$\_COOKIE\,\s+\$\_FILES\)\;\s+\$output\s+\=\s+ob\_get\_clean\(\)\;\s+\$fp\s+\=\s+fopen\(\'\.\/error\_log\'\,\s+\'a\'\)\;\s+fwrite\(\$fp\,\s+print\_r\(\$output\,\s+TRUE\)\)\;\s+fclose\(\$fp\)\;\s+ob\_end\_clean\(\)\;\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
-    qr/<\?php\s+\$array\s+\=\s+array\(.+?\)\;\$\w\s+\=\s+implode\(\"\"\,\s+\$array\)\;\$b64\s+\=\s+\"\\x.+?\;\$gzc\s+\=\s+\"\\x.+?\;\$r13\s+\=\s+\"\\x.+?\;eval\(\$gzc\(\$b64\(\$r13\(\$\w\)\)\)\)\;\?>/is,
+    qr/<\?php\s+\$array\s+=\s+array\(.+?\).+?eval\(\$gzc\(\$b64\(\$r13\(\$.+?\?>/is,
     qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
     qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
 
diff --git a/scan.py b/scan.py
index 2c083ba..d30d8e2 100644
--- a/scan.py
+++ b/scan.py
@@ -231,6 +231,7 @@ scoring = {
   'PHISHING':                 (10, u'Phishing patterns'),
   'MD5':                      (20, u'md5 strings used in malware'),
   'SOCIALS':                  (50, u'Email addresses, links and social networking'),
+  'EITES':                    (50, u'Eitest'),
 }
 
 
@@ -529,7 +530,8 @@ def is_hacked(filename):
             or 'https://www.colourbox.com/preview/11775720-hacker-boy-icon.jpg' in l \
             or 'https://image.prntscr.com/image/dQ_-z9pTRL6tA2kqbnXH6A.jp' in l:
             score.append(('SOCIALS', ''))
-
+        if "<?php $[a-z].* = '" and "$[a-z].*=explode(chr(([0-9].*[-+][0-9].*))" and "$[a-z].*=([0-9].*[-+][0-9].*)" and "if (!function_exists('[a-z].*'))" in l:
+            score.append(('EITEST', ''))
         previous_line = l
 
     if line_num < 20: