Either he noticed effects of running the exploit (lic.log file?) or just downloaded the zip to read the code (I do this when some project's VCS doesn't have a 'browse source' component or its web component has no decent syntax highlighting), noticed base64 encoded chunks and got curious. I'd get curious for sure.
All this is really simple and not the real question, which instead is: where were checksums and why not in a safe place?