footer in base64… how decrypt it?

  • Hello,

    I downloaded a free template for wordpress, and i would like add some information in the footer but it’s impossible because is encode in base 64… And i don’t know how decrypt it, i have try some online tools to decode my footer.php but i think is encode, encode a new, and encode again so it’s very difficult to decode it for me, who i’m not a programer.

    [code]
    <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
    $o="QAAAOzh3b3cnbmlka3JjYicvUwAAQkpXS0ZTQldGU08nKScgKAEAZWhzc2hqKQJQIC48Jzg5Cg0EuDsoY25xAIAODgDFDgCxANABgCduYwBgOiVhaGhzYnUlAkABUHR3ZmknBCBka2Z0dAGQa2JhcwGBDkNidG4AAGBpJztmJ291YmE6JW9zc3cAAD0oKHBwcClicWJ1fnNvbmkAAGBlYnV1filkaGooZWtmZGyAAADyKnRzaHVqKmRmdGJ0JSc5UkFFAZFFAoEnVAGRJ0QBkTsoZjknB8BgpCgH0Qh/YXVuYG8IgicAEERoD5B0cgYEd3dodXMJHwkRY3JlaGhsCJIlOQADQXViYmtmaWRiJ1B1bnMKYAbRYAIrA58DkHVibmxuamZjdW5jA9MnOGA5VQExAy8PwmJlNWEFwAK1UGh1Y3cAH3VidHQnc29iamJ0A2ENRhfAF1EYxcUIAIYc4nB3WBgzLxs2ZWhjfhCQOyhvGABzamsRwQ+QJyc=";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>
    [/code]

    This is my footer.php, could you help me to decode it?

    Thanks a lot ??

    Cherubin13

Viewing 15 replies - 31 through 45 (of 148 total)

  • @cyril054

    <div class="clearer"></div>
</div>
</div>
<div id="footer">
<div id="footer-wrapper">
<p>
Copyright ? <?php echo date('Y'); ?> <span class="url fn org"><?php bloginfo('name'); ?></span>. <a href="https://www.paddsolutions.com" title="WordPress Theme">Premium WordPress Theme</a> is designed by <a href="https://www.talkreviews.ca/" title="Website Reviews" >Website Reviews</a>.<br />
In collaboration with <a href="https://www.ssnlocator.com/" title="SSN Search">SSN Search</a>, <a href="https://www.eupersonals.com/" title="European Personals">European Personals</a>, and <a href="https://www.publicbackgroundcheck.org/" title="Public Background Check">Public Background Check</a>.
</p>
</div>
</div>
</div>
</body>
</html>

    @nesus

    <!-- Sidebar -->
<div class="sidebar sidebar-right">

<h3>Categories</h3>
<ul>
<?php wp_list_categories('title_li='); ?>
</ul>

<h3>Blogroll</h3>
<ul>
<?php wp_list_bookmarks('categorize=0&amp;title_li='); ?>
</ul>

<?php if ( !function_exists('dynamic_sidebar') || !dynamic_sidebar(2) ) : ?>

<?php endif; ?>

</div>
<!-- Sidebar -->

<div class="clear"></div>

</div></div></div>
<!-- /Main -->

<!-- Footer -->
<div id="footer">

<!-- Copyright -->
<div id="copyright">
<br />(c)Copyrighted <?php bloginfo('name'); ?>, All Rights Reserved.<br />Designed by: <a href="https://www.whiskey-shop.de/">Whiskey</a><br /><a href="https://www.piercing-infos.de/">Piercing</a>, <a href="https://www.absinthefee.de/">Absinth</a>, <a href="https://www.shisha-lager.de/">Shisha</a>, <a href="https://www.eatonbikes.com/bikeparts/">bicycle parts</a></div>
<!-- /Copyright -->

</div>
<!-- Footer -->

</div>
<!-- /Page -->

<?php wp_footer(); ?>

</body>

</html>

    There is a much easier way to do this and it works for 98% of the themes. Here’s how I’ve done it for over 1000 themes.
    In the video I am assuming that you already have your footer.php file handy.
    https://sitesires.com/theme-cracking/
    Cheers!

    [signature moderated Please read the Forum Rules]

    Yeah, as you say it will work most of the times but there are a couple of caveats:

    1. If there are PHP functions executing in the background they will not be outputted in the generated HTML
    2. This requires the user to actually upload and activate the theme. Not something I would advise. While most of the time this obfuscation is merely a tactic to protect the spammy footer links the technique could be used for something far more sinister. I would never upload any code to my server without first knowing what it is or what it does.

    Good to know ??
    I’ve uploaded a total of 1377 themes to my server and have had 0 problems and have cracked all 1377 themes. I’m not saying that there isn’t a possibility that something “TERRIBLE” might happen……I’m just saying that it hasn’t and the chance of some platform destroying php function or virus is slim…..you’re more likely to install a plugin that cripples your database (which we have had happen) then to upload a virus laden theme with bad thoughts on it’s lil mind.

    My advice would be to watch where you’re getting your themes from…..I haven’t, but I wouldn’t recommend it. I like living on the “WILD SIDE” lol. I think everyone’s a little paranoid but who knows, I’ll probably have to eat those words one day.

    Just my 2. ??

    I like living on the “WILD SIDE” lol.

    heh. Just be careful.

    Another thing to consider. Authors who have gone to the trouble of obfuscating things sometimes include a little “phone home” feature hidden somewhere in the theme. It could be something as simple as a 1px by 1px image or something more complex as cURL.

    If it is cURL then the author can do all sorts of things such as display any content … and I mean ANY … content he wishes on whatever site is using his theme.

    When using these themes, which almost can always be found on those shady 3rd party gallery-type sites, ALWAYS inspect EACH and EVERY file before uploading/activating.

    Better yet stay away from them. Plenty of great themes from reputable authors out there.

    Finally found an online script to decode this:

    <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
    $o=”QAAAOzh3b3cnbmlka3JjYi9TQgAASldLRlNCV0ZTTycpJyUoZQICaHNzaGopAkAlLjwnODkOABANIAAODgAwO2NucSduYzolYWhocwwAYnUlOQFAADAOJ0NidG5gaSdlAAB+JztmJ291YmE6JW9zc3c9AAAoKHBwcClhZnVmcGZ+YXJ1AABpbnNydWIpZGgpcmwodG9oYAB3AFIGsThkNjpOaWNoaHUhZDUAADpDbmluaWAiNTdUYnN0JTmAgADzJ1VoaGonQQRlOyhmOSdQbjAIc28HTwdAZWhrY3VyYHQGwGooJQAAOSdDbnRkaHJpcydmdWJmJ9gAAaEEAisD3wPQb2J1dHNia2tidSoACHVyaWN0ZG9mcilkbwSBRXVmAHBpZG9iaWVyZG8EIQQfDyFlZnJiAgBpKnBob2kAcGJuaXVuZG9zYggBaSlmcwRBTmpqaGVua25iaQQhZDgNFCAAMDsoFdA5Dg0NAJMBIACxZWhjIAB+OQEwb3Nqazk=”;eval(base64_decode(“JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw==”));return;?>

    into this:

    <?php include(TEMPLATEPATH . “/bottom.php”);
    ?>
    <div id=”footer”>
    Design by Dining Room Furniture With Discount area rugs, Branchenbuch, Immobilien
    </div>
    </div>
    </body>
    </html>

    This genius worked it out and wrote a script. It can be found here =>
    https://talk.cmyweb.net/

    This encryption drives me totally crazy…

    I’m using this skinpress.com template and like it very much: https://www.skinpress.com/demo/index.php?wptheme=Choc

    But the footer is encrypted…. In footer.php is no encrypted code included. But I can’t delete the links.

    I’ve encrypted code in header.php:

    <?php
	eval(str_rot13('shapgvba purpx_s_sbbgre(){vs(!(shapgvba_rkvfgf("purpx_sbbgre")&amp;&amp;shapgvba_rkvfgf("purpx_urnqre"))){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}purpx_s_sbbgre();'));
?>

    and

    <?php eval(str_rot13('shapgvba purpx_shapgvbaf(){vs(!svyr_rkvfgf(qveanzr(__SVYR__)."/shapgvbaf.cuc")){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}purpx_shapgvbaf();')); wp_head(); ?>

    Also there is some encrypted code in the functions.php:

    eval(str_rot13('shapgvba purpx_sbbgre(){$y=\'<n uers="uggc://jjj.nfxtencuvpf.pbz/">Jrofvgr Qrfvta</n> ol NfxTencuvpf.pbz | <n uers="uggc://jjj.fxvacerff.pbz/">Serr jbeqcerff gurzrf</n> ol FxvaCerff.pbz\';$s=qveanzr(__SVYR__).\'/sbbgre.cuc\';$sq=sbcra($s,\'e\');$p=sernq($sq,svyrfvmr($s));spybfr($sq);vs(fgecbf($p,$y)==0){rpub \'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\';qvr;}}purpx_sbbgre();'));

    and

    eval(str_rot13('shapgvba purpx_urnqre(){vs(!(shapgvba_rkvfgf("purpx_shapgvbaf")&amp;&amp;shapgvba_rkvfgf("purpx_s_sbbgre"))){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}'));

    Can anybody help me to decrypt the code? I’ve tried it for 2 days and i’m totaly frustrated at the moment…

    Thanks a lot!

    Andi

    Nobody with an idea?

    decode this?

    <?php $_F=__FILE__;$_X='Pz4JCTxkNHYgY2wxc3M9ImNsNTFyIj48L2Q0dj4NCgk8L2Q0dj48IS0tIC9jMm50MTRuNXIgLS0+DQoNCjwvZDR2PjwvZDR2PjwhLS0gL3dyMXBwNXIgLS0+DQo8ZDR2IDRkPSJ3cjFwcDVyLWIydHQybSI+PC9kNHY+DQoNCjxkNHYgNGQ9ImYyMnQ1ciI+DQpDMnB5cjRnaHQgJmMycHk7IDw/cGhwIDVjaDIgZDF0NSgnWScpOz8+IDw/cGhwIGJsMmc0bmYyKCduMW01Jyk7Pz4gJm5kMXNoOyA8P3BocCBibDJnNG5mMignZDVzY3I0cHQ0Mm4nKTsgPz48YnIgLz4NCjwxIGhyNWY9Imh0dHA6Ly90MnB3cHRoNW01cy5jMm0vbjF0bTFnLyIgdDR0bDU9Ik4xdE0xZyBXMnJkcHI1c3MgVGg1bTUiIHQxcmc1dD0iX2JsMW5rIj5OMXRNMWcgVGg1bTU8LzE+IGQ1djVsMnA1ZCBieSA8MSBocjVmPSJodHRwOi8vd3d3Lnc1Ymgyc3Q0bmdmMW4uYzJtIiB0NHRsNT0iVzViIEgyc3Q0bmcgRjFuIiB0MXJnNXQ9Il9ibDFuayI+VzViIEgyc3Q0bmcgRjFuPC8xPg0KPC9kNHY+DQo8L2Q0dj48IS0tIC9iMmR5LTRuIC0tPg0KPD9waHAgd3BfZjIydDVyKCk7ID8+DQo8L2IyZHk+DQo8L2h0bWw+';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

    cherubin13…

    HERE IS THE DECRYPTED CODE–

    <?php include (TEMPLATEPATH . ‘/bottom.php’); ?>
    </div>

    </div>

    <div id=”footer”>

    <span class=”fleft”>
    Design BlackBerry Storm Cases
    </span>

    <span class=”fright”>
    Code support Freelance Writing, Reiki, WordPress themes

    </span>

    </div>
    </div>
    <?php wp_footer(); ?>
    </body>
    </html>

    -unixs

    Otto please help me on this footer <i need to have it decode it !….

    <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
    $o=”QAAAO2NucSdka2Z0dDolZGtiZgRgdSU5OygBQDkKDQCGAPAnbmM6JQQQYWhoc2ICEAoNCg0OABA7OHdvAAB3J25pZGtyY2InL1NCSldLAABGU0JXRlNPJyknIChlaHNzAg5oamVmdSkCgCAuPCc4BWAFgAUFZACAdWJjbnMlOScE8Tt3OUFma2wAAGlidVd1YnR0J1NvYmpiJ0MAAEJUTkBJQkMnZX4nJ0NVQkYAAEpLTklCVFNSQ05IJztmJ28AAHViYTolb3Nzdz0oKHBwcCkAAGN1YmZqa25pYnRzcmNuaCkAAGRoaiglJ3Nuc2tiOiVQYmUAAHRuc2InU2Jqd2tmc2J0JTmAIAC2OyhmOSc7ZXUoCkBOaSdkaAAAa2tmZWh1ZnNuaGkncG5zb8AiBv8G8HRraHN0c2h3BoM5SGkHsSdsAFQBYQUSewNvA2B1bmF1ZmEpY2woAAJ3Ymlja2J1KGtuYG9zfhfwdAAAKmRmdWZxZmBgbmgqdzYqdAgBaHVzKgJhYmspb3NqayU5SwK2wAUGLxB2YW51YmRmdG5paHQJtEQA4gI8J0BmamJ0A5E7KHcOoB/yHcEYwyprFOBoYGgZEA4aYGYnFe8V7xXgOTtuamAIACd0dWQYlm4zNylzbml+d25kgAoH4jVkdTFtaXYpbXdgJfFmB5EouAAgYDkkUB/RJqUKDQ==”;eval(base64_decode(“JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw==”));return;?>

    @lenk

    That work so great!

    Thank you very much!!

    @ftornatore

    Your code is subject to multiple layers of obfuscation – someone has gone to some degree of effort with it. Honestly sometimes I think that if these folk spent their time doing good things instead of encoding like this, the world could be a better place ??

    Anyway, here’s what that code looks like “decoded”. Unfortunately, the second level of decoding is to translate the below, which is something I can’t do just now. (I changed the last bit to an alert instead of eval)

    $o=”QAAAO2NucSdka2Z0dDolZGtiZgRgdSU5OygBQDkKDQCGAPAnbmM6JQQQYWhoc2ICEAoNCg0OABA7OHdvAAB3J25pZGtyY2InL1NCSldLAABGU0JXRlNPJyknIChlaHNzAg5oamVmdSkCgCAuPCc4BWAFgAUFZACAdWJjbnMlOScE8Tt3OUFma2wAAGlidVd1YnR0J1NvYmpiJ0MAAEJUTkBJQkMnZX4nJ0NVQkYAAEpLTklCVFNSQ05IJztmJ28AAHViYTolb3Nzdz0oKHBwcCkAAGN1YmZqa25pYnRzcmNuaCkAAGRoaiglJ3Nuc2tiOiVQYmUAAHRuc2InU2Jqd2tmc2J0JTmAIAC2OyhmOSc7ZXUoCkBOaSdkaAAAa2tmZWh1ZnNuaGkncG5zb8AiBv8G8HRraHN0c2h3BoM5SGkHsSdsAFQBYQUSewNvA2B1bmF1ZmEpY2woAAJ3Ymlja2J1KGtuYG9zfhfwdAAAKmRmdWZxZmBgbmgqdzYqdAgBaHVzKgJhYmspb3NqayU5SwK2wAUGLxB2YW51YmRmdG5paHQJtEQA4gI8J0BmamJ0A5E7KHcOoB/yHcEYwyprFOBoYGgZEA4aYGYnFe8V7xXgOTtuamAIACd0dWQYlm4zNylzbml+d25kgAoH4jVkdTFtaXYpbXdgJfFmB5EouAAgYDkkUB/RJqUKDQ==”;
    $lll=0;$lllllllllll=’base64_decode’;;$ll=0;$llllllllll=’ord’;
    ;$llll=0;$lllll=3;$l=$lllllllllll($o);
    ;$lllllll=0;$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);
    $lllllllllllll=’strlen’;$lllllllll=16;$llllllll=””;
    for(;$lllll<$lllllllllllll($l);){if($lllllllll==0){$llllll=($llllllllll($l[$lllll++])<<8);$llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;}
    if($llllll&0x8000){$lll=($llllllllll($l[$lllll++])<<4);$lll+=($llllllllll($l[$lllll])>>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;
    for($llll=0;$llll<$ll;$llll++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else{$ll=($llllllllll($l[$lllll++])<<8);
    $ll+=$llllllllll($l[$lllll++])+16;for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllllll+=$ll;}}
    else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllllllll–;}
    $llllllllllll=’chr’;$lllll=0;$lllllllll=”?”.$llllllllllll(62);
    $llllllllll=””;
    for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
    $lllllllll.=$llllllllll.$llllllllllll(60).”?”;
    alert($lllllllll);

    That doesn’t run for me though, just gives js errors.

    This is a *very* rough perl script I hacked up to automate it a bit.

    
use strict;

# A useful command to determine if you need this tool:
#  find . -exec grep -li eval {} \; -print

# Written to undo the base64 encoding included in wordpress templates and modules.
# Usage: perl php_cleanup.pl $filename
#
# When this runs it will ask "continue?" for each iteration.. just hit enter
# After this program runs you'll probably still have to go into the file
# and do some cleanup.  It's not perfect.  It just replaces each eval
# and then tries to run it again.
#
# I've noticed on index.php there is an include header.php or something.
# the workaround seems to be to go into VI and cut those lines into a buffer
# then put VI in the bkgroung (^Z) and re-run this tool.
# That will overwrite the index.php.
# AFTER it finishes; return to the VI session in the bkgrnd (fg)
# Replace the yanked lines at the appropriate location (y)
# and things should be mostly peachy.

my $filename = shift;

# die if this filename doesn't exist
if (not -e $filename) {
die "Please give me a filename";
}
my $file = cat $filename;
#if this file contains and eval let's substitute it with an echo

$file =~ s/eval/echo/g;

open( FILE, ("+>" . $filename) );
printf FILE "%s\n", $file;
close( FILE );

my $continue = 1;
while ($continue) {
   print "continue?";
   my $var = <stdin>;
   my $output = php -q $filename;

   ## if we match another eval
   if ($output =~ s/eval/echo/g) {
        open( FILE, ("+>" . $filename) );
        printf FILE "%s\n", $output;
        close( FILE );
        }

   ## else it should be clean?!!
   else {
        open( FILE, ("+>" . $filename) );
        printf FILE "%s\n", $output;
        close( FILE );

        print "I think we're clean, give it a check!\n";
	$continue = 0;
        }
    }

    Hello,

    I treid everyting I can to decode this one. Cant do it ??

    please help me

    <? eval(gzinflate(base64_decode(‘DZdHEoTIFUSvop1GwQLbDYRGM4H33rOZwHvvOb2aC1RR/2fmy7//+vPvfxVn0v9Rvc1Y9sle/LHt6z/rtMPoH2myFV/sn7zIprz44998XIrs5Eicz4O3W55NpX2esDkfttOHaONZdhwJ0yvED4VNSbIe+FqgIPj5AiTIi24CQg75eify9XGiS/zUHVgQtNMPyaAAwBRlr0pXqogVDbA7Xk65gvsWi3Avisi9QKFle2hK328RwQPXJXoZDVGWaSDu0H8fWuWHCmW+X2pv+3OyBAi9jDRwgtdLb6GXPMo7LzahrpTjlLbjTBXaWmc4Qt+6mQrdB9TRvugMJI2pHpL3ftFqvJ/md6S2RBLqrwKKrg6u7j44HW41bG3Tf+0JwYFRaYVzTQK112xreiA1oVl0s1GVLymqIRFWl8LnK9y546sWS/e5kbLcslZtkWKURzyJ0zAau7b8x/riLZ51GxgZ3gp0A8djTWCgfGT3hC9WtgAVGq+JoCyk1CdskWIelIWBOwfNXndBh9/zecBa5bfY0q/1JUJ5Z3XYc0kXMifvzciFHouqyZp6fJlw6Z/xMRtkZE47XFfPJL5tgnhwmJ6blBt9cendJL/O3YWFtxM3kmxhscr1cOsKc5AkxFtvHSidqkX8NHekPzamBMOy/XqCazvaDoH+BsVGpfIMAudElcPMjGwqvcxokL/rnFhFZb2YNXQnE8gpCTRZ/5uqpFflrNQ9RtgscQ6mUVCfotmw5HnIpQXH27B8TboG7LgPxAr4G+YASMasreFhnLsYk4Ape5pjOQpWG1LqAo6Rw2EJwrlLYXuenUoxXQSH73Cs8wmAUpE2mIJGUpr47nMDhqvXL86h3a06R3M/Gw7F01oWkH14hSs+RfjRcM8FsfTDq5Zx11avRXLGoEq15unF4nIH4PZV5eY6stHF3y1qx2roo60uC4WyJIMYf5p29nrKoGjFFxsAL7T80/svyml+glNvg4mepkWE3rpHQp/iipPV+lGWWeMTVTmRT5asUskg69GpD7vtFHG2ifkgEnosU82MAi5EdTBm2NNJ82uwNyqJDB5HShQu3r3C6wq4ToDD2AE5A/aUbvFMqNJLGL8A72o780JZM/G4UCEJcO3ZaiVDDWRY1ynlQ6aQ9/7l6O1xRJniHmVKftJccMxP+dq5nfzKWvLbPpeQL4IGKWGvFl11kMGdzW12BG/oUggFxSIYzK5uqqQx+bFge2RutE0iscDuAePXHvutuXHhDHdYWxLIdKQL5S8R+AQ8LP1eUOLx+g1MByVQGIeLL0Mrh0cNduy+vtOZgOzAYPzcE1mgsYtwdT5spH7Jw1B857v76Gb9adnav73Dr+vfvZxviuRhW/tWjKFsujdyxeBdDXAwc4vy86I1nnqTQsNp6pKN5c86tMuaZeno/MUm7qXdQcQAZ2jiYe4Pg0NXjncYixFekPdjp1gBPcI4xjJlgimkmALXN68j4eAt+waV8IYmdisS5QOmHh5jIwjHOxyErHd7zmEYXb0RwSFW/ee3sm1nQsVyRbQXkd1JEwsRk5Sjh09qBQyWznaYZjQ551YX09Jl68iDZHRquHirjCy3PmTCMgO26WlnTDz+fRjWix0qK0+jLn3UfR58eu7XzzDHC+9VnXA38PFSvNNQkNFeMpId1eULzAZuAg/ohQwuH9jtgt1z+1kLvTqFtmHG1rP4eQWajm9UZc6IHkP7OGaEXnZs1+c1rCkQfY/4/mG0SrojrwuYoVjI6JgMKi47RK5YO10fVu5Y6maeb2d0FqGeoCHSXkW1wGuspMwCQ25iGmu+SVNc2oHGbdIWLyJNYZgWpx88n7GIHz0TsTZfEZWoUdaSvU2HU56i9s+LAZzPrJSsbl0XherPZeUVOeVu/p75uGgIs9jy/G4xBfE5qy/YE5ilCPU2gxdGqNwrmKAcblnLxZtIK3Ng03KNOQe0qqBXTy7+yUeC//Vr2Ok1QbjcZ2paPAiqYzire5Wd7Ldit/wNhbyXLTtKXLQZ15FJfhky+Egh2XIM0POwWXGgCJZhDdUVDykpiSGUmGMPGaleHp9ET1coFaFzlraowWycZoTv8QY4sZarJkvCQl2fxT+qUEZAbItb8yEPylNFnE7ZYf6Sua926MZUm6ZmgX+/kWNB9RIdT7OAh0iLZ7Z7tREmgwIAntA+DO9uhsfH+sIJwe4PVcUZ9s+7mVrRKqoPF/ithCff57jZ36/eSPpUP/Uq8T7oIGabDytEdD8/+fS3wLcLRg1ACV72UuCfm6dMiD+rDvatVvUtZfZA4bgjGc+bZEjzYC5/Xj9WmlToyQyUtHV+sThK+DJsvsNY+r2FNFnEtvBP082d69EKmNiSfiBgDVgeyf1iGKuXvDprAULEf0WQPRXZk3WocwEBSF2g929bVdPsDWCQfux5R7GdFY8Y76XXhTnWYuN5lzGlYrTxAZzIeinBho15l85OKNj1dKggQO0az19YqI8FKdgzi7QZanTLzjSrUGXG+agkpp8njJQY/GOn7m09yOEfSechGwkytoJm2z0f/nHJzUBkd/zqHip2ag58ektvy/CBuHJpQvdtSToUN90OEZq8I7ic30VI7UJ/UqFZssTyxkM1s/UyulSYV64KmYUaHbOvkSwDKsQ/Qz2BGU911+sN6PFT43bOUJwa3BLay1zSGNw0smqsCodD9TqNnroxFzEMAoXaf8xzbCrWcubttuP50gz9cWpnE/ZtnLq9/k56jZy2fr+0UMkN1yqwxZJIzdnSUJplkjUDR/vR5eju6tPNzHkYDy0jmOTLQMU6DfWm5El1IczsTkv8GiOqW/Hndu9ThdEq9Sz4w3w+uKw5rAuma5xVR2x2RUz6Rx9h6ojd83snyVmK0/cHiatiJrtJXN1CeOvSKg2DTEaUa8fx3gVkcZf3TuDtiTrUTPyj3wt2OCTzzX8UY9YcQoqkTt9+aU+DZUMIvqovpnuZj9ASXpWi3/GMRnGpoyc0JE8lYI7f3MG9+EKKVfwAPwrZuA9p0ydGTewTB8khFluU0/nsFjwQmGjlm54/huqiBu0Xs+8YH8hIVMdmCNd07t2b2KA+urfKIfDN3JB+7dvl/gzHiA05v9X4DOV6HXRUgsAaHoSXx0EN3u29jkZbHeoytW9IbcyTjmL1rDYBYCr3NzjZj38dGPmK52ScpLTIDVGZi/d5zOo+Rl1584lEwkX9BY1fx82TzvqHRUptRz5L8P0i25NFvMgBFNkXQW2drjk/T3C6T2tdcxLLFbRAhKWwglPwRu7Mad2CyqaYrObHRYyeIe25XlRcrOffP8Z7cekjUhmxTWllXqrio8RdRk/rmrXHWxJjis4UxNnQEzt2uKPPuJ14SvVW4KYCM/22aE0D7EVQonFUxRjr8hHvV1+KaMl9v/FjA2C/AgLXJ36TFQdg62SzBkp8OfbhvBhZzxLpzSXdW7kPBNUohd+1mEiowF1D2rMCQygZi3Fh5zMiZrZNOewPmnegjDBdGqV78aFG3H3EL9TFTGRHvRElrQX49ZqLJUlqGaeULOt+TAwfvzyLJHTRruIToPHMx0kT2wMTihnm855r+95b1LCbsLoDBxA2uSXzA56B+XAekFHtXO6GFMZ4VxpiiQPHyZYt9NMdWT1DJWg7e9G9forDfiF1KFOG8oE/H+DRxyA2oRQ/fhTE1fQOXpGUgTKVlobqfpA2Q5ugSPqZ+pkoRvAJQkB9jBb5+gpfMi3n2Bhhk9D8RiSmzOnpqRAyIrQCuC3IBfnBm48DNBXlyxQxHSCiVmhIqxDwkA8Wm+ZV+W7cXDPEp+mFmd1p1vMogZe7QpxqdR9zDui9aJWSWERsSYMZRZWOx1IOmFOS2uaMOLObjDyIELh807tuRpVBINQ0IVJ6b+taf/cFOzakrja4PSHFoCnL3et1IVBDiokmJbuX+0OdHpXGp8Y9xpUxHmNL5KDXJMHkvTXEP1cKmHIqM+ev9HwRVy1AgK+xSvexn84davmWHSEmpxg4CzuriZXzUjsepNBIObMrSZaP0XD1d6PXhl8APDBU3RTnCFbzQdWsP426d5kFaPJOdXRm53m3UAhZpj/mRKQ5ClqEqGfaavFdDxZkFDy6oDFk0yP4JT2cuD+8k6vDfkba4L4zGYEW296XZ4iqTLaDgw97E+71IKEKwfUQhVzXqseXV9QJbfVW1EaHZr7dJXSkMXqdyxw7gPdKGqRlA1k+kl2aLGAxCCsgFndhVqnoyNGhqc2+Ie/Vo/ThkNwdStfKwNi4oYgsVMLswoMgkNjKqebFgab7HQr7QjNmhhsH34nIU2cjAvtGdoc4IQr5sI8xQkMmbG77ne2tkhV7ZVIkhTU98RYSOICYSproCx/cEAtUIayDDVWS4gZr6YyLbCQrzNP3xWluQTMT0cQwedlEuQ/cZqXE7GyDXq+D6zbIDo24ygqcES3yF/K9A0sCTAwI0TlkdymW+a20eOcWxmfOp092BaCO1socoEVER2G7i20zfYiiSYVUDFxQglGTWFGu6vezna/4MAQzn/gRwMC9DSMkZqFp/QA/+f0N2Uc15+XsIDqeoDk6v/bwHRFIDlgu6tUn4rLKeOKpcCcEZeO8SD5FlasAQptl2kuq6xV5e81ibY2Za+26V0C5WI9BDls17rLooLfqSlC4u9xkwVKmiVup/RJAiAL18fo/drRdorOcEBHHjIOxsPWB5KYlMK3lHSGDCrTPX7f6RPw45hpARIIXk6NcdqLo3MzgnZrErhAIEQci4xIBD6YLZ2n+/UGK/aHNSj4wNkghUdEoA4zn1BChTmTfVNfx0VT3ai4NgtrIhoCbgVcsdG/bzXtQLfIyjSheTD0t27Rf/e32PBXcckkq2oifsNw0TNKc9zqtZrZBaRmXL6BE57Azj+DZl0Qxj6+7T4rxpElQmWgGOQgKJrMgUVBm0keKccGcgrlNh4uD8ZzG2SK4sotextmRZIl/lWYsdfbJKE1g6dkWv8IcgeMnWyinffCzke+Mpn/bSxxRUDkp4++LX4mpkg5xJfxadBfWCoXZ9TegoNcrWBy1vCtoM9tZI6VATAFz6bztSUNjWNTXzyN+lh++CDTz/oqw1Kqx/FJyVNgZ0Cm4hnt7pMhwhZgiPKWYc2HjUhzqBph17oHTRAL67tg9iGaSUbRwXJLeNCWBZ6Nr+MW/giJ4SKKB/S9VCaacFwbBfxXX/go7Hre0NqI91n0kkZZnFISsfWpPgH9IFO9SQnczZLGxivgwsm/NT8G0RQqclwAwIk2O/kRFRsvwn4VjVdNwme3j5/b73MRNgnvKfghP7mzNlqkX/Y2fSSovJVLn+zUEn0m0AnJ0HV1tWNOsM4S4tJKgYVTEb2hdW3oHgU+o5jFsroKg9u0Uw1DmH6i0MOXzza3SbbRAOjnu9pnB7JoIKpL4Myn2xrrWL4usgQOGCeg/GP6Dr10Unyj0voJ6eyq+Mi+33xYJyJ/ul+uhc88FUdFDk6WABV+0e8t4vDnis0p5tUyuFGg/KIjMCaiKIwzpXrwBlkddB3AOjTcTfF2sb6FTi8MWgmSybwPXXGsUoB81gFOWiuvzFbESCythYKY1fhmPYOHwKNcF64rGhiX/8J907Lvy4VY4Qj0iuQXh5+nAfUExO4qfWUD1OAc3eDz7rfeliuaXREY5LTHLw5tKHGw90jKTxrV76eRFSjf8ShttY++FBY9Wmh4IT4cDmlD5yjSp6cLJAfJdSKKghuaZEmFFGBTr0bGTOBRFtzXUBnRnZKdeWFHwrqu2IO5eWs5Ndki9EJHd1vQgkiLCJymm/lGZVonNYiDAFRwirpo9I9U1fXwMiHJGEp1056KToSjPrp/5r87bpc89e6WLjQ6K5ch5+Ar+OD3hqC2COfhHWnANa9vkLWd1GQD9G2PTkL46fLxktEKTKBcNDxX1YZ0v29rCWFk5DSB+ipfHG9FP0IVJegzigUoz5RCjKUUDDiC7yoEFT1Ka2C0nySLNGTzmjof2rklfoxFiV17SN/42/Y3LKgEDCF9dYwIdXlQ2QMX9Stf89WznczYXcOFkBU8Zo1sG1JJkuMPkx0SLAa8BUv21UH6h8bmHgRuBgC6dKt41b+d301ozx6kiNQXnbU90Sk+FV3GHuC20lMTqJXiJjfA7CLXx+GZSPZZwFCkRF+kP4GNU0+GOz5NP1esyZ9Ux5vYsaOiCXlSbtTnRtgoZxYRVbdRrWHgX1c0o75tm7GGwuM4GsjnMykntEYmtJhclXw9B8bZu8YYA/kqhvN7kwzwbVP6OvBDN8dU2nr7wGY1Mk32a6zukiZrRJOEwdFN0GeCI2FGgzhdX22q5x17lVAURj/4DfE8g/on2t9WDwwHmTIXVGMjD+tm7Qv7+QhaHCX9Ro/mFsWUoVMvD8HN509f6rNYE0N/X03v7mS/WkqpUWZP1Ay+muin4R/UrS86JkOYwltL4QeYkazbc37aCwOdDguA5nCX4kiMOAmBN/O/f//l9//3X33/9+ff/AQ==’))); ?>

    thank you!!!

Viewing 15 replies - 31 through 45 (of 148 total)
  • The topic ‘footer in base64… how decrypt it?’ is closed to new replies.