The name of the theme and a link to the site may get a response. But most people prefer not to use themes with encoded content.
The name of the theme is : zinmag-primus
http://web2feel.com/zinmag-primus/
This theme is free, and very interesting for my project (i’m a student) but the footer is … incomprensible.
I will keep all links, i even could give the link of my site to show it http://www.sans-os.fr
Thanks for your help
I hate it when theme authors do that.
That code decodes to this. You can replace the entire file with the code I’ve pasted here:
http://wordpress.pastebin.com/f653b2cb9
For reference, decoding it can usually be done like this:
1. Find the “eval” and change it to an “echo”.
2. Run it. This will likely give you some more code. Replace the big eval line with that code.
3. For each eval, repeat step 1. Do it one at a time, not running the rest of the code (comment it out) until you replace that eval line. This is for safety reasons, you never want the eval to run on your system. It could do anything, you have no idea.
Eventually, you get the final code output.
Sometimes you have to do this sort of thing in a loop. I wrote a script to do it once for a particular bit of code, since it had 75 iterations of obfuscation. Really. How annoying is that?
Thanks a lot for your help, and the explanation to decode π
I will test soon, because several themes use the base64 π
If your script is able to decode any footer encoded in base64, i would like it if you share it… π Sometimes i had a problem with the decoding, the letters “a, e, i, o, u …” other were replaced by numbers “2, 5, 7, …”.
Thanks a new Otto42
Otto42, please, can you help me too? i have a similar encoded footer and i dont have a clue how to decode it…
<?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
$o=”QAAAJztjbnEnZGtmdHQ6JWRrYgIFZnUlOTsoAUA5DQ4ODQ4Asw4AsCAIDQ0Com5jOiVhaGhzYgKADQ0NAAAhZGh3fjwnOzh3b3cnYmRvAAJoJ2Nmc2IvIF4gLjw4OQGEZQAEa2hgbmlhaC8gaWZqYgGkZXUAACg5DSc7ZidvdWJhOiVvc3MAAHc9KChzaHdwd3NvYmpidCkEAmRoaih1AKBjfiglJzkgVQCyJwgAUFcnUwIBIDsoZjknJ0NidG4BAGBpYmMnZX4E3nBiZW9odHNuAwRpYGBiYmwFEgSRUGJlJ08BgydAvxABkSAEsg8BDvMAqQ9wDcJwd1gPcy8uPCcAQDg5DTsoZWhjfgCBb3NqazknMAANJwARAGI=”;eval(base64_decode(“JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw==”));return;?>
lestat82: The decoded version of that can be found here:
http://wordpress.pastebin.com/f10913fdf
MichealH: While that works, some of the decoded bits I’ve seen make extra PHP calls. Sometimes they put an include in there, or a get_sidebar, etc. They almost always include a bloginfo call, and usually a wp_footer() call as well. So decoding it all the way to HTML can make it difficult to change your theme properly later, as well as making plugins which rely on wp_footer not work (most stats plugins, for example).
The eval/echo trick almost always works. Almost.
Hello Otto42….
Can you plz help me also to decode the script below………
<?php $_F=__FILE__;$_X=’Pz48ZDR2IDRkPSJmMjJ0NXIiPg0KCQ0KPDEgaHI1Zj0iaHR0cDovL3dwajNuY3Q0Mm4uYzJtLyIgY2wxc3M9IndwajNuYyI+VzViIEQ1czRnbjwxLz4gYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy5jMmwybWI0MWgyc3Q0bmcuYzJtLmMyIj5IMnN0NG5nPC8xPiA0biBDMmwybWI0MSBmMnIgPDEgaHI1Zj0iaHR0cDovL3d3dy5oMnQ1bC1yNXM1cnYxdDQybi1tMnIyY2MyLmMybS8iPkMybXAxcjUgTTJyMmNjMiBIMnQ1bCBSMXQ1czwvMT4sIDwxIGhyNWY9Imh0dHA6Ly93d3cubDJnMi0ybnR3NXJwNXJzLmI1Ij5MMmcyIE0xazVuPC8xPiAxbmQgPDEgaHI1Zj0iaHR0cDovL3d3dy41djVybDJzc3I1djQ1dy5jMm0iPkV2NXJsMnNzIHI1djQ1dzwvMT4uDQoJDQoJPC9kNHY+DQoNCjwvZDR2Pg0KPC9iMmR5Pg0KPC9odG1sPg0K’;eval(base64_decode(‘JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==’));?>
tebetensing: That translates to this. It’s mostly just spam links.
<div id="footer">
<a href="http://wpjunction.com/" class="wpjunc">Web Design<a/> by <a href="http://www.colombiahosting.com.co">Hosting</a> in Colombia for <a href="http://www.hotel-reservation-morocco.com/">Compare Morocco Hotel Rates</a>, <a href="http://www.logo-ontwerpers.be">Logo Maken</a> and <a href="http://www.everlossreview.com">Everloss review</a>.
</div>
</div>
</body>
</html>
Clearly, I need to make a script that does this sort of thing automatically.
Or better yet, people need to stop using themes with any of this kind of code in them, period. Find another theme instead. Why trust a spammy theme?
hm, i tried your method otto but my encypted footer also contains gzipinflate and i don’t seem to be able to decode it.
here it is, thank you in advance if you can help:
<?php echo(gzinflate(base64_decode(“bZJNb+MgEIbPza8YceiHVEOlSpW2cYiibqoeuqtq5fsKm7FBxWABXiv59SX+0LZVfDAwzDzzAu+W50zqf/N/BenL0wy03JCgJZbCkyl8biuLriNLbb7tVAfaVqaXCNfF/tfb667Yv+2KF6BA2FxDUxa5WcP2G7YyIoQNqYwnX9TM8HlYBNTORVykfYtmrdD2s+qOX1auO6whL/mTM87XvYFXXSMUClvMWclBYtCNRQnlAXIBymO9ISrG7pGxYRiociFq21CLMYtY0VIfCf+9L7Ji/wQv02bOBAdXn61vhI9olegDVehDRGOSUt9bGaoUpRIJf0YfdZMyRYP2BKPQinSXtUdMuh7PguuxaAQ7fHdCegwBbQKyhaguRd+adR/QjxKFlWdR89kyZ422SEVkra6865KcwGpthT2izRo0kr17lDoi8yKdalrcPvxIHf/8D4y9lj5Xn/pEhdFZDPcPd7RyLSu9GwKmF8ZM+GOiXvGfGmF3moNPFztmn3A5677YYvHF6uJist/Q/Z1McD1ZLL2tk4fTqGJr+OoD”))); ?>
Umm.. I don’t see what you mean, that method does work. The code you posted works perfectly and gives you the results you want.
Here’s the result on a pastebin:
http://wordpress.pastebin.com/m2a4edb6d
I didn’t even change anything, all I did was run the code you posted.
Hi Otto,
I think it’s worthwhile to work on a script that undoes this type of obfuscation. There are several perfectly legitimate ways to encrypt PHP code (Ioncube and Zend loaders, etc), but this type of thing is not one of them, this isn’t even “encryption”. I’ve got this basic script that will decode some of the more basic types of obfuscation, but it doesn’t do very well with loops. I’m working on another version to actually parse through the PHP code and identify the loop structures that will do a find and replace similar to the manual method. If you have anything to add to this, please do, I’ll check back here. This version will strip PHP tags and comments, and do a find and replace on eval.
<?php
$orig = $unpack = '';
if (isset($_POST['original']))
{
$orig = $_POST['original'];
$code = trim(preg_replace(array(
'/<\?php/mi',
'/\?>/m',
'/^\s*#.*$/m',
'#^\s*//.*$#m',
'#/\*.*?\*/#ms'
),
'', $orig));
if (strpos($code, 'eval') !== false)
{
$code = str_replace('eval', 'echo', $code);
ob_start();
eval($code);
$code = ob_get_contents();
ob_end_clean();
}
$unpack = str_replace(array(' ', "\n"), array(' ', '<br />'), htmlentities($code));
}
?>
<html>
<body>
<form method="post">
Original:
<textarea name="original" rows="10" cols="80"><?php echo $orig; ?></textarea>
<br /><br /><input type="submit" value="Unpack">
<br /><br />Unpacked:
<div style="width: 800px; height: 300px; overflow: auto; border: 1px solid black; font-family: monospace;"><?php echo $unpack; ?></div>
</form>
</body>
</html>
Suggestion for loop handling:
When you find more than one eval statement in the code, consider doing this logic:
1. Replace the first eval with an echo. Add a “return” immediately after that eval statement.
2. Run the code, capture the output using output buffering.
3. Replace that echo (and the return) with the new output, since it will be from that one echo only.
4. Start over with your new code.
Done correctly, that should work for most cases.
Sorry to bump this topic, but I’m dealing a particularly difficult footer and it is absolutely impossible to modify in its current form.
Would you mind offering any help on this?
<?php // This file is protected. Reverse engineering of this file is strictly prohibited.
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');$OO00O0000=704;$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';eval(($$O0O0000O0('JE9PME9PMDAwMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09PMDAwMDAwezV9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PME8wTzAwLCdyYicpOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzAwMDAwMHs1fS4kT09PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwMHsxNH0uJE9PTzAwMDAwMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB7MjB9OyRPTzBPTzAwME8oJE8wMDBPME8wMCwxMjE2KTskT08wME8wME8wPSgkT09PMDAwME8wKCRPTzBPTzAwTzAoJE9PME9PMDAwTygkTzAwME8wTzAwLDM4MCksJzU4MUFhQmJDY0RkRWVGZkdnSGhJaUpqS2tMbE1tTm5Pb1BwUXFSclNzVHRVdVZ2V3dYeFl5WnowMjM0Njc5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
Da9GeA8GeA8GeAZYNCDOmrJwMbBQLhoSKZ9bhiXBKZ7SE1cScp2qIy9Gea7wIY5wEpcScpwsDa9GIY5weA8Ge1oqIy7wIy7wea7wd1HGIY8GIY5wea7sDa7weA8Gea7we1wqIy7wea7weA5wdhwSFIoXgjB1kqFQHbHBLiLrHzNclaRThrTElyXuIjZfMq9WiC8HmJDxi0FiNBJZJSLKNZP2jKRlnQ5xeYgzFYqUEYySE1N8gqFaHiLChaRdhyXFIq9giJDIJBJjJZPLjrBpkzHRLrNsljTUMbZvM08XmSFyNKL0nCR4eAaxeYgZFQm2fhuWDxqTdhq6LrFuM0FRd1HGeA5wIY8GeA5TfzJzkjwsDa9GeA8GeA8Ge1q6LjFsMx5SGbHTNp8TLAypLr9WNbJxcQ2F1oydG19qlKk+AgsoG19qlKk+G1aVEh8KmrBwcaJvL15VEI2F1QXqlKkoljg9crFxLjHTNCepGqFWmCRxljNsN15rkz9wnIuoDYVRkzPWcbHPNbisDZqSdIu6LjFsMx5ScAXYNCDWMrm+Agsoc1m6krXWLzRvLr7sDz3PMjiSdIu6LjFsMx5SG19YNCDWMrm+Ep87caHRmzRSMrJqcbD3fp57kh8smrJrGhDsNCHwfp7WN0N0ESHsLjZRkrRvErFWMhc+JbPRMjJ1lj27Eza+cCwoi08WMSFWmSe4cAXPcbPxLjk9crPyNC54Ex90N0mvLjPWm0HTMrLWErFWMhc+JzJpcaPWm0HTMrm7Eza+E157kh8smrJrGhDsNCHwfp7WN0N0ESFskjVykKcvMSiWcQ3IMKeVM1LPmrRvLYVvG19PGpwoGbaolCDRLQyplCHymAsWE0N0Nx30lbRYlzJ3EKFsM05vLbiWcQ3KlbRYlzJ3G19PGQwWLbRzGoydGbHTNp8TLAypNz9xLC8xLKFYcQ3gM0NRmrJqcbD3cAXPcbPxLjk9crPyNC54Ex90M0DqmCDRm0evM0DScQ3KM0DqmCDRm0e7Eza+G19qlKk+AgsSf0NwKzLWM0HRmpoTfYVRkzPWc1m7EzDWLCq+Ags7EzPyMjw+DYu=
