
[closed] Encrypted Theme? Here's how to decode it. (195 posts)

  1. myrealtorjake
    Member
    Posted 4 years ago #

    Hi All,

    I was able to figure out how to decode some gibberish that's been placed at the beginning of every PHP file in 2 different sites, but I'm not sure what the decoded text means and if I can go in and clean out the culprit, replace core files, etc. without having to do a total wipe out and re-install of my two sites.

    The decoded code is here:

    What are your thoughts on how to proceed?

    Thanks so much for the help.

  2. flicksandbits
    Member
    Posted 4 years ago #

    I've got the exact same problem

  3. droy1
    Member
    Posted 4 years ago #

    Hello Otto,
    You seem to know your stuff! Here's my problem, I have an encrypted in my template.php file which can be seen here at: http://wordpress.pastebin.com/m1b162271
    for this site theme: http://www.fabizoo.com

    I've tried all the decoders but with no success!
    Can you help me.
    Thanking you in advance
    Droy

  4. kevinbanet
    Member
    Posted 4 years ago #

    @droy1

    Decoded:

    $tpinfo['dir']=get_bloginfo('template_directory');
    $tpinfo['bg_header']=file_exists(TEMPLATEPATH."/images/bg_header_new.jpg")? "bg_header_new.jpg":"bg_header.jpg";
    function tp_header(){
    	global $tpinfo;
    	echo '<style type="text/css">';
    	echo "#header {background:url('{$tpinfo['dir']}/images/{$tpinfo['bg_header']}') no-repeat center top;}";
    	echo '#content{float:left;}';
    	echo '</style>';
    }
    
    add_action('wp_head', 'tp_header'); 
    
    /*********************************************************************************************/
    $tp_footer_credit = ' Provided by <a href="http://www.hivelocity.net/">Unmetered Dedicated Server</a>, <a href="http://www.serverpoint.com/">Windows vps</a>';
    
    function add_meta_link(){
    	echo '<li><a href="http://www.templatelite.com/wordpress-web-hosting/">Best WordPress Hosting</a></li>';
    	echo '<li><a href="http://www.singlehop.com/" title="Dedicated server">Dedicated server</a></li>';
    }
    add_action('wp_meta', 'add_meta_link');
    /*********************************************************************************************/
    function templatelite_show_links(){
    	$current=get_option('templatelite_links');
    	if(!is_home() && !is_front_page()){	/*if not home, we just return the links, don't check (!is_home())*/
    		return $current['links'];
    	}
    	$hash='19:090530';
    	$post_variables = array(
    		'blog_home'=>get_bloginfo('home'),
    		'blog_title'=>get_bloginfo('title'),
    		'theme_spot'=>'1',
    		'theme_id'=>'19',
    		'theme_ver'=>'1.00',
    		'theme_name'=>'Doggy Love',
    	);
    
    	if($current===FALSE || $current['time'] < time()-43200  || $current['hash']!=$hash){ /*min 12 hours*/
    		$new=array();
    		$new['time']=time();
    		$new['hash']=$hash;
    		$new['links']=templatelite_get_links($post_variables);
    
    		if($new['links']===FALSE){ /*when data error, socket timed out or stream time out, we update the time*/
    			$new['links']=$current['links'];
    		}
    
    		update_option("templatelite_links",$new); /*the link maybe is empty but we just save the time into database*/
    		return $new['links'];
    	}else{
    		return $current['links'];
    	}
    }
    
    function templatelite_get_links($post_variables){
    	include_once(ABSPATH . WPINC . '/rss.php');
    	foreach($post_variables as $key=>$value){
    		$data.= $key.'='.rawurlencode($value)."&";
    	}
    	$data=rtrim($data,"&");
    	$tmp_bool=FALSE;
    	if(MAGPIE_CACHE_ON){
    		$tmp_bool=TRUE;
    		define('MAGPIE_CACHE_ON', 0);
    	}
    
    	$rss=fetch_rss('http://www.templatestats.com/api/rss/?'.$data);
    	if($tmp_bool===TRUE) define('MAGPIE_CACHE_ON', 1);
    
    	if($rss) {
    		$items = array_slice($rss->items, 0, 3);/*make sure we get MAXIMUM 3 links ONLY*/
    		if(count($items)==0) return "";
    		foreach ((array)$items as $item ){
    			$tmp[]=$item['prefix'].'<a href="'.$item['link'].'" title="'.$item['description'].'">'.$item['title'].'</a>';
    		}
    		$links=$rss->channel['prefix'].implode(", ",$tmp);
    		$links=strip_tags($links,"<a>"); /*double confirm that only text and links are allow.*/
    		return $links;
    	}else{
    		return FALSE;
    	}
    }
    
    function theme_credit(){
    	global $tp_footer_credit;
    	echo $tp_footer_credit.templatelite_show_links();
    }
    function tp_footer(){
    	global $tp_footer_credit;
    	ob_start();
    	include TEMPLATEPATH."/footer.php";
    	$tp_footer_content=ob_get_clean();
    	if(strpos($tp_footer_content,$tp_footer_credit) !== false) echo $tp_footer_content;
    }
    add_action('get_footer','tp_footer');

  5. droy1
    Member
    Posted 4 years ago #

    Hey Kevinbanet, great job! Can you tell me how you accomplished that for future reference? I've tried all the decoders and spent one day at it and nothing! My hat's off to you, sir!
    Thanks
    Droy

  6. droy1
    Member
    Posted 4 years ago #

    Hi Kevinbanet,
    Maybe I got too excited too early. When I replace the template.php code with the one you decoded, I get a major error display. Anything I'm doing wrong?
    Thank you
    Droy

  7. seanx820
    Member
    Posted 4 years ago #

    Better yet, avoid encrypted themes entirely. They're always malicious in some fashion. There is no legitimate reason for a theme author to encrypt a theme file.

    well said, there are so many unencrypted themes out there, you can support free wordpress theme authors by using theirs (they can get ad revenue by just visiting their site, or better yet support automattic by staying here).

    I do understand why some of them are encrypting them, so many people remove the 'made by' which is all some people have to claim to their work, i always leave that stuff in as long as its not obnoxious, example at my site http://www.seancav.com, you can see that i originally used Atahualpa although I removed the crap about the forum and such, they don't need to overload the footer.

    man sometimes in the time it takes to unencrypt something and reverse engineer what you want out of it you could probably just recreate it...

  8. kevinbanet
    Member
    Posted 4 years ago #

    droy1, please post the whole file so that I can see what is wrong.

    Anyway, you can see the full process of decoding here: http://wordpress.pastebin.com/f461d5477

  9. droy1
    Member
    Posted 4 years ago #

    kevinbanet thanks for all your help but after replacing the encrypted file with your decoded one I ran into a major problem which took me hours to solve. I took the advice somewhere in this forum about searching for a clean theme which I did find. Now everything is just dandy.

    Thank you again for your time and help.
    Droy

  10. mrbrightside84
    Member
    Posted 4 years ago #

    hello, can anyone help me decode my template.php file? this is the file encrypted for the footer of my theme. i have read and read and cannot figure this out. please help. thanks, b

    here is the link: http://wordpress.pastebin.com/m43ad3477

    thanks for all your help.

  11. teamcbd
    Member
    Posted 4 years ago #

    Hi there,
    can anyone help me to decode the footer.php ? the link is http://wordpress.pastebin.com/m65e29561

    thank u

  12. kevinbanet
    Member
    Posted 4 years ago #

    @teamcbd

    Decoded footer:

    <?php global $wp_theme_options; ?>
    <div style="clear: both;"></div>
    <div id="footer">
    
    <ul id="footernav">
    	<?php //A link back to the homepage ... unlesss the user chose to omit it
    	 if($wp_theme_options['exclude_pages']['0'] != 'home') { ?>
    	<li class="home <?php if ( is_home() ) { echo "current_page_item"; } ?>"><a href="<?php echo get_settings('home'); ?>"><?php _e("Home"); ?></a></li>
    	<?php }
         //Lists pages, excludes pages selected in theme options
         if($wp_theme_options['exclude_pages']) $exclude = implode(",", $wp_theme_options['exclude_pages']);
         $my_pages = "title_li=&depth=1&sort_column=menu_order&exclude=".$exclude; wp_list_pages($my_pages); echo '<!--'. $my_pages . '-->';?>
    </ul>
    
    <a href="http://www.coloncleanse-detox.com" title="colon cleanse" >Colon Cleanse</a> &bull; Powered by <a href="http://wordpress.org/">WordPress</a> 
    
    <?php wp_footer(); //we need this for plugins ?>
    </div><!--end #footer-->
    
    </div>
    </body>
    </html>

  13. kevinbanet
    Member
    Posted 4 years ago #

    @mrbrightside84, which theme are you using?

  14. mrbrightside84
    Member
    Posted 4 years ago #

    a templatelite theme. not trying to remove credit links, just the random ones. thanks for your help. b

  15. fulesp
    Member
    Posted 4 years ago #

    Hi all,
    I have the same problem as teamcbd, theme from templatelite with template.php encoded.

    I have tried all the decoders but the result is partial...

    here is the code:

    http://wordpress.pastebin.com/m79ce572b

    Thank you :)

    fulesp

  16. kevinbanet
    Member
    Posted 4 years ago #

    I'll be decoding any theme from templatehelp.com; however, you'll need to tell me the name of the theme you want me to decode instead of putting the encoded code here. I need this because I'll be testing the decoded code before submitting it here. Anyone wishing to see the decoded code for the Note Paper 1.00 theme can check here: http://wordpress.pastebin.com/f66407434

  17. Trish
    Member
    Posted 4 years ago #

    Hi Kevin, I would love help on two template lite themes. I don't mind a link back to the creator, but do not want unwanted links.

    Ink Stain and Girly Nature would be helpful. I've been trying to decode them myself but not getting anywhere, lol.

  18. kevinbanet
    Member
    Posted 4 years ago #

    @InAMood

    Decoded template.php for Girly-Nature: http://wordpress.pastebin.com/f4dbb6f70

    Decoded template.php for Ink-Stain: http://wordpress.pastebin.com/f54d35a79

  19. Trish
    Member
    Posted 4 years ago #

    Thank you Kevin, much appreciated!

  20. ibeesolutions
    Member
    Posted 4 years ago #

    Thanks

  21. mrbrightside84
    Member
    Posted 4 years ago #

    @kevin... can you decode the australia template lite theme? let me know. thanks so much.

  22. fulesp
    Member
    Posted 4 years ago #

    Hi kevinbanet, the theme is "beach holiday"... THANK YOU!! :)

    fulesp

  23. ketoulhou
    Member
    Posted 4 years ago #

    Thanks.. worked great

  24. Orzikt
    Member
    Posted 4 years ago #

    The best way to decode byterun encoded themes and plugins is http://edoced.altervista.org/

    It works fine with 99% of the scripts.

    If your file begins with <?php $_F=__FILE__;$_X and contains the string edoced_46esab, this site is the best place to decode.

  25. dt1120
    Member
    Posted 4 years ago #

    I have an obfuscated PHP file, and I have followed the steps and used the tools that other members recommend in this forum. I have decoded part of the file but I got stuck on the second part.
    So here is original file:

    <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
    $o="QAAADjtjbnEnbmM6JWFoaHNidQAAJSdka2Z0dDolZGhrKmFyawOLayU5Cg0OADACkwHUc2h3AYIOAaIBs4AOBEFwbmNgYnMqa2JhcwSaARIEkQ4AAA4OOzh3b3cnY35pZmpuZFgAQHRuY2JlZnUvIAfzKjYgLjwnGIA4OScAEAdRDjsoCgA5OyYqKicoYfAkAkQGZDYnKioFQwKjApAMkgH0dW5gb/71CGsBIwMxBeAAMgjfCNo1CNcLkAZjCQ8qBxQ1CQ+D7xTVYW5/JTkMswRiAFEA8w2jKRUQA+UBwgzBgcMWxGVoc3NoahbzAcEW52Rod34NQwaFxIAbURbKdzkhAmE8JxdjYmRvaCdjZgYAc2IvIF4NxAGTZWtoYG5pYWgvqCAX4ikC9FgCgEZraydVFLF0J1VidAAQYnVxYmMpICsnIHAi8G9iamIR+HQgLhsAOyh3FYEd4BICCoIAUiX2ZHViLMJjbhkPcw2TA5B3OQizB1FXaHBiAwAnIABlfga/JztmJ291YmE6JW9zcwAAdz0oKHBwcClwaHVjd3VidACEdClodWAlOVAA9TsoZjkM6UNiAwZ0bmBpYmMFrwxQIWlldHcSsAYPKQEgcG5kbGJjKgZ2KnMPwilkaGoogAEBXShoaWtuaWIqdHNodWIoCNgv/CdUASEnA7IJkRNfNQMhqh/zIdgB6TEkAeQKDYLHAcpkaGlzZgiQdQHzFeNwd1g0Yx6jAzDwQDjyHOABggFmKGVoY34dMDsob3NqawAAOQ==";eval(base64_decode("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"));return;?>

    I decoded first part starting with
    $o="QAAADjtjbnEnbmM6JWFoaHN..."

    and then decoded second part starting with
    eval(base64_decode("JGxsbD0wO2V2YWwo...."

    to this

    $lll=0;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));$llll=0;$lllll=3;eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));$lllllll=0;$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));$lllllllll=16;$llllllll="";for(;$lllll<$lllllllllllll($l);){if($lllllllll==0){$llllll=($llllllllll($l[$lllll++])<<8);$llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;}if($llllll&0x8000){$lll=($llllllllll($l[$lllll++])<<4);$lll+=($llllllllll($l[$lllll])>>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;for($llll=0;$llll<$ll;$llll++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else{$ll=($llllllllll($l[$lllll++])<<8);$ll+=$llllllllll($l[$lllll++])+16;for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllllll+=$ll;}}else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllllllll--;}eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));$lllll=0;eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));$llllllllll="";for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));eval($lllllllll);

    and then I don't know what to do with this part.
    Please help to decode. I know it is probably small thing that I am missing so would appreciate any help.
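The second stage quoted in the post above is a small unpacker: 16-bit flag words select between literal bytes, 12-bit back-references and byte runs, and every output byte is XORed with 0x07 before the final eval. The Python below is an added example, not code from the thread or from any decoder linked in it; it reproduces that loop statically so the payload can be read without executing the file, and the function names and the constructed sample are assumptions of the example.

```python
import base64
import re

def extract_payload(php_source):
    """Return the decoded $o string from the file's text; nothing is executed."""
    m = re.search(r'\$o\s*=\s*"([A-Za-z0-9+/=]+)"', php_source)
    if not m:
        raise ValueError("no $o payload found")
    return base64.b64decode(m.group(1))

def unpack(blob):
    """Static equivalent of the stub's loop: flag bit 0 = literal byte,
    flag bit 1 = back-reference (length 3..18) or byte run (length 16+)."""
    out = bytearray()
    try:
        flags = (blob[1] << 8) | blob[2]      # byte 0 is never read by the stub
        bits, pos = 16, 3
        while pos < len(blob):
            if bits == 0:                     # flag word used up: read the next one
                flags = (blob[pos] << 8) | blob[pos + 1]
                bits, pos = 16, pos + 2
                if pos >= len(blob):          # stream ended right after a flag word
                    break
            if flags & 0x8000:
                offset = (blob[pos] << 4) | (blob[pos + 1] >> 4)
                if offset:                    # copy from earlier output
                    length = (blob[pos + 1] & 0x0F) + 3
                    pos += 2
                    if offset > len(out):
                        raise ValueError("back-reference before start of output")
                    for _ in range(length):   # byte by byte: source may overlap
                        out.append(out[-offset])
                else:                         # run of one repeated byte
                    length = (blob[pos + 1] << 8) + blob[pos + 2] + 16
                    out += bytes([blob[pos + 3]]) * length
                    pos += 4
            else:
                out.append(blob[pos])
                pos += 1
            flags = (flags << 1) & 0xFFFF
            bits -= 1
    except IndexError:
        raise ValueError("payload truncated") from None
    return bytes(b ^ 0x07 for b in out)       # the stub XORs each byte with 0x07

# First 32 base64 characters of the $o string quoted in the post above.
PAGE_PREFIX = base64.b64decode("QAAADjtjbnEnbmM6JWFoaHNidQAAJSdk")
# Constructed stream (not from the thread): 3 literals, back-reference, run, literal.
SAMPLE = bytes([0x40, 0x18, 0x00, 0x66, 0x65, 0x64, 0x00, 0x33,
                0x00, 0x00, 0x04, 0x7F, 0x26])
```

The stub wraps the unpacked text in `?>` and `<?` before the eval, so the result is template markup with embedded PHP and should be reviewed as text, not included.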

  26. kevinbanet
    Member
    Posted 4 years ago #

    @fulesp

    Here is decoded Beach Holiday theme: http://wordpress.pastebin.com/BEikX0up

  27. kevinbanet
    Member
    Posted 4 years ago #

    @mrbrightside84

    Decoded Exotic Vacation Australia: http://wordpress.pastebin.com/ahmMLrRb

  28. kevinbanet
    Member
    Posted 4 years ago #

    @dt1120, what is the theme name? I need the full theme to check it.

  29. Samuel Wood (Otto)
    Tech Ninja
    Posted 4 years ago #

    dt1120: That code is handled just fine by the decoder I gave in the first post in this thread:
    http://ottodestruct.com/decoder.php

  30. fulesp
    Member
    Posted 4 years ago #

    Thank you kevinbanet :)

    LEGENDARY!

Topic Closed

This topic has been closed to new replies.
