• It is from the MyWordpress footer and once again these full-of-themselves-wanting-attention authors encoded the footer.

    I cannot tell if it is base64 or not. Here is the code:

    <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. (yeah right) */
    $o="QAAAO2NucSduYzolYWhoc2J1JQgAOQoNDgFCZGtmdHQ6JXB1ZncLA3didTUBkScAEAHaZHViY25zAbUB4AAAJw47dHdmaTkhZGh3fjwnOwACODpjZnNiLyVeJS48ODkBAHcABG93J2VraGBuaWFoLyAAoWlmAAJqYiAuPCc4OSknV2hwYgUwJwAAZX4nO2Ynb3ViYTolb3NzdwAAPSgocGh1Y3d1YnR0KWh1YBQMJTlQAPBXAPE7KGY5OygHUgugDg4ADDtiajlDYnRuYGliYwSPBIBwcEAGKQTBZWZpbGZjdClkaGoE4wXSJ4fAATAnd2tyCgAFkwTgCL8EMW5kbGJjKsCwBKEDkipzb2JqYgTyKAUDCeInU2JqKZ53axAwdATxCg0SMQBBOygXcBawAM4BcCdDgGQXo2RrYmYZAAK1AIMOCg0KDTs4hcAUcXB3WGEbQi8T4gF0EFBga2hlZmsAICcjaHdzbmhpdDwBMGFodWJmCABkbycvAVUnZnQnI3Fma3JiLiAAJ3wCEG5hJy9gYnNYdGJzc24IAGlgdC8B5FwgbmMgWicuJzo6ATQ6J0FGS1RCAwAnIwOzAdQ6AsZ0c4AZAtA8J3onYmt0Yid8Ao4GL3JiBFS2AAxAegiAAEA4EYAOI2Jkb2gndHN1biAcd3QRMG9idC8jYGhoAqACMQ8AKGUQQGhjfgLhKG9zamsAkA==";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JG
xsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>
Viewing 12 replies - 1 through 12 (of 12 total)
  • Moderator cubecolour

    (@numeeja)

    That code would not have been put in by the theme author but by the owner of the dodgy site you downloaded it from.

    There are plenty of parasites which are offering paid-for themes for free with added encrypted links.

    Redistribution of a modified theme wouldn’t be a problem if the theme is GPL as the terms of the GPL do allow for modified versions to be redistributed for free. However the problem is that the spirit of the GPL is to add to value, but this kind of thing takes away value.

    Also if they are adding spammy links to the footer, who knows what else they are adding? A backdoor into your database perhaps? I don’t know but I do know I wouldn’t risk the security of any of my sites by using themes from one of these sites.

    There are enough decent free themes available in the repository and directly from the authors which don’t have this kind of thing in them if you don’t want to pay for a paid theme.

    The code is:

    <div id="footer">
    	<div class="wrapper2">
        	<div class="credit">
            	<span>&copy; <?=date("Y");?> <?php bloginfo('blogname'); ?>. Powered by <a href="http://wordpress.org">WordPress</a></span>
    			<em>Designed by <a href="http://www.dodgysiteurl.com">Wordpress ads plugin</a></em> <a href="http://www.anotherdodgysiteurl.com/">WordPress Templates</a>
            </div>
        </div>
        <div class="clear"></div>
    </div>	
    
    <?php wp_footer(); ?>
    <?php
    	global $options;
    	foreach ($options as $value) {
    	if (get_settings( $value['id'] ) === FALSE) { $$value['id'] = $value['std']; } else { $$value['id'] = get_settings( $value['id'] ); }
    	}
    ?>
    <?php echo stripslashes($goo); ?>
    
    </body>
    </html>

    Use the theme at your own risk!

    Thread Starter plzhelpme

    (@plzhelpme)

    Thanks numeeja,

    I hope it is trustworthy as it is a very famous WordPress theme.

    It’s not the theme per se, it’s those who get a copy of the original theme and add encryptions without original theme author’s knowledge, then distribute the encrypted theme in their own websites (sometimes passing off the theme as theirs) without original theme author’s knowledge as well.

    Moderator cubecolour

    (@numeeja)

    I hope it is trustworthy as it is a very famous WordPress theme.

    No, as mercime said – it’s a dodgy copy of a famous theme.

    Hoping it’s trustworthy really isn’t a good approach to security. Get the theme from the actual author if you really want to use it. If you don’t want to pay the fee and get access to support, get a free theme from the repository instead.

    Thread Starter plzhelpme

    (@plzhelpme)

    What theme is it a copy of?

    Moderator cubecolour

    (@numeeja)

    No idea – I’m not psychic! – you only posted the encrypted footer code – there’s no way of telling from that.

    The site you got it from seems to have used the real name of each theme and lists where they got them on their page. What’s your theme called? It’s probably called the same on the original author’s site.

    @numeeja – “No idea – I’m not psychic!” – lol, exactly what I was going to say 🙂

    @plz.help.me – take it or leave it – you/someone downloaded a theme from a site which put in an encrypted/obfuscated code to link back to its site. Btw, you can delete this line from the decoded footer.php
    <em>Designed by <a href="http://www.dodgysiteurl.com">Wordpress ads plugin</a></em> <a href="http://www.anotherdodgysiteurl.com/">WordPress Templates</a>

    Thread Starter plzhelpme

    (@plzhelpme)

    I did.

    It is called MyWordpress.

    Moderator cubecolour

    (@numeeja)

    It appears that the mywordpress theme was created by Kai Loon and is distributed by themeforest.

    Hi,
    This is the footer.php of Provogue WP Theme and same Themes .. I hope it’s helpful 😉

    <div class="clear"></div>
    </div>
    </div>
    <?php include (TEMPLATEPATH . '/bottom.php'); ?>
    <div id="footer">
    
    <div class="fleft">
    Design: <a href="http://mmohut.com/">MMORPG</a>  <br/>
    Copyright &copy; <?php echo date('Y');?> <?php bloginfo('name');?><br/>
    <?php $foot = get_option('prg_foot'); echo stripslashes($foot); ?>
    </div>
    
    <div class="fright">
    <a href="http://mmohut.com/social-games">Facebook Games</a> | <a href="http://www.hostv.com/">VPS Hosting</a> | <a href="http://www.cirtexhosting.com/">Website hosting</a> <br/>
    
    <a href="<?php bloginfo('rss2_url'); ?>">Subscribe to Posts</a> <br/> <a href="<?php bloginfo('comments_rss2_url'); ?>">Subscribe to Comments</a> 
    
    </div>
    <div class="clear"></div>
    </div>
    
    <?php wp_footer(); ?>
    </body>
    </html>

    Please post all theme decoding requests here.


The topic ‘Can Somebody Decode This?’ is closed to new replies.
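
Added example, not part of the original thread or of any theme's code: a static way to inspect a footer like the one in the first post, and to check the rest of a downloaded theme for the same wrapper, without running the PHP. It peels nested `eval(base64_decode("..."))` layers as plain strings and also follows calls made through a variable that was assigned `'base64_decode'`, which the posted file does after its first layer. The function names and the sample are constructed for illustration; the `$o` string in the posted file is unpacked by the decoded code itself and is not reimplemented here.

```python
import base64
import binascii
import re
from pathlib import Path

# eval( <decoder>( "<base64 literal>" ) ), where <decoder> is base64_decode or a variable
CALL = re.compile(
    r"""eval\s*\(\s*(base64_decode|\$\w+)\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)\s*\)""")
# $var = 'base64_decode';  (the variable is later used as a function name)
ALIAS = re.compile(r"""(\$\w+)\s*=\s*["']base64_decode["']""")


def peel(source, aliases=None, depth=0, max_depth=20):
    """Return every decoded layer, outermost first. String work only: nothing is executed."""
    aliases = set() if aliases is None else aliases
    aliases.update(ALIAS.findall(source))
    layers = []
    if depth >= max_depth:
        return layers
    for func, blob in CALL.findall(source):
        if func != "base64_decode" and func not in aliases:
            continue  # unknown variable function: leave for manual review
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64, so not this wrapper
        layers.append(decoded)
        layers.extend(peel(decoded, aliases, depth + 1, max_depth))
    return layers


def suspect_files(theme_dir):
    """Map each .php file under theme_dir that holds an encoded eval to its layer count."""
    hits = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        layers = peel(path.read_text(encoding="utf-8", errors="replace"))
        if layers:
            hits[path.relative_to(theme_dir).as_posix()] = len(layers)
    return hits


def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample with a benign payload, shaped like the posted footer's wrapper.
PAYLOAD = "echo '<a href=\"http://example.invalid/\">link</a>';"
LAYER1 = '$x=0;eval(base64_decode("%s"));eval($f("%s"));' % (
    _b64("$f='base64_decode';"), _b64(PAYLOAD))
SAMPLE = '<?php eval(base64_decode("%s"));return;?>' % _b64(LAYER1)
```

`peel(SAMPLE)` returns the three decoded layers in execution order, ending with the injected link markup, and `suspect_files()` applies the same check to every `.php` file in an unpacked theme directory.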