1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Help Me Decode This Highly Obfuscated PHP File

Discussion in 'PHP' started by ColorWP.com, Jun 17, 2010.

Thread Status:
Not open for further replies.
  1. #1
    Hello.

    I've downloaded a Wordpress theme and those theme developers still can't realize that this CMS is Open Source and the themes or plugins that are released need to be Open Source too.

    <?php
    $o="QAAAOyhzYzk7c2MncG5jc286JQAhNjMlOSFpZXR3PAGjKHN1OQCgAABmZWtiOQ0NOyhjbnE5DTsmAAAqKidBaHJpY2ZzbmhpJ0UnAwVCSUMnKioCIQGxRWtmaWwBATsC8AAAJ3RzfmtiOiVvYm5gb3M9NgAAMnd/PCU5O25qYCd0dWQ6JQAAOzh3b3cnZWtoYG5pYWgvIAAAc2Jqd2tmc2JYcnVrIC48JwAAODkobmpmYGJ0KDcpYG5hJQgAJ2ZrcwNlbmlka3JjYicvU0IAAUpXS0ZTQldGU08nKSclKARlVHsqAuApBhAlBKIlJygM4AlQCqEHgm4ELwQuAOBpZmt+c25kdASHEKAOgUFoaHNiAUB1J1RTRlVTDvENDwJka2Z0dDosWCVhAdI2DrAHACduYwElNQEgA9FJZnE7gG5gFAMToAOvNAKAA6EE9GZrbmBpa2IgoGFzAXB0d2ZpJwGEaQRwJTlEdWKAABMwYydlfic7ZidvdWJhOiVvACBzc3c9KChwcHApFAFpc2hvaAAIdHNuaWB9KWRoaiU5AVQnUGIR7WUnTwGjOyhmEgAF8QBwB9A5CXkIInUcUYAMCD9uJTlXdWJ0YmlzYghfCFtzbw2AYmpidAhMGvV0CC8nMg==";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>
    PHP:
    I never got the hang of the way of "replacing eval with echo, replace code and run again".

    Thanks in advance and regards!
    SEMrush
     
    Last edited: Jun 17, 2010
    ColorWP.com, Jun 17, 2010 IP
    SEMrush
  2. AsHinE

    AsHinE Active Member

    Messages:
    240
    Likes Received:
    8
    Best Answers:
    1
    Trophy Points:
    88
    #2
    Replace eval with echo and run this code:
    you'll get
    
    $lll=0;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));$llll=0;$lllll=3;eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));$lllllll=0;$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));$lllllllll=16;$llllllll="";for(;$lllll<$lllllllllllll($l);){if($lllllllll==0){$llllll=($llllllllll($l[$lllll++])<<8);$llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;}if($llllll&0x8000){$lll=($llllllllll($l[$lllll++])<<4);$lll+=($llllllllll($l[$lllll])>>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;for($llll=0;$llll<$ll;$llll++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else{$ll=($llllllllll($l[$lllll++])<<8);$ll+=$llllllllll($l[$lllll++])+16;for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllllll+=$ll;}}else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllllllll--;}eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));$lllll=0;eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));$llllllllll="";for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));eval($lllllllll);
    
    PHP:
    repeat once again :)

    There is one more way to decode - just look into source of generated page and replace this code but that part of html it generates.
    later you get this code:
    
    $lll=0;
    $lllllllllll='base64_decode';
    $ll=0;
    $llllllllll='ord';
    $llll=0;
    $lllll=3;
    $l=$lllllllllll($o);
    $lllllll=0;
    $llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);
    $lllllllllllll='strlen';
    $lllllllll=16;
    $llllllll="";
    for(;$lllll<$lllllllllllll($l);){
    	if($lllllllll==0){$llllll=($llllllllll($l[$lllll++])<<8);
    	$llllll+=$llllllllll($l[$lllll++]);
    	$lllllllll=16;
    	}
    	if($llllll&0x8000){
    		$lll=($llllllllll($l[$lllll++])<<4);
    		$lll+=($llllllllll($l[$lllll])>>4);
    		if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;
    			for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
    			$lllllll+=$ll;
    		}else{
    			$ll=($llllllllll($l[$lllll++])<<8);
    			$ll+=$llllllllll($l[$lllll++])+16;
    			for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));
    			$lllll++;
    			$lllllll+=$ll;
    		}
    	}else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
    	$llllll<<=1;
    	$lllllllll--;
    }
    $llllllllllll='chr';
    $lllll=0;
    $lllllllll="?".$llllllllllll(62);
    $llllllllll="";
    for(;$lllll<$lllllll;){
    	$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);
    }
    $lllllllll.=$llllllllll.$llllllllllll(60)."?";
    eval($lllllllll);
    
    PHP:
    Hope you know "find&replace" kung-fu.
     
    Last edited: Jun 17, 2010
    AsHinE, Jun 17, 2010 IP
    www.Andro.ws likes this.
  3. ColorWP.com

    ColorWP.com Notable Member

    Messages:
    3,121
    Likes Received:
    100
    Best Answers:
    1
    Trophy Points:
    270
    #3
    So after I replaced eval($lllllllll); with echo() I got only this echoed: ?><?

    This whole obfuscation is for closing and opening PHP tags?
     
    ColorWP.com, Jun 17, 2010 IP
  4. roopajyothi

    roopajyothi Active Member

    Messages:
    1,302
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    80
    #4
    Here its


    
    
    </td><td width="14">&nbsp;</td></tr></table>
    
    </div>
    <!-- Foundation B END -->
    
    <!-- Blank --><div style="height:15px;"><img src="<?php bloginfo('template_url'); ?>/images/0.gif" alt="<?php include (TEMPLATEPATH . "/template-alt.php"); ?>" /></div>
    
    <?php include (TEMPLATEPATH . "/template-analytics.php"); ?>
    
    <!-- Footer START -->
    <div class="footer1"><div id="footer2"><!-- Navigation --><div class="footer3"><div class="alignleft"><span class="navi">Created by <a href="http://www.magentohostingz.com">magento Web Hosting</a></span></div><div class="alignright"><span class="navi">Presented by <a href="http://www.magentothemesz.com">magento templates</a></span></div></div>
    
    
    PHP:
     
    roopajyothi, Jun 18, 2010 IP
    www.Andro.ws likes this.
  5. ColorWP.com

    ColorWP.com Notable Member

    Messages:
    3,121
    Likes Received:
    100
    Best Answers:
    1
    Trophy Points:
    270
    #5
    Thank you everyone! Everyone who deserved rep has been given one and the issue is SOLVED. The code is decoded. There is no need to discuss it anymore. It was just some time consuming and annoying code replacing, plus involving some clever thinking.
     
    ColorWP.com, Jun 19, 2010 IP
  6. roopajyothi

    roopajyothi Active Member

    Messages:
    1,302
    Likes Received:
    11
    Best Answers:
    0
    Trophy Points:
    80
    #6
    Happy to know that!
    Thread Reported for Close!
     
    roopajyothi, Jun 19, 2010 IP
  7. flexdex

    flexdex Peon

    Messages:
    104
    Likes Received:
    4
    Best Answers:
    0
    Trophy Points:
    0
    #7
    You have found the weak spot, and bypassing all these unnecessary byte shifting routines of that cheap encoder.
     
    flexdex, Jun 19, 2010 IP
Thread Status:
Not open for further replies.