How do I decode encrypted scripts?

Discussion in 'General Programming Chat' started by zx_81, Dec 9, 2008.

  1. zx_81

    Just wondering... how do I decode an encrypted script? For example, say I pick up a Wordpress theme and want to rip out the encrypted footer - how would I decrypt it?

    (I know I can replace some footers using this method but I want to know how to decode it)

    Code:
    Make this the footer:
    <div class="clear"></div>
     	</div>
     	<div id="footer">		</div>
    </div>
    <?php wp_footer() ?>
    </body>
    </html>
     
  2. HeXeR

    Well usually it's something like that ...

    function wp_footer() {
    return base64_decode('VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw==');
    }

    so 'VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw==' is your footer encoded in base64, you just create blah.php and put in ...

    <?php echo base64_decode('VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw=='); ?>

    load in browser and you'll see the code. Then copy & paste into template file ...

    or sometimes, there's some more crap ... like ..

    eval(base64_decode('VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw=='));

    just change it into ..

    echo base64_decode('VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw==');

    and you'll see code ... probably ...

    PHP:
    echo '<div>Some html ...';
     
    • Thanks Thanks x 3
  3. zx_81

    I'm not seeing the first part saying base64 anywhere in the theme (except as described below). :(

    There is a load of garbage in the footer.php file that begins like so -
    Code:
    $o="QAAADg4NDg47Y25xJ2RrZnR0OgA,,, etc
    and in the middle of that somewhere is the following:
    Code:
    eval(base64_decode("sdlkfhldfhlsflsfh
    So are you saying I should change that little bit to
    Code:
    echo base64_decode("sdlkfhldfhlsflsfh
    ?

    How can I change it? Is it possible to replace that encrypted code with my own, for example?
     
  4. disinfect

    Give us the full code damnit.........
     
  5. zx_81

    I can give you the code of an encrypted theme. Here's one I just pulled off the net. What would you do to decode this?
    PHP:
    <?php $_F=__FILE__;$_X='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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
    It's different to the other theme but the idea is still the same.

    btw, I got this one from here -
    Code:
    http://www.free*wordpresstheme*.info/2008/10/06/free-wordpress-theme-powerp/
     
  6. HeXeR

    Your code...

    PHP:

    <?php

    $_F=__FILE__;
    $_X='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';

    eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));

    ?>

    now try this:


    PHP:

    <?php

    $_F=__FILE__;
    $_X='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';

    echo '<!-- blah start blah -->';
    echo base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==');
    echo '<!-- blah end blah -->';

    ?>

    Save and execute the script, then look at the source code in your browser; the content between <!-- blah start blah --> and <!-- blah end blah --> is:
    Code:
    
    'JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='
    
    
    but decoded of course. Then you can just replace eval(base64_decode(..); with that code (between <!-- blah start blah --> and <!-- blah end blah -->).

    So, if you decode eval(base64_decode(..); you'll get ...

    PHP:

    $_X=base64_decode($_X);
    $_X=strtr($_X,'123456aouie','aouie123456');
    $_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
    eval($_R);
    $_R=0;
    $_X=0;

    Now you can see what $_X is for ... and when you decode $_X you see something like this:

    HTML:
    
    
    ?><!--END_EDITABLE-->
    </d4v>
    </d4v><d4v cl1ss="ch1nc5q34l4z5r"></d4v>
    
                <d4v cl1ss="ch1nc5q34l4z5r"></d4v><d4v cl1ss="3nd5rl4n5l4n5"></d4v><d4v cl1ss="ch1nc5q34l4z5r"></d4v>
    
              </d4v>
            </d4v>
            <d4v cl1ss="b2tt2ml4n5">
            <!--BEGIN_EDITABLE-->
              <p>C2pyr4ght &c2py; a008, <1 hr5f="<?php 5ch2 g5t_2pt42n('h2m5'); ?>"><?php bl2g4nf2('n1m5'); ?></1> All R4ghts R5s5rv5d <br>
    			P2w5r5d by <1 hr5f="http://www.w2rdpr5ss.2rg">W2rdPr5ss</1> D5s4gn by  <1 hr5f="http://www.5lyn5x.c2m">5Lyn5x</1>  C2d5d by <1 hr5f="http://www.f4r5c1s4n2s.c2m">Onl4n5 C1s4n2s</1> S3pp2rt5d by  <1 hr5f="http://m1k4ng-51sy-m2n5y-2nl4n5.4nf2/">M1k5 M2n5y Onl4n5</1></p>
            <!--END_EDITABLE-->
    
    
    
            </d4v>
          </d4v>
        </d4v>
      </d4v>
    </d4v>
    </b2dy>
    </html>
    
    
    
    and this code is then parsed with strtr and you get


    Code:
    
    
    
    ?><!--END_EDITABLE-->
    </div>
    </div><div class="chancequilizer"></div>
    
                <div class="chancequilizer"></div><div class="underlineline"></div><div class="chancequilizer"></div>
    
              </div>
            </div>
            <div class="bottomline">
            <!--BEGIN_EDITABLE-->
              <p>Copyright © 2008, <a href="<?php echo get_option("home"); ?>"><?php bloginfo("name"); ?></a> All Rights Reserved <br>
    
    			Powered by <a href="http://www.wordpress.org">WordPress</a> Design by  <a href="http://www.elynex.com">eLynex</a>  Coded by <a href="http://www.firecasinos.com">Online Casinos</a> Supported by  <a href="http://making-easy-money-online.info/">Make Money Online</a></p>
            <!--END_EDITABLE-->
    
    
            </div>
          </div>
        </div>
      </div>
    </div>
    </body>
    </html>
    
    
    
    
    your decoded footer ;)
     
    • Thanks Thanks x 1
  7. HeXeR

    And ...


    just rename footer.php to footer_backup.php, then create a new file footer.php and put this in it:

    Code:
    <!--END_EDITABLE-->
    </div>
    </div>
    
    	<div class="chancequilizer"></div><div class="chancequilizer"></div><div class="underlineline"></div><div class="chancequilizer"></div>
    
              </div>
            </div>
            <div class="bottomline">
            <!--BEGIN_EDITABLE-->
              <p>Copyright © 2008, <a href="<?php echo get_option("home"); ?>"><?php bloginfo("name"); ?></a> All Rights Reserved <br />
    
    			Powered by <a href="http://www.wordpress.org">WordPress</a></p>
            <!--END_EDITABLE-->
    
    
            </div>
          </div>
        </div>
      </div>
    </div>
    </body>
    </html>
     
    • Thanks Thanks x 1
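
The unpacking walked through in post #6 (base64 stub, then base64 payload, then the `strtr` character swap), done statically in Python so the theme file is only read as text and nothing in it is ever run. This is an added example, not code from the thread: the stub string is the one posted above, while the `$_X` payload in `SAMPLE` is constructed and the function names are hypothetical.

```python
import base64
import re

# Decoder stub exactly as posted in the thread.
STUB_B64 = ("JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScs"
            "J2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0Yu"
            "IiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==")

# Constructed sample in the same format: a scrambled footer, base64-encoded into $_X.
_SCRAMBLED = b'<d4v 4d="f22t5r">C2pyr4ght a008</d4v>'
SAMPLE = "<?php $_F=__FILE__;$_X='%s';eval(base64_decode('%s'));?>" % (
    base64.b64encode(_SCRAMBLED).decode("ascii"), STUB_B64)


def decode_stub(stub_b64):
    """Return the stub's PHP source as text. It is decoded, never evaluated."""
    return base64.b64decode(stub_b64).decode("latin-1")


def strtr_tables(stub_php):
    """Read the two strtr() alphabets out of the decoded stub."""
    m = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", stub_php)
    if m is None or len(m.group(1)) != len(m.group(2)):
        raise ValueError("no usable strtr() call in stub")
    return m.group(1), m.group(2)


def unpack(php_source):
    """Recover the hidden template from a file packed with this scheme."""
    payload = re.search(r"\$_X='([^']*)'", php_source)
    stub = re.search(r"eval\(base64_decode\('([^']*)'\)\)", php_source)
    if payload is None or stub is None:
        raise ValueError("not the $_X / eval(base64_decode()) layout")
    src, dst = strtr_tables(decode_stub(stub.group(1)))
    text = base64.b64decode(payload.group(1)).decode("latin-1")
    # PHP strtr() with two equal-length strings is a per-character mapping.
    # The stub's __FILE__ substitution is skipped: it only matters at run time.
    return text.translate(str.maketrans(src, dst))


if __name__ == "__main__":
    print(decode_stub(STUB_B64))  # review what the stub would do first
    print(unpack(SAMPLE))         # then read the recovered template
```
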