WordPress Base64 Encrypted Theme Plz Help. How to fully decode?

Discussion in 'BlackHat Lounge' started by DeespoT, Sep 23, 2010.

  1. DeespoT

    DeespoT (Newbie) | Joined: Sep 23, 2010 | Messages: 0 | Likes Received: 0

    Hi.
    Please help. So far, all I could decode is the base64 encoding, but beyond that I do not know. Please write down the steps to fully decode this file, because I would love to learn and I have a couple of files I want to decode.

    Original CODE:

    Code:
    <?php // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited.
    $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=2288;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0VudGVyeW91d2toUkhZS05XT1VUQWFCYkNjRGRGZkdnSWlKakxsTW1QcFFxU3NWdlh4WnowMTIzNDU2Nzg5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
    
    And I have arrived at this decoding:
    Unfortunately, I do not know the other steps needed to proceed and decode it fully.
    STEP2 step1 tutorial plz help ... ---> Fully Decoded text

    Code:
    $O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);fgets($O000O0O00,4096);$OO00O00O0=(base64_decode(strtr(fread($O000O0O00,372),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);
     
  2. captchaman

    captchaman (Junior Member) | Joined: Sep 16, 2010 | Messages: 190 | Likes Received: 843 | Occupation: Software Programmer | Location: USA

    I'm on mobile so I can't do it for you, and I can only see a small amount of what's in the boxes. However, from what I can see (obfuscation and fopen - which is a PHP command to read a file on your server) - it may be malware. If you haven't run it on your server yet, then don't do so until someone can look at it. Base64 is a simple encoding which doesn't require a password or key so it's easily encrypted. Google for base64 decoder and the base64 encoded string will start with alphanumerics and generally be all alphanumeric with "==" at the end. When I can access a PC I'll post more for you.
    Posted via Mobile Device
     
  3. captchaman

    Here you go DeespoT

    forum.lowyat d0-t net/topic/556251

    Cheers
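
The two layers quoted in the first post can be unwrapped statically, without ever running the file on a server. The Python below is an added example, not part of the thread: `unwrap`, `php_strtr` and `build_sample` are hypothetical names, and because the thread does not include the 372-byte body that follows the loader line, the sample file is constructed around a harmless payload.

```python
import base64, io, re

# Alphabets copied from the second-stage code quoted in the first post.
PAGE_SRC = b"EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/="
PAGE_DST = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def php_strtr(data, src, dst):
    # PHP strtr() ignores the surplus characters of the longer string
    # (here the trailing '=' of the 65-character source alphabet).
    n = min(len(src), len(dst))
    return data.translate(bytes.maketrans(src[:n], dst[:n]))

def unwrap(file_bytes):
    """Return (stage 2, stage 3) source text; nothing is ever eval()'d."""
    lines = file_bytes.split(b"\n")
    # Loader line = the one that records __LINE__ (1-based, as PHP counts).
    loader_line = next(i for i, ln in enumerate(lines, 1) if b"__LINE__" in ln)
    m = re.search(rb"base64_decode\('([A-Za-z0-9+/=]+)'\)", lines[loader_line - 1])
    stage2 = base64.b64decode(m.group(1))
    # Stage 2 states its own read length and both alphabets.
    m = re.search(rb"fread\(\$\w+,(\d+)\),'([^']+)','([^']+)'", stage2)
    length, src, dst = int(m.group(1)), m.group(2), m.group(3)
    f = io.BytesIO(file_bytes)
    for _ in range(loader_line - 1):  # while(--$line) fgets($h,1024);
        f.readline(1023)              # fgets(n) returns at most n-1 bytes
    f.readline(4095)                  # fgets($h,4096): the loader line itself
    blob = f.read(length)             # fread($h,372) in the thread's file
    stage3 = base64.b64decode(php_strtr(blob, src, dst))
    return stage2.decode("latin-1"), stage3.decode("latin-1")

def build_sample(payload):
    """Constructed test file: the thread's loader layout, harmless payload."""
    blob = php_strtr(base64.b64encode(payload), PAGE_DST, PAGE_SRC)  # inverse map
    stage2 = (b"$h=fopen($f,'rb');while(--$n)fgets($h,1024);fgets($h,4096);"
              b"$c=(base64_decode(strtr(fread($h,%d),'%s','%s')));eval($c);"
              % (len(blob), PAGE_SRC, PAGE_DST))
    loader = (b"$f=__FILE__;$n=__LINE__;eval((base64_decode('%s')));return;?>"
              % base64.b64encode(stage2))
    return b"<?php // header\n" + loader + b"\n" + blob

if __name__ == "__main__":
    for stage in unwrap(build_sample(b'echo "constructed sample";')):
        print(stage, end="\n\n")
```

On a real file, read it in binary mode and pass the bytes to `unwrap`; if the recovered stage 3 is itself another loader, it has to be read and decoded by hand in the same way.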