
Wordpress Base64 Encrypted Theme Plz Help. How fully decode?

Discussion in 'BlackHat Lounge' started by DeespoT, Sep 23, 2010.

  1. DeespoT

    DeespoT Newbie

    Hi.
    Please help. So far all I could decode was the base64 encoding, but I do not know. Please write down the steps to fully decode this file, because I would love to learn and have a couple of files I want to decode.

    Original CODE:

    Code:
    <?php // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited.
    $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=2288;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0VudGVyeW91d2toUkhZS05XT1VUQWFCYkNjRGRGZkdnSWlKakxsTW1QcFFxU3NWdlh4WnowMTIzNDU2Nzg5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
    
    And I have arrived at this decoding:
    Unfortunately, I do not know the other steps needed to proceed to decode it fully.
    STEP2 step1 tutorial plz help ... ---> Fully Decoded text

    Code:
    $O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);fgets($O000O0O00,4096);$OO00O00O0=(base64_decode(strtr(fread($O000O0O00,372),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);
     
  2. captchaman

    captchaman Junior Member

    I'm on mobile so I can't do it for you and I can only see a small amount of what's in the boxes. However, from what I can see (obfuscation and fopen, which is a PHP command to read a file on your server), it may be malware. If you haven't run it on your server yet then don't do so until someone can look at it. Base64 is a simple encoding which doesn't require a password or key so it's easily encrypted. Google for base64 decoder, and the base64 encoded string will start with alphanumerics and generally be all alphanumeric with "==" at the end. When I can access a PC I'll post more for you.
    Posted via Mobile Device
     
  3. captchaman

    captchaman Junior Member

    Here you go DeespoT

    forum.lowyat d0-t net/topic/556251

    Cheers
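
Added example (not part of the original thread): a static Python re-implementation of the second-stage loader decoded in the first post. It repeats the loader's file reads and its strtr/base64 step and returns the next layer as bytes for review, without passing anything to eval. The function names and the sample file are constructed for illustration; the two alphabets and the 372-byte read length are the ones shown in the post.

```python
import base64
import io
import re

# Alphabets copied from the decoded loader in the first post.
CUSTOM = "EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/="
STANDARD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Captures the fread() length and both strtr() alphabets from the loader text.
LOADER_RE = re.compile(r"fread\(\$\w+,(\d+)\),'([^']+)','([^']+)'\)")


def parse_loader(stage1):
    """Return (read_length, custom_alphabet, standard_alphabet)."""
    m = LOADER_RE.search(stage1)
    if m is None:
        raise ValueError("strtr/base64 loader pattern not found")
    return int(m.group(1)), m.group(2), m.group(3)


def extract_stage2(file_bytes, loader_line, stage1):
    """Repeat the loader's reads on a copy of the file; return the text it would eval."""
    length, custom, standard = parse_loader(stage1)
    f = io.BytesIO(file_bytes)
    for _ in range(loader_line - 1):   # PHP: while(--$line) fgets($f,1024);
        f.readline(1023)               # fgets(n) returns at most n-1 bytes
    f.readline(4095)                   # PHP: fgets($f,4096) skips the loader line
    blob = f.read(length)              # PHP: fread($f,372) in the posted sample
    # strtr() ignores the surplus of the longer string, so '=' is left unmapped.
    k = min(len(custom), len(standard))
    table = bytes.maketrans(custom[:k].encode(), standard[:k].encode())
    return base64.b64decode(blob.translate(table))


def build_sample():
    """Constructed input: a harmless payload packed the way the loader expects."""
    payload = b"echo 'constructed stage-2 payload';"
    pack = bytes.maketrans(STANDARD.encode(), CUSTOM[:64].encode())
    packed = base64.b64encode(payload).translate(pack)
    stage1 = "$s=(base64_decode(strtr(fread($f,%d),'%s','%s')));eval($s);" % (
        len(packed), CUSTOM, STANDARD)
    file_bytes = (b"<?php // constructed header line\n"
                  b"$a=__FILE__;$b=__LINE__;/* loader line */return;?>\n"
                  + packed + b"REMAINING-ENCODED-BODY")
    return file_bytes, 2, stage1, payload


if __name__ == "__main__":
    data, line, stage1, expected = build_sample()
    print(extract_stage2(data, line, stage1).decode())
```

For a real sample, pass the untouched file bytes, the line number the loader sits on (the value `__LINE__` would have), and the stage-1 text obtained by base64-decoding the string inside the first `eval`.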