 |
|
 |
 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 184
 Members: 0
 Total: 184
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Help on decoding Footer |
|
 Posted: Fri Jul 24, 2009 4:47 am |
 |
|
| LowMan |
| Beginner |
 |
| |
| Joined: Jul 24, 2009 |
| Posts: 1 |
|
|
|
 |
|
 |
|
Could someone decode this for me?
Quite annoying.
Trying to use the instruction fins on the net. No luck.
Seems that the file is encoded twice.
There are two files, the index file and the footer file.
Posting both of them now:
Index.php:
| Code: | <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
$o="QAAAOzh3b3cnYGJzWG9iZmNidQAQLy48Jzg5Cg0KDScAEDtjbnEAByduYzolZGhpc2JpcyUBoAFw
ADLhEAIjALECZmpmbmkCOw4ODgYjbmEnLwABb2ZxYlh3aHRzdC8uLic9BoLgnwQBAEUCo3BvbmtiAt9zb
wPDChMDNQCCCKfwEADyAFABLwpCZGtmdHQ6JQSwZWtoYMBtCKEHM3RzbmRsflgB8gYDJQ9iAiEqAjOJbA
NAWE5DAdQ5JwYfDgE/CJAnB4kE8WNiPgBzdBI5AAAAJwRvBGEAQTtmJ291YmE6JYAICRd3YnVqZmtuaWwvLhTQJGRoP+BqahpQ
Bg8D8QBICU0DjwAACicH0wMlWGlyamWAmSNQIDcgKycgNgBRIiAkJAAADCc7KCWQx4UkyAAAACc7KGYB7
wwmEk8BtTtvNTkSj1gSiwApJSdzbnNrYjolVxPxaRMgJ0sUQA4AJ3NoJw3jHsECMlhmc3N1bmVyc3n4Yh
+VAhwBcwrhOygHsAmfCZUBrwGlGNljZnMQAGIlOQZJamIvIEEnbVQrJ14ggEEeQSc7JioqJ2V+CqhmcnN
vaDuAh/8gICcqKjkVvwalAIMIrwGBA28BYQBDAy8BgQuJm+IUMHV+LW8CcScysEBQADANd0TULyBERWBuBH9pcm
InVUfAbmlgI78EMwBlCK8BoQvPAWHw8weRAAAAJwKjFENiaWMnHpBAlROxBfcKDQsWAoB8PnBJIVFzBaM
AYw0TYmt0YkzCAVEEJwDhAhRpHQBjbmED4wH8MEAnR0I6JXdmYGJpZjwDcW4UXQMrBVIDaGZrbmBpa2Jh
WYAGwwoiaWJ/c1YjWEFyIEhrXUAnQmkscGJ+EHQkIhBDBY8BLx4pBqJ1bmBvBrZ3dWJxCD9uaHJ0BvpJYnBidQb/PM8hYAzRAEUJU/z4AOJntQDRAXQvQhiAJ2pmABqdAoEAQRATbmlkAABrcmNiJy9TQkpXS0ZTQldGAAFTTycpJyAodG5jYm
VmdSofEX5hKW9AJs0QAwctKrQHUwoNBlNy4WFoaHNPkIAATsI=";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpH
VmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ
2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3
hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGx
sbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214
bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsb
GwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKT
w8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGx
sbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxs
bGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrX
SkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJG
xsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0
oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10p
KzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsb
GxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbG
xsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31
ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtl
dmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pa
zciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbG
xsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2J
HeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIp
KTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?> |
Footer.php:
| Code: | <?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
$o="QAAADjs4d293J25pZGtyY2InLwAAU0JKV0tGU0JXRlNPJyknIAABKGFiZnNydWJjKmFoaHMpAsAA
QCAuPCc4OQoNDgAwO2NucSduEUBjOiUB0WJ1JQFwJwAUO281OURoAIB3fnVuYG9zJwZjYmRvaCdjZgMAc
2IvJV4lBHIBlGVraGBuaWFoAgEvIGlmamIGIycqJ0ZraydVBAEACXQnVWJ0YnVxYmM7KAWACg0GVAAAJz
t3OVNvYiclRGZhYidXdQAAYnR0JSdzb2JqYidlfj0nOwAAZidvdWJhOiVvc3N3PSgocAEFcHApcG5kbAz
gcGh1Y3cDASoC8gIAdClkaGooA8Buc2tiOiVBdWIUsGInUAI1JwYwamIFoDkBjwGAOyhmOQwAJ2ZpYwb/BvB3dWhtYmRzaWZzFExma2ANwHUGkSU5VwFzJ0kBgQQROyhOQHcT1DsoFVAAxA5xCg0BIyc7JioqJ0AO
YgaAcHVmd3didScqKgJwAfAcInARMHdYYRogYnUvFZIKDQGVF1JgYnNYAABod3NuaGkvIGBoaGBrYlhmA
OBpZmt+c25kdBbzAxIGIFxuYSdOCABCJzFaBcA7dGR1bndzJ3N+d4AiEVBzYn9zKG1mcWYBYyU5JyAgKA
AELUtoZmMnbVZyYnV+JwPAaWgAEHMnZmt1YmZjfidrAbBiYy0opAABgC8EQWhhApU6OicgcmljYmFuAAB
pYmMgLnwnY2hkcmpiaXMpGSBwdW4iAQe6WyUHzFslEaB0dWQ6W4IwHbVmbWZ/KQ2jZnduHPMBQShrbmUIEHQobXYJ8Sg2KTQpNQDUKWpuaQAUKW10WyU5OyglLCUNQzkpYXFmAAB1J1hY
aWhkaGlha25kcyc6AMAnc3VyYjwneg8RAeFOQjFSV0MAFEZTQlhIV1NOSElUAjB8ENAOboBEA0B0WHdmc
289JwmldHNmFmApbgwCYjFydy/BIBEob2h0c2JjKAFWKACvbmpmYGJ0KCUEYHoboCgJBACwAKMYT585GaElJxBRBq8GrwaoCJZtdA/RBgMe4SZcJeAQQG5hWiWFKGVoY34BkShvc2prOQ==";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpH
VmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ
2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3
hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGx
sbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214
bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsb
GwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKT
w8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGx
sbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxs
bGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrX
SkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJG
xsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0
oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10p
KzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsb
GxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbG
xsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31
ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtl
dmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pa
zciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbG
xsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2J
HeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIp
KTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?> |
Thanks guys. I hope someone in this forum can handle this..  Cheers m8! |
|
|
|
|
|
|
|
|
| Posted: Fri Jul 24, 2009 5:35 am |
|
|
| Barney |
| Regular user |
|
| |
| Joined: Jul 16, 2009 |
| Posts: 7 |
|
|
|
|
|
|
|
Index.php
| Code: | <?php get_header(); ?>
<div id="content">
<div id="main">
<?php if (have_posts()) : ?>
<?php while (have_posts()) : the_post(); ?>
<div class="theblogpost<?php sticky_class(); ?>" id="post-<?php the_ID(); ?>">
<div class="postdets">
<a href="<?php the_permalink() ?>#comments">
<div class="postcomments">
<?php comments_number('0', '1', '%'); ?>
</div>
</a>
<h2><a href="<?php the_permalink() ?>" title="Permanent Link to <?php the_title_attribute(); ?>"><?php the_title(); ?></a></h2>
<div class="date"><?php the_time('F jS, Y') ?> <!-- by <?php the_author() ?> --></div>
</div>
<div class="entry">
<?php the_content('Continue Reading'); ?>
</div>
</div> <!-- end theblogpost -->
<?php endwhile; ?>
<?php else : ?>
<?php endif; ?>
<div class="pagenavi">
<div class="alignleft"><?php next_posts_link('Older Entries') ?></div>
<div class="alignright"><?php previous_posts_link('Newer Entries') ?></div>
</div>
</div> <!-- end main -->
<?php include (TEMPLATEPATH . '/sidebar-blog.php'); ?>
</div> <!-- end content -->
<?php get_footer(); ?> |
Footer.php
| Code: | <?php include (TEMPLATEPATH . '/featured-foot.php'); ?>
<div id="footer">
<h2>Copyright <?php echo date("Y"); ?> <?php bloginfo('name'); ?> - All Rights Reserved</h2>
<p>The "Cafe Press" theme by: <a href="http://www.wicked-wordpress-themes.com/" title="Free Wordpress Themes" >Free Wordpress Themes</a> and <a href="http://www.projectnatalgamer.com">Project Natal</a></p>
</div>
</div> <!-- end wrapper -->
<?php wp_footer(); ?>
<?php echo get_option('google_analytics'); ?>
<!--[if IE 6]>
<script type="text/javascript">
/*Load jQuery if not already loaded*/ if(typeof jQuery == 'undefined'){ document.write("<script type=\"text/javascript\" src=\"http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js\"></"+"script>"); var __noconflict = true; }
var IE6UPDATE_OPTIONS = {
icons_path: "http://static.ie6update.com/hosted/ie6update/images/"
}
</script>
<script type="text/javascript" src="http://static.ie6update.com/hosted/ie6update/ie6update.js"></script>
<![endif]-->
</body>
</html> |
|
|
|
|
|
|
|
decoding??? |
|
| Posted: Fri Jul 24, 2009 8:32 am |
|
|
| nitestryker |
| Beginner |
|
| |
| Joined: Jul 24, 2009 |
| Posts: 1 |
|
|
|
|
|
|
|
Barney,
I am curious what did you use to decode that? |
|
|
|
|
|
Re: decoding??? |
|
| Posted: Sat Jul 25, 2009 6:56 am |
|
|
| Barney |
| Regular user |
|
| |
| Joined: Jul 16, 2009 |
| Posts: 7 |
|
|
|
|
|
|
|
| nitestryker wrote: | Barney,
I am curious what did you use to decode that? |
My PC and a text editor.  Let me explain.
This is the most common type of obfuscation I've seen used in WordPress themes. I have several WP installs running locally via XAMPP for testing etc so my PC is already setup to run PHP.
1. Take this code and save it as a PHP file. Call it whatever you want such as coded.php
2. Using a plain text editor (in this example I'll be using TextPad with regular expressions enabled) run a search & replace - find all semi-colons and replace with semi-colon followed by a carriage return like so... ; with ;\n
3. You'll end up with 3 lines of code. The 2nd line starts with eval. Change that to echo.
4. Run the file.
5. The result will be a long line of code containing gibberish that looks like $lllll
6. Replace the entire echo line with that long line of gibberish. Make sure you only replace the echo line, nothing else.
7. Once again do a search & replace. Replace each semi-colon with a semi-colon followed by a carriage return.
8. You'll get a bunch more code. At the end of that code you'll see something like eval($lllllll)
9. Replace that eval with echo.
10. Run the file again.
11. View source. |
|
|
|
|
|
www.waraxe.us Forum Index -> PHP script decode requests
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|
