Waraxe IT Security Portal
Login or Register
November 22, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 102
Members: 0
Total: 102
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PHP script decode requests -> Help on decoding Footer
Post new topicReply to topic View previous topic :: View next topic
Help on decoding Footer
PostPosted: Fri Jul 24, 2009 4:47 am Reply with quote
LowMan
Beginner
Beginner
Joined: Jul 24, 2009
Posts: 1




Could someone decode this for me?
Quite annoying.

Trying to use the instruction fins on the net. No luck.
Seems that the file is encoded twice.

There are two files, the index file and the footer file.

Posting both of them now:

Index.php:
Code:
<?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
$o="QAAAOzh3b3cnYGJzWG9iZmNidQAQLy48Jzg5Cg0KDScAEDtjbnEAByduYzolZGhpc2JpcyUBoAFw
ADLhEAIjALECZmpmbmkCOw4ODgYjbmEnLwABb2ZxYlh3aHRzdC8uLic9BoLgnwQBAEUCo3BvbmtiAt9zb
wPDChMDNQCCCKfwEADyAFABLwpCZGtmdHQ6JQSwZWtoYMBtCKEHM3RzbmRsflgB8gYDJQ9iAiEqAjOJbA
NAWE5DAdQ5JwYfDgE/CJAnB4kE8WNiPgBzdBI5AAAAJwRvBGEAQTtmJ291YmE6JYAICRd3YnVqZmtuaWwvLhTQJGRoP+BqahpQ
Bg8D8QBICU0DjwAACicH0wMlWGlyamWAmSNQIDcgKycgNgBRIiAkJAAADCc7KCWQx4UkyAAAACc7KGYB7
wwmEk8BtTtvNTkSj1gSiwApJSdzbnNrYjolVxPxaRMgJ0sUQA4AJ3NoJw3jHsECMlhmc3N1bmVyc3n4Yh
+VAhwBcwrhOygHsAmfCZUBrwGlGNljZnMQAGIlOQZJamIvIEEnbVQrJ14ggEEeQSc7JioqJ2V+CqhmcnN
vaDuAh/8gICcqKjkVvwalAIMIrwGBA28BYQBDAy8BgQuJm+IUMHV+LW8CcScysEBQADANd0TULyBERWBuBH9pcm
InVUfAbmlgI78EMwBlCK8BoQvPAWHw8weRAAAAJwKjFENiaWMnHpBAlROxBfcKDQsWAoB8PnBJIVFzBaM
AYw0TYmt0YkzCAVEEJwDhAhRpHQBjbmED4wH8MEAnR0I6JXdmYGJpZjwDcW4UXQMrBVIDaGZrbmBpa2Jh
WYAGwwoiaWJ/c1YjWEFyIEhrXUAnQmkscGJ+EHQkIhBDBY8BLx4pBqJ1bmBvBrZ3dWJxCD9uaHJ0BvpJYnBidQb/PM8hYAzRAEUJU/z4AOJntQDRAXQvQhiAJ2pmABqdAoEAQRATbmlkAABrcmNiJy9TQkpXS0ZTQldGAAFTTycpJyAodG5jYm
VmdSofEX5hKW9AJs0QAwctKrQHUwoNBlNy4WFoaHNPkIAATsI=";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpH
VmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ
2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3
hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGx
sbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214
bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsb
GwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKT
w8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGx
sbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxs
bGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrX
SkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJG
xsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0
oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10p
KzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsb
GxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbG
xsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31
ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtl
dmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pa
zciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbG
xsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2J
HeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIp
KTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>


Footer.php:
Code:
<?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
$o="QAAADjs4d293J25pZGtyY2InLwAAU0JKV0tGU0JXRlNPJyknIAABKGFiZnNydWJjKmFoaHMpAsAA
QCAuPCc4OQoNDgAwO2NucSduEUBjOiUB0WJ1JQFwJwAUO281OURoAIB3fnVuYG9zJwZjYmRvaCdjZgMAc
2IvJV4lBHIBlGVraGBuaWFoAgEvIGlmamIGIycqJ0ZraydVBAEACXQnVWJ0YnVxYmM7KAWACg0GVAAAJz
t3OVNvYiclRGZhYidXdQAAYnR0JSdzb2JqYidlfj0nOwAAZidvdWJhOiVvc3N3PSgocAEFcHApcG5kbAz
gcGh1Y3cDASoC8gIAdClkaGooA8Buc2tiOiVBdWIUsGInUAI1JwYwamIFoDkBjwGAOyhmOQwAJ2ZpYwb/BvB3dWhtYmRzaWZzFExma2ANwHUGkSU5VwFzJ0kBgQQROyhOQHcT1DsoFVAAxA5xCg0BIyc7JioqJ0AO
YgaAcHVmd3didScqKgJwAfAcInARMHdYYRogYnUvFZIKDQGVF1JgYnNYAABod3NuaGkvIGBoaGBrYlhmA
OBpZmt+c25kdBbzAxIGIFxuYSdOCABCJzFaBcA7dGR1bndzJ3N+d4AiEVBzYn9zKG1mcWYBYyU5JyAgKA
AELUtoZmMnbVZyYnV+JwPAaWgAEHMnZmt1YmZjfidrAbBiYy0opAABgC8EQWhhApU6OicgcmljYmFuAAB
pYmMgLnwnY2hkcmpiaXMpGSBwdW4iAQe6WyUHzFslEaB0dWQ6W4IwHbVmbWZ/KQ2jZnduHPMBQShrbmUIEHQobXYJ8Sg2KTQpNQDUKWpuaQAUKW10WyU5OyglLCUNQzkpYXFmAAB1J1hY
aWhkaGlha25kcyc6AMAnc3VyYjwneg8RAeFOQjFSV0MAFEZTQlhIV1NOSElUAjB8ENAOboBEA0B0WHdmc
289JwmldHNmFmApbgwCYjFydy/BIBEob2h0c2JjKAFWKACvbmpmYGJ0KCUEYHoboCgJBACwAKMYT585GaElJxBRBq8GrwaoCJZtdA/RBgMe4SZcJeAQQG5hWiWFKGVoY34BkShvc2prOQ==";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpH
VmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ
2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3
hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGx
sbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214
bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsb
GwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKT
w8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGx
sbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxs
bGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrX
SkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJG
xsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0
oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10p
KzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsb
GxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbG
xsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31
ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtl
dmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pa
zciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbG
xsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2J
HeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIp
KTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>


Thanks guys. I hope someone in this forum can handle this.. Smile Cheers m8!
View user's profile Send private message
PostPosted: Fri Jul 24, 2009 5:35 am Reply with quote
Barney
Regular user
Regular user
Joined: Jul 16, 2009
Posts: 7




Index.php

Code:
<?php get_header(); ?>

<div id="content">

<div id="main">

<?php if (have_posts()) : ?>
<?php while (have_posts()) : the_post(); ?>

<div class="theblogpost<?php sticky_class(); ?>" id="post-<?php the_ID(); ?>">

<div class="postdets">

<a href="<?php the_permalink() ?>#comments">
<div class="postcomments">

<?php comments_number('0', '1', '%'); ?>
</div>
</a>

<h2><a href="<?php the_permalink() ?>" title="Permanent Link to <?php the_title_attribute(); ?>"><?php the_title(); ?></a></h2>

<div class="date"><?php the_time('F jS, Y') ?> <!-- by <?php the_author() ?> --></div>

</div>

<div class="entry">

<?php the_content('Continue Reading'); ?>


</div>

</div> <!-- end theblogpost -->

<?php endwhile; ?>
<?php else : ?>
<?php endif; ?>

<div class="pagenavi">

<div class="alignleft"><?php next_posts_link('Older Entries') ?></div>

<div class="alignright"><?php previous_posts_link('Newer Entries') ?></div>


</div>

</div> <!-- end main -->

<?php include (TEMPLATEPATH . '/sidebar-blog.php'); ?>

</div> <!-- end content -->

<?php get_footer(); ?>



Footer.php

Code:
<?php include (TEMPLATEPATH . '/featured-foot.php'); ?>

<div id="footer">
<h2>Copyright <?php echo date("Y"); ?> <?php bloginfo('name'); ?> - All Rights Reserved</h2>
<p>The "Cafe Press" theme by: <a href="http://www.wicked-wordpress-themes.com/" title="Free Wordpress Themes" >Free Wordpress Themes</a> and <a href="http://www.projectnatalgamer.com">Project Natal</a></p>

</div>

</div> <!-- end wrapper -->

<?php wp_footer(); ?>

<?php echo get_option('google_analytics'); ?>

<!--[if IE 6]>
<script type="text/javascript">
/*Load jQuery if not already loaded*/ if(typeof jQuery == 'undefined'){ document.write("<script type=\"text/javascript\" src=\"http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js\"></"+"script>"); var __noconflict = true; }
var IE6UPDATE_OPTIONS = {
icons_path: "http://static.ie6update.com/hosted/ie6update/images/"
}
</script>
<script type="text/javascript" src="http://static.ie6update.com/hosted/ie6update/ie6update.js"></script>
<![endif]-->

</body>
</html>
View user's profile Send private message
decoding???
PostPosted: Fri Jul 24, 2009 8:32 am Reply with quote
nitestryker
Beginner
Beginner
Joined: Jul 24, 2009
Posts: 1




Barney,

I am curious what did you use to decode that?
View user's profile Send private message ICQ Number
Re: decoding???
PostPosted: Sat Jul 25, 2009 6:56 am Reply with quote
Barney
Regular user
Regular user
Joined: Jul 16, 2009
Posts: 7




nitestryker wrote:
Barney,

I am curious what did you use to decode that?


My PC and a text editor. Wink Let me explain.

This is the most common type of obfuscation I've seen used in WordPress themes. I have several WP installs running locally via XAMPP for testing etc so my PC is already setup to run PHP.

1. Take this code and save it as a PHP file. Call it whatever you want such as coded.php
2. Using a plain text editor (in this example I'll be using TextPad with regular expressions enabled) run a search & replace - find all semi-colons and replace with semi-colon followed by a carriage return like so... ; with ;\n
3. You'll end up with 3 lines of code. The 2nd line starts with eval. Change that to echo.
4. Run the file.
5. The result will be a long line of code containing gibberish that looks like $lllll
6. Replace the entire echo line with that long line of gibberish. Make sure you only replace the echo line, nothing else.
7. Once again do a search & replace. Replace each semi-colon with a semi-colon followed by a carriage return.
8. You'll get a bunch more code. At the end of that code you'll see something like eval($lllllll)
9. Replace that eval with echo.
10. Run the file again.
11. View source.
View user's profile Send private message
Help on decoding Footer
www.waraxe.us Forum Index -> PHP script decode requests
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.054 Seconds