Decode base64 encrypted PHP WordPress Theme files

[Update]: A new version of this guide has been posted at Guide to decode based64 encrypted WordPress theme. I have introduced a trick so that you are no longer required to use an online base64 decoder. It’s even more straightforward. Have fun! :)

I really like the theme I am using right now; it’s called WP-Chatter Basic. I was actually hoping to make some modifications to the theme itself, so I checked the source files that I have. The root folder contains index.php, index1.php, index2.php and index3.php. Interestingly, index.php and the footer have been encrypted. I don’t think anyone on earth can understand the code, and I worried that the encrypted code might contain something harmful to my site visitors. So I spent an hour and got the index decoded. Before you work on it, make sure you have a basic PHP background so that you can at least understand the structure of this program.

All the code is enclosed by <?php and ?> tags. These two tags simply mark the code in between as PHP code.

Now we look at what’s inside:

$_F=__FILE__;

This is the first line. It saves the path of the current file in $_F, which only comes up again at the very end, so it’s not very important and I didn’t pay much attention to it.

$_X='PzNhP21abTRjLlNBMC40JFNtb09TREw7NHVTbk0wSFo0KCRTbW9PU0RMNDBMNCRwMC5KTSk0S
zRPdTQoY01vX0xNb29PRGNMKDQkcDAuSk1nJ09FJ040KTRmZmY0d1JxNkIpNEs0JCRwMC5KTWcnT0U
nTjRmNCRwMC5KTWcnTG9FJ047NFQ0TS5MTTRLNCQkcDAuSk1nJ09FJ040ZjRjTW9fTE1vb09EY0woN
CRwMC5KTWcnT0UnTjQpOzRUNFQ0PzMNYg1iYT9tWm00T3U0KDQkXW1fSFowb29Nbl91TTBvSm5NTF9
TRDRmZjQnNU1MJzQmJjQkXW1fSFowb29Nbl9aUyBNX21TTG9MX0E1X0gwbzRmZjQnNU1MJzQmJjQkX
W1fSFowb29Nbl91TTBvSm5NX0VPTG0uMDU0ZmY0J1ZPTG0uMDU0Nk1tMG4wb00uNSc0KTRLND8zDWJ
hP21abTRPREguSkVNNChbQjd0cVJbQnRSW1A0WDQneU9ERU09c1htWm0nKTs0PzMNYmE/bVptNFQ0T
S5MTU91NCg0JF1tX0haMG9vTW5fdU0wb0puTUxfU0Q0ZmY0JzVNTCc0JiY0JF1tX0haMG9vTW5fWlM
gTV9tU0xvTF9BNV9IMG80ZmY0JzVNTCc0JiY0JF1tX0haMG9vTW5fdU0wb0puTV9FT0xtLjA1NGZmN
CdWT0xtLjA1NE9ENDkuT0VNbic0KTRLND8zDWJhP21abTRPREguSkVNNChbQjd0cVJbQnRSW1A0WDQ
neU9ERU09elhtWm0nKTs0PzMNYmE/bVptNFQ0TS5MTU91NCg0JF1tX0haMG9vTW5fdU0wb0puTUxfU
0Q0ZmY0J0RTJzQmJjQkXW1fSFowb29Nbl9aUyBNX21TTG9MX0E1X0gwbzRmZjQnNU1MJzQpNEs0PzM
NYmE/bVptNE9ESC5KRU00KFtCN3RxUltCdFJbUDRYNCd5T0RFTT16WG1abScpOzQ/Mw1iYT9tWm00V
DRNLkxNNEs0PzMNYmE/bVptNE9ESC5KRU00KFtCN3RxUltCdFJbUDRYNCd5T0RFTT17WG1abScpOzQ
/Mw1iYT9tWm00VDQ/Mw==';

(Note: I wrapped the code a little for readability. In the original file it is all on one line.)

This is actually the main body of the code, but you are not able to understand what it means yet. We will break it down very soon.

$_D=strrev('edoced_46esab');
eval($_D('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCdPL2JwdXcza002QjJ0
eEQxLlJvWF1sVlkgPkpBRUdUZno3SwpRSD1qc31acVVjZTh2NW5tPFs5YTRpMENyV3tOZ2hkSUxQeV
NGJywnaUMKdmZGPnplU0U3UDVucWxBdC53V0RPbUt1YmRVfT0zTXtSa2N4OTJKaExaZ1gwNnlycFFU
RzwgVmFqSUIxXVtZNDhzSC9vTicpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIi
ciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));

It’s very interesting that they actually use the “strrev” function. If you look at what this function does, it simply reverses your string and returns it:

<?php
echo strrev("Hello world!"); // outputs "!dlrow olleH"
?>

So now we know that $_D=strrev('edoced_46esab') actually sets $_D to “base64_decode”. We can then replace $_D with base64_decode in the following line, the one enclosed in eval().

After this I had to leave the work to the computers. Luckily I found some very good base64 decoders online; here is the one that I used: Base64 Decoder. Just copy everything inside $_D('encoded_text'), that is, the red part of the code, and paste it into the decode box like I did.

Once you hit decode, you should be able to see the decrypted code:

$_X=base64_decode($_X);$_X=strtr($_X,'O/bpuw3kM6B2txD1.RoX]lVY >JAEGTfz7K
QH=js}ZqUce8v5nm<[9a4i0CrW{NghdILPySF','iC
vfF>zeSE7P5nqlAt.wWDOmKubdU}=3M{Rkcx92JhLZgX06yrpQTG< VajIB1][Y48sH/oN');
$_R=str_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);$_R=0;$_X=0;

Now the code makes sense to me. First the programmer assigns the encoded PHP main body to $_X, then uses base64_decode to transform it. Next, strtr swaps the characters in $_X according to the two strings, and last but not least, str_replace substitutes the file path for __FILE__ to produce $_R. The final step is eval($_R). They even reset $_R and $_X to 0 so that you cannot simply output them afterwards. But who cares? If you know a bit of PHP, you will see that $_R is actually the program itself: simply change eval($_R) to echo $_R, and PHP will output the program for you.

When I did that and refreshed my WordPress, I only saw a closing PHP tag, “?>”. Don’t worry: use your browser to view the page source, and the whole index.php is right there. Just copy the source code and replace everything in index.php with it. Now when you go and look at your WordPress, nothing should have changed, but at least now you understand what index.php is doing.
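
The same unpacking can be done statically, so that nothing from the theme is ever executed. The Python code below is an added example, not code from the original post: decode_theme, build_sample and still_packed are hypothetical helper names, the two substitution strings are copied from the decoded loader shown above, and the packed sample is constructed inline rather than taken from the theme.

```python
import base64
import re

# Substitution strings copied from the decoded loader shown in the post.
# Each holds one real newline, which is easy to lose when copying by hand.
FROM = b"O/bpuw3kM6B2txD1.RoX]lVY >JAEGTfz7K\nQH=js}ZqUce8v5nm<[9a4i0CrW{NghdILPySF"
TO = b"iC\nvfF>zeSE7P5nqlAt.wWDOmKubdU}=3M{Rkcx92JhLZgX06yrpQTG< VajIB1][Y48sH/oN"


def build_sample(payload: bytes) -> bytes:
    """Constructed input: pack a payload the way the post's loader expects."""
    body = base64.b64encode(payload.translate(bytes.maketrans(TO, FROM)))
    loader = (b"$_X=base64_decode($_X);$_X=strtr($_X,'" + FROM + b"','" + TO + b"');"
              b"$_R=str_replace('__FILE__',\"'\".$_F.\"'\",$_X);eval($_R);$_R=0;$_X=0;")
    return (b"<?php $_F=__FILE__;$_X='" + body + b"';$_D=strrev('edoced_46esab');"
            b"eval($_D('" + base64.b64encode(loader) + b"'));?>")


def decode_theme(source: bytes, file_name: bytes = b"index.php") -> bytes:
    """Recover the hidden PHP without eval-ing any of the theme's code."""
    body = re.search(rb"\$_X='([^']*)'", source)
    stage = re.search(rb"\$_D\('([^']*)'\)", source)
    if not (body and stage):
        raise ValueError("not the $_X / $_D packer described in the post")
    loader = base64.b64decode(stage.group(1))  # b64decode skips line wraps
    maps = re.search(rb"strtr\(\$_X,'([^']*)','([^']*)'\)", loader)
    if not maps:
        raise ValueError("loader does not use the strtr step")
    frm, to = maps.groups()
    n = min(len(frm), len(to))  # PHP strtr ignores the excess of the longer string
    plain = base64.b64decode(body.group(1)).translate(bytes.maketrans(frm[:n], to[:n]))
    return plain.replace(b"__FILE__", b"'" + file_name + b"'")


def still_packed(php: bytes) -> bool:
    """True when the recovered code hides another eval/base64 layer."""
    return re.search(rb"eval\s*\(|base64_decode|strrev\s*\(", php) is not None


if __name__ == "__main__":
    sample = build_sample(b"?><?php include(dirname(__FILE__).'/index1.php'); ?>")
    code = decode_theme(sample)
    print(code.decode())
    print("needs another pass:", still_packed(code))
```

Because the substitution strings are read out of the loader itself, the embedded newlines survive intact and a theme packed with different strings decodes the same way.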

In my case, decrypting the code didn’t help much other than letting me know that this main index.php is actually a template selector. I must say, though, that developers who encode their source code are just trying to protect their copyright, especially when the footer file is encrypted. However, in some cases, encrypted footer files could include something harmful. If you are not aware of it, your website could be affected, or could even help the bad guys spread viruses online.

Post Note:

Using the same method, you could decode footer.php as well. I really don’t understand why the theme designer would encrypt index.php, if the point of encrypting footer.php was to protect the copyright. However, I didn’t remove the copyright info, because I really respect the work they have done and they should get the credit for this WordPress theme.


Filed Under: General

Comments (31)

  1. Eric says:

    $_X=strtr($_X,'O/bpuw3kM6B2txD1.RoX]lVY >JAEGTfz7K
    QH=js}ZqUce8v5nm<[9a4i0CrW{NghdILPySF','iC
    vfF>zeSE7P5nqlAt.wWDOmKubdU}=3M{Rkcx92JhLZgX06yrpQTG< VajIB1][Y48sH/oN');

    There are two line breaks, after "JAEGTfz7K" and "iC", so strtr can't work properly.

    Now I use "#" to replace the line break, and before echo $_R, I use str_replace( '#', '', $_R ). I was wondering if there exists a much better way to solve it.

    // Windows + Appserv

    Rockia Reply:

    Can you send me the file? I will do it for you and show you how to do it.

  2. Sally says:

    Hi very interesting post, you’re the master!!! But the last paragraph is still not clear, it would be nice if you at the end add your full php code that you put and open to view at your browser.

    I have done till this, so it’s not clear what to do next in my code and how code should look in the end, please reply me back into my email. Thank you!:

    $_X=base64_decode($_X);$_X=strtr($_X,'SgPO9YZWFKmqyfxcjLJRzuM5vNts1b.{B4nC]i/2Dl0EheA
    [d8=Qp>VXo H}6GIw7ka3TrU<','=R9odmplAEPyk8gv[53xrMezqZHi7YhWCcX}1N/afj6]JtuS
    .BUnwVKLQO20ITF4b');$_R=str_replace('__FILE__',"'".$_F."'",$_X);echo($_R);$_R=0;$_X=0;

    Rockia Reply:

    Hi Sally, thanks for your interest.
    If you would like to decode the original $_X, you will need to send me the whole encrypted source file; otherwise we won’t be able to get anything because your $_X is not defined.

  3. alex says:

    Hi Rockia!!

    Great site and nice theme, I use this theme too, wp-chatter.
    Can you plz help with decoding this code?

    Rockia Reply:

    Hi Alex, if you are using the same theme, do you want me to just send you the files instead? Please let me know what files you want. You can use the “Contact” page to contact me if you don’t want your email to be visible to the public.

  4. John says:

    Hello there Rockia!

    Nice post but since I’m not a programmer most of it is over my head. I’ve downloaded a theme with an encrypted footer and tried many times to decode it with no success. It seems it has a combination of encoding methods but I’m far from sure. I was wondering if you could give me a hand with this one, the footer code I pasted in:

    http://wordpress.pastebin.com/djsJP3M6

    I would appreciate it a lot, thanks in advance

    Rockia Reply:

    Hi John, I will take a look as soon as possible. Once I get the decoded script, I will contact you via email. :)

    John Reply:

    Thank you, Rockia. I appreciate your help.

    Rockia Reply:

    Done. Enjoy! :D

  5. Pauline says:

    Hi rockia! I agree, wp-chatter is simply an amazing theme, but i’ve been trying to get index.php decrypted to no success. i’m really no programmer but i would like to get a piece of javascript in the body, and i don’t know how to do that without decrypting it. would it be okay to see a sample of your own index.php decryption for this theme? I would really, really appreciate it.

    I think my code’s the same as yours, but here is mine.
    http://wordpress.pastebin.com/smkPwuEQ

    Rockia Reply:

    Hi Pauline, I will contact you via email with the index.php as soon as possible.

    Rockia Reply:

    I have sent you the file. Please check your inbox.

    Pauline Reply:

    Hello Rockia! I found the email you sent. Thank you so much! You’ve really been a great help! This encryption thing has been bugging me for a while and I’m really really glad I’ve found your site.

    Kudos to you!

    Rockia Reply:

    You are welcome, Pauline. Thanks for visiting my blog.

  6. TJ says:

    Rockia is an absolute legend! He helped me so quickly and efficiently with a particularly difficult file, using the techniques outlined in this post.

    Thanks Rockia, here’s to your success!

    Rockia Reply:

    You are welcome, TJ. Enjoy, :) .

  7. Ciribicorbo says:

    so after we echo the base64_decode and we get the code displayed on the site we just copy paste it and replace the whole “$_D=strrev(‘edoced_46esab’);eval(….” shazam with another echo on “($_R)”

    hmmm… thx


  8. yixin says:

    Hello, can you send me the footer.php? I have tried many times but failed. Thanks!

    Rockia Reply:

    What footer.php? Are you using the same theme?

  9. olando says:

    can you decode this…pls

    $_X=base64_decode($_X);$_X=strtr($_X,'SgPO9YZWFKmqyfxcjLJRzuM5vNts1b.{B4nC]i/2Dl0EheA
    [d8=Qp>VXo H}6GIw7ka3TrU<','=R9odmplAEPyk8gv[53xrMezqZHi7YhWCcX}1N/afj6]JtuS
    .BUnwVKLQO20ITF4b');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

    Rockia Reply:

    Hi Olando, I am on my vacation right now. Will get back to you in about 4 days.

  10. Annoyed says:

    I think people who do all this are just pretentious twits abusing a toy. I get it about leaving in a copyright but this is just irritating nonsense. There should be a site displaying all the creators of the themes, with the themes, exposing them for installing this code and pointing out it may well be malicious. If I have to go to the trouble to decode all that crap, I’ll remove the copyright on sheer principle, they deserve what they get.


  11. nuwan says:

    hello,

    i think you can do this. I’ve got some encoded code from a WP theme and i want to decode it. but unfortunately I can’t do this with my code…( i think it’s my understanding problem ) Can You Help me…??? please send mail to me.. plz plz I’m waiting 4 u.

    thanks

    Rockia Reply:

    I have already sent you the decoded file; check your inbox.

    nuwan Reply:

    Thank you very much…. you are G R E A T !!

  12. Remington says:

    Hi, I tried your outlined approach, but it doesn’t work for me. My issue is that my footer.php contains some widgets which I would like to change but cannot see the source code. Also, it looks like the encrypted code has 2 parts: 1 beginning with “$o=” and another with the “eval(base64_decode” Any chance you could help? Thanks very much!!

    Rockia Reply:

    Hi Remington, if you would like some help, just do it as other people who commented on this post (simply send me the file), I will try my best to help you out. So far I have decoded all sent in, no guarantee tho. :)

  13. Remington says:

    Rockia,

    you’re awesome! Thanks so much for helping me with the decoded file. Your help is much appreciated!

    Rockia Reply:

    You are welcome. Enjoy! :)

  14. dotiv says:

    very nice rockia..
    Thanks
