Decode base64 encrypted PHP Wordpress Theme files

[Update]: A new version of this guide has been posted at Guide to decode based64 encrypted WordPress theme. I have introduced a trick so that you are no longer required to use an online base64 decoder. It’s even more straightforward. Have fun! :)

I really like the theme I am using right now; it’s called WP-Chatter Basic. I was actually hoping to make some modifications to the theme itself, so I checked the source files that I have. The root folder contains index.php, index1.php, index2.php and index3.php. Interestingly, index.php and the footer have been encrypted. I don’t think anyone on earth can understand the code, and I worried that the encrypted code might contain code harmful to my site visitors. So I spent an hour and got the index decoded. Before you work on it, make sure you have a basic PHP background so that you can at least understand the structure of this program.

All the code was enclosed by <?php and ?> tags. These two tags simply imply that the code in between is PHP code.

Now we look at what’s inside:

$_F=__FILE__;

This is the first line, but it’s not very important, and I didn’t take care of it.

$_X='PzNhP21abTRjLlNBMC40JFNtb09TREw7NHVTbk0wSFo0KCRTbW9PU0RMNDBMNCRwMC5KTSk0S
zRPdTQoY01vX0xNb29PRGNMKDQkcDAuSk1nJ09FJ040KTRmZmY0d1JxNkIpNEs0JCRwMC5KTWcnT0U
nTjRmNCRwMC5KTWcnTG9FJ047NFQ0TS5MTTRLNCQkcDAuSk1nJ09FJ040ZjRjTW9fTE1vb09EY0woN
CRwMC5KTWcnT0UnTjQpOzRUNFQ0PzMNYg1iYT9tWm00T3U0KDQkXW1fSFowb29Nbl91TTBvSm5NTF9
TRDRmZjQnNU1MJzQmJjQkXW1fSFowb29Nbl9aUyBNX21TTG9MX0E1X0gwbzRmZjQnNU1MJzQmJjQkX
W1fSFowb29Nbl91TTBvSm5NX0VPTG0uMDU0ZmY0J1ZPTG0uMDU0Nk1tMG4wb00uNSc0KTRLND8zDWJ
hP21abTRPREguSkVNNChbQjd0cVJbQnRSW1A0WDQneU9ERU09c1htWm0nKTs0PzMNYmE/bVptNFQ0T
S5MTU91NCg0JF1tX0haMG9vTW5fdU0wb0puTUxfU0Q0ZmY0JzVNTCc0JiY0JF1tX0haMG9vTW5fWlM
gTV9tU0xvTF9BNV9IMG80ZmY0JzVNTCc0JiY0JF1tX0haMG9vTW5fdU0wb0puTV9FT0xtLjA1NGZmN
CdWT0xtLjA1NE9ENDkuT0VNbic0KTRLND8zDWJhP21abTRPREguSkVNNChbQjd0cVJbQnRSW1A0WDQ
neU9ERU09elhtWm0nKTs0PzMNYmE/bVptNFQ0TS5MTU91NCg0JF1tX0haMG9vTW5fdU0wb0puTUxfU
0Q0ZmY0J0RTJzQmJjQkXW1fSFowb29Nbl9aUyBNX21TTG9MX0E1X0gwbzRmZjQnNU1MJzQpNEs0PzM
NYmE/bVptNE9ESC5KRU00KFtCN3RxUltCdFJbUDRYNCd5T0RFTT16WG1abScpOzQ/Mw1iYT9tWm00V
DRNLkxNNEs0PzMNYmE/bVptNE9ESC5KRU00KFtCN3RxUltCdFJbUDRYNCd5T0RFTT17WG1abScpOzQ
/Mw1iYT9tWm00VDQ/Mw==';

(Note: for better reading, I formatted the code a little bit. The original is all on one line.)

This is actually the main body of the code, but you are not able to understand what it means yet. We will break it down very soon.

$_D=strrev('edoced_46esab');
eval($_D('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCdPL2JwdXcza002QjJ0
eEQxLlJvWF1sVlkgPkpBRUdUZno3SwpRSD1qc31acVVjZTh2NW5tPFs5YTRpMENyV3tOZ2hkSUxQeV
NGJywnaUMKdmZGPnplU0U3UDVucWxBdC53V0RPbUt1YmRVfT0zTXtSa2N4OTJKaExaZ1gwNnlycFFU
RzwgVmFqSUIxXVtZNDhzSC9vTicpOyRfUj1zdHJfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIi
ciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));

It’s very interesting that they actually use the “strrev” function. If you look at what this function does, it simply reverses your string and outputs it back:

 <?php
echo strrev("Hello world!"); // outputs "!dlrow olleH"
?>

So now we know $_D=strrev('edoced_46esab') actually means “base64_decode”. Then we can just replace $_D with base64_decode in the following line enclosed in eval().

After this I left the work to the computers. Luckily I found some very good base64 decoders online; here is the one that I used: Base64 Decoder. Just copy everything inside $_D('encoded_text'), that is, the red part of the code, and paste it into the decode box like I did.

Once you hit decode, you should be able to see the decrypted code:

$_X=base64_decode($_X);$_X=strtr($_X,'O/bpuw3kM6B2txD1.RoX]lVY >JAEGTfz7K
QH=js}ZqUce8v5nm<[9a4i0CrW{NghdILPySF','iC
vfF>zeSE7P5nqlAt.wWDOmKubdU}=3M{Rkcx92JhLZgX06yrpQTG< VajIB1][Y48sH/oN');
$_R=str_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);$_R=0;$_X=0;

Now the code makes sense to me. First the programmer sets the PHP main body to $_X, then they use base64_decode to transform it. Then they replace characters in $_X with strtr and, last but not least, they do another replacement (str_replace swaps __FILE__ for the value saved in $_F) and finally get $_R. The final outcome is eval($_R). They even reset $_R and $_X to 0 so that you are not able to simply output them. But who cares? If you know a bit of PHP, you should understand that $_R is actually the program itself; we simply change the eval to echo, and PHP will output the program for you.

When I did that and refreshed my WordPress, I only saw a closing PHP tag, “?>”. Don’t worry, just use your browser to view the page source; the whole index.php is right there. Just copy the source code and replace everything in index.php with it. Now when you go and look at your WordPress, nothing should have changed, but at least you now understand what index.php is doing.
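The same two stages can be undone offline, without an online decoder and without letting PHP eval anything from the theme; the scheme is base64 plus a character substitution, so no key is needed. The Python sketch below is an added example, not code from the original post or from the theme. The names `decode_theme_loader` and `build_constructed_sample` are hypothetical, and the sample loader is constructed for the demonstration in the same layout as the code above.

```python
import base64
import re

PHP_STR = r"'((?:[^'\\]|\\.)*)'"  # body of a single-quoted PHP string


def decode_theme_loader(php_source: str) -> str:
    """Recover the hidden PHP from a $_X / strrev / eval loader, statically.

    Nothing is executed: the function only base64-decodes and applies the
    strtr() tables found in the first stage. __FILE__ is left as written.
    """
    blob = re.search(r"\$_X=" + PHP_STR, php_source, re.S)
    stage1_b64 = re.search(r"eval\(\$_D\(" + PHP_STR + r"\)\)", php_source, re.S)
    if not blob or not stage1_b64:
        raise ValueError("not the $_X / $_D loader layout")
    # Stage 1 is plain base64 and carries the two strtr() tables.
    stage1 = base64.b64decode(stage1_b64.group(1)).decode("latin-1")
    tables = re.search(r"strtr\(\$_X," + PHP_STR + "," + PHP_STR + r"\)", stage1, re.S)
    if not tables:
        raise ValueError("no strtr() tables in the first stage")
    # Undo PHP escaping; line breaks inside the tables are real table entries.
    src, dst = (re.sub(r"\\([\\'])", r"\1", t).encode("latin-1")
                for t in tables.groups())
    n = min(len(src), len(dst))  # PHP strtr() ignores the longer table's tail
    # Stage 2: base64-decode $_X, then apply the character substitution.
    payload = base64.b64decode(blob.group(1)).translate(
        bytes.maketrans(src[:n], dst[:n]))
    return payload.decode("latin-1")


def build_constructed_sample(payload: str) -> str:
    """Constructed loader in the same layout (not the theme's real code)."""
    src = b"abcdefghijklmnopqrstuvwxyz \n"
    dst = src[::-1]  # reversed alphabet, so the mapping is its own inverse
    hidden = base64.b64encode(
        payload.encode("latin-1").translate(bytes.maketrans(dst, src))).decode()
    stage1 = ("$_X=base64_decode($_X);$_X=strtr($_X,'%s','%s');"
              "$_R=str_replace('__FILE__',\"'\".$_F.\"'\",$_X);"
              "eval($_R);$_R=0;$_X=0;" % (src.decode(), dst.decode()))
    return ("<?php $_F=__FILE__;$_X='%s';$_D=strrev('edoced_46esab');"
            "eval($_D('%s'));?>"
            % (hidden, base64.b64encode(stage1.encode()).decode()))


if __name__ == "__main__":
    sample = build_constructed_sample("?><p>file: <?php echo __FILE__; ?></p>\n")
    print(decode_theme_loader(sample))
```

Because the tables are read as raw bytes, a table that contains a literal line break is handled as one more substitution entry rather than as a formatting problem.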

In my case, decrypting the code didn’t help much other than letting me know that this main index.php is actually a template selector. I must say, though, that developers who encode the source code are just trying to protect their copyright, especially when the footer file is encrypted. However, in some cases, the encrypted footer files could include some harmful information. If you are not aware of it, your website could be affected or could even help the bad guys spread viruses online.

Post Note:

Using the same method, you could decode footer.php as well. I really don’t understand why the theme designer would encrypt index.php if they encrypted footer.php to protect the copyright. However, I didn’t remove the copyright info, because I really respect the work they have done and they should get the credit for this WordPress theme.

Comments (55)

  1. Eric says:

    $_X=strtr($_X,'O/bpuw3kM6B2txD1.RoX]lVY >JAEGTfz7K
    QH=js}ZqUce8v5nm<[9a4i0CrW{NghdILPySF','iC
    vfF>zeSE7P5nqlAt.wWDOmKubdU}=3M{Rkcx92JhLZgX06yrpQTG< VajIB1][Y48sH/oN');

    There are two line breaks, after "JAEGTfz7K" and "iC", so strtr can't work properly.

    Now I use "#" to replace the line break, and before echo $_R, I use str_replace( '#', '', $_R ). I was wondering if there exists a much better way to solve it.

    // Windows + Appserv

  2. Sally says:

    Hi, very interesting post, you’re the master!!! But the last paragraph is still not clear; it would be nice if you at the end add your full php code that you put and open to view at your browser.

    I have done till this, so it’s not clear what to do next in my code and how code should look in the end, please reply me back into my email. Thank you!:

    $_X=base64_decode($_X);$_X=strtr($_X,'SgPO9YZWFKmqyfxcjLJRzuM5vNts1b.{B4nC]i/2Dl0EheA
    [d8=Qp>VXo H}6GIw7ka3TrU<','=R9odmplAEPyk8gv[53xrMezqZHi7YhWCcX}1N/afj6]JtuS
    .BUnwVKLQO20ITF4b');$_R=str_replace('__FILE__',"'".$_F."'",$_X);echo($_R);$_R=0;$_X=0;

    • Rockia says:

      Hi Sally, thanks for your interest.
      If you would like to decode the original $_x. You will need to send me the whole encrypted source file; otherwise we won’t be able to get anything because your $_X is not defined.

  3. alex says:

    Hi Rockia!!

    Great site and nice theme i use this theme to wp-chater.
    Can you plzz help do decoding this code

    • Rockia says:

      Hi Alex, if you are using the same theme. Do you want me to just send you the files instead? Please let me know what files you want. You can use the “Contact” page to contact me if you don’t want to email to be visible by public.

  4. John says:

    Hello there Rockia!

    Nice post, but since I’m not a programmer most of it is over my head. I’ve downloaded a theme with an encrypted footer and tried many times to decode it with no success. It seems it has a combination of encoding methods but I’m far from sure. I was wondering if you could give me a hand with this one, the footer code I pasted in:

    http://wordpress.pastebin.com/djsJP3M6

    I would appreciate it a lot, thanks in advance

  5. Pauline says:

    Hi rockia! I agree, wp-chatter is simply an amazing theme, but i’ve been trying to get index.php decrypted to no success. i’m really no programmer but i would like to get a piece of javascript in the body, and i don’t know how to do that without decrypting it. would it be okay to see a sample of your own index.php decryption for this theme? I would really, really appreciate it.

    I think my code’s the same as yours, but here is mine.
    http://wordpress.pastebin.com/smkPwuEQ

  6. TJ says:

    Rockia is an absolute legend! He helped me so quickly and efficiently with a particularly difficult file, using the techniques outlined in this post.

    Thanks Rockia, here’s to your success!

  7. Ciribicorbo says:

    so after we echo the base64_decode and we get the code displayed on the site we just copy paste it and replace the whole “$_D=strrev(‘edoced_46esab’);eval(….” shazam with another echo on “($_R)”

    hmmm… thx

  8. yixin says:

    Hello, can you send me the footer.php? I have tried many times but failed. Thanks!

  9. olando says:

    can you decode this…pls

    $_X=base64_decode($_X);$_X=strtr($_X,'SgPO9YZWFKmqyfxcjLJRzuM5vNts1b.{B4nC]i/2Dl0EheA
    [d8=Qp>VXo H}6GIw7ka3TrU<','=R9odmplAEPyk8gv[53xrMezqZHi7YhWCcX}1N/afj6]JtuS
    .BUnwVKLQO20ITF4b');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

  10. Annoyed says:

    I think people who do all this are just pretentious twits abusing a toy. I get it about leaving in a copyright but this is just irritating nonsense. There should be a site displaying all the creators of the themes, with the themes, exposing them for installing this code and pointing out it may well be malicious. If I have to go to the trouble to decode all that crap, I’ll remove the copyright on sheer principle, they deserve what they get.

  11. nuwan says:

    hello,

    i think you can do this. I’ve got some encoded code from a WP theme and i want to decode it, but unfortunately I can't do this with my code… (i think it’s my understanding problem) Can You Help me…??? please send mail to me.. plz plz I’m waiting 4 u.

    thanks

  12. Remington says:

    Hi, I tried your outlined approach, but it doesn’t work for me. My issue is that my footer.php contains some widgets which I would like to change but cannot see the source code. Also, it looks like the encrypted code has 2 parts: 1 beginning with “$o=” and another with the “eval(base64_decode” Any chance you could help? Thanks very much!!

    • Rockia says:

      Hi Remington, if you would like some help, just do it as other people who commented on this post (simply send me the file), I will try my best to help you out. So far I have decoded all sent in, no guarantee tho. :)

  13. Remington says:

    Rockia,

    you’re awesome! Thanks so much for helping me with the decoded file. Your help is much appreciated!

  14. dotiv says:

    very nice rockia..
    Thanks

  15. sene1983 says:

    hi, rockia,

    first of all, thanx for your interest; this is a really interesting post. i could decode a little part of the code, but not exactly decode all of it.

    it is not important for me, to decode it BUT, when i active this theme website getting error: ss: http://img545.imageshack.us/i/ekranalntspe.jpg/ ( “503 Service Unavailable / The server is temporarily busy, try again later! ” i asked my server administrator, he send me this output:

    “on request #0, confirmed, 1, associated process: 20096, running: 1, error: Connection reset by peer!”

    and said: “your index file trying to connect somewhere else, or trying to get data ”

    i can access category pages, pages or wp-admin, but when i try to access index, it is giving this error.

    How can i fix that? Can u help me? Maybe, if i use your index.php could be fixed?

    Thanx for your help…

  16. Angad Singh says:

    Hi,
    I am also using the theme but the problem is that on the home page when u click on more from “category” it goes to mysite.com/category/categoryx when it should have been mysite.com/index.php//category/categoryx
    Can u please help me figure that out…

  17. thedecoder says:

    @Pauline

    Here is your decrypted code:

    http://pastebin.com/fdssQTJu

  18. thedecoder says:

    @olando

    If you need something decrypted, then better for you to paste the entire code. You are missing the primary part. It looks like PHPLockIt encoded.

  19. Sanjay Chauhan says:

    Hi Rockia,

    First of all, thanks a lot for your great post.

    I have followed all the steps but still without success. Can you help to decrypt one of my files?

    You can find it at here http://pastebin.com/uBbKRQYJ

    It would be great help if you can help me on this. My email address is [email protected]

    Looking forward hear for your positive response.

    Thanks, Sanjay

  20. Rusmadi says:

    Hi,
    can you decode this script for me? http://pastebin.com/E42TmnNk
    please sent to my email:[email protected] thank’s

  21. Robert says:

    Can anyone help me with this?:

  22. malliodiao says:

    hi! can you help me with this: http://pastebin.com/Z4gL59TL
    I tried but it’s beyond my knowledge
    thanks in advance

  23. malliodiao says:

    oooh many many thanks, I really appreciate that
    thanks again

  24. ragu says:

    This is in base64; decode this as a png file.. or can you say if this is an image or text after decoding? i want to know what message it says?

    • ragu says:

      please mail me if you found this.. thanks

      • rockia says:

        I am not quite sure about your question. Do you have the original file? Please send it over and I can take a look for you, as some of the encrypted code will combine with other “salt” that I will need to take into consideration in decoding.

  25. Kastam says:

    Hi,
    Rockia,
    thanks for your post,
    but I am really can’t do that step, because I don’t enough skill php programing.

    I need your help,
    I want send you file of php that encrypt like this.
    So.. I need your email.

    thanks before

  26. Kastam says:

    Are You very busy, Rockia…?
    he he he…
    I wait my files..
    Thanks

    • rockia says:

      Yes, sorry. I got your files but just didn’t have a chance to take a look at them. Will get back to you ASAP. Sorry about that.

      • kastam says:

        Oh. . .Thanks
        I am still with my files with decoded them.

        I have tried; I found one variable but repeated four times in one file.
        Eq.
        $a=abcabcabc
        $a=abcabcabc
        $a=abcabcabc
        $a=abcabcabc

        you should make separate, i have done but next step. I didnt know.
