Decode Those Encrypted Footers
I've written several posts on the topic of WordPress themes that contain encrypted code and why you should avoid them like the plague, the most recent being Say No To Encrypted Footers. It seems as if at least once a week someone in the forums posts a footer.php file belonging to one of these shitty themes. My usual response is to tell the person to dump the theme and find a real one from a reputable author and not some shady fly-by-nighter. However I must admit I do find a great deal of satisfaction in deciphering the gibberish.
I realize that not everyone can, or is willing to learn how to decode these files but I'll show you a quick and dirty way to get around the problem that pretty much accomplishes the same thing. First thing you need to do is open up index.php in a plain text editor and look for the call to the footer. It will look like this ...
<?php get_footer(); ?>
Next we wrap that in a couple of lines of commented code so that it looks like this ...
<!--- START FOOTER --->
<?php get_footer(); ?>
<!--- END FOOTER --->
Save the file and upload it. Next, load up your site and view its source code. Make note of everything within the commented out lines. In other words, copy everything between ...
<!--- START FOOTER --->
code
<!--- END FOOTER --->
... and paste it in to your theme's footer.php file replacing the nonsense currently there. Save the file and you're done!
Now this isn't going to work in all cases but it should most of the time.
Len has been blogging for over 10 years and is a rabid WordPress fan. In addition to blogging here you can find him writing the occasional article and toiling away in the forums at WeblogToolsCollection.com. He also hangs out at the WordPress support forums lending a hand where he can. You can find his political scribblings at RiteTurnOnly.com
I'm with you halfway on this one. If someone has their themes up for grabs, but only wants people to use them if they agree not to decipher the code, then you should respect that or find another theme.
Yes, some people put advertisements and/or malicious code in their encrypted themes, but there are people who have legitimate reasons for wanting you not to decrypt it (like the blogger removing the credit line from the bottom of the page). It doesn't matter what their reasoning is, though. If you find out that your theme is encrypted, delete it and move on.
p1nk g33k’s last blog post..Why you should get out of that traffic exchange or link exchange program ASAP!
Hi p1nk g33k,
I agree that theme authors have the right to do what they will with their themes however I'm of the opinion that obfuscation has no legitimate use in a theme, a point every real theme author will tell you. It's only the shady fly-by-nighters who do it in a feeble attempt to try to protect their spammy links.
Can someone please decode this for me? Or even better; tell me how to do it.
TNX
Aavar Magnus Stava’s last blog post..Ny Levono Thinkpad-reklame
<?php if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE29")) { function T7FC56270E7A70FA81A5935B72EACBE29() { $TF186217753C37B9B9F958D906208506E = base64_decode("QAAAPGRpdiBjbGFzcz0iU2hlZQCCdC10bCI+PC8BcD4NCiAgAg90fuJyAgAB8QJTAGMCvwSxYgSxAr8Fb3QtYgVvdt3uCB8KE2MIHwK/ArJiAr8FYQrvCuFjCu8C0QrvdDuQLWMK7wK/FPNjCDEU9BLFDQoVcmlkPSIGAGZvb3RlBOABMCEtLSBJZiB5bwAAdSdkIGxpa2UgdG8gc3VwcAAAb3J0IFdvcmRQcmVzcywgaAAAYXZpbmcgdGhlICJwb3dlcgIAZWQgYnkiAzBuayBzb21ld2iIAgFAIG9uBLFyIGJsb2cgaXMDAmIAAGVzdCB3YXk7IGl0J3Mgb3VACHICcGx5IHByb21vdGkDMG9yIACEYWR2ZXJ0aXMGUC4gLS0VsDxwAQA+RGVzaWduBqI6IDxhIGhyZQAAZj0iaHR0cDovL3d3dy5nYQAAcmRlbi1mdXJuaXR1cmUtZAAEaXJlY3QuY29tLyI+RwHiIEZAAHUB5DwvYT4gYW5kIHNwb25zcARvDDMFnwWRaG9zdHN2YXVsBMVDaAB4ZWFwIFdlYiBIAbAKYATSCU93LncAAHBza2lucy5vcmcvIiB0aXQAqGxlPSJGcmVlFPJwFPEgFHBtZXOAAAHgYXJnZXQ9Il9ibGFuayIgAAFyZWw9Im5vZm9sbG93Ij4DbB9AVGhlA2AHkRuQEO8HqnQXUHJ1bi8/ZgAAZWVkPXJzczIiPkVudHJpZQG8cyAoUlNTKQRxENI8BK8ErwSmFaBtZQjGbnRzLQUzQ29tAPIFRy4NCgngJXExBAA1IHF1ZQchLiAwLjI0NSBzZQEYY29uZHMuIB4QPC9wHlEqXy9ibyAAZHkBsmh0bWw+s"); $T7FC56270E7A70FA81A5935B72EACBE29 = 0; $T9D5ED678FE57BCCA610140957AFAB571 = 0; $T0D61F8370CAD1D412F80B84D143E1257 = 0; $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[1]) <<
+ ord($TF186217753C37B9B9F958D906208506E[2]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA = 3; $T800618943025315F869E4E1F09471012 = 0; $TDFCF28D0734569A6A693BC8194DE62BF = 16; $TC1D9F50F86825A1A2302EC2449C17196 = ""; $TDD7536794B63BF90ECCFD37F9B147D7F = strlen($TF186217753C37B9B9F958D906208506E); $TFF44570ACA8241914870AFBC310CDB85 = __FILE__; $TFF44570ACA8241914870AFBC310CDB85 = file_get_contents($TFF44570ACA8241914870AFBC310CDB85); $TA5F3C6A11B03839D46AF9FB43C97C188 = 0; preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $TFF44570ACA8241914870AFBC310CDB85, $TA5F3C6A11B03839D46AF9FB43C97C188); for (;$T3A3EA00CFC35332CEDF6E5E9A32E94DA<$TDD7536794B63BF90ECCFD37F9B147D7F;) { if (count($TA5F3C6A11B03839D46AF9FB43C97C188)) exit; if ($TDFCF28D0734569A6A693BC8194DE62BF == 0) { $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $TF623E75AF30E62BBD73D6DF5B50BB7B5 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]); $TDFCF28D0734569A6A693BC8194DE62BF = 16; } if ($TF623E75AF30E62BBD73D6DF5B50BB7B5 & 0x8000) { $T7FC56270E7A70FA81A5935B72EACBE29 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) <> 4); if ($T7FC56270E7A70FA81A5935B72EACBE29) { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) & 0x0F) + 3; for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $T0D61F8370CAD1D412F80B84D143E1257++) $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257] = $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012-$T7FC56270E7A70FA81A5935B72EACBE29+$T0D61F8370CAD1D412F80B84D143E1257]; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } else { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $T9D5ED678FE57BCCA610140957AFAB571 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) + 16; for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA++; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } } else $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]; $TF623E75AF30E62BBD73D6DF5B50BB7B5 <".$TFF44570ACA8241914870AFBC310CDB85."
Aavar Magnus Stava’s last blog post..Ny Levono Thinkpad-reklame
Hi Aavar. Decoding this stuff is really tedious and time consuming. If you want to learn how to do it I suggest visiting any good PHP forum.
The best I could do is here. As you can see there are issues with the character encoding. The beginning of that code also calls an unknown function.
Where did you get that theme?
themes-online.com/2008/12/wooden-bedroom-free-wordpress-theme
I got the theme from here.
Maybe someone would like to recreate the footer.php for me. Instead of decoding it?
Aavar
Aavar Magnus Stava’s last blog post..Stereobrigade Extravaganza
Hi Aavar.
I took another stab at it. I think I got it this time. You can see the file here. If it doesn't work I'll see if I download that theme later.
Thank you so much! I don´t know how you did it, and right now I dont care (might care soon
).
Anyways, thank you again!
Aavar
Aavar Magnus Stava’s last blog post..Stereobrigade Extravaganza
Glad it all worked out.
Can you teach us what you did (algorithm) for Aavar ?
Really curious, and i know a little php.
Alex,
Learning how to do this is not easy. Once you have the basics actually decoding this stuff is a long and tedious process which requires much practice and patience. There have been many times where I failed to decode something. If you really want to learn how to do this the best I can suggest is visit any good php forum.
Also, there is a great thread in the WP Support Forums here. Pay attention to Otto's replies.
hi all try to decode code from aavar but i cant can you help how to decode it ?
http://wordpress.pastebin.com/m50c21a64
Hi Will. This is what I got …
http://wordpress.pastebin.com/m2884972f
May I ask where you got this theme?
Coba pake ini
Cool Decode-Encode script php
By http://www.yanzen.co.cc
Thanks for that Yanzen.
Hi riot. Post the code to a pastebin service like http://wordpress.pastebin.com then post the link here. I'll try to have a look this week.