I've written several posts on the topic of WordPress themes that contain encrypted code and why you should avoid them like the plague, the most recent being Say No To Encrypted Footers. It seems as if at least once a week someone in the forums posts a footer.php file belonging to one of these shitty themes. My usual response is to tell the person to dump the theme and find a real one from a reputable author and not some shady fly-by-nighter. However I must admit I do find a great deal of satisfaction in deciphering the gibberish.
I realize that not everyone can, or is willing to learn how to decode these files but I'll show you a quick and dirty way to get around the problem that pretty much accomplishes the same thing. First thing you need to do is open up index.php in a plain text editor and look for the call to the footer. It will look like this ...
<?php get_footer(); ?>
Next we wrap that in a couple of lines of commented code so that it looks like this ...
<!--- START FOOTER --->
<?php get_footer(); ?>
<!--- END FOOTER --->
Save the file and upload it. Next, load up your site and view its source code. Make note of everything within the commented out lines. In other words, copy everything between ...
<!--- START FOOTER --->
code
<!--- END FOOTER --->
... and paste it in to your theme's footer.php file replacing the nonsense currently there. Save the file and you're done!
Now this isn't going to work in all cases but it should most of the time.
About Len Kutchma
I'm with you halfway on this one. If someone has their themes up for grabs, but only wants people to use them if they agree not to decipher the code, then you should respect that or find another theme.
Yes, some people put advertisements and/or malicious code in their encrypted themes, but there are people who have legitimate reasons for wanting you not to decrypt it (like the blogger removing the credit line from the bottom of the page). It doesn't matter what their reasoning is, though. If you find out that your theme is encrypted, delete it and move on.
Hi p1nk g33k,
I agree that theme authors have the right to do what they will with their themes however I'm of the opinion that obfuscation has no legitimate use in a theme, a point every real theme author will tell you. It's only the shady fly-by-nighters who do it in a feeble attempt to try to protect their spammy links.
Can someone please decode this for me? Or even better; tell me how to do it.
TNX
<?php if (!function_exists("T7FC56270E7A70FA81A5935B72EACBE29")) { function T7FC56270E7A70FA81A5935B72EACBE29() { $TF186217753C37B9B9F958D906208506E = base64_decode("QAAAPGRpdiBjbGFzcz0iU2hlZQCCdC10bCI+PC8BcD4NCiAgAg90fuJyAgAB8QJTAGMCvwSxYgSxAr8Fb3QtYgVvdt3uCB8KE2MIHwK/ArJiAr8FYQrvCuFjCu8C0QrvdDuQLWMK7wK/FPNjCDEU9BLFDQoVcmlkPSIGAGZvb3RlBOABMCEtLSBJZiB5bwAAdSdkIGxpa2UgdG8gc3VwcAAAb3J0IFdvcmRQcmVzcywgaAAAYXZpbmcgdGhlICJwb3dlcgIAZWQgYnkiAzBuayBzb21ld2iIAgFAIG9uBLFyIGJsb2cgaXMDAmIAAGVzdCB3YXk7IGl0J3Mgb3VACHICcGx5IHByb21vdGkDMG9yIACEYWR2ZXJ0aXMGUC4gLS0VsDxwAQA+RGVzaWduBqI6IDxhIGhyZQAAZj0iaHR0cDovL3d3dy5nYQAAcmRlbi1mdXJuaXR1cmUtZAAEaXJlY3QuY29tLyI+RwHiIEZAAHUB5DwvYT4gYW5kIHNwb25zcARvDDMFnwWRaG9zdHN2YXVsBMVDaAB4ZWFwIFdlYiBIAbAKYATSCU93LncAAHBza2lucy5vcmcvIiB0aXQAqGxlPSJGcmVlFPJwFPEgFHBtZXOAAAHgYXJnZXQ9Il9ibGFuayIgAAFyZWw9Im5vZm9sbG93Ij4DbB9AVGhlA2AHkRuQEO8HqnQXUHJ1bi8/ZgAAZWVkPXJzczIiPkVudHJpZQG8cyAoUlNTKQRxENI8BK8ErwSmFaBtZQjGbnRzLQUzQ29tAPIFRy4NCgngJXExBAA1IHF1ZQchLiAwLjI0NSBzZQEYY29uZHMuIB4QPC9wHlEqXy9ibyAAZHkBsmh0bWw+s"); $T7FC56270E7A70FA81A5935B72EACBE29 = 0; $T9D5ED678FE57BCCA610140957AFAB571 = 0; $T0D61F8370CAD1D412F80B84D143E1257 = 0; $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[1]) <<
+ ord($TF186217753C37B9B9F958D906208506E[2]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA = 3; $T800618943025315F869E4E1F09471012 = 0; $TDFCF28D0734569A6A693BC8194DE62BF = 16; $TC1D9F50F86825A1A2302EC2449C17196 = ""; $TDD7536794B63BF90ECCFD37F9B147D7F = strlen($TF186217753C37B9B9F958D906208506E); $TFF44570ACA8241914870AFBC310CDB85 = __FILE__; $TFF44570ACA8241914870AFBC310CDB85 = file_get_contents($TFF44570ACA8241914870AFBC310CDB85); $TA5F3C6A11B03839D46AF9FB43C97C188 = 0; preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $TFF44570ACA8241914870AFBC310CDB85, $TA5F3C6A11B03839D46AF9FB43C97C188); for (;$T3A3EA00CFC35332CEDF6E5E9A32E94DA<$TDD7536794B63BF90ECCFD37F9B147D7F;) { if (count($TA5F3C6A11B03839D46AF9FB43C97C188)) exit; if ($TDFCF28D0734569A6A693BC8194DE62BF == 0) { $TF623E75AF30E62BBD73D6DF5B50BB7B5 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $TF623E75AF30E62BBD73D6DF5B50BB7B5 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]); $TDFCF28D0734569A6A693BC8194DE62BF = 16; } if ($TF623E75AF30E62BBD73D6DF5B50BB7B5 & 0x8000) { $T7FC56270E7A70FA81A5935B72EACBE29 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) <> 4); if ($T7FC56270E7A70FA81A5935B72EACBE29) { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) & 0x0F) + 3; for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $T0D61F8370CAD1D412F80B84D143E1257++) $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257] = $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012-$T7FC56270E7A70FA81A5935B72EACBE29+$T0D61F8370CAD1D412F80B84D143E1257]; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } else { $T9D5ED678FE57BCCA610140957AFAB571 = (ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) << 8); $T9D5ED678FE57BCCA610140957AFAB571 += ord($TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]) + 16; for ($T0D61F8370CAD1D412F80B84D143E1257 = 0; $T0D61F8370CAD1D412F80B84D143E1257 < $T9D5ED678FE57BCCA610140957AFAB571; $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012+$T0D61F8370CAD1D412F80B84D143E1257++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA]); $T3A3EA00CFC35332CEDF6E5E9A32E94DA++; $T800618943025315F869E4E1F09471012 += $T9D5ED678FE57BCCA610140957AFAB571; } } else $TC1D9F50F86825A1A2302EC2449C17196[$T800618943025315F869E4E1F09471012++] = $TF186217753C37B9B9F958D906208506E[$T3A3EA00CFC35332CEDF6E5E9A32E94DA++]; $TF623E75AF30E62BBD73D6DF5B50BB7B5 <".$TFF44570ACA8241914870AFBC310CDB85."Hi Aavar. Decoding this stuff is really tedious and time consuming. If you want to learn how to do it I suggest visiting any good PHP forum.
The best I could do is here. As you can see there are issues with the character encoding. The beginning of that code also calls an unknown function.
Where did you get that theme?
themes-online.com/2008/12/wooden-bedroom-free-wordpress-theme
I got the theme from here.
Maybe someone would like to recreate the footer.php for me. Instead of decoding it?
Aavar
Hi Aavar.
I took another stab at it. I think I got it this time. You can see the file here. If it doesn't work I'll see if I download that theme later.
Thank you so much! I don´t know how you did it, and right now I dont care (might care soon
).
Anyways, thank you again!
Aavar
Glad it all worked out.
Can you teach us what you did (algorithm) for Aavar ?
Really curious, and i know a little php.
Alex,
Learning how to do this is not easy. Once you have the basics actually decoding this stuff is a long and tedious process which requires much practice and patience. There have been many times where I failed to decode something. If you really want to learn how to do this the best I can suggest is visit any good php forum.
Also, there is a great thread in the WP Support Forums here. Pay attention to Otto's replies.
hi all try to decode code from aavar but i cant can you help how to decode it ?
Hi riot. Post the code to a pastebin service like http://wordpress.pastebin.com then post the link here. I'll try to have a look this week.
http://wordpress.pastebin.com/m50c21a64
Hi Will. This is what I got …
http://wordpress.pastebin.com/m2884972f
May I ask where you got this theme?
Thanks for that Yanzen.
I cannot thank you enough. This "fix" you wrote about worked perfectly. The theme was perfect for what we wanted and I really didn't want to go looking for another. So thank you thank you thank you...I really like putting it to those dirty rats! But I also have learned and will not use another theme with encrypted footers!
Again...thanks...see I told you I can't say it enough!
Hi jr0131,
I really should update this post. While this "fix" will work in most cases there are times it may not. By viewing the source code, you only see the generated HTML. This will not reveal any PHP or javascript running in the background.
It may also be potentially dangerous. You're taking a chance on uploading and running unknown code on your server. A much better course of action is this thread from the official WordPress support forum.
hi Len,
can u help me to decode this http://wordpress.pastebin.com/ew6NR4MY
thanks
Oh wow felix. That's a tough one to crack. If you can't find help at the WordPress support forum may I suggest the following forum. http://www.waraxe.us There are a lot of good folk over there who know this stuff like the back of their hands.