[How to] Decode an Encoded PHP Script in Wordpress Themes

Sat, Nov 29, 2008


I adore WordPress themes! And I like to download and test the themes (free ones) frequently. A few days back I came across a plugin, TAC (Theme Authenticity Checker), which checks for any malicious code in the WordPress themes present in the /wp-content/themes folder.

When I ran TAC today, I found that a couple of the themes I downloaded yesterday (name withheld) had an encoded string in the footer section. TAC flagged them as potential threats, since some malicious code could have been injected and encoded. The code looked something like this:

echo(base64_decode("PGRpdiBjbGFzcz0iZm9vdGVy
Ij4NCiAgPGRpdiBjbGFzcz0iZm9vdGVyX3R4dCI+IA0KICAgIDxw
PiBEZXNpZ25lZCBieTogPGEgaHJlZj0iaHR0cDovL3d3dy
50YWxrcmV2aWV3cy5jb20vdG9wLXNp
dGVzIj5Ub3AgV2Vic2l0ZSBSZXZpZXdzPC9hPiA8L3A+
DQoNCiAgICA8cD4NCiAgICAgIDxhIGhy
g0KDQo="))

I started looking for a tool that could decode this encoded string for me, and I found this page, which can encode as well as decode! There is a radio button at the bottom where you need to select the decode option. The decoded output will be displayed on the same screen within a few seconds!

Just replace the encoded code with the decoded one and the theme will continue to work like a charm!

Link: Base-64-encoder-decoder
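
Added example (not from the original post and not part of TAC): a Python script that finds literal base64_decode("...") calls in theme source, decodes them as text without executing any PHP, and follows nested layers, which goes beyond the single echo() layer shown above. The function names, MAX_DEPTH, the risk patterns and the example.com footer are assumptions made for illustration; the only literal taken from this page is the string quoted in comment 7.

```python
import base64
import binascii
import re

# Literal base64_decode("...") calls; also accepts the curly quotes that blog
# software substitutes, and whitespace wrapped into the literal.
CALL_RE = re.compile(
    r"base64_decode\s*\(\s*[\"'\u201c\u201d]([A-Za-z0-9+/=\s]+)[\"'\u201c\u201d]\s*\)"
)
# Assumed heuristics: eval(), 'base64_decode' kept as a string, $var(...) calls.
RISK_RE = re.compile(r"\beval\s*\(|['\"]base64_decode['\"]|\$\w+\s*\(")
MAX_DEPTH = 10  # assumption: stop following nested layers beyond this


def decode_literal(literal):
    """Decode one base64 literal to text, or return None if it is invalid."""
    compact = re.sub(r"\s+", "", literal)
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def unwrap(source, depth=1):
    """Return (depth, text, risky) per decoded layer; nothing is executed."""
    layers = []
    if depth > MAX_DEPTH:
        return layers
    for match in CALL_RE.finditer(source):
        text = decode_literal(match.group(1))
        if text is None:
            layers.append((depth, None, True))  # truncated or non-base64 literal
            continue
        layers.append((depth, text, bool(RISK_RE.search(text))))
        layers.extend(unwrap(text, depth + 1))  # rescan the decoded text
    return layers


def constructed_sample():
    """Constructed two-layer footer; the last literal is quoted from comment 7."""
    link = '<p>Designed by: <a href="http://example.com/">Example</a></p>'
    inner = 'echo(base64_decode("%s"));' % base64.b64encode(link.encode()).decode()
    outer = base64.b64encode(inner.encode()).decode()
    return ('<?php eval(base64_decode("%s"));\n'
            'eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs=")); ?>' % outer)
```

A layer flagged as risky because it stores 'base64_decode' in a variable means later calls go through that variable, so a decoder that only looks for literal base64_decode( calls stops at that point.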


12 Comments For This Post

  1. stratosg Says:

    if the author wants to be sure though he can use what is called code obfuscation and at that point you are in a deadlock…. also base64 encodings are used in mails ;) nice quick tip!

  2. Raju Says:

    If code is obfuscated, I won’t even care to test the theme unless it’s released by a trusted source. And yeah I do know about base64 encodings, it is there in java as well!

  3. techniqueal t. Says:

    I'm just learning PHP and this looks like a pretty nifty tip! will definitely keep this in mind. great work, mate!

  4. stratosg Says:

    yah it’s just another way of encoding your strings… as for the obfuscation you are right… i wouldn’t use it at all. when people try to hide and become “closed source” i get a bit mad :D

  5. OneLag Says:

    That page didn’t work for me, but nice try. I’ll keep looking for some decoder…

  6. Raju Says:

    @onelag
    It does work, I am 100% sure that it will work if you give the input properly. I hope you are not looking to decode eval().

  7. Jean-Louis Says:

    Hello
    I tried the script on the page.
    It doesn’t work with the code of my footer.

    I get a result that is still encoded, such as: eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0; …..

    :(

  8. Raju Says:

    Hi Jean,
    I have focused on echo(base64_decode()) and not eval(base64_decode()). Hence that link is not working for your case. Try out this link and let me know if it was able to decode.
    http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/Default.aspx
    You might have to decode recursively in case the coder has encoded the string recursively.

  9. Jean-Louis Says:

    Thank you for your help. But this time it says “Sorry, it just was not possible to decode that string.”

    Here is the code in a txt file
    footer

    it would be nice if you could throw a glance :)

  10. Raju Says:

    As expected, it has multi-level encoding. First of all I want to clarify that I am no expert in PHP! In the txt file you have shared, the code has 2 parts. The first part is a variable definition ($o) and the other part has an eval method. I was able to decode the eval method using the link I provided above. It returned a series of code having for loops and more encoded data. So, it’s recursively encoded code by some smart fellow. If I were you, I wouldn’t dare to use that theme with such a footer :)

  11. Jean-Louis Says:

    Thank you for having looked at the code. A footer coded this way is a very bad thing, especially as we don’t know if it hides a malicious script.
