<?php $OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=1132;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0VudGVyeW91d2toUkhZS05XT1VUQWFCYkNjRGRGZkdnSWlKakxsTW1QcFFxU3NWdlh4WnowMTIzNDU2Nzg5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
kr9NHenNHenNHe1lFMamb3klFoxiC2APk19gOLlHOa9gkZXJkZwVkr9NTznNHr8XHt4JkZwShokiF2A2Yy9LcBYvcoAPF3OZfuwPcmklCBWPkr8XHenNHr8XHtXLT08XHr8XHeEXhUXmOB50cbk5d3a3D2iUUylRTlfNaaOnCAkJW2YrcrcMO2fkDApQToxYdanXAbyTF1c2BuiDGjExHjH0YTC3KeLqRz0mRtfnWLYrOAcuUrlhU0xYTL9WAakTayaBa1icBMyJC2OlcMfPDBpqdo1Vd3nxFmY0fbc3Gul6HerZHzW1YjF4KUSvkZLphUL7cMYSd3YlhtONHeEXTznNHeEpK2a2CBXPkr9NHenNHenNHtL7RZ8IAriWTr9eU0lAT1nAwyYAWakAtJOXfbkjDoyzcBYvcoAINUnWaakeUryTOa9eT0OyKXPLfoyZc2a0b3aZdtE9wtkPfuOXKJ8vf3f3RMpvCmplcBSVC29sR2yXDU9zcByZC2IvN2pvCmplcBS9kopvCmplcBSMDB5LcBaLNUOpdMOlcBWMC2yZcBaZDMa0NUOjCbklcbkQcbWMFuaZC2iiF2ajd2OlNUOXfbkjDoyzcBYvcoAMD2a5f29Zce0LFUcSd2Yifolvdj0Ldtcjdz0LC28MF29Zfe0LF29ZftcZCBOpfbH9kukicol1FZczfe0LF3WMDmO5FoA9kop0kmY0Cbk0NUOzfoyZftcvdoW9kocZd21ic2AJKXPvR2ajDo8IkuOiFMflfy91FMX7tJO1F2aZWBfldmWINUEmO29vc2xlCM90RzwVHUEPDuO0FePvR3f3fZ5md29mdoaJd3WVC29sR2kvft5Pfo1ShUF7tIPvRZnsCBslwuOPcUnjaakHwuklFbalF3WIfo8IkuOiFMflfy91FMXhkoYPwe0IC3aZdy9pdMl0htL7tMY1FMxgF2a0d3n0htOjDtXIW1aUTr9Way9aA0aUWAfyTlWSwtO1F2aZWBfldmWpKXpjfbkSb3Ylfo9XftILC2ISwrYaALxNAyOgaakHRtO0CbkmcbOgfbkShTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb0cnUAxNTLaUAL9URtn0FmalhTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb0cNTrxNa0xNW0yAUA9KRtn0FmalhTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb0yaar9UOAcyALaURtn0FmalhTShC3aZdy9zcbOvFuWPkoYPRtneaakHT1nAb1kyayaUTlOUWA5TOLaURuOZfBApKXpjfbkSb3Ylfo9XftILC2ISwrYaALxNAyOgarlYOA9aatXIYTEXhTShkuisduY0FMlVcz0IC3aZdy9lGoajhtOjDtL7tIPLGo1SF3OZDB5mwe0IkuisduY0FMlVczShkopzd25gFMaXduLINUnQF29Vb2OlC29LcUILGo1SF3OZDB5mRtn0FmalhTShtI==
I can't seem to decode this base64 string which is in the footer of a wordpress theme. I want to be able to add more to the footer.
Any help appreciated, thanks!
Ok, this is the decoded piece of code with readable variables (for educational purposes):
<?php
$the_current_file = __FILE__;
$the_line_number_of_this_line = __LINE__;
$fileResource = fopen($the_current_file, 'rb');
while (--$the_line_number_of_this_line) //For every line of code the code before this line
{
fgets($fileResource, 1024); //
}
fgets($fileResource, 4096);
$codeToEvaluate = (base64_decode(strtr(fread($fileResource, 372), 'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
eval($codeToEvaluate);
return;
So basically, whereever this piece of code is included, it takes every line before it and replaces the characters EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/= with ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/. Then, it base64 decodes that and eval's it. I'd do a die($codeToEvaluate); before eval($codeToEvaluate) to find out what piece of code is executed.
But then, seriously. If the developers of this theme tried to obfuscate something from you, either it's malicious or you're trying to crack past some licensing because you don't want their attribution in the footer. Credit them or pay them.
So bottom line: Buy the goddamn theme or find another.
EDIT
This seems to be the code, thats being executed:
$purchasecode = PURCHASE_CODE;
$target_url = "http://www.jobzeek.com/api/search/?jobzeek=$jobzeek&indeed=$indeed&careerjet=$careerjet&purchasecode=$purchasecode&keyword=$q&location=$l&co=$co&sort=$sort&radius=$radius&st=$st&jtype=$jt&start=$start&old=$fromage";
//echo $target_url;
$userAgent = 'Googlebot/2.1 (http://www.googlebot.com/bot.html)';
// make the cURL request to $target_url
$ch = curl_init();
curl_setopt($ch, CURLOPT_USERAGENT, $userAgent);
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_FAILONERROR, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_AUTOREFERER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 500);
$xmlstring = curl_exec($ch);
$xmlstring = $xmlstring;
$json_reply = json_decode($xmlstring, true);
Nice try, your base64 look like this:
$O000O0O00=fopen($OOO0O0O00,'rb');
while(--$O00O00O00)
fgets($O000O0O00,1024);
fgets($O000O0O00,4096);
$OO00O00O0(base64_decode(strtr(fread($O000O0O00,372),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
eval($OO00O00O0);%
Ahm.... yeah, i'm not gonna execute eval on that.