Annoying Coding Methods (solved)

Posted on Saturday, March 22, 2008 in Coding

So I finally figured out how to decrypt the insanity of the footer for this theme.

To see what I started out with see the first post –> Annyoing Coding Methods

Simply changing the eval() to echo just printed out a ?> because I found out the first thing in the code was a ?>, so it ended the PHP tag and simply printed out the ending ?> tag.

So… I decided to remove all PHP tags… like <?php <? and ?> with:


<?php
$remove = array(">","<");
$replace = array("&gt;","&lt;");
$string = 'FREAKISHLY LONG ENCRYPTED STRING HERE';
echo str_replace($remove,$replace,gzinflate(str_rot13(base64_decode($string))));
# echo str_replace($remove,$replace,gzinflate(base64_decode($string)));<br />
?>

So that worked liked I hoped it would, BUT it prints out nearly the exact same thing I had to begin with, just with another random string. So I keep replacing cryptic code in the $string variable over and over. The output varied from eval(gzinflate(str_rot13(base64_decode($string)))); to eval(gzinflate(base64_decode($string))); Hence the extra (commented) line in the above code. I probably repeated this method at least 50 times until I actually saw the real source code. (And yes, after doing that I realize that I could have just written a little code to loop through it, but I had no idea how many iterations it would take)

The string of data got smaller and smaller each time. The last string before the real code is only about a fifth of the length of the original:

tVRdb5swFH3OpP2HOx6WRCrQZm8ZpdKkVX1opCqNtr5FBi7g1djMNk3z73exE5q0Vbs97AXM/Tgcn3vsi3SUFPwBeHEebHhRoTVB+vHDyEdzwYzZJ4o+kVy0dQu8hAmUncwtV3KNj9xYMxkXW8kanq8NLzBjejyFz5/hWXAyvsbSwqVSFvuKKcwBhUF6Xbj/jpJO+MUoEdzxYsFApArSpJ4d87LcCgzSJeYoLbSKuCRxPduBHODR2rGnnjXTec0fkFj3Ddm2f45Pxmen9Mg7Y1VDCyKQ9q+4f0+/7hkSTvxEsk964j7o/4Gy4GXfAU7MmNT8v7IueVX/o675X+m6QMte6ukhHetNu9ZYEVfUk51IPkvCDBVCVVyqzvqKA9H6Iga1xvI8qK1t53H8wAQvmFU62nyJlK7ivMb8PqYS1KgDcMTOg1XNDbSsQtg1oAFm4O5qtbiGs+gUbq3muQ3SH30aEpZlet+Ldxal4ZlAuNq2qFf4aGHB9H3XwjWTVUewQfocKol7DGLP3tnBRumi1WiMoz8wvlEb2kEB2RZ+UsVNX3ECxhL1UJWhrTFk2oLBhknLcyBiRkkmoO0ywU3NZQWtYLZUuomCdMA4IHQ8l4ZmdzSTt637ZNRXTDx4eLgvSme23XXhGjI35lJNxuRO9EcGQnja9xzekep4U8Bk8bJjs4l+YVkKLsQ2ylUTN3RgaWghtZFrWH96CGnho7B8ijrM8FVEi3kttRKiRwzSFX2ChCUF3mgiDnTqrMpUobvGd166GFgF31y0b4+cRKZlcqf3HqtELObPtdPGzNadFl6/IP0uyX1k7sny9nbqZz1AOVA/jVlwlPgUEmc/xrxW7tKTXbP+3WEP5l0Bu69oV2l5g3pNcrWTM19gMFeyoIIwTA9MMDjMe2DvsSEdkyJbt6htI+ga+AM=

I repeated the workflow one more time and was excited to see real code!
 <div id="widgets"> <div class="widgetd"> <php if ( function_exists('dynamic_sidebar') && dynamic_sidebar('Left Footer') ) : else : ?> <ul> <li id="a" class="wg"> <h2 class="widgettitle">Recent posts</h2> <ul><?php get_archives(‘postbypost’,‘10′,‘custom’,‘ <li>‘,‘</li> ‘); ?> </ul> </li> </ul> <?php endif; ?> </div> <div class="widgetd"><?php if ( function_exists(‘dynamic_sidebar’) && dynamic_sidebar(‘Right Footer’) ) : else : ?> <ul> <li id="c" class="wg"> <h2 class="widgettitle">Meta</h2> <ul> <?php wp_register(); ?> <li><?php wp_loginout(); ?></li> <li><a href="http://validator.w3.org/check/referer" title="This page validates as XHTML 1.0 Strict">Valid <abbr title="eXtensible HyperText Markup Language">XHTML 1.0 Strict</abbr></a></li> <li><a href="http://wordpress.org/" title="Powered by WordPress, state-of-the-art semantic personal publishing platform.">WordPress</a></li> <?php wp_meta(); ?> </ul> </li> </ul> </div> <?php endif; ?> </div> <div id="footer"><?php bloginfo(‘name’); ?> – Powered by: <a href="http://wordpress.org/">WordPress</a> and <a href="http://www.jefflilly.com/mustang-restoration/">Mustang Restoration</a> – <a href="http://www.technroll.com">Tech n Roll</a> – <a href="http://www.flighttobodrum.com">Flight to Bodrum</a>. <a href="feed:<?php bloginfo(‘rss2_url’); ?>“>Entries (RSS)</a> <!-- <?php echo get_num_queries(); ?> queries. <?php timer_stop(1); ?> seconds. –></div> <?php wp_footer(); ?> </div> </body> </html>

You’ll notice instead of <?php it printed out php because they were removed with the str_replace function. There’s also no ending ?> tags at the end of the PHP code but simply replace them where they belong and remove the links in the end and you’re done!
Update: changed the str_replace() search/replace terms so now everything will look like it should (for some reason I overlooked this simple correction a week ago … lol
I’ve got no idea why the person that made this theme felt it necessary to keep their blasted links so sacred … whatever.

| Tags: base64_decode, eval, gzinflate, str_replace, str_rot13

Jerry Galino
Saturday, April 26 12:05 am

Good site I “Stumbledupon” it today and gave it a stumble for you.. looking forward to seeing what else you have..later
Motdymbomo
Sunday, August 3 2:35 am

Tahnks for posting
Php Nested Array
Friday, October 31 5:49 am

found your site on del.icio.us today and really liked it.. i bookmarked it and will be back to check it out some more later ..

Your ad here, right now: $0.05

Josh’s Random Non-sense! // my crazy life :)

Annoying Coding Methods (solved)

Leave a Comment

Pages

Recent Comments

Categories

Tags