Decrypt nested eval gzinflate str_rot13 base64_decode
Posted on Saturday, March 22, 2008 in Coding
So I went ahead and wrote a script to undo massively nested eval(gzinflate(str_rot13(base64_decode('STRING')))); and eval(gzinflate(base64_decode('STRING'))); “encryptions” with a multitude of both of them inside it. The string from the original footer here had to go through 67 different iterations before it got to the real source code (talk about overkill).
If you have strings that aren’t nested, you can probably just do this:
$string = gzinflate(str_rot13(base64_decode('YOUR STRING')));
$string = htmlentities($string, ENT_NOQUOTES);
echo $string;
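The nested case described above, as an added example that is not the author's script: a loop that keeps matching either wrapper form and decoding its string until no wrapper remains, without ever calling eval. The function name peel_layers, the depth and size limits, and the sample payload are assumptions made for illustration.

```php
<?php
// Added example: statically peel nested
// eval(gzinflate([str_rot13(]base64_decode('...')))) layers.
// The payload is only decoded and printed; eval() is never called.

function peel_layers(string $code, int $maxDepth = 200, int $maxBytes = 10485760): array
{
    // Matches both wrapper forms. Group 1 is non-empty when str_rot13 is
    // present; group 2 is the base64 string.
    $pattern = '/eval\s*\(\s*gzinflate\s*\(\s*(str_rot13\s*\(\s*)?base64_decode\s*\(\s*'
             . '[\'"]([A-Za-z0-9+\/=\s]+)[\'"](?:\s*\)){3,4}\s*;?/i';

    $layers = 0;
    while ($layers < $maxDepth && preg_match($pattern, $code, $m)) {
        $raw = base64_decode(preg_replace('/\s+/', '', $m[2]), true);
        if ($raw === false) {
            break;                      // not valid base64: keep what we have
        }
        if ($m[1] !== '') {
            $raw = str_rot13($raw);     // rot13 is applied to the decoded bytes
        }
        // Cap the inflated size so a hostile string cannot exhaust memory.
        $inner = @gzinflate($raw, $maxBytes);
        if ($inner === false) {
            break;                      // not a raw-deflate stream, or too large
        }
        // Swap only the wrapper for its contents so surrounding code survives.
        $code = str_replace($m[0], $inner, $code);
        $layers++;
    }
    return [$code, $layers];
}

// Constructed sample: a harmless statement wrapped three times, mixing both forms.
$sample = 'echo "footer";';
foreach ([true, false, true] as $useRot13) {
    $packed = gzdeflate($sample);
    $sample = $useRot13
        ? "eval(gzinflate(str_rot13(base64_decode('" . base64_encode(str_rot13($packed)) . "'))));"
        : "eval(gzinflate(base64_decode('" . base64_encode($packed) . "')));";
}

[$source, $count] = peel_layers($sample);
echo "layers: $count\n", htmlentities($source, ENT_NOQUOTES), "\n";
```

If the loop stops with a wrapper still visible in the output, the remaining layer uses a different function chain and has to be handled separately.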
If you have a string that fits that description, you can decrypt it here.
Or if you just want to test it, here’s the original string from the footer of one of my old themes:
Saturday, April 12 10:34 pm
Did the job, thank you!
Sunday, June 22 6:05 pm
Is it normal to take a ~20,000 byte string (in a file) down to source code of only ~640 bytes?
Also, should I be able to drop the “source” in place of the “encrypted” file and all work as normal (as I can’t…)?
Very good work, btw. I just am trying to learn and have those and possibly a few more questions.
Sunday, June 22 6:20 pm
it really just depends on how they did it and how many times. the one that was in this footer was originally 11,139 bytes and the actual source was only 6,842 bytes. although that’s not quite as drastic of a difference as 20kb –> .6kb it is possible.
and yes, you should be able to just replace the eval(‘blah blah blah’); with the actual source code.
if it’s not working feel free to send me what you’re trying to decode and i can try and help out.
josh (at) thespiffylife (dot) com
Monday, June 23 11:23 am
By the way, I just fixed the decrypting page to allow for either
eval(gzinflate(str_rot13(base64_decode('STRING'))));
or
eval(gzinflate(base64_decode('STRING')));
(and others nested up inside them). So that should help most everyone.
Thursday, June 26 12:40 am
thanks, your scripts helpful me
Saturday, July 12 1:03 am
thanks for sharing…without a doubt easiest and most efficient solution I found on the web…
Friday, July 25 3:14 pm
It’s awesome man!
Really thanks… that did my job.
Sunday, July 27 6:49 am
this is so great! thanks a lot for saving my time to search on the decoding. fantastic!!!!
Tuesday, August 12 10:35 am
thanks so much, i have been dying to unencrypt one part of a template that i found but had some junk links plugged into it. i had found others that promised and others that had some ethical problems with unencrypting code.
Thursday, August 21 8:21 pm
awesome job man!! resolved my head ache so much.. haha… coders nowadays got so many ways to send their spyware, backdoor etc… gosh.. u’re great man.. by the way, nice theme.. hehe..
Friday, September 5 4:15 pm
AWESOME … COOL man,,it really works,,so i can edit any wp footer.. THANKS!
Wednesday, September 17 7:38 am
Please could some one decode this into php for me?
Wednesday, September 17 10:44 am
I’m guessing WordPress filtered out your comment. If you can’t post it here and you need some help with it or something, just email me whatever it is to josh (at) thespiffylife (dot) com
Wednesday, October 1 9:53 am
I have one that will not work in your decoder. It starts out with: eval(gzinflate(base64_decode(‘DZa1
and ends with: vf//n/wE=’)));
I put it in the form starting with the DZ and ending with wE=
a couple of times, and it said “Your string doesn’t appear to be encoded using eval(gzinflate(str_rot13(base64_decode(‘STRING’))))
or eval(gzinflate(base64_decode(‘STRING’)))
maybe you put it in wrong?”
I tried it with your example above and that one worked perfectly. Would you be willing to take a shot at it?
Wednesday, October 1 3:25 pm
just send me the code in an email to josh (at) thespiffylife (dot) com and i’ll see if i can figure it out for you.
Sunday, October 12 1:51 pm
nice job , you break http://www.rightscripts.com/phpencode/index.php …heheheh
Sunday, October 12 10:49 pm
Holy crap! I did it! It worked!
Josh, you have a very spiffy life! Thank you.
After searching the internet for hours trying to decode that wordpress footer, you took care of it in less than 30 seconds!
I added you to “my favorites”.
From now on, whenever I have a coding problem, I know right where to go!
THANK YOU! THANK YOU! THANK YOU!
Danielle
Wednesday, October 15 2:28 pm
@Rodrigo Gregorio
lol, you’re right. I just tested it with a really long PHP script I have to generate RSS feeds and mine reversed it no problem
Friday, November 7 12:37 pm
AWESOME! Saved me so much time. You’re the man.
Thursday, November 20 3:33 pm
Thanks for this
Friday, December 12 11:10 am
THANKS!!!
Monday, December 22 11:53 am
Hi there,
I have a “eval(gzinflate(base64_decode” that does not want to encode….. I have tried the decode method where you write a script and then it writes the decoded script in the file decode.txt, and I have also tried the plain decode php file, that is the only one that actually decoded one line of the code.. Can someone please advise me on what I can do to decode this….
Regards
Nickey
Monday, December 22 12:16 pm
You can generally change the eval function to simple echo instead and it should print out everything inside instead of run it. This doesn’t always work, it really just depends on what the code inside is/does.
It might be best to do something like
echo htmlentities( gzinflate(base64_decode('string')), ENT_QUOTES);
I’ve also had some luck with just doing a simple
file_put_contents('decode.txt', gzinflate(base64_decode('long string')));
and viewing that to see it.
Your mileage may vary because of how it was encoded or what’s hidden on the inside. If you still can’t figure out how to take care of it, feel free to send me what you’re working on to
josh (at) thespiffylife (dot) com
and I’ll see if I can’t help you out
Thursday, May 14 9:31 am
Great work, thank you!
Thursday, May 21 10:45 am
THANK YOU! What an awesome tool.
Monday, May 25 11:50 am
Thank you! I don’t get why they do this crap when you’ve paid for the WP theme…
Wednesday, May 27 7:30 am
I need source phpL0ckit decrypt. please help me. thanks
Monday, June 8 12:37 am
Thank for the script! It works very well!
Tuesday, June 16 3:58 pm
i have one file can one of you guys decrypt it for me?
Wednesday, July 1 8:02 am
thank you so much!
Thursday, July 9 10:24 pm
Not working for me. I have something different in the footer like this:
$_F=__FILE__;$_X='encryted-code-here';eval(base64_decode('another-encrypted-code'));
Which code should i take?
Thanks,
Boyz
Friday, July 10 8:12 am
That’s probably one that may need to be done in pieces. First decrypt (either using my form or by hand) this part: eval(base64_decode('another-encrypted-code'));
Then once you have the actual code from there, $_X will probably be visible and you can decrypt that.
Monday, July 13 1:42 pm
just change eval to echo.
Can you even call this obfuscation? might as well not even do it. Any one can figure that out :p
Tuesday, January 26 2:04 am
thank you. it’s working great for me
1 Trackbacks/Pings Not Shown.
Wednesday, December 24 4:34 pm
[...] NattyWP preloaded their footer.php file with one of these ciphers so that users couldn’t remove all of the “Created by NattyWP” links plus all of the other mumbo-jumbo they add to the list. Well, after a quick google search, I was able to decipher the cipher using Josh’s Random Non-Sense Blog (Big Thanks!). [...]