How to decode ugly eval(gzinflate(base64_decode
PHP, WordpressI just installed this great new theme, and i though everything is gonna be easy in customizing it. I don’t have a problem with keeping the authors link in the footer because its his credit and he diserve’s it but when he forces me trough this coded footer it becomes a problem. So i decided i want to remove this shit from my footer file. Where to start ? i didnt knew anything about gzinflate or base64_decode, so i googled after this things and came across this nice script that does all the job for you. As the author says a little disclaimer is needed so you don’t understand this wrong.
Disclaimer: I don’t condone modifying and distributing copyright files, this is simply provided so you can view the plain source to ensure your script isn’t doing anything malicious on your property ie server.
And here is the script and Link to authors page.
<?php
echo "\nDECODE nested eval(gzinflate()) from Taree Internet\n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents); eval(preg_replace("/eval/", "\$contents=", $contents)); } echo "3. Writing decoded.txt\n"; $fp2 = fopen("decoded.txt","w"); fwrite($fp2, trim($contents)); fclose($fp2);
?>
Now the first step you need to take is to save this code in a file named decrypt.php
Second step is to save your encoded file inside a file name coded.txt (make sure you get all the code, i noticed when working with notepad and very long code lines some of the code gets skiped, and you dont want that to happen as the script wont work)
And the third step is to create an empty file named decoded.txt
Now upload all three files on your webserver and chmod the decoded.txt file with 666
Next you need to run the decrypt.php file from your server like this : http://yourdomain.com/path-to-script/decrypt.php. It should display a message about the operation and say “Writing Decoded.txt”. Now you are done the decoded.txt file that was empty should now have inside it the HTML code that you need to place inside your footer.php file and edit at your needs.
Related posts
Thursday, February 21st, 2008 at 6:51 pm and is filed under PHP, Wordpress. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
This is like veeeeeeeerrryyyy usefull, very very usefull
, withouth this script i would not manage to remove those links from my theme, thank you very much
Usefull resource, i dont get it why do they force us to keep their links and god knows what other hidded code ?, thats not ok with me, good job with this decoder
Yes, its a very good script, but I dont understand something. I tried this script, but I get an another obfuscated code in the decode.txt.
So, what can I do?
Unfortunately the script cant decrypt every code, sometimes all you get its just another scrambled code. Im guessing that happenes when the code was crypted two times but i dont know for sure and i did not find any solution on this yet.
Hey guys glad you are finding the script useful.
With the few failures to decrypt i have found some were resolved when the user sent me his whole footer.php file and i decrypted it from his original. So obviously some of the original was lost, or their text file editor wordwrapped and broke the code somehow causing it not to decrypt.
If this is happening another thing you can try is, get a backup copy of your encrypted footer.php and just directly rename it coded.txt without editing it or copying/pasting with your text editing program.
Then just upload it and run the decrypt script against it. If that works you will just need to remove the opening and closing php tags and re-save your plain source file as footer.php and you are good to go.
The one case i have come across it hasn’t worked, it appears an encrypt program was used that done “something” to the code before applying the regular Eval encryption.
Because they didn’t encrypt the file, they don’t know what program was used which makes it hard for me to reverse what’s going on.
But this should work on 98% of eval(gzinflate(base64_decode encrypted files.
Thank’s its very-very helfull
[...] http://www.proxyutza.com/how-to-decode-ugly-evalgzinflatebase64_decode/ Posted in: Misc By Vina [...]
[...] take a look to these links Decoding eval gzinflate base64_decode str_rot13 | Tangential Musings How to decode ugly eval(gzinflate(base64_decode | Proxyutza blog Decoding eval gzinflate base64_decode – Web Design & SEO Company cyborgworkshop.org
I followed your instructions exactly as you wrote them and made sure that I used to original footer file as coded.txt to make sure there were no inadvertent changes, but I’m getting this error:
Parse error: syntax error, unexpected $end in /home/itscoldi/public_html/decrypt/decrypt.php on line 14
Do you have any ideas of what I might be doing wrong?
please try to get the code for decrypt.php from the original site located here http://www.tareeinternet.com/forum/knowledgebase/274-decoding-eval-gzinflate-base64_decode.html
than rerun the script. If any other error occurs from PHP please paste the respective line in a comment here
Thanks a lot, the original formatting worked perfectly.
you’re welcomed Eric
i had the same error
and i copied the script from the webpage that u guys said
Parse error: syntax error, unexpected $end in /home/defenestrando/www/thais/wp-content/themes/nap/decrypt.php on line 10
its probably a syntax error, try and paste a few lines before and after line 10, here, to see where’s the error
Hi there,
I got a good one for ya…
Apparently it doesn’t work the decodign script you gave us.
here is the link to the file:
http://djinsanity.nl/decrypt/footer.php
Just type it in your url line, then view page source.
As you all can see I set the eval to echo so everyone could see the coded lines.
To decode you probably need to set it back again to eval…
However… I was wondering if you all could give it a try…
It dpesn’t seem to work for me, but then again… I’m not a scripter
Hope to read more about it soon :O
Greetz,
insanity
nevermind… I got it already myself..And actually even in an easier way then we all might have thought…
Next time if anyone has a coded footer.php file, just go to your weblog or what so ever, just rightclick your weblog and view source page.
If you know wordpress a little you might already know a bit how a footer.php file should loook like.
Welll…. Just scroll down to the bottem of the page and just copy past the things that you need
That’s how I did it n the file above (A)
GL & HF all
yes insanity, but what if your footer contains php code, while looking at the page source you’re only seeing the result of the parsed code. this could mess-up your theme.
normaly the footer is php code, and the endresult is what you see in the sourcecode of the website.
I just copied what was logical: div class=”footer” and so on.
Copied all that and just pasted that in the footer.php file of the theme. The result remains the same because the output is the same, but then viewed in normal html. The theme doesn’t see the difference.
i understand that but what i meant is that sometimes(it happened to me) you have a php code like wp_footer that closes something from above and if you just take the output you mess`up the footer.
could you give me a link of a template that has that problem.
I’m just started to make videotutorials so I could share all the info with everyone. And if I found a solution to that then I”ll make a tutorial on that as well
Mail me at insanity@mxinflict.nl
i think its the theme from the blog but i don’t remember exactly because it happened some time ago.
i am working on something now so i don’t have time to test it. We’ll leave it for some other time
Sorry
No probs m8. I’ll just make a video tutorial, and if you like we could work togehter on that decoding stuff.. It seems you are a scripter.. I’m totally not, how ever I can make video tutorials to what ever means
Let me know if you are up for that..
thnx
Thanks a lot for this! It would be very helpful once it works but I’m having a little problem.. i think my encrypted code is too BIG (the file is 151k) … i’m getting this error
DECODE nested eval(gzinflate()) from Taree Internet 1. Reading coded.txt 2. Decoding
Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 53593088 bytes) in /home/vsmines/public_html/decrypt.php(9) : eval()’d code on line 1
is there anything I can do about it? thanks for your help!
Kerahna i think you need to increase the memory on your php.ini settings
Muito bom!!!
Parabéns pelo post.
Abraço!
Hey guys, i figured out anither easy way to decode footers. just replace the eval word with echo. now instead of giving the decoded code it will print it out. Now check your page source it will be there.
If you have a footer which does not have a eval function and have some thing starting like $o=”QAAA…… ” or $__F=__FILE__;$__C # then just run the php file as it is on server and them check page source!
but there are custom encryption where i can not help
More information:
http://www.karananand.co.cc/blog/2008/07/the-easiest-way-to-decode-decrypt-eval-gzinflate-str_rot13-base64_decode-or-__f__file____c/
Unfortunately that doesn’t always work.
What is the code was like 34 in word pages like I had?
Boaaaaa!!!
Greetings from brasil !!!
I’ve tried everything and I can’t decode the footer and when I take it out it breaks the theme (makes the background black and I can’t figure out how to fix it) Please help if you can! The theme is nt-greeny. you can see the broken version at http://www.solar-powered-home.com/
hello i been trying to decode this for a while and can’t seem to be able to decode it i looked every where for a decoder for this if any one can help me that would be great
eval(gzinflate(base64_decode(’YRZ4FR5O2hLZU+WGZpxFgJeBJqXAE+CAKSxxgEaqs7wWKhyMb3CdVNot4wWL8L7XepyKSdV6/OBU/KUX
aWE5t31bsWSK+cDuEtrKPMuaMiuB8DiwIXRY1y9m7zqfDjhfMjp5dDGMEqAz116ucaNBwNWZ3h4TZD55
zfrgu7mlXX3F1voHXlWjLqZRGTEtpp3qcVT4cUhhFnZijVGF9wZgDOsZQI9J7b2oGS4q08W+fBsgu2GO
0dV5tpGklwiS+qxxp9EMHh9ME6N++7IFRrtpd3TqGPi8toZaSVD3kEplDnGHnAjFaKP4qkDWiuMronc0
LMS0UYVZ0GQMX4SXPytcal5LQ6TNPqzs+CDIZVcEPSodxqhk4YmPN7ounAKS4kVQ76HEIuvsc66gZq6W
AE4NTbEOQf0mKuwE1q6nNJ7hfnL5QSohYFMSDn7qrmENStI2Pyu3pxpGn8hCFCnxOVAc4WM50n2LOGZg
mhNeBuBRdO4NNWofZ30ihNIbeDg5PDeQh75ULTgLWeJczAzc9819R0moksR+tsdOmV0vkyLeP4tn4nUw
nSgT948Z370OHC0FAabdZVfOFER9oGjqy20thq7DJYH2Ah8yNkfAGu9ubQx6KJCgmFoao4uNd00pbxWb
wxHxyyEZdTPJcHgpmpNJg/9FbdnidrlvmE5/5Oyc567cg+w89O7PBCWJGZWR47bSW0dCPU7aaxa55pgt
OWkgDF4lYGj6Wj7JlW2oLhgidKt1icu4XHHkgjfah30q4pgxBeUSLsfYVNbwWtyXPiqPSGrqxUPnFuuV
Eoaqgd2RV5jB+rDPkJP1DvBjwTK2KcE3lnYcMeKkNNYYEw6yMDbyxRC+WWZ2R6WapRVobMwKhVe/Dv7h
V46OnyNFJCx67FXeCnCtX+3h2XRFUjRMlX3KAM13rXji52cx0GRGm+/wTWN6yVdVu+N7QFvB+H3vLgU2
Vys4h7KZnLqk8Uab5D413I/odWu4EczoyxU1yj4OV+0N9VP/rjULKVonnFP16bYdqO5e/xtKx6WJzwQj
FnO4mE+u5ZZ8j6kARP1vaI9ozgt3fRT2E5xd3lC3XAY8pYo3GakiPb2D34bY5ZR5pzOogyDX4q7p4Pl+
yj/JpnR4as+ugQxD+jpkKBtNm98G2oqIaUuXZ7VR9fzmssSMki+aWngjCvy5TZDbSF/FAc3uA04d5xdj
T9YoDnUzQkhWQ/YMaeuYJRXyoEQU8IwRCqBo2aG6awv87aIAJgNUXPjWNjKRdeGBabg2wVWfwIMgaJcy
3mP2Z3JyJTATNKJ1GNkJGGrWNzAgdcl3Df5JPXwN1SorXWJiFpFijvGJstxuLaoGi+kiYMbvy+qghuxQ
p0U/cccCalNNx64kEyLtKAzlbF2exxlinuxC9XpPMaepXMXwAKu0DaZHn/yeVnq1G0MCUUAxJiTBDkFD
v+JL4njH2ZVgSmlsy6RQHAGcEpqG2vOC6gjkJYGfneC4VKP3B7gC11oLSa0TjRl2NIp7w/OIyu47dSJ5
HI3ByaEv8WnnxcFPx7Otd7IBVptq619+XHNYH9i9jPvms+TRBssSFLool6hY45uRdZhuWuHAuCeMLNyR
lEuq2KTvGMwUu9saWvjAT9vDXMzPn8N/AjsbcKzF4/PX9hU42njQSkh7Gm+6d5WNyA7gphhxhFS08tUO
lq2As713F79SlMuFqOkgNAx73TtFEOsTyj8V586pv1S9u2N++TPFKObMmg6sqjfw72K5bQtatLP6r8GW
nl+AZ59XNLN2/z0zxulmxNQhJnb4U99wtqp+AbzMjX9ieP1M8OJudXgMekJyA+UpIG6JtxYjrMInEROp
Eg+DeoE9UOWlanEInUJNEPAC8rfyx7dS8JWa4cmdj6XMXNUGDrDL4y15GtdTlhF/vNeDGuSHIVW0MI4u
hgJJlvOMln8nNW+NI0pPQB0XamK82z6vD+vjCAVsoNaTKou4HWLjOP4dgDRDAUmUgCWSp8UIxYtCgEfd
LN7AXL/E3IN7OcZ/CM6tL5OuzH3rs3RY7hlqDgyyxBmNw5U4JvZQ3sd6WJZcJHNFuWlOYi7okXPpeyAB
AVzF0ivfemi99LsGTxXk21UEuNEzY6Ux/Qj7WRJCR9JiCLkS+0LKY2npT9+COcexiT3G0PkrDSrGizw6
te3KlAgRmuuFJOvn57dRax7/Cmp1s2CZMpJBmtL6ZoiaWitwGcDE2hfD5enjo3iICxIsd8XvnaIdMJv9
ufhfssD5pWA08kG7Np84tO48O74KwA+82CIVZSjLE7PS6BO20xbGtTsijFQqb7OW6BukQz0eaqSWYONs
DoV9U7yW8/nYGojf+yAw3hD0FO0qHnfgLOv0SKf8akV5VhmNjc3K2QD1Or+ZEFdHMi5TFM0pyXqJ5naJ
hNcyyJRwSZojjojePZlfb9Rt9UtyCrTh4reeoIlztgvGuXUqOXzIPf9o+FTJ7Vw+8hPwED79rI0JwWTr
1NwcEuKpOvqbNNDNGwH5ne5cEmBv4CMEIKFNwDn2gGC1fO4ev9hZpti9+LRQ3lZaw+2aMIMisteKnYdA
6kNAzMFyz6c5rP0HQK4jb7m2Nhsh4zMppPaxuCgyOuT0r2BWkXyHZxA1X1Bkabjnw/GgO7DIhesuSQs9
XtrE5+ABOIBxqPDNboA+a7wm2XRzTLpjBTh58qOkOhMdeSK9Pq8Yqc5kWSiJLwilKtbeoChpy9X/dqMO
1m7Inleba0CAMTfW3E+NzdwOqp3zCuWUk2PRkR5J4a644GVf8glcIv0Gvl6O4BVSVoJe9sLsJaI4JedD
czmb3zIVAnrjfJ12PsVyu0H482L6WGsE/83vxsUXcH71A1zXeb6S0w3BCiuBwsn7r9fg33zozymn9Oj9
+2lP2G+AaDxO484T73jLKpSa4Nihty+4+DDbi7FTcVqyWstnn9ZrB1LRjFsg/alImKkEREb+bNGJC6Xw
+Ds15SugNQBKNtkglIi5bH+t+bKFebC1nijch1+2ohgKghfqcV3oo+SrVrZG2IqM4d7VH8T9+/BTHCcx
86OMgaG1ee5lKUbJBqatCfLr6tXVrl770zGcbE9Su/UUdeprjOHDizHV10rJXzwDcZP0ZkleSkEA435A
I/lqh9kdqikIrXxiiOjNFgzCxDAKWU9NqVffLuUNQ8P869bfR7pHcIK1DzeZuxOJxMtItLtwhxRLwX8J
uy1Kqra1Bxdm7aaJof3mvtSyHBLQXe2QZkvSpsHNtkGxZfEFmB7C40ni43Hebj8mqc/fxb/w5OJ+KvOs
9eNkNS+YDQ1z0ATDICOJDWTLZoVKbbUIjqCASPqgJBiiJAkATJ//7z9+/ff//zfw==’)));
Hey Tom,
Try this code:
$out=”PLACE STRING HERE WITHOUT THE EVAL() PART”;
$i=0;
while(strpos($out,”gzinflate(base64_decode(”)>0){
$i++;
print(”Loop $i “);
$out=str_replace(array(”eval(gzinflate(base64_decode(’”,”‘)));”),array(”",”"),$out);
$out=base64_decode($out);
$out=gzinflate($out);
}
print($out);
Cheers, VJ
Hope you can help, me
ICE_MAG TEMPLATE
i succefuly decrypted the footer.php file to html changed the 5 garbage links to mine, replaced the footer.php with decrypted code, but it looks like crap
everything is out of place
I think i have to encode it
back to gzinflate and then upload that,
I dont Know,
This is a link to download
this Wordpress Template
(Really Cool)
http://www.wpskins.org/download.php?theme=6370&url=/downloads/6370.zip
Tis Page have a decoder Great
http://www.3dmobility.com/decrypt2.php
Has any noticed that a lot of footer.php files now have two
eval(gzinflate(base64_decode(’… code text here…’
sections? I assume that this means the footer.php file has been encoded twice?
works like a charm.
However I need to manually removed additional “?>” at the beginning of decoded script and “<?” at the end of it.
Anyway, it’s very useful. thanks
[...] a blog post called How to decode ugly eval(gzinflate(base64_decode and provides a very useful script that will loop through the multiple encodings on a file to [...]
thx dude !
[...] can use the method outlined here on Proxyutza.com to create a little script in three steps that will let you decode and actually see what has been [...]
some times i used proxy sites to surf. The links are encoded from the actual link. Then How can i get the actual link.(how to decode the link)