Home/ Questions/Q 3624158
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T23:28:22+00:00

I was using a downloaded PHP template, and when I was well into manipulating

  • 0

I was using a downloaded PHP template, and when I was well into manipulating it, I realize part of it had been encrypted in what appears to be base64.

I tried a few online converts, with little luck.

I have this bit of code, followed by a ton of random characters outside the <? ?> tags:

<?$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=3804;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJzNzYWZaakc1NEhGcU1kTEFPZzl3Ykl6UFIvcGxLOCs3ZVVjeFFCV21ZMXVTNk5Ycmh2RENudDBFMlRvSmtWaXk9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>

I was able to decode it into this:

$O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);fgets($O000O0O00,4096);$OO00O00O0=(base64_decode(strtr(fread($O000O0O00,372),'3safZjG54HFqMdLAOg9wbIzPR/plK8+7eUcxQBWmY1uS6NXrhvDCnt0E2ToJkViy=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);

However, below that I have this code:

http://pastebin.com/Z2uMwS9C

I have no clue how to convert it. Any ideas? I think the segments of code are too long – I tried to use Notepad++ to convert it, and it basically said it was too long.

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Here’s my decompressed version of what we have so far:

    <?php
/* In the original file, this is __FILE__
   and __LINE__. I've hardcoded them in this
   script so that we can refer to the original
   file when actually running what follows. */
$this_file = 'original_file.php';
$this_line = 1; // originally __LINE__

/* Prepare the original script to be read */
$this_file_handle = fopen($this_file, 'rb');

/* Move the file cursor past the block of PHP */
while(--$this_line) {
  fgets($this_file_handle,1024);
}

/* Move the file cursor just a wee bit more,
   presumably to where the other data starts. */
fgets($this_file_handle,4096);

/* Read in the remaining data, run it through
   a character replacing function
   (3 --> A, s --> B, etc.), and base64-decode
   the result. */
$probably_malicious_code = (
  base64_decode(
    strtr(
      fread($this_file_handle,372),
      '3safZjG54HFqMdLAOg9wbIzPR/plK8+7eUcxQBWmY1uS6NXrhvDCnt0E2ToJkViy=',
      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);

/* Run the probably-evil code. */
eval($probably_malicious_code);

    If we use echo instead of eval at the last line, we get this, a third level of obfuscation.

    I N C E P T I O N

    Here’s a script that’s equivalent to what’s going on at Level 3:

    <?php
/* Pulled in from level 1: */
$this_file = 'original_magic.php'; // originally __FILE__, refers to original file
$this_line = 1; // originally __LINE__
$level_three_read_amount = 3804;

/* Pulled in from level 2: */
$this_file_handle = fopen($this_file, 'rb');

while(--$this_line) {
  fgets($this_file_handle,1024);
}

fgets($this_file_handle,4096);

/* Level 3 decoding: */
$level_three_code = ereg_replace(
  '__FILE__',
  "'".$this_file."'", //
  base64_decode(
    strtr(
      fread($this_file_handle, $level_three_read_amount),
      '3safZjG54HFqMdLAOg9wbIzPR/plK8+7eUcxQBWmY1uS6NXrhvDCnt0E2ToJkViy=',
      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);

fclose($this_file_handle);
eval($level_three_code);

    Echoing instead of evaluating the last line this time produces something close to our final effect:

    global $traction; ;echo '   </div><!--end main-->
    <div id="main-bottom"></div>
</div><!--end wrapper-->
<div id="footer">
    <div class="wrapper clear">
        <div id="footer-about" class="footer-column">
            '; if ($traction->footerAboutState() == 'true') : ;echo '               <ul>
                    '; if ( !function_exists('dynamic_sidebar')|| !dynamic_sidebar('footer_sidebar_3') ) : ;echo '              <li class="widget widget_categories">
                            <h2 class="widgettitle">'; _e('Categories'); ;echo '</h2>
                            <ul>
                                '; wp_list_cats('sort_column=name&hierarchical=0'); ;echo '                 </ul>
                        </li>
                    '; endif; ;echo '           </ul>
            '; else : ;echo '               <h2>'; _e( 'About', 'traction' ); ;echo '</h2>
                '; if ($traction->footerAbout() != '' ) : ;echo '                   '; echo $traction->footerAbout(); ;echo '               '; else : ;echo '               <p>'; _e("Did you know you can write your own about section just like this one? It's really easy. Head into the the <em>Traction Options</em> menu and check out the footer section. Type some stuff in the box, click save, and your new about section shows up in the footer.", "traction"); ;echo '</p>
                '; endif; ;echo '           '; endif; ;echo '       </div>
        <div id="footer-middle" class="footer-column">
            '; if ( is_active_sidebar( 'footer_sidebar' ) ) echo "<ul>" ;echo '             '; if ( !function_exists( 'dynamic_sidebar' ) || !dynamic_sidebar( 'footer_sidebar' ) ) : ;echo '           <ul>
                        <li class="widget">
                            <h2 class="widgettitle">'; _e( 'Pages' ); ;echo '</h2>
                            <ul>
                                '; wp_list_pages( 'depth=0&title_li=' ); ;echo '                        </ul>
                        </li>
                    </ul>
                '; endif; ;echo '           '; if ( is_active_sidebar( 'footer_sidebar' ) ) echo "</ul>" ;echo '        </div>
        <div id="footer-search" class="footer-column">
            '; if ( is_active_sidebar( 'footer_sidebar_2' ) ) echo "<ul>" ;echo '               '; if ( !function_exists( 'dynamic_sidebar' ) || !dynamic_sidebar( 'footer_sidebar_2' ) ) : ;echo '         <h2>'; _e( 'Search', 'traction' ); ;echo '</h2>
                    '; if (is_file(STYLESHEETPATH . '/searchform.php' )) include (STYLESHEETPATH . '/searchform.php' ); else include(TEMPLATEPATH . '/searchform.php' ); ;echo '                '; endif; ;echo '           '; if ( is_active_sidebar( 'footer_sidebar_2' ) ) echo "</ul>" ;echo '      </div>
    </div><!--end wrapper-->
</div><!--end footer-->
<div id="copyright" class="wrapper">
    <p class="credit">Powered by <a href="http://www.free-premium-wordpress-themes.com" rel="dofollow">Free Premium WordPress Themes</a> and <a href="http://thethemefoundry.com">The Theme Foundry</a></p>
    <p>Copyright &copy; '; echo date

    It’s a bit cut off for some reason, but it looks like the idea is just to include copyright while making it ridiculously difficult for you to find it. This is sketchy business; remove this code.

    • 0