Decoding eval gzinflate base64_decode

Admin · #1 09-20-2007, 08:00 PM

Decoding eval gzinflate base64_decode

There's a few applications around both freeware and paid that encode files or rather scripts so you can't see or modify the source. These encrypted files can be identified by the starting line which is like:

eval(gzinflate(str_rot13(base64_decode

Then it goes on with a mass of random numbers, letters and characters like 'FZi3ksTWEVJ/hZnITwDvV' and so on.

Now i'm all for people who wish to keep their code or intellectual property hidden so it's not stolen or modified, but at the same time i do like to know exactly what the given piece of code is doing on my server. Being encrypted like this, it could be doing all sorts of malicious things i don't want happening.

So, lets decrypt it and see if it's all legitimate.

Disclaimer: I don't condone modifying and distributing copyright files, this is simply provided so you can view the plain source to ensure your script isn't doing anything malicious on your property ie server.

Firstly, copy the below code in to Notepad and save it as decrypt.php

Quote:

<?php
echo "\nDECODE nested eval(gzinflate()) from Taree Internet <www.tareeinternet.com>\n\n";
echo "1. Reading coded.txt\n";
$fp1 = fopen ("coded.txt", "r");
$contents = fread ($fp1, filesize ("coded.txt"));
fclose($fp1);
echo "2. Decoding\n";
while (preg_match("/eval\(gzinflate/",$contents)) {
$contents=preg_replace("/<\?|\?>/", "", $contents); eval(preg_replace("/eval/", "\$contents=", $contents)); } echo "3. Writing decoded.txt\n"; $fp2 = fopen("decoded.txt","w"); fwrite($fp2, trim($contents)); fclose($fp2);
?>

Next step, copy your encoded file to NotePad and save it as coded.txt

Save a blank text file as decoded.txt

Upload all 3 files to the root directory of your server, then set the CHMOD on decoded.txt to 666

You will have:

www.domain.com/decrypt.php - Our decoding script
www.domain.com/coded.txt - A text file with our encoded script
www.domain.com/decoded.txt - A blank .txt file CHMOD to 666

Next up, simply visit www.domain.com/decrypt.php with your browser and you will receive a message "Writing Decoded.txt" and you are done. The decoded.txt file that was blank will now have your plain viewable source code.

Save the text file as original-filename.php and you will have a plain source code version of your encrypted file.

#2 11-19-2007, 08:34 AM

I tried your sollution to decode something, but it doesn't work with me. I got exactly the same code in the decoded.txt file. Below my code I need to decrypt.

<?eval(gzinflate(base64_decode(’ZC9bsMwDITnFOg7XD2 1g+PdVWSgS7t1CZCxkCLaixLqq
TECNCHrxX3ZwkXHu7IDyA7zh7qGpIG49B7ymirvn93WbDGmXOq +qCDhgofySjSIr4+PS
MrkR/M0UvEkbtqhVTFRtggUNRMoMjBXlpwQR0pH5X6ZxDzTzPG8nMdL nyRzH7dFPF
X931jjCgWQymfByMlZRI3gEE7dRswktU/ZuGEgGtMKWgh4W12U9dcS4QviIwV0hL6SAS
RW+x9uIXNPswha5roB4mDjypESgn7q124rAnLtVjq9yH/XXp1uQqdJ8tZ9w0=))); ?>

Admin · #3 11-19-2007, 10:04 AM

Quote:

Originally Posted by Unregistered

I tried your sollution to decode something, but it doesn't work with me. I got exactly the same code in the decoded.txt file. Below my code I need to decrypt.

<?eval(gzinflate(base64_decode(’ZC9bsMwDITnFOg7XD2 1g+PdVWSgS7t1CZCxkCLaixLqq
TECNCHrxX3ZwkXHu7IDyA7zh7qGpIG49B7ymirvn93WbDGmXOq +qCDhgofySjSIr4+PS
MrkR/M0UvEkbtqhVTFRtggUNRMoMjBXlpwQR0pH5X6ZxDzTzPG8nMdL nyRzH7dFPF
X931jjCgWQymfByMlZRI3gEE7dRswktU/ZuGEgGtMKWgh4W12U9dcS4QviIwV0hL6SAS
RW+x9uIXNPswha5roB4mDjypESgn7q124rAnLtVjq9yH/XXp1uQqdJ8tZ9w0=))); ?>

Hello,

I had a shot as well using 2 different methods, and same thing i was unable to decode it.. Which is quite strange because it's the first piece of encrypted code like this that hasn't worked out of hundreds.

If i can get it to decode i'll post it up here, but so far not looking good. It may of been encrypted twice using the eval(gzinflate(base64_decode method last which is why it doesn't want to go back.

#4 11-19-2007, 12:12 PM

Thanks for your help. Ofcourse I understand that developers and designers protect there copyright, but this is really frustrating.

Stephan

#5 02-08-2008, 09:06 PM

Looking at the problem code block posted here, I see you have included the <?php ?> tags, which I think is wrong.

Also there is a single angled quote mark at the beginning of the block - it should be a straight one - and no quote mark at the end. This will cause problems.

Lastly there are whitespaces in the block. I don't think this is right. Best review the whole block thoroughly / start again.

It's been working fine for me when other decrypters failed. It is indeed good to know that commercial code is free of mal/ad/bug-ware. So a very big thanks the author.

#6 03-05-2008, 04:19 PM

Hello.. I followed every step but it still doesn't work..
It says: DECODE nested eval(gzinflate()) from Taree Internet 1. Reading coded.txt 2. Decoding 3. Writing decoded.txt..
Thats hopefull.. But when I looked in decoded.txt it was just the same code..

Code:

<?php $__F=__FILE__;$__C='Pz48L2Q0dj4NCiAgICAgIDxkNHYgNGQ9ImYyMnQ1ciI+PGJyLz48YnIvPkQ1czRnbjVkIGJ5IDwxDQpocjVmPSJodHRwOi8vdzViaDJzdDRuZ2c1NWtzLmMybSI+VzViIEgyc3Q0bmcgRzU1a3M8LzE+IDFuZCA8MQ0KaHI1Zj0iaHR0cDovL3QycHdwdGg1bTVzLmMybSI+VDJwIFcycmRQcjVzcyBUaDVtNXM8LzE+LjwvZDR2Pg0KICAgICAgDQogICA8L2Q0dj4NCiAgIA0KPGQ0diA0ZD0iY3I1ZDR0Ij4gDQogDQoNCjwvZDR2Pg0KDQo8L2IyZHk+DQo8L2h0bWw+';eval(base64_decode('JF9fQz1iYXNlNjRfZGVjb2RlKCRfX0MpOwokX19DPXN0cnRyKCRfX0MsIjEyMzQ1NmFvdWllIiwiYW91aWUxMjM0NTYiKTsKJF9fQz1lcmVnX3JlcGxhY2UoJ19fRklMRV9fJywiJyIuJF9fRi4iJyIsJF9fQyk7CmV2YWwoJF9fQyk7CiRfX0M9IiI7'));?>

Admin · #7 03-06-2008, 05:15 AM

Quote:

Originally Posted by Unregistered

Hello.. I followed every step but it still doesn't work..
It says: DECODE nested eval(gzinflate()) from Taree Internet 1. Reading coded.txt 2. Decoding 3. Writing decoded.txt..
Thats hopefull.. But when I looked in decoded.txt it was just the same code..

Code:

<?php $__F=__FILE__;$__C='Pz48L2Q0dj4NCiAgICAgIDxkNHYgNGQ9ImYyMnQ1ciI+PGJyLz48YnIvPkQ1czRnbjVkIGJ5IDwxDQpocjVmPSJodHRwOi8vdzViaDJzdDRuZ2c1NWtzLmMybSI+VzViIEgyc3Q0bmcgRzU1a3M8LzE+IDFuZCA8MQ0KaHI1Zj0iaHR0cDovL3QycHdwdGg1bTVzLmMybSI+VDJwIFcycmRQcjVzcyBUaDVtNXM8LzE+LjwvZDR2Pg0KICAgICAgDQogICA8L2Q0dj4NCiAgIA0KPGQ0diA0ZD0iY3I1ZDR0Ij4gDQogDQoNCjwvZDR2Pg0KDQo8L2IyZHk+DQo8L2h0bWw+';eval(base64_decode('JF9fQz1iYXNlNjRfZGVjb2RlKCRfX0MpOwokX19DPXN0cnRyKCRfX0MsIjEyMzQ1NmFvdWllIiwiYW91aWUxMjM0NTYiKTsKJF9fQz1lcmVnX3JlcGxhY2UoJ19fRklMRV9fJywiJyIuJF9fRi4iJyIsJF9fQyk7CmV2YWwoJF9fQyk7CiRfX0M9IiI7'));?>

Unfortunately that's using a different encryption method to what this script decodes. For this one to work your encrypted code needs to start with eval(gzinflate(base64_decode

The actual encrypted string itself does look similar, and midway through the code it has eval(base64_decode( so i tried taking just the string after that end decoding it however it wouldn't work either.

The $__F=__FILE__;$__C= has got me, i'm not familiar with that encryption string. Is this from a commercial script or something like a Wordpress theme? You can PM me if you don't wish to post it, but i'd like to work out what's going on with this one.

#8 03-12-2008, 06:22 PM

I have tried used this method on this code string but I can't get it to decrypt. Any help is appreciated.

<?php eval(gzinflate(base64_decode('lVJNT8MwDD3TX2HCZUi0 FVdIM8EEAgkJhKZxnLLWXSK1cUjSVfDrSdvxJeBATo797Pf8MR cJr/QOdFWwmiigYyI5gPgSAG4Fr8kE8PoVC3bKoJZlNFboKmnkCVw4 LZsTuMFmh0GX0eOl8alHp2smHqhHhxVsXoBLUA7rgqkQ7Fme9+ Qq69D7zDpisLxd3l0V7NohwtN7CJYKW/Rsr6GkhlzBjhbjY+ITlwxyJzDPB6zguRQZLBzKEPkvf+Hv+2wr 202DijqPWUnth4qVLGXQZOARTZDNnwLuTaMNTuwL6bWhb+yXjr qtCr92H9l7G0bFdex5oM8ZBB2aON3/D+BH7x+m3S+TH6Yp8LlVFrBUBFsMa9O16+curgr97Pgc5gL2v2 yPDLpFt/aB7Ox0AngsyVQRkKZi6PuA5/F4xFj9aDqfMZR89XdG79B5hEzVGNcxAUaG3q6nrNlxLD+kbah6 iSeZq9A2YgQl8AY=')));?>

Ps. this code is from a Wordpress theme footer.php which is weird...

I just got it to decode using this code....

<?php
$a = 'lVJNT8MwDD3TX2HCZUi0FVdIM8EEAgkJhKZxnLLWXSK1cUjSV fDrSdvxJeBATo797Pf8MRcJr/QOdFWwmiigYyI5gPgSAG4Fr8kE8PoVC3bKoJZlNFboKmnkCVw4 LZsTuMFmh0GX0eOl8alHp2smHqhHhxVsXoBLUA7rgqkQ7Fme9+ Qq69D7zDpisLxd3l0V7NohwtN7CJYKW/Rsr6GkhlzBjhbjY+ITlwxyJzDPB6zguRQZLBzKEPkvf+Hv+2wr 202DijqPWUnth4qVLGXQZOARTZDNnwLuTaMNTuwL6bWhb+yXjr qtCr92H9l7G0bFdex5oM8ZBB2aON3/D+BH7x+m3S+TH6Yp8LlVFrBUBFsMa9O16+curgr97Pgc5gL2v2 yPDLpFt/aB7Ox0AngsyVQRkKZi6PuA5/F4xFj9aDqfMZR89XdG79B5hEzVGNcxAUaG3q6nrNlxLD+kbah6 iSeZq9A2YgQl8AY=';
function a($a){ return gzinflate(base64_decode($a));}
while(!$b){
if(substr($a,0,4) == 'eval' || !$count){
$a = a(str_replace(Array('eval(gzinflate(base64_decode( \'','\')));'),'',$a));
$count++;
}else
$b = true;
}
echo $a;
?>

Then I just went to view page source and copied it over the encoded footer.php code.

#9 03-15-2008, 06:48 PM

i`ve got the same problem with my footer ... but i didn`t get how where u able to fix your problem

#10 03-22-2008, 03:21 PM

It is very easy for you to decode it....

just create a php file with below code and run it from any php server. Once the page is loaded, just check the page source.... and that's it.... there you can see the original source

<?php

echo gzinflate(base64_decode(' ...... Your Encrypted Code Goes Here ......... '));

?>

Best Of luck......
Visit my Site: www.green-tea.co.cc