For reasons unknown, some dumb ass at WooThemes decided to encode certain files in their themes. This mainly concerns the footer.php with links (read: spam) to WooThemes and the index.php which calls the footer.php as an include. Luckily the coding was done by some 12 year old coding amateur, so I got around it in about 10 minutes. Below are the instructions how to decode the WooTheme files. I’ll be using one of the footer.php themes as an example, but this works for any file that’s been “lame-ass-encoded”.

The “encryption” consist of base64 encoding the actual page, replacing some characters in the resulting code, again base64 encoding the code needed to decode the first part and finally using a simple php reversed function to call the base4 decoding routine. Below is how to permanently reverse the process. For this you need a code-editor (obviously) and a running WordPress installation that holds the theme you want to un-encode.

First step is to remove the 90’s technique of putting the entire code on one line which makes it hard to read and is most probably done so people won’t notice that there are actually two encoded parts and will fail when trying to use a base64 decoder on the first part. Just use find-and-replace in your favorite editor and replace every ; with a ; followed by a return-code. If you don’t know how to enter a carriage-return as a replacement string, just manually hit enter after every ; since there aren’t that many. Your file should now have three clearly distinguishable parts (apart from the php opening and closing tags):

<?php $_F=__FILE__; 
$_X='Pz4JPGQ0diBjbDFzcz0iY2w1MXIiPjwvZDR2Pg0KCQ0KCTxkNHYgNGQ9Im... 
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF... ?>

 

$_F will be assigned the name of the script being executed, in this case footer.php $_X will hold the actual final code. It LOOKS base64 encoded, but some part are replaced so that standard base64 decoding routines will break on it and the person trying to decode will think it’s not base64 at all and just give up. (At least I think that’s the idea behind this amateur protection.) The part inside the Anyhow, we first need to know the code in the third line that will decode the part in the second line. For this, you can use just any plain online base64 decoder. I used this one, but any base64 decoder will do. Just copy the entire string between the two quotes (’) in the third line, paste in into the decoder and decode. In this example, it will return a single line of php code: $_X=base64_decode($_X);$_X=strtr($_X,’123456aouie’,’aouie123456?);$_R=ereg_replace(’__FILE__’,”‘”.$_F.”‘”,$_X);eval($_R);$_R=0;$_X=0; Just do the find-and-replace trick again so make it more readable, and you’ll end up having:

 

$_X=base64_decode($_X); $_X=strtr($_X,'123456aouie','aouie123456'); 

$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); eval($_R); $_R=0; 

$_X=0;

 

As you can see (or maybe not) this routine will alter the code in $_X and put a resulting string in $_R. It is beyond the scope of this topic to dive in to deep about the actual how and what, if you need more info, read the php manual. Just replace the entire third line of code in your .php file (eval(base64_decode(‘JF9YPWJhc2U2NF9k…) with the code above. The result will be something like:

 

<?php $_F=__FILE__; 

$_X='Pz4JPGQ0diBjbDFzcz0iY2w1MXIiPjwvZDR2Pg0KCQ0KCTxkNHYgNGQ9Im... 

$_X=base64_decode($_X); $_X=strtr($_X,'123456aouie','aouie123456'); 

$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); eval($_R); $_R=0; 

$_X=0;
?>

 

At this point, your page will still look the same. The only thing we did so far is decode the routine that is needed to decode the actual page.

Finally, we need to know the resulting code of the page, so instead of parsing it through our php engine, we need to just echo it. Therefore we need to replace theeval part (which will execute the contents of a string as plain php code) with a simple echo command. To make it easier to find the code in our final page output, you might want to add some starting and ending markers that are unlikely to appear anywhere else in the page and are easy to find. The example resulting code could be something like this:

<?php $_F=__FILE__; 

$_X='Pz4JPGQ0diBjbDFzcz0iY2w1MXIiPjwvZDR2Pg0KCQ0KCTxkNHYgNGQ9Im... 

$_X=base64_decode($_X) $_X=strtr($_X,'123456aouie','aouie123456'); 

$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); echo 'startcode->'.

$_R.'<-endcode'; $_R=0; $_X=0; ?>

Save this final result and (re)load your WordPress site. You’ll notice the page looks messed up, that’s okay for now. Use your browser to search for the starting tag you made up in the SOURCE of your page, NOT the displayed page in your browser. Use “view source” or whatever command your browser uses to look at the actual code of a page. In this example, look for “startcode->” and copy the entire contents up till the endcode you made up. This will be the final code that you can use to replace the entire encoded page. WordPress might have added an additional php closing tag (”?>”) at the start of this code, which you should of course delete.

Any questions left? Just ask!

Happy hacking!

evalcommand IS base64 encoded and holds additional “programming” to correctly decode the first part. Since this part was originally at the end of a very long line, the braindead person who made this up probably figured noone would bother to look any further than one screen wide, or just blindly jump to the end of the line and assume that the base64 string was just one long piece rather than two parts.

For reasons unknown, some dumb ass at WooThemes decided to encode certain files in their themes. This mainly concerns the footer.php with links (read: spam) to WooThemes and the index.php which calls the footer.php as an include. Luckily the coding was done by some 12 year old coding amateur, so I got around it in about 10 minutes. Below are the instructions how to decode the WooTheme files. I’ll be using one of the footer.php themes as an example, but this works for any file that’s been “lame-ass-encoded”.

The “encryption” consist of base64 encoding the actual page, replacing some characters in the resulting code, again base64 encoding the code needed to decode the first part and finally using a simple php reversed function to call the base4 decoding routine. Below is how to permanently reverse the process. For this you need a code-editor (obviously) and a running WordPress installation that holds the theme you want to un-encode.

First step is to remove the 90’s technique of putting the entire code on one line which makes it hard to read and is most probably done so people won’t notice that there are actually two encoded parts and will fail when trying to use a base64 decoder on the first part. Just use find-and-replace in your favorite editor and replace every ; with a ; followed by a return-code. If you don’t know how to enter a carriage-return as a replacement string, just manually hit enter after every ; since there aren’t that many. Your file should now have three clearly distinguishable parts (apart from the php opening and closing tags):
<?php $_F=__FILE__; 

$_X='Pz4JPGQ0diBjbDFzcz0iY2w1MXIiPjwvZDR2Pg0KCQ0KCTxkNHYgNGQ9Im... 

eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF... ?>

$_F will be assigned the name of the script being executed, in this case footer.php $_X will hold the actual final code. It LOOKS base64 encoded, but some part are replaced so that standard base64 decoding routines will break on it and the person trying to decode will think it’s not base64 at all and just give up. (At least I think that’s the idea behind this amateur protection.)

The part inside theevalcommand IS base64 encoded and holds additional “programming” to correctly decode the first part. Since this part was originally at the end of a very long line, the braindead person who made this up probably figured noone would bother to look any further than one screen wide, or just blindly jump to the end of the line and assume that the base64 string was just one long piece rather than two parts.

Anyhow, we first need to know the code in the third line that will decode the part in the second line. For this, you can use just any plain online base64 decoder. But any base64 decoder will do. Just copy the entire string between the two quotes (’) in the third line, paste in into the decoder and decode. In this example, it will return a single line of php code:

$_X=base64_decode($_X);$_X=strtr($_X,’123456aouie’,’aouie123456?);

$_R=ereg_replace(’__FILE__’,”‘”.$_F.”‘”,$_X);eval($_R);$_R=0;$_X=0;

Just do the find-and-replace trick again so make it more readable, and you’ll end up having:

$_X=base64_decode($_X); $_X=strtr($_X,'123456aouie','aouie123456'); 

$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); eval($_R); $_R=0; 

$_X=0;

As you can see (or maybe not) this routine will alter the code in $_X and put a resulting string in $_R. It is beyond the scope of this topic to dive in to deep about the actual how and what, if you need more info, read the php manual. Just replace the entire third line of code in your .php file (eval(base64_decode(‘JF9YPWJhc2U2NF9k…) with the code above. The result will be something like:
<?php $_F=__FILE__; 

$_X='Pz4JPGQ0diBjbDFzcz0iY2w1MXIiPjwvZDR2Pg0KCQ0KCTxkNHYgNGQ9Im... 

$_X=base64_decode($_X); $_X=strtr($_X,'123456aouie','aouie123456'); 

$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); eval($_R); $_R=0; 

$_X=0;
?>

At this point, your page will still look the same. The only thing we did so far is decode the routine that is needed to decode the actual page.

Finally, we need to know the resulting code of the page, so instead of parsing it through our php engine, we need to just echo it. Therefore we need to replace theevalpart (which will execute the contents of a string as plain php code) with a simple echo command. To make it easier to find the code in our final page output, you might want to add some starting and ending markers that are unlikely to appear anywhere else in the page and are easy to find. The example resulting code could be something like this:
<?php $_F=__FILE__; 

$_X='Pz4JPGQ0diBjbDFzcz0iY2w1MXIiPjwvZDR2Pg0KCQ0KCTxkNHYgNGQ9Im... 

$_X=base64_decode($_X) $_X=strtr($_X,'123456aouie','aouie123456'); 

$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); echo 'startcode->'.

$_R.'<-endcode'; $_R=0; $_X=0; ?>

Save this final result and (re)load your WordPress site. You’ll notice the page looks messed up, that’s okay for now. Use your browser to search for the starting tag you made up in the SOURCE of your page, NOT the displayed page in your browser. Use “view source” or whatever command your browser uses to look at the actual code of a page. In this example, look for “startcode->” and copy the entire contents up till the endcode you made up. This will be the final code that you can use to replace the entire encoded page. WordPress might have added an additional php closing tag (”?>”) at the start of this code, which you should of course delete.

It will pleased me to help you and if you make any donation to support me. Any questions left? Just ask!

Happy hacking!

Credit : http://adf.ly/2QCDn

Incoming search terms:

• x=strtr($_x ’123456aouie’ ’aouie123456’);
• decode songs encryption
• woo settings encode decode
• woo theme base64
• wootheme base64
• woothemes base64
• woothemes base64_decode
• woothemes footer php decode
• wordpress changing woo theme
• wordpress encryption decoder