
Decoding: eval(stripslashes(gzinflate(base64_decode

  • # January 16, 2011 at 3:18 pm

    I am working on a non-profit website, and the template I got has “eval(stripslashes(gzinflate(base64_decode” encoded in the footer. I cannot run a website that has encryption; it could have malicious code. Can anyone help me to decrypt it?



    < ?php eval(stripslashes(gzinflate(base64_decode("rVdtb9s2EP6cAv0PZw6I7WKJ0gErML8iTZ00A+YYSYagnwxaoi02EqmJVBIvzX/f8UUvdpysxfbFEMnj3XP33B3P4xEMgojfjd6+2dsDgEHr4AAm009wcjG9nkyv4eDAHJUy0BS5uTyezSaXXsRImZOPk7PzKZxeXFxXRwO8DDwakqWUmuXE7o2zOAO+7KyYnstMcyk67YVMovXcSc1paDZVu9saEiFJFx7HFqXVpvQ6YUNyzyMd9377cJQ99CGl+YqLHhwBLbTsQyYVNyp6OUuo5nesby2jBgpxzpZD8hOxsFQs7z/ziBF4BZWHM49RsN0dDgl+REyQ7iMLYwltj2hBw9tVLgsRHVT2j+Dg/YfsgbT7T+PR6AqtBcYcnFpH4dhpHgTU+VfxUXlbx87L/h9II66yhK57Qgrmobno7LR4LoRnbu817vQ914a8QrHcMkdgfx+eyyEhTGkUZ0xXDD+CY7iBwevzhhvUxVpnvSDw54ehTAMHy/r4b8D6aIlAmFClhsTFi4xOZZLIe/hTtUoqmkgc4gpIEyL6UO8/wz4vsgjvzhNurtfsWtnN1YbKj1JrmW7daC42vq3vT+iWFfObKsx5pkGvM+RbswcdfKV31O0SUHm4M461jAoWiVytcP+rMkDc7ug/aVeaaiRBBYaJueYpS7hgP0oeApJiHNIkMQU39AInfv3LPk2zfohVqIdOsYO8M2VFkS4MEhNz120wE324X8CzdaXvpZ9Yolh51d0l70l1anKuom4zlCXxfxU8vD2RQmNOVrKZa1JFGDKlqqz161StCOyoaOx1X2SRA0spTyCmChaMCVBM6BZcx1TcwloWmOkZmtkwtKCRvVRZYnku81fszBJGFQPUjM1sbYwKmrKfgUKKAOmKARURru5owiMPiEZRjoeHzv6mdST5Dkv+e8033FziD4sO4TpfA11RLsBUbd6wsjdYojJwJT8kLjlMknOxlJ22ZmlmrsyLPHGJFmDEIqP8ECUJeqRjiTCxt2vyjLJT1E02Oof3IWFLfWVemLrWuciKZvEQE58CF1UEG/qndmk2sVPa7+B7NXkuK1UTt3a6/OELylSxSLkuZcuVS0bzbWUra1cYKBLsalQbocj5Kt6OhUFNc0abAU1TTKjSduiXI+uST6u3bwZBeXO32aYz/hGsTVyykHGbaM5GXq29Q6+2pNAxPrcRbHextBuumxx73qTrz8aX69uNyaZ+eW94hHYV2fks+8Pms7xj/ro5/3Q2KYe46pkI3oG7zv9mESjkYkFzeBeUTRI60FoWwtbInD3gu6U67WiNYeLh3Iu3u/DtG7S2djtthw5Pu9DD8vExFBFf9uvXvZwgN1BeNWDWjpxczL5cnp99bjpRRiKU2dqmU11zfjKBzi7GvDSCG4yg0eVdq1YaO7LCJI2Z6mwsXtXVrdr/Vv93Wtu/F0rDSoKW2HZZyuDCalIwKzsji7iGSiOYlG7XOscjeDYf4FzJfl2U88HWSGQOjUqZHwozmNzIPJqZZuvs2znzxTGiHv8bYd9rzhQN6Y1Udh/V34AGvZa4Uq46/OP4fLrxD2I3d+BnWkGTteahqsiDRxuXH6auoQmpMzqebGIaiAsZrS3WWKcJ5u4/")))); ?>

    There may eventually be a PayPal button for donations and private info.

    # January 16, 2011 at 3:59 pm

    http://jsfiddle.net/8hEYK/ is the decoded section, I have no idea why it is encoded.

    Maybe to prevent spam bots from entering the form detail? Maybe for speed?

    # January 16, 2011 at 8:02 pm

    U RULE! I was always told, if someone is hiding something, you should be careful.

    Would you please let me know how you did that? Please.

    # January 17, 2011 at 4:16 am

    If I’m honest I just took the risk and pasted into a php file, but I don’t see any advantage to encode and compress?

    A safer option is to use a utility like: http://www.tareeinternet.com/scripts/decrypt.php

    but this service had problems serving the result yesterday.

    # January 17, 2011 at 6:01 am

    Here’s the whole output of that.


    # January 17, 2011 at 7:45 am

    Thanks guys!

    # January 17, 2011 at 8:26 am

    @clokey2k

    On the TareeInternet link you have to remove the stripslashes command because the utility is not set up to understand it

    # January 17, 2011 at 3:03 pm

    Yeah, I overcame that issue, but the result overflowed into the actual HTML of the page, closing the text box and flowing down the page to the button.

    # January 17, 2011 at 3:06 pm

    A lot of free templates will include malicious code like that. I would be wary of where you got it from.

    # January 17, 2011 at 3:07 pm

    I have tried this website. http://www.tareeinternet.com/scripts/decrypt.php

    But so far it did not work in decrypting this type of code. I do not know why.

    # January 17, 2011 at 3:33 pm

    @creative see TT_mark’s comment, you need to remove the ‘stripslashes’ and its corresponding brackets.

    # July 7, 2011 at 10:16 am

    http://love-xb.us/tools/dec.php
    use that

    # March 14, 2012 at 4:30 pm

    Hey, can you help me? I have an encoded PHP file but I cannot deal with it ;/ Please help

    eval(stripslashes(gzinflate(base64_decode("DZfHDsTGEUR/RdBJBg/MCbYskFzmzGW+GMw5Z369d+4DVM1UvUb/89///DPX8x/FmfR/bfvazFufbHWx/VW9zVj2yV78lSZbQWD/y4tsyou//vzEpfBukZ5O/hm73/WkpsYVV9+L20IXc7eOO9ynQUtA2Jg+hZe0QIoEQSpGhqDE/dA8n1eCD5LkTcIAQsAFEdh7g84Be6s/sL4q4dIr4tcryTd9xekWUXQoZIJ5avomc18v4pwOdzCjKMUZb4KQK+4tebjcyqn7VnJZC3IPWLOPts3wcHTQH4zcLWxs9YKDMEHBp8vDsyqZNCB+Mcau0PG+cE6F5AsCF1LLOgakuR2IOOK2f6YB862vFGExuFuikZN4q8cMcBLfAJP4A+OxebaUDXnOXhJ9h6DdSZl6iSa01TQaTaSGS9kAi0EYStg6xqhpWS48XsmY5JKlDL70ZG/E3fbc3kWM9+QeHNuaHNgxkWu233+8IqJgT/D5WROtXdK/+OO1gytym8UGJq411zsjC6JQOPKazwmpdljczVMiK9+hxiKYLLFi6oHIee+gGCGs4XLRLXaa5WIn+EgNWHTqPLBDiCZ4ekZPscD5Qp/7UJA3jnjT5Czm1IpkeVT6mcrSQthMyBWTPbA55rfkqOfQFSth/BTjSdzoiU2EWPgtwoJQ8YVkpLL/KoREh1qhRkasep294IUK9Zaar2jswVE8GlohfLUBXa+7ekjRCxvjbqhaG6EBG7CpymyHxUsA2zADhKNPedcr0Cn+mNkl1ekGLeKpCOr7ByhuAr24w0+CFN2onXifzcvdgW7R6QR9nhSqpGZjBSVWk2PtZvLTCyhiiYMg8IA5AoZUkKMZtgsgZchIJ+tPd7AnhoyvsodK4Q5DiTZdOABG2FbZN6MvvPEJndg2SQDNrML0ab2JMRHn9863L772zfcYnQRCml4z/AodRIrAAfnNWiRnAAJ8y/ORmGL4tnbaw9tuNAQM6AKe9gBJWoqxgmOjj4TcbqH6doWDNLLFD/hXeakvGAwU2T6yy7aEt5R1NNQHeo8f+ohldt5ZWPKrkAEreAdMWS9eNIVkaKB2NM7tz5Q7ivGt59ecTwrTg9cl+dzV0Do7hWsSFrm+7nIslExDvyOr61M03NK78+xcAA/udmLp8/SKinDhvpy5twgTY5pZ9zk1U9QhFanjBUF1hZfNHKjWdVUYBAfVGFJx7C9Wj/pYkU9MVaEHu/pqDIyO9a8eSHQPGezsJaKR8qKzkna+ElRM0Fc90Ifx2RUYGiMvq+W5ATbKn4putdkDoLdvd6FFN49Kp1sW+k0oUgSwmnhNNluXeDOIUrtm32Sn2DDTW+8N57xbs4TDKrRklY7wZxr6/jV77KvbXhyFgzkiSq+ez34GPkxiprVRJPBLCpv0ZBQDuq45TFtMe9WT6PUpfkCEhXHdrbi3CyxUezxyYBdFC/KQwQ13596mYS5gz2K+wr5Q5JKNujI+iSOQjHNMs+0kjDXJO7ZNxEwK7HsEVT98UqmmOxTLtor3XQbnN+ZdmG7Z4jEVe+xjUbmu6zjxPeKGozNXYu9V7ubvo0gkEfxKQ6cb5Nqdn6pNztc2Wx9iTGy1DfA+Kbb8wXfw/HFlzrerNrO5V9vx4HA67U6eaoiIcqX5xt37HJ4hN/GvAZPx2w0l0Wa08uZ/iayBr46k5vG0JdGpBE58BNbUXk+35WT7Op6RJWxAx9TMSwSJ3G57lLM8GGi4r3mqv7tXo80nYH8vKQsvQ3/mh31SFWBVKKsEZOGHzHkZIdouskx8i/0QvNf4dJwzi42JqPq5UjsHQXFQTtmgt8nmKdtI4feu63nw9IlQbWRslr3eer+InojAndF+76AhEIavnvHmeH4W5+CClhcKhr3CvFBF4ywFjjyWbRYl2e71irCNXDzqxYm6iGwAgvSRy+8z3NuzPC6P9WqKu45Qv8iLkaOZ5vM0l
DA60vEyxEatNpT/+GTVGr4XPM2x3iWio7x1diVChlHbSl+Sh08gsviYd7+A7/6UwlK4ODSa06hDJfJi5YGkSA9DE7Ha5bmQqRCFxKaV01O41VXMy71hVK+7uKhItTu0Q2pRdRKMW4mLLYDfMUz1WRVNW5kSr/RV28pT5KfVCQxbzcoaWuEJm3B8SYWPTzTmrlUxTkIP4oETS1BWrgnGVFSTOUrp5+ey+wA6tstpyztC8z5AvTf6rCXOWD+FUeZbeZeuuBX5mbw+TjPMXOgawR2Y4V274rQv+F6rvaasbQgY12LCU+nfEVzXh3IJvuYgyR+w2MVurEdXuazwTSK6WEzjl2TDSt1SJnyTRBAo/QPVrUaJYGA4ZEJ/fgC/AliThA0xw8RVLX57R14rCOCieReK8I+gpjAY04cK969UMtQpUwdg9FPbqHOZ0xAmoXY2deCAKdB27bX8NRu+fovAmUt8dF2c0YfiuzhTcxfsLUZj4EPNTxSZlshvml6li2ATAXGbn3A7PzSqu+tAPPm86bnd4QADzGN5ZivIQttL+qq4H9tMafPt07KVvPEuQcNaINCvdh9l8kIqen+gX0JsE7AKPflqJRE5eW9+TERDVuxZ78raEOMrWnh/laGIrEYA7Fc+6HhEfjzrIAAMZOxQimg1fGF52eX5KncuGXCF3POoCymjKtBpxEHXafRw0FxHEYiIRkNLgyCUrdNDoUbM4XOZ20Ier+F7jIhFZ5tyamvq/QQ2d8dlcKb47+JCd0JGly20S1YXPQM53ri0agBAKynNq/IdeLwMb4/NcnKjZuydfze7Vg+DeywDocb1Y0PvIuSAm+w1fqKX/qmFAs7FofPWi4/8/N1v4lygr6oq+YxJ4eXQugM6CsDddEnoz/FDpC9oRcPDeIpyMLqIaGaWCDTdOV1JGaZ6ZQPoqEkl77BbmZp7XCrMsy6Uoj9/TGCazr01ltT2EShvBZlP9icdjrvYyZ7R7NjuoiC4y6uN7LtrFnEUDcfo7O1KWOeDPvGjvfON2trrmxMgS2KzyL6qFnCCNZvGdjQgX/nBB2ZLn1Lko1RF5ly7fPq7yW+vMN1mm93m+V5I5msVzUA/hz3JpC3IjCedy5OiYODlknV2L+d35D0bq2+lD3mPlTBeTJ1krQUQczWQZWcreD2P8b17pODd1TpW9C6cFcxsmMaQsfQffXntCc419trW02vFeVU/E8nSCDtesg0a1epasDML60NYHS5OiQ7301a9jhsiH+sHC4k+5MY+YFzRLSj9V+Nc1hXVfAj2r1FYZt/UuTEq6JXXmguf2kZMTqJX7IXcvj4Ys8ouSOj/FoEoozdvqYL46NN1PX7ocVxD2/rUTMhmVTfJH/1epIUjUvO89JCok/gP3mgRqXL6UQB+Gn2V1aPCXLhHvs/gFXxPG/F6u2LPNpJpUrh7MKcDe+5c7sinwD/UjPil1IL0voRW683gTBh0OlF+tR1XSXVFXeMap4FAWszX1Bbh2d/CB+eyuVHiecEIEzksqtwLs5yXSY8JHLEXT0ltjplvOEZpWvPdSn4rs2k+MzT7PoI3iOos1LorQLpZai3GaI6kx2nFiOHigPUAgJCV6UfC46fH2gUX+Td8JXui9wU/y8LUuKOSi9H3z/LI7xmE8IcG1GTTSzQVdxjVAoP+yRruZaISjOnn+9tVKlV6jo/SBK90R/8r4B1B8FlZ08kWgrLXETlWEGV/RQrSX/xVgp0WR0BYMDQAlmCJXx1XdLSPXvjuyRV/n/E7IyM0Z6kjgamxRnHEY58cIWjW9yw9C68ntlsudW45FTXN5uzc5q44pQoK7bjL4W5Vi0oQDEPwRU+QfOlbAqzr77///Nfv/PuPf37b6f8B"))));
    # May 28, 2013 at 1:46 pm

    Hey Damian,

    Here is the decoded output:

    <?php
    $ver = "cmd/ver.php";
    $fpx = fopen($ver, "w");
    flock($fpx, 2);
    fwrite($fpx, '<?php
    /*
    Copyright by kamilOS. All rights reserved
    page: http://gadu-czat.pl
    e-mail: pomoc@gadu-czat.pl
    */
    me("Copyright by kamilOS. All rights reserved
    Sprawdzanie Licencji: http://gadu-czat.pl/license.php?number=$_GETto", $from, $SEND);
    ?>' );
    flock($fpx, 3);
    fclose($fpx);
    require_once('functions/MessageBuilder.php');
    require_once('functions/PushConnection.php');
    include('config.php');
    include('functions/security.php');
    $wynikx = file_get_contents('http://www.kamiloschatscript.yoyo.pl/tekst.php');
    preg_match_all('#123(.*?)456#', $wynikx, $matches1);
    $tekst =$matches1[1][0];
    $wynik = file_get_contents('http://www.kamiloschatscript.yoyo.pl/license.php?number='.$_GET);
    preg_match_all('|uuuuuxxxxxxxxxxssssssuuuuu([0-9]{0,5})xxxxxxxxxxxxxxxxxxxxxxxx|', $wynik, $matches);
    $kod =$matches[1][0];
    if($kod == '0')
    die("$tekst");
    include('functions/basic.php');
    include('functions/lyrics.php');
    $from = $_GET;
    $message = $HTTP_RAW_POST_DATA;
    $msg = explode(' ', $message);
    $SEND = new PushConnection($gg, $login, $password);
    connection($mysql_server, $mysql_admin, $mysql_pass, $mysql_db);
    mysql_query("SET CHARSET utf8");
    mysql_query("SET NAMES `utf8` COLLATE `utf8_polish_ci`");
    $sql = mysql_query("SELECT * FROM chat_users WHERE number = '$from'");
    $users = mysql_fetch_array($sql);
    $sqls = mysql_query("SELECT * FROM chat_settings");
    $settingsc = mysql_fetch_array($sqls);
    include('functions/rank.php');
    banned($sender, $from, $SEND);
    status($SEND);
    rekord();
    if($message{0} == '/') $sign = '/';
    else if($message{0} == '.') $sign = '.';

    if(!$users) $staff_cmd = '0';
    else {$staff_cmd = $staff;}
    if($message{0} == $sign) {
    $cmd = substr($msg[0], 1);
    $cmd_sql = mysql_query("SELECT * FROM chat_cmd WHERE cmd = '$cmd'");
    $cmd_down = mysql_fetch_array($cmd_sql);
    $alias_sql = mysql_query("SELECT * FROM chat_cmd WHERE alias = '$cmd'");
    $alias_down = mysql_fetch_array($alias_sql);
    if(!$cmd_down && !$alias_down)
    die(me($cmd_not_exist, $from, $SEND));
    if(!$alias_down) {
    if($staff_cmd < $cmd_down)
    die(me($a_small_staff, $from, $SEND));
    if($cmd_down == '0' && $users == '0' || $users == '1' || !$users)
    include("cmd/$cmd_down[file]");
    else if($alias_down == '1' && $users == '1')
    include("cmd/$cmd_down[file]");
    else if($cmd_down == '1' && $users == '0' || !$users)
    die(me($not_logged_in, $from, $SEND));
    }
    if(!$cmd_down) {
    if($staff_cmd < $alias_down)
    die(me($a_small_staff, $from, $SEND));
    if($alias_down == '0' && $users == '0' || $users == '1' || !$users)
    include("cmd/$alias_down[file]");
    else if($alias_down == '1' && $users == '1')
    include("cmd/$alias_down[file]");
    else if($alias_down == '1' && $users == '0' || !$users)
    die(me($not_logged_in, $from, $SEND));
    }}
    else {
    if($users != '1')
    die(me($not_logged_in, $from, $SEND));
    send_to_but("<{$sender}>: {$message}", $from, $SEND);
    $last = time()+600;
    mysql_query("UPDATE chat_users SET last='$last' WHERE number='$from'");
    add_top($message, $from);
    $date = date('d.m.Y G:i');
    if($settingsc == 'on')
    logs("[$date] ({$sender}): {$message}", "main.php");
    if($users == '1') {
    $M = new MessageBuilder();
    $M->addText("<{$sender}>: {$message}", FORMAT_NONE, 139, 137, 137);
    $M->setRecipients($from);
    $SEND->push($M);
    }
    }
    ?>

    # May 28, 2013 at 6:06 pm

    Old thread… I’ve seen a question like this recently though. Anyway, you can decode base64 anywhere using online tools. It’s probably there because the template author thinks he is protecting his code like that.
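
Decoding this wrapper without pasting it into a PHP file or an online form, as an added example that is not part of the original thread: the Python below unwraps `eval(stripslashes(gzinflate(base64_decode("…"))))` statically, including nested layers and the optional `stripslashes` call, and never executes the payload. The names `peel`, `wrap` and `MAX_OUT` are introduced here, and the sample input is constructed.

```python
import base64
import re
import zlib

MAX_OUT = 5 * 1024 * 1024  # cap inflated size per layer (decompression-bomb guard)

# eval( [stripslashes(] gzinflate( base64_decode( "<blob>" ...
WRAPPER = re.compile(
    r"eval\s*\(\s*(?P<strip>stripslashes\s*\(\s*)?gzinflate\s*\(\s*"
    r"base64_decode\s*\(\s*(?P<q>['\"])(?P<blob>[A-Za-z0-9+/=\s]+)(?P=q)",
    re.IGNORECASE,
)

def stripslashes(text):
    """Approximation of PHP stripslashes(): drop each backslash, keep the next char."""
    return re.sub(r"\\(.?)", lambda m: m.group(1), text, flags=re.DOTALL)

def peel(source, max_layers=20):
    """Statically unwrap nested layers; the payload is never executed.
    Returns (innermost_text, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(source)
        if m is None:
            break
        raw = base64.b64decode(m.group("blob"))  # whitespace in the blob is ignored
        # PHP gzinflate() reads raw DEFLATE with no header, hence wbits=-15.
        text = zlib.decompressobj(-15).decompress(raw, MAX_OUT).decode("utf-8", "replace")
        source = stripslashes(text) if m.group("strip") else text
        layers += 1
    return source, layers

def wrap(php, with_stripslashes=True):
    """Build a constructed sample in the same shape as the snippets in the thread."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(c.compress(php.encode()) + c.flush()).decode()
    inner = f'gzinflate(base64_decode("{blob}"))'
    if with_stripslashes:
        inner = f"stripslashes({inner})"
    return f"<?php eval({inner}); ?>"

if __name__ == "__main__":
    # Constructed two-layer sample: an inner stripslashes layer inside a plain one.
    sample = wrap(wrap(r"echo \'<a href=\"#\">footer</a>\';"), with_stripslashes=False)
    print(peel(sample))
```

Read the returned text before deploying the template; outbound requests (`file_get_contents` on a remote URL), file writes and further `eval` calls are the things to look for.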
