May 4, 2013 at 3:14 pm #44552 lifeiwonder Member
I have a problem editing the footer on my WordPress MagPress theme (Bizom).
I’ve tried many things to get rid of this malicious code, please guys help me.
I don’t know if I’m missing something, but here is my code, which is encrypted with base64:
add_action(‘admin_init’, ‘mytheme_add_init’);
add_action(‘admin_menu’, ‘mytheme_add_admin’);
eval(base64_decode(‘ZnVuY3Rpb24gdGhlbWVfdXNhZ2VfbWVzc2FnZSgpIHsgDQpnbG9iYWwgJHRoZW1lbmFtZSwgJHNob3J0bmFtZTsNCiRya191cmwgPSBnZXRfYmxvZ2luZm8oJ3RlbXBsYXRlX2RpcmVjdG9yeScpOw0KZWNobyAoIjxkaXYgc3R5bGU9XCJ3aWR0aDo4MDBweDsgbWFyZ2luOmF1dG87IG1hcmdpbi10b3A6MzBweDsgcGFkZGluZzoxNXB4OyB0ZXh0LWFsaWduOmNlbnRlcjsgYmFja2dyb3VuZC1jb2xvcjojRkZGRkZGOyBib3JkZXI6NXB4IHNvbGlkICNGRjAwMDA7IGNvbG9yOiMwMDAwMDBcIj4iKTsNCmVjaG8gKCI8ZGl2PjxpbWcgc3JjPVwiJHJrX3VybC9pbWFnZXMvZXJyb3IuanBnXCIgYWx0PVwiRXJyb3JcIiAvPjwvZGl2PiIpOw0KZWNobyAoIjxkaXYgc3R5bGU9XCJmb250LXNpemU6MzBweDsgbGluZS1oZWlnaHQ6IDM2cHg7XCI+PGI+T3Bwcy4uWW91IEhhdmUgTW9kaWZpZWQgVGhlIEZvb3RlciBMaW5rcy4uVGhpcyBUaGVtZSBJcyBOb3cgRGVhY3RpdmF0ZWQhPC9iPjwvZGl2PiIpOw0KZWNobyAoIjxkaXYgc3R5bGU9XCJmb250LXNpemU6MTJweDtcIj48Yj5UaGlzIFRoZW1lIElzIFJlbGVhc2VkIEZyZWUgRm9yIFVzZSBVbmRlciBDcmVhdGl2ZSBDb21tb25zIExpY2VuY2UuIEFsbCBMaW5rcyBJbiBUaGUgRm9vdGVyIE11c3QgUmVtYWluIEludGFjdCBBUyBJUy4gUGxlYXNlIEFwcHJlY2lhdGUgVGhlc2UgU3VwcG9ydGVycyBFZmZvcnQgSW4gUHJvdmlkaW5nIFlvdSBUaGlzIEdyZWF0IFRoZW1lIEZvciBGcmVlLjwvYj48L2Rpdj4iKTsNCmVjaG8gKCI8ZGl2IHN0eWxlPVwiZm9udC1zaXplOjE5cHg7IHBhZGRpbmctdG9wOjIwcHg7XCI+PGI+UGxlYXNlIEZvbGxvdyBUaGVzZSBTdGVwcyBUbyBSZXN0b3JlIFRoZSBGb290ZXI6PC9iPjwvZGl2PjxvbCBzdHlsZT1cIm1hcmdpbjowOyBwYWRkaW5nOjIwcHg7IHRleHQtYWxpZ246bGVmdDtcIj48bGk+UGxlYXNlIHJlZG93bmxvYWQgPGEgaHJlZj1cImh0dHA6Ly93d3cubWFncHJlc3MuY29tL3dvcmRwcmVzcy10aGVtZXMvJHNob3J0bmFtZS5odG1sXCIgdGFyZ2V0PVwiX2JsYW5rXCI+JHRoZW1lbmFtZSBUaGVtZTwvYT4gZGlyZWN0bHkgb24gb3VyIHdlYnNpdGUuPC9saT48bGk+RGVsZXRlLCB1cGxvYWQgYW5kIGFjdGl2YXRlIHRoZSB0aGVtZSBhZ2Fpbi48L2xpPjxsaT5GaW5hbGx5LCByZWZyZXNoIHlvdXIgcGFnZSB0byBnbyBiYWNrIHRvIHlvdXIgaG9tZXBhZ2UuPC9saT48L29sPjwvZGl2PiIpO30NCmZ1bmN0aW9uIGNoZWNrX3RoZW1lX2Zvb3RlcigpIHsgDQokbCA9ICc8YSBocmVmPSJodHRwOi8vd3d3Lm1hZ3ByZXNzLmNvbS93b3JkcHJlc3MtdGhlbWVzL2Jpem9tLmh0bWwiPkJpem9tIFdvcmRQcmVzcyBUaGVtZTwvYT4gQnkgPGEgaHJlZj0iaHR0cDovL2ZyZWViaW5nb25vZGVwb3NpdC5uZXQvIj5mcmVlYmluZ29ub2RlcG9zaXQubmV0PC9hPic7DQokZiA9IGRpcm5hbWUoX19maWxlX18pIC4gIi9mb290ZXIucGhwIjsNCiRmZCA9IGZvcGVu
KCRmLCAiciIpOw0KJGMgPSBmcmVhZCgkZmQsIGZpbGVzaXplKCRmKSk7DQpmY2xvc2UoJGZkKTsgaWYgKHN0cnBvcygkYywgJGwpID09IDApIHsNCnRoZW1lX3VzYWdlX21lc3NhZ2UoKTsgZGllOyB9fQ0KZnVuY3Rpb24gY2hlY2tfdGhlbWVfaGVhZGVyKCkgeyANCmlmICghKGZ1bmN0aW9uX2V4aXN0cygiZnVuY3Rpb25zX2ZpbGVfZXhpc3RzIikgJiYgZnVuY3Rpb25fZXhpc3RzKCJ0aGVtZV9mb290ZXJfdiIpKSkgeyB0aGVtZV91c2FnZV9tZXNzYWdlKCk7IGRpZTsgfX0NCmZ1bmN0aW9uIGZ1bmN0aW9uc19maWxlX2V4aXN0cygpIHsNCmlmICghZmlsZV9leGlzdHMoZGlybmFtZShfX2ZpbGVfXykgLiAiL2Z1bmN0aW9ucy5waHAiKSB8fCAhZnVuY3Rpb25fZXhpc3RzKCJ0aGVtZV91c2FnZV9tZXNzYWdlIikgKSB7IHRoZW1lX3VzYWdlX21lc3NhZ2UoKTsgZGllOyB9fQ0KYWRkX2FjdGlvbignd3BfaGVhZCcsICdjaGVja190aGVtZV9oZWFkZXInKTsNCmFkZF9hY3Rpb24oJ3dwX2hlYWQnLCAnZnVuY3Rpb25zX2ZpbGVfZXhpc3RzJyk7DQpjaGVja190aGVtZV9mb290ZXIoKTs=’));?>
May 4, 2013 at 4:20 pm #134080 __ Participant
Take that line and replace the word `eval` with `print`. That’ll show you the raw code they’re eval’ing.
You say it is “malicious,” what is it doing? It looks like the author is simply trying to force you to have a link to his site in your footer. How is this theme licensed? Are you required to keep the links?
My recommendation, in any case, would be to dump the theme and be very verbal in your criticism of the author. There is no legitimate reason to obfuscate code like this. Even if this particular code is not malicious, it is Not A Good Thing.
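The `eval` to `print` swap described in the post above can also be done statically, so the hidden code is only ever read as text. The following is an added example, not part of the original posts: the function name `unwrap`, the sample payload and the `theme-vendor.example` URL are constructed for illustration, and the scan also follows nested layers, which goes beyond the single layer seen in this thread.

```python
import base64
import re

Q = "['\"\u2018\u2019\u201c\u201d]"  # straight or curled quotes (forums often curl them)
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*" + Q + r"([A-Za-z0-9+/=\s]+)" + Q + r"\s*\)\s*\)",
    re.IGNORECASE)
HOOK = re.compile(r"add_action\s*\(\s*'([^']+)'\s*,\s*'([^']+)'")
URL = re.compile(r"https?://[^\s'\"<>\\]+")
RISKY = re.compile(r"\b(eval|system|exec|shell_exec|passthru|curl_exec|fsockopen)\s*\(", re.I)

def unwrap(php_source, max_depth=5):
    """Decode each eval(base64_decode('...')) layer as text; no PHP is executed."""
    layers, pending = [], [(php_source, 1)]
    while pending:
        text, depth = pending.pop()
        for match in EVAL_B64.finditer(text):
            blob = re.sub(r"\s+", "", match.group(1))  # pasted blobs get line-wrapped
            try:
                code = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:
                continue  # malformed base64: leave it for manual review
            layers.append({
                "depth": depth,
                "code": code,
                "hooks": HOOK.findall(code),   # WordPress actions the hidden code registers
                "urls": URL.findall(code),     # links or endpoints it references
                "risky_calls": sorted({c.lower() for c in RISKY.findall(code)}),
            })
            if depth < max_depth:  # hidden code may itself wrap another layer
                pending.append((code, depth + 1))
    return layers

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample modelled on the snippet in this thread; not the theme's real payload.
INNER = "add_action('wp_footer', 'second_stage');"
OUTER = ("function check_theme_footer() { "
         "$l = '<a href=\"http://theme-vendor.example/bizom.html\">Theme</a>'; "
         "if (strpos(file_get_contents(dirname(__FILE__) . '/footer.php'), $l) == 0) { die; } } "
         "add_action('wp_head', 'check_theme_footer'); "
         "eval(base64_decode('" + b64(INNER) + "'));")
SAMPLE = ("<?php add_action('admin_init', 'mytheme_add_init');\n"
          "eval(base64_decode(\u2018" + b64(OUTER) + "\u2019));?>")

if __name__ == "__main__":
    for layer in unwrap(SAMPLE):
        print(layer["depth"], layer["hooks"], layer["urls"], layer["risky_calls"])
```

An `eval` entry in `risky_calls` on a decoded layer means the hidden code wraps yet another layer, which is worth reading before the theme is activated.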
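May 4, 2013 at 4:56 pm #134085 lifeiwonder Member
```php
// Prints the "theme deactivated" notice (markup restored from the base64 payload above).
function theme_usage_message() {
    global $themename, $shortname;
    $rk_url = get_bloginfo('template_directory');
    echo ("<div style=\"width:800px; margin:auto; margin-top:30px; padding:15px; text-align:center; background-color:#FFFFFF; border:5px solid #FF0000; color:#000000\">");
    echo ("<div><img src=\"$rk_url/images/error.jpg\" alt=\"Error\" /></div>");
    echo ("<div style=\"font-size:30px; line-height: 36px;\"><b>Opps..You Have Modified The Footer Links..This Theme Is Now Deactivated!</b></div>");
    echo ("<div style=\"font-size:12px;\"><b>This Theme Is Released Free For Use Under Creative Commons Licence. All Links In The Footer Must Remain Intact AS IS. Please Appreciate These Supporters Effort In Providing You This Great Theme For Free.</b></div>");
    echo ("<div style=\"font-size:19px; padding-top:20px;\"><b>Please Follow These Steps To Restore The Footer:</b></div><ol style=\"margin:0; padding:20px; text-align:left;\"><li>Please redownload <a href=\"http://www.magpress.com/wordpress-themes/$shortname.html\" target=\"_blank\">$themename Theme</a> directly on our website.</li><li>Delete, upload and activate the theme again.</li><li>Finally, refresh your page to go back to your homepage.</li></ol></div>");
}

// Reads footer.php and halts the site if the attribution links are not found.
function check_theme_footer() {
    $l = '<a href="http://www.magpress.com/wordpress-themes/bizom.html">Bizom WordPress Theme</a> By <a href="http://freebingonodeposit.net/">freebingonodeposit.net</a>';
    $f = dirname(__file__) . "/footer.php";
    $fd = fopen($f, "r");
    $c = fread($fd, filesize($f));
    fclose($fd);
    // strpos() returns false when the link markup is missing, and false == 0.
    if (strpos($c, $l) == 0) { theme_usage_message(); die; }
}

// Halts the site if the companion check functions have been removed.
function check_theme_header() {
    if (!(function_exists("functions_file_exists") && function_exists("theme_footer_v"))) { theme_usage_message(); die; }
}

function functions_file_exists() {
    if (!file_exists(dirname(__file__) . "/functions.php") || !function_exists("theme_usage_message")) { theme_usage_message(); die; }
}

add_action('wp_head', 'check_theme_header');
add_action('wp_head', 'functions_file_exists');
check_theme_footer();
```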
That’s it, traq, thank you for your time. And by the way, I don’t have money to buy the theme. Please, if you could help do it, I count on this website revenue … I don’t even have a paid domain name or hosting.
May 4, 2013 at 6:08 pm #134092 CrocoDillon Participant
Odd way to obfuscate code like that… everyone and their mother can decode base64.
Why is leaving the attribution in the footer not an option?
May 4, 2013 at 9:13 pm #134101 __ Participant
> I don’t have money to buy the theme
That’s beside the point. Regardless of how you or I feel about sneaky-looking code, if you don’t intend to abide by the terms of this theme’s licence, then you **should not use it**. Just because I don’t agree with obfuscating code and man-handling clients into obeying license terms doesn’t mean that I think it’s *remotely* acceptable to try and circumvent them.
In showing you how to see this code (I’d already decoded it, I knew what it did), I wanted you to be able to confirm that – however “crappy” – there was no “malicious” code hidden inside. I **do not approve** of ignoring copyrights and violating licenses, and I will not assist anyone in doing so.
It looks like the author of the theme is releasing his code under a CC-BY license. That makes it free and open-source, so long as you include attribution to the original author (i.e., the links in the footer). The Creative Commons licenses **are** legally binding and you could be setting yourself up for trouble, especially since you are going to such efforts to break the license terms.
> I count on this website revenue
That doesn’t help your argument. Quite the opposite.
May 4, 2013 at 9:48 pm #134105 chrisburton Participant
I would vote to close this discussion as the user is clearly trying to find a loophole in breaking the EULA.
- The topic ‘Encrypted code base64 Problem [Closed]’ is closed to new replies.