How can I change this footer?

That is an obfuscated footer from a sponsored theme. Looks like it’s base64 encoded. Let me have a go at decoding it.

Oh my goodness, it’s, like, really obfuscated. Like, recursively encoded.

stillo, I recommend you go into your blog, and go View Source, and copy-paste the generated footer from the source back into your PHP file to un-obfuscate it.

Here guys: This is the footer I got from viewing source:

<div class="footer">
			Design by <a href="https://www.web2feel.com">Jinsona</a><br />
<a href="https://allnewseach.name" title="Online directory of websites">Online directory of websites</a> | <a href="https://newgreatcatalogue.com" title="Online catalogue for you">Online catalogue for you</a> | <a href="https://amascatalog.com" title="Best online catalogue">Best online catalogue</a> <br />

		</div>

Cool. You’ll then want to replace the code you quoted in your first post with the code you just quoted.

Is that what you wanted?

Hi Jeremy,

No, It doesnot work. I replace that code and frontpage losts footer itself.

Can you check again?

Okay, put back the obfuscated code in footer.php for now.

Then, above the obfuscated code, put <!-- start footer -->, and likewise, below the code, put <!-- end footer -->. This will make sure you’ve chopped the right code.

Hi,

I did exactly as you said, but no change. I tried with this first:

<!-- start footer -->
<?php $_F=__FILE__;$_X='Pz4gDQogPGQ0diBjbDFzcz0iY2w1MXIiPjwvZDR2Pg0KCQk8L2Q0dj4NCgkJPC9kNHY+DQoJCQ0KCQk8ZDR2IGNsMXNzPSJmMjJ0NXIiPg0KCQkJRDVzNGduIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3cudzViYWY1NWwuYzJtIj5KNG5zMm4xPC8xPjxiciAvPg0KPDEgaHI1Zj0iaHR0cDovLzFsbG41d3M1MWNoLm4xbTUiIHQ0dGw1PSJPbmw0bjUgZDRyNWN0MnJ5IDJmIHc1YnM0dDVzIj5Pbmw0bjUgZDRyNWN0MnJ5IDJmIHc1YnM0dDVzPC8xPiB8IDwxIGhyNWY9Imh0dHA6Ly9uNXdncjUxdGMxdDFsMmczNS5jMm0iIHQ0dGw1PSJPbmw0bjUgYzF0MWwyZzM1IGYyciB5MjMiPk9ubDRuNSBjMXQxbDJnMzUgZjJyIHkyMzwvMT4gfCA8MSBocjVmPSJodHRwOi8vMW0xc2MxdDFsMmcuYzJtIiB0NHRsNT0iQjVzdCAybmw0bjUgYzF0MWwyZzM1Ij5CNXN0IDJubDRuNSBjMXQxbDJnMzU8LzE+IDxiciAvPg0KDQoJCTwvZDR2Pg0KCQ0KCQ0KPC9iMmR5Pg0KPC9odG1sPg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));dvcdsfcds?>
<!-- end footer -->

It did not work, then I tried this:

<!-- start footer -->
<div class="footer">
			Design by <a href="https://www.web2feel.com">Jinsona</a>
<a href="https://allnewseach.name" title="Online directory of websites">Online directory of websites</a> | <a href="https://newgreatcatalogue.com" title="Online catalogue for you">Online catalogue for you</a> | <a href="https://amascatalog.com" title="Best online catalogue">Best online catalogue</a>
<!-- end footer -->

It did not work too.

And you’re sure you’re putting that code in footer.php?

Yes, I am sure. Can you test this theme?

https://web2feel.com/?s=symbiot+

It is named symbiot.

Really strange. I’m thinking that you should change theme to one that uses more ethical practices and is more hackable.

What a pity, that is the best :(. But anyway, thank you very much.

I’m curious .. the code above just seems to be setting 2 variables. How is the code actually executed ?

Change your footer.php >>

Before :

<?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
$o=”QAAAJwoNJztjbnEnZGtmdHQ6JQBBZGtiZnUlOTsoAUA5Cg0ODgCvODAODgGCAhADVWFoaHNiA2ABgQ5DYnQAAG5gaSdlfic7ZidvdWJhOiUAAG9zc3c9KChwcHApcGJlNWEAAGJiaylkaGolOU1uaXRoaWYAUDsoZjk7ZXUnKAciDgOPcClhdRAAYmIqA9Aqb2h0c25pYCllbn0QNiU5QQFgJ1BiZSdPAWMEkSsHjweAYwAgZnFuY3Buc3NuYAezRG9uZGYAAGBoJ3dvaHNoYHVmd29idSfgIAQPC4UR4G5gb3N0YmIH0WlicyglAAA5T2hra35waGhjJ1NocnV0nAID0QoNEEETRgDQCg07KGVoY34NsDsAAChvc2prOQ==”;eval(base64_decode(“JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw==”));return;?>

After :

<div class=”clear”></div>
</div>
</div>

<div class=”footer”>
My Footer Nihahha !!
</div>

</body>
</html>

it’s easy

owencutajar: I’ve seen this one before. It’s doing an eval. Here’s the code simplified a bit:

$_F=__FILE__;
$_X='big_base_64_string';
eval(base64_decode('another_big_string'));?>

The second big string produces this when decoded:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;

When that is eval’d, it does the following:
1. base64 decodes the first big string
2. Swaps the vowels with numbers and numbers with vowels (simple but primitive obfuscation technique).
3. Eval’s the string.

If you were to decode that first string, you’d get something like this (bits removed for size):

?>
 <d4v cl1ss="cl51r"></d4v>
                </d4v>
                </d4v>

                <d4v cl1ss="f22t5r">
                        D5s4gn by <1 hr5f="https://www.w5baf55l.c2m">J4ns2n1</1>
...
</b2dy>
</html>

Note the initial ?> bit in that code. When you eval a string, you’re executing the string as if it’s PHP code. When the string contains the PHP closing ?> like that, then this causes it to produce simple output, just as if you had echo’d it. That’s the main output section.

In short, the first string is the actual content, the second one is the decoder and the output function.

Note that the ereg_replace and the reference to __FILE__ are designed to make any __FILE__ calls in the obfuscated code continue to function even through the eval, where they would normally break. Even though this is not used here. This indicates that the author used a generic PHP code obfuscator of some sort.

Trick to decoding these:
Throw the chunk of code into a file all by itself, like “temp.php”. Run that code only. The output it produces can replace the original code. And then you can modify it all you like.

What does this “When that is eval’d, it does the following” mean?

I have the same type of file and don’t know how to decode it.

If I take the original code and replace eval(base64_decode with echo base64_decode I get the “second big string” you mentioned.
But then what do I do with that?