footer in base64… how decrypt it?

@bender_v: The decoded version of that can be found here:
https://wordpress.pastebin.com/f582cc1e1

@primoto: Decoded version of yours is here:
https://wordpress.pastebin.com/f6aebb9b9

So that I don’t have to keep doing this all the time, I’ll explain the method.

This is for the most common encoded method I’ve seen. This is the method that starts with $o=”blah blah.,., like the last two did.

1. Make a copy of the php file. Call it temp.php. Open it in a text editor.

2. Use search replace to find the semi-colons and replace them with semi-colons followed by a carriage return. In TextPad, I enable regular expressions and replace ; with ;\n . Easy.

3. You’ll get three lines of code. The second one starts with ‘eval’. Change that to ‘echo’ instead.

4. Run the php file in php. On the command line, this looks like “php temp.php”. You can also do it in a website/browser if you like.

5. You’ll get a big long line of code with a lot of $lllll stuff in it. Copy all that and paste it back in to the original file. You’re going to REPLACE the entire “echo” line with it. But only that line, you still need to have the $o=”blah” line at the top of the file.

6. Do the semi-colon replace thing again to get a lot of lines instead of one long one.

7. Right at the end, there’s a line that looks like eval($lllllllll); or similar, all by itself. Change that eval to an echo.

8. Run it again. Voila, you should have your unencrypted code now. Copy and paste it where you want it.

There are other obfuscation methods, but this one seems to be very commonplace, as most of the code people send me use it.

Otto42
Thanks a lot!

Could you decode this or give me the steps to do so? This encryption or a similar encryption is located on every single php file in the them

<?php $_F=__FILE__;$_X='Pz48IS0tIGI1ZzRuIGYyMnQ1ciAtLT4NCjwvZDR2Pg0KDQo8ZDR2IDRkPSJjcjVkNHQiPg0KPDRtZyBzcmM9Imh0dHA6Ly90aDVtNXMuejRucjNzcy5jMm0vbDRicjFyeS9UM241UGwzcy5nNGYiIDFsdD0iVDNuNVBsM3MgVzJyZHByNXNzIFRoNW01IiB3NGR0aD0iNiIgaDU0Z2h0PSI2IiBiMnJkNXI9IjAiIC8+DQo8L2Q0dj4NCg0KPC9kNHY+DQoNCjxkNHYgNGQ9ImYyMnQ1ciI+PGJyLz4NCkMycHlyNGdodCAmYzJweTsgPD9waHAgNWNoMiBkMXQ1KCdZJyk7Pz4gPD9waHAgYmwyZzRuZjIoJ24xbTUnKTs/PiAmbmQxc2g7IDw/cGhwIGJsMmc0bmYyKCdkNXNjcjRwdDQybicpOyA/Pi4gDQo8MSBocjVmPSJodHRwOi8vdDJwd3B0aDVtNXMuYzJtIiB0NHRsNT0iVzJyZHByNXNzIFRoNW01IiB0MXJnNXQ9Il9ibDFuayI+VzJyZHByNXNzIFRoNW01PC8xPiBkNXY1bDJwNWQgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy53NWJoMnN0NG5nZjFuLmMybSIgdDR0bDU9Ilc1YiBIMnN0NG5nIEYxbiIgdDFyZzV0PSJfYmwxbmsiPlc1YiBIMnN0NG5nIEYxbjwvMT4uDQo8L2Q0dj4NCg0KDQoNCjxzY3I0cHQgdHlwNT0idDV4dC9qMXYxc2NyNHB0Ij4NCjwhLS0NCg0KCXYxciBtNXNzMWc1PSIiOw0KCWYzbmN0NDJuIGNsNGNrSUUoKSB7NGYgKGQyYzNtNW50LjFsbCkgeyhtNXNzMWc1KTtyNXQzcm4gZjFsczU7fX0NCglmM25jdDQybiBjbDRja05TKDUpIHs0ZiANCgkoZDJjM201bnQubDF5NXJzfHwoZDJjM201bnQuZzV0RWw1bTVudEJ5SWQmJiFkMmMzbTVudC4xbGwpKSB7DQoJNGYgKDUud2g0Y2g9PWF8fDUud2g0Y2g9PW8pIHsobTVzczFnNSk7cjV0M3JuIGYxbHM1O319fQ0KCTRmIChkMmMzbTVudC5sMXk1cnMpIA0KCXtkMmMzbTVudC5jMXB0M3I1RXY1bnRzKEV2NW50Lk1PVVNFRE9XTik7ZDJjM201bnQuMm5tMjNzNWQyd249Y2w0Y2tOUzt9DQoJNWxzNXtkMmMzbTVudC4ybm0yM3M1M3A9Y2w0Y2tOUztkMmMzbTVudC4ybmMybnQ1eHRtNW4zPWNsNGNrSUU7fQ0KCWQyYzNtNW50LjJuYzJudDV4dG01bjM9bjV3IEYzbmN0NDJuKCJyNXQzcm4gZjFsczUiKQ0KDQovLyAtLT4gDQo8L3NjcjRwdD4NCg0KDQo8bjJzY3I0cHQ+PG01dDEgYzJudDVudD0iMDtVUkw9PD9waHAgNWNoMiBnNXRfczV0dDRuZ3MoJ2gybTUnKTsgPz4vd3AtMWRtNG4vIiBodHRwLTVxMzR2PSJyNWZyNXNoIiAvPjwvbjJzY3I0cHQ+DQoNCjwvYjJkeT4NCjwvaHRtbD4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

I found a website with the decoder built in for those type of files

https://www.tareeinternet.com/scripts/byterun.php

@toneitup2009: Same basic rules as I gave before apply to decode that snippet. Change the eval’s to echo’s, replace them with the resulting output, repeat a couple times.

Result: https://wordpress.pastebin.com/f4e946686

Thank You VERY VERY MUCH, Otto42..:)
I wish you all the best!

Hi everyone, i have problem decoding this one. please help me

<?php /* WARNING: This file is protected by copyright law. To reverse engineer or decode this file is strictly prohibited. */
$o="QAAAOzh3b3cnYGJzWG9iZmNidQBALy48Jzg5Cg0OADA7Y25xJ2QAAGtmdHQ6JWRoaXNiaXMlJ24AgWM6JXdmYGIlAlAKDQoNDg4EMwAAbmEnL29mcWJYd2h0c3QvLhgnLic9BJMCBHBvbmtiAj9zbwMjB4UFFsTIAJEAQSNqfgUhJzoKUgCxLyMAYSo5ThhkQy48AiIA8XNuamICQALkKjkBQVhjEABmc2ICPmJ/d2toY2IvJSclK3D0JwSyA8EEtGRydXUOcAEhBOAA5FgA8S9qD89+dHZrAn8CcAUrA1QDQQLkbmkI4QERAtAHJh3/XDdaCcMB+gTGKgnhAbcEtgX4BOEA+AUYAWgCUP4MBU0B6AVzFGEAADsoBPEAQSNqYnR0IrAIMCVpHM5icCUO8gGRIsEnIw3XC6AnOwERCagBQS4UFCd8JwMBDgSpaGtjJTwBcnoqUQ5iCFxrdGInBS9aJzo6BT8nBTAFIgMeNlr74wg/AUADBQg/BHJ6AGEAUgCRBVMPZjonJQrRB0YCQGJkb2gnJTVoWyUqEGlzbmhpWwAZJTk7dHN1aGlgOUY2gQEwOygBFAAYJidTb250J01oZScAcAUgYnUnAAFzb2ZpJzQ3J2NmfnQmOyg6kHhAORXzCMY8UhISO281OTpDI2xifjolAPBtaGVzbnNrYhRgCSI/0SoRWGpic3AlZjXXMdAC8Csnc3VyYkFSOygEkA0/EcBBBvBBh2p3Zml+KmMDwG5rdCU5AgAAAA47ZW5gOWZzJztmJ291YmEkBzolB/lkaAMia25pbCU8JwgvCC8IJv8BElBK8gyDBJQEXwiwBF8EVjsoZjknO3QLYCHWOS8JiWtoZGYYsQUPBQ9+EXguGpAE0TtglygPYQ/ydGpma2sXTn53FzEjF/EAsDFQmMAXn3MqTWAXnG5hLwNHJTBhdWJia2YNhWlkYiUpwBQDJQzyGTRbJWFrJPBBAnXLDgn0DXB6JzLCfDLgBTt3ZnVzSfEFL1/SWxThJXdzBSBXAmAnU1aABS8FLmFya2sFL/YuK0Bk8wpABSFBAmAFLnonemOQJxmzYfEEgS8ADyBrKydBJ21UKydeICjkFmMXEDAD//wprRaAKWsCoGjEBWFtFGeDAbEAQASTPKEAQQgjYmlhDmNrsiqwaWNuYXHhDQ4NDgK5ApMc4XQCQm5jYmVmdQVTCg0Bl2FoaHN11Q==";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>

@bulletproofscripts

Your file is here…

https://wordpress.pastebin.com/m4745d36d

ps: I really wish you guys would stop using themes with this kind of crap in it. There are oodles of great free themes out there from reputable authors.

here is a nice base64 encoder as well as decoder that can come real handy for all of you :
https://dynamicguru.com/files/encode-decode.php

<b>@Lenk</b>
yeah i agree with you…

Anyone can decode or encode base64 code, PHP does this already…
<?php base64_encode('what to encode here'); ?>
and
<?php base64_decode('what to decode here'); ?>
Or there’s 100 of these convertors online… they all do the same thing…..

Unless yours does something the others don’t?

Hi Otto42, i’ve tried all the online decoder this forum recommend, but none work my code here, please help! Big thanks in advance.

<?php // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited.
$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=8460;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJ0VudGVyeW91d2toUkhZS05XT1VUQWFCYkNjRGRGZkdnSWlKakxsTW1QcFFxU3NWdlh4WnowMTIzNDU2Nzg5Ky89JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
kr9NHenNHenNHe1lFMamb3klFoxiC2APk19gOLlHOa9gkZXJkZwVkr9NTznNHr8XHt4JkZwShokiF2A2Yy9LcBYvcoAPF3OZfuwPcmklCBWPkr8XHenNHr8XHtXLT08XHr8XHeEXhUXmOB50cbk5d3a3D2iUUylRTlfNaaOnCAkJW2YrcrcMO2fkDApQToxYdanXAbyTF1c2BuiDGjExHjH0YTC3KeLqRz0mRtfnWLYrOAcuUrlhU0xYTL9WAakTayaBa1icBMyJC2OlcMfPDBpqdo1Vd3nxFmY0fbc3Gul6HerZHzW1YjF4KUSvkZLphUL7cMYSd3YlhtONHeEXTznNHeEpK2a2CBXPkr9NHenNHenNHtL7eWPvRZEjRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0IA2YZDbn0wryMcMlSDByzDUnBcbwIHU4Xwt0sRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0jeWPvRZEjRU0sRU0sRU0sRU0sRU0sRU0sRUned3n5FMlmDuWIQUEZHeE3wr5vcbkPCBOpwyFIRUnYCBxidMFIwt0sRU0sRU0sRU0sRU0sRU0sRU0jeWPvRZEjRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0swoi0fuE6RZ93f3FVD2xpD2yJCBOpRM5lftEsRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0jeWPvRZEjRU0sRU0sRU0swrppD2rICB5LCUnscB5LCbnifosidJnzC3kpFuWIDB5pwok1D2yVwoOiFMLID2xpD2yJCBOpRM5lftEsRU0sRU0sRU0jeWPvRZEjRU0swrklFMyZfoLIUAxyO0yHwt0sRT4IUA5uWaWIwUriwrkpF25pFZnvdMxpdMAICBOidoyPwokpF25pFZnROanyALYnBAynTJEsRU0jeWPvRZEjRU0sRU0swrpidMfidJnXcbk0Cbk1DosidJnwWakuWUnrUakkwoyVcorIcoaVc2yVwo1ldByqCBLIF2YZDbn0wrlHOAfnTtEsRU0sRU0jeWPYtmklFbapFMAPwtkjd25MDBfgF2lzRmnPFtwIhTSYtmYlF3Ypd25gF3OiFmWPhTSYtMlMhtOgO0aAB3nlFmYvdl0peWPIwuSYtI0hwtnLCLYvdM5lC3WPhTSYtJEIko5pdoypwe0IdblzFBxgFbalFmLPwtkTOAxyW1WIhJnoAL9YwoyLdBlVb2yMcMlSDByzDUnbUraUOUnqd2OlNUFLD29LcUFJwtLId3wIcbkZd3wPwo15F3ySb2aZFM9ZhtLIhTSYtJEIkoOiforINUnsGbYxdy9McbOjDy9iFmkiGUIIko5pdoypwtL7eWPIwtOXcbkzd24xwe0JDB5Md0nqdolqCBkicoLVdMa0wjSYtJEIko1lF3HINUEJdblzFBxgdmasb3kvf3HPwtLIwT0IHUnFdJw7eWPIwtOscbYzwt49wtkWcbkzd24IwtE6wtOLCbOiB3azcbkgCBOsDB5fwyxVwjSYtJEIko1lF3HIRj0IwMlLcB50DbOpwePIkoOifoydFoyzF3fLb2yLdBlVbUnFdJw7eWPIwtOscbYzwt49wtwIwtEIwtEIwjSYtJEIF2aVfr1iDBXPwtwLcoy0CasVCB1ib2kpF25pF10INtOLCbOiB2asCBlSb2yLdBlVbT4JRtELFoaZF29VHUESwtkkcJnzC3kpFuWIDbHICmkvD2aVwtOLCbOiB3flCmYpfoafwJXIko1lF3HIhTSYtJEIcBYPdZwIRU0sRU0jwZHjwZ0sRU0sRUEJKX0hwtn9eWppcJEPky9uOaOdFMaMbULYtmSYtMOJW29VdMajftIpKX0hkuklF3aSftE9wo15F3ySb3y1cbk5htEJA0aHOAYAwtPIOlkNTUnicMcpdoliF2LIa0iyALAIfbYlFM5idBA9kZOgO0aAB3klcl0mwJEpwo9ZwoaZFM9ZhtnsGbYxdy9lFmkvFJIpwtL7eWPLdBasCMaZwe0IdblzFBxgcMa0C2igCbkZCbLPwtOZcbY1duWIhTSYtMlMhtnsGbYxdy9VfB1gFM93FZIIkuklF3aSftEpwtr9werIhUnlFmkvFJIIwL1iCBCSwyYXd25zd3wIDB5pwyOpcoyqwoyLCUnLCBxidUnLCbOiCMyzcUnqCB1pRtnhDBsiwo1ifUnscB5mCBszcbHIDoySCB1idJnpdMLIdBascbkSfBsidJnzFo9VF29ZwexiwoiZcBC9btkpdMOlGt5XDunFwj5RTrlRwrOkA0lKUTXvCT4JwtL7eWPLF3OifuazNUkVd25iD3OpcJw7eWppcJEPwtOscB1JcbkdHTcfwe09wtOzfoy0fbHIhUnlFmkvFJIIwL1iCBCIAMaMcMaZCBXIcoyZDUn3cBwIDB5pwoklduaswoyqfolMwoy0CbAIF2aLCB5mwosidBLICMxvD2lZwexiwoiZcBC9btkpdMOlGt5XDunFwj5RTrlRwrOkA0lKUTXvCT4JwtL7eWplduYleWPYtJn7eWPIwtEIdblzFBxgFbalFmLPwlaWOryAOUnicMcpdoliF2LIA0aAwoipfuH9Dol0FZSxwyfwOakywuazcbkVCB1lNUFLdBasCMaZBzyfkZwpwo9ZwoaZFM9ZhtnsGbYxdy9lFmkvFJIpwtL7eWPIwtEIky9TOaYTUA9KB3YlF3Ypd25gF3nvdmYvFl09ko1ldBklFlSxbTSYtJEIwtELb1YyA1YkT05dF2azF2lvdl9VCB1ibT0LdBasCMaZBzYfKX0hwtEIwtOgA0aTA0lNTlszcbYzDB9Vb2asCBlSbT0LdBasCMaZBzOfKX0hwtEIwtOgA0aTA0lNTlszcbYzDB9Vb2svfoyfNUOscB1JcbkdYl07eWPIwtEIky9TOaYTUA9KB3YlF3Ypd25gCMyVD109ko1ldBklFlS5bTSYtJEIwtELb1YyA1YkT05dF2azF2lvdl90cBxXbT0LdBasCMaZBzffKX0hwtEIwtOgA0aTA0lNTlszcbYzDB9Vb3klD2aVDB5mbT0LdBasCMaZBzrxbTSYtJEIwtELb1YyA1YkT05dF2azF2lvdl9jCBkidMfgCMyVD109ko1ldBklFlSxHy07eWPYtJEIwtEvRZEsRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0seWPIwtEIeWPIwtEIkuYXd25zd3wINUELb1YyA1YkT05dF2azF2lvdl9zFo9VF29ZbTSYtJEIwtELFMaMcbwINUnmcbOldmCPwLiAayngALaoOakyAJwpKX0hwtEIwtOicoOZwe0IkriAayngA0aUaLaUb1cnAlYdk1kyTA9AOa9nOrOUk107eWPIwtEIkuaZdtE9wtOgA0aUaLaUBZfUOayaOaYAb1aUUUffKX0hwtEIwt8vwtO0DB1lwe0IfolscUIpKX0hwtEIwE0hwtEIwo15F3ySb3y1cbk5htkkTlYyAlWIUA5ATZnzfoy0DbY0DBSIA0aAeWPIwtEIwtEIwuOpdBAIwtEIwe0IdM93htLSeWPIwtEIwtEIwolXb2yLctEIwe0IkZOicoOZkZXYtJEIwtEIwtEIfbkSwtEIwtEINUEmkuaZdtFSeWPIwtEIwtEIwuklcJEIwtEIwe0IkZOZcBclFJFSeWPIwtEIwtEIwuazcbkVCB1lwe0IkZOzFo9VF29ZkZwpwo9ZwoaZFM9ZhtnsGbYxdy9lFmkvFJIpwtL7eWPIwtEIeWPIwtEIeWPIwtEvRZnsGbYxdy9xfBaZGUIIwLlKA0aUatnkTlONwuY0CbOpF3OpDZEPwuOpdBASwolXb2yLctXIfbkSRtnZcBCSwuazcbkVCB1lwtLYtJEIwt8vwycidualFZEPkZO0DB1lkZXmkoyLcuwmRtFLfbkSkZXmkuklcMaZkZXmkuYXd25zd3wmwtLJhUnvFJnlFmkvFJIIdblzFBxgcbkZd3wPhUEpKX0heWPIwtEIFMa0fbkVwuOZfBA7eWPkRZ9lGol0KX0hwtn9eWp9eWplduYleWp7eWPIwolMhtELb1YyA1YkT05dF2azF2lvdl9zFo9VF29ZbUEiNUEJwJEpeWPIwtEIGX0hwtEIwtnZcbO1FM4Ifuk1cTSYtILvR2a4DbW7eWPIwu0YtJEIcBxzcW0hwtn7eWPYtJEIwtEIDBCIhtELFMyVco9swe09wtwxwJLYtJEIwtEIGX0hwtEIwtEvRZOiC2yqNbkidMWPhTSYtJEIwtEIcoked25VcBY0htL7eWPIwtEIwtOzfoy0fbHxNUkiD3OpcJw7eWPIwtEIwtOZcbY1dtE9wo15F3ySb3y1cbk5htEJA0aHOAYAwtPIOlkNTUnicMcpdoliF2LIa0iyALAIF3Oifer9kZOzfoy0fbHxkZEJwtLId3wIcbkZd3wPwo15F3ySb2aZFM9ZhtLIhTSYtJEIwtEIkoLZwe0IHeSYtJEIwtEIf2ipdoAPwtOZd3FINUnsGbYxdy9McbOjDy9iFmkiGUIIkuklF3aSwtLIhW0hwtEIwtEIwtEIwuSYtJEIwtEIwtEIwtEIwtELCMwZBZOpHl09kukvf1s1F2aZdMysca07eWPIwtEIwtEIwtEIwtEIwtOpHJSqKX0hwtEIwtEIwtEIwu0YtJEIwtEIwtELCMwxHJE9woyZFMy5b3kidMWPkokJHJXxhUE7eWPIwtEIwtEIkuklcj0LCMwZBZOJCjrZbTSYtJEIwtEIeWPIwtEIwtOZcbY1duWINUnsGbYxdy9xfBaZGUIIwlYyTraeatEQwrcUT00ICBcMDBxpCbYpwyfwOakywuazcbkVCB1lNUFLFMaMkZwIhUnvFJnlFmkvFJIIdblzFBxgcbkZd3wPhUEpKX0hwtEIwtEYtJEIwtEIko1ldBklFJE9wo15F3ySb2clfoYPb2yZFMy5htELFMazfBx0wtL7eWPIwtEIwolMhtnsGbYxdy9VfB1gFM93FZIIkuklF3aSftEpwtr9werIhUnlFmkvFJIIwL1iCBCSwyazcbkVCB1lwolVDUnADBOiDZnicorIcoySCB0Icoy0CBkiF2AID2ysDUXIUMlqCUnsCbAIdBaVc2yqF2azwoiidoysCB4IDB5pwo1ldBaZduaqCB4IF3nvdmYvFJE8CUnPFMaMNaXJDB5LcbIVFoiXbtw+U0xkUZnrUaYkTLL8R2r+wJEpKX0hwtEIwtnsGbYxdy9xfBaZGUIJaanrWaOywoyMcMlSDByzDUnTOaWIDol0Fz1PDbOzhzrIa0iyALAIfbYlFM5idBA9kZOscB1JcbkdHa0mwJLId3wIcbkZd3wPwo15F3ySb2aZFM9ZhtLIhTSYtJEIwtEIky9TOaYTUA9KB3YlF3Ypd25gF3nvdmYvFl09ko1ldBklFlSxbTSYtJEIwtEIky9TOaYTUA9KB3YlF3Ypd25gdMysCa09ko1ldBklFlSzbTSYtJEIwtEIky9TOaYTUA9KB3YlF3Ypd25gcB1iDBxfNUOscB1JcbkdYy07eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb2svfoyfNUOscB1JcbkdYl07eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb2kidMsfNUOscB1JcbkdKa07eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb3OldunfNUOscB1JcbkdY107eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb3klD2aVDB5mbT0LdBasCMaZBzrxbTSYtJEIwtEIky9TOaYTUA9KB3YlF3Ypd25gC2yJCB5mb2kidMsfNUOscB1JcbkdHTnfKX0hwtEIwtEIeWPIwtEIwt8vwt0sRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0YtJEIwtEIeWPIwtEIwtOzFo9VF29Zwe0Iky9TOaYTUA9KB3YlF3Ypd25gF3nvdmYvFl07eWPIwtEIwtOZcBclFJE9woflfoaVfJIJUyOAAy9UOAcyALaUwJL7eWPIwtEIwtOicoOZwe0IkriAayngA0aUaLaUb1cnAlYdk1kyTA9AOa9nOrOUk107eWPIwtEIwtO1FMXINUELb1YyAlcyAlSmALaOaAaTay9aALLmbTSYtJEIwtEIRZ8IkuOpdBAINUn0DB1lhtL7eWPYtJEIwtnsGbYxdy9xfBaZGUIJUA5TOakAwrlKar8IF3OifolzfolqwyYyaE0hwtEIwtEIwtn0DB1lwtEIwtE9wo5vfZIpRE0hwtEIwtEIwtnpFy9icoWIwtE9wtFLCBOLFJFSeWPIwtEIwtEIwuaZdtEIwtEIwe0IkZO1FMXmRE0hwtEIwtEIwtnZcBCIwtEIwtE9wtFLFMaMcbwmRE0hwtEIwtEIwtn1F2aZdMyscUE9wtFLF3nvdmYvFJFJhUnvFJnlFmkvFJIIdblzFBxgcbkZd3wPhUEpKX0heWPYtJEIwt8vwo15F3ySb3y1cbk5htEJUA5TOakAwrlKar8IF3OifolzfolqwtIIfolscUXIDbngCBOLRtn1FMXSwuklcJXIfbYlFM5idBAIhW0hwtEIRZ8IaMySfBazwtImkuOpdBAmRtFLCBOLFJFSkZO1FMXmRtFLFMaMcbwmRtFLF3nvdmYvFJFIhUwpwo9ZwoaZFM9ZhtnsGbYxdy9lFmkvFJIpwtL7eWPYtJEIwtnZcbO1FM4Ifuk1cTSYtILvR2a4DbW7eWPIwtEIgW0hwtnlduYleWPIwtn7eWPIwtEIcoked25VcBY0htL7eWPIwtEIwtOzfoy0fbHxNUkiD3OpcJw7eWPIwtEIwtOZcbY1duWINUnsGbYxdy9xfBaZGUIIwlYyTraeatEQwrcUT00ICBcMDBxpCbYpwyfwOakywuazcbkgDBW9kzrmwryKOtnzfoy0HT0mkuY0CbO1FzrmwtwIhUnvFJnlFmkvFJIIdblzFBxgcbkZd3wPhUEpKX0heWPIwtEIwtOscB1JcbwINUnsGbYxdy9McbOjDy9iFmkiGUIIkuklF3aSftEpKX0hwtEIwtnpcJIIdblzFBxgdmasb3kvf3HPwtOZcbY1duWIhUEiNUExwtLIcbkZd3wPwtkYCByMRtnaF2aZdMyscUnpdMLIaolLCBSICBOiwoOidoyswoOifoyJCbYlwosidBLSwrppD2rIdBy1wo1ldMfiD3YlFZnPCBxidByVwolVDUnscB1lFMx1D2yVwuYXd25zd3wINorIDuklcj1FwMlVcoa4RmnPFyXJNLsHUASIOrlTUA5kNt9iNJwIhTSYtJEIwtEIdblzFBxgFbalFmLPwlaWOryAOUnicMcpdoliF2LIA0aAwoipfuH9Dol0FZSxwyfwOakywuazcbkVCB1lNUFLdBasCMaZBzyfkZwpwo9ZwoaZFM9ZhtnsGbYxdy9lFmkvFJIpwtL7eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb3YXd25zd3kfNUOscB1JcbkdHa07eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb25idByfNUOscB1JcbkdH107eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb2asCBlSbT0LdBasCMaZBzOfKX0hwtEIwtELb1YyA1YkT05dF2azF2lvdl9qd3OibT0LdBasCMaZBzcfKX0hwtEIwtELb1YyA1YkT05dF2azF2lvdl9JCB5qbT0LdBasCMaZBzlfKX0hwtEIwtELb1YyA1YkT05dF2azF2lvdl90cBxXbT0LdBasCMaZBzffKX0hwtEIwtELb1YyA1YkT05dF2azF2lvdl9ZcBsldMlVc109ko1ldBklFlSxHa07eWPIwtEIwtOgA0aTA0lNTlszcbYzDB9Vb2YiCMyVc19JCB5qbT0LdBasCMaZBzrXbTSYtI0hwtEIwtEvRZEsRU0sRU0sRU0sRU0sRU0sRU0sRU0sRU0seWPYtJEIwtEIkuYXd25zd3wINUELb1YyA1YkT05dF2azF2lvdl9zFo9VF29ZbTSYtJEIwtEIkuklcMaZwe0Ic2a0cB52htkwayOWb1kyOLaUOawJhTSYtJEIwtEIkoyLcuwINUELUyOAAy9TOakBOakgaLyUA1SmALaYT1Oyb0yrOywmbTSYtJEIwtEIkuaZdtE9wtOgA0aUaLaUBZfUOayaOaYAb1aUUUffKX0hwtEIwtEvRZELfolscUE9wuOpdBAPhTSYtI0hwtEIwo15F3ySb3y1cbk5htkkTlYyAlWIUA5ATZnzfoy0DbY0DBSIA0aAeWPIwtEIwtEIwuOpdBAIwtEIwe0IdM93htLSeWPIwtEIwtEIwolXb2yLctEIwe0IkZOicoOZkZXYtJEIwtEIwtEIfbkSwtEIwtEINUEmkuaZdtFSeWPIwtEIwtEIwuklcJEIwtEIwe0IkZOZcBclFJFSeWPIwtEIwtEIwuazcbkVCB1lwe0IkZOzFo9VF29ZkZwpwo9ZwoaZFM9ZhtnsGbYxdy9lFmkvFJIpwtL7eWPYtI0hwtEIRZ8IdblzFBxgFbalFmLPwtkkTlYyAlWIUA5ATZnzfoy0DbY0DBSIhtn0DB1lRtnpFy9icoWSwuaZdtXIFMaMRtn1F2aZdMyscUEpeWPIwtEvRZnBCBx1cbHIhtFLfolscUFSkZOicoOZkZXmkuaZdtFSkZOZcBclFJFSkZOzFo9VF29ZkZEpwJLId3wIcbkZd3wPwo15F3ySb2aZFM9ZhtLIhTSYtI0hwtEIwuklfuaZdJn0FmalKX0htU8vcbipfeSYtJEIwu0YtJEIwu0ktWLYtm0YtI==

mast.bis: That whole thing decodes to some kind of affiliate and statistical tracking system. I’d recommend simply removing it outright, there’s nothing WordPress related there.

So that I don’t have to keep doing this all the time, I’ll explain the method.

This is for the most common encoded method I’ve seen. This is the method that starts with $o=”blah blah.,., like the last two did.

1. Make a copy of the php file. Call it temp.php. Open it in a text editor.

2. Use search replace to find the semi-colons and replace them with semi-colons followed by a carriage return. In TextPad, I enable regular expressions and replace ; with ;\n . Easy.

3. You’ll get three lines of code. The second one starts with ‘eval’. Change that to ‘echo’ instead.

4. Run the php file in php. On the command line, this looks like “php temp.php”. You can also do it in a website/browser if you like.

5. You’ll get a big long line of code with a lot of $lllll stuff in it. Copy all that and paste it back in to the original file. You’re going to REPLACE the entire “echo” line with it. But only that line, you still need to have the $o=”blah” line at the top of the file.

6. Do the semi-colon replace thing again to get a lot of lines instead of one long one.

7. Right at the end, there’s a line that looks like eval($lllllllll); or similar, all by itself. Change that eval to an echo.

8. Run it again. Voila, you should have your unencrypted code now. Copy and paste it where you want it.

There are other obfuscation methods, but this one seems to be very commonplace, as most of the code people send me use it.

i follow this step but couldn’t decrypt it could you explain more cleary thanks