Decifrare un codice eval(base64_decode trovato nel file footer.php.

[opso]

Ciao, ho trovato questo codice nel file footer.php di un tema per wordpress, (il footer.php contiene solo questo codice) sapreste dirmi come fare per decifrarlo?

Codice PHP:

<?php /* File code. */ $o="QAAAOzh3b3cNKC0tDSctJ09maQAAY2tidCdzb2InYW5pZmsnZgEAZHNuaGl0JwGQJ2pmdWxydycgwGhhAgJ3ZmBiKQNQADAnR3dmZGyAhgEAJ1NvYnRudAEwKA0nDQRgANBYAABvaGhsWGZhc2J1WG9zamsvAAAuPA0NJCdGY2NiYydzaCdmAAB3d2JmdGInZGJ1c2ZuaSd3CABrcmBuByBwb25kbydkb2JkbAgEJ2FodQdAbnQnZGhjYicCUHNvggYA0GFua2I9BLBwd1hhaGgGAAWxOAAgOQ0NOyhlaGN+OQCA";eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbFskbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));return;?>

Ho provato molti tools online per decifrare i codici eval(base64 ma questo sembra essere stato criptato anche con altri metodi.

Grazie!

[bubi1]

Metti echo al posto dell'eval.
Crea un nuovo file, uguale al tuo, poi sostiuisci tutto l'eval con il risultato che ottieni sopra.
In questo nuovo file, sostituisci l'ultimo eval con echo.

[opso]

Ciao, con metti echo al posto di eval intendi nei vari tools online per decifrare il codice?

Ho provato ma vengono fuori caratteri strani.

Puoi spiegarmi meglio il procedimento?

Non perché non ti sei fatto capire ma perché per me è ancora un po’ complicato

[bubi1]

No, niente tools online..

ti posto la soluzione, tanto se non hai capito le dritte e' inutile insistere

quel codice si traduce in:

Codice PHP:

?><?php
/**
 * Handles the final actions and markup of the page.
 *
 * @package Thesis
 */

thesis_hook_after_html();

# Added to appease certain plugins which check for this code in this file:
# wp_footer();
?>

</body>
</<?

[opso]

Grazie!

Vedrò di capire meglio il procedimento che hai descritto.

Ora provo a copiare il codice che hai postato nel footer per vedere cosa succede.