Decoding the obfuscated base64 PHP

WordPress is quite versatile. The ability to customize, tweak, and manipulate code, and to change plugins and themes, is among the top reasons that it is so popular today. However, there are those who maliciously and intentionally add code that generally cannot be changed. This code is often encrypted or obfuscated so that it may be masked as legitimate code. Often this encrypted code is found in the footer.php file, where in some cases hundreds of links point to various "shady" sites. Generally, the intention is not to remove the copyright information of other legitimate sources, but to add things such as one's own copyright information, correct misspellings, and so on. This code may have been obfuscated using a number of different techniques; one that seems to be difficult is base64_decode combined with gzuncompress.

Some PHP code may be encrypted this way, in which case it may begin with a string like the following:
eval(gzuncompress(base64_decode("****……..

Many different sources offer the solution of changing the eval to echo or print. However, there are very few people who may use that method to decompress a PHP string. I found some code that does the trick.

decode

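<?php

// Output file for the decoded source. It is written as plain text, never executed.
$file_name = 'code.txt';

// Open with 'w' so that a re-run replaces the file instead of appending a second copy.
if (!$manager = fopen($file_name, 'w')) {
	echo "Unable to open file ($file_name)";
	exit;
}

// Reverse the obfuscation: base64-decode first, then zlib-decompress.
$content = gzuncompress(base64_decode("***--long-string--***"));

// gzuncompress() returns false when the data is not a valid zlib stream.
if ($content === false) {
	echo "Unable to decode the string";
	exit;
}

if (fwrite($manager, $content) === FALSE) {
	echo "Can not write file ($file_name)";
	exit;
}

fclose($manager);

?>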

Usage

  • Save the script with the PHP extension.
  • Change the ***--long-string--*** placeholder to the code that needs decoding.
  • Using your web server, execute the PHP file.

The result will be a file called code.txt, which should contain the decoded text.
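
The same decoding can also be done as pure text processing, so that no PHP from the suspect file is ever executed. The following is an added example, not code from the original post: it goes beyond the single layer above by also handling the gzinflate variant and wrappers nested inside one another. The names unwrap, decode_layer and make_sample, the two limits, and the sample input are assumptions constructed for this example.

```python
import base64
import re
import zlib

# eval(gzuncompress(base64_decode("..."))) and the raw-DEFLATE gzinflate variant.
WRAPPER = re.compile(
    r"""eval\s*\(\s*(gzuncompress|gzinflate)\s*\(\s*base64_decode\s*\(\s*
        (["'])([A-Za-z0-9+/=\s]+)\2\s*\)\s*\)\s*\)\s*;?""",
    re.VERBOSE | re.IGNORECASE,
)
MAX_LAYERS = 20         # assumed limit: stop on pathological nesting
MAX_OUTPUT = 5_000_000  # assumed limit: cap each layer (decompression bombs)


def decode_layer(func, b64):
    """Decode one base64 + zlib layer the way the named PHP function would."""
    text = "".join(b64.split())
    raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    # gzuncompress expects a zlib stream, gzinflate a headerless DEFLATE stream.
    wbits = zlib.MAX_WBITS if func.lower() == "gzuncompress" else -zlib.MAX_WBITS
    stream = zlib.decompressobj(wbits)
    out = stream.decompress(raw, MAX_OUTPUT)
    if stream.unconsumed_tail or not stream.eof:
        raise ValueError("layer is truncated or larger than MAX_OUTPUT")
    return out.decode("utf-8", errors="replace")


def unwrap(php_source):
    """Peel nested wrappers as text only; returns (source, layers_removed)."""
    layers = 0
    while layers < MAX_LAYERS and (match := WRAPPER.search(php_source)):
        decoded = decode_layer(match.group(1), match.group(3))
        php_source = php_source[:match.start()] + decoded + php_source[match.end():]
        layers += 1
    return php_source, layers


def make_sample():
    """Constructed sample: a harmless echo wrapped in two layers."""
    inner = 'echo "<p>constructed footer text</p>";'
    l1 = base64.b64encode(zlib.compress(inner.encode())).decode()
    mid = f'eval(gzuncompress(base64_decode("{l1}")));'
    raw = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    l2 = base64.b64encode(raw.compress(mid.encode()) + raw.flush()).decode()
    return f"<?php eval(gzinflate(base64_decode('{l2}'))); ?>"


if __name__ == "__main__":
    print(unwrap(make_sample()))
```

To use it on a real file, read the file's contents into a string and pass that to unwrap() in place of make_sample().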