Decode Obfuscated WordPress Strings Which Use eval, gzinflate, And base64_decode.

I’ve been using WordPress for a while, and it seems that whenever I find a useful plugin or theme on the web, the author always seems to embed some affiliate link or some other garbage on my main page. Usually they make sure that these links show up on every page, and sometimes they even make other features of the software depend on it. Usually when I try to edit out the code, it’s not as easy as removing an anchor or a bit of JavaScript. They always seem to obfuscate what they are doing as much as possible.

The most popular way to do this is to use a combination of gzinflate, base64_decode, eval, and str_rot13. For most users it is really difficult to decode this and figure out what is really going on. I wrote this function to hopefully make people’s lives easier (or harder, depending on who you are).
Usually the obfuscated code is written in the WordPress add-on like this:


$coded_string = "eval(gzinflate(base64_decode('FZfFDs..sdff/7nr/8B')));";

If your string looks like that, then the function that follows should decode it and return the HTML code pretty easily.

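function decode_goofy_string($coded_string)
{
  // Each pass unwraps one eval(gzinflate(...)) layer until none is left.
  // eval() executes the string, so anything outside the wrapper runs too:
  // use this only on an isolated, disposable system.
  while(preg_match("/eval\(gzinflate/",$coded_string)) 
  {
    $previous=$coded_string;
    // Strip PHP open/close tags so the string is valid input for eval().
    $coded_string=preg_replace("/<\?(php)?|\?>/i", "", $coded_string); 
    // Turn the first "eval" into an assignment so the decoded layer is stored, not run.
    eval(preg_replace("/eval/", "\$coded_string=", $coded_string, 1)); 
    // Stop if nothing changed, otherwise the loop would never end.
    if($coded_string===$previous) break;
  }
  
  return trim($coded_string);
}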

This function is pretty straightforward, but if anyone has any trouble then leave a comment or send me an email at cody@codytaylor.org.
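The same unwrapping done as plain data decoding in Python, so the untrusted string is never passed to eval(). This is an added example, not the author's code; it goes beyond the gzinflate case to cover base64-only, gzuncompress and str_rot13 wrappers, and make_sample, the DECODERS table and the sample payload are constructed for illustration.

```python
import base64, codecs, re, zlib

# PHP wrapper functions handled here, mapped to Python equivalents.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
    "gzuncompress": zlib.decompress,                 # zlib-wrapped stream
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}
# eval( f1( f2( 'literal'   -> group 1: the call chain, group 3: the literal
LAYER = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)(['\"])(.*?)\2", re.S)

def peel(code):
    """Decode one eval(...) layer as data; return None when no layer is left."""
    m = LAYER.search(code)
    if m is None:
        return None
    data = m.group(3).encode("utf-8")
    for name in reversed(re.findall(r"\w+", m.group(1))):  # innermost call first
        if name not in DECODERS:
            raise ValueError(f"unsupported wrapper function: {name}")
        data = DECODERS[name](data)
    return data.decode("utf-8", "replace")

def decode_layers(code, max_layers=50):
    """Peel nested layers without executing anything; returns (text, layers)."""
    for layers in range(max_layers):
        inner = peel(code)
        if inner is None:
            return code.strip(), layers
        code = inner
    raise ValueError("too many layers; possible decoding loop")

def make_sample(payload, depth=2):
    """Constructed test input: wrap payload in `depth` gzinflate/base64 layers."""
    for _ in range(depth):
        c = zlib.compressobj(wbits=-15)
        raw = c.compress(payload.encode()) + c.flush()
        payload = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return payload

if __name__ == "__main__":
    sample = make_sample('echo "<a href=\\"http://example.invalid/\\">link</a>";')
    print(decode_layers(sample))
```

An unknown function in the call chain raises ValueError instead of being guessed at, which flags samples that need manual review.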


3 Responses to “Decode Obfuscated WordPress Strings Which Use eval, gzinflate, And base64_decode.”

  • Vikram Says:

    What if the encoding is done in the following way:

    eval(base64_decode('kcmVjZWaWYgKCg…'));

    Can you please provide a solution?

  • Cody Taylor Says:

    @Vikram
    What happens when you replace 'while(preg_match("/eval\(gzinflate/",$coded_string))' with 'while(preg_match("/eval/",$coded_string))'? If it doesn’t work, email me the whole string and I’ll see what I can do.

  • Mark Says:

    It didn’t quite work out for me as described there. Is there no easier way? Is there maybe a decoder of some sort on the web which can decode the scrambled part of functions.php?