I recently saw an entire WordPress theme encoded with PhpLockIt 2.2.0 and I realized that this encryption is still widely used and that someone could be interested in finding a way to decrypt it.
Since PhpLockIt 2.2.0 is practically a base64 encoding, it can be decoded without errors, 100% clean, and the output script will work without the need to correct syntax errors or make additional changes to the code.
How to decode PhpLockIt 2.2.0:
Original file – This is the original test file, unedited:
Step 1 - Determine the values of the variables above "eval"
Below, you will see the edited file so that it can be read more easily. You will notice that I added "print_r($GLOBALS);"
Running this file will give you an array, and at the end of it you will notice the variables we are interested in:
- $GLOBALS['OOO000000'] = 'fg6sbehpra4co_tnd';
- $GLOBALS['OOO0000O0'] = 'base64_decode';
- $GLOBALS['OOO000O00'] = 'fopen';
- $GLOBALS['O0O000O00'] = 'fgets';
- $GLOBALS['O0O00OO00'] = 'fread';
- $GLOBALS['OOO00000O'] = 'strtr';
- $OOO0O0O00 = 'C:\Documents and Settings\mla\Desktop\How to decode phpLockIt 2.2.0\original.php';
- $OO00O0000 = 0xa8;
Step 2 - See what "eval" contains
I replaced the variables in the file above and, as you can see, "eval" is followed by a variable "$GLOBALS['OOO0000O0']" with the value "base64_decode".
I replaced it and also changed "eval" to "echo". Let's run the file again.
Step 3 - Replace "eval"
I replaced "echo base64_decode ..." with the result obtained after running the file above. For clarity, I added two variables:
- $O000O0O00 = $data;
- $OO00O00O0 = $result;
Step 4 - Replace variables in "eval"
Replace $GLOBALS['OOO000O00'], $GLOBALS['OOO00000O'], etc. with the corresponding values "fopen", "strtr", etc.
Step 5 - Getting the decoded file
At first glance, to obtain the decoded file we would need to replace "eval($result)" with "echo $result". If you run the program you will see that this does not work: you will not get anything as a result. We need to add something.
In Step 1, we obtained the variable "$OO00O0000 = 0xa8".
- I will change "$result = base64_decode(strtr(fread($data, 0x3a8)" to "$result = base64_decode(strtr(fread($data, 0xa8)"
- I will also add "fread($data, 0x3a8)" under the existing "fread($data, 0x501);"
Note: Before running this PHP file, make sure to replace the path to the original file "C:\Documents and Settings\mla\Desktop\How to decode phpLockIt 2.2.0\original.php" with your own path.
Decoded file - if you run the file above, you will get the decoded file below. You need to add "<?php" and "?>".
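The collapsed decoder from Steps 3 to 5, written as an added example that never calls eval (this is not the author's decoder or code from the post). The function name decode_layer, the sample file, its offsets and the substitution alphabet are all constructed for the demo; for a real file the offsets and the strtr() arguments are read from the loader as in Steps 1 to 4.

```php
<?php
// Added example. decode_layer() is a hypothetical helper; the sample file,
// its offsets and the substitution alphabet are constructed for this demo.

/**
 * Skip the loader stages of a self-reading file, read $len payload bytes,
 * undo the strtr() substitution and base64-decode. Nothing reaches eval().
 */
function decode_layer(string $path, array $skip, int $len, string $from, string $to): string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    try {
        foreach ($skip as $n) {   // the fread() calls that only advance the file pointer
            if ($n > 0 && strlen((string) fread($fh, $n)) !== $n) {
                throw new RuntimeException('file is shorter than the stated offsets');
            }
        }
        $blob = $len > 0 ? (string) fread($fh, $len) : '';
    } finally {
        fclose($fh);
    }
    if (strlen($blob) !== $len) {
        throw new RuntimeException('payload is truncated');
    }
    // Strict mode rejects bytes outside the base64 alphabet, which usually means a wrong offset.
    $plain = base64_decode(strtr($blob, $from, $to), true);
    if ($plain === false) {
        throw new RuntimeException('not valid base64 after strtr(): check the offsets');
    }
    return $plain;
}

// Constructed sample: two dummy loader stages followed by an encoded payload.
$std     = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
$subst   = strrev($std);                                   // constructed alphabet
$payload = strtr(base64_encode('echo "protected script body";'), $std, $subst);
$tmp     = tempnam(sys_get_temp_dir(), 'lock');
file_put_contents($tmp, str_repeat('A', 0x20) . str_repeat('B', 0x10) . $payload);

// Printed as text for review, never executed.
echo decode_layer($tmp, [0x20, 0x10], strlen($payload), $subst, $std), PHP_EOL;
unlink($tmp);
```

For the test file in this post the equivalent call would skip 0x501 and then 0x3a8 bytes and read 0xa8, with the strtr() arguments taken from the loader.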
I hope the explanation above is clear enough and useful at the same time. Download the example files presented in the steps above, here.
If someone is interested in buying the decoder for $5, you can find it here: PhpLockIt 2.2.0 Decoder. If you want to test it on some of your files, please send them to this email address: firstname.lastname@example.org. Thank you.