Tuesday, February 24, 2015

How to Decode PhpLockIt 2.2.0

I recently saw an entire WordPress theme encoded with PhpLockIt 2.2.0, and I realized that this encryption is still widely used and that someone could be interested in finding a way to decrypt it.

Since PhpLockIt 2.2.0 is practically a base64 encoding, it can be decoded without errors, 100% clean, and the output script will work without the need to correct syntax errors or make additional changes to the code.

How to decode PhpLockIt 2.2.0:

Original file - This is the original test file, unedited. Save it as a PHP file named "1.php".

Step 1 - Write down the hex variable before eval. You will use it later.
$start = 0xa8;

Step 2 - See what "eval" contains.
Replace "eval" with "echo" and run the file. You will get the result below.

Write down 3 variables from above. You will use them later.
$offset = 0x501 + 0x3a8;
$key = 'nPDJexW2L/moSgMZOQAGK4NcFb6akY038phqi1UdBflwvRrTtIX7yH5sVzuC+jE9=';

Step 3 - Decoding function. I have replaced the variables $file, $key, $start, $offset with arguments to the function.

Save the decoding function above in a PHP file named "decode.php", in the same folder as "1.php". Run "decode.php" and you'll get the decoded file.

You can decode any file encoded with PhpLockIt 2.2.0, if you follow the steps above.

  • Replace "eval" with "echo" in the original file and run it. Write down the variables.
  • Insert the variables in the decoding function.
  • Run the file that contains the function and you'll get the decoded file.
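The "practically a base64 encoding" point can be checked statically, without executing the encoded file. The Python sketch below is an added example, not the decoding function from this post: it assumes the 65-character $key is a substitution alphabet mapped position by position onto the standard Base64 alphabet, and its `skip` and `length` parameters and the sample stub are hypothetical stand-ins for the real file layout.

```python
import base64

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# Key value copied from Step 2 of the post.
KEY = "nPDJexW2L/moSgMZOQAGK4NcFb6akY038phqi1UdBflwvRrTtIX7yH5sVzuC+jE9="


def check_key(key):
    """A usable key is a permutation of the 65 standard Base64 symbols."""
    if len(key) != len(STD) or set(key) != set(STD):
        raise ValueError("key is not a permutation of the Base64 alphabet")


def decode_block(blob, key=KEY):
    """Assumed scheme: map key[i] -> STD[i], then ordinary Base64 decode."""
    check_key(key)
    text = blob.decode("ascii").translate(str.maketrans(key, STD))
    return base64.b64decode(text, validate=True)


def encode_block(plain, key=KEY):
    """Inverse mapping, used only to build the constructed sample below."""
    check_key(key)
    std = base64.b64encode(plain).decode("ascii")
    return std.translate(str.maketrans(STD, key)).encode("ascii")


def decode_region(data, skip, length, key=KEY):
    """Decode `length` bytes found `skip` bytes into the file contents."""
    region = data[skip:skip + length]
    if len(region) != length:
        raise ValueError("file is shorter than skip + length")
    return decode_block(region, key)


# Constructed sample: a fake loader stub followed by one encoded block.
SAMPLE_PLAIN = b"<?php echo 'hello from the decoded layer'; ?>"
SAMPLE_STUB = b"<?php /* constructed loader stub */ ?>"
SAMPLE_BODY = encode_block(SAMPLE_PLAIN)
SAMPLE_FILE = SAMPLE_STUB + SAMPLE_BODY

if __name__ == "__main__":
    out = decode_region(SAMPLE_FILE, len(SAMPLE_STUB), len(SAMPLE_BODY))
    print(out.decode())
```

A key that fails `check_key` means the value was copied incompletely or the file uses a different scheme.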