
Monday 23 November 2015

Advanced Guide to Decrypt Encrypted Footer Credits


Hi friends, I've already written a basic guide on "Encryption and Decryption of footer credits for blogger templates" and got a very good response to it. One of my blog readers, Robin Mera, posted a comment on it which I would like to mention.
Removal of footer credits trick works well for gooyaabitemplates templates. But when we try to edit a single word, footer credit like goes despair but some of the query responsive function also not working. Can you guide me for this? How can I remove encrypted footer link without affecting other UI responsive functions?
So, I thought an advanced guide would help bloggers who want to know how these footer credits are technically encrypted and how to remove them. In case you did not follow my previous post, please go through it.

How to Decrypt footer credits from any blogger template?

Before looking at how to remove credits from a template, let us dig into the concept and find out how they are actually encrypted.

How are these footers actually encrypted?

I've already said in my blog post that they are encrypted using some nasty JavaScript. Actually it's much more than plain JavaScript. What happens during encryption is:
  1. The template authors design the template with all the inline JavaScript.
  2. They take each script and pack it together with the code that puts the footer credits back in case you try to remove them.
  3. They hex encode the script to obfuscate it, as shown below.
    [Image: Hex encoded script]
Packing JavaScript code both compresses and obfuscates it. The reasons for doing this are to reduce the size of the original JavaScript and to make it harder for someone to work out what is going on and steal it. Both steps are obfuscation rather than encryption in the cryptographic sense: no key is involved, so the original script can always be recovered. Obviously, if you have spent time and effort writing a cool widget or piece of code, you don't really want every Tom, Dick and Harry coming along and ripping off your code without payment or even acknowledgement.

Why are the query responsive function and other features lost when we edit the code shown above?

Basically, when we edit or remove something inside the packed or hex encoded script, we make it impossible to render. We are not editing only the part that puts the footer link back; we are changing the entire script. So the useful functions of the script stop working along with the code that replaces the footer credits.

Is there no way to remove credits without losing the features of the useful script?

As I always say:
Where there is a will, there is a way.
Yes, we have two procedures to remove only the script that puts the footer credits back.
  • The first one is useless in my opinion. It goes like this: "Disable all the JavaScript using no-script tag in css". I don't prefer this one because script is mandatory for my templates.
  • And the second... Here it comes, buckle up your seat belts and concentrate.

Process to unpack a packed JavaScript and remove hex encoding:

So, we have two jobs to accomplish. The first is to find any packed JavaScript and unpack it; the second is hex decoding.

1. Unpacking JavaScript and removing footer credits and URL redirects

The first step is to open your template in an editor, or directly in the template edit section of your Blogger account.
Search for the following line:

eval(function(p,a,c,k,e,d)
You may find multiple instances. Remember to repeat the procedure for all the packed code. For example, suppose I find the following code:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('4 6=n o();4 f=0;4 7=n o();4 9=n o();u 1e(L){x(4 i=0;i<L.12.g.2;i++){4 g=L.12.g[i];6[f]=g.1c.$t;1g{9[f]=g.1h$1b.18}19(1a){s=g.1f.$t;a=s.J("<P");b=s.J("N=\\"",a);c=s.J("\\"",b+5);d=s.1i(b+5,c-b-5);8((a!=-1)&&(b!=-1)&&(c!=-1)&&(d!="")){9[f]=d}z{8(V(10)!==\'U\')9[f]=10;z 9[f]="K://3.1q.1p.G/-1m/1r/1n/1l/1j/1k.1o"}}8(6[f].2>R)6[f]=6[f].1u(0,R)+"...";x(4 k=0;k<g.E.2;k++){8(g.E[k].1t==\'1s\'){7[f]=g.E[k].A;f++}}}}u 1v(){4 p=n o(0);4 y=n o(0);4 v=n o(0);x(4 i=0;i<7.2;i++){8(!T(p,7[i])){p.2+=1;p[p.2-1]=7[i];y.2+=1;v.2+=1;y[y.2-1]=6[i];v[v.2-1]=9[i]}}6=y;7=p;9=v}u T(a,e){x(4 j=0;j<a.2;j++)8(a[j]==e)11 1d;11 1A}u 1U(W){4 B;8(V(M)!==\'U\')B=M;z B="#1V";x(4 i=0;i<7.2;i++){8((7[i]==W)||(!6[i])){7.q(i,1);6.q(i,1);9.q(i,1);i--}}4 r=O.1T((6.2-1)*O.1S());4 i=0;8(6.2>0)h.l(\'<S>\'+1Q+\'</S>\');h.l(\'<m w="1w: 1W;"/>\');22(i<6.2&&i<15&&i<1Z){h.l(\'<a w="1Y-21:Z;Y:Q;20:F;\');8(i!=0)h.l(\'H-F:1R 0.Q \'+B+\';"\');z h.l(\'"\');h.l(\' A="\'+7[r]+\'"><P w="1O:1C;17:1D;H:1E;" N="\'+9[r]+\'"/><1B/><m 1P="1x"><m w="Y-F: X; H: I Z; 1y: X I I; D-w: C; D-1z: C; D-1F: C; 1G-17: C;">\'+6[r]+\'</m></m></a>\');i++;8(r<6.2-1){r++}z{r=0}}h.l(\'</m>\');7.q(0,7.2);9.q(0,9.2);6.q(0,6.2)}$(h).1M(u(){$(\'#13\').1N(\'<a 
A="K://14.16.G/">1L</a>\');1K(u(){8(!$(\'#13:1H\').2)1I.1J.A=\'K://14.16.G/\'},1X)})',62,127,'||length||var||relatedTitles|relatedUrls|if|thumburl||||||relatedTitlesNum|entry|document||||write|div|new|Array|tmp|splice||||function|tmp3|style|for|tmp2|else|href|splitbarcolor|normal|font|link|left|com|border|0pt|indexOf|http|json|splittercolor|src|Math|img|5px|35|h2|contains_thumbs|undefined|typeof|current|3px|padding|none|defaultnoimage|return|feed|mycontent|www||templateism|height|url|catch|error|thumbnail|title|true|related_results_labels_thumbs|content|try|media|substr|s1600|no_image|092MmUHSFQ0|PpjfsStySz0|AAAAAAAACl8|jpg|blogspot|bp|UF91FE7rxfI|alternate|rel|substring|removeRelatedDuplicates_thumbs|clear|titles|margin|variant|false|br|200px|120px|0px|weight|line|visible|window|location|setInterval|Templateism|ready|html|width|id|relatedpoststitle|solid|random|floor|printRelatedLabels_thumbs|DDDDDD|both|3000|text|maxresults|float|decoration|while'.split('|'),0,{}))

I'll copy the code completely, from "eval(" to the last occurrence of ")", as shown in the image. Then go to the following link, paste your code into the paste section and click Unpack.
http://dean.edwards.name/unpacker/

After unpacking, you may get code like that shown below:

var relatedTitles=new Array();var relatedTitlesNum=0;var relatedUrls=new Array();var thumburl=new Array();function related_results_labels_thumbs(json){for(var i=0;i<json.feed.entry.length;i++){var entry=json.feed.entry[i];relatedTitles[relatedTitlesNum]=entry.title.$t;try{thumburl[relatedTitlesNum]=entry.media$thumbnail.url}catch(error){s=entry.content.$t;a=s.indexOf("<img");b=s.indexOf("src=\"",a);c=s.indexOf("\"",b+5);d=s.substr(b+5,c-b-5);if((a!=-1)&&(b!=-1)&&(c!=-1)&&(d!="")){thumburl[relatedTitlesNum]=d}else{if(typeof(defaultnoimage)!=='undefined')thumburl[relatedTitlesNum]=defaultnoimage;else thumburl[relatedTitlesNum]="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLQoFO5ZEwXUgpOEke9ETn9eCsJ0450MQbmDmUfdETChWJJ7Lua-CYBQJh1SClmxYrnc3_RN0l1Ao-eQ52PS_V745PPxfSBCqhAh4Uksn7le7h_M3lXJzeh6iv9MOKm0s1BwxhlgyL6vxM/s1600/no_image.jpg"}}if(relatedTitles[relatedTitlesNum].length>35)relatedTitles[relatedTitlesNum]=relatedTitles[relatedTitlesNum].substring(0,35)+"...";for(var k=0;k<entry.link.length;k++){if(entry.link[k].rel=='alternate'){relatedUrls[relatedTitlesNum]=entry.link[k].href;relatedTitlesNum++}}}}function removeRelatedDuplicates_thumbs(){var tmp=new Array(0);var tmp2=new Array(0);var tmp3=new Array(0);for(var i=0;i<relatedUrls.length;i++){if(!contains_thumbs(tmp,relatedUrls[i])){tmp.length+=1;tmp[tmp.length-1]=relatedUrls[i];tmp2.length+=1;tmp3.length+=1;tmp2[tmp2.length-1]=relatedTitles[i];tmp3[tmp3.length-1]=thumburl[i]}}relatedTitles=tmp2;relatedUrls=tmp;thumburl=tmp3}function contains_thumbs(a,e){for(var j=0;j<a.length;j++)if(a[j]==e)return true;return false}function printRelatedLabels_thumbs(current){var splitbarcolor;if(typeof(splittercolor)!=='undefined')splitbarcolor=splittercolor;else splitbarcolor="#DDDDDD";for(var i=0;i<relatedUrls.length;i++){if((relatedUrls[i]==current)||(!relatedTitles[i])){relatedUrls.splice(i,1);relatedTitles.splice(i,1);thumburl.splice(i,1);i--}}var r=Math.floor((relatedTitles.length-1)*Math.random());var 
i=0;if(relatedTitles.length>0)document.write('<h2>'+relatedpoststitle+'</h2>');document.write('<div style="clear: both;"/>');while(i<relatedTitles.length&&i<15&&i<maxresults){document.write('<a style="text-decoration:none;padding:5px;float:left;');if(i!=0)document.write('border-left:solid 0.5px '+splitbarcolor+';"');else document.write('"');document.write(' href="'+relatedUrls[r]+'"><img style="width:200px;height:120px;border:0px;" src="'+thumburl[r]+'"/><br/><div id="titles"><div style="padding-left: 3px; border: 0pt none; margin: 3px 0pt 0pt; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal;">'+relatedTitles[r]+'</div></div></a>');i++;if(r<relatedTitles.length-1){r++}else{r=0}}document.write('</div>');relatedUrls.splice(0,relatedUrls.length);thumburl.splice(0,thumburl.length);relatedTitles.splice(0,relatedTitles.length)}$(document).ready(function(){$('#mycontent').html('<a href="http://www.templateism.com/">Templateism</a>');setInterval(function(){if(!$('#mycontent:visible').length)window.location.href='http://www.templateism.com/'},3000)})

So, are you wondering why I've highlighted the code at the end and ignored the rest? Here is the answer.

The above snippet is the unpacked script that was packed in a Templateism blogger template. If you know a little JavaScript, you can easily see that this is the code that encrypts the footer. The highlighted part, the final "$(document).ready(...)" block, is written to redirect to www.templateism.com if we remove the footer credits: it writes the credit link into #mycontent and then checks every 3000 ms whether that element is still visible.

You may not find exactly the same code in every template, but I can say that you will find something starting with "$(document).ready(" with a URL after it. So remove the code similar to what I've highlighted, from "$(document" to the last occurrence of ")", i.e. the closing parenthesis.

Repeat the same procedure with all other packed functions:
  1. Copy the packed function code (it starts with "eval(function(p,a,c,k,e,d)").
  2. Go to http://dean.edwards.name/unpacker/ and unpack it.
  3. Put the unpacked code in place of the packed code.
  4. Remove everything from "$(document).ready(" to the last closing ")".
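The unpack step can also be done statically, which is the safer habit when reviewing a third-party template script because nothing is passed to eval(). The following is an added example, not code from this post or from the unpacker site: it rebuilds the script from the packer's own arguments and lists any hard-coded redirect targets. SAMPLE is a constructed payload, and the names encodeIndex, unpack and findRedirects are chosen for the example.

```javascript
// Constructed sample in p,a,c,k,e,r form (decoder body elided; it is never executed).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* decoder */}('$(0).1(2(){3(2(){4(!$(\'#5:6\').7)8.9.a=\'b://c.d/\'},e)})',62,15,'document|ready|function|setInterval|if|credit|visible|length|window|location|href|http|example|com|3000'.split('|'),0,{}))`;

// Encode a dictionary index the way the packer's e() function does (base 62).
function encodeIndex(c, a) {
  return (c < a ? '' : encodeIndex(Math.floor(c / a), a)) +
    ((c = c % a) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
}

// Rebuild the original script from the packed call's arguments, without eval().
function unpack(packed) {
  // Tail of the call: }('payload',radix,count,'w0|w1|...'.split('|')
  const m = packed.match(
    /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/);
  if (!m) throw new Error('not a p,a,c,k,e,r payload');
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = m[4].split('|');
  if (words.length !== count) throw new Error('keyword count mismatch');
  // Undo the string-literal escaping the packer applied to the payload.
  const payload = m[1].replace(/\\(.)/g, (_, ch) => (ch === 'n' ? '\n' : ch));
  // An empty dictionary entry means "this token stands for itself".
  const dict = new Map();
  for (let i = 0; i < count; i++) {
    const key = encodeIndex(i, radix);
    dict.set(key, words[i] || key);
  }
  return payload.replace(/\b\w+\b/g, w => (dict.has(w) ? dict.get(w) : w));
}

// List URLs assigned to location / location.href in the recovered source.
function findRedirects(src) {
  const re = /(?:window\.)?location(?:\.href)?\s*=\s*(['"])(.*?)\1/g;
  return [...src.matchAll(re)].map(m => m[2]);
}

const recovered = unpack(SAMPLE);
console.log(recovered);
console.log(findRedirects(recovered));
```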

2. Remove encoded script using Hexdecoder:

Some webmasters use this technique to hide their footer encrypting code. It's very simple to spot hex encoded script: it is a very long list of hexadecimal characters stored in an array variable. In JavaScript we use "var" to declare a variable. See the snippet below to get an idea of how hex encoded script looks.
[Image: Hex encoded script]
I'm sorry, Blogger doesn't allow me to post the script directly.

Now copy all the code from "var" to the last semicolon of the script. Click the link below, paste the entire copied code in the box and click on decode.
http://ddecode.com/hexdecoder/

Then replace the script in your template with the decoded script. At the end of the decoded script, you can find code looking like the one below (not exactly the same, but similar):

$(document)[_0xc5eb[58]](function (){$(_0xc5eb[54])[_0xc5eb[53]](_0xc5eb[52]);setInterval(function (){if(!$(_0xc5eb[55])[_0xc5eb[3]]){window[_0xc5eb[56]][_0xc5eb[18]]=_0xc5eb[57];} ;} ,3000);} );

As I said previously, this is also an obfuscated version of the code that puts the footer credits back. Remove it, and repeat the same procedure for all such hex encoded scripts.
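The snippet above is still hard to read because every string is an index into the hex encoded array. The following added example (not code from this post or from the decoder site) resolves those lookups statically: it decodes the array, substitutes each "_0x...[n]" reference and rewrites obj["prop"] as obj.prop. HEX_SAMPLE and its array name are constructed for the example, as are the function names.

```javascript
// Constructed sample: a hex encoded string array followed by code that indexes into it.
const HEX_SAMPLE = String.raw`var _0xa1b2=["\x72\x65\x61\x64\x79","\x23\x63\x72\x65\x64\x69\x74","\x6C\x65\x6E\x67\x74\x68","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x68\x72\x65\x66","\x68\x74\x74\x70\x3A\x2F\x2F\x65\x78\x61\x6D\x70\x6C\x65\x2E\x63\x6F\x6D\x2F"];$(document)[_0xa1b2[0]](function (){setInterval(function (){if(!$(_0xa1b2[1])[_0xa1b2[2]]){window[_0xa1b2[3]][_0xa1b2[4]]=_0xa1b2[5];} ;} ,3000);} );`;

// Decode \xNN and \uNNNN escapes without evaluating the script.
function decodeEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})/g,
    (_, x, u) => String.fromCharCode(parseInt(x || u, 16)));
}

// Replace every _0xNAME[n] lookup with the string it stands for.
function resolveHexArray(src) {
  // Declaration shape: var _0xNAME=["\x..","\x..",...];
  const decl = src.match(
    /var\s+(_0x[0-9a-f]+)\s*=\s*\[((?:"(?:[^"\\]|\\.)*"[\s,]*)*)\]\s*;/i);
  if (!decl) throw new Error('no hex encoded string array found');
  const [whole, name, body] = decl;
  const table = [...body.matchAll(/"((?:[^"\\]|\\.)*)"/g)]
    .map(m => decodeEscapes(m[1]));
  const ref = new RegExp(name + '\\[(\\d+)\\]', 'g');
  return src
    .replace(whole, '')
    // _0xNAME[2] becomes "length"; out-of-range indexes are left untouched
    .replace(ref, (m, i) => (Number(i) < table.length ? JSON.stringify(table[Number(i)]) : m))
    // obj["prop"] becomes obj.prop when prop is a plain identifier
    .replace(/\[\s*"([A-Za-z_$][\w$]*)"\s*\]/g, '.$1')
    .trim();
}

console.log(resolveHexArray(HEX_SAMPLE));
```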

Conclusion

Officially, I say that you must not do this. Follow the instructions at your own risk. I'm not responsible for anything :P
If you have any problem, just drop a comment below, I'll help you to sort it out.

Thanks to Robin as he helped my blog readers to learn something new.

3 comments:

albertodente@gmail.com said...

Excellent, it helped me a lot -- many thanks
www.remediosparalagripe.com

Amnash Anwar said...

A hearty warm welcome for solving such a complex problem for me trying this for a long time ever since now. You mean a lot bro.

सारांश सागर said...

I tried but I get success only in basil theme of Sora templates but other templates don't respond correctly. When I decode it, the decoded version is not able to unpack. Please check it once or make a video to replace footer credit without any hindrances.