Blog Archives

Unlocking The CMS Templates

Recently one of my friends showed me a locked Joomla template, i.e. a template which was locked by its developers. It was nice, creative and a good way to get paid, but just out of curiosity I decided to look into it and unlock it.

This is how their mechanism worked. I could download the template free of cost and test it on a local server (localhost || 127.0.0.1) very easily, but as soon as I uploaded it to a paid web server, it showed a horrific “License Required” logo instead of the pretty website. So, I couldn’t get the website running without a license. From the moment that logo showed up, it became a challenge to find a way to remove it, so I sat down to remove that ugly thing.

Disclaimer: If you like things, pay for them. This was done by me just out of curiosity and for knowledge purposes. I am neither responsible for your deeds nor do I support these types of activities.

Looking closely at the template structure, I found a call to default.php at the very beginning, which included the following code:

eval(gzinflate(base64_decode('ZZBBa4NAEIXPCv6HIQhrILp3S4RcikhDSvEuWzuNSzfudtwk9N933Y2BkOPMvPe9x8RN3e7fyrLL2CcO4iI1Fd8kTnjV9MM2YOmM65ckTmLC37Mk7PTYIzTvu7buPg6HFgpYcYsno4TFia/cnNpBTnm1LN2Gcdmj1VpNfEBlkAozGOaxnMMRLRjhQqckTsMdtjDiFZyr9nP2BJ1L3cR5RTh+IbW3210coBD6p8KYKIq20LyK3mr6K0sXvDNGyV5YqcfMI5eA4HXy2ZdXTnrH+58s9MBW+qg9/CHZ2zI2H1ko8Q8=')));

This code decodes to a simple PHP script which checks the value of a parameter in helper.php.
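Wrappers of this shape can be read statically, without ever letting eval() run them, which is how such files are normally triaged. The Python sketch below is an added example, not code from the original post or from the template's developers; the function names, the 1 MiB output cap and the sample string are assumptions made for illustration.

```python
import base64
import re
import zlib

# One eval(gzinflate(base64_decode('...'))) wrapper, tolerant of whitespace.
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)"
)
MAX_OUTPUT = 1 << 20  # assumed cap: refuse any layer that inflates past 1 MiB


def inflate_raw(blob: bytes) -> bytes:
    """PHP's gzinflate() reads raw DEFLATE, hence the negative window size."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = d.decompress(blob, MAX_OUTPUT)
    if not d.eof:  # stream did not finish: truncated input or over the cap
        raise ValueError("layer is truncated or exceeds MAX_OUTPUT")
    return out


def unwrap(source: str, max_layers: int = 10) -> list:
    """Return every decoded layer, outermost first, without running any PHP."""
    layers = []
    for _ in range(max_layers):
        match = WRAPPER.search(source)
        if match is None:
            break
        blob = base64.b64decode(match.group(2))
        source = inflate_raw(blob).decode("utf-8", errors="replace")
        layers.append(source)
    return layers


# Constructed sample (not the template's code): wraps the text echo 'demo1';
SAMPLE = "eval(gzinflate(base64_decode('AQ0A8v9lY2hvICdkZW1vMSc7')));"

if __name__ == "__main__":
    for depth, layer in enumerate(unwrap(SAMPLE), start=1):
        print(f"--- layer {depth} ---\n{layer}")
```

The loop stops at the first layer that contains no further wrapper, so nested wrappers are peeled one at a time and each intermediate stage stays available for review.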

Opening up helper.php, we again get messy code:

eval(gzinflate(base64_decode('...')));


When decoded, this messy code turns into the following, which is the main part:

// No direct access.
defined('_JEXEC') or die;

$SECURITY_CODE = "icetheme";
define("CHECK_DAY", 86400);
define("DEBUG_MODE", false);
define("SERVER_URL", "http://www.icetheme.com/index.php" );
if(DEBUG_MODE){
    define("NUM_DAYS", 0);
}
else{
    define("NUM_DAYS", 1);
}


class iceHelper{
    var $host = null;
    var $ip_address = null;
    var $template_id = "";
    var $check_url = SERVER_URL;
    var $post_vars = "option=com_license&view=licenses&task=check&l=";
    var $method = "POST";
    var $_status = null;
    var $_temp_params = null;
    function __construct($template_id = ""){
        $this->host = $_SERVER['SERVER_NAME'];
        $this->ip_address = gethostbyname($_SERVER['SERVER_NAME']); // Imp line no. 1
        if(empty($this->ip_address)){
            $this->ip_address = $_SERVER["REMOTE_ADDR"];
        }
        $this->template_id = $template_id;
    }
    public function setTemp($template_id = ""){
        $this->template_id = $template_id;
    }
    function checkLocalhost(){
        $white_list = array("localhost", "127.0.0.1"); // Imp line no. 2
        if( in_array( $this->host, $white_list) || in_array($this->ip_address, $white_list) ){
            return true;
        }
        return false;
    }
    /**
    * make request service
    *
    * @param string $url
    * @return void.
... snip ...

Notice that this code looks up your host name. It is matched against the whitelist, i.e. the list of IPs on which the template is allowed to work (localhost is on the whitelist by default). If the IP is not in this whitelist, the “License Required” logo shows up. Now you can clearly override the call to this script, or you can use a simple approach: add your server’s IP to the whitelist, like this:


$white_list = array("localhost", "127.0.0.1", "Your ip here");

Note: you have to make these changes, encode the script back to its original format (just the opposite of how you decoded it into a readable script) and save it on your server.

Now your website will show instead of the “License Required” logo 🙂

This method is used by many content management systems nowadays. Only the file names or script structure may differ a little. You just need to know how the template is authenticating itself with the developer’s site (traffic capturing should ring some bells) and which file is responsible for authentication, plus a little bit of programming.

Cyberoam Hack : As many accounts as you like

NOTE: I have now detailed the process explaining how to do it: http://navkamalrakra.com/cyberoam-accounts-stealing-hacking-bypassing/

Our college has got a Cyberoam firewall to censor our online activities, and everybody is provided with a username/password combination to connect to the internet. Students get limited access and the faculty gets unlimited access, so the aim ultimately is to gather as many faculty accounts as possible. In my free time I wrote a shell script to accomplish this task … and in about 2 hours I had more than 100 accounts, out of which more than 10 were unlimited faculty accounts 🙂 …
It was as easy as grep -i "mode=[0-9][0-9][0-9]" from the dump.
Here is the proof (the list is too long to be displayed, and the usernames as well as passwords have been trimmed for the security of the accounts):


The article has been moved to http://navkamalrakra.com/cyberoam-accounts-stealing-hacking-bypassing/