December 2010

Last night 白粉仔 sent a theme over,

saying its footer.php was encrypted.

The code is as follows:

<?php /* WARNING: This file is protected by woothemes and is subject to copyright law. */
$o="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";eval(base64_decode("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"));return;?> 

Opening it in DW, it is once again base64_decode. Following the usual decryption procedure for WordPress themes, replace the eval inside with echo htmlspecialchars and run it in the browser, which gives the following code.

[screenshot: 2139327846.jpg]

Replace the red part above with this code. Notice there is still an eval(base64_decode(...)) inside; find the last eval and again replace that last eval with echo htmlspecialchars, and it is fully decoded, as shown below:

<?php /* WARNING: This file is protected by woothemes and is subject to copyright law. */
$o="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";$lll=0;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));$llll=0;$lllll=3;eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));$lllllll=0;$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));$lllllllll=16;$llllllll="";for(;$lllll<$lllllllllllll($l);){if($lllllllll==0){$llllll=($llllllllll($l[$lllll++])<<8);$llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;}if($llllll&0x8000){$lll=($llllllllll($l[$lllll++])<<4);$lll+=($llllllllll($l[$lllll])>>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;for($llll=0;$llll<$ll;$llll++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else{$ll=($llllllllll($l[$lllll++])<<8);$ll+=$llllllllll($l[$lllll++])+16;for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllllll+=$ll;}}else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllllllll--;}eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));$lllll=0;eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));$llllllllll="";for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));echo htmlspecialchars($lllllllll);return;?> 

That yields the real code. Don't be confused by the variables made up of varying numbers of the letter l; they are just PHP function names that have been base64_encoded. Here,

$lllllllllll='base64_decode';$lllllllllllll='strlen';$llllllllllll='chr';

[screenshot: 3016825630.jpg]

Summary: for a file that only has eval(base64_decode(...)), find the last eval and replace it with echo htmlspecialchars; if there are multiple layers, just keep replacing...
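To recover the footer statically instead of running the intermediate layer in a browser, here is an added Python re-implementation of the decoder shown above with the l-variables given names (my code, not the theme's or WooThemes'); the blob built by build_sample is constructed for illustration and is not from the real footer.php.

```python
import base64
XOR_KEY = 0x07  # each decompressed byte is XORed with 0x07 before the final eval()

def decompress(buf: bytes) -> bytes:
    """The decoder's loop with the l-variables named. Byte 0 is never read; bytes 1-2 hold
    the first 16-bit flag word. Clear bit: copy one literal byte. Set bit: offset/length
    token, offset != 0 = back-reference (low nibble + 3), offset == 0 = run (count + 16)."""
    out = bytearray()
    pos, flags, bits_left = 3, (buf[1] << 8) | buf[2], 16   # $lllll, $llllll, $lllllllll
    while pos < len(buf):
        if bits_left == 0:                                   # fetch the next flag word
            flags, pos, bits_left = (buf[pos] << 8) | buf[pos + 1], pos + 2, 16
        if flags & 0x8000:
            offset = (buf[pos] << 4) | (buf[pos + 1] >> 4)   # 12-bit offset ($lll)
            pos += 1
            if offset:
                length = (buf[pos] & 0x0F) + 3
                pos += 1
                start = len(out) - offset
                for k in range(length):                      # byte-wise, so overlap works
                    out.append(out[start + k])
            else:
                length = ((buf[pos] << 8) | buf[pos + 1]) + 16
                pos += 2
                out.extend(bytes([buf[pos]]) * length)
                pos += 1
        else:
            out.append(buf[pos])
            pos += 1
        flags, bits_left = (flags << 1) & 0xFFFF, bits_left - 1
    return bytes(out)

def decode_payload(o_b64: str) -> str:
    """The footer source recovered from $o without executing any of the layers."""
    return bytes(b ^ XOR_KEY for b in decompress(base64.b64decode(o_b64))).decode("latin-1")

def eval_string(o_b64: str) -> str:
    """What the last eval() receives: chr(62) and chr(60) wrap it as '?>' ... '<?'."""
    return "?>" + decode_payload(o_b64) + "<?"

def build_sample() -> str:
    """Constructed blob (not from the real theme) covering all three token kinds."""
    a, b, c, x, bang = (ord(ch) ^ XOR_KEY for ch in "abcx!")
    blob = bytes([0x00, 0x18, 0x00,             # skipped byte; flags: lit x3, back-ref, run, lit
                  a, b, c,
                  0x00, 0x33,                   # back-ref: offset 3, length 3+3 -> "abcabc"
                  0x00, 0x00, 0x04, x,          # run: offset 0, count 4+16 = 20 copies of "x"
                  bang])
    return base64.b64encode(blob).decode("ascii")
```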