白粉仔昨晚发了个主题过来

说footer.php加密了.

代码如下:

用DW打开,一看,又是base64_decode解码,根据WordPress主题的解密过程,用echo htmlspecialchars替换里边的eval,在浏览器执行,得到如下代码.

把这些代码替换上面的红色部分..又注意到里边还有eval,base64_decode,找到最后一个eval,继续用echo htmlspecialchars替换最后那个eval,就可以完全解密了....如下所示:

>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;for($llll=0;$llll<$ll;$llll++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else{$ll=($llllllllll($l[$lllll++])<<8);$ll+=$llllllllll($l[$lllll++])+16;for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllllll+=$ll;}}else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllllllll--;}eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));$lllll=0;eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));$llllllllll="";for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));echo htmlspecialchars($lllllllll);return;?>

就得出真正的代码了.不要被这些长度不一的字母l变量所迷惑,只不过是把PHP函数进行base64_encode编码了.这里, $lllllllllll='base64_decode';$lllllllllllll='strlen';$llllllllllll='chr';

总结: 对于只有eval和base64_decode,找到最后一个eval,替换成echo htmlspecialchars , 如果有多层, 就再继续替换...

doubanclaimcfb890522527358e

本文转载自:http://deloz.net/1000000518.html