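How to Decrypt footer.php

30 August 2009 Under: I Love Chit-Chat

A friend asked me why the footer.php of his WordPress theme shows up as gibberish.

This file usually holds things like copyright notices; the person who modified the theme probably did not want others to change it, so they encrypted it,

as follows: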

<?php $_F=__FILE__;$_X='Pz4JCTxkNHYgY2wxc3M9ImNsNTFyIj48L2Q0dj4NCg0KCT

wvZDR2PjwhLS0gL2MybnQxNG41ciAtLT4NCg0KCTxkNHYgNGQ9ImMybnQxNG41ci1iMn

R0Mm0iPjwvZDR2Pg0KDQoNCg0KCTxkNHYgNGQ9ImYyMnQ1ciI+DQoNCgkJPGQ0diA0Z

D0iZjIydDVyLWw1ZnQiPjwvZDR2Pg0KDQoJCTxkNHYgNGQ9ImYyMnQ1ci1jNW50NXIiPg

0KDQo8MSA0ZD0iYmwyZy1uMW01LXdyMXAiIGhyNWY9Ijw/cGhwIDVjaDIgZzV0XzJwd

DQybignaDJtNScpID8+LyIgdDR0bDU9IkIxY2sgdDIgVDJwIj48c3AxbiA0ZD0iYmwyZy1uM

W01Ij48P3BocCBibDJnNG5mMignbjFtNScpOz8+PC9zcDFuPjwvMT5DMnB5cjRnaHQgJmMyc

Hk7IDw/cGhwIDVjaDIgZDF0NSgnWScpOz8+LiA8MSBocjVmPSJodHRwOi8vd3BqM25jdDQyb

i5jMm0iPlMyaDJNMWcgVGg1bTU8LzE+IEQ1czRnbjVkIGJ5IDwxIGhyNWY9Imh0dHA6Ly93

d3cuMm5sNG41aDUxbHRoZjR0bjVzcy5jMi4zay8iPkg1MWx0aCBENTFsczwvMT4gZjJyIDwxIG

hyNWY9Imh0dHA6Ly93d3cubDJyZGI0bmcyLmMyLjNrLyI+QjRuZzI8LzE+LCA8MSBocjVmPSJ

odHRwOi8vd3d3Lmcyc3M0cGI0bmcyLmMyLjNrLyI+RnI1NSBCNG5nMjwvMT4gMW5kIDwxIG

hyNWY9Imh0dHA6Ly93d3cuZ2wycjQyM3NiNG5nMi5jMi4zay8ybmw0bjUtYjRuZzIvIj5Pbmw0b

jUgQjRuZzI8MS8+Lg0KCQk8L2Q0dj4NCg0KCQk8ZDR2IDRkPSJmMjJ0NXItcjRnaHQiPjwvZDR2Pg0

KDQoJCTxkNHYgY2wxc3M9ImNsNTFybDVmdCI+PC9kNHY+DQoNCgk8L2Q0dj48IS0tIC9mMjJ0N

XIgLS0+DQoNCjwvZDR2PjwhLS0gL3dyMXBwNXIgLS0+DQoNCjw/cGhwIHdwX2YyMnQ1cigpOyA/Pg0KDQo8L2IyZHk+DQoNCjwvaHRtbD4=';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NT

Zhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0Yu

IiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

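So I tried to decrypt it.

Use a Base64 decoding tool, which is easy to find with a Google search, and you get the following encoded text (copy the gibberish that follows $_F=__FILE__;$_X=' into the Base64 tool):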

?>        <d4v cl1ss="cl51r"></d4v>
</d4v><!-- /c2nt14n5r -->
<d4v 4d="c2nt14n5r-b2tt2m"></d4v>
<d4v 4d="f22t5r">
<d4v 4d="f22t5r-l5ft"></d4v>
<d4v 4d="f22t5r-c5nt5r">
<1 4d="bl2g-n1m5-wr1p" hr5f="<?php 5ch2 g5t_2pt42n('h2m5') ?>/" t4tl5="B1ck t2 T2p"><sp1n 4d="bl2g-n1m5"><?php bl2g4nf2('n1m5');?></sp1n></1>C2pyr4ght &c2py; <?php 5ch2 d1t5('Y');?>. <1 hr5f="http://wpj3nct42n.c2m">S2h2M1g Th5m5</1> D5s4gn5d by <1 hr5f="http://www.2nl4n5h51lthf4tn5ss.c2.3k/">H51lth D51ls</1> f2r <1 hr5f="http://www.l2rdb4ng2.c2.3k/">B4ng2</1>, <1 hr5f="http://www.g2ss4pb4ng2.c2.3k/">Fr55 B4ng2</1> 1nd <1 hr5f="http://www.gl2r423sb4ng2.c2.3k/2nl4n5-b4ng2/">Onl4n5 B4ng2<1/>.
</d4v>
<d4v 4d="f22t5r-r4ght"></d4v>
<d4v cl1ss="cl51rl5ft"></d4v>
</d4v><!-- /f22t5r -->
</d4v><!-- /wr1pp5r -->
<?php wp_f22t5r(); ?>
</b2dy>
</html>

Clearly this is still not PHP code. In the original gibberish we can see:

eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZh

b3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciL

CRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

Decode the content that follows eval(base64_decode(' in the same way, and you get:

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

It turns out it just swaps 123456aouie with aouie123456. Replace the digits and letters accordingly and you get the original code:

?>           <div class="clear"></div>

</div><!-- /container -->
<div id="container-bottom"></div>
<div id="footer">
<div id="footer-left"></div>
<div id="footer-center">
<a href="<?php echo get_option('home') ?>/" title="Back to Top"><span id="blog-name"><?php bloginfo('name');?></span></a>Copyright &copy; <?php echo date('Y');?>. <a href="http://wpjunction.com">SohoMag Theme</a> Designed by <a href="http://www.onlinehealthfitness.co.uk/">Health Deals</a> for <a href="http://www.lordbingo.co.uk/">Bingo</a>, <a href="http://www.gossipbingo.co.uk/">Free Bingo</a> and <a href="http://www.gloriousbingo.co.uk/online-bingo/">Online Bingo<a/>.
</div>
<div id="footer-right"></div>
<div class="clearleft"></div>
</div><!-- /footer -->
</div><!-- /wrapper -->
<?php wp_footer(); ?>
</body>
</html>

At last, its true face is revealed.
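
The two manual steps above can be done in one pass without ever running the theme's `eval()`. The following Python sketch is an added example, not part of the original post: it decodes the stub, reads the `strtr()` table out of it instead of hard-coding it, and applies that table to the decoded payload. The function name `deobfuscate` and the `SAMPLE` input are assumptions constructed for illustration.

```python
import base64
import re

# Blog software often turns ' and " into typographic quotes; map them back.
QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u2032": "'",
                        "\u201c": '"', "\u201d": '"'})

def deobfuscate(php_src):
    """Return (stub, template) for a $_X='...';eval(base64_decode('...')) wrapper.

    Nothing is executed: the stub is only decoded and parsed for its strtr() maps.
    """
    src = php_src.translate(QUOTES)
    payload = re.search(r"\$_X='([^']*)'", src)
    stub_b64 = re.search(r"eval\(base64_decode\('([^']*)'\)\)", src)
    if not payload or not stub_b64:
        raise ValueError("not the $_X / eval(base64_decode()) wrapper")
    stub = base64.b64decode(stub_b64.group(1)).decode("latin-1")
    maps = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", stub)
    if not maps or len(maps.group(1)) != len(maps.group(2)):
        raise ValueError("no usable strtr() table in the decoded stub")
    # strtr() with two equal-length strings is a one-pass, per-character map,
    # which is exactly what str.translate() does.
    table = str.maketrans(maps.group(1), maps.group(2))
    # The stub's __FILE__ substitution only matters at run time, so it is skipped.
    body = base64.b64decode(payload.group(1)).decode("latin-1")
    return stub, body.translate(table)

# --- constructed sample (not the theme's real file) ---
STUB = ("$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');"
        "$_R=ereg_replace('__FILE__',\"'\".$_F.\"'\",$_X);eval($_R);$_R=0;$_X=0;")
PLAIN = '?><div id="footer">Copyright 2009 <?php wp_footer(); ?></div>'
# Encode with the inverse table, the way the obfuscator must have done.
ENCODED = PLAIN.translate(str.maketrans("aouie123456", "123456aouie"))
SAMPLE = ("<?php $_F=__FILE__;$_X='%s';eval(base64_decode('%s'));?>"
          % (base64.b64encode(ENCODED.encode()).decode(),
             base64.b64encode(STUB.encode()).decode()))

if __name__ == "__main__":
    stub, template = deobfuscate(SAMPLE)
    print(stub)
    print(template)
```

Reading the decoded template before installing a theme also shows exactly which links and PHP calls the footer would emit.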
