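BASE64 Decoding

While modifying a theme, I found that footer.php had been encrypted, so I could not add some of my blog's information to it. So I searched online to see whether it could be decrypted.

The encrypted content of footer.php looks like this: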

<?php $_F=__FILE__;$_X='Pz4gICA8L2Q0dj4NCg0KICAgICAgPGQ0diA0ZD0iczVjMm5kMXJ5QzJudDVudCI+DQogICAgICAgIDw/cGhwIGc1dF9zNGQ1YjFyKCk7ID8+DQogICAgICA8L2Q0dj4NCg0KICAgICAgPGQ0diA0ZD0iZjIydDVyIj4NCiAgICAgICAgPD9waHAgd3BfZjIydDVyKCk7ID8+DQo8YzVudDVyPiBDTUQgRDVzNGduNWQgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy5kMmxwaDRucHIybTJ0NDJucy5jMi4zay9zNTItczVydjRjNXMuMXNwIj5TRU8gUzVydjRjNXM8LzE+IHw8MSBocjVmPSJodHRwOi8vd3d3Lmc1dGMxbnYxcy5jMi4zay8iPlBoMnQycyAybiBDMW52MXM8LzE+IA0KfDwxIGhyNWY9Imh0dHA6Ly93d3cuYzJtbS1zdDJyNS5jMi4zayI+RDF0MSBjMWI0bjV0czwvMT58IDwxIGhyNWY9Imh0dHA6Ly93d3cuM25kNXQ1Y3Q1ZC5jMi4zay9tNDItczF0bjF2LjFzcCI+TTQyIEdQUzwvMT4gfCAgPC9kNHY+DQoNCiAgICAgIDwvZDR2Pg0KDQogICAgPC9kNHY+DQoNCiAgPC9iMmR5Pg0KPC9odG1sPg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

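The eval(base64_decode call in it shows that the content was obfuscated with BASE64 encoding, and that some characters were substituted before it was encoded.

I found a Base64 encoder/decoder online (download: base64).

After the first decoding pass, the content becomes the following.

The string before eval(base64_decode: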

?>   </d4v>

<d4v 4d="s5c2nd1ryC2nt5nt">
<?php g5t_s4d5b1r(); ?>
</d4v>

<d4v 4d="f22t5r">
<?php wp_f22t5r(); ?>
<c5nt5r> CMD D5s4gn5d by <1 hr5f="http://www.d2lph4npr2m2t42ns.c2.3k/s52-s5rv4c5s.1sp">SEO S5rv4c5s</1> |<1 hr5f="http://www.g5tc1nv1s.c2.3k/">Ph2t2s 2n C1nv1s</1>
|<1 hr5f="http://www.c2mm-st2r5.c2.3k">D1t1 c1b4n5ts</1>| <1 hr5f="http://www.3nd5t5ct5d.c2.3k/m42-s1tn1v.1sp">M42 GPS</1> |  </d4v>

</d4v>

</d4v>

</b2dy>
</html>

The string inside eval(base64_decode:

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

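The string inside eval(base64_decode shows that the content went through one substitution before it was encoded: the characters 'aouie123456' were each replaced with the corresponding character of '123456aouie'. Reversing that substitution character by character recovers the original text: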

</div>

<div id="secondaryContent">
<?php get_sidebar(); ?>
</div>

<div id="footer">
<?php wp_footer(); ?>
<center> CMD Designed by <a href="http://www.dolphinpromotions.co.uk/seo-services.asp">SEO Services</a> |<a href="http://www.getcanvas.co.uk/">Photos on Canvas</a>
|<a href="http://www.comm-store.co.uk">Data cabinets</a>| <a href="http://www.undetected.co.uk/mio-satnav.asp">Mio GPS</a> |  </div>

</div>

</div>

</body>
</html>
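
The same recovery can be done statically, without ever running the file's eval. The Python below is an added example, not part of the original post: it decodes the loader stub, reads the strtr() table out of it, and applies that table to the decoded payload. make_sample and SAMPLE_TEMPLATE are constructed test input (hypothetical names), wrapped the same way as the footer.php above.

```python
import base64
import re

# Wrapper shape used by the footer.php on this page: $_X='<payload>';eval(base64_decode('<stub>'));
WRAPPER = re.compile(
    r"""\$_X\s*=\s*['"]([A-Za-z0-9+/=]+)['"]\s*;\s*"""
    r"""eval\(\s*base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)\s*\)"""
)
# The strtr($_X,'from','to') call inside the decoded stub.
STRTR = re.compile(r"""strtr\(\s*\$_X\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)""")


def deobfuscate(php_source: str) -> str:
    """Statically recover the hidden template; nothing from the file is executed."""
    # Blog engines often turn pasted quotes into typographic ones; undo that first.
    php_source = re.sub("[\u2018\u2019\u2032]", "'", php_source)
    wrapper = WRAPPER.search(php_source)
    if wrapper is None:
        raise ValueError("wrapper pattern not found")
    payload_b64, stub_b64 = wrapper.groups()
    stub = base64.b64decode(stub_b64).decode("latin-1")
    table = STRTR.search(stub)
    if table is None or len(table.group(1)) != len(table.group(2)):
        raise ValueError("strtr() table missing or of unequal length")
    # PHP strtr(str, from, to) with equal-length strings maps characters one to one.
    mapping = str.maketrans(table.group(1), table.group(2))
    return base64.b64decode(payload_b64).decode("latin-1").translate(mapping)


def make_sample(template: str) -> str:
    """Constructed input: wrap `template` the way the page's footer.php is wrapped."""
    stub = ("$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');"
            "$_R=ereg_replace('__FILE__',\"'\".$_F.\"'\",$_X);eval($_R);$_R=0;$_X=0;")
    scrambled = template.translate(str.maketrans("aouie123456", "123456aouie"))
    payload, loader = (base64.b64encode(s.encode("latin-1")).decode("ascii")
                       for s in (scrambled, stub))
    return f"<?php $_F=__FILE__;$_X='{payload}';eval(base64_decode('{loader}'));?>"


SAMPLE_TEMPLATE = '?>  <div id="footer">\r\n<?php wp_footer(); ?>\r\n</div> v1.26'

if __name__ == "__main__":
    print(deobfuscate(make_sample(SAMPLE_TEMPLATE)))
```

Because the table is read from the stub rather than hard-coded, a variant of the wrapper that uses a different substitution string is decoded the same way.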
