我使用的是下载的PHP模板,当我很好地操作它时,我意识到它的一部分已经加密了似乎是base64。
我尝试了一些在线转换,运气不佳。
我有一些代码,然后是<? ?>标记之外的大量随机字符:
<?$OOO0O0O00=__FILE__;$O00O00O00=__LINE__;$OO00O0000=3804;eval((base64_decode('JE8wMDBPME8wMD1mb3BlbigkT09PME8wTzAwLCdyYicpO3doaWxlKC0tJE8wME8wME8wMClmZ2V0cygkTzAwME8wTzAwLDEwMjQpO2ZnZXRzKCRPMDAwTzBPMDAsNDA5Nik7JE9PMDBPMDBPMD0oYmFzZTY0X2RlY29kZShzdHJ0cihmcmVhZCgkTzAwME8wTzAwLDM3MiksJzNzYWZaakc1NEhGcU1kTEFPZzl3Ykl6UFIvcGxLOCs3ZVVjeFFCV21ZMXVTNk5Ycmh2RENudDBFMlRvSmtWaXk9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
我能够将其解码为:
$O000O0O00=fopen($OOO0O0O00,'rb');while(--$O00O00O00)fgets($O000O0O00,1024);fgets($O000O0O00,4096);$OO00O00O0=(base64_decode(strtr(fread($O000O0O00,372),'3safZjG54HFqMdLAOg9wbIzPR/plK8+7eUcxQBWmY1uS6NXrhvDCnt0E2ToJkViy=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);
但是,下面我有这段代码:
我不知道如何转换它。有任何想法吗?我认为代码段太长了 - 我试着使用Notepad ++来转换它,它基本上说它太长了。
感谢。
答案 0 :(得分:3)
这是我到目前为止的解压缩版本:
<?php
/* In the original file, this is __FILE__
and __LINE__. I've hardcoded them in this
script so that we can refer to the original
file when actually running what follows. */
$this_file = 'original_file.php';
$this_line = 1; // originally __LINE__
/* Prepare the original script to be read */
$this_file_handle = fopen($this_file, 'rb');
/* Move the file cursor past the block of PHP */
while(--$this_line) {
fgets($this_file_handle,1024);
}
/* Move the file cursor just a wee bit more,
presumably to where the other data starts. */
fgets($this_file_handle,4096);
/* Read in the remaining data, run it through
a character replacing function
(3 --> A, s --> B, etc.), and base64-decode
the result. */
$probably_malicious_code = (
base64_decode(
strtr(
fread($this_file_handle,372),
'3safZjG54HFqMdLAOg9wbIzPR/plK8+7eUcxQBWmY1uS6NXrhvDCnt0E2ToJkViy=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);
/* Run the probably-evil code. */
eval($probably_malicious_code);
如果我们在最后一行使用echo而不是eval,我们就会得到第三级混淆。
I N C E P T I O N
这是一个与第3级相同的脚本:
<?php
/* Pulled in from level 1: */
$this_file = 'original_magic.php'; // originally __FILE__, refers to original file
$this_line = 1; // originally __LINE__
$level_three_read_amount = 3804;
/* Pulled in from level 2: */
$this_file_handle = fopen($this_file, 'rb');
while(--$this_line) {
fgets($this_file_handle,1024);
}
fgets($this_file_handle,4096);
/* Level 3 decoding: */
$level_three_code = ereg_replace(
'__FILE__',
"'".$this_file."'", //
base64_decode(
strtr(
fread($this_file_handle, $level_three_read_amount),
'3safZjG54HFqMdLAOg9wbIzPR/plK8+7eUcxQBWmY1uS6NXrhvDCnt0E2ToJkViy=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);
fclose($this_file_handle);
eval($level_three_code);
这次回应而不是评估最后一行产生了接近我们最后效果的东西:
global $traction; ;echo ' </div><!--end main-->
<div id="main-bottom"></div>
</div><!--end wrapper-->
<div id="footer">
<div class="wrapper clear">
<div id="footer-about" class="footer-column">
'; if ($traction->footerAboutState() == 'true') : ;echo ' <ul>
'; if ( !function_exists('dynamic_sidebar')|| !dynamic_sidebar('footer_sidebar_3') ) : ;echo ' <li class="widget widget_categories">
<h2 class="widgettitle">'; _e('Categories'); ;echo '</h2>
<ul>
'; wp_list_cats('sort_column=name&hierarchical=0'); ;echo ' </ul>
</li>
'; endif; ;echo ' </ul>
'; else : ;echo ' <h2>'; _e( 'About', 'traction' ); ;echo '</h2>
'; if ($traction->footerAbout() != '' ) : ;echo ' '; echo $traction->footerAbout(); ;echo ' '; else : ;echo ' <p>'; _e("Did you know you can write your own about section just like this one? It's really easy. Head into the the <em>Traction Options</em> menu and check out the footer section. Type some stuff in the box, click save, and your new about section shows up in the footer.", "traction"); ;echo '</p>
'; endif; ;echo ' '; endif; ;echo ' </div>
<div id="footer-middle" class="footer-column">
'; if ( is_active_sidebar( 'footer_sidebar' ) ) echo "<ul>" ;echo ' '; if ( !function_exists( 'dynamic_sidebar' ) || !dynamic_sidebar( 'footer_sidebar' ) ) : ;echo ' <ul>
<li class="widget">
<h2 class="widgettitle">'; _e( 'Pages' ); ;echo '</h2>
<ul>
'; wp_list_pages( 'depth=0&title_li=' ); ;echo ' </ul>
</li>
</ul>
'; endif; ;echo ' '; if ( is_active_sidebar( 'footer_sidebar' ) ) echo "</ul>" ;echo ' </div>
<div id="footer-search" class="footer-column">
'; if ( is_active_sidebar( 'footer_sidebar_2' ) ) echo "<ul>" ;echo ' '; if ( !function_exists( 'dynamic_sidebar' ) || !dynamic_sidebar( 'footer_sidebar_2' ) ) : ;echo ' <h2>'; _e( 'Search', 'traction' ); ;echo '</h2>
'; if (is_file(STYLESHEETPATH . '/searchform.php' )) include (STYLESHEETPATH . '/searchform.php' ); else include(TEMPLATEPATH . '/searchform.php' ); ;echo ' '; endif; ;echo ' '; if ( is_active_sidebar( 'footer_sidebar_2' ) ) echo "</ul>" ;echo ' </div>
</div><!--end wrapper-->
</div><!--end footer-->
<div id="copyright" class="wrapper">
<p class="credit">Powered by <a href="http://www.free-premium-wordpress-themes.com" rel="dofollow">Free Premium Wordpress Themes</a> and <a href="http://thethemefoundry.com">The Theme Foundry</a></p>
<p>Copyright © '; echo date
由于某些原因,它有点被切断,但看起来这个想法只是包含版权,同时让你找到它变得非常困难。这是粗略的业务;删除此代码。