求解密<?php $_F=__FILE__;$_X=' 源码已贴出

首先解密eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));

结果为：

eval('$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;')

运行上述代码

$_X=base64_decode($_X);//执行后$_X的值为

?><d4v?cl1ss="cl51r"></d4v>

<d4v?4d="f22t5r">

<d4v?4d="f22t5rm14n">

<1?4d="f22t5rl2g2"?hr5f="<?php?bl2g4nf2('3rl');?>"?t4tl5="<?php?bl2g4nf2('n1m5');?>"></1>

<?php?5ch2?str4psl1sh5s(g5t_2pt42n('cr55k22_f22t5rl4nkc2d5'));?></br><?php?5ch2?c2m4cpr5ss_c2pyr4ght();?>?<1?hr5f="<?php?5ch2?h2m5_3rl(?'/'?)?>"?t4tl5="<?php?5ch2?5sc_1ttr(?g5t_bl2g4nf2(?'n1m5',?'d4spl1y'?)?);?>"?r5l="h2m5"?t1rg5t="_bl1nk"><?php?5ch2?5sc_1ttr(?g5t_bl2g4nf2(?'n1m5',?'d4spl1y'?)?);?></1>?-?P2w5r5d?by?<1?hr5f="icpress_copyright();?>?<a?href="<?php?echo?home_url(?'/'?)?>"?title="<?php?echo?esc_attr(?get_bloginfo(?'name',?'display'?)?);?>"?rel="home"?target="_blank"><?php?echo?esc_attr(?get_bloginfo(?'name',?'display'?)?);?></a>?-?Powered?by?<a?href="/"?target="_blank">CreeKoo</a><?php?if?(get_option('creekoo_beian')?==?'Display')?{?>?-?<?php?echo?stripslashes(get_option('creekoo_beianhao'));?><?php?}?else?{?}?><?php?if?(get_option('creekoo_tj')?==?'Display')?{?>?-?<?php?echo?stripslashes(get_option('creekoo_tjcode'));?><?php?}?else?{?}?>

</div>

</div>

<?php?wp_footer();?>

<script?type="text/javascript"?src="<?php?bloginfo('template_directory');?>/comments-ajax.js"></script>

<script?type="text/javascript"?src="<?php?bloginfo('template_directory');?>/creekoo.min.js?v1.3"></script>

</body>

$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);//将$_X中的字符串__FILE__替换为当前文件的路径，并用单引号引起来，原字符串并无可替换内容，故不变

eval($_R);//将上述替换后的内容执行

$_R=0;

$_X=0;

加密的代码等价于如下代码

<div?class="clear"></div>

<div?id="footer">

<div?id="footermain">

<a?id="footerlogo"?href="<?php?bloginfo('url');?>"?title="<?php?bloginfo('name');?>"></a>

<?php?echo?stripslashes(get_option('creekoo_footerlinkcode'));?></br><?php?echo?comicpress_copyright();?>?<a?href="<?php?echo?home_url(?'/'?)?>"?title="<?php?echo?esc_attr(?get_bloginfo(?'name',?'display'?)?);?>"?rel="home"?target="_blank"><?php?echo?esc_attr(?get_bloginfo(?'name',?'display'?)?);?></a>?-?Powered?by?<a?href="/"?target="_blank">CreeKoo</a><?php?if?(get_option('creekoo_beian')?==?'Display')?{?>?-?<?php?echo?stripslashes(get_option('creekoo_beianhao'));?><?php?}?else?{?}?><?php?if?(get_option('creekoo_tj')?==?'Display')?{?>?-?<?php?echo?stripslashes(get_option('creekoo_tjcode'));?><?php?}?else?{?}?>

</div>

</div>

<?php?wp_footer();?>

<script?type="text/javascript"?src="<?php?bloginfo('template_directory');?>/comments-ajax.js"></script>

<script?type="text/javascript"?src="<?php?bloginfo('template_directory');?>/creekoo.min.js?v1.3"></script>

</body>