一个加密PHP脚本的解码步骤 -PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

一个加密PHP脚本的解码步骤

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 pm 01:03 PM

gtltoption

一个加密PHP脚本的解码方法
三个星期以前我发布了一篇文章，介绍了base64加密的PHP脚本的解码方法。前几天，飞信好友行者又扔来了一段更加复杂、诡异的PHP脚本：

下载每一步的源代码

//0.php
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6
f%5f%73%61%64%66%70%6e%72');$OO00O0000=26408;$OOO0000O0=$OOO000000{4}.$OOO000000
{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000
000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$
OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';eval(($$O0O0000O0('JE9PME9PMDA
wMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09PMDAwMDAwezV
9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PME8wTzAwLCdyYic
pOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzAwMDAwMHs1fS4kT09
PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwMHsxNH0uJE9PTzAwMDA
wMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB7MjB9OyRPTzBPTzAwME8
oJE8wMDBPME8wMCwxMTgyKTskT08wME8wME8wPSgkT09PMDAwME8wKCRPTzBPTzAwTzAoJE9PME9PMDA
wTygkTzAwME8wTzAwLDkwOCksJ0kvTU5LQUNkVlJHUXlEV1VncTY4d3BrYXpMTzVsdG5tVEIrMGJ2OXV
IcnhGN1hTWTFFM2ZaaGlqYzRlMm9Kc1A9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZ
naGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));re
turn;?>
tiBr5CwHGMBrljDvtMTb6AqwwAJ8qpRkqpRmpbA6wh7uwZp6pbp6aZ4/8wwua6brR+zHVkp3LktrGMlH
GMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcrUiBFyuDH5jplQ9DY56voGMBlQ+rlaMcrUiEYziA7
OCJftMbuQMqVpAqgahDAwvLAwvJkgpR8k3t8qpRkqpRm8bADq6ttG6brmd1HGCvflipZGMqmwZp6pbp6
k3tVpAqgaZBUwhgua6brR+zHVkp3LktrGMlHGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcrUiBF
yuDH5jplQ9DY56voGMBlQ+rlaMcrUiEYziA7OCJftMbuQMqmwZp6pbp6k3tVpAqgaZBUwhgua6brG6vb
OkwHRomF3Fu81JU31P7TLCBBOk4B5+405iZTOC73liBYt6405iij1o2GHe3EYFazEsYGStUNH2r75iDB
5CBYlj6BH2UyZUG4S7Q3EsY/x7shwpC0S0gED8V1DMlrW3qU8fI18fI18fIJljq3ajRvlCEBziwHRhJm
qbvyqpJmR31+R3VSRKJU8f/UyKo1yMc+R3V7GMqU8Zo1yNI18fIHRKJUyKJUyN/UyMTb8Zo18Zo1yN/U
GMqUyNI18f/UyNI7RKJUyN/UyNI1yMb7RZbY8w4QgwDbpvRdwavKphpul8zctj/Fzary8fp7tC4XpKVF
yCRiWapVluBCDhB8k8AAyiLOOCvxzfqvy9JGlhIJR31ugwRNqKpCqZBR6bXy8w4UwAA6whqppvtzkprB
z9DbLkLuOCvxOiEX59J1laRftdpitjB4n0IEy0yZD8zjWNbFQ3lrG6brWiL05CJfL6Tb8fI1yKo18fI1
G8Xvt9A7GMqU8fI18fI18fIrW1==Ngr3LaAhOaRvGMlSQ+J05CAfl3J05i4SLkDZQu/HlMlrW1ZGOk40
5dpbL6TuQ+cYziEBljyYLCRmljA7Qu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyY（后面还有大量数据，省略）
其中，在“?>”后面的数据足有27KB（共27316字节）。显然，这些数据并不是直接输出给客户端的，而要在服务端经过一定的处理。这27KB的数据看起来很像base64编码，但是直接用base64_decode解码得不到任何有意义的结果。

仔细观察，在前面的PHP代码部分有一个eval。那就按照上一篇文章的办法，把它改成echo试试！

//1.php
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6
f%5f%73%61%64%66%70%6e%72');$OO00O0000=26408;$OOO0000O0=$OOO000000{4}.$OOO000000
{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000
000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$
OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';echo(($$O0O0000O0('JE9PME9PMDA
wMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09PMDAwMDAwezV
9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PME8wTzAwLCdyYic
pOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzAwMDAwMHs1fS4kT09
PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwMHsxNH0uJE9PTzAwMDA
wMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB7MjB9OyRPTzBPTzAwME8
oJE8wMDBPME8wMCwxMTgyKTskT08wME8wME8wPSgkT09PMDAwME8wKCRPTzBPTzAwTzAoJE9PME9PMDA
wTygkTzAwME8wTzAwLDkwOCksJ0kvTU5LQUNkVlJHUXlEV1VncTY4d3BrYXpMTzVsdG5tVEIrMGJ2OXV
IcnhGN1hTWTFFM2ZaaGlqYzRlMm9Kc1A9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZ
naGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));re
turn;?>
/* 27316 bytes encoded data */
运行方式还是 wget http://localhost/1.php -O1.txt ，运行结果如下：

//1.txt
$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000
{19};if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');$OO0OO000O=$OOO000000{17}.$OOO
000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OO0OO00O0=$OOO000000{14}.
$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{20};$OO0OO000O($O000O0O00,
1182);$OO00O00O0=($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,908),'I/MNKACdVRGQ
yDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJKLMNOPQRSTUVWX
YZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);
用1.txt的结果替换1.php中那个echo，得到：

//1a.php
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6
f%5f%73%61%64%66%70%6e%72');$OO00O0000=26408;$OOO0000O0=$OOO000000{4}.$OOO000000
{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000
000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$
OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';$OO0OO0000=$OOO000000{17}.$OOO
000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000{19};if(!0)$O000O0O00=$OO0OO00
00($OOO0O0O00,'rb');$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO0
00000{9}.$OOO000000{16};$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$
OOO000000{0}.$OOO000000{20};$OO0OO000O($O000O0O00,1182);$OO00O00O0=($OOO0000O0($
OO0OO00O0($OO0OO000O($O000O0O00,908),'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHr
xF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01
23456789+/')));eval($OO00O00O0);return;?>
/* 27316 bytes encoded data */
又看到了eval，那就再换成echo吧！遗憾的是，这样做不能得到正确的结果。原因是：

文件末有27KB的数据，这些数据应该包含了经过编码的程序代码。
开头的解码脚本从__FILE__变量获取当前执行的文件名，然后定位到27KB数据内部的某个位置（可能是开头或中间），解码并执行那些数据中蕴藏的程序。
从0.php变换到1a.php的过程中，开头的解码脚本的长度被改变，造成不能定位到正确的位置。
在1a.php已经可以看到三个数字：26408、1182、908。但是，无法判断这些数字将使解码脚本定位到27KB数据的哪个位置。

老路行不通了！现在必须分析这段解码脚本的流程。先把代码整理一下：

$OOO0O0O00=__FILE__;
$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%
6e%72');
$OO00O0000=26408;
$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000
{5};
$O0O0000O0='OOO0000O0';
$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000
{19};
if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');
$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO000000{
16};
$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{
20};
$OO0OO000O($O000O0O00,1182);
$OO00O00O0=($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,908),'I/MNKACdVRGQyDWUgq
68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcd
efghijklmnopqrstuvwxyz0123456789+/')));
eval($OO00O00O0);
return;
?>
/* 27316 bytes encoded data */
然后，便是一行行弄清解码脚本中每个变量的值，这样就可以看懂其流程。例如$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');，可以在其后面加一句die($OOO000000);，就能看到这个变量的值是'th6sbehqla4co_sadfpnr'。

对解码脚本的分析结果是：

//1c.php
$OOO0O0O00=__FILE__;

//$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%7
0%6e%72');
$OOO000000='th6sbehqla4co_sadfpnr';

$OO00O0000=26408;

//$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
//$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
//$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO0000
00{5};
$OOO0000O0='base64_decode';

$O0O0000O0='OOO0000O0';

//$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO0000
00{19};
$OO0OO0000='fopen';

//if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');
$O000O0O00=fopen($OOO0O0O00,'rb');

//$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO00000
0{16};
$OO0OO000O='fread';

//$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO00000
0{20};
$OO0OO00O0='strtr';

//$OO0OO000O($O000O0O00,1182);
fread($O000O0O00,1182);

/*$OO00O00O0=($OOO0000O0(
$OO0OO00O0(
$OO0OO000O($O000O0O00,908),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);*/
$OO00O00O0=(base64_decode(
strtr(
fread($O000O0O00,908),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);

eval($OO00O00O0);
return;
?>
/* 27316 bytes encoded data */
其中涉及文件操作的，也就是这几句：

$OOO0O0O00=__FILE__;//获取当前文件名
$O000O0O00=fopen($OOO0O0O00,'rb');//打开文件
fread($O000O0O00,1182);//跳过1182字节
$OO00O00O0=(base64_decode(
strtr(
fread($O000O0O00,908),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);//读取908字节，根据代码表替换字符，base64解码
eval($OO00O00O0);//执行解码后的代码
在1a.php中把eval替换为echo之所以行不通，就是因为这里写着的跳过1182字节。跳过1182字节是针对原始文件而言的，修改过后文件大小改变，需要跳过的字节数就不一定是1182字节了。现在，只要从原始文件中跳过1182字节后复制908字节，替换掉fread($O000O0O00,908)，然后把eval换成echo就可以了。

不过，也许是因为我得到文件已经被别人修改过，跳过1182字节后复制的数据无法正确解码。我尝试复制了那27KB数据开头的908字节，才看到了正确的结果。

//2.php
$A='tiBr5CwHGMBrljDvtMTb6AqwwAJ8qpRkqpRmpbA6wh7uwZp6pbp6aZ4/8wwua6brR+zHVkp3Lktr
GMlHGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcrUiBFyuDH5jplQ9DY56voGMBlQ+rlaMcrUiEY
ziA7OCJftMbuQMqVpAqgahDAwvLAwvJkgpR8k3t8qpRkqpRm8bADq6ttG6brmd1HGCvflipZGMqmwZp6
pbp6k3tVpAqgaZBUwhgua6brR+zHVkp3LktrGMlHGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcr
UiBFyuDH5jplQ9DY56voGMBlQ+rlaMcrUiEYziA7OCJftMbuQMqmwZp6pbp6k3tVpAqgaZBUwhgua6br
G6vbOkwHRomF3Fu81JU31P7TLCBBOk4B5+405iZTOC73liBYt6405iij1o2GHe3EYFazEsYGStUNH2r7
5iDB5CBYlj6BH2UyZUG4S7Q3EsY/x7shwpC0S0gED8V1DMlrW3qU8fI18fI18fIJljq3ajRvlCEBziwH
RhJmqbvyqpJmR31+R3VSRKJU8f/UyKo1yMc+R3V7GMqU8Zo1yNI18fIHRKJUyKJUyN/UyMTb8Zo18Zo1
yN/UGMqUyNI18f/UyNI7RKJUyN/UyNI1yMb7RZbY8w4QgwDbpvRdwavKphpul8zctj/Fzary8fp7tC4X
pKVFyCRiWapVluBCDhB8k8AAyiLOOCvxzfqvy9JGlhIJR31ugwRNqKpCqZBR6bXy8w4UwAA6whqppvtz
kprBz9DbLkLuOCvxOiEX59J1laRftdpitjB4n0IEy0yZD8zjWNbFQ3lrG6brWiL05CJfL6Tb8fI1yKo1
8fI1G8Xvt9A7GMqU8fI18fI18fIrW1==';

$OO00O00O0=(base64_decode(
strtr(
$A,
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);

echo($OO00O00O0);
return;
?>
//2.txt
while(((isset($HTTP_SERVER_VARS['SERVER_NAME']))&&(!eregi('((.*\.)?dhainan\.com)
|((\.*\\.)?hk2shou\.com)|((\.*\\.)?localhost)',$HTTP_SERVER_VARS['SERVER_NAME'])
))||((isset($_SERVER['HTTP_HOST']))&&(!eregi('((.*\.)?dhainan\.com)|((\.*\\.)?hk
2shou\.com)|((\.*\\.)?localhost)',$_SERVER['HTTP_HOST']))))die('请使用域名 dhainan.co
m hk2shou.com访问，本地请使用：localhost。程序购买请联系QQ：415204');$OO00O00O0=str_replace('__FIL
E__',"'".$OOO0O0O00."'",($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,$OO00O0000)
,'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJ
KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'))));fclose($O000O0O00);e
val($OO00O00O0);
再次出现eval，还是没有解完。将2.txt内容替换掉2.php的echo部分，然后再整理代码、分析各变量：

//2a.php
$OOO0O0O00=__FILE__;

//$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%7
0%6e%72');
$OOO000000='th6sbehqla4co_sadfpnr';

$OO00O0000=26408;

//$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
//$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
//$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO0000
00{5};
$OOO0000O0='base64_decode';

$O0O0000O0='OOO0000O0';

//$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO0000
00{19};
$OO0OO0000='fopen';

//if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');
$O000O0O00=fopen($OOO0O0O00,'rb');

//$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO00000
0{16};
$OO0OO000O='fread';

$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{
20};
$OO0OO00O0='strtr';

//$OO0OO000O($O000O0O00,1182);
fread($O000O0O00,1182);

/*$OO00O00O0=($OOO0000O0(
$OO0OO00O0(
$OO0OO000O($O000O0O00,908),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);*/
$OO00O00O0=(base64_decode(
strtr(
fread($O000O0O00,908),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
);

/*
while (
(
(isset($HTTP_SERVER_VARS['SERVER_NAME']))
&&
(!eregi('((.*\.)?dhainan\.com)|((\.*\\.)?hk2shou\.com)|((\.*\\.)?localhost)'
,$HTTP_SERVER_VARS['SERVER_NAME']))
)
||
(
(isset($_SERVER['HTTP_HOST']))
&&
(!eregi('((.*\.)?dhainan\.com)|((\.*\\.)?hk2shou\.com)|((\.*\\.)?localhost)'
,$_SERVER['HTTP_HOST']))
)
) die('请使用域名 dhainan.com hk2shou.com访问，本地请使用：localhost。程序购买请联系QQ：415204');
*/

/*
$OO00O00O0=str_replace(
'__FILE__',
"'".$OOO0O0O00."'",
($OOO0000O0(
$OO0OO00O0(
$OO0OO000O($O000O0O00,$OO00O0000),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
)
);*/
$OO00O00O0=str_replace(
'__FILE__',
"'".$OOO0O0O00."'",
(base64_decode(
strtr(
fread($O000O0O00,26408),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
)
);
fclose($O000O0O00);
eval($OO00O00O0);
?>
那段判断域名的代码已经注释掉了。有用的就是最后一段：

# 先前已经打开文件，定位到27KB数据开头，读取908字节
$OO00O00O0=str_replace(
'__FILE__',
"'".$OOO0O0O00."'",
(base64_decode(
strtr(
fread($O000O0O00,26408),
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
)
);//读取26408字节，根据代码表替换字符，base64解码，把__FILE__替换为真正的当前文件名
fclose($O000O0O00);//关闭文件
eval($OO00O00O0);//执行代码
处理方法就很明显了，从原始文件的27KB数据开头起，跳过908字节，复制26408字节，替换掉fread($O000O0O00,26408)，eval换成echo。前面那次解码使用的代码也需要删除，但是$OOO0O0O00=__FILE__;这句要留着，因为str_replace里用到了这个变量。

//3.php
$OOO0O0O00=__FILE__;

$A='Ngr3LaAhOaRvGMlSQ+J05CAfl3J05i4SLkDZQu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyYLCRm
ljA7Qu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyYziJSL9vuQu/HlMlrW1ZGOk405dpbL6TuQ+cYziEB
ljyYziEBljySlCB1R3b2Ngrr59D7tkqvGMlSQ+J05CAfl3Jhlip3Qu/HlMlrW1ZGOk405dpbL6TuQ+cY
ziEBljyY8kpXz9p38CpiLk1SlCB1R3b2Ngrr59D7tkqvGMlSQ+J05CAfl3JEaiLh59DZOkJSl341OdIu
G87DM9vSziEhLCwHR3cSQiD7zaDfQjAr59LYLupSQu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyYziBv
ziXvLCv1Qu/HlMlrW1ZGRCEr597JLCRmziJS59p0tMTrW1ZGRCpXlCv3L8hSLalT5avflkEEtkp3n6Tr
W1ZGRARvtdp35bvgUkDHLkDFLkqrlMTrW1ZGOkzHRd/hz9ErzhJ3k3tBLCqSLatfaiJFRhZrNgr2Ngr1
l9vStCp3l9J3GMtW5jqUlCpSghAR59LYR31uR31EG87DMuZDM+q05CAflivbU6Br5ugrRAJdqpq5RiD7
zaDfOkgua87DM+qxn9Lv59EvOkLYl9ZJR3l2NgHblirmziEBljDrLNhBluRBn6TuW8zuQMl4D3l7Rfbc
R31uW8buQMlEyNIuQMlEyNKuQMlEyNVuQMlEyNyuQMlEyNguQMlEyNwuQMlEyNzuQMlEyNluQMlEyNTu
QMlEyNbuQMlEy8IuQMlEy8KuQMlEy8VuQMlEy8yuQMlEy8guQMlEy8wuQMlEy8zuQMl4R31uy8yZR31u
y8yhR31uy8yiR31uy8yjR31uy8ycR31uy8y4R31uy8gfR31uy8ghR31uy8giR31uy8gjR31uy8gcR31u
y8g4R31uy8w1R31uy8wfR31uy8wZR31uy8wiR31uy8wjR31uy8IuQMlED8TuQMl（后面还有大量数据，省略）';

$OO00O00O0=str_replace(
'__FILE__',
"'".$OOO0O0O00."'",
(base64_decode(
strtr(
$A,
'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
)
)
)
);
echo($OO00O00O0);
?>
又一次 wget http://localhost/3.php -O3.txt ，获得最终结果！

//3.txt

require('../class/connect.php');
include('../class/db_sql.php');
include('../class/config.php');
include('../class/class.php');
include('../class/user.php');
include('../class/MemberLevel.php');
include('../class/q_functions.php');
include('../class/qinfofun.php');
include('../class/checkedip.php');
$link=db_connect();
$empire=new mysqlquery();
$ReturnIP=checkedip();
if($public_r['addnews_ok'])
{
printerror('NotOpenCQInfo','',1);
}
$classid=(int)$_GET['classid'];
$jzfenleiform='';
$sj_classid=array('96','97','98','99','100','101','102','103','104','105','106',
'107','108','109','110','111','112','113','114','115','116','9','134','135','136
','137','138','139','143','145','146','147','148','149','150','153','154','156',
'157','10','158','159','160','161','162','163','164','165','166','167','168','16
9','170','171','11','172','173','174','175','176','179','180','181','182','183',
'184','185','186','189','190','191');
in_array($classid,$sj_classid)?$jzfenleiform='/sjpp.html':$jzfenleiform='/post.h
tml';
$cate='';
$job_array=array('65','66','67','68','69','70','71','72','73','74','75','80','81
','82','117','119','120','121','122','126','133');
$sale_array=array('22','23','24','25','26','27','28','29','30','31','32','33','3
6','37','38');
$car_array=array('83','84');
$marry_array=array('42','43','44');
if (in_array($classid,$job_array))
{
$cate='

type="radio" value="招聘" checked="checked">招聘e="cate" id="cate1" type="radio" value="求职">求职
tr>

* 学历：
strong>
   span class="redn">* 薪资： 元/月
;* 专业
如:艺术设计
';
}
elseif (in_array($classid,$sale_array))
{
$cate=' value="出售" checked="checked">出售求购d="cate2" type="radio" value="交换">交换 tr>
* 成色：
strong>
   class="redn">* 价格： 元
';
}
elseif (in_array($classid,$car_array))
{
$cate=' type="radio" value="出售" checked="checked">出售e="cate" id="cate1" type="radio" value="求购">求购
tr>
* 成色：
strong>
价格："jiage" type="text" size=4 id="jiage" value="" onKeyUp="value=value.replace(/\D+
/g,\'\')"> 元
';
}
elseif (in_array($classid,$marry_array))
{
$cate='
* 我的性别：
abel for="mysex">男女年龄：="myage"> 岁身高：="3"> CM 户籍：学历：

* trong>对方要求：
e="男">男 "女">女年龄：身高：户籍：lect name="huji" id="huji"> ="山西">山西 option value="吉林">吉林 alue="安徽">安徽
> alue="广西">广西
> alue="甘肃">甘肃
> 学历：
';
}
$house='';
$chu_array=array('12','13','14','17','18','19');
$mai_array=array('15','16');
if (in_array($classid,$chu_array))
{
$house=' 元/月';
}
elseif (in_array($classid,$mai_array))
{
$house=' 万元';
}
$mid=(int)$_GET['mid'];
if(empty($classid)||empty($mid))
{
printerror('EmptyQinfoCid','',1);
}
$enews=$_GET['enews'];
if(empty($enews))
{
$enews='MAddInfo';
}
$muserid=(int)getcvar('mluserid');
$guserid=(int)getcvar('mluserid');
$musername=getcvar('mlusername');
$mrnd=getcvar('mlrnd');
$showkey='';
$r['newstext']='';
if($muserid)
{
$memberinfor=$empire->fetch1('select u.*,ui.* from '.$user_tablename." u LEFT JO
IN {$dbtbpre}enewsmemberadd ui ON u.{$user_userid}=ui.userid where u.{$user_user
id}='$muserid' limit 1");
}
if($enews=='MAddInfo')
{
$cr=DoQCheckAddLevel($classid,$muserid,$musername,$mrnd,0,1);
$mr=$empire->fetch1("select qenter,qmname,tobrf from {$dbtbpre}enewsmod where mi
d='$cr[modid]'");
if(empty($mr['qenter']))
{
printerror('NotOpenCQInfo','history.go(-1)',1);
}
$ecmsfirstpost=1;
$word='您当前选择的分类是：';
$rechangeclass="  [更改分类
]";
if($cr['qaddshowkey'])
{
$showkey="
*
span> 验证码：
一个加密PHP脚本的解码步骤

"../ShowKey?ecms\"> ";
}
$imgwidth=0;
$imgheight=0;
if(strstr($mr['qenter'],'morepic{
$morepicnum=3;
$morepicpath="

g=1>

";
}
$filepass=time();
}
else
{
$word='修改信息';
$ecmsfirstpost=0;
$id=(int)$_GET['id'];
if(empty($id))
{
printerror('EmptyQinfoCid','',1);
}
$cr=DoQCheckAddLevel($classid,$muserid,$musername,$mrnd,1,0);
$mr=$empire->fetch1("select qenter,qmname,tobrf from {$dbtbpre}enewsmod where mi
d='$cr[modid]'");
if(empty($mr['qenter']))
{
printerror('NotOpenCQInfo','history.go(-1)',1);
}
$r=CheckQdoinfo($classid,$id,$muserid,$cr['tbname'],$cr['adminqinfo'],1);
$imgwidth=170;
$imgheight=120;
$morepicpath='';
if(strstr($mr['qenter'],'morepic{
$morepicnum=0;
if($r[morepic])
{
$r[morepic]=stripSlashes($r[morepic]);
$j=0;
$pd_record=explode("\r\n",$r[morepic]);
for($i=0;$i{
$j=$i+1;
$pd_field=explode('::::::',$pd_record[$i]);
$morepicpath.="

".$j."

dden name=mpicid[] value=".$j.'>删

';
}
$morepicnum=$j;
$morepicpath="".$morepi
cpath.'

';
}
}
$filepass=$id;
}
$tbname=$cr['tbname'];
esetcookie('qeditinfo','dgcms');
$classurl=sys_ReturnBqClassname($cr,9);
$postclass="".$class_
r[$classid]['classname'].''.$rechangeclass;
if($cr['bclassid'])
{
$bcr['classid']=$cr['bclassid'];
$bclassurl=sys_ReturnBqClassname($bcr,9);
$postclass="".$class_
r[$cr['bclassid']]['classname'].' -> '.$postclass;
}
$url="首页 > 控制面板 >
管理信息 > ".$word.'
('.$mr[qmname].')';
if(strstr($mr['qenter'],'playerid{
$player_sql=$empire->query("select id,player from {$dbtbpre}enewsplayer");
while($player_r=$empire->fetch($player_sql))
{
$select_player='';
if($r[playerid]==$player_r[id])
{
$select_player=' selected';
}
$player_class.="';
}
}
if(strstr($mr['qenter'],'newstext{
$htmlareacode="
userid&username=$musername&rnd=$mrnd&classid=$classid&filepass=$filepass\">
ipt>
page.js\">
en.js\">
";
$onload='<script>initEditor();</script>';
}
if(empty($musername))
{
$musername='游客发布登陆 e/member/register class=px12>注册';
}
if (empty ($guserid))
{
$guserid=" 信息密码：
span class=\"notes\">凭此密码您可以随时删除您发布的信息 ";
}
else
{
$guserid='';
}
$cnews='';
$new_classid=array('64');
in_array($classid,$new_classid)?$cnews='<script> function bs(){ var f=document.add if(f.title.value.length==0){alert("标题还没写");f.title.focus();return false;} if(f.classid.value==0){alert("请选择栏目");f.classid.focus();return false;} } function foreColor(){ if(!Error()) return; var arr = showModalDialog("../e/data/html/selcolor.html", "", "dialogWidth:18. 5em; dialogHeight:17.5em; status:0"); if (arr != null) document.add.titlecolor.value=arr; else document.add.titlecolor.focus(); } function FieldChangeColor(obj){ if(!Error()) return; var arr = showModalDialog("../e/data/html/selcolor.html", "", "dialogWidth:18. 5em; dialogHeight:17.5em; status:0"); if (arr != null) obj.value=arr; else obj.focus(); } </script>':$cnews='';
$modfile='../data/html/q'.$cr['modid'].'.php';
include('../data/template/cp_3.php');
;echo '';echo $cnews;echo '';echo $htmlareacode;echo '

<script> var oCalendarEn=new PopupCalendar("oCalendarEn"); //初始化控件时,请给出实例名称如:oCalendar En oCalendarEn.Init(); var oCalendarChs=new PopupCalendar("oCalendarChs"); //初始化控件时,请给出实例名称:oCalenda rChs oCalendarChs.weekDaySting=new Array("日","一","二","三","四","五","六"); oCalendarChs.monthSting=new Array("一月","二月","三月","四月","五月","六月","七月","八月","九月"," 十月","十一月","十二月"); oCalendarChs.oBtnTodayTitle="今天"; oCalendarChs.oBtnCancelTitle="取消"; oCalendarChs.Init(); </script>

';
db_close();
$empire=null;
include('../data/template/cp_4.php');
echo $onload;
看来是某分类信息发布程序的一个页面。PHP是一个自由、开源的世界，将代码弄成这样，影响执行效率、不便于修改，何必呢？

下载每一步的源代码

好吧，我已经写了两篇有关PHP解码的文章了，最近不会再有更多的相关文章了。如果你遇到了一段被编码的PHP脚本，最好的处理办法就是不使用这个程序。对一切有违自由、开源精神的PHP程序，请各位自觉抵制。

链接来源：http://yoursunny.com/t/2009/PHP-decode-2/

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

The Continued Use of PHP: Reasons for Its EnduranceApr 19, 2025 am 12:23 AM

What’s still popular is the ease of use, flexibility and a strong ecosystem. 1) Ease of use and simple syntax make it the first choice for beginners. 2) Closely integrated with web development, excellent interaction with HTTP requests and database. 3) The huge ecosystem provides a wealth of tools and libraries. 4) Active community and open source nature adapts them to new needs and technology trends.

PHP and Python: Exploring Their Similarities and DifferencesApr 19, 2025 am 12:21 AM

PHP and Python are both high-level programming languages that are widely used in web development, data processing and automation tasks. 1.PHP is often used to build dynamic websites and content management systems, while Python is often used to build web frameworks and data science. 2.PHP uses echo to output content, Python uses print. 3. Both support object-oriented programming, but the syntax and keywords are different. 4. PHP supports weak type conversion, while Python is more stringent. 5. PHP performance optimization includes using OPcache and asynchronous programming, while Python uses cProfile and asynchronous programming.

PHP and Python: Different Paradigms ExplainedApr 18, 2025 am 12:26 AM

PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.

PHP and Python: A Deep Dive into Their HistoryApr 18, 2025 am 12:25 AM

PHP originated in 1994 and was developed by RasmusLerdorf. It was originally used to track website visitors and gradually evolved into a server-side scripting language and was widely used in web development. Python was developed by Guidovan Rossum in the late 1980s and was first released in 1991. It emphasizes code readability and simplicity, and is suitable for scientific computing, data analysis and other fields.

Choosing Between PHP and Python: A GuideApr 18, 2025 am 12:24 AM

PHP is suitable for web development and rapid prototyping, and Python is suitable for data science and machine learning. 1.PHP is used for dynamic web development, with simple syntax and suitable for rapid development. 2. Python has concise syntax, is suitable for multiple fields, and has a strong library ecosystem.

PHP and Frameworks: Modernizing the LanguageApr 18, 2025 am 12:14 AM

PHP remains important in the modernization process because it supports a large number of websites and applications and adapts to development needs through frameworks. 1.PHP7 improves performance and introduces new features. 2. Modern frameworks such as Laravel, Symfony and CodeIgniter simplify development and improve code quality. 3. Performance optimization and best practices further improve application efficiency.

PHP's Impact: Web Development and BeyondApr 18, 2025 am 12:10 AM

PHPhassignificantlyimpactedwebdevelopmentandextendsbeyondit.1)ItpowersmajorplatformslikeWordPressandexcelsindatabaseinteractions.2)PHP'sadaptabilityallowsittoscaleforlargeapplicationsusingframeworkslikeLaravel.3)Beyondweb,PHPisusedincommand-linescrip

How does PHP type hinting work, including scalar types, return types, union types, and nullable types?Apr 17, 2025 am 12:25 AM

PHP type prompts to improve code quality and readability. 1) Scalar type tips: Since PHP7.0, basic data types are allowed to be specified in function parameters, such as int, float, etc. 2) Return type prompt: Ensure the consistency of the function return value type. 3) Union type prompt: Since PHP8.0, multiple types are allowed to be specified in function parameters or return values. 4) Nullable type prompt: Allows to include null values and handle functions that may return null values.

See all articles