Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-52-generic x86_64) PHP 5.5.9-1ubuntu4.19 (cli)
Practical process
I have an encrypted project and a PHP extension shared library (jinhou.so) on hand. Every PHP file in the project looks like this:

<?php /* Copyright xxxx Technology Co., Ltd.: 2016-09-08 08:18:00 */ jhgo('uGpqefbDEBkqp4preQ2UaAp3RAUeJAZ5s4aERAQMkxbJTgEovHnQw6WxsA99sAhSacJCLGxZL4Q4u6zFyGveuDUoemktHGkMaB5D'); ?>

From what is already known:
1. The encryption method is similar to eval-based encryption: each file is just one call that decrypts the real code and runs it.
2. jhgo contains both the execution code and the decryption code.
3. jinhou.so contains the jhgo function.

First, open jinhou.so in vim and skim it roughly for any key information. As it turns out, the origin of the scheme is written there in plain text: https://github.com/eixom/zoeeyguard

After reading that code: in theory the extension exposes two methods, one for encrypting files and one for decrypting them. jinhou.so actually exposes only one; the cunning provider removed the other. Since we have the source code anyway, that does not matter much. I compiled the official source and tried to decode the file with it, and it still did not work. Studying the binary more carefully, I found a rather magical string in it:

82dsa7dsas32112389uy7aydh8h2h2i412

I wondered whether this was the encryption key. Re-reading the code confirmed it: the key lives in https://github.com/eixom/zoeeyguard/blob/master/src/guard.h, where the original value is

28dsa7dsas12312389uy7aydh8h1h2i312

After changing it, it still did not work. As expected, I was still Too Young Too Simple.

Were any other parameters changed as well? The other parameters are arrays, which is a headache. This is the relevant part of the stock guard.h:

/* private key */
#define PRIVATE_KEY "28dsa7dsas12312389uy7aydh8h1h2i312"
#define PRIVATE_KEY_LEN sizeof(PRIVATE_KEY)
/* order */
static const unsigned char OBFUSCATED_ORDER[] = {
13, 6, 5, 7, 1, 15, 14, 20
, 9, 16, 19, 4, 18, 10, 2, 8
, 12, 3, 11, 0, 17
};
#define ORDER_SIZE sizeof(OBFUSCATED_ORDER) / sizeof(* OBFUSCATED_ORDER)
/* alphabet for base64 */
static const unsigned char OBFUSCATED_ALPHABET[] = {
's', '4', 'N', 'E', 'k', 'X', 'c', 'u'
, 'J', '2', 'U', 'o', 'O', 'w', 'K', 'v'
, 'h', 'H', 'C', '/', 'D', 'q', 'l', 'R'
, 'B', 'r', '5', 'Z', 'S', 'Q', '6', 'W'
, '3', 'L', 'j', '8', '1', 'z', '0', 'G'
, 'n', 'e', 'y', 'b', 'I', 'd', 'i', 'P'
, 'A', '9', '7', '+', 'm', 'V', 'M', 'Y'
, 'F', 'g', 'f', 'p', 'a', 'T', 't', 'x'
};
#define ALPHABET_SIZE 64
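To make concrete what OBFUSCATED_ALPHABET does, and why a build with the stock table cannot decode files produced by a build with a modified table, here is an added example (not code from the page or from the zoeeyguard project). It models only the alphabet substitution: standard base64 whose 64 symbols are remapped through the shuffled table. How zoeeyguard combines this with PRIVATE_KEY and OBFUSCATED_ORDER is in the project's own source and is not reproduced here, so treat the functions and the sample plaintext (taken from the decrypted output later on the page) as assumptions for illustration.

```python
import base64
import string

# RFC 4648 alphabet, index 0..63.
STANDARD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Shuffled alphabet copied from the guard.h excerpt above, same order, index 0..63.
OBFUSCATED_ALPHABET = "s4NEkXcuJ2UoOwKvhHC/DqlRBr5ZSQ6W3Lj81z0GneybIdiPA97+mVMYFgfpaTtx"

# Sample plaintext, taken from the decrypted file shown on this page.
SAMPLE_PLAINTEXT = b"<?php require_cache(APP_PATH.'/Lib/Action/User/AddonAction.class.php'); ?>"


def check_alphabet(alphabet: str) -> bool:
    """A usable table has exactly 64 distinct symbols."""
    return len(alphabet) == 64 and len(set(alphabet)) == 64


def encode_with_alphabet(data: bytes, alphabet: str) -> str:
    """Standard base64, then symbol i of the standard table becomes symbol i of `alphabet`."""
    if not check_alphabet(alphabet):
        raise ValueError("alphabet must contain 64 distinct characters")
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def decode_with_alphabet(text: str, alphabet: str) -> bytes:
    """Map the custom symbols back to the standard table, then decode normally.

    '=' padding is in neither table, so it passes through unchanged.
    """
    if not check_alphabet(alphabet):
        raise ValueError("alphabet must contain 64 distinct characters")
    std = text.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    return base64.b64decode(std, validate=True)


def decodes_to(text: str, alphabet: str, expected: bytes) -> bool:
    """True when decoding with `alphabet` yields `expected`.

    A wrong table usually does not raise: every symbol still maps to a valid
    standard symbol, so the decode "succeeds" and simply yields different bytes.
    That is why a rebuilt extension with the wrong constants fails silently.
    """
    try:
        return decode_with_alphabet(text, alphabet) == expected
    except ValueError:  # binascii.Error is a ValueError
        return False


if __name__ == "__main__":
    blob = encode_with_alphabet(SAMPLE_PLAINTEXT, OBFUSCATED_ALPHABET)
    print(blob)
    print(decodes_to(blob, OBFUSCATED_ALPHABET, SAMPLE_PLAINTEXT))  # right table
    print(decodes_to(blob, STANDARD_ALPHABET, SAMPLE_PLAINTEXT))    # stock base64
```

Swapping even two entries of the table (as a provider "customising" the scheme might) gives a tool that encodes and decodes its own output perfectly while every decoder built from the published table returns garbage, which is exactly the symptom described above.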
At this point we bring out the killer tool: IDA Pro v6.8, a truly magical disassembler. (Screenshot not reproduced: the left side is the build from the official source, the right side is jinhou.so.)

Update the values in guard.h to match the data read from jinhou.so. After recompiling, the file was decrypted successfully:
<?php require_cache(APP_PATH.'/Lib/Action/User/AddonAction.class.php'); ?>

Summary afterwards
1. This crack did not take much time, mainly because the encryption scheme and its source code were handed to us in plain sight.
2. Most of the time went into testing the encryption parameters. Fortunately, the .so file was not packed.
3. Along the way I also learned about the weaknesses of PHP source encryption.