最近遇到2个php文件加密比较恶心,好像用了混淆+eval。
这个混淆不同于0 | o的区别。好像编码比较乱看起来想ascii编码过的函数名字。
不知道高手能不能给个思路?
废话不多,直接上代码
<?php global $?????;$?????=array('?????'=>__FILE__);if(!defined('FEEAABFAA')){define("FEEAABFAA",1395120187);function ?????($?????,$?????=""){global $?????;$?????=base64_decode($?????);if(empty($?????)) return "";if($?????==""){return ~$?????;}else{$?????=$?????['?????']($?????);$?????=$?????['?????']($?????,$?????,$?????);return $?????^$?????;}}}$?????['?????']=?????('jIuNk5qR','');$?????['?????']=?????('mpKPi4Y=','');$?????['?????']=?????('nZ6MmsnLoJua?JCbmg==','');$?????['?????']=?????('jIuN?I+emw==','');$?????['?????']=?????('AgYIDg==','gpibl4mKhJ8=');$?????['?????']=?????('GStOLDVHHCA?OEgu','iY+Kj5yP');$?????['?????']=?????('0MvIzsfMm?rPmsmex8+encnJyczM?8rGmcrKnsfHnsjO?Jo=','');eval($?????['?????'](' 写不下了,这里省略…………'));return;?>4861704e7c6c38ed5439414665b9adb0
<?php if(!defined('BCCEFFAFDBEC')){define("BCCEFFAFDBEC",1377408872);function ?????($?????,$?????=""){global $?????;$?????=base64_decode($?????);if(empty($?????)) return "";if($?????==""){return ~$?????;}else{$侗?????$?????['侗?????]($?????);$?????=$?????['船???豹']($?????,$侗?????$?????);return $?????^$?????;}}}global $?????;$?????=array('?酣????=>__FILE__);$?????['?????']=?????('nZ6Mm?nLoJuan?Cbmg==','');$?????['侗?????]=?????('jIuNk5qR','');$?????['?????']=?????('mpKPi4Y=','');$?????['船???豹']=?????('jIuNoI+emw?=','');$?????['辜脯千?羌']=?????('0J2cz5?amZn?nsaZx?nLzJv?y53H?5qcy8?JzMjOys?H0Jo=','');$?????['?『???']=?????('CDomNQ==','mLGYqYGhx6M=');$?????['噶????']=?????('GChXHzBKKh?YVEwj','hZ2xo8Odt5/FoQ==');$?????['?????']=?????('/K73993Zn?b0kA==','k4qfiY+Vw7M=');@$?????['噶????']($?????['辜脯千?羌'],$?????['?『???'].'('.$?????['?????'].'('.$?????['?????'].'(\'这里省略…………写不下了');return;?>616df3258c3d0520a46c2829342b76be
链接: http://pan.baidu.com/s/1tNVxs 密码: gtip
??文件在?行的?候都提示有?法??,??法?你
??文件在?行的?候都提示有?法??,??法?你
亲,单独运行的没错,但是不会报错。下载一下,百度网盘的;
如果你觉得看起来比较恶心,你自己换成字母好了,原理是一样的。
如果你觉得看起来比较恶心,你自己换成字母好了,原理是一样的。
我试过改动,可以随便改动一下就出问题。
你的 dadadi.php 被你改动过了吧?
你的 dadadi.php 被你改动过了吧?
链接: http://pan.baidu.com/s/1qWLLFDa 密码: 4372
//function 在上面//定义了一个fun($var1,$var2='');大体意思是先先把$var1 base64还原 然后reutren ~取补数。再判断var2是否有值,下面那个好像没读懂 最后是 rerun aaa^bbb;(互斥)//下面加密了一串变量//放在一个数组中//数组的话,我后面的压缩包里面有个detempb可以弄出来,好像显示正确preg_match('正则表达式(我没有还原出来,还是还原错了感觉不对)',eval(gzuncompress(base64_decode(加密字符串穿))), ‘这里好像是一串数字’)
链接: http://pan.baidu.com/s/1u3Tgy 密码: j15w
手工解密的方法就是看eval里的变量的值,可能出来的还是带eval的,要如此反复。反正是个体力活就对了。
哦?想当然了吧
第一遍出来就没有 eval 了
手工解密的方法就是看eval里的变量的值,可能出来的还是带eval的,要如此反复。反正是个体力活就对了。
哦?想当然了吧
第一遍出来就没有 eval 了
手工解密的方法就是看eval里的变量的值,可能出来的还是带eval的,要如此反复。反正是个体力活就对了。
没想当然,我只是说可能,又没说这个代码第一遍解出来的一定有。说可能,只是因为我解过一个,要反复三四次才最后搞定。
哦?想当然了吧
第一遍出来就没有 eval 了
手工解密的方法就是看eval里的变量的值,可能出来的还是带eval的,要如此反复。反正是个体力活就对了。
这个我弄了一下,执行好像是经过二次@gzuncompress(base64_decode( code....... ))
第二遍eval 好像存在之前的数组中
但是到第二遍@gzuncompress(base64_decode( code....... ))执行后出现data error不知道您是怎么做的?能给个思路么?
他的结构比较复杂
第一层
Array( [?????] => plugin.class.php.php [?????] => strlen [?????] => empty [?????] => base64_decode [?????] => str_pad [?????] => eval [?????] => preg_replace [?????] => /47183fe0e6a80ab66633459f55a88a71/e)
Array( [?????] => plugin.class.php.php [?????] => strlen [?????] => empty [?????] => base64_decode [?????] => str_pad [?????] => eval [?????] => preg_replace [?????] => /47183fe0e6a80ab66633459f55a88a71/e [?????] => time [?????] => basename [?????] => die [?????] => ????? [?????] => explode [?????] => in_array [?????] => gethostbyname)第三层又直接使用了 eval
他的结构比较复杂
第一层
Array( [?????] => plugin.class.php.php [?????] => strlen [?????] => empty [?????] => base64_decode [?????] => str_pad [?????] => eval [?????] => preg_replace [?????] => /47183fe0e6a80ab66633459f55a88a71/e)
Array( [?????] => plugin.class.php.php [?????] => strlen [?????] => empty [?????] => base64_decode [?????] => str_pad [?????] => eval [?????] => preg_replace [?????] => /47183fe0e6a80ab66633459f55a88a71/e [?????] => time [?????] => basename [?????] => die [?????] => ????? [?????] => explode [?????] => in_array [?????] => gethostbyname)第三层又直接使用了 eval
他的结构比较复杂
第一层
Array( [?????] => plugin.class.php.php [?????] => strlen [?????] => empty [?????] => base64_decode [?????] => str_pad [?????] => eval [?????] => preg_replace [?????] => /47183fe0e6a80ab66633459f55a88a71/e)
Array( [?????] => plugin.class.php.php [?????] => strlen [?????] => empty [?????] => base64_decode [?????] => str_pad [?????] => eval [?????] => preg_replace [?????] => /47183fe0e6a80ab66633459f55a88a71/e [?????] => time [?????] => basename [?????] => die [?????] => ????? [?????] => explode [?????] => in_array [?????] => gethostbyname)第三层又直接使用了 eval
preg_replace('\b777fb918ffda23fb0979c4ca77ab814\e',eval(gzuncompress(base64_decode($code))),'??b777fb918ffda23fb0979c4ca77ab814???');
代码是这样的
应该是思路有点问题,做不下去了
$filename = __DIR__ . '/plugin.class.php';$gl = '';$old_vars = '';$c = explode('eval', file_get_contents($filename));file_put_contents($filename.'_0.php', $c[0]);$old_vars = get_defined_vars();include $filename.'_0.php';$new_vars = array_diff_key(get_defined_vars(), $old_vars);//print_r($new_vars);$gl = key($new_vars);$ev = array_search('eval', $$gl);${$gl}[$ev] = '$code';$code = create_function('$s', <<< CODEglobal \$$gl;echo \$s,PHP_EOL;eval(explode('@', \$s)[0]);file_put_contents('t_2.php', '<?php '. explode('@', \$s)[1]);CODE);file_put_contents($filename.'_1.php', '<?php eval'.$c[1]);include $filename.'_1.php';//include 't_2.php';print_r($$gl);
调整了一下思路,应该是解开了
$filename = __DIR__ . '/plugin.class.php';function code($s) { $v = $GLOBALS['gl']; $$v =& $GLOBALS[$v]; echo $s . PHP_EOL; $s = str_replace('eval(', 'code(', $s); eval($s);}$gl = '';$old_vars = '';$c = explode('eval', file_get_contents($filename));file_put_contents($filename.'_0.php', $c[0]);$old_vars = get_defined_vars();include $filename.'_0.php';$new_vars = array_diff_key(get_defined_vars(), $old_vars);$gl = key($new_vars);$ev = array_search('eval', $$gl);${$gl}[$ev] = 'code';file_put_contents($filename.'_1.php', '<?php eval'.$c[1]);include $filename.'_1.php';print_r($$gl);输出的最后一行就是最后执行的代码