韦家东 posted on 2020-1-17 22:15:00

PHP code decryption

<p><span style="font-size: 14pt"><strong>A lot of source code downloaded from the internet turns out to have a block of code of unknown origin inserted into it.</strong></span></p>
<p>&nbsp;</p>
<p><span style="font-size: 14pt"><strong>This kind of encoded code has the following signature:</strong></span></p>
<div class="cnblogs_code">
<pre><span style="color: rgba(128, 0, 128, 1)">$OOO0O0O00</span>=<span style="color: rgba(255, 0, 255, 1)">__FILE__</span>;<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>=<span style="color: rgba(0, 128, 128, 1)">urldecode</span>('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');
<span style="color: rgba(0, 0, 255, 1)">eval</span>(($<span style="color: rgba(128, 0, 128, 1)">$O0O0000O0</span>( </pre>
</div>
<p>&nbsp;</p>
<p><span style="color: rgba(51, 102, 255, 1); font-size: 18px"><strong>&nbsp;For example:</strong></span></p>
<div class="cnblogs_code">
<pre>&lt;?php <span style="color: rgba(0, 128, 0, 1)">/*</span><span style="color: rgba(0, 128, 0, 1)">*/</span><span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>=<span style="color: rgba(0, 128, 128, 1)">urldecode</span>('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{4}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{9}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{2}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{10}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{13}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{16};<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0'].=<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{11}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{12}.<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']{7}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5};<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO000O00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{12}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{7}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{15};<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O000O00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{1}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{14};<span 
style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O000O00']=<span style="color: rgba(128, 0, 128, 1)">$O0O000O00</span>.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{3};<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{8}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{9}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{16};<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO00000O']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{14}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{8}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{14}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{8};<span style="color: rgba(128, 0, 128, 1)">$OOO0O0O00</span>=<span style="color: rgba(255, 0, 255, 1)">__FILE__</span>;<span style="color: rgba(128, 0, 128, 1)">$OO00O0000</span>=0x9980;<span style="color: rgba(0, 0, 255, 1)">echo</span>(<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']('JE8wMDBPME8wMD0kR0xPQkFMU1snT09PMDAwTzAwJ10oJE9PTzBPME8wMCwncmInKTskR0xPQkFMU1snTzBPMDBPTzAwJ10oJE8wMDBPME8wMCwweDUwMik7JE9PMDBPMDBPMD0kR0xPQkFMU1snT09PMDAwME8wJ10oJEdMT0JBTFNbJ09PTzAwMDAwTyddKCRHTE9CQUxTWydPME8wME9PMDAnXSgkTzAwME8wTzAwLDB4MWE4KSwnRW50ZXJ5b3V3a2hSSFlLTldPVVRBYUJiQ2NEZEZmR2dJaUpqTGxNbVBwUXFTc1Z2WHhaejAxMjM0NTY3ODkrLz0nLCdBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsvJykpO2V2YWwoJE9PMDBPMDBPMCk7'));<span style="color: rgba(0, 0, 255, 1)">return</span>;?&gt;
~Dkr9NHenNHenNHe1zfukgFMaXdoyjcUImb19oUAxyb18mRtwmwJ4LT09NHr8XTzEXRJwmwJXLO0xN···········(much more data like this follows)</pre>
</div>
<p><span style="color: rgba(51, 102, 255, 1)"><strong><span style="font-size: 18px">Note that a lot of data follows the ?&gt; above. Clearly this data is not meant to be sent to the client's browser; it must be parsed inside PHP.</span></strong></span></p>
<div class="cnblogs_code">
<pre>&lt;?php <span style="color: rgba(0, 128, 0, 1)">/*</span><span style="color: rgba(0, 128, 0, 1)">*/</span>
<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>=<span style="color: rgba(0, 128, 128, 1)">urldecode</span>('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{4}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{9}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{2}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{10}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{13}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{16<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0'].=<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{11}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{12}.<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']{7}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO000O00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{12}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{7}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{15<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O000O00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{1}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{14<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O000O00']=<span style="color: rgba(128, 0, 128, 1)">$O0O000O00</span>.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{3<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{8}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{9}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{16<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO00000O']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{14}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{8}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{14}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{8<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$OOO0O0O00</span>=<span style="color: rgba(255, 0, 255, 1)">__FILE__</span><span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(128, 0, 128, 1)">$OO00O0000</span>=0x9980<span style="color: rgba(0, 0, 0, 1)">;
</span><span style="color: rgba(128, 0, 128, 1)">$O000O0O00</span>=<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO000O00'](<span style="color: rgba(128, 0, 128, 1)">$OOO0O0O00</span>,'rb'<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00'](<span style="color: rgba(128, 0, 128, 1)">$O000O0O00</span>,0x502<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(128, 0, 128, 1)">$OO00O00O0</span>=<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0'](<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO00000O'](<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00'](<span style="color: rgba(128, 0, 128, 1)">$O000O0O00</span>,0x1a8),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'<span style="color: rgba(0, 0, 0, 1)">));
</span><span style="color: rgba(0, 0, 255, 1)">eval</span>(<span style="color: rgba(128, 0, 128, 1)">$OO00O00O0</span><span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">return</span><span style="color: rgba(0, 0, 0, 1)">;
</span>?&gt;~Dkr9NHenNHenNHe1zfukgFMaXdoyjcUImb19oUAxyb18mRtwmwJ4LT09NHr8XTzEXRJwmwJXLO0xNWLyHA1SmT09NHeEXHr8Xk10PkrfHT0knTyYdk09NTzEXHeEXTZffhtOuTr9tWAxTBZfNHr8XHr9NHeEmbUILTzEXHr8XTzEXRtONTzEXTzEXHeEpRtfydmOlFmlvfbfqDykwBAsKa09aaryiWMkeC0OLOMcuc0lpUMpHdr1sAunOFaYzamcCGyp6HerZH</pre>
</div>
<p><span style="color: rgba(51, 102, 255, 1)"><strong><span style="font-size: 18px">First, we tidy the code into a roughly readable form, as shown above.</span></strong></span></p>
<p><span style="color: rgba(51, 102, 255, 1)"><strong><span style="font-size: 18px">Before anything else, print out every odd-looking variable!</span></strong></span></p>
<p><span style="color: rgba(51, 102, 255, 1)"><strong><span style="font-size: 18px">In principle all of them should be printed, but based on my earlier results only the following variables are useful; the rest are decoys.</span></strong></span></p>
<div class="cnblogs_code">
<pre><span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>=<span style="color: rgba(0, 128, 128, 1)">urldecode</span>('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64'<span style="color: rgba(0, 0, 0, 1)">);
</span><span style="color: rgba(0, 0, 255, 1)">die</span>(<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>); <span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)"> output: $OOO000000 is fg6sbehpra4co_tnd</span></pre>
</div>
<div class="cnblogs_code">
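<pre><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{4}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{9}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{2}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{10}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{13}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{16<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0'].=<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']{3}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{11}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{12}.<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']{7}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(0, 0, 255, 1)">die</span>(<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0']); <span style="color: rgba(0, 128, 0, 1)">// output: $GLOBALS['OOO0000O0'] is base64_decode (the second line appends the "ecode" part)</span></pre>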
</div>
<div class="cnblogs_code">
<pre><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO000O00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{12}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{7}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{15<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(0, 0, 255, 1)">die</span>(<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO000O00']); <span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)"> output: $GLOBALS['OOO000O00'] is fopen</span></pre>
</div>
<div class="cnblogs_code">
<pre><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00']=<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{0}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{8}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{5}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{9}.<span style="color: rgba(128, 0, 128, 1)">$OOO000000</span>{16<span style="color: rgba(0, 0, 0, 1)">};
</span><span style="color: rgba(0, 0, 255, 1)">die</span>(<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00']); <span style="color: rgba(0, 128, 0, 1)">//</span><span style="color: rgba(0, 128, 0, 1)"> output: $GLOBALS['O0O00OO00'] is fread</span></pre>
</div>
<p>&nbsp;</p>
<p><span style="color: rgba(0, 0, 255, 1)"><strong><span style="font-size: 18px"><span style="color: rgba(51, 102, 255, 1)">Next, let's look at the code below</span> <span style="color: rgba(255, 0, 0, 1)">(important, important, important)</span>.</span></strong></span></p>
<div class="cnblogs_code">
<pre><span style="color: rgba(128, 0, 128, 1)">$O000O0O00</span>=<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO000O00'](<span style="color: rgba(128, 0, 128, 1)">$OOO0O0O00</span>,'rb');<br>// Analysing the line above with the values we printed earlier, it is actually:<br><span style="color: rgba(128, 0, 128, 1)">$O000O0O00</span>=<span style="color: rgba(0, 128, 128, 1)">fopen</span>(<span style="color: rgba(0, 128, 128, 1)">__FILE__</span>,'rb');</pre>
</div>
<div class="cnblogs_code">
<pre><span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00'](<span style="color: rgba(128, 0, 128, 1)">$O000O0O00</span>,0x502<span>);<br>// Analysing the line above with the values we printed earlier, it is actually:<br>fread(</span>$O000O0O00,0x502); // This reads the file up to 0x502 without keeping the content; the handle now points at 0x502, and everything before 0x502 is discarded.</pre>
</div>
<div class="cnblogs_code">
<pre><span style="color: rgba(128, 0, 128, 1)">$OO00O00O0</span>=<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO0000O0'](<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['OOO00000O'](<span style="color: rgba(128, 0, 128, 1)">$GLOBALS</span>['O0O00OO00'](<span style="color: rgba(128, 0, 128, 1)">$O000O0O00</span>,0x1a8),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));<br><span>// Analysing the line above with the values we printed earlier, it is actually:<br></span><span style="color: rgba(128, 0, 128, 1)">$OO00O00O0 = </span>base64_decode(strtr(fread($O000O0O00,0x1a8),'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));<br>// The code above reads a further 0x1a8 bytes of content starting after 0x502 and assigns the decoded result to $OO00O00O0.<br>// At this point the decryption steps are clear.<br>// First locate offset 0x502 in the file and delete the text before it, then take the next 0x1a8 bytes and copy that text.<br>// Construct:<br>$data = "the copied text";<br><span style="color: rgba(128, 0, 128, 1)">$decode = </span>base64_decode(strtr($data,'EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));<br>echo $decode; // This yields the source code.</pre>
</div><br><br>
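<p>The manual steps above (skip 0x502 bytes, take the next 0x1a8 bytes, apply strtr, then base64_decode) can be done statically, without running the suspicious PHP at all. The following is an added example, not code from the original post: it is written in Python, the function names are hypothetical, the test file is constructed, and only the two alphabets and the two offsets come from the sample on this page.</p>

```python
import base64

# Alphabets copied from the strtr() call in the sample on this page.
FROM = "EnteryouwkhRHYKNWOUTAaBbCcDdFfGgIiJjLlMmPpQqSsVvXxZz0123456789+/="
TO = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def php_strtr(text, frm, to):
    """Emulate PHP strtr($s, $from, $to): extra chars in the longer set are ignored."""
    n = min(len(frm), len(to))
    return text.translate(str.maketrans(frm[:n], to[:n]))


def lenient_b64decode(text):
    """Like PHP's non-strict base64_decode: drop foreign characters, repair padding."""
    kept = "".join(c for c in text if c in TO)
    if len(kept) % 4 == 1:  # a lone trailing character carries no data
        kept = kept[:-1]
    return base64.b64decode(kept + "=" * (-len(kept) % 4))


def decode_stage(raw, skip=0x502, length=0x1A8):
    """Return the hidden stage as bytes; nothing is ever eval'd or executed."""
    chunk = raw[skip:skip + length].decode("latin-1")
    return lenient_b64decode(php_strtr(chunk, FROM, TO))


def make_constructed_sample(plain, skip=0x502):
    """Build a harmless test file laid out like the sample: stub, then encoded data."""
    encoded = base64.b64encode(plain).decode().translate(str.maketrans(TO, FROM[:64]))
    stub = b"<?php /* constructed stub */ return; ?>"
    return stub.ljust(skip, b" ") + encoded.encode()


if __name__ == "__main__":
    # Constructed input; for a real file, pass open(path, "rb").read() instead.
    sample = make_constructed_sample(b'echo "constructed second stage";')
    print(decode_stage(sample).decode())
```

<p>The decoded output is itself PHP and may be another obfuscated layer with its own offsets; inspect it as text rather than executing it.</p>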
Source: https://www.cnblogs.com/cainiaoyimei/p/12207694.html