Recently I encountered 2 PHP files whose encryption is rather nasty; it seems to use obfuscation + eval.
This obfuscation is different from the 0 | o kind. The code looks garbled, and the function names look like they are ASCII-encoded.
Could any expert offer some ideas?
Without further ado, here is the code:
__FILE__);
if (!defined('Feeaabfaa')) {
    define("Feeaabfaa", 1395120187);
    function ?????($?????, $????? = "") {
        global $?????;
        $????? = base64_decode($?????);
        if (empty($?????)) return "";
        if ($????? == "") {
            return ~$?????;
        } else {
            $????? = $?????['?????']($?????);
            $????? = $?????['?????']($?????, $?????, $?????);
            return $????? ^ $?????;
        }
    }
}
$?????['?????'] = ?????('JIUNK5QR', '');
$?????['?????'] = ?????('mpkpi4y=', '');
$?????['?????'] = ?????('Nz6mmsnlojua? jcbmg==', '');
$?????['?????'] = ?????('Jiun? i+emw==', '');
$?????['?????'] = ?????('agyidg==', 'gpibl4mkhj8=');
$?????['?????'] = ?????('Gstoldvhhca? Oegu', 'Iy+kj5yp');
$?????['?????'] = ?????('0mvizsfmm?rpmsmex8+encnjyczm?8rgmcrknsfhnsjo? Jo=', '');
eval($?????['?????']('No more writing, omitted here ...'));
return;
?>4861704e7c6c38ed5439414665b9adb0
There is also another one.
I have packed the two files together.
Link: http://pan.baidu.com/s/1tNVxs Password: gtip
I hope you can enlighten me.
Reply to discussion (solution)
Link: http://pan.baidu.com/s/1tNVxs Password: gtip
Re-posting the address.
?? The documents are indicated in the line of the??,?? Law? You
Friend, running it on its own works correctly and gives no errors. Download it from the Baidu network disk.
If you think it looks disgusting, change the letters yourself; the principle is the same.
I've tried to change it and I can change it.
You've changed your dadadi.php, haven't you?
Link: http://pan.baidu.com/s/1qWLLFDa Password: 4372
This should be no problem.
In addition, I tried to crack plugin.class.php and came up with the following 2 PHP files.
But I found that it seems to be cyclical, and the core algorithm should be:
// The function at the top defines fun($var1, $var2 = ""). The general idea is to first base64-decode $var1 and then return ~ (the bitwise complement).
// It then checks whether $var2 has a value; I did not fully understand the next part. At the end it returns aaa ^ bbb; // (XOR)
// Below that, a series of variables are encrypted
// and stored in an array
// The array: it can be produced with the detempb in the archive I posted later, and it seems to display correctly
preg_match('regular expression (I did not restore it, or I feel I restored it wrong)', eval(gzuncompress(base64_decode(encrypted string))), 'this looks like a bunch of numbers')
Besides, I've been working on it myself for half a day. The two generated files are the decrypted files of plugin.class.php; they run without errors, so the decryption should not be wrong. I don't know how to get it back.
Something seems wrong when I try to output the encrypted string again. I never get the right results. Please advise.
Link: http://pan.baidu.com/s/1u3Tgy Password: j15w
The method of manual decryption is to look at the value of the variable inside eval; what comes out may itself contain eval, so repeat. It's manual work anyway.
Oh? Take it for granted.
First time out, there's no eval.
No, of course, I'm just saying maybe; I'm not saying that this code must be solved on the first pass. I say maybe only because I solved one that had to be repeated three or four times before it was finally done.
I worked on this one, and the execution seems to go through @gzuncompress(base64_decode(code ...)) twice.
The second time, eval seems to already exist in the earlier array.
But at the second @gzuncompress(base64_decode(code ...)), a data error appears after execution. I don't know how you did it. Can you give me a clue?
Its structure is more complicated.
First layer
Array
(
    [?????] => plugin.class.php.php
    [?????] => strlen
    [?????] => empty
    [?????] => base64_decode
    [?????] => str_pad
    [?????] => eval
    [?????] => preg_replace
    [?????] => /47183fe0e6a80ab66633459f55a88a71/e
)
Second layer
Array
(
    [?????] => plugin.class.php.php
    [?????] => strlen
    [?????] => empty
    [?????] => base64_decode
    [?????] => str_pad
    [?????] => eval
    [?????] => preg_replace
    [?????] => /47183fe0e6a80ab66633459f55a88a71/e
    [?????] => time
    [?????] => basename
    [?????] => die
    [?????] => ?????
    [?????] => explode
    [?????] => in_array
    [?????] => gethostbyname
)
The third layer also uses eval directly.
It is difficult to intercept because it is driven by preg_replace (with the e modifier attached to the regex).
You need to change the eval in the array to a custom function.
Split the code to be decoded: execute the earlier parameter setup first, then process the self-decoding code that follows.
I have replaced the eval (original encryption) in the array with echo in its original position; how is the rest split?
Can you give me the code you used to decrypt and get the array? I'll look into it.
preg_replace('\b777fb918ffda23fb0979c4ca77ab814\e', eval(gzuncompress(base64_decode($code))), '?? B777fb918ffda23fb0979c4ca77ab814???');
How should this be reorganized and decoded?
The code is like this
I think there's something wrong with the train of thought.
$filename = __DIR__ . '/plugin.class.php';
$gl = '';
$old_vars = '';
// Split the sample at the first eval; $c[0] is the setup code that builds the function-name array
$c = explode('eval', file_get_contents($filename));
file_put_contents($filename . '_0.php', $c[0]);
$old_vars = get_defined_vars();
include $filename . '_0.php';
$new_vars = array_diff_key(get_defined_vars(), $old_vars);
// print_r($new_vars);
$gl = key($new_vars);
$ev = array_search('eval', $$gl);
${$gl}[$ev] = '$code';
$code = create_function('$s', <<<code
global \$$gl;
echo \$s, PHP_EOL;
eval(explode('@', \$s)[0]);
file_put_contents('t_2.php', '
I adjusted the approach; this should solve it.
$filename = __DIR__ . '/plugin.class.php';

// Replacement for eval: print each layer, then run it with nested eval( calls routed back here
function code($s) {
    $v = $GLOBALS['gl'];
    $$v =& $GLOBALS[$v];   // expose the sample's global array under its own name
    echo $s . PHP_EOL;
    $s = str_replace('eval(', 'code(', $s);
    eval($s);
}

$gl = '';
$old_vars = '';
// Split at the first eval: $c[0] is the setup code, $c[1] is the self-decoding part
$c = explode('eval', file_get_contents($filename));
file_put_contents($filename . '_0.php', $c[0]);
$old_vars = get_defined_vars();
include $filename . '_0.php';
// The only new variable is the sample's array of decoded function names
$new_vars = array_diff_key(get_defined_vars(), $old_vars);
$gl = key($new_vars);
// Point the array slot that holds 'eval' at code() instead
$ev = array_search('eval', $$gl);
${$gl}[$ev] = 'code';
file_put_contents($filename . '_1.php', '<?php eval' . $c[1]);
include $filename . '_1.php';
print_r($$gl);
The last line of the output is the last executed code.
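The string decoder discussed in this thread (base64, then `~` or XOR against a repeated key) and the repeated `eval(gzuncompress(base64_decode(...)))` layers can also be unpacked statically, without running the sample. The following is an added example, not code from the thread or its files: it assumes the helper's two indirect calls are strlen and str_pad, as the array dump suggests, and `SAMPLE`, `NOT_EVAL` and `XOR_NAME` are constructed inputs.

```python
import base64
import re
import zlib

def decode(data_b64: str, key: bytes = b"") -> bytes:
    """The sample's string decoder, re-implemented so no PHP has to run."""
    data = base64.b64decode(data_b64)
    if not data:
        return b""
    if not key:
        # PHP `~$str`: bitwise NOT of every byte
        return bytes(~b & 0xFF for b in data)
    # PHP `str_pad($key, strlen($data), $key)` followed by `$data ^ $key`:
    # the key repeats cyclically and the result has the data's length
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

LAYER = re.compile(
    r"eval\s*\(\s*@?\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*"
    r"['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)\s*\)", re.I)

def peel(source: str, max_layers: int = 16) -> list[str]:
    """Inflate literal eval(gzuncompress(base64_decode('...'))) layers one by one."""
    layers = [source]
    for _ in range(max_layers):
        m = LAYER.search(layers[-1])
        if m is None:
            break
        try:
            # PHP gzuncompress() reads the zlib format, same as zlib.decompress()
            inner = zlib.decompress(base64.b64decode(m.group(1)))
        except (ValueError, zlib.error):
            break  # payload is damaged or only assembled at run time
        layers.append(inner.decode("latin-1"))
    return layers

def _wrap(php: str) -> str:
    blob = base64.b64encode(zlib.compress(php.encode("latin-1"))).decode()
    return f"eval(@gzuncompress(base64_decode('{blob}')));"

# Constructed inputs for illustration, not taken from the thread's files
SAMPLE = _wrap(_wrap("echo 'inner payload';"))
NOT_EVAL = base64.b64encode(bytes(~b & 0xFF for b in b"eval")).decode()
XOR_NAME = base64.b64encode(
    bytes(b ^ k for b, k in zip(b"str_pad", b"k1k1k1k"))).decode()

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print(depth, layer[:60])
    print(decode(NOT_EVAL), decode(XOR_NAME, b"k1"))
```

Static peeling stops at the first layer whose payload is not a string literal, which is the point where the thread switches to hooking the `eval` slot of the array.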