Brief introduction to the decryption process of PHP shield

Some days ago, a friend lost a shell to me and asked me to help decrypt it. I opened the source code and read it, saying "it's shield encryption, baidu found that yundun was a very old thing. The last update was in 2012-10-09. Another one similar to him is phpjm, which is said to be the yundun... "/> <scripttype =" text/javascript "src =" http:/a friend lost a shell to me a few days ago and asked me to decrypt it, open the source code and read it as "shield encryption". Baidu found that shield is a very old thing, and the last update was in 2012-10-09. Another similar to phpjm is phpjm. some people say that phpjm has been copied by Alibaba Cloud Security. these are not our concerns. phpjm has been being updated, but it seems that this does not happen, let's analyze yundun and write it as a tool for your convenience (because it is not updated, you don't have to worry about the failure of the decryption tool ). In fact, some people have already analyzed this on the internet and have written it as a tool. However, I have tested many tools, but none of them can be used. so I decided to analyze it from the beginning. Open the source code encrypted by Alibaba Cloud Security. you can see that the code contains ad comments and cannot be deleted, because the file end has an md5 verification code to verify whether the code has been modified, and read the code carefully, and found that the code is garbled. In fact, this is a blind way. it uses the php variable to expand to the latin1 character range, the variable matching regular is in the format of \ $ [a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff. I have analyzed the problem yesterday and finally found the answer on the official website. please refer to "talking about available characters in PHP variables". let's do the first step of decryption. PS: This is just my decryption idea. I 'd like to share with you some better ideas .. $ P '. $ I); // log $ I ++;} $ str = str_replace ($ params, $ replace, $ str ); // replace all function names in step 2 // regular function ([a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff] *) preg_match_all ('| function ([a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff] *) |', $ str, $ params) or die ('err 0. '); $ params = array_unique ($ params [1]); // repeat $ replace = array (); $ I = 1; foreach ($ params as $ v) {$ replace [] = 'fun '. $ I; tolog ($ v. '=> fun '. $ I); // log $ I ++;} $ str = st R_replace ($ params, $ replace, $ str); // The third step replaces all non-printable characters function tohex ($ m) {$ p = urlencode ($ m [0]); // Convert all invisible characters to hexadecimal notation, $ p = str_replace ('%', '\ X', $ p ); $ p = str_replace ('+', '', $ p); // urlencode converts a space to + return $ p ;} $ str = preg_replace_callback ('| [\ x00-\ x08 \ x0e-\ x1f \ x7f-\ xff] | s', "tohex", $ str ); // write to the file file_put_contents ("effect1.php", $ str); function tolog ($ str) {file_put_contents ("replace_log.txt ", $ Str." \ n ", FILE_APPEND) ;}?> (There is a log recorded code, which is useful for subsequent secondary decryption .) After execution, you will get a 1_t1.php file. open the file and you will see code like this to find a tool for formatting. I use phpstorm to bring the formatting function, and then the code will be much clearer. The following code is obtained after further sorting: 136? Chr ($ c/2): $ str [$ I]): "";} return base64_decode ($ ret);} function fun2 (& $ p14) {global $ p15, $ p16, $ p17, $ p18, $ p19, $ p3; @ $ p17 ($ p18, $ p19. '(@ $ p16 ($ p15 (\ 'signature + 53nO + ZeKhZLTcGKmAeII5kvFgqe5puPH/Signature/z6p '. $ p15 (fun1 ('\ xAC \ xA8 \ x94 \ x8E \ xA2 \ xD65 \ xE 6 \ xA4 \ xA8 \ x8A = ', '\ x9E \ xA8A4 \ xB4D \ x92 \ xF0 \ xB4 \ x8E \ x8C \ xD8 \ x9A \ xF4 \ xD61 \ x9C \ xA8 \ x60\ x9A \ xF4 \ xA4 \ xD4 \ xB2 \ xF4 \ x9A3 \ x9A \ xD4 \ xCE \ xEE \ x9C \ xDA \ xB4 \ xD2 \ x9A \ xF4 \ x8A3 \ x9C \ x8E \ xAA = ')). 'samples + logs/IhyqDPgFrws58f + Teni/HZ1yPuUKZo6t3BrfT8zuuz + fjl6WR5gqYHi9RkOTs + Wk74yfGXH9Pv82 + T5Qt + Og7kUCLfB8 NMLvPCdn1O8NIRCpCfUE4Y05S117h9b/release + 3 vNVACE + xFHjgoG/release + QGl + Release/release/6kVQGv1n1/wChxaEtA == \')). $ p16 ($ p15 ($ p3) ', "82d1b9a966825 E3524eb0ab6e9f21aa7 ") ;}} global $ p15, $ p16, $ p17, $ p18, $ p19, $ p3; $ p17 = 'preg _ replace '; $ p18 = '/users/E'; $ p15 = 'base64 _ decode'; $ p19 = 'eval'; $ p16 = 'gzuncompress'; $ p3 = ''; @ $ p17 ($ p18, $ p19.' FUmqqkpcmZFcpMVEWv2E + Vp795Q4BEJK4Hj93NzBwjEUIgemb2JsKB '. $ p15 (fun1 ('\ xB21 \ xC65 \ xC8A = ', '\ x9E \ xA8A4 \ xB4D \ x92 \ xF0 \ xB4 \ x8E \ x8C \ xD8 \ x9A \ xF4 \ xD61 \ x9C \ xA8 \ x60\ x9A \ xF4 \ xA4 \ xD4 \ xB2 \ xF4 \ x9A3 \ x9A \ xD4 \ xCE \ xEE \ x9C \ xDA \ xB4 \ xD2 \ x9A \ xF4 \ x8A3 \ x9C \ x8E \ xAA = ')). 'oig6pkbbjnszn/records + k3T8HLs/Otf3XityU9Fea/J L6z36uUXpOOfmn5GhvpR00sZoe + xk83S1JplUyg7e63dfcwcGpgZNfBmvAbdZGhQ \'. ($ p20. = fun2 ($ p20) ', "82d1b9a966825e3524eb0ab6e9f21aa7 ". ($ p20 = 'x \ xDA \ xCB) bytes = O \ FF. \ xADH5 \ xCF2 \ x88 \ xF0u \ x8BL * \ xCD \ xF2223. \ xB1 \ xF0 \ FF1 \ xCF + \ x02 \ x00 \ xB6 \ xCA \ xBE ')); // End of the decryption code ==>> return true;?> 76cdemo-ef549deac4d0fae860b50010 is not very clear, the rest is the basic code, there is a knowledge point preg_replace when the regular modifier contains e, it will take the second parameter as php code parsing and execution, $ p18 is the regular expression, and the e at the end is shining. In addition, it is best to output a file again in fun2, and then replace the variable with the above method. @ $ P17 the line is our real source code, but there is a function in fun2 at the end, because fun2 is the real verification and output of base64 code at the end. I am lazy to write the rest, because I have already said all the knowledge I need to use for decryption. tomorrow I will use this tool to encrypt and paste the decryption code I have written, I will provide the decryption api for you to call. It's not that I pretend to be forced or show off, because it's better to teach fish to fish than to teach fish. you can also say that you can do it yourself. Of course there are also people who just want to get the results and don't want the process, so I will give you the same api directly, right. Classification: PHP