Webshell's key_access to a locally encrypted webshell in a browser

Source: Internet
Author: User

By chance I came across an encrypted webshell, encrypted with PHP shield Var 1.54. Opening it in Notepad showed only a screen of garbled characters, so I searched Baidu and found an answer.
The method is to use the php_apd extension, hooking gzuncompress so that it prints what it returns while the encrypted file is loaded:
<?php
rename_function('gzuncompress', 'new_gzuncompress');
override_function('gzuncompress', '$arg', 'print(new_gzuncompress($arg)); return new_gzuncompress($arg);');
require_once 'decryption.php';
decryption('decryption.php');
?>
I understood what it meant, but I did not know how to actually carry it out. Is there another way? I tried it with OD (OllyDbg), and it does work.
Set up an Apache service and start it.
Then attach OD to the httpd process; take the one highlighted in red (the other one is suspended immediately), and let httpd continue running.
Now open the locally encrypted webshell in the browser, for example http://localhost/DebugPHP/818.php
Search the process memory in OD: the plaintext is visible, and the webshell password is clear at a glance :)
The rest is simple: copy the binary data out of memory and save it.
The file was encrypted with PHP shield Var 1.54, so I searched the Internet for a decryption tool; after trying it, it decrypted the file successfully.
However, the tool itself is also encrypted; no matter what encryption it uses, the outcome is the same.
Create a file named "dec.php", where "decryption.php" is the encrypted PHP shield Var 1.54 decryption tool:
<?php
require_once 'decryption.php';
echo 'OK';
?>
This is even simpler: open http://localhost/DebugPHP/dec.php directly and the plaintext appears again in memory, with no need to search at the old location.
The extracted result is as follows:
<?php
function decryption($fileName) {
    /**
     * Decoding function
     * @param string $str string to be decoded
     * @param string $flg whether to transform the bytes before base64-decoding
     * @return string decoded string
     */
    function decode($str, $flg = '') {
        if ($flg == '') {
            $ret = $str;
        } else {
            $ret = '';
            $i = 0;
            $l = strlen($str);
            while ($i++ < $l) {
                $c = ord($str[$i - 1]);
                // bytes >= 245 are filler; bytes > 136 hold a doubled character
                $ret .= $c < 245 ? ($c > 136 ? chr($c / 2) : $str[$i - 1]) : "";
            }
        }
        return base64_decode($ret);
    }

    $err = 'An error occurred while decoding. Contact the instructor to process the file!';
    $str = file_get_contents($fileName);
    $path = pathinfo($fileName);
    $dirname = $path['dirname'];   // directory of the file
    $baseName = $path['filename']; // file name without extension

    if (preg_match('|IN_DECODE_(\w{32})|s', $str, $arr)) {
        // Prevent the tool from decrypting itself. All the methods are shown here anyway, so decoding can be done by hand.
        $arr[1] == '761b5f52db6dff7ce91344e99dcedab7' && die("err:[-1]-Do not try to decrypt this tool with this tool!");
    } else {
        die("err:[-1]-No security features found. Are you sure this is PHP shield encryption?");
    }

    // Match the body of the code
    // ';@\$[\x00-\xff]+\('([\x00-\xff]+?)\'\.\(
    preg_match('|\';\$[\x00-\xff]+\(\'([\x00-\xff]+?)\\\\\'\.\(|s', $str, $arr) || die("err:[0]-" . $err);
    $code = $arr[1];
    // Match the intermediate encrypted part
    preg_match('|\(\'([\x00-\xff]+)\',\'|s', $code, $arr) || die("err:[1]-" . $err);
    $key = base64_decode(decode($arr[1], "decode"));

    $code = preg_replace('|\'\.[\x00-\xff]+\'\)\.\'|s', $key, $code);
    // Match the encrypted code at the end
    preg_match('|=\'(x[\x00-\xff]+)\'\);|s', $str, $arr) || die("err:[2]-" . $err);
    $core = $arr[1];
    // Match the verification key
    preg_match('|[\w+/=]{59}=|s', $arr[1], $arr) || die("err:[3]-" . $err);
    $key = $arr[0];
    $core = str_replace($key, '', $core); // remove the key
    $suffix = gzuncompress($core);        // obtain the tail of the base64 data
    // Decoding
    $code = gzuncompress(base64_decode($code . $suffix));
    // Match the clean code
    if (preg_match('|<!--<\?php endif;\?>(<\?php[\r\n]{1,2}[\x00-\xff]+\?>)<\?php \$GLOBALS\[|s', $code, $arr)) {
        $code = $arr[1];
    }
    // Write to file
    $source = $dirname . DIRECTORY_SEPARATOR . $baseName . "_source.php";
    file_put_contents($source, $code);
    die("Decrypted successfully, saved as: " . $source);
}
?>
After debugging, it turns out the tool mainly relies on regular expressions, and my eyes were dazzled.
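As an added example (not code from the post or from the decryption tool), here is a Python port of the tool's byte-level decode() step and of the final gzuncompress(base64_decode($code . $suffix)) unpacking, together with a constructed inverse encoder so the round trip can be checked on a constructed sample; the names shield_decode, shield_encode, unpack_body and demo are mine, and the sample data is made up.

```python
import base64
import zlib


def shield_decode(data: bytes) -> bytes:
    """Port of decode($str, "decode") from the PHP tool above: bytes >= 245
    are filler and dropped, bytes > 136 are halved back to the original
    character, anything else is kept; the survivors are base64-decoded."""
    out = bytearray()
    for c in data:
        if c >= 245:
            continue
        out.append(c // 2 if c > 136 else c)
    return base64.b64decode(bytes(out))


def shield_encode(plain: bytes, filler: bytes = b"\xf5\xff") -> bytes:
    """Inverse transform, constructed for this example (not part of the tool):
    base64 the payload, double every character whose code is above 68 so it
    lands in 137..244 ('z' -> 244 is the maximum), and interleave filler >= 245."""
    out = bytearray()
    for i, c in enumerate(base64.b64encode(plain)):
        out.append(c * 2 if c > 68 else c)
        out.append(filler[i % len(filler)])
    return bytes(out)


def unpack_body(code_b64: str, suffix_b64: str) -> bytes:
    """Mirror of gzuncompress(base64_decode($code . $suffix)); PHP's gzcompress
    emits zlib-wrapped deflate, which zlib.decompress reads directly."""
    return zlib.decompress(base64.b64decode(code_b64 + suffix_b64))


def demo() -> dict:
    # Constructed sample standing in for a recovered file; nothing here comes
    # from a real shell.
    source = b"<?php\necho 'hello';\n?>"
    packed = base64.b64encode(zlib.compress(source)).decode()
    code_part, suffix_part = packed[:10], packed[10:]  # split as $code and $suffix
    key = b"constructed-key-material"
    return {
        "key": shield_decode(shield_encode(key)),
        "source": unpack_body(code_part, suffix_part),
    }


if __name__ == "__main__":
    print(demo())
```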