Asking about how to decrypt PHP character obfuscation + eval. I hope xuzuning and other experts can help me with two encrypted PHP files I ran into recently, which seem to use obfuscation plus eval.
This obfuscation is different from the 0 | o kind. The encoding looks garbled; it seems that the ASCII function names are encoded.
Could the experts give me some ideas?
Without further ado, here is the code:
_ FILE _); if (! Defined ('feeaabfaa') {define ("FEEAABFAA", 1395120187); function ????? ($ ?????, $ ????? = "") {Global $ ?????; $ ????? = Base64_decode ($ ?????); If (empty ($ ?????)) Return ""; if ($ ????? = "") {Return ~ $ ?????;} Else {$ ????? = $ ????? ['????? '] ($ ?????); $ ????? = $ ????? ['????? '] ($ ?????, $ ?????, $ ?????); Return $ ????? ^ $ ?????;}}} $ ????? ['????? '] = ????? ('Jiunk5qr ', ''); $ ????? ['????? '] = ????? ('Mpkpi4y = ', ''); $ ????? ['????? '] = ????? ('Nz6mmsnlojua? JCbmg = ', ''); $ ????? ['????? '] = ????? ('Jiun? I + emw = ', ''); $ ????? ['????? '] = ????? ('Agyidg = ', 'gpibl4mkhj8 ='); $ ????? ['????? '] = ????? ('Maid? OEgu ', 'y' + kj5p'); $ ????? ['????? '] = ????? ('0mvizsfmm? RPmsmex8 + encnJyczM? 8 rGmcrKnsfHnsjO? Jo = ', ''); eval ($ ????? ['????? '] (' Cannot be written. it is omitted here ............ '); Return;?> 4861704e7c6c38ed5439414665b9adb0
Here is the other one:
_ FILE _); $ ????? ['????? '] = ????? ('Nz6mm? NLoJuan? Cbmg = ', ''); $ ????? ['Salary ???] = ????? ('Jiunk5qr ', ''); $ ????? ['????? '] = ????? ('Mpkpi4y = ', ''); $ ????? ['Boat ??? Leopard '] = ????? ('Jiunoi + emw? = ', ''); $ ????? ['Qian qian? Qiang'] = ????? ('0j2cz5? AmZn? ? NLzJv? Y53H? 5qcy8? JzMjOys? H0Jo = ', ''); $ ????? ['? 『??? '] = ????? ('Domnq = ', 'mlgyqyghx6m ='); $ ????? ['Salary ???? '] = ????? ('Gchxhzbkkh? Yvewj', 'hz2xo8odt5/FoQ = '); $ ????? ['????? '] = ????? ('/K73993Zn? B0kA = ', 'k4qfiy + Vw7M ='); @ $ ????? ['Salary ???? '] ($ ????? ['Qian qian? Qiang '], $ ????? ['? 『??? '].' ('. $ ????? ['????? '].' ('. $ ????? ['????? '].' (\ 'Is omitted here ............ Cannot write '); return;?> 616df3258c3d0520a46c2829342b76be
I have packaged the two files.
Link: http://pan.baidu.com/s/1tNVxs password: gtip
I hope you can give me some advice.
Reply to discussion (solution)
Link: http://pan.baidu.com/s/1tNVxs password: gtip
The address is published again.
?? FILE In? Row? Are there any prompts? Method ??,?? Method? You
Yes, but no error is reported. Download Baidu online storage;
If you think it looks disgusting, you should replace it with a letter. The principle is the same.
I have tried to change it. You can change it as needed to solve the problem.
Have you modified your dadadi.php?
URL: http://pan.baidu.com/s/1qWLLFDa password: 4372
This should be fine.
In addition, I tried to crack plugin.class.php and got the following two PHP files.
However, it seems like a loop. The core algorithm should be:
// A function fun($var1, $var2 = '') is defined at the top. Roughly, it base64-decodes $var1 first and then returns ~ (the bitwise complement). It checks whether $var2 has a value; I do not really understand the part that follows. The last step is return aaa ^ bbb; (XOR)
// Below that, a series of variables is encrypted
// and put into an array
// For what is stored in the array, see detempb in the archive. What it finally shows seems to be preg_match('regular expression (I have not restored it, or I restored it wrongly)', eval(gzuncompress(base64_decode(encrypted string))), 'this seems to be a string of digits')
In addition, I worked on it for half a day. The two files are generated as the decryption files of plugin.class.php. They run correctly and should not have been decrypted incorrectly. I don't know how to get it.
When I try to output the encrypted string again, it feels wrong. No correct results are obtained. Please advise.
Link: http://pan.baidu.com/s/1u3Tgy password: j15w
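The string decoder described in the post above, as an added example that is not code from any poster; it is written in Python so the sample itself is never executed. It assumes the two calls whose names are lost on this page are strlen and str_pad (both appear in the recovered array) and that the key is used as given; the inputs are constructed by applying the scheme to known function names.

```python
import base64

def php_str_pad(s: bytes, length: int, pad: bytes) -> bytes:
    """PHP str_pad() with the default right-side padding."""
    if length <= len(s) or not pad:
        return s
    fill = length - len(s)
    return s + (pad * (fill // len(pad) + 1))[:fill]

def decode(blob: str, key: str = "") -> bytes:
    """Static equivalent of the sample's decoder: base64, then NOT or XOR."""
    raw = base64.b64decode(blob)
    if not raw:
        return b""
    if key == "":
        # PHP's ~ on a string flips every bit of every byte
        return bytes(b ^ 0xFF for b in raw)
    # Assumption: the key is repeated up to the data length with str_pad
    k = key.encode("latin-1")
    k = php_str_pad(k, len(raw), k)
    # PHP's string ^ string stops at the shorter operand, as zip() does
    return bytes(a ^ b for a, b in zip(raw, k))

def encode(plain: bytes, key: str = "") -> str:
    """Inverse of decode(); only used to build constructed samples."""
    if key == "":
        body = bytes(b ^ 0xFF for b in plain)
    else:
        k = key.encode("latin-1")
        k = php_str_pad(k, len(plain), k)
        body = bytes(a ^ b for a, b in zip(plain, k))
    return base64.b64encode(body).decode("ascii")

# Constructed inputs (blob, key); "k3y" is a made-up key
CONSTRUCTED = [
    ("jIuNk5qR", ""),
    ("mpKPi4Y=", ""),
    (encode(b"preg_replace", "k3y"), "k3y"),
]

def decode_table(entries):
    """Decode a list of (blob, key) pairs into readable names."""
    return [decode(blob, key).decode("latin-1") for blob, key in entries]

if __name__ == "__main__":
    for name in decode_table(CONSTRUCTED):
        print(name)
```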
The manual decryption method is to look at the value of the variable in eval. It may still come out with eval, so it should be repeated. It's just a physical activity.
Oh? Take it for granted
No more eval after the first time
I didn't think about it. of course, I just said it was possible, but I didn't say that this code must be first parsed. Probably, it is only because I have solved one problem that it takes three or four times to complete.
I have done this. The execution is like a second @gzuncompress(base64_decode(code.......))
The second time, eval seems to exist in the previous array.
However, after @gzuncompress(base64_decode(code...)) is executed, a data error occurs. I don't know how you do it. Can you give me an idea?
Its structure is complex.
Layer 1
Array
(
    [?????] => plugin.class.php.php
    [?????] => strlen
    [?????] => empty
    [?????] => base64_decode
    [?????] => str_pad
    [?????] => eval
    [?????] => preg_replace
    [?????] => /47183fe0e6a80ab66633459f55a88a71/e
)
Layer 2
Array
(
    [?????] => plugin.class.php.php
    [?????] => strlen
    [?????] => empty
    [?????] => base64_decode
    [?????] => str_pad
    [?????] => eval
    [?????] => preg_replace
    [?????] => /47183fe0e6a80ab66633459f55a88a71/e
    [?????] => time
    [?????] => basename
    [?????] => die
    [?????] => ?????
    [?????] => explode
    [?????] => in_array
    [?????] => gethostbyname
)
The third layer directly uses eval.
It is difficult to intercept the data because it is driven through preg_replace (the regex modifier e).
You need to change the eval in the array to a user-defined function.
The code to be parsed needs to be split: first execute the preceding parameter settings, and then process the self-decoding code that follows.
The eval (original encryption) in the array has been replaced with echo in the original position. How can we split it later?
Can you decrypt the code to obtain the array?
preg_replace('\b777fb918ffda23fb0979c4ca77ab814\e',eval(gzuncompress(base64_decode($code))),'??b777fb918ffda23fb0979c4ca77ab814???');
How can we reorganize and decode this?
The code is like this
It should be a bit of a problem.
$filename = __DIR__ . '/plugin.class.php';
$gl = '';
$old_vars = '';
// Keep only the part before the first eval: the decoder function and the array setup
$c = explode('eval', file_get_contents($filename));
file_put_contents($filename . '_0.php', $c[0]);
$old_vars = get_defined_vars();
include $filename . '_0.php';
// The one variable the include added is the obfuscated function-name array
$new_vars = array_diff_key(get_defined_vars(), $old_vars);
// print_r($new_vars);
$gl = key($new_vars);
// Find the slot that holds 'eval' in that array
$ev = array_search('eval', $$gl);
${$gl}[$ev] = '$code';
$code = create_function('$s', <<<CODE
global \$gl;
echo \$s, PHP_EOL;
eval(explode('@', \$s)[0]);
file_put_contents('t_2.php', '
After adjusting the thought, it should have been unlocked.
$filename = __DIR__ . '/plugin.class.php';

// Stand-in for eval: print each layer, then run it with nested eval( calls routed back here
function code($s) {
    $v = $GLOBALS['gl'];
    $v = &$GLOBALS[$v];
    echo $s . PHP_EOL;
    $s = str_replace('eval(', 'code(', $s);
    eval($s);
}

$gl = '';
$old_vars = '';
// Keep only the part before the first eval: the decoder function and the array setup
$c = explode('eval', file_get_contents($filename));
file_put_contents($filename . '_0.php', $c[0]);
$old_vars = get_defined_vars();
include $filename . '_0.php';
// The one variable the include added is the obfuscated function-name array
$new_vars = array_diff_key(get_defined_vars(), $old_vars);
$gl = key($new_vars);
// Point the array slot that held 'eval' at the stand-in
$ev = array_search('eval', $$gl);
${$gl}[$ev] = 'code';
file_put_contents($filename . '_1.php', '
The last line of output is the last code executed.
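A static counterpart to the eval hook used in this thread, as an added example that is not code from any poster: it peels eval(gzuncompress(base64_decode('...'))) layers in Python without running any of the PHP. It assumes each payload appears as a string literal inside the wrapper; the sample is constructed here with the hypothetical helper pack().

```python
import base64
import re
import zlib

# Matches eval(gzuncompress(base64_decode('...'))) with optional whitespace
WRAPPER = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*"
    r"(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?",
    re.IGNORECASE,
)

def peel(source, max_layers=20):
    """Return every layer, outermost first, without executing any PHP."""
    layers = [source]
    for _ in range(max_layers):  # bound the loop against decompression chains
        m = WRAPPER.search(layers[-1])
        if m is None:
            break  # no further wrapper: this is the last code that would run
        try:
            inner = zlib.decompress(base64.b64decode(m.group(2)))
        except (ValueError, zlib.error):
            # PHP reports this case as "data error": the bytes are not a
            # plain zlib stream, so stop and keep what was recovered
            break
        layers.append(inner.decode("latin-1"))
    return layers

def pack(php):
    """Hypothetical helper: wrap PHP text the way the layers are wrapped."""
    blob = base64.b64encode(zlib.compress(php.encode("latin-1"))).decode()
    return "eval(gzuncompress(base64_decode('%s')));" % blob

# Constructed two-layer sample; the innermost statement is harmless
SAMPLE = pack("$x = 1;\n" + pack("echo 'final payload';"))

if __name__ == "__main__":
    for depth, layer in enumerate(peel(SAMPLE)):
        print("--- layer %d ---" % depth)
        print(layer)
```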