Brief Introduction to the decryption process of PHP Shield

Source: Internet
Author: User
Tags: printable characters
A few days ago a friend sent me a shell and asked me to decrypt it. I opened the source code and saw that it was "Shield encryption" (PHP Shield). In fact, some people on the Internet have already analyzed this and written tools for it, but I tested many of those tools and none of them worked, so I decided to analyze it from the beginning.

Let's start with the first step of the decryption.

PS: These are just my own ideas on how to decrypt it; if you have better ones, please share them.

```php
<?php
// Step 0: read the obfuscated file as raw bytes
$str = file_get_contents("1.php");

// Step 1: replace all variable names
// Regex: \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*  (a PHP identifier preceded by $)
// Note: $this and the superglobals are renamed as well; the log maps them back.
$re = '|\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|';
preg_match_all($re, $str, $params) or die('err 0.');
$params = array_unique($params[0]); // deduplicate
$map = array();
$i = 1;
foreach ($params as $v) {
    $map[$v] = '$P' . $i;
    tolog($v . ' => $P' . $i); // record the mapping to the log
    $i++;
}
// Rewrite in a single pass through a lookup table: a sequential
// str_replace() would turn "$ab" into "$P1b" after renaming "$a".
$str = preg_replace_callback($re, function ($m) use ($map) {
    return $map[$m[0]];
}, $str);

// Step 2: replace all function names
// Regex: function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)
preg_match_all('|function\s+([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)|', $str, $params) or die('err 1.');
$params = array_values(array_unique($params[1])); // deduplicate
// Longest names first, so a short name is never substituted inside a longer one
usort($params, function ($a, $b) { return strlen($b) - strlen($a); });
$replace = array();
$i = 1;
foreach ($params as $v) {
    $replace[] = 'fun' . $i;
    tolog($v . ' => fun' . $i); // record the mapping to the log
    $i++;
}
$str = str_replace($params, $replace, $str); // renames declarations and call sites alike

// Step 3: replace all non-printable characters
function tohex($m)
{
    // Emit the byte as a \xNN escape so the file becomes readable.
    // (urlencode() gives the same %NN digits; '+' can never appear because
    // the space character 0x20 is not in the class below.)
    return sprintf('\x%02X', ord($m[0]));
}
// \x09-\x0d (tab, LF, CR, ...) are deliberately left alone so the layout survives
$str = preg_replace_callback('|[\x00-\x08\x0e-\x1f\x7f-\xff]|s', "tohex", $str);

// Write the result to a file
file_put_contents("effect1.php", $str);

function tolog($str)
{
    file_put_contents("replace_log.txt", $str . "\n", FILE_APPEND);
}
?>
```

(The script also writes a replacement log, which is useful for the second round of decryption later.)
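The same three normalization steps, as an added example that is not part of the original post and not the author's tool: a Python port that works on raw bytes, renames variables in a single pass through a lookup table (so `$a` is never rewritten inside `$ab`, which sequential replacement would do), renames function declarations and their call sites together, and hex-escapes the non-printable bytes. The input shell `SAMPLE` and its output are constructed here for illustration.

```python
import re

# The obfuscated file is handled as raw bytes: PHP identifiers may contain
# \x7f-\xff and the regexes must not treat the input as UTF-8.
VAR_RE = re.compile(rb'\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*')
FUNC_RE = re.compile(rb'function\s+([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)')
NONPRINT_RE = re.compile(rb'[\x00-\x08\x0e-\x1f\x7f-\xff]')   # tab/LF/CR are kept
IDENT_CHARS = rb'\w\x7f-\xff'

# Constructed sample of what an obfuscated file looks like (not the real shell):
# a function whose name is non-ASCII, two variables where one is a prefix of
# the other, and a control byte inside a string literal.
SAMPLE = (b'<?php\n'
          b'function \xe5\xad\x97($a, $ab) { return $ab . $a; }\n'
          b'$ab = "\x01x";\n'
          b'echo \xe5\xad\x97($a, $ab);\n')


def _unique_in_order(items):
    seen = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def rename_variables(src, log):
    """Step 1: every distinct $name becomes $P1, $P2, ... in order of first use."""
    names = _unique_in_order(m.group(0) for m in VAR_RE.finditer(src))
    mapping = {n: b'$P%d' % (i + 1) for i, n in enumerate(names)}
    for n in names:
        log.append(n + b' => ' + mapping[n])
    # One pass with a lookup table: replacing "$a" first would also rewrite
    # the prefix of "$ab" and leave "$P1b" behind.
    return VAR_RE.sub(lambda m: mapping[m.group(0)], src)


def rename_functions(src, log):
    """Step 2: every declared function becomes fun1, fun2, ... at declarations and call sites."""
    names = _unique_in_order(m.group(1) for m in FUNC_RE.finditer(src))
    mapping = {n: b'fun%d' % (i + 1) for i, n in enumerate(names)}
    for n in names:
        log.append(n + b' => ' + mapping[n])
    if not names:
        return src
    # Whole-identifier matches only, longest names first, and never a
    # "$name" variable that happens to share the spelling.
    alternation = b'|'.join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    call_re = re.compile(rb'(?<![' + IDENT_CHARS + rb'$])(?:' + alternation +
                         rb')(?![' + IDENT_CHARS + rb'])')
    return call_re.sub(lambda m: mapping[m.group(0)], src)


def escape_nonprintable(src):
    """Step 3: turn every non-printable byte into a readable \\xNN escape."""
    return NONPRINT_RE.sub(lambda m: b'\\x%02X' % m.group(0)[0], src)


def normalize(src):
    """Run the three steps and return (normalized source, replacement log)."""
    log = []
    out = rename_variables(src, log)
    out = rename_functions(out, log)
    out = escape_nonprintable(out)
    return out, log


if __name__ == '__main__':
    out, log = normalize(SAMPLE)
    print(out.decode('ascii'))
    for line in log:
        print(line)
```

The output is meant to be read, not executed: the `\xNN` escapes are literal text, and inside a single-quoted PHP string they would stay literal, so the original bytes have to be recovered from the log when a value matters.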

After running it you get an effect1.php file. Open it and you will see the renamed code, still unformatted.

Find a tool to format it; PhpStorm has a built-in code formatter, and the code becomes much clearer.

After some further tidying, the following code is obtained:

```php
<?php
// Start of the decoded code <==
if (!defined('IN_DECODE_82d1b9a966825e3524eb0ab6e9f21aa7')) {
    // The constant name contains non-printable bytes; they appear here as the
    // \xNN escapes produced by step 3 above.
    define('\xA130\x8c', true);

    function fun1($str, $flg = "")
    {
        // Without the flag the argument is plain base64
        if (!$flg) return base64_decode($str);
        // With the flag the bytes were transformed first: bytes >= 245 are
        // filler and are dropped, bytes > 136 are doubled base64 characters
        // and are halved back, everything else is passed through unchanged.
        // base64_decode() ignores characters outside its alphabet, so the
        // stray leading character in $ret does not affect the result.
        $ret = '?';
        for ($i = 0; $i < strlen($str); $i++) {
            $c = ord($str[$i]);
            $ret .= $c < 245 ? ($c > 136 ? chr($c / 2) : $str[$i]) : "";
        }
        return base64_decode($ret);
    }
    // (the rest of the decoded listing is not reproduced here)
}
```
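What fun1() actually undoes, as an added example that is not part of the original post: a Python port of the decoder above, together with an encoder that is my own reconstruction of the inverse (the page only shows the decoding side). The point it makes is that the "encryption" is base64 plus two byte tricks: every base64 character whose code is 69..122 ('E'-'Z', 'a'-'z') may be stored doubled, because the doubled value lands in 137..244 and is halved back, and any byte >= 245 is filler that the decoder discards. Characters below 69 ('A'-'D', digits, '+', '/', '=') cannot be doubled, since their doubled value would be <= 136 and pass through as garbage. The sample plaintexts are constructed.

```python
import base64

FILLER_MIN = 245    # bytes >= 245 are discarded by the decoder
DOUBLED_MIN = 137   # bytes > 136 are halved by the decoder


def shield_decode(data, flg=True):
    """Python port of the page's fun1(): undo the byte transform, then base64-decode."""
    if not flg:
        return base64.b64decode(data)
    out = bytearray()
    for c in data:
        if c >= FILLER_MIN:
            continue                # filler byte, dropped
        if c >= DOUBLED_MIN:
            out.append(c // 2)      # PHP's chr($c / 2) truncates odd values the same way
        else:
            out.append(c)           # ordinary base64 character, passed through
    # PHP's base64_decode() in non-strict mode skips non-alphabet characters;
    # Python's b64decode does the same unless validate=True is given.
    return base64.b64decode(bytes(out))


def shield_encode(plaintext, filler=b'\xf5'):
    """Assumed inverse transform, used to build test input: base64-encode, double
    every character that the decoder will halve back, and add filler after each."""
    out = bytearray()
    for c in base64.b64encode(plaintext):
        if 69 <= c <= 122:
            out.append(c * 2)       # 138..244: halved back by the decoder, never dropped
        else:
            out.append(c)           # 'A'-'D', digits, '+', '/', '=': doubling would land <= 136
        out.extend(filler)          # any bytes >= 245 are ignored by the decoder
    return bytes(out)


if __name__ == '__main__':
    blob = shield_encode(b'<?php echo "hi";')
    print(blob)
    print(shield_decode(blob))
```

Because the filler and the doubling are both optional, a real payload may mix untouched base64 runs with doubled runs; the decoder does not care, which is why it can be ported byte for byte as above. The `flg` parameter selects between this transform and plain base64, exactly as in fun1().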
