A few days ago a friend sent me a shell and asked me to decrypt it. When I opened the source code I read that it was "Shendun" (shield) encryption. Some people have actually already analyzed this on the Internet and written tools for it, but I tried many of those tools and none of them worked, so I decided to analyze it from the beginning.
Let's start with the first decryption step.
PS: these are only my own decryption ideas; if you have better ones, please share them.
<?php
$str = file_get_contents("1.php");

// Step 1: replace all variable names
// Regex: \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*
preg_match_all('|\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|', $str, $params) or die('err 0.');
$params = array_unique($params[0]); // deduplicate
// longest names first, so that replacing $a does not clobber $ab
usort($params, function ($a, $b) { return strlen($b) - strlen($a); });
$replace = array();
$i = 1;
foreach ($params as $v) {
    $replace[] = '$p' . $i;
    tolog($v . ' => $p' . $i); // record the mapping in the log
    $i++;
}
$str = str_replace($params, $replace, $str);

// Step 2: replace all function names
// Regex: function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)
preg_match_all('|function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)|', $str, $params) or die('err 0.');
$params = array_unique($params[1]); // deduplicate
usort($params, function ($a, $b) { return strlen($b) - strlen($a); });
$replace = array();
$i = 1;
foreach ($params as $v) {
    $replace[] = 'fun' . $i;
    tolog($v . ' => fun' . $i); // record the mapping in the log
    $i++;
}
$str = str_replace($params, $replace, $str);

// Step 3: replace all non-printable characters
function tohex($m) {
    $p = urlencode($m[0]); // turn every invisible character into a hex escape
    $p = str_replace('%', '\x', $p);
    $p = str_replace('+', ' ', $p); // urlencode turns spaces into +
    return $p;
}
$str = preg_replace_callback('|[\x00-\x08\x0e-\x1f\x7f-\xff]|s', "tohex", $str);

// Write the result to a file
file_put_contents("effect1.php", $str);

function tolog($str) {
    file_put_contents("replace_log.txt", $str . "\n", FILE_APPEND);
}
?>
(The script also records every replacement in a log file, which is useful for the second decryption pass later.)
After running it you get the output file (effect1.php); open it and you will see code similar to this.
Run it through a code formatter (PhpStorm has one built in) and the code becomes much clearer.
After further tidying, the following code is obtained:
// Start of code decryption <==
if (!defined('IN_DECODE_82d1b9a966825e3524eb0ab6e9f21aa7')) {
    define('\xA130\x8c', true);
    function fun1($str, $flg = "") {
        if (!$flg) return base64_decode($str);
        $ret = '';
        // loop bound reconstructed: the copy of this line on the page is truncated
        for ($i = 0; $i < strlen($str); $i++) {
            $c = ord($str[$i]);
            // bytes >= 245 are junk and dropped, bytes 137..244 are halved
            // (chr() truncates $c/2), everything else passes through unchanged
            $ret .= $c < 245 ? ($c > 136 ? chr($c / 2) : $str[$i]) : "";
        }
        return base64_decode($ret);
    }
    // ... (the rest of this block continues on the next page of the original post)
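As an added example (my own Python port, not the author's code and not taken from the shell), here is fun1's byte transform together with a constructed inverse, fun1_encode, which is hypothetical and exists only to generate sample input; the decoder halves with integer division to match PHP's chr() truncating $c/2.

```python
import base64
import random

# Assumed semantics of fun1(): bytes >= 245 are junk and dropped, bytes in
# 137..244 are halved (PHP chr($c/2) truncates), everything else passes
# through; the surviving text is then base64-decoded.


def fun1_decode(data: bytes, flg: bool = True) -> bytes:
    """Mirror of fun1($str, $flg): plain base64 when flg is false."""
    if not flg:
        return base64.b64decode(data)
    kept = bytearray()
    for c in data:
        if c >= 245:            # junk byte, discarded by the decoder
            continue
        kept.append(c // 2 if c > 136 else c)  # // == PHP chr() truncation
    return base64.b64decode(bytes(kept))


def fun1_encode(plaintext: bytes, seed: int = 1) -> bytes:
    """Constructed inverse (hypothetical, only for producing test input).

    Only base64 characters whose doubled value exceeds 136 ('E'..'Z' and
    'a'..'z') can be doubled; 'A'..'D', digits, '+', '/' and '=' must stay
    as-is or the decoder would not halve them. Odd low bits and junk bytes
    >= 245 are sprinkled in to show that the decoder tolerates both.
    """
    rng = random.Random(seed)
    out = bytearray()
    for c in base64.b64encode(plaintext):
        doubled = c * 2
        if doubled > 136:
            jitter = rng.randint(0, 1) if doubled + 1 < 245 else 0
            out.append(doubled + jitter)
        else:
            out.append(c)
        if rng.random() < 0.3:
            out.append(rng.randint(245, 255))
    return bytes(out)


if __name__ == "__main__":
    # constructed sample: the encoded form of a tiny PHP payload
    blob = fun1_encode(b'<?php echo "hello"; ?>')
    print(blob)
    print(fun1_decode(blob))
```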