Talking about the decryption process of the PHP Yundun shield. A few days ago a friend threw me a shell and asked me to help decrypt it; I opened the source code, read it, and saw that it was Yundun (shield) encryption.
A Baidu search showed that Yundun (Alibaba Cloud Shield) is a very old thing: the last update was on 2012-10-09. There is another similar encryptor, phpjm, and some people say Yundun copied phpjm, but that is not our concern here.
phpjm has kept updating, but Yundun does not seem to have been touched since, so let's analyze it and write the result up as a tool for your convenience (because it is no longer updated, you don't have to worry about the decryption tool breaking).
In fact, some people on the internet have already analyzed this and written tools. However, I tested many of them and none of them worked, so I decided to analyze it from the beginning.
Open a source file encrypted by Yundun and you will see code like this.
The advertisement comment is built in and cannot be deleted, because an md5 checksum is appended at the end of the file to verify whether the code has been modified.
Looking at the code carefully, you find that it appears garbled. In fact this exploits a blind spot:
PHP allows variable names to extend into the Latin-1 byte range; the regular expression for a variable name is \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*.
I analyzed this yesterday and finally found the answer on the official website; please refer to "Talking about the available characters of PHP variables".
That is a bit of a digression. Let's do the first step of the decryption.
PS: This is just my own decryption idea; better ideas are welcome.
<?php
// First decryption step: rename the Latin-1 function and variable names and escape
// the raw bytes so the file becomes readable. Reconstructed from the garbled listing;
// the input file name 1.php is assumed.
$str = file_get_contents('1.php');
$map = array();

// Functions become fun1, fun2, ... in definition order.
preg_match_all('|function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)|', $str, $params) or die('err 0.');
$i = 1;
foreach (array_unique($params[1]) as $name) {
    $map[$name] = 'fun' . $i++;
}
$str = preg_replace_callback('|(?<![\$\w\x7f-\xff])[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|', function ($m) use ($map) {
    return isset($map[$m[0]]) ? $map[$m[0]] : $m[0];
}, $str);

// Variables become $p1, $p2, ... in order of first appearance. One pass over a complete
// map means a freshly assigned name is never picked up and renamed a second time.
preg_match_all('|\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|', $str, $params) or die('err 1.');
$i = 1;
foreach (array_unique($params[0]) as $name) {
    $map[$name] = '$p' . $i++;
}
$str = preg_replace_callback('|\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|', function ($m) use ($map) {
    return isset($map[$m[0]]) ? $map[$m[0]] : $m[0];
}, $str);

// Remaining control and high bytes are written as \xNN (urlencode yields %NN).
function tohex($m) {
    $p = str_replace('%', '\x', urlencode($m[0]));
    return str_replace('+', ' ', $p);
}
$str = preg_replace_callback('|[\x00-\x08\x0e-\x1f\x7f-\xff]|s', 'tohex', $str);
file_put_contents('1_t1.php', $str);

// Log every replacement; the log is needed again for the second-stage decryption.
$log = '';
foreach ($map as $from => $to) {
    $log .= $from . ' => ' . $to . "\n";
}
file_put_contents('replace_log.txt', $log);
?>
(The code also records a replacement log, which is needed for the second-stage decryption later.)
After execution you get the 1_t1.php output file; open it and you will see code similar to this.
After some further tidying up, the following code is obtained:
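The same first step in Python, as an added example that is not the author's tool: it applies the identifier class given above to the raw bytes, renames functions and variables through one complete map in a single pass (so a freshly assigned $p1 can never be matched and renamed again), leaves PHP's fixed variables such as $this and $_GET alone, and escapes whatever is left as \xNN. The sample input is constructed, and the KEEP set is my own addition.

```python
import re

# A PHP identifier starts with a letter, "_" or any byte 0x7f-0xff and continues
# with word characters or such bytes: the same class the original tool matches,
# applied to raw bytes so nothing is decoded along the way.
IDENT = rb"[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*"
FUNC_DEF = re.compile(rb"function\s+(" + IDENT + rb")")
FUNC_USE = re.compile(rb"(?<![$\w\x7f-\xff])(" + IDENT + rb")")
VAR_USE = re.compile(rb"\$(" + IDENT + rb")")
RAW_BYTE = re.compile(rb"[\x00-\x08\x0e-\x1f\x7f-\xff]")

# Variables whose meaning PHP fixes; renaming them would change behaviour.
# (Assumption: the original tool renamed everything and relied on its log.)
KEEP = {b"this", b"GLOBALS", b"_GET", b"_POST", b"_REQUEST", b"_SERVER",
        b"_COOKIE", b"_FILES", b"_ENV", b"_SESSION"}

# Constructed sample in the shape of a Yundun file: Latin-1 identifiers and raw bytes.
SAMPLE = (b"<?php\n"
          b"function \xc3\xa4bc($\xe9x) { return $\xe9x . \"\x01\"; }\n"
          b"$\xe9x = \xc3\xa4bc('\x80\x81');\n")


def normalize(src: bytes):
    """Return (readable source, rename log) for a Yundun-style PHP file."""
    log = {}

    # Functions are numbered in definition order and renamed wherever the bare
    # identifier appears (definition and call sites).
    for n, name in enumerate(dict.fromkeys(FUNC_DEF.findall(src)), 1):
        log[name] = b"fun%d" % n
    src = FUNC_USE.sub(lambda m: log.get(m.group(1), m.group(0)), src)

    # Variables are numbered by first appearance. One pass with a complete map
    # means a new name can never be picked up and renamed a second time.
    names = [v for v in dict.fromkeys(VAR_USE.findall(src)) if v not in KEEP]
    for n, name in enumerate(names, 1):
        log[b"$" + name] = b"$p%d" % n
    src = VAR_USE.sub(lambda m: log.get(m.group(0), m.group(0)), src)

    # What remains in the high range is string content; write it as \xNN so the
    # file can be read in an editor. The result is for reading, not running:
    # single-quoted PHP strings do not interpret \xNN.
    src = RAW_BYTE.sub(lambda m: b"\\x%02X" % m.group(0)[0], src)
    return src, log


if __name__ == "__main__":
    out, renames = normalize(SAMPLE)
    print(out.decode("latin-1"))
    for old, new in renames.items():
        print(old, b"=>", new)
```

The rename log is the same information the PHP tool writes to replace_log.txt, which is what you need when the second stage has to be mapped back.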
136 ? chr($c/2) : $str[$i] ) : ""; fun2(&'(@$p16($p15(\'eNq9kl1r01AYx79KG0JzDqZJT9KkL2ladXYgWxVsh6iTkCYna7o2yZL0dfTGG0GkoHhVi1dFxi5EZv0KvRSRMYYfQob0A5g0bM6BF0Pw4rw9539+53nO+ZeKhZLTcGKmAeII5kvFgqe5puPH/IGDZcLHfZ9tql01ihLFnmnpdo9p2Zrqm7bFNFxsyETD9508y/Z6P' . $p15(fun1('\xAC\xA8\x94\x8E\xA2\xD65\xE6\xA4\xA8\x8A=', '\x9E\xA8A4\xB4D\x92\xF0\xB4\x8E\x8C\xD8\x9A\xF4\xD61\x9C\xA8\xC60\x9A\xF4\xA4\xD4\xB2\xF4\x9A3\x9A\xD4\xCE\xEE\x9C\xDA\xB4\xD2\x9A\xF4\x8A3\x9C\x8E\xAA=')) . '...\')).$p16($p15($p3)))', "82d1b9a966825e3524eb0ab6e9f21aa7"= 'preg_replace'= '/82d1b9a966825e3524eb0ab6e9f21aa7/e'= 'base64_decode'= 'eval'= 'gzuncompress'= '''(@$p16($p15(\'eNplks9Og0AQxu8mvgMlxrYHoMCyQPkXvdhDE5to4sE0BtihoMgSSqWN8RV60pMX73oy8RG8e/J5bLutIeWyyfebnS/zTcZzbS+Pcy6JOi252/dcexoWSV5y5SIHhy9hXkq3/oPPKO9WSUZoJaY09MuEZmJcQOTwcVnmfUmqqkpcmZFcpMVEWv2E+Vp795Q4BEJK4Hj93NzBwjEUIgemb2JsKB' . $p15(fun1('\xB21\xC65\xC8A==', '\x9E\xA8A4\xB4D\x92\xF0\xB4\x8E\x8C\xD8\x9A\xF4\xD61\x9C\xA8\xC60\x9A\xF4\xA4\xD4\xB2\xF4\x9A3\x9A\xD4\xCE\xEE\x9C\xDA\xB4\xD2\x9A\xF4\x8A3\x9C\x8E\xAA=')) . 'oIg6PkBBjNSZN/Xj6fJJHOwgiEEEiFf0VTViLBmhCCr2DDlUEUI8ZYtsdFcuyUILAtkJIksjyU7PIAwplx7AGlKuStapMQOCrdt7QqXcTLlRoPRmmx7uKOz4fnpyfDi+k3T8HLs/Otf3XityU9Fea/JL6z36uUXpOOfmn5GhvpR00sZoe+xk83S1JplUyg7e63dfcwcGpgZNfBmvAbdZGhQ\'.($p20.=fun2($p20)))))', "82d1b9a966825e3524eb0ab6e9f21aa7" . ($p20 = ''> ;?>76cde264ef549deac4d0fae860b50010
Is it clear? The rest is basic code. There is one more knowledge point: preg_replace. When the regex modifiers contain e, the second parameter (the replacement string) is parsed and executed as PHP code.
$p18 holds the regular expression, and the e at its end is the key point.
In addition, it is best to write the output to a file once more inside fun2, and then replace the variables again using the method above.
The @$p17 line is our real source code, but there is a call to fun2 at the end, because fun2 does the real verification and produces the base64 code at the end.
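The two points above (the e modifier makes the replacement string run as PHP, and every function name is hidden behind a $pNN string variable) are exactly what a scanner has to see through. The following Python is an added example, not part of the original post: it collects the simple $var = 'literal'; assignments, finds calls that resolve to preg_replace with an e-modifier pattern, and reports the eval / gzuncompress / base64_decode chain inside the replacement string. The sample file and its hash-like value are constructed. The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so a file of this shape only runs on old interpreters, which is itself a useful indicator.

```python
import re

# Constructed loader stage in the shape the post describes: function names live in
# string variables, the pattern ends in /e, and the "subject" is simply the value
# the pattern matches, so the replacement string is what actually executes.
SAMPLE = r"""<?php
$p15 = 'base64_decode';
$p16 = 'gzuncompress';
$p17 = 'preg_replace';
$p18 = '/00112233445566778899aabbccddeeff/e';
$p19 = 'eval';
@$p17($p18, '$p19($p16($p15($p3)))', "00112233445566778899aabbccddeeff");
"""

# $name = 'literal';  (simple quoted literals only; escaped quotes are not handled)
ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")
# callee(first_arg[, second_arg]) where callee is a bare name or a $variable
CALL = re.compile(r"""(\$?\w+)\s*\(\s*(\$\w+|'[^']*'|"[^"]*")(?:\s*,\s*('[^']*'|"[^"]*"|\$\w+))?""")
INNER_CALL = re.compile(r"\$(\w+)\s*\(")


def pcre_modifiers(pattern: str) -> str:
    """Modifier letters after the closing delimiter of a PCRE pattern string."""
    pattern = pattern.lstrip()
    if not pattern:
        return ""
    close = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(pattern[0], pattern[0])
    end = pattern.rfind(close)
    return pattern[end + 1:] if end > 0 else ""


def find_regex_e_eval(src: str):
    """Report preg_replace calls whose pattern carries the e modifier, resolving the
    callee and the pattern through the file's own '$var = "literal";' assignments."""
    consts = {name: value for name, _quote, value in ASSIGN.findall(src)}

    def resolve(token):
        # "$p17" -> its literal value if known, otherwise the token itself
        return consts.get(token[1:], token) if token.startswith("$") else token

    findings = []
    for m in CALL.finditer(src):
        callee, first_arg, replacement = m.group(1), m.group(2), m.group(3)
        if resolve(callee) != "preg_replace":
            continue
        pattern = resolve(first_arg) if first_arg.startswith("$") else first_arg[1:-1]
        mods = pcre_modifiers(pattern)
        if "e" not in mods:
            continue
        chain = []
        if replacement and replacement[0] in "'\"":
            chain = [resolve("$" + v) for v in INNER_CALL.findall(replacement[1:-1])]
        findings.append({
            "callee": callee, "pattern_var": first_arg, "pattern": pattern,
            "modifiers": mods, "replacement_chain": chain,
        })
    return findings


if __name__ == "__main__":
    for hit in find_regex_e_eval(SAMPLE):
        print("preg_replace via %s, pattern %s = %s, replacement runs: %s" % (
            hit["callee"], hit["pattern_var"], hit["pattern"],
            " -> ".join(hit["replacement_chain"])))
```

When a finding comes back, the safe way to continue the analysis is the one the post takes: dump the replacement string (the second argument) to a file instead of letting preg_replace evaluate it.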
I'm too lazy to write out the rest, because I have already covered all the knowledge needed for the decryption.
Tomorrow I will post the decryption code I wrote, encrypted with this very tool, and I will provide a decryption API for you to call.
It's not that I'm being pretentious or showing off; teaching someone to fish is better than giving them a fish, and you can also say that you can do it yourself.
Of course there are also people who just want the result and don't want the process, so I will also give you the API directly.