Decryption and removal of a PHP Trojan-free webshell

Today, I want to find a PHP Trojan to manage my own space, but I don't have it at hand. I had to find a PHP Trojan on the Internet. I found a new version of the black/white network is called "Kill PHP Trojan, so I downloaded it and killed my avast --! Okay.

So turn off anti-virus and download it again. Okay, this is an episode! ,

Download the PHP source file just below here </P> <p> http://down.qiannao.com/space/file/strivescript/share/2011/2/7/-514d-6740php-5927-9a6c_-521d-4e0b-8f7d-7248.rar/.page

 

Then, move things to the PHP environment in the Virtual Machine and open it. There is encryption. The function used is:

First use this function base64_decode () and then use this function gzuncompress () for encryption. The good thing is that the ciphertext is one piece, and then cut all the parts.

Re-write a PHP file:

<? Php <br/> print_r (gzunconpress (base64_decode (ciphertext segment); <br/>?>

 

 

This is simple,Source codeAll in one view !!!!

 

View SourceCodeAfter

CTRL + F find this http ://

Check the source code and find that there is another encryption point:

The above method is used to find a backdoor.

 

<SCRIPT src = 'webshell address'> </SCRIPT>

 

Then delete the code.

OK. Run it and you will find that no mix. dll can be released.

It's rare to download the decrypted source code here.

 

 

Http://down.qiannao.com/space/file/strivescript/share/2011/2/7/-9700-8981-91ca-653edll-7684php-9a6c.zip/.page <br/>

 

 

 

 

You can also use this online storage and share it with us:

Http://upload.qiannao.com/tomos/ui/qnupload.jsp? Id = strivescript