Decrypting a Custom-Encrypted PHP File

Source: Internet
Author: User

This kind of custom encryption is very common in foreign programs. (That is only my guess, because the similar decryption articles I found are all foreign: there are articles in English, Russian and Persian. I cannot read them and the decrypted code differs, but the encryption method is similar. For details, refer to the analysis at the end of the article.) The author of this program can only be described as crazy or abnormal. Let me sort out the code first. The original encrypted code is:

    <?php
    $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');
    $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
    $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
    $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};
    $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};
    $O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14}.$OOO000000{3};
    $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
    $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};
    $OOO0O0O00=__FILE__;
    $OO00O0000=45296;
    eval($OOO0000O0('prop Required bytes Z3eHl6MDEyMzQ1Njc4OSsvJykpO2V2YWwoJE9PMDBPMDBPMCk7 '));
    return;
    ?>

After reading the code, I first changed the eval on the third line from the end to echo, so that the decoded content is printed instead of executed.

Author: YoCo Smart from: Silic Group Hacker Army. Please note: http://blackbap.org

Second, the result of the urldecode on line 2 is: fg6sbehpra4co_tnd. The nastiest part of the encryption is actually the variables: their names are built from the letter O and the digit 0 to confuse the reader, so that nobody can tell what is what (more on this later). The content obtained after the first layer of decryption is as follows:

    <?php
    $OOO000000='fg6sbehpra4co_tnd'; // url-decoded content
    $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
    $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
    $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};
    $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};
    $O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14}.$OOO000000{3};
    $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
    $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};
    $OOO0O0O00=__FILE__;
    $OO00O0000=45296;
    /* content printed by the echo */
    if(!0)$O000O0O00=$OOO000O00($OOO0O0O00,'rb');
    $O0O000O00($O000O0O00,1024);
    $O0O000O00($O000O0O00,4096);
    $OO00O00O0=$OOO0000O0($OOO00000O($O0O00OO00($O000O0O00,380),'vxzw + ready/ready = ','prop + /'));
    eval($OO00O00O0);
    return;
    ?>

In fact, working out what each variable holds is easy: construct a decryption file and run it:

    <?php
    // PHP 8 removed the $str{n} offset syntax; write $str[n] there.
    $OOO000000='fg6sbehpra4co_tnd';
    $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; // base
    $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
    $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};
    $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};
    $O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14}.$OOO000000{3};
    $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
    $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};
    print_r($OOO000O00);
    print_r('<br>');
    print_r($O0O000O00);
    print_r('<br>');
    print_r($O0O00OO00);
    print_r('<br>');
    print_r($OOO00000O);
    return;
    ?>

In this way, we learn the values of the variables:

    $OOO000000 => fg6sbehpra4co_tnd
    $OOO0000O0 => base64_decode
    $OOO000O00 => fopen
    $O0O000O00 => fgets
    $O0O00OO00 => fread
    $OOO00000O => strtr
    $OOO0O0O00 => __FILE__
    $OO00O0000 => 45296

Replace the variables in the original code one by one:

    <?php
    /* definitions from the encrypted part */
    $OOO000000='fg6sbehpra4co_tnd';
    $OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5}; // base
    $OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
    $OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};
    $OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15}; // fopen
    $O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14}.$OOO000000{3}; // fgets
    $O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16}; // fread
    $OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8}; // strtr
    $OOO0O0O00=__FILE__;
    $OO00O0000=45296;
    /* end of the encrypted part */
    /* start of the operation: the second encrypted part of the original code */
    if(!0)$test=fopen(__FILE__,'rb');
    fgets($test,1024);
    fgets($test,4096);
    $data=base64_decode(strtr(fread($test,380),'vxzw + AOPi1FnutgC7H9652JRjI4/records = ','samples +/'));
    eval($data);
    return;
    ?>

Remove the irrelevant code:

    <?php
    if(!0)$test=fopen(__FILE__,'rb');
    fgets($test,1024);
    fgets($test,4096);
    $data=base64_decode(strtr(fread($test,380),'vxzw + AOPi1FnutgC7H9652JRjI4/records = ','samples +/'));
    eval($data);
    return;
    ?>

It is that simple.

PS: There is a pile of data after this code in the original file; it is too long, so I will not post it...

The decryption method is neither clever nor advanced: it is enough to work out what each variable is. I googled and found many foreign examples of decrypting this kind of file, such as ones that confuse the letter O with the digit 0, or mix the letter l with the digit 1. Although I cannot read them, I could not find any domestic examples of decrypting this kind of encryption. This article is meant to fill that gap in China, and also to serve as a reference. I hope the experts will write more articles like this.
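The variable resolution and the strtr/base64 step described above can also be done statically, so that nothing from the sample is ever executed. The following Python script is an added example, not part of the original article: the function names resolve_names and decode_payload are introduced here, and the demo alphabet and payload are constructed because the sample's own translation table is not reproduced in full above.

```python
import base64
import re
from urllib.parse import unquote

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# String-building statements from the header of the sample discussed above.
HEADER = (
    "$OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');"
    "$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};"
    "$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};"
    "$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};"
    "$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};"
    "$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14}.$OOO000000{3};"
    "$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};"
    "$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};"
)

def resolve_names(src):
    """Evaluate the string-building statements statically; no PHP is run."""
    env = {}
    for stmt in filter(None, (s.strip() for s in src.split(";"))):
        m = re.fullmatch(r"\$(\w+)\s*(\.?=)\s*(.+)", stmt)
        if not m:
            continue
        name, op, rhs = m.groups()
        u = re.fullmatch(r"urldecode\s*\(\s*'([^']*)'\s*\)", rhs)
        if u:
            value = unquote(u.group(1))
        else:  # concatenation of $VAR{index} terms, resolved against env
            terms = re.findall(r"\$(\w+)\{(\d+)\}", rhs)
            value = "".join(env[v][int(i)] for v, i in terms)
        env[name] = env.get(name, "") + value if op == ".=" else value
    return env

def decode_payload(blob, custom_alphabet):
    """Python equivalent of base64_decode(strtr($blob, $custom, STD))."""
    return base64.b64decode(blob.translate(str.maketrans(custom_alphabet, STD)))

# Constructed demo: a rotated alphabet and a harmless payload, not the sample's.
DEMO_ALPHABET = STD[13:] + STD[:13]
DEMO_BLOB = base64.b64encode(b"echo 'hello';").decode().translate(
    str.maketrans(STD, DEMO_ALPHABET))

if __name__ == "__main__":
    for var, value in resolve_names(HEADER).items():
        print(f"${var} => {value}")
    print(decode_payload(DEMO_BLOB, DEMO_ALPHABET))
```

To decode a real file of this family, pass decode_payload the bytes read after the header together with the first strtr argument taken from that file's decoded first layer.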
