God Shield encryption and decryption tutorial (1): characters allowed in PHP variable names

Source: Internet
Author: User

First, the PHP variable naming rules, which a quick Baidu search turns up everywhere:
(1) PHP variable names are case-sensitive;
(2) A variable name must begin with the dollar sign $;
(3) A variable name may begin with an underscore;
(4) A variable name cannot begin with a digit.

In fact, the naming conventions are similar in all programming languages:
1. The first character of a variable name should be a letter or _, and cannot be a digit
2. From the second character on, digits, letters and _ are allowed

Well, that's pretty much it, but that is not the point here.
Today's topic is the characters available for PHP variable names, which are not limited to digits, letters and _.

A few days ago a friend on QQ sent me a shell. It was encrypted and looked completely garbled, but it had a comment calling it "God Shield Encryption", which sounds rather domineering.
It uses some fairly obscure points of knowledge, the most obvious being its variable names, so today we start with variables.

I could not find any authoritative material online describing which characters are allowed in PHP variable names, so I had to test it myself. (My English is poor, so I could not find good evidence on Google.)
Here is the method I used (if you have a better one, please share it):

The code is as follows:

<?php
// Try each posted byte value as a one-character variable name.
if ($_POST) {
    $chr = chr((int) $_POST['chr']);   // byte value 0-255 -> single character
    eval('$' . $chr . ' = 1;');        // a parse error here means the byte is not allowed
    echo 'OK';
    exit;
}
?>
<!doctype html>
<meta charset="UTF-8">
<title>test</title>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.js"></script>
<body>
<script>
for (var i = 0x00; i <= 0xFF; i++) { // every byte value 0x00-0xFF
    $.ajaxSettings.async = false; // synchronous mode, so results come back in order
    $.post("?", {chr: i}, function (data) { // POST i for PHP to parse
        // Only an exact 'OK' means the code ran normally; otherwise an error was raised
        data == 'OK' && console.log("\\x" + i.toString(16));
    });
}
</script>
</body>

The code is fairly simple. The PHP part only evaluates each character as a variable name; if the character is not valid, an error is raised.
For example, the character a becomes eval('$a = 1;'); which is certainly fine, so no error is raised and the response is just OK.
If the character is -, it becomes eval('$- = 1;'); which is obviously wrong, so the response is PHP Parse error: syntax error, unexpected '-', expecting T_VARIABLE or '$' together with OK.
The Ajax part below then checks whether the response is exactly 'OK' to decide whether the character is valid in a variable name.
Let's see what happens after execution:

"\x41, \x42, \x43, \x44, \x45, \x46, \x47, \x48, \x49, \x4a, \x4b, \x4c, \x4d, \x4e, \x4f, \x50, \x51, \x52, \x53, \x54, \x55, \x56, \x57, \x58, \x59, \x5a, \x5f, \x61, \x62, \x63, \x64, \x65, \x66, \x67, \x68, \x69, \x6a, \x6b, \x6c, \x6d, \x6e, \x6f, \x70, \x71, \x72, \x73, \x74, \x75, \x76, \x77, \x78, \x79, \x7a, \x7f, \x80, \x81, \x82, \x83, \x84, \x85, \x86, \x87, \x88, \x89, \x8a, \x8b, \x8c, \x8d, \x8e, \x8f, \x90, \x91, \x92, \x93, \x94, \x95, \x96, \x97, \x98, \x99, \x9a, \x9b, \x9c, \x9d, \x9e, \x9f, \xa0, \xa1, \xa2, \xa3, \xa4, \xa5, \xa6, \xa7, \xa8, \xa9, \xaa, \xab, \xac, \xad, \xae, \xaf, \xb0, \xb1, \xb2, \xb3, \xb4, \xb5, \xb6, \xb7, \xb8, \xb9, \xba, \xbb, \xbc, \xbd, \xbe, \xbf, \xc0, \xc1, \xc2, \xc3, \xc4, \xc5, \xc6, \xc7, \xc8, \xc9, \xca, \xcb, \xcc, \xcd, \xce, \xcf, \xd0, \xd1, \xd2, \xd3, \xd4, \xd5, \xd6, \xd7, \xd8, \xd9, \xda, \xdb, \xdc, \xdd, \xde, \xdf, \xe0, \xe1, \xe2, \xe3, \xe4, \xe5, \xe6, \xe7, \xe8, \xe9, \xea, \xeb, \xec, \xed, \xee, \xef, \xf0, \xf1, \xf2, \xf3, \xf4, \xf5, \xf6, \xf7, \xf8, \xf9, \xfa, \xfb, \xfc, \xfd, \xfe, \xff"

Collected together, the result is this list of hexadecimal values. It does not matter if they mean nothing to you; look at the result after unescaping:

"A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, _, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z, ?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?, ?,?,?,?,?,, ¡, ¢, £, ¤, ¥, ¦, §, ¨, ©, ª, «, ¬, ®, ¯, °, ±, ², ³, ´, µ, ¶, ·, ¸, ¹, º, », ¼, ½, ¾, ¿, À, Á, Â, Ã, Ä, Å, Æ, Ç, È, É, Ê, Ë, Ì, Í, Î, Ï, Ð, Ñ, Ò, Ó, Ô, Õ, Ö, ×, Ø, Ù, Ú, Û, Ü, Ý, Þ, ß, à, á, â, ã, ä, å, æ, ç, è, é, ê, ë, ì, í, î, ï, ð, ñ, ò, ó, ô, õ, ö, ÷, ø, ù, ú, û, ü, ý, þ, ÿ"

Apart from the familiar A-Z, _ and a-z at the front, the messy-looking characters after them can also be used in ordinary variable names, which is hard to believe.
In fact, PHP extends the character range of variable names: on top of a-zA-Z_, the range \x7f-\xff is also allowed.
So the range for the first character is [a-zA-Z_\x7f-\xff].
Is the second character the same? Let's go on and test.
Change eval('$' . $chr . ' = 1;'); in the PHP code above to eval('$a' . $chr . ' = 1;'); then save and test:

"\x9, \xa, \xd, \x20, \x30, \x31, \x32, \x33, \x34, \x35, \x36, \x37, \x38, \x39, \x41, \x42, \x43, \x44, \x45, \x46, \x47, \x48, \x49, \x4a, \x4b, \x4c, \x4d, \x4e, \x4f, \x50, \x51, \x52, \x53, \x54, \x55, \x56, \x57, \x58, \x59, \x5a, \x5f, \x61, \x62, \x63, \x64, \x65, \x66, \x67, \x68, \x69, \x6a, \x6b, \x6c, \x6d, \x6e, \x6f, \x70, \x71, \x72, \x73, \x74, \x75, \x76, \x77, \x78, \x79, \x7a, \x7f, \x80, \x81, \x82, \x83, \x84, \x85, \x86, \x87, \x88, \x89, \x8a, \x8b, \x8c, \x8d, \x8e, \x8f, \x90, \x91, \x92, \x93, \x94, \x95, \x96, \x97, \x98, \x99, \x9a, \x9b, \x9c, \x9d, \x9e, \x9f, \xa0, \xa1, \xa2, \xa3, \xa4, \xa5, \xa6, \xa7, \xa8, \xa9, \xaa, \xab, \xac, \xad, \xae, \xaf, \xb0, \xb1, \xb2, \xb3, \xb4, \xb5, \xb6, \xb7, \xb8, \xb9, \xba, \xbb, \xbc, \xbd, \xbe, \xbf, \xc0, \xc1, \xc2, \xc3, \xc4, \xc5, \xc6, \xc7, \xc8, \xc9, \xca, \xcb, \xcc, \xcd, \xce, \xcf, \xd0, \xd1, \xd2, \xd3, \xd4, \xd5, \xd6, \xd7, \xd8, \xd9, \xda, \xdb, \xdc, \xdd, \xde, \xdf, \xe0, \xe1, \xe2, \xe3, \xe4, \xe5, \xe6, \xe7, \xe8, \xe9, \xea, \xeb, \xec, \xed, \xee, \xef, \xf0, \xf1, \xf2, \xf3, \xf4, \xf5, \xf6, \xf7, \xf8, \xf9, \xfa, \xfb, \xfc, \xfd, \xfe, \xff"

There are more characters this time, but some of them have to be removed. For example, \x20 is a space, so the code is equivalent to eval('$a = 1;'); and of course runs normally.
Besides the space, \t, \r and \n must also be removed, because PHP syntax allows them as whitespace (\t=\x9, \n=\xa, \r=\xd). So the first 4 values in the result, \x9, \xa, \xd, \x20, are dropped.
What remains adds only \x30, \x31, \x32, \x33, \x34, \x35, \x36, \x37, \x38, \x39 to the first list; anyone familiar with ASCII will see at a glance that these are the digits 0-9.
So the range for the second character is [\w\x7f-\xff]. If \w is unfamiliar you may wonder why it is not [0-9a-zA-Z_\x7f-\xff]; in fact, \w is 0-9a-zA-Z_.

Someone may ask: what about variables like $$a; and ${$a};?
I think those are outside the scope of variable naming.
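
As an added example (not code from the original post), the two ranges found above can be turned into a byte-level scan that lists variable names containing \x7f-\xff bytes, the trait that made the file described at the start of this post look garbled. The function names and the sample bytes are constructed for illustration.

```python
import re

# Ranges the page derived by testing: first byte [a-zA-Z_\x7f-\xff],
# later bytes [0-9a-zA-Z_\x7f-\xff]. Bytes pattern: no decoding needed.
VAR_RE = re.compile(rb"\$([a-zA-Z_\x7f-\xff][0-9a-zA-Z_\x7f-\xff]*)")


def escape_name(name: bytes) -> str:
    """Render a name with every non-printable or high byte as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else f"\\x{b:02x}" for b in name)


def high_byte_variables(source: bytes) -> dict:
    """Map each name holding a \\x7f-\\xff byte to [uses, decodes_as_utf8]."""
    hits = {}
    for match in VAR_RE.finditer(source):
        name = match.group(1)
        if not any(b >= 0x7f for b in name):
            continue
        try:
            name.decode("utf-8")
            utf8 = True   # may be a legitimate non-English identifier
        except UnicodeDecodeError:
            utf8 = False  # raw high bytes that are not valid UTF-8
        hits.setdefault("$" + escape_name(name), [0, utf8])[0] += 1
    return hits


def summarize(source: bytes) -> dict:
    """Count all variable uses and those whose names contain high bytes."""
    names = high_byte_variables(source)
    return {"total": len(VAR_RE.findall(source)),
            "high": sum(uses for uses, _ in names.values()),
            "names": names}


# Constructed sample (harmless PHP), not taken from any real file.
SAMPLE = (b"<?php\n$count = 1;\n$\xe5\x90\x8d = 'utf8 name';\n$\xa1\xfe = 2;\n"
          b"$a\x80 = $\xa1\xfe + $count;\necho $a\x80;\n")

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print(f"{report['high']} of {report['total']} variable uses have high bytes")
    for name, (uses, utf8) in sorted(report["names"].items()):
        print(f"  {name}  uses={uses}  valid_utf8={utf8}")
```

A regex over raw bytes also matches $name sequences inside strings and comments, and names that decode as UTF-8 can be legitimate, so the output is a triage signal rather than a verdict.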

That is all for this knowledge point about the characters available in PHP variable names. If anything is wrong, please leave a message and I will correct it promptly to avoid misleading anyone.

My guess: ASCII covers 0-127 (\x00-\x7f) and Latin1 covers 0-255 (\x00-\xff), so perhaps PHP extends the range to the Latin1 character set. Of course, I have not read the PHP source code, so this is only a conjecture.
