On the decryption process of PHP Aegis (PHP tutorial)

Source: Internet
Author: User
A few days ago a friend sent me a shell and asked me to help decrypt it. Opening the source, I saw it was "God Shield (Aegis) encryption", which looks impressive at first glance.
A quick Baidu search showed that Aegis is a very old thing; its last update was on 2012-10-09. It is similar to another obfuscator, PHPJM, and some people say Aegis plagiarised PHPJM, but that is not our concern here.
PHPJM has kept updating while Aegis seemingly has not, so let's analyze Aegis and write a tool along the way for everyone to use (since it is no longer updated, there is no need to worry about the decryption tool breaking).
In fact, someone online has already analyzed this and written tools for it, but I tested many of them and none worked, so I decided to analyze it from scratch.

Opening the Aegis-encrypted source, you see code like this:

It begins with an advertisement comment, which cannot be deleted because an MD5 check value at the end of the file verifies whether the file has been modified.

Looking at the code part, it appears to be garbled, but this is actually a trick:
it exploits the fact that PHP variable names may contain bytes in the Latin1 range, i.e. any name matching the regex \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*.
I spent yesterday analyzing this and finally found the answer on the official website; see "about PHP variable available characters".


That was a bit of a digression; let's do the first decryption step.
PS: This is just my approach to decryption, shared here; if you have a better way, please share it too.

<?php
// Read the Aegis-encrypted file.
$str = file_get_contents("1.php");

// Pass 1: rename every variable (PHP allows bytes 0x7f-0xff in names) to $p1, $p2, ...
preg_match_all('|\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|', $str, $params) or die('err 0.');
$params = array_unique($params[0]);
// Replace longer names first so that a short name is not replaced inside a longer one.
usort($params, function ($a, $b) { return strlen($b) - strlen($a); });
$replace = "";
$i = 1;
foreach ($params as $p) {
    $replace .= '$p' . $i . ' = ' . $p . "\n";   // keep the mapping for the log
    $str = str_replace($p, '$p' . $i, $str);
    $i++;
}

// Pass 2: rename every function definition to fun1, fun2, ...
preg_match_all('|function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)|', $str, $params) or die('err 0.');
$params = array_unique($params[1]);
usort($params, function ($a, $b) { return strlen($b) - strlen($a); });
$i = 1;
foreach ($params as $p) {
    $replace .= 'fun' . $i . ' = ' . $p . "\n";
    $str = str_replace($p, 'fun' . $i, $str);   // renames the definition and all calls
    $i++;
}

// Pass 3: turn the remaining non-printable bytes (inside string literals) into \xNN escapes.
function tohex($m)
{
    $p = urlencode($m[0]);            // e.g. "%A1"
    $p = str_replace('%', '\x', $p);  // -> "\xA1"
    $p = str_replace('+', ' ', $p);   // urlencode turns a space into '+'
    return $p;
}
$str = preg_replace_callback('|[\x00-\x08\x0e-\x1f\x7f-\xff]|s', 'tohex', $str);

file_put_contents("1_t1.php", $str);
file_put_contents("replace_log.txt", $replace . "\n");
?>

(The script also writes a replacement log, which is useful for the second decryption pass later.)
After running it you get a 1_t1.php file; opening it shows code like this:


After further tidying up, we get the following code:

(!defined (' In_decode_82d1b9a966825e3524eb0ab6e9f21aa7 '' \xa130\x8c ',
Fun1 ($str, $FLG = ""(! $flg)= '?'($i =0; $i
=
= $c <245? ($c >136 chr ($c/2): $str [$i]): "";
Fun2 (&' (@ $p ($p 15 (\ ') enq9kl1r01ayx79kg0jzdqzjt9kkl2ladxygwxvsh6itkcyna7o2yzl0dftgg0gkohhvi1dfxi5ezv0kvrsrmyyfqob0a5g0bm6bf0pw4rw9539 +53no+zekhzltcgkmaeii5kvfgqe5puph/igdzclhfz9tql01ihlfnmnpdo9p2zrqm7bfnfxsyetd9508y/z6p '. $p (fun1 (' \xac\xa8\x94\x8e\xa2\xd65\xe6\xa4\xa8\x8a= ', ' \x9e\xa8a4\xb4d\x92\xf0\xb4\x8e\x8c\xd8\x9a\xf4\xd61\ X9c\xa8\xc60\x9a\xf4\xa4\xd4\xb2\xf4\x9a3\x9a\xd4\xce\xee\x9c\xda\xb4\xd2\x9a\xf4\x8a3\x9c\x8e\xaa= ')). ' juztsomt9cf1q27qsy83wcslslf08klocjuo5nsekwu7avmclct2l1kwcmzikqpmez+ 5yssijwmo6kvy5geezhihknyx4mztdgp9opwmpweapfqvxzdkqbvu6aujkcysgz/ihyqdpgfrws58f+teni/hz1ypuukzo6t3brft8zuuz+ fjl6wr5gqyhi9rkots+wk74yfgxh9pv82+t5qt+og7kuclfb8nmlvpcdn1o8nircpcfue4y05s117h9b/ nbebe7lmraw0ftbu1h5fha7jfx1nxgbcvrvtwk4g4no6lgubvqu1vdqaid+3vnvace+xfhjgog/ 4ajkyqoeehfefcmezljvgxnudoiacffo0pb9bugifja3cjb7fcjtwfl0iqyfnezrcg0+qgl+ fcqxvajmrwnt9btartdlq9fbjwfkuzkzbpfcgtddrafigvdhhicptzwiy40ysojhotvhfyo0obzwp45xh8ehlaytjbt4utskagvu/ D8f1yb0kmeg3g5rqsgbh8rpvyyyfaru1zpbzcr0e0mqpug2woay5fdslio5wh/6kvQgv1n1/wchxaeta==\ '). $p ($p ($p 3)) ',
' 82d1b9a966825e3524eb0ab6e9f21aa7 ' = ' Preg_replace '
= '/82d1b9a966825e3524eb0ab6e9f21aa7/e '
= ' Base64_decode '
= ' eval '
= ' gzuncompress '
= ''
(@ $p-$p (\ ' enplks9og0aqxu8mvgmlxryhomcyqpkxvdhde5to4se0btihomgssqwn8rv60pmx73oy8rg8e/j5blutiewyyfebns/ Ztczzbs+pcy6joi252/dcexowsv5y5sihhy9hxkq3/oppko9wsuzojay09muezmjcqotwcvnmfumqqkpcmzfcpmvewv2e+ Vp795q4bejk4hj93nzbwjeuigemb2jskb '. $p (fun1 (' \xb21\xc65\xc8a== ', ' \x9e\xa8a4\xb4d\x92\xf0\xb4\x8e\x8c\xd8\x9a\xf4\xd61\x9c\xa8\xc60\x9a\xf4\xa4\ Xd4\xb2\xf4\x9a3\x9a\xd4\xce\xee\x9c\xda\xb4\xd2\x9a\xf4\x8a3\x9c\x8e\xaa= ')). ' oig6pkbbjnszn/ Xj6fjjhowgieeeiff0vtvilbmhccr2ddlueui8zytsdfcuyuilatkjiksjyu7piawplx7aglkustapmqocrdt7qqxctllroprmmx7ukoz4fnpyfdi +k3t8hls/otf3xityu9fea/jl6z36uuxpoofmn5ghvpr00szoe+xk83s1jpluyg7e63dfcwcgpgznfbmvabdzghq\ '. ($p 20.=fun2 ($p)))) ', ' 82d1b9a966825e3524eb0ab6e9f21aa7 '.
($p 20 = ''   >;?  >76cde264ef549deac4d0fae860b50010
              

It is not very clear, but the rest is ordinary code. One knowledge point: when the regex passed to preg_replace carries the e modifier, the second parameter (the replacement) is evaluated as PHP code.
The $p18 variable holds that regex, and the e at the end is the telltale sign.
Then there is the content of fun2. It is best to write the output to a file again and replace the variables once more with the method above.
The line with @$p17 is our real source code, but its tail contains a call to fun2, because fun2 does the real verification and outputs the trailing base64 code.
I'll be lazy about the rest, since all the knowledge needed for the decryption has already been covered.
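A defender-side counterpart to the two points made in this post (the Latin1-range variable names described near the beginning, and the e modifier on the preg_replace pattern just discussed), written as an added example that is not part of the original post or of any Aegis tooling: a small Python scanner that normalises non-ASCII variable names the way the post's first pass does, and flags string literals that look like a PCRE pattern with the e modifier as well as the base64_decode/gzuncompress/eval chain. The PHP file it scans is constructed for the example; the DECODE_MARKER string and the base64 payload are placeholders, not values from a real Aegis file.

```python
import re

# Constructed sample of an Aegis-style obfuscated PHP file (not a real sample;
# the marker string and the base64 payload are made up for this example).
SAMPLE_PHP = (
    b"<?php\n"
    b"$\xa1\xb2\xc3 = 'preg_replace';\n"
    b"$\xa1\xb2\xc3\xd4 = '/DECODE_MARKER/e';\n"
    b"$\xa1\xb2\xc3($\xa1\xb2\xc3\xd4, \"eval(gzuncompress(base64_decode('aGVsbG8=')))\", 'DECODE_MARKER');\n"
    b"?>\n"
)

# Same variable-name grammar the post quotes: PHP allows bytes 0x7f-0xff in names.
VAR_RE = re.compile(rb"\$[A-Za-z_\x7f-\xff][\w\x7f-\xff]*")
# Single- and double-quoted PHP string literals (backslash escapes respected).
STR_RE = re.compile(rb"'([^'\\]*(?:\\.[^'\\]*)*)'|\"([^\"\\]*(?:\\.[^\"\\]*)*)\"")
# A regex literal: non-alphanumeric delimiter, body, same delimiter, modifiers containing e.
E_MOD_RE = re.compile(rb"([^A-Za-z0-9\\\s]).*\1[A-Za-z]*e[A-Za-z]*", re.DOTALL)
# The decode/execute chain the post finds in the second-stage code.
SUSPICIOUS_FUNCS = ("preg_replace", "base64_decode", "gzuncompress", "eval")


def hex_escape(name: bytes) -> str:
    """Render bytes as printable text, escaping non-ASCII bytes as \\xNN
    (the same shape the post's tohex() callback produces)."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in name)


def find_latin1_variables(src: bytes) -> list:
    """Unique variable names, in order of first appearance, that use bytes >= 0x7f."""
    seen = []
    for m in VAR_RE.finditer(src):
        name = m.group(0)
        if any(b >= 0x7F for b in name) and name not in seen:
            seen.append(name)
    return seen


def normalize_variables(src: bytes) -> bytes:
    """Rename every Latin1-range variable to $p1, $p2, ... (the post's first pass).
    Substituting through the tokenizing regex avoids clobbering $ab inside $abc."""
    mapping = {name: b"$p%d" % (i + 1) for i, name in enumerate(find_latin1_variables(src))}
    return VAR_RE.sub(lambda m: mapping.get(m.group(0), m.group(0)), src)


def find_e_modifier_patterns(src: bytes) -> list:
    """String literals shaped like a PCRE pattern whose modifiers include e.
    PHP before 7.0 evaluated the preg_replace() replacement as code for such patterns."""
    found = []
    for m in STR_RE.finditer(src):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if E_MOD_RE.fullmatch(lit):
            found.append(lit.decode("latin-1"))
    return found


def find_suspicious_functions(src: bytes) -> list:
    """Names from the decode/execute chain present anywhere in the source.
    PHP function names are case-insensitive, so the check lower-cases first."""
    low = src.lower()
    return [f for f in SUSPICIOUS_FUNCS if f.encode() in low]


def scan(src: bytes) -> dict:
    """Run all checks and return a report a reviewer can act on."""
    return {
        "latin1_variables": [hex_escape(n) for n in find_latin1_variables(src)],
        "e_modifier_patterns": find_e_modifier_patterns(src),
        "suspicious_functions": find_suspicious_functions(src),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE_PHP).items():
        print(key, value)
    print(normalize_variables(SAMPLE_PHP).decode("latin-1"))
```

The normalisation step is what makes the rest of the file readable enough to review; the e-modifier check and the function-name check are cheap static signals that a file deserves a closer look before anything in it is executed.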

Tomorrow I will encrypt my decryption code with this tool and post it, and I will provide a decryption API for everyone to call.
It's not that I'm being pretentious or showing off: giving someone a fish is not as good as teaching them to fish, and, as the other saying goes, do it yourself and you will be well fed and clothed.
Of course, some people only want the result and don't care about the process; for them, giving you the API directly comes to the same thing, right?

Source: http://www.bkjia.com/PHPjc/755940.html
