A brief talk on the decryption process of PHP Aegis
A few days ago a friend passed me a shell and asked me to help decrypt it. When I opened the source, the header read "God Shield Encryption" (i.e. Aegis), which looks quite impressive at first glance.
A quick Baidu search showed that Aegis is a rather old product; its last update was on 2012-10-09. It is also very similar to another obfuscator, PHPJM, and some people say Aegis plagiarised PHPJM, but that is not our concern here.
PHPJM has kept updating, while Aegis apparently has not, so we analyse Aegis and write a tool along the way for everyone to use (since Aegis is no longer updated, there is no need to worry about the decryption tool breaking).
Others on the internet have already analysed it and published tools, but I tested many of them and none worked, so I decided to analyse it from scratch.
Open the source of a file encrypted by Aegis and you will see code like this.
The comment at the top is an advertisement, and it cannot simply be deleted, because there is an MD5 check value at the end of the file that is used to verify whether the file has been modified.
Looking at the code itself, it appears to be garbled, but this is a trick.
It relies on the fact that PHP variable names may contain bytes in the Latin1 range: a variable name is anything that matches the regular expression \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*.
I spent yesterday analysing this and finally found the answer on the official PHP site; see the manual's note on which characters a variable name may contain.
That was a bit of a digression; let's take the first step of the decryption.
PS: this is only my own approach to decrypting it, shared for reference; if you have a better way, please share it too.
```php
<?php
$str = file_get_contents("1.php");

// Step 1: replace all variables
// regex: \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*
preg_match_all('|\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|', $str, $params) or die('err 0.');
$params = array_unique($params[0]);   // de-duplicate
// replace longer names first, so a name that is a prefix of a longer one cannot corrupt it
usort($params, function ($a, $b) { return strlen($b) - strlen($a); });
$replace = array();
$i = 1;
foreach ($params as $v) {
    $replace[] = '$p' . $i;
    tolog($v . ' = $p' . $i);   // record the mapping in the log
    $i++;
}
$str = str_replace($params, $replace, $str);

// Step 2: replace all function names
// regex: function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)
preg_match_all('|function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)|', $str, $params) or die('err 0.');
$params = array_unique($params[1]);   // de-duplicate
usort($params, function ($a, $b) { return strlen($b) - strlen($a); });
$replace = array();
$i = 1;
foreach ($params as $v) {
    $replace[] = 'fun' . $i;
    tolog($v . ' = fun' . $i);   // record the mapping in the log
    $i++;
}
$str = str_replace($params, $replace, $str);

// Step 3: replace all non-printable characters
function tohex($m) {
    $p = urlencode($m[0]);            // percent-encode the invisible byte
    $p = str_replace('%', '\x', $p);  // %xx -> \xxx, i.e. a hex escape
    $p = str_replace('+', ' ', $p);   // urlencode turns a space into +
    return $p;
}
$str = preg_replace_callback('|[\x00-\x08\x0e-\x1f\x7f-\xff]|s', 'tohex', $str);

// write the result to a file
file_put_contents("1_t1.php", $str);

function tolog($str) {
    file_put_contents("replace_log.txt", $str . "\n", FILE_APPEND);
}
?>
```
(The tolog() calls write every replacement to a log file, which is useful later when decrypting a second time.)
After running it you get a file 1_t1.php; open it and you will see code like this.
Run it through a formatter (I use the formatting function built into PhpStorm) and the code becomes much clearer.
After some further tidying, we get the following code:
```php
<?php
// start of the decryption code <<===
// note: most numeric suffixes of the $pN variables were lost in this listing;
// $p18 holds the regex and $p17 is preg_replace, as explained below
if (!defined('In_decode_82d1b9a966825e3524eb0ab6e9f21aa7')) {
    define('\xa130\x8c', true);
    function fun1($str, $flg = "") {
        if (!$flg) return (base64_decode($str));
        $ret = '? ';
        for ($i = 0; $i < strlen($str); $i++) {
            $c = ord($str[$i]);
            // bytes >= 245 are dropped, bytes > 136 are halved, the rest are kept
            $ret .= $c < 245 ? ($c > 136 ? chr($c / 2) : $str[$i]) : "";
        }
        return base64_decode($ret);
    }
    function fun2(&$p) {
        global $p, $p, $p, $p, $p, $p3;
        @$p($p, $p19 . '(@$p($p15(\'enq9kl1r01ayx79kg0jzdqzjt9kkl2ladxygwxvsh6itkcyna7o2yzl0dftgg0gkohhvi1dfxi5ezv0kvrsrmyyfqob0a5g0bm6bf0pw4rw9539 +53no+zekhzltcgkmaeii5kvfgqe5puph/igdzclhfz9tql01ihlfnmnpdo9p2zrqm7bfnfxsyetd9508y/z6p '
            . $p(fun1('\xac\xa8\x94\x8e\xa2\xd65\xe6\xa4\xa8\x8a=', '\x9e\xa8a4\xb4d\x92\xf0\xb4\x8e\x8c\xd8\x9a\xf4\xd61\x9c\xa8\xc60\x9a\xf4\xa4\xd4\xb2\xf4\x9a3\x9a\xd4\xce\xee\x9c\xda\xb4\xd2\x9a\xf4\x8a3\x9c\x8e\xaa='))
            . 'Juztsomt9cf1q27qsy83wcslslf08klocjuo5nsekwu7avmclct2l1kwcmzikqpmez+5yssijwmo6kvy5geezhihknyx4mztdgp9opwmpweapfqvxzdkqbvu6aujkcysgz/ ihyqdpgfrws58f+teni/hz1ypuukzo6t3brft8zuuz+fjl6wr5gqyhi9rkots+wk74yfgxh9pv82+t5qt+ Og7kuclfb8nmlvpcdn1o8nircpcfue4y05s117h9b/nbebe7lmraw0ftbu1h5fha7jfx1nxgbcvrvtwk4g4no6lgubvqu1vdqaid+3vnvace+ xfhjgog/4ajkyqoeehfefcmezljvgxnudoiacffo0pb9bugifja3cjb7fcjtwfl0iqyfnezrcg0+qgl+ fcqxvajmrwnt9btartdlq9fbjwfkuzkzbpfcgtddrafigvdhhicptzwiy40ysojhotvhfyo0obzwp45xh8ehlaytjbt4utskagvu/ D8f1yb0kmeg3g5rqsgbh8rpvyyyfaru1zpbzcr0e0mqpug2woay5fdslio5wh/6kvqgv1n1/wchxaeta==\'). $p($p($p3))',
            '82d1b9a966825e3524eb0ab6e9f21aa7');
    }
}
global $p, $p, $p, $p, $p, $p3;
$p = 'preg_replace';
$p = '/82d1b9a966825e3524eb0ab6e9f21aa7/e';
$p = 'base64_decode';
$p = 'eval';
$p = 'gzuncompress';
$p3 = '';
@$p($p, $p19 . '(@$p-$p(\'enplks9og0aqxu8mvgmlxryhomcyqpkxvdhde5to4se0btihomgssqwn8rv60pmx73oy8rg8e/j5blutiewyyfebns/ Ztczzbs+pcy6joi252/dcexowsv5y5sihhy9hxkq3/oppko9wsuzojay09muezmjcqotwcvNmfumqqkpcmzfcpmvewv2e+vp795q4bejk4hj93nzbwjeuigemb2jskb '
    . $p(fun1('\xb21\xc65\xc8a==', '\x9e\xa8a4\xb4d\x92\xf0\xb4\x8e\x8c\xd8\x9a\xf4\xd61\x9c\xa8\xc60\x9a\xf4\xa4\xd4\xb2\xf4\x9a3\x9a\xd4\xce\xee\x9c\xda\xb4\xd2\x9a\xf4\x8a3\x9c\x8e\xaa='))
    . 'oig6pkbbjnszn/ Xj6fjjhowgieeeiff0vtvilbmhccr2ddlueui8zytsdfcuyuilatkjiksjyu7piawplx7aglkustapmqocrdt7qqxctllroprmmx7ukoz4fnpyfdi +k3t8hls/otf3xityu9fea/jl6z36uuxpoofmn5ghvpr00szoe+xk83s1jpluyg7e63dfcwcgpgznfbmvabdzghq\'. ($p20 .= fun2($p))))',
    '82d1b9a966825e3524eb0ab6e9f21aa7' . ($p = 'x\xda\xcb) vnqhbnlrekvc0jozymvtwmzyoxjca9ktusvsam5ruzu6c2rtsmvskm5yoqj0=o\ff.\xadh5\xcf2\x88\xf0u\x8bl*\xcd\xf2223.\xb1\xf0\ff1\xcf+\x02\x00\xb6\xca\xbe'));
// end of the decryption code ===>>
return true;
?>
76cde264ef549deac4d0fae860b50010
```
Now it is quite clear. The rest is basic code, with one key point: when the regex modifier passed to preg_replace contains e, the second argument (the replacement) is interpreted as PHP code and executed.
The $p18 variable holds that regex, and the e at the end is the giveaway.
Then there is the content of fun2. It is best to output it to a file again and replace the variables with the method above.
The line beginning with @$p17 is our real source code, but it has fun2 appended at the tail, because fun2 performs the real verification and emits the trailing base64 code.
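The decoder fun1 and the /e trick above, as an added worked example in Python (not the blog's or Aegis's own code): fun1 is a port of the PHP function, fold is my own inverse of its byte transform used only to build test input, and find_e_modifier is a heuristic scan over string literals, assumed here, that flags a PCRE pattern ending in the e modifier even when preg_replace is called through a variable.

```python
import base64
import re

# Port of the loader's fun1(): bytes >= 245 are dropped, bytes > 136 are
# halved (PHP's chr($c/2) truncates), the rest pass through, then base64-decode.
# With an empty second argument fun1() is just base64_decode().
def fun1(data: bytes, flg: bool = True) -> bytes:
    if not flg:
        return base64.b64decode(data)
    out = bytearray()
    for c in data:
        if c >= 245:
            continue                      # filler byte, discarded
        out.append(c // 2 if c > 136 else c)
    return base64.b64decode(bytes(out))

# My own inverse of that transform (assumed from reading fun1, used for test
# input): base64 characters 'E'..'z' (code >= 69) are doubled, which stays
# below 245; 'A'-'D', digits, '+', '/' and '=' are stored raw because doubling
# them would not exceed 136. Filler bytes >= 245 are inserted every third char.
def fold(plain: bytes, filler: bytes = b"\xfa\xff") -> bytes:
    out = bytearray()
    for i, c in enumerate(base64.b64encode(plain)):
        out.append(c * 2 if c >= 69 else c)
        if i % 3 == 2:
            out += filler
    return bytes(out)

# preg_replace() with the /e modifier evaluates the replacement as PHP
# (PHP 5.x; removed in PHP 7). Because the loader calls it through a variable,
# grepping for "preg_replace(" finds nothing, so scan every quoted literal
# that looks like a PCRE pattern and report those whose modifiers contain 'e'.
_PATTERN_LIT = re.compile(r"""(['"])([/#|~!%])(.+?)\2([a-zA-Z]*)\1""")

def find_e_modifier(php_src: str) -> list:
    hits = []
    for m in _PATTERN_LIT.finditer(php_src):
        if "e" in m.group(4):
            hits.append(m.group(2) + m.group(3) + m.group(2) + m.group(4))
    return hits

# Constructed sample in the shape of the decoded loader above.
SAMPLE_SRC = (
    "$p17 = 'preg_replace';\n"
    "$p18 = '/82d1b9a966825e3524eb0ab6e9f21aa7/e';\n"
    "preg_match_all('|\\$[a-zA-Z_\\x7f-\\xff][\\w\\x7f-\\xff]*|', $str, $m);\n"
)
```

Running fun1 on the first argument passed to it in the listing above yields "U2FBNlE1", which is itself a base64 fragment spliced into the outer payload.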
I am too lazy to write up the rest, since everything needed for the decryption has already been covered above.
Tomorrow I will encrypt my decryption code with this tool and post it, and I will provide a decryption API for everyone to call.
This is not pretending or showing off: teaching someone to fish is better than handing them a fish, and it also keeps my own code covered.
Of course, some people only want the result and do not care about the process; for them, calling my API directly gives the same outcome.