Tutorial on how to encrypt and decrypt a PHP variable

Let's talk about the naming rules of php variables:
(1) PHP variable names are case sensitive;
(2) The variable name must start with the dollar sign $;
(3) A variable name can start with an underscore;
(4) The variable name cannot start with a number.

In fact, the naming rules for all programming are similar:
1. the first character of the variable is preferably a letter or _. It cannot start with a number.
2. The second character can start with a number, letter ,_

Well, that's almost the case, but this is not the point we're going to focus on.
Today, let's talk about the available characters of PHP variables, not just numbers, letters,.

A friend sent me a shell on QQ a few days ago. It was encrypted and garbled, but there was a comment on it, which is called "shield encryption.
Some uncommon knowledge points are used, the most obvious of which is the variable name. So let's start with the variable today.

Of course, I did not find any authoritative materials on the Internet to strongly illustrate the available characters of PHP variable names, so I can only test it myself. (Poor English, no good evidence for Google)
First, let's take a look at the method I used. (If you have a better method, I hope to share it with you .)

Copy codeThe Code is as follows:
<? Php
If ($ _ POST ){
$ Chr = chr ($ _ POST ['chr']);
Eval ('$'. $ chr. "= 1 ;");
Echo 'OK ';
Exit;
}
?>
<! Doctype html>
<Html lang = "en">
<Head>
<Meta charset = "UTF-8">
<Title> test </title>
<Script src = "http://ajax.googleapis.com/ajax/libs/jquery/1.8.2/jquery.js"> </script>
</Head>
<Body>
<Script>
For (var I = 0x00; I <= 0xFF; I ++) {// 0x00-0xFF 255 characters
$. AjaxSettings. async = false; // synchronous mode, in order to return data in order
$. Post ("? ", {Chr: I}, (function (data) {// post I parse to php
Data = 'OK' & console. log ("\ x" + (I ). toString (16); // If only OK is returned, the task can be executed normally. Otherwise, an exception is thrown.
});
}
</Script>
</Body>
</Html>

The code is relatively simple. The PHP part is only responsible for parsing each character as the variable name and whether the execution result will throw overflow.
For example, if character a is used, the eval ('$ a = 1;') will be parsed. This result is certainly okay, so no exception is thrown. The returned result is an OK character.
If the character-is used, eval ('$-= 1;') will be parsed. This is obviously incorrect, so PHP Parse error: syntax error, unexpected '-' will be thrown '-', expecting T_VARIABLE or '$' and OK characters.
The following ajax component uses whether the returned result is 'OK' to determine whether it is a valid variable name.
Let's see what the execution result is:

Copy codeThe Code is as follows:
"\ X41, \ x42, \ x43, \ x44, \ x45, \ x46, \ x47, \ x48, \ x49, \ x4a, \ x4b, \ x4c, \ x4d, \ x4e, \ x4f, \ x50, \ x51, \ x52, \ x53, \ x54, \ x55, \ x56, \ x57, \ x58, \ x59, \ x5a, \ x5f, \ x61, \ x62, \ x63, \ x64, \ x65, \ x66, \ x67, \ x68, \ x69, \ x6a, \ x6b, \ x6c, \ x6d, \ x6e, \ x6f, \ cross, \ x71, \ x72, \ x73, \ x74, \ x75, \ x76, \ x77, \ x78, \ x79, \ x7a, \ x7f, \ x80, \ x81, \ x82, \ x83, \ x84, \ x85, \ x86, \ x87, \ x88, \ x89, \ x8a, \ x8b, \ x8c, \ x8d, \ x8e, \ x8f, \ x90, \ x91, \ x92, \ x93, \ x94, \ x95, \ x96, \ x97, \ x98, \ x99, \ x9a, \ x9b, \ x9c, \ x9d, \ x9e, \ x9f, \ xa0, \ xa1, \ xa2, \ xa3, \ xa4, \ xa5, \ xa6, \ xa7, \ xa8, \ xa9, \ xaa, \ xab, \ xac, \ xad, \ xae, \ xaf, \ xb0, \ xb1, \ xb2, \ xb3, \ xb4, \ xb5, \ xb6, \ xb7, \ xb8, \ xb9, \ xba, \ xbb, \ xbc, \ xbd, \ xbe, \ xbf, \ xc0, \ xc1, \ xc2, \ xc3, \ xc4, \ xc5, \ xc6, \ xc7, \ xc8, \ xc9, \ xca, \ xcb, \ xcc, \ xcd, \ xce, \ xcf, \ xd0, \ xd1, \ xd2, \ xd3, \ xd4, \ xd5, \ xd6, \ xd7, \ xd8, \ xd9, \ xda, \ xdb, \ xdc, \ xdd, \ xde, \ xdf, \ xe0, \ xe1, \ xe2, \ xe3, \ xe4, \ xe5, \ xe6, \ xe7, \ xe8, \ xe9, \ xea, \ xeb, \ xec, \ xed, \ xee, \ xef, \ xf0, \ xf1, \ xf2, \ xf3, \ xf4, \ xf5, \ xf6, \ xf7, \ xf8, \ xf9, \ xfa, \ xfb, \ xfc, \ xfd, \ xfe, \ xff"

After sorting, we found that the hexadecimal data is like this. Of course, it doesn't matter if you don't understand it. Let's look at the escaped results:

Copy codeThe Code is as follows:
"A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, t, U, V, W, X, Y, Z, _, a, B, c, d, e, f, g, h, I, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z ,,?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, , Charge, charge, £, charge, ¥, charge,©, Operator, «, operator, ­,®, Hour, °, ±, ², hour, ', μ, hour, ·, hour, hour, °,», hour, À, Á, â, region, ä, region, region, C, É, É, Qu, JIU, Í, Í, Qu, Qu, juannez, juannez, Ó, JIU, JIU, ö, ×, Ø, Zou, ú, Zou, U, Lu, à, á, â, ã, ä, Qu, ç, ç, é, é, upper, lower, upper, N, lower, upper, lower, ú, lower, U, lower, success, fail"

In addition to the previous A-Z_a-z is familiar to us, the things behind it can also be used as a normal variable name, it is incredible.
In fact, only PHP expands the character range of the variable name, on the A-Z_a-z, the variable available character range extended to \ x7f-\ xff.
Therefore, the first character range should be [a-zA-Z _ \ x7f-\ xff]
The second character can also be used. Let's continue the test.
Run the eval ('$' in the above php code '. $ chr. "= 1;"); change to eval ('$ '. $ chr. "= 1;"); save test,

Copy codeThe Code is as follows:
"\ X9, \ xa, \ xd, \ x20, \ x30, \ x31, \ x32, \ x33, \ x34, \ x35, \ x36, \ x37, \ x38, \ x39, \ x41, \ x42, \ x43, \ x44, \ x45, \ x46, \ x47, \ x48, \ x49, \ x4a, \ x4b, \ x4c, \ x4d, \ x4e, \ x4f, \ x50, \ x51, \ x52, \ x53, \ x54, \ x55, \ x56, \ x57, \ x58, \ x59, \ x5a, \ x5f, \ x61, \ x62, \ x63, \ x64, \ x65, \ x66, \ x67, \ x68, \ x69, \ x6a, \ x6b, \ x6c, \ x6d, \ x6e, \ x6f, \ cross, \ x71, \ x72, \ x73, \ x74, \ x75, \ x76, \ x77, \ x78, \ x79, \ x7a, \ x7f, \ x80, \ x81, \ x82, \ x83, \ x84, \ x85, \ x86, \ x87, \ x88, \ x89, \ x8a, \ x8b, \ x8c, \ x8d, \ x8e, \ x8f, \ x90, \ x91, \ x92, \ x93, \ x94, \ x95, \ x96, \ x97, \ x98, \ x99, \ x9a, \ x9b, \ x9c, \ x9d, \ x9e, \ x9f, \ xa0, \ xa1, \ xa2, \ xa3, \ xa4, \ xa5, \ xa6, \ xa7, \ xa8, \ xa9, \ xaa, \ xab, \ xac, \ xad, \ xae, \ xaf, \ xb0, \ xb1, \ xb2, \ xb3, \ xb4, \ xb5, \ xb6, \ xb7, \ xb8, \ xb9, \ xba, \ xbb, \ xbc, \ xbd, \ xbe, \ xbf, \ xc0, \ xc1, \ xc2, \ xc3, \ xc4, \ xc5, \ xc6, \ xc7, \ xc8, \ xc9, \ xca, \ xcb, \ xcc, \ xcd, \ xce, \ xcf, \ xd0, \ xd1, \ xd2, \ xd3, \ xd4, \ xd5, \ xd6, \ xd7, \ xd8, \ xd9, \ xda, \ xdb, \ xdc, \ xdd, \ xde, \ xdf, \ xe0, \ xe1, \ xe2, \ xe3, \ xe4, \ xe5, \ xe6, \ xe7, \ xe8, \ xe9, \ xea, \ xeb, \ xec, \ xed, \ xee, \ xef, \ xf0, \ xf1, \ xf2, \ xf3, \ xf4, \ xf5, \ xf6, \ xf7, \ xf8, \ xf9, \ xfa, \ xfb, \ xfc, \ xfd, \ xfe, \ xff"

The result contains many characters, but some of them need to be removed. For example, \ x20 is actually a space, which is equivalent to eval ('$ a = 1, of course, it can be executed normally.
In addition to spaces, \ t \ r \ n is removed because these are also permitted by PHP syntax \ t = \ x9, \ n = \ xa, \ r = \ xd, therefore, we need to remove the first four data in the Result \ x9, \ xa, \ xd, \ x20,
The final result is only \ x30, \ x31, \ x32, \ x33, \ x34, \ x35, \ x36, \ x37, \ x38, \ x39 people who are familiar with ascii may see it at a Glance. This is the number 0-9.
Therefore, the first character range should be [\ w \ x7f-\ xff], which is unfamiliar with regular expressions. Maybe it's not [0-9a-zA-Z _ \ x7f-\ xff], in fact, \ w is 0-9a-zA-Z _

Maybe someone will say $ a; $ {$ a}; what about such variables?
I think this is out of the variable naming range, isn't it.

Now, I have shared the knowledge about available characters in php variables. If anything is wrong, please leave a message and I will correct it in time to avoid misleading everyone.

My guess: the ascii range is 0-127 (\ x00-\ x7f), latin1 range is 0-255 (\ x00-\ xff ), maybe PHP expands the scope to the latin1 character set. Of course, I have not read the PHP source code and can only say it is a conjecture.