Tutorial on how to encrypt and decrypt data by using Alibaba Cloud Security (2) decryption _ PHP instance by using php

Some days ago, a friend lost a shell to me and asked me to decrypt it. I opened the source code and read it, saying "shield encryption ", baidu found that yundun was a very old thing. The last update was in 2012-10-09. Another similar to phpjm is phpjm. some people say that phpjm has been copied by Alibaba Cloud Security. these are not our concerns. phpjm has been being updated, but it seems that this does not happen, let's analyze yundun and write it as a tool for your convenience (because it is not updated, you don't have to worry about the failure of the decryption tool ). In fact, some people have already analyzed this on the internet and have written it as a tool. However, I have tested many tools, but none of them can be used. so I decided to analyze it from the beginning.

Open the source code encrypted by Alibaba Cloud security and you can see this code.

The advertisement comment is written and cannot be deleted, because an md5 verification code is provided at the end of the file to verify whether the code has been modified ,,

Looking at the code carefully, we found that the code is garbled. In fact, this is a blind spot,
It uses the php variable to expand to the latin1 character range, the variable matching regular is in the format of \ $ [a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff.
I have analyzed the analysis in the past few days and finally found the answer on the official website. please refer 《Tutorial on how to encrypt and decrypt a PHP variable"

A little too far. let's do the first step of decryption.
PS: This is just my decryption idea. I 'd like to share with you some better ideas ..

The code is as follows:

$ Str = file_get_contents ("1.php ");

// Replace all variables in step 1
// Regular \ $ [a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff] *
Preg_match_all ('| \ $ [a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff] * |', $ str, $ params) or die ('err 0. ');
$ Params = array_unique ($ params [0]); // deduplication
$ Replace = array ();
$ I = 1;
Foreach ($ params as $ v ){
$ Replace [] = '$ p'. $ I;
Tolog ($ v. '=> $ p'. $ I); // record to log
$ I ++;
}
$ Str = str_replace ($ params, $ replace, $ str );

// Replace all function names in step 2
// Regular function ([a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff] *)
Preg_match_all ('| function ([a-zA-Z _ \ x7f-\ xff] [\ w \ x7f-\ xff] *) |', $ str, $ params) or die ('err 0. ');
$ Params = array_unique ($ params [1]); // deduplication
$ Replace = array ();
$ I = 1;
Foreach ($ params as $ v ){
$ Replace [] = 'fun '. $ I;
Tolog ($ v. '=> fun'. $ I); // record to log
$ I ++;
}
$ Str = str_replace ($ params, $ replace, $ str );

// Replace all non-printable characters in step 3
Function tohex ($ m ){
$ P = urlencode ($ m [0]); // converts all invisible characters to hexadecimal,
$ P = str_replace ('%', '\ X', $ p );
$ P = str_replace ('+', '', $ p); // urlencode converts spaces to +
Return $ p;
}
$ Str = preg_replace_callback ('| [\ x00-\ x08 \ x0e-\ x1f \ x7f-\ xff] | s', "tohex", $ str );

// Write to file
File_put_contents ("effect1.php", $ str );

Function tolog ($ str ){
File_put_contents ("replace_log.txt", $ str. "\ n", FILE_APPEND );
}
?>

(There is a log recorded code, which is useful for subsequent secondary decryption .)
After execution, you will get a javast1.php file. open the file and you will see code similar to this.

Find a tool to format it. phpstorm comes with the formatting function, and the code is much clearer.

The following code is obtained after further sorting:

The code is as follows:

// Start code decryption <=
If (! Defined ('in _ DECODE_82d1b9a966825e3524eb0ab6e9f21aa7 ')){
Define ('\ xA130 \ x8c', true );

Function fun1 ($ str, $ flg = ""){
If (! $ Flg) return (base64_decode ($ str ));

$ Ret = '? ';
For ($ I = 0; $ I $ C = ord ($ str [$ I]);
$ Ret. = $ c <245? ($ C> 136? Chr ($ c/2): $ str [$ I]): "";
}
Return base64_decode ($ ret );
}

Function fun2 (& $ p14)
{
Global $ p15, $ p16, $ p17, $ p18, $ p19, $ p3;
@ $ P17 ($ p18, $ p19. '(@ $ p16 ($ p15 (\ 'signature + 53nO + ZeKhZLTcGKmAeII5kvFgqe5puPH/Signature/z6p '. $ p15 (fun1 ('\ xAC \ xA8 \ x94 \ x8E \ xA2 \ xD65 \ xE6 \ xA4 \ xA8 \ x8A = ', '\ x9E \ xA8A4 \ xB4D \ x92 \ xF0 \ xB4 \ x8E \ x8C \ xD8 \ x9A \ xF4 \ xD61 \ x9C \ xA8 \ x60\ x9A \ xF4 \ xA4 \ xD4 \ xB2 \ xF4 \ x9A3 \ x9A \ xD4 \ xCE \ xEE \ x9C \ xDA \ xB4 \ xD2 \ x9A \ xF4 \ x8A3 \ x9C \ x8E \ xAA = ')). 'samples + samples/samples + Teni/samples + Wk74yfGXH9Pv82 + T5Qt + samples/samples + 3 vNVACE + xFHjgoG/samples + QGl + samples/6kVQGv1n1/wChxaEtA == \ ')). $ p16 ($ p15 ($ p3) ', "82d1b9a966825e3524eb0ab6e9f21aa7 ");
}
}
Global $ p15, $ p16, $ p17, $ p18, $ p19, $ p3;
$ P17 = 'preg _ replace ';
$ P18 = '/82d1b9a966825e3524eb0ab6e9f21aa7/E ';
$ P15 = 'base64 _ decode ';
$ P19 = 'eval ';
$ P16 = 'gzuncompress ';
$ P3 = '';

@ $ P17 ($ p18, $ p19. '(@ $ p16 ($ p15 (\ 'workshop/J5bLutIeWyyfebnS/zTcZzbS + Pcy6JOi252/dcexoWSV5y5SIHhy9hXkq3/workshop + workshop '. $ p15 (fun1 ('\ xB21 \ xC65 \ xC8A = ', '\ x9E \ xA8A4 \ xB4D \ x92 \ xF0 \ xB4 \ x8E \ x8C \ xD8 \ x9A \ xF4 \ xD61 \ x9C \ xA8 \ x60\ x9A \ xF4 \ xA4 \ xD4 \ xB2 \ xF4 \ x9A3 \ x9A \ xD4 \ xCE \ xEE \ x9C \ xDA \ xB4 \ xD2 \ x9A \ xF4 \ x8A3 \ x9C \ x8E \ xAA = ')). 'oig6pkbbjnszn/records + k3T8HLs/Otf3XityU9Fea/JL6z36uUXpOOfmn5GhvpR00sZoe + records \'. ($ p20. = fun2 ($ p20) ', "82d1b9a966825e3524eb0ab6e9f21aa7 ". ($ p20 = 'x \ xDA \ xCB)
Signature =
O \ FF. \ xADH5 \ xCF2 \ x88 \ xF0u \ x8BL * \ xCD \ xF2223.
\ XB1 \ xF0 \ FF1 \ xCF + \ x02 \ x00 \ xB6 \ xCA
\ XBE '));
// End of the decryption code ==>>
Return true;?> 76cdemo-ef549deac4d0fae860b50010

Is it clear? the rest is the basic code. There is also a knowledge point: preg_replace. when the regular modifier contains e, the second parameter will be parsed and executed as the php code,
$ P18 is the regular expression, and the e at the end is shining.
In addition, it is best to output a file again in fun2, and then replace the variable with the above method.
@ $ P17 the line is our real source code, but there is a function in fun2 at the end, because fun2 is the real verification and output of base64 code at the end.
I am lazy to write the rest, because I have already mentioned all the knowledge used for decryption,

Tomorrow, I will post the decryption code I wrote with this tool for encryption. I will provide the decryption api for you to call.
It's not that I pretend to be forced or show off, because it's better to teach fish to fish than to teach fish. you can also say that you can do it yourself.
Of course there are also people who just want to get the results and don't want the process, so I will give you the same api directly, right.