: This article mainly introduces an encrypted PHP file and writes down the decode process. if you are interested in the PHP Tutorial, refer to it. In the morning, a friend asked me to help read a php file, which contains garbled characters. if I change any character, the operation will be suspended.
The file contains only one row. The following is part of the content:
A heap of character encoding is omitted in the middle, and the final content is
2Kx9yHSQyO/D + 5 + fnPf + v/BSrlfeg = '); return;?> 5e813... 32-bit md5...... 3f6
At first, I used ZendStudio + Xdebug to trace the code. I found that the debugging of this compressed code in a row is not powerful at all! Resumable Upload fails.
After half a day, it still didn't work. just solve it manually.
A simple look, just replace the variable name with some special characters, open it in the editor, and replace several repeated keywords.
A user-defined function is also used. This function is provided at the beginning of the file, that is, "Getting started without getting started ".
Function compute has been completed before ($ A, $ B = "") {$ A = base64_decode ($ A); if (empty ($ A) return ""; if ($ B = "") {return ~ $ A;} else {$ D = strlen ($ A); $ B = str_pad ($ B, $ D, $ B); $ str = $ A ^ $ B; return $ str ;}}
After several simple replacements, you can know what is saved in each field.
Start with the eval function, followed by two decryption functions, and the function name is saved in the array. Similar
The key code that cannot be run after the modification is displayed:
$ A = file_get_contents ('Origin. php '); @ substr ($ A,-32) = md5 (substr ($ A, 0,-32 ). 'Another 32-bit md5', 6) | die ();
After the code is commented out, run the following code:
Another eval, decrypted ......
Because the decrypted file has garbled characters, you cannot directly use Copy & Paste. you must write a file in binary format, replace and decrypt it, and then write a file ...... After a total of five rounds of decryption, the source file is obtained.
Finally, I sorted out a regular expression to fix this file and removed it directly.
Code: http://download.csdn.net/detail/sbdx/8616319
The above introduces an encrypted PHP file, which writes down the decode process, including some content, and hopes to help friends who are interested in PHP tutorials.