浅谈 PHP 神盾的解密过程-php手册-php.cn

Home

php教程

php手册

浅谈 PHP 神盾的解密过程

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 am 09:37 AM

aspnet software programming

前些日子一个朋友丢了个shell给我，让我帮忙解密，打开源码看了下写着是 “神盾加密” , 牛逼闪闪的样子、
百度下发现神盾是个很古老的东西，最后一次更新是在 2012-10-09。和他相似的另一款是phpjm，有人说是神盾抄袭phpjm的，这些都不是我们所要关心的问题、
phpjm一直在更新，而神盾貌似不搞了，我们分析下神盾，顺便写成工具，方便大家使用(因为他不更新，所以就不用担心解密工具失效问题了)。
其实网上早就有人分析过这个了，而且写成了工具、但是我测试了很多个，没一个能用，所以决定自己从头分析一遍。

打开神盾加密过后的源码，可以看到这样的代码

上面写着广告注释，而且不能删除，因为文件末尾有个md5效验码，以验证代码是否被修改过，如图、

再仔细看代码部分，发现里面都是乱码，其实这都是障眼法，
它利用了php变量扩充到 latin1 字符范围，其变量匹配正则是 \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]* 这样的格式。
这个昨天已经分析过了，最终也在官网找到了答案，请看《浅谈 PHP 变量可用字符》

有点扯远了，我们来做第一步解密处理吧。
PS: 这只是我的解密思路，与大家分享一下，也许你有更好的方法还望分享。。

<?<span php
$str </span>= file_get_contents("1.php"<span );

</span><span //</span><span  第一步 替换所有变量</span><span 
//</span><span  正则 \$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*</span>
preg_match_all('|\$[a-zA-Z_\x7f-\xff][\w\x7f-\xff]*|', $str, $params) or die('err 0.'<span );
$params </span>= array_unique($params[0]); <span //</span><span  去重复</span>
$replace =<span  array();
$i </span>= 1<span ;
foreach ($params as $v) {
    $replace[] </span>= '$p'<span  . $i;
    tolog($v . </span>' => $p' . $i); <span //</span><span  记录到日志</span>
    $i++<span ;
}
$str </span>=<span  str_replace($params, $replace, $str);


</span><span //</span><span  第二步 替换所有函数名</span><span 
//</span><span  正则 function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)</span>
preg_match_all('|function ([a-zA-Z_\x7f-\xff][\w\x7f-\xff]*)|', $str, $params) or die('err 0.'<span );
$params </span>= array_unique($params[1]); <span //</span><span  去重复</span>
$replace =<span  array();
$i </span>= 1<span ;
foreach ($params as $v) {
    $replace[] </span>= 'fun'<span  . $i;
    tolog($v . </span>' => fun' . $i); <span //</span><span  记录到日志</span>
    $i++<span ;
}
$str </span>=<span  str_replace($params, $replace, $str);

</span><span //</span><span  第三步 替换所有不可显示字符</span>
<span function</span><span  tohex($m) {
    $p </span>= urlencode($m[0]); <span //</span><span  把所有不可见字符都转换为16进制、</span>
    $p = str_replace('%', '\x'<span , $p);
    $p </span>= str_replace('+', ' ', $p); <span //</span><span  urlencode 会吧 空格转换为 + </span>
    <span return</span><span  $p;
}
$str </span>= preg_replace_callback('|[\x00-\x08\x0e-\x1f\x7f-\xff]|s', "tohex"<span , $str);

</span><span //</span><span  写到文件</span>
file_put_contents("1_t1.php"<span , $str);

</span><span function</span><span  tolog($str) {
    file_put_contents(</span>"replace_log.txt", $str . "\n"<span , FILE_APPEND);
}
</span>?>

Copy after login

（其中有一个记录到日志的代码，这个在之后的二次解密时有用。）
执行之后就会得到一个 1_t1.php 文件，打开文件看到类似这样的代码

进一步整理后得到如下代码：

<?<span php
</span><span //</span><span Start code decryption<<===</span>
<span if</span> (!defined('IN_DECODE_82d1b9a966825e3524eb0ab6e9f21aa7'<span )) {
    define(</span>'\xA130\x8C', <span true</span><span );
    
    </span><span function</span> fun1($str, $flg=""<span ) {
        </span><span if</span>(!$flg) <span return</span><span (base64_decode($str));

        $ret </span>= '?'<span ;
        </span><span for</span>($i=0; $i<strlen($str); $i++<span ) {
            $c </span>=<span  ord($str[$i]);
            $ret .</span>= $c<245 ? ( $c>136 ? chr($c/2) : $str[$i] ) : "";
<span         }
        </span><span return</span><span  base64_decode($ret);
    }

    </span><span function</span> fun2(&<span $p14)
    {
        global $p15, $p16, $p17, $p18, $p19, $p3;
        @$p17($p18, $p19 . </span>'(@$p16($p15(\'eNq9kl1r01AYx79KG0JzDqZJT9KkL2ladXYgWxVsh6iTkCYna7o2yZL0dfTGG0GkoHhVi1dFxi5EZv0KvRSRMYYfQob0A5g0bM6BF0Pw4rw9539+53nO+ZeKhZLTcGKmAeII5kvFgqe5puPH/IGDZcLHfZ9tql01ihLFnmnpdo9p2Zrqm7bFNFxsyETD9508y/Z6P' . $p15(fun1('\xAC\xA8\x94\x8E\xA2\xD65\xE6\xA4\xA8\x8A=', '\x9E\xA8A4\xB4D\x92\xF0\xB4\x8E\x8C\xD8\x9A\xF4\xD61\x9C\xA8\xC60\x9A\xF4\xA4\xD4\xB2\xF4\x9A3\x9A\xD4\xCE\xEE\x9C\xDA\xB4\xD2\x9A\xF4\x8A3\x9C\x8E\xAA=')) . 'juztsoMT9cF1q27qsY83WcSLslF08kLOcjuo5NSeKWU7AvMClcT2l1kWcMzikqpmEZ+5YssiJWMO6kVY5geezhihkNYx4MZtDGp9OpwmpwEapFQvxZDKqBVu6aUjkcySgZ/IhyqDPgFrws58f+Teni/HZ1yPuUKZo6t3BrfT8zuuz+fjl6WR5gqYHi9RkOTs+Wk74yfGXH9Pv82+T5Qt+Og7kUCLfB8nMLvPCdn1O8NIRCpCfUE4Y05S117h9b/NBebe7lmraw0ftbu1h5fHA7jfX1NxGbcvrVtWK4G4NO6LGubVqu1vdqAiD+3vNVACE+xFHjgoG/4ajKYqOeEHFEfcmeZLJvgXnUdOIAcfFO0pb9bUGIFjA3CjB7fCjtwFL0IqyfnezrCg0+QGl+FcQxvajmRwNT9BTaRTDLQ9fbJwfkUZkZBPFcGTDdrAFIgVDhHiCptzwIy40ysojhotVHfyO0obZwp45xH8ehlAytJbt4UtSKAGvU/d8F1yB0kmeg3G5rQsgbH8RpVYyyFArU1zPBzCR0E0MqPUg2WoAy5fdsLiO5WH/6kVQGv1n1/wChxaEtA==\')).$p16($p15($p3)))', "82d1b9a966825e3524eb0ab6e9f21aa7"<span );
    }
}
global $p15, $p16, $p17, $p18, $p19, $p3;
$p17 </span>= 'preg_replace'<span ;
$p18 </span>= '/82d1b9a966825e3524eb0ab6e9f21aa7/e'<span ;
$p15 </span>= 'base64_decode'<span ;
$p19 </span>= 'eval'<span ;
$p16 </span>= 'gzuncompress'<span ;
$p3 </span>= ''<span ;

@$p17($p18, $p19 . </span>'(@$p16($p15(\'eNplks9Og0AQxu8mvgMlxrYHoMCyQPkXvdhDE5to4sE0BtihoMgSSqWN8RV60pMX73oy8RG8e/J5bLutIeWyyfebnS/zTcZzbS+Pcy6JOi252/dcexoWSV5y5SIHhy9hXkq3/oPPKO9WSUZoJaY09MuEZmJcQOTwcVnmfUmqqkpcmZFcpMVEWv2E+Vp795Q4BEJK4Hj93NzBwjEUIgemb2JsKB' . $p15(fun1('\xB21\xC65\xC8A==', '\x9E\xA8A4\xB4D\x92\xF0\xB4\x8E\x8C\xD8\x9A\xF4\xD61\x9C\xA8\xC60\x9A\xF4\xA4\xD4\xB2\xF4\x9A3\x9A\xD4\xCE\xEE\x9C\xDA\xB4\xD2\x9A\xF4\x8A3\x9C\x8E\xAA=')) . 'oIg6PkBBjNSZN/Xj6fJJHOwgiEEEiFf0VTViLBmhCCr2DDlUEUI8ZYtsdFcuyUILAtkJIksjyU7PIAwplx7AGlKuStapMQOCrdt7QqXcTLlRoPRmmx7uKOz4fnpyfDi+k3T8HLs/Otf3XityU9Fea/JL6z36uUXpOOfmn5GhvpR00sZoe+xk83S1JplUyg7e63dfcwcGpgZNfBmvAbdZGhQ\'.($p20.=fun2($p20)))))', "82d1b9a966825e3524eb0ab6e9f21aa7" . ($p20 = '<span x\xDA\xCB)
vnqhBNLREkvC0jozYmvTWMZyoxjCa9KTUsvSaM5rUzu6c2rTSmvSKM5yOqj0=
O\FF.\xADH5\xCF2\x88\xF0u\x8BL*\xCD\xF2223.
\xB1\xF0\FF1\xCF+\x02\x00\xB6\xCA
\xBE</span>'<span ));
</span><span //</span><span End of the decryption code===>></span>
<span return</span> <span true</span>;?>76cde264ef549deac4d0fae860b50010

Copy after login

是不是很清晰了，剩下的就是基本代码了，还有个知识点 preg_replace 当正则修饰符含有e的时候，就会把第二个参数当作 php 代码解析执行，
$p18 变量里就是那个正则，末尾的 e 在闪闪发光。
还有 fun2 里的内容最好再次输出一个文件，然后用上面的方法替换下变量。
@$p17 那一行的才是我们真正的源码，但是尾部有一部在 fun2 函数里，因为 fun2 里才是真正的验证和输出尾部base64代码。
剩下的我懒的写了，因为所有解密要用到的知识我都已经说了、

明天我会把我写的解密代码用这个工具加密后贴出来，我会提供解密 api 给大家调用的。
不是我装逼或者是炫耀，因为授之以鱼不如授之以渔，也可以说自己动手丰衣足食。
当然也有人只要结果，不要过程，那我直接给你 api 也是一样的，对吧。

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

2 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Repo: How To Revive Teammates

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hello Kitty Island Adventure: How To Get Giant Seeds

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How Long Does It Take To Beat Split Fiction?

3 weeks ago By DDD

R.E.P.O. Save File Location: Where Is It & How to Protect It?

3 weeks ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7329

Java Tutorial

1627

CakePHP Tutorial

1350

Laravel Tutorial

1262

PHP Tutorial

1209

Related knowledge

The combination of Vue.js and ASP.NET provides tips and suggestions for performance optimization and expansion of web applications. Jul 29, 2023 pm 05:19 PM

The combination of Vue.js and ASP.NET provides tips and suggestions for performance optimization and expansion of web applications. With the rapid development of web applications, performance optimization has become an indispensable and important task for developers. As a popular front-end framework, Vue.js combined with ASP.NET can help us achieve better performance optimization and expansion. This article will introduce some tips and suggestions, and provide some code examples. 1. Reduce HTTP requests The number of HTTP requests directly affects the loading speed of web applications. pass

MySQL connection pool usage and optimization techniques in ASP.NET programs Jun 30, 2023 pm 11:54 PM

How to correctly use and optimize the MySQL connection pool in ASP.NET programs? Introduction: MySQL is a widely used database management system that features high performance, reliability, and ease of use. In ASP.NET development, using MySQL database for data storage is a common requirement. In order to improve the efficiency and performance of database connections, we need to correctly use and optimize the MySQL connection pool. This article will introduce how to correctly use and optimize the MySQL connection pool in ASP.NET programs.

Ten ways generative AI will change software development Mar 11, 2024 pm 12:10 PM

Translator | Reviewed by Chen Jun | Chonglou In the 1990s, when people mentioned software programming, it usually meant choosing an editor, checking the code into the CVS or SVN code base, and then compiling the code into an executable file. Corresponding integrated development environments (IDEs) such as Eclipse and Visual Studio can integrate programming, development, documentation, construction, testing, deployment and other steps into a complete software development life cycle (SDLC), thus improving the work of developers. efficiency. In recent years, popular cloud computing and DevSecOps automation tools have improved developers' comprehensive capabilities, making it easier for more enterprises to develop, deploy and maintain software applications. Today, generative AI is the next generation development

How to reconnect to MySQL in ASP.NET program? Jun 29, 2023 pm 02:21 PM

How to reconnect to MySQL in ASP.NET program? In ASP.NET development, it is very common to use the MySQL database. However, due to network or database server reasons, the database connection may sometimes be interrupted or time out. In this case, in order to ensure the stability and reliability of the program, we need to re-establish the connection after the connection is disconnected. This article will introduce how to reconnect MySQL connections in ASP.NET programs. To reference the necessary namespaces first, reference them at the head of the code file

The combination of Vue.js and ASP.NET enables the development and deployment of enterprise-level applications Jul 29, 2023 pm 02:37 PM

The combination of Vue.js and ASP.NET enables the development and deployment of enterprise-level applications. In today's rapidly developing Internet technology field, the development and deployment of enterprise-level applications has become more and more important. Vue.js and ASP.NET are two technologies widely used in front-end and back-end development. Combining them can bring many advantages to the development and deployment of enterprise-level applications. This article will introduce how to use Vue.js and ASP.NET to develop and deploy enterprise-level applications through code examples. First, we need to install

How to correctly configure and use MySQL connection pool in ASP.NET program? Jun 29, 2023 pm 12:56 PM

How to correctly configure and use MySQL connection pool in ASP.NET program? With the development of the Internet and the increase in data volume, the demand for database access and connections is also increasing. In order to improve the performance and stability of the database, connection pooling has become an essential technology. This article mainly introduces how to correctly configure and use the MySQL connection pool in ASP.NET programs to improve the efficiency and response speed of the database. 1. The concept and function of connection pooling. Connection pooling is a technology that reuses database connections. At the beginning of the program,

What are the built-in objects in aspnet? Nov 21, 2023 pm 02:59 PM

The built-in objects in ASP.NET include "Request", "Response", "Session", "Server", "Application", "HttpContext", "Cache", "Trace", "Cookie" and "Server.MapPath": 1. Request, indicating the HTTP request issued by the client; 2. Response: indicating the HTTP response returned by the web server to the client, etc.

Recommended configuration for ASP.NET development using Visual Studio on Linux Jul 06, 2023 pm 08:45 PM

Overview of the recommended configuration for using Visual Studio for ASP.NET development on Linux: With the development of open source software and the popularity of the Linux operating system, more and more developers are beginning to develop ASP.NET on Linux. As a powerful development tool, Visual Studio has always occupied a dominant position on the Windows platform. This article will introduce how to configure VisualStudio for ASP.NE on Linux

See all articles