A friend asked me this morning to help him read a PHP file. It was full of garbled characters, and changing any single character stopped it from running.
The file has only one line; the following is part of its content:
A long run of encoded characters is omitted in the middle, and the tail of the file is:
2Kx9yHSQyO/D+5+fnPf+v/BSrlfeg=')));return;?>5e813...32-char MD5....3f6
At first I tried to trace it with ZendStudio + Xdebug, and found that for code compressed onto a single line like this, debugging is completely useless: there is no starting point to step from.
After struggling with it for a long time without result, I decided to work through it by hand.
A quick look showed that the variable names had simply been replaced with special characters. Opening the file in an editor and replacing a few recurring keywords was enough to get a rough picture.
A custom function is also used. It is defined at the beginning of the file under the name "蜖棁ㄔ┄蓣":
function 蜖棁ㄔ┄蕷($A, $B = "") {
    $A = base64_decode($A);
    if (empty($A)) return "";
    if ($B == "") {
        return ~$A;                  // no key: bitwise NOT of every byte
    } else {
        $D = strlen($A);
        $B = str_pad($B, $D, $B);    // repeat the key up to the length of the data
        $str = $A ^ $B;              // repeating-key XOR (PHP truncates to the shorter string)
        return $str;
    }
}
After a few simple replacements you can tell what each field holds.
It starts with an eval, followed by two decoding functions whose names are stored in an array, something like:
<?php
$arr['B'] = 'base64_decode';
$arr['G'] = 'gzuncompress';
// it is then called like this:
eval($arr['G']($arr['B']('...a big pile of garbled characters...')));
From there you can see the key piece of code that stops the file from running once it has been modified:
$A = file_get_contents('origin.php');
@substr($A, -32) == md5(substr(substr($A, 0, -32) . 'another 32-char MD5', 6)) || die();
In other words, the last 32 characters of the file are an MD5 of everything before them plus a salt that is itself hardcoded in the file (skipping the first 6 characters), so any edit to the body breaks the comparison and the script dies.
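To make the self-check concrete, here is an added example (not code from the post) that reproduces it in Python: it recomputes the trailer, shows that a one-byte edit fails the check, and shows that because the salt sits in the file itself, anyone can re-sign an edited body instead of commenting the check out. The salt value, the `SKIP` constant's explanation and the sample file body are constructed assumptions; the post gives neither the real salt nor the reason for `substr(..., 6)`.

```python
"""Reproduce and re-sign the trailer check from the post, in Python.

Added example, not code from the post. The salt ('another 32-char MD5' in
the original; its real value is not given) and the sample body below are
constructed for this demonstration.
"""
import hashlib

SALT = b"0123456789abcdef0123456789abcdef"  # assumption: stand-in for the real salt
SKIP = 6  # the check does substr(..., 6); assumption: 6 is the length of "<?php "


def expected_trailer(body: bytes, salt: bytes = SALT) -> bytes:
    """Mirror of md5(substr(substr($A, 0, -32) . SALT, 6)) for a file body
    that has already had its last 32 characters removed."""
    return hashlib.md5((body + salt)[SKIP:]).hexdigest().encode("ascii")


def check(file_bytes: bytes, salt: bytes = SALT) -> bool:
    """Mirror of @substr($A, -32) == md5(...) || die(), but with an exact
    comparison; PHP's == compares two numeric-looking strings as numbers."""
    body, trailer = file_bytes[:-32], file_bytes[-32:]
    return trailer == expected_trailer(body, salt)


def sign(body: bytes, salt: bytes = SALT) -> bytes:
    """Append a fresh trailer so an edited body passes the check again."""
    return body + expected_trailer(body, salt)


# Constructed sample: an untampered file, a one-byte edit, and that edit re-signed.
ORIGINAL = sign(b"<?php eval('echo 1;');return;?>")
TAMPERED = ORIGINAL.replace(b"echo 1", b"echo 2")
RESIGNED = sign(TAMPERED[:-32])

if __name__ == "__main__":
    print("original passes:", check(ORIGINAL))   # True
    print("tampered passes:", check(TAMPERED))   # False
    print("re-signed passes:", check(RESIGNED))  # True
```

Two practical points follow from this. First, a check whose salt and algorithm are both in the file only catches accidental edits; a reader who understands it can always regenerate the trailer. Second, the original uses PHP's loose `==`: if both sides happen to look numeric (for instance an MD5 hex string of the form `0e` followed only by digits), PHP compares them as numbers, so when writing such a check yourself use `===` or `hash_equals()`.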
Comment that line out and continue executing the code that follows:
Another eval, decoding again...
Because the decoded output is binary garbage that cannot simply be copied and pasted, it has to be written to a file in binary mode; the next round of replacement and decoding is then done on that file and the result written out again... After five rounds of decoding in total, the original source is finally recovered.
Finally I tidied the steps up into a script that does the whole job with regular expressions and decoded the file directly.
<?php
$B = 'base64_decode';
$G = 'gzuncompress';

// The file's custom helper, renamed to A(): base64_decode, then NOT (no key) or repeating-key XOR.
function A($A, $B = "") {
    $A = base64_decode($A);
    if (empty($A)) return "";
    if ($B == "") {
        return ~$A;
    } else {
        $D = strlen($A);
        $B = str_pad($B, $D, $B);
        $str = $A ^ $B;
        return $str;
    }
}

$s = file_get_contents('origin.php');

// Round 1: match the payload inside ]('...') and gzuncompress(base64_decode(...))
preg_match('/\]\(\'(.+?)\'\)/', $s, $r1);
$s = $G($B($r1[1]));
// Round 2: base64_decode, then the custom helper
preg_match('/\]\(\'(.+?)\'\)/', $s, $r2);
$s = A($B($r2[1]));
// Round 3: plain base64_decode
preg_match('/\]\(\'(.+?)\'\)/', $s, $r3);
$s = ($B($r3[1]));
// Round 4: gzuncompress(base64_decode(...)); the payload here starts with 'e'
preg_match('/\]\(\'(e.+?)\'\)/', $s, $r4);
$s = $G($B($r4[1]));
// Round 5: base64_decode, then the custom helper
preg_match('/\]\(\'(e.+?)\'\)/', $s, $r5);
$s = (A($B($r5[1])));

file_put_contents('code.php', $s);
echo 'Done!';
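The same five-round peel, written in Python as an added example rather than the author's PHP script, serves both the custom helper function described earlier and the decoding loop above. Because the real file is not available, the block first builds an obfuscated sample by applying the five layers in reverse to a made-up plaintext; the wrapper text, the `$f` array name, the `helper` function name and the plaintext are all constructed assumptions, not taken from the original file.

```python
"""Peel the five decode layers the post describes, in Python rather than PHP.

Added example, not the author's script. The obfuscated sample is built here
by applying the five layers in reverse to a made-up plaintext, so the
wrapper text and variable names are constructed, not taken from the real file.
"""
import base64
import re
import zlib

# `]('<base64>')` is what `$arr['B']('...')` leaves behind; restricting the
# capture to the base64 alphabet keeps the match from overrunning.
PAYLOAD_RE = re.compile(rb"\]\('([A-Za-z0-9+/=]+)'\)")


def php_not(data: bytes) -> bytes:
    """`~$str` in PHP: bitwise NOT of every byte (the helper's no-key branch)."""
    return bytes(b ^ 0xFF for b in data)


def php_xor(data: bytes, key: bytes) -> bytes:
    """`$A ^ str_pad($B, strlen($A), $B)`: repeating-key XOR. PHP's string XOR
    truncates to the shorter operand, so the result always has len(data)."""
    if not key:
        raise ValueError("empty key")
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def helper(encoded: bytes, key: bytes = b"") -> bytes:
    """Mirror of the file's custom function: base64_decode, then NOT or XOR."""
    raw = base64.b64decode(encoded)
    if raw in (b"", b"0"):  # PHP's empty() is also true for the string "0"
        return b""
    return php_xor(raw, key) if key else php_not(raw)


# One (decode, encode) pair per kind of layer the author met.
def dec_gz(p):     return zlib.decompress(base64.b64decode(p))   # $G($B(p))
def enc_gz(x):     return base64.b64encode(zlib.compress(x))
def dec_helper(p): return helper(base64.b64decode(p))           # A($B(p))
def enc_helper(x): return base64.b64encode(base64.b64encode(php_not(x)))
def dec_b64(p):    return base64.b64decode(p)                    # $B(p)
def enc_b64(x):    return base64.b64encode(x)

# The order the author's script peels them, outermost first.
ROUNDS = [(dec_gz, enc_gz), (dec_helper, enc_helper), (dec_b64, enc_b64),
          (dec_gz, enc_gz), (dec_helper, enc_helper)]


def wrap(payload: bytes) -> bytes:
    """One stage of the constructed sample, shaped like the eval() call in the post."""
    return (b"<?php $f['B']='base64_decode';$f['G']='gzuncompress';"
            b"eval($f['G']($f['B']('" + payload + b"')));return;?>")


def build_sample(inner: bytes) -> bytes:
    """Apply the layers innermost-first so that peel() meets them outermost-first."""
    for _, enc in reversed(ROUNDS):
        inner = wrap(enc(inner))
    return inner


def peel(blob: bytes) -> bytes:
    """Walk the rounds, pulling the payload out of each stage with the regex."""
    for n, (dec, _) in enumerate(ROUNDS, 1):
        m = PAYLOAD_RE.search(blob)
        if m is None:
            raise ValueError(f"round {n}: no ]('...') payload found")
        blob = dec(m.group(1))
    return blob


PLAINTEXT = b"<?php\necho 'the real source';\n"  # constructed

if __name__ == "__main__":
    sample = build_sample(PLAINTEXT)
    print(len(sample), "bytes of constructed obfuscated file")
    print(peel(sample).decode())
```

Each intermediate stage is kept as bytes rather than text, which is the Python equivalent of the author's "write it to a file in binary" step: the NOT and XOR branches produce arbitrary byte values that a text round-trip would mangle. The author's rounds 4 and 5 anchor the capture with a leading `e`, which I read as a way of skipping an earlier `]('...')` match in those stages; the constructed sample has one payload per stage, so the first match is taken.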
Related code: http://download.csdn.net/detail/sbdx/8616319
That is the whole process of running into an encrypted PHP file and working out how to decode it. I hope it is useful to anyone interested in PHP.