Home > Backend Development > PHP Tutorial > Step by step practical method to restore PHP encrypted files

Step by step practical method to restore PHP encrypted files

藏色散人
Release: 2023-04-09 19:38:02
forward
3587 people have browsed it

ps: The author is just technical communication and has no malicious intent. Please do not abuse this technology.

Actual restoration of PHP encrypted files

## Let’s talk about the environment first:

    Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-52-generic x86_64)
    PHP 5.5.9-1ubuntu4.19 (cli)
Copy after login

Practical process

I have an encrypted project and a PHP extended dynamic link library (jinhou.so) on hand.

The PHP code looks like the following:

<?php /* xxxx技术有限公司版权所有: 2016-09-08 08:18:00 */
jhgo(&#39;uGpqefbDEBkqp4preQ2UaAp3RAUeJAZ5s4aERAQMkxbJTgEovHnQw6WxsA99sAhSacJCLGxZL4Q4u6zFyGveuDUoemktHGkMaB5D&#39;);
?>
Copy after login
According to the known conditions analyzed above:

1. The encryption method is similar to the eval encryption method.

2.jhgo contains execution code and decryption code.

3.jinhou.so contains the jhgo function.

First of all, use VIM to open jinhou.so very roughly to see if there is any key information.

Step by step practical method to restore PHP encrypted files

Unfortunately, the source of the solution is clearly written. https://github.com/eixom/zoeeyguard

After looking at the code, theoretically, this extension exposes two methods, one for encrypting files and one for decrypting files. But only one method was actually exposed, and one was removed by the cunning provider.

Of course we already have the source code, so we don’t care about it so much.

Try to compile it with the official source code and then decode it and find that it still doesn’t work.

I studied it carefully and found that there was a very magical string in

Step by step practical method to restore PHP encrypted files##:

82dsa7dsas32112389uy7aydh8h2h2i412

I wondered if it belonged to him Encryption Key. After re-reading the code, it turned out to be true. In the https://github.com/eixom/zoeeyguard/blob/master/src/guard.h file. The original one is 28dsa7dsas12312389uy7aydh8h1h2i312
. After making the changes, I found that it still didn't work. As expected, I am still Too Young Too Simple.

Analysis from the psychological perspective of programmers: Generally no one will change the code, basically just changing the parameters.

Are there any other parameters that have been changed? But other parameters are in array format, which is a headache.

/*  private key */
#define PRIVATE_KEY "28dsa7dsas12312389uy7aydh8h1h2i312"
#define PRIVATE_KEY_LEN sizeof(PRIVATE_KEY)

/* order */
static const unsigned char OBFUSCATED_ORDER[] = {
      13,  6,  5,  7,  1, 15, 14, 20
    ,  9, 16, 19,  4, 18, 10,  2,  8
    , 12,  3, 11,  0, 17
};
#define ORDER_SIZE sizeof(OBFUSCATED_ORDER) / sizeof(* OBFUSCATED_ORDER)

/* alphabet for base64 */
static const unsigned char OBFUSCATED_ALPHABET[] = {
      's', '4', 'N', 'E', 'k', 'X', 'c', 'u'
    , 'J', '2', 'U', 'o', 'O', 'w', 'K', 'v'
    , 'h', 'H', 'C', '/', 'D', 'q', 'l', 'R'
    , 'B', 'r', '5', 'Z', 'S', 'Q', '6', 'W'
    , '3', 'L', 'j', '8', '1', 'z', '0', 'G'
    , 'n', 'e', 'y', 'b', 'I', 'd', 'i', 'P'
    , 'A', '9', '7', '+', 'm', 'V', 'M', 'Y'
    , 'F', 'g', 'f', 'p', 'a', 'T', 't', 'x'
};
#define ALPHABET_SIZE 64
Copy after login
At this time, we have to use a killer tool: IDA Pro v6.8, a decompilation artifact. The left is the normal version, and the right is jinhou.so.

Step by step practical method to restore PHP encrypted filesChange the files in guard.h based on the data. After recompiling, it was successfully decrypted.

<?php require_cache(APP_PATH.&#39;/Lib/Action/User/AddonAction.class.php&#39;);
?>
Copy after login

Summary afterwards

1. This cracking did not take much time, mainly thanks to the fact that the encryption scheme and encryption code were clearly told to us.

2. The main time is to test the encryption parameters. Fortunately, the .so file is not packed.

3. During the cracking process, I also learned about the flaws of PHP encryption.

【Recommended learning:

PHP video tutorial

The above is the detailed content of Step by step practical method to restore PHP encrypted files. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
php
source:segmentfault.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template