One day a friend sent me an encrypted PHP file, saying it would not run and that the source probably had a bug; since the source was encrypted, he asked me to decrypt it first. The ciphertext is as follows. The PHP header is a single line in the file, and the data after ?> is a single unbroken run of bytes as well; it is split into lines here only for display, and every byte of it counts toward the offsets used below:

Code
echo(base64_decode('JElJSUlJSUlJSUlJST0naGVhZGVyJzs='));$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');$OO00O0000=1316;$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';eval(($$O0O0000O0('JE9PME9PMDAwMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09PMDAwMDAwezV9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PME8wTzAwLCdyYicpOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzAwMDAwMHs1fS4kT09PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwMHsxNH0uJE9PTzAwMDAwMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB7MjB9OyRPTzBPTzAwME8oJE8wMDBPME8wMCwxMTk1KTskT08wME8wME8wPSgkT09PMDAwME8wKCRPTzBPTzAwTzAoJE9PME9PMDAwTygkTzAwME8wTzAwLDM4MCksJ2F1ZFJaWFc4Z05tbm9xdCtQcmVTY2ZMaU0vVXZZc3BqNzMxMEZER0E1S1RDUTlrSEpCbHdWNnhPNGJ6eWhFMkk9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));return;?>
NZE+oRu+oRu+oR6ws8NjYGfJvWX0/e7Ai6EWecBXi6hAndgAg14FSVE+oZhJSwaJn1gAg1J5NZE+SwaJoRu+od7FSVhJSVhJoZhJmdr+
Swu+SwaJoZh5NZhJoRu+oZhJodJFSVhJoZhJoRaJmeJAMifFcDKMfw3ASG6kvOXVm6ul/fq0/FBKSeEfsDDwYW5OowZJrFr8PSfnfZqrtL9
geFNQs6MxpZhVMAKbUZcleSVAndsuPFqZrc/8eZDmeVBqSFEPcfNSfXfLf63/LGX1MxrD/Gs5ULKCvW6kvOuBYAqVsi/Op8DzoRZlowP6q
0Y4teQHNlFKmeFy/GqQvOqDmdr+oRaJSwu+oRaKtxfxMLJ5NZE+oRu+oRu+odFyRPKDYANHYDEl/iuHYArKvGY5rfEXcDN+c1FyRP5FrVB
+PFXoc6QFrVB+PFXoc6QASVE+oRaJoZhJN6V5N6qfvZKSfLBmc6fQeDqfvZ5AmfV5NZsoSVNuSXqvNVE+SwaJoRu+odssmds/o0D6/Zs
LsLrRoffDLZNQSxDdoXKMURuooG7JMDsOqVD8SGE/LZKzLD3rtf5leiDqpFfbNlFKtJVmULM5YOrlUiqVY17Fi6qXcD/XcDQFrVB+PFXoc6QA
SVE+oRaJoZhJN6V5N6qWcDffr0DScDfUrDfCfDoAmfVQNZsoSVNuSXqvNVE+SwaJoRu+odssmds/vc/JLF3fsfFltirooVVHNlFKmeuyRP5F
ecDNecDNecDNecDQ+L/KvWfj/xfVixqHvArDvArwmdr8SZEdPcBSLls+SVhJoRaJSwaAie7AMc3eoWqZvO/oo0f5MDsfscbceG91LWrkSW
6tsGNStSuDUSFwMDo6oWfgcSVAmeFyRP5FrVB+PFXoc6QFrVB+PFXoc6QASVE+oRaJoZhJN6V5N6qfvZKSfLBmc6fQeDqfvZ5AmfV5gF
BHMxXVULEkt1rNecDNecDNecDNeLJ1n1r8SZEdPcBSLls+SVhJoRaJSwaAie7Ac8YE+eYKn1rjcVfefFfeLlr8SZEdPcBSLls+SVhJoRaJSwaA
ie7AfSuLc6/CfDqMoRfdfXff+eYKieFyRPKDpWDVtJVmjLfQYxfK/13KYOqDsd7FiVsXfXQFrVB+PFXoc6QASVE+oRaJoZhJN6V5N6FlpW30o
VVENlDsmeDyRP5FecDNecDNecDNecFB+erjrVfcLlr8SZEdPcBSLls+SVhJoRaJSwaAie7ALSN4UWowSSVAmfVyRPKDMx3HgW/KvWfj/xf
VixqHvArDvArwmdr8SZEdPcBSLls+SVhJoRaJSwaAie7AMc3eoWqZvO/oo0f5MDsfscbcrG91LWrkSW6tsGNcvwrqrWs4SRqFsX5lvO/1rx
B6MiF6sxXgPeE/oA35MwqqteYKn1rNecDNecDNecDNeSZKtJVm/i3KsR9E/LBw/iQqd1rNecDNecDNecDNvZFENXE8rfrvNZsoSVNuSXqv
NVE+SwaJoRu+odssmds3f6ZENlDstJVm/Lq5vluGULBDixsDsXE0vxbV/LbVYl7FrVB+PFXoc6QASVE+oRaJoZhJN6V5NxXgc0u0rWExSR
g6UWNififtfZKCMD3FvFB9SA/1cwD6LD30sGPloLb3USFJLD3toZB9rAK0rRDJLFPJ+eYKn1rNecDNecDNecDNvZFKtOVqd7==

At a glance this is the familiar PHP eval(base64_decode(...)) pattern, and the first instinct is to change eval to echo: whatever would have been executed gets printed instead. But this particular file would not even run, so that alone does not get us there; the layers have to be peeled off one at a time. First, tidy the code into normal formatting and decode the URL-encoded and base64-encoded pieces at the top. Note that $$O0O0000O0 is a variable variable: $O0O0000O0 holds the string 'OOO0000O0', so $$O0O0000O0 is $OOO0000O0.

Code
$IIIIIIIIIIII='header';   // this is what the leading echo(base64_decode(...)) prints; it is output, not executed
$OOO0O0O00=__FILE__;
$OOO000000='th6sbehqla4co_sadfpnr';   // urldecode('%74%68%36%73...%72')
$OO00O0000=1316;                       // never used by this layer; see below
$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};
$O0O0000O0='OOO0000O0';
eval($$O0O0000O0('JE9PME9PMDAwMD0k...ZXZhbCgkT08wME8wME8wKTs='));   // the long base64 string from the listing above, shortened here; it decodes to the block below
return;
?>

Code
// base64_decode of the eval argument:
$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000{19};
if(!0) $O000O0O00=$OO0OO0000($OOO0O0O00,'rb');
$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};
$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{20};
$OO0OO000O($O000O0O00,1195);
$OO00O00O0=($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,380),'audRZXW8gNmnoqt+PreScfLiM/UvYspj7310FDGA5KTCQ9kHJBlwV6xO4bzyhE2I=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/')));
eval($OO00O00O0);

Keep the two blocks apart: the second one is the string that eval receives, not statements of the file itself. If it is pasted between the parentheses of eval((...)) as though it were part of that statement, the result has two unclosed parentheses and a missing semicolon, but that is an artifact of the transcription. The original line eval(($$O0O0000O0('...')));return;?> is balanced, so there is no syntax error to fix there.

The variable names are chosen purely to wear down whoever decrypts this, and it does not work: any decent IDE highlights every occurrence of the same identifier. Most of the expressions just pull characters out of 'th6sbehqla4co_sadfpnr' by offset. Count them off one by one, remembering that string offsets start at 0, not 1:

offset  0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
char    t h 6 s b e h q l a 4  c  o  _  s  a  d  f  p  n  r

$OOO0000O0 = {4}{9}{3}{5} . {2}{10}{13}{16} . (own {3}) {11}{12} (own {7}) {5} = "base" . "64_d" . "ecode" = base64_decode
$OO0OO0000 = {17}{12}{18}{5}{19} = fopen
$OO0OO000O = {17}{20}{5}{9}{16} = fread
$OO0OO00O0 = {14}{0}{20}{0}{20} = strtr

The two offsets marked "own" index the partially built name ("base64_d") rather than the key. Now substitute equals for equals, the way you would in algebra, and the first layer reads:

Code
$IIIIIIIIIIII='header';            // printed by the first statement, not executed
$handle = fopen(__FILE__, 'rb');   // the script opens itself: __FILE__ is the magic constant holding its own path
fread($handle, 1195);              // skip the first 1195 bytes, i.e. the header code up to and including ?>
$stage2 = base64_decode(strtr(fread($handle, 380), 'audRZXW8gNmnoqt+PreScfLiM/UvYspj7310FDGA5KTCQ9kHJBlwV6xO4bzyhE2I=', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));
eval($stage2);                     // swap for echo to see the next layer
return;
?>

Two things that look like errors at this point are not. The fopen() call does not look for a companion file that the friend forgot to send: its argument is __FILE__, so the script reads its own bytes, and a local copy only fails to open anything when the constant has been transcribed as the string literal '_FILE_'. And the strtr/base64 step is not plain base64: strtr maps the 65-character string 'audRZXW8...hE2I=' onto the standard alphabet character by character (the 65th character, '=', has no partner and is ignored, so '=' passes through unchanged), which turns the file's private alphabet back into real base64 before base64_decode sees it. Also note $OO00O0000 = 1316, which this layer never touches.

What eval receives is a second stage of exactly the same shape. The 380 bytes after the header decode to a single statement that reads the next $OO00O0000 = 1316 bytes from the same handle, pushes them through the same strtr alphabet and base64_decode, replaces the literal text __FILE__ in the result with the quoted real path (so the decrypted program still sees its own location), closes the handle, and evals the result. The data after ?> in the listing is exactly 380 + 1316 = 1696 bytes, so the whole program is recoverable from the listing alone; the recovered program begins with error_reporting(E_ERROR);.

It is also clear now what this kind of encryption is fragile against. The three reads (1195, 380 and 1316 bytes) are hard-coded byte offsets into the file itself. Anything that changes the byte layout, such as reformatting the header as above, converting line endings, or adding a UTF-8 BOM, shifts the reads; the strtr output is then no longer aligned base64, base64_decode returns garbage, and eval() fails to parse it. This is the base64 caveat in concrete form: start decoding one character off and you get nonsense, and that is the most likely reason a file of this kind "will not run" once it has been edited or re-saved. (On current PHP there is a second reason: the $str{offset} syntax used throughout the header was deprecated in PHP 7.4 and removed in PHP 8.0.)

My friend really wanted to see the plaintext. With the bytes of the original file intact, replacing eval with echo in the first layer prints the second stage; replacing the eval inside that stage as well, or re-running the fread/strtr/base64_decode steps in a separate script against the unmodified file, prints the program itself.
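The layer-by-layer decode described above, carried out in Python against the bytes in the listing, as an added example that is not part of the original post or of the obfuscator's code. php_strtr reproduces PHP's string form of strtr (the extra characters of the longer table are ignored), build_file stands in for the real file with a constructed header padded to the right length, and the file path used by finish_stage3 is invented; the key, the two alphabets, the three read sizes and the payload are copied from the listing.

```python
"""Decode the two self-reading layers of the obfuscated PHP file in the post.
Added example, not code from the post or the obfuscator: the constants are
copied from the listing, the functions re-implement what the header does."""
import base64
import binascii
from urllib.parse import unquote

# Constants copied from the obfuscated header.
KEY_URLENCODED = "%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72"
FROM_ALPHABET = "audRZXW8gNmnoqt+PreScfLiM/UvYspj7310FDGA5KTCQ9kHJBlwV6xO4bzyhE2I="
TO_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
HEADER_LEN, STAGE2_LEN, STAGE3_LEN = 1195, 380, 1316  # the three fread() sizes

# Everything after "?>" in the listing: 380 bytes of stage 2, then 1316 bytes of stage 3.
PAYLOAD = (
    "NZE+oRu+oRu+oR6ws8NjYGfJvWX0/e7Ai6EWecBXi6hAndgAg14FSVE+oZhJSwaJn1gAg1J5NZE+SwaJoRu+od7FSVhJSVhJoZhJmdr+"
    "Swu+SwaJoZh5NZhJoRu+oZhJodJFSVhJoZhJoRaJmeJAMifFcDKMfw3ASG6kvOXVm6ul/fq0/FBKSeEfsDDwYW5OowZJrFr8PSfnfZqrtL9"
    "geFNQs6MxpZhVMAKbUZcleSVAndsuPFqZrc/8eZDmeVBqSFEPcfNSfXfLf63/LGX1MxrD/Gs5ULKCvW6kvOuBYAqVsi/Op8DzoRZlowP6q"
    "0Y4teQHNlFKmeFy/GqQvOqDmdr+oRaJSwu+oRaKtxfxMLJ5NZE+oRu+oRu+odFyRPKDYANHYDEl/iuHYArKvGY5rfEXcDN+c1FyRP5FrVB"
    "+PFXoc6QFrVB+PFXoc6QASVE+oRaJoZhJN6V5N6qfvZKSfLBmc6fQeDqfvZ5AmfV5NZsoSVNuSXqvNVE+SwaJoRu+odssmds/o0D6/Zs"
    "LsLrRoffDLZNQSxDdoXKMURuooG7JMDsOqVD8SGE/LZKzLD3rtf5leiDqpFfbNlFKtJVmULM5YOrlUiqVY17Fi6qXcD/XcDQFrVB+PFXoc6QA"
    "SVE+oRaJoZhJN6V5N6qWcDffr0DScDfUrDfCfDoAmfVQNZsoSVNuSXqvNVE+SwaJoRu+odssmds/vc/JLF3fsfFltirooVVHNlFKmeuyRP5F"
    "ecDNecDNecDNecDQ+L/KvWfj/xfVixqHvArDvArwmdr8SZEdPcBSLls+SVhJoRaJSwaAie7AMc3eoWqZvO/oo0f5MDsfscbceG91LWrkSW"
    "6tsGNStSuDUSFwMDo6oWfgcSVAmeFyRP5FrVB+PFXoc6QFrVB+PFXoc6QASVE+oRaJoZhJN6V5N6qfvZKSfLBmc6fQeDqfvZ5AmfV5gF"
    "BHMxXVULEkt1rNecDNecDNecDNeLJ1n1r8SZEdPcBSLls+SVhJoRaJSwaAie7Ac8YE+eYKn1rjcVfefFfeLlr8SZEdPcBSLls+SVhJoRaJSwaA"
    "ie7AfSuLc6/CfDqMoRfdfXff+eYKieFyRPKDpWDVtJVmjLfQYxfK/13KYOqDsd7FiVsXfXQFrVB+PFXoc6QASVE+oRaJoZhJN6V5N6FlpW30o"
    "VVENlDsmeDyRP5FecDNecDNecDNecFB+erjrVfcLlr8SZEdPcBSLls+SVhJoRaJSwaAie7ALSN4UWowSSVAmfVyRPKDMx3HgW/KvWfj/xf"
    "VixqHvArDvArwmdr8SZEdPcBSLls+SVhJoRaJSwaAie7AMc3eoWqZvO/oo0f5MDsfscbcrG91LWrkSW6tsGNcvwrqrWs4SRqFsX5lvO/1rx"
    "B6MiF6sxXgPeE/oA35MwqqteYKn1rNecDNecDNecDNeSZKtJVm/i3KsR9E/LBw/iQqd1rNecDNecDNecDNvZFENXE8rfrvNZsoSVNuSXqv"
    "NVE+SwaJoRu+odssmds3f6ZENlDstJVm/Lq5vluGULBDixsDsXE0vxbV/LbVYl7FrVB+PFXoc6QASVE+oRaJoZhJN6V5NxXgc0u0rWExSR"
    "g6UWNififtfZKCMD3FvFB9SA/1cwD6LD30sGPloLb3USFJLD3toZB9rAK0rRDJLFPJ+eYKn1rNecDNecDNecDNvZFKtOVqd7=="
)


def decode_key():
    """urldecode('%74%68...') gives the 21-character table the names are built from."""
    return unquote(KEY_URLENCODED)


def pick(key, *offsets):
    """$key{i}.$key{j}...: concatenate characters by 0-based offset."""
    return "".join(key[i] for i in offsets)


def resolve_names():
    """Rebuild the four function names exactly as the header does; the offsets
    {3} and {7} index the half-built name itself, not the key."""
    key = decode_key()
    name = pick(key, 4, 9, 3, 5) + pick(key, 2, 10, 13, 16)  # "base" + "64_d"
    name += name[3] + pick(key, 11, 12) + name[7] + key[5]    # + "e" + "co" + "d" + "e"
    return {
        "$OOO0000O0": name,
        "$OO0OO0000": pick(key, 17, 12, 18, 5, 19),
        "$OO0OO000O": pick(key, 17, 20, 5, 9, 16),
        "$OO0OO00O0": pick(key, 14, 0, 20, 0, 20),
    }


def php_strtr(s, frm, to):
    """PHP strtr() with string arguments: a per-character map in which the extra
    characters of the longer table are ignored, so the trailing '=' of
    FROM_ALPHABET maps to nothing and '=' passes through unchanged."""
    n = min(len(frm), len(to))
    return s.translate(str.maketrans(frm[:n], to[:n]))


def decode_layer(chunk):
    """base64_decode(strtr(chunk, FROM, TO)); None when the bytes are not
    well-formed base64, which is what a misaligned read produces."""
    try:
        text = php_strtr(chunk.decode("latin-1"), FROM_ALPHABET, TO_ALPHABET)
        return base64.b64decode(text).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def decode_file(data, header_len=HEADER_LEN):
    """Mirror the file's own reads: skip the header, decode 380 bytes (stage 2),
    then the next 1316 bytes (stage 3, the real program)."""
    stage2 = decode_layer(data[header_len:header_len + STAGE2_LEN])
    start3 = header_len + STAGE2_LEN
    stage3 = decode_layer(data[start3:start3 + STAGE3_LEN])
    return stage2, stage3


def finish_stage3(code, real_path):
    """Stage 2's last step before eval: str_replace('__FILE__', "'<path>'", code)."""
    return code.replace("__FILE__", "'" + real_path + "'")


def build_file():
    """Stand-in for the real file: a constructed header padded to 1195 bytes
    (only its length matters to the reads) followed by the listing's payload."""
    header = b"<?php /* constructed stand-in header */".ljust(HEADER_LEN, b" ")
    return header + PAYLOAD.encode("ascii")


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None  # optional real file of the same kind
    data = open(path, "rb").read() if path else build_file()
    stage2, stage3 = decode_file(data)
    print(stage2)  # what eval -> echo in the first layer would have shown
    print(finish_stage3(stage3 or "", path or "/path/to/file.php"))  # hypothetical path
```

Run it with no arguments to decode the listing's own bytes, or pass the path of a real file of this kind. decode_file returns the second stage, which is the single statement `$OO00O00O0=str_replace('__FILE__',"'".$OOO0O0O00."'",($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,$OO00O0000),'audRZXW8...hE2I=','ABCDEFGH...+/'))));fclose($O000O0O00);eval($OO00O00O0);`, and the 985-byte third stage, which begins with error_reporting(E_ERROR);. Pass header_len=HEADER_LEN + 1 to decode_file and both results turn to garbage or None, which is the failure mode a shifted byte layout produces.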