研究废了一段php代码
先贴一段代码
代码见评论1
经过2个小时的研究
研究如下
////原文件开头还有一句 $XnNhAWEnhoiqwciqpoHH=file(__FILE__);(这里没有贴出),它把文件自身按行读入数组,后面的函数再从中取出 __halt_compiler(); 之后的加密代码
if(!function_exists("YiunIUY76bBhuhNYIO8"))
///Guard: the helper is declared only when no function of this name exists yet.
///Presumably this lets several files produced by the same encoder be loaded in
///one request without a "cannot redeclare" fatal error.
{function YiunIUY76bBhuhNYIO8($g,$b=0)
///Stage-1 helper of the loader: cuts one of three fixed regions out of the
///file's own text.
///  $g  array of lines; every call site on this page passes
///      $XnNhAWEnhoiqwciqpoHH, i.e. the result of file(__FILE__)
///  $b  region selector: 0 (default) = stage-2 code, 1 = digest,
///      anything else = payload
///Returns the selected substring.
{
$a=implode("\n",$g);
///Joins the lines back into one string. NOTE(review): file() keeps each line's
///terminator by default, so an extra "\n" is inserted between lines here; the
///offsets below index into this joined string, not into the raw file bytes.
$d=array(655,236,40);
///Fixed layout table: [0] 0-based start offset of the stage-2 code, [1] its
///length (236 base64 characters), [2] length of the value that follows it
///(40 characters, the size of one SHA-1 hex digest).
if($b==0)
///Selector 0 (loose comparison): the 236 characters starting at offset 655.
$f=substr($a,$d[0],$d[1]);
elseif($b==1)
///Selector 1: the 40 characters starting at offset 655+236 = 891.
$f=substr($a,$d[0]+$d[1],$d[2]);
else
///Any other selector: everything from offset 655+236+40 = 931 to the end.
$f=trim(substr($a,$d[0]+$d[1]+$d[2]));
///trim() without a character list strips whitespace from both ends only;
///whitespace inside the string is kept.
return($f);
}}
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
///Step 1: selector 0 returns the 236 base64 characters at offset 655 of the
///joined file text. Decoded, they are the definition of ZsldkfhGYU87iyihdfsow
///(listed after __halt_compiler(); below), and eval() declares that function.
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
///Step 2: selector 2 returns everything from offset 931 to the end of the file
///(whitespace trimmed at both ends only) and selector 1 returns the 40
///characters at offset 891. ZsldkfhGYU87iyihdfsow() compares the SHA-1 of the
///first value with the second and, if they match, returns the base64-decoded,
///inflated text, which this eval() then runs as PHP.
///NOTE(review): both eval() calls execute text read from the file itself. When
///triaging a file of this shape, decode the regions offline and read the
///result instead of letting the loader run.
__halt_compiler();
///Compilation stops here; everything after this statement in the real file is
///data that only the helper above reads. In the real file that data is the
///base64 text, not the plain function definition shown next.
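if(!function_exists("ZsldkfhGYU87iyihdfsow"))
///Guard: declared only when no function of this name exists yet.
{function ZsldkfhGYU87iyihdfsow($a,$h)
///Stage-2 helper of the loader: integrity check plus unpacking.
///  $a  the payload as stored in the file (base64 text)
///  $h  the expected SHA-1 hex digest of $a
///Returns the unpacked payload text on a digest match; otherwise prints an
///error message and returns nothing (null).
{if($h==sha1($a))
///The digest is taken over the base64 text itself, before any decoding.
///NOTE(review): loose == on two hex strings - two digests that both look like
///"0e<digits>" compare equal as numbers. Kept exactly as decoded from the sample.
{return(gzinflate(base64_decode($a)));}
///Returns inflate(base64-decode($a)): gzinflate() expects raw DEFLATE data
///without a gzip or zlib header.
else
///Digest mismatch: the stored payload or the stored digest was changed.
{echo("Error: File Modified");}}}
///The message is only printed; no exception is thrown and no value is returned.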
///
///后面的数据我没有解出来,所以无法判断它具体做了什么。不过按上面的分析,这部分只是 base64 加 gzinflate(原始 DEFLATE)处理过的代码,并没有密钥;在隔离环境里把这段数据离线解码成文本查看即可,不需要运行原文件。
原文件是加密过的 大概如下
<?php /*** PHP Encode www.xxxxxx.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);
eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5jdGlvbiBZaXVuSVVZNzZiQmh1aE5ZSU84KCRnLCRiPTApeyRhPWltcGxvZGUoIlxuIiwkZyk7JGQ9YXJyYXkoNjU1LDIzNiw0MCk7aWYoJGI9PTApICRmPXN1YnN0cigkYSwkZFswXSwkZFsxXSk7ZWxzZWlmKCRiPT0xKSAkZj1zdWJzdHIoJGEsJGRbMF0rJGRbMV0sJGRbMl0pO2Vsc2UgJGY9dHJpbShzdWJzdHIoJGEsJGRbMF0rJGRbMV0rJGRbMl0pKTtyZXR1cm4oJGYpO319"));
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
__halt_compiler();
aWYoIWZ1bmN0aW9uX2V4aXN0cygiWnNsZGtmaEdZVTg3aXlpaGRmc293Iikpe2Z1bmN0aW9uIFpzbGRrZmhHWVU4N2l5aWhkZnNvdygkYSwkaCl7aWYoJGg9PXNoYTEoJGEpKXtyZXR1cm4oZ3ppbmZsYXRlKGJhc2U2NF9kZWNvZGUoJGEpKSk7fWVsc2V7ZWNobygiRXJyb3I6IEZpbGUgTW9kaWZpZWQiKTt9fX0=a6518d125373e6b79ccc3fb81ed77adfc9fe343c3VptbxPZFf5sJP7DIEWMrTqxQ1upCg0oW1XtfirSRuIDikbjmet4ynhmmLnGsXaRwmqzOLsLhi7LSxdEoN0q2rYkFSx5VfNnPBP7E3+h577M+M547NhJUNVKINvn3nvuOc95v6CjsmEhPSvJcx99cmVu/veylJM++0xCSwa+ePbM2TOaqXqedPXCVeUqMpYMS5m78rH06dkzGfhTrlkaNmxLUhTNtjzs1jSczdHVjKrrStkwMXKBt4s8rLjoRo18qmUgKppqmiVVu+7
两个文件链接
链接:https://pan.baidu.com/s/1YgL_iYGwskmIRdJEXy7qqw
提取码:xaz7
版权声明:
作者:xinyu2ru
链接:https://www.rxx0.com/software/research_scrapped_a_piece_of_php_code.html
来源:RUBLOG-分享我的生活
文章版权归作者所有,未经允许请勿转载。
xinyu2ru
/*** PHP Encode http://www.xxxxxx.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);
eval(base64_decode(“aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5jdGlvbiBZaXVuSVVZNzZiQmh1aE5ZSU84KCRnLCRiPTApeyRhPWltcGxvZGUoIlxuIiwkZyk7JGQ9YXJyYXkoNjU1LDIzNiw0MCk7aWYoJGI9PTApICRmPXN1YnN0cigkYSwkZFswXSwkZFsxXSk7ZWxzZWlmKCRiPT0xKSAkZj1zdWJzdHIoJGEsJGRbMF0rJGRbMV0sJGRbMl0pO2Vsc2UgJGY9dHJpbShzdWJzdHIoJGEsJGRbMF0rJGRbMV0rJGRbMl0pKTtyZXR1cm4oJGYpO319”));
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
__halt_compiler();
aWYoIWZ1bmN0aW9uX2V4aXN0cygiWnNsZGtmaEdZVTg3aXlpaGRmc293Iikpe2Z1bmN0aW9uIFpzbGRrZmhHWVU4N2l5aWhkZnNvdygkYSwkaCl7aWYoJGg9PXNoYTEoJGEpKXtyZXR1cm4oZ3ppbmZsYXRlKGJhc2U2NF9kZWNvZGUoJGEpKSk7fWVsc2V7ZWNobygiRXJyb3I6IEZpbGUgTW9kaWZpZWQiKTt9fX0=a6518d125373e6b79ccc3fb81ed77adfc9fe343c3VptbxPZFf5sJP7DIEWMrTqxQ1upCg0oW1XtfirSRuIDikbjmet4ynhmmLnGsXaRwmqzOLsLhi7LSxdEoN0q2rYkFSx5VfNnPBP7E3+h577M+M547NhJUNVKINvn3nvuOc95v6CjsmEhPSvJcx99cmVu/veylJM++0xCSwa+ePbM2TOaqXqedPXCVeUqMpYMS5m78rH06dkzGfhTrlkaNmxLUhTNtjzs1jSczdHVjKrrStkwMXKBt4s8rLjoRo18qmUgKppqmiVVu+7JeUl1XbWRlSZwxfDykoyqDm4o5AwIk5emi3np51IOpMncYvc6tZJpaFJ0fe8AMIEPB4RBeWmiolq6idw8IdK7JS6cUc5K2Yh6TbbUKpxSNSQvSOdmJbl+
xinyu2ru
/*** PHP Encode ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);
///Reads the running file itself into an array of lines (file() on __FILE__).
///The whole file is read, not only its tail; the helper that follows slices
///this text at fixed offsets to reach the data stored after __halt_compiler();.
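if(!function_exists("YiunIUY76bBhuhNYIO8"))
///Guard: the helper is declared only when no function of this name exists yet.
///Presumably this lets several files produced by the same encoder be loaded in
///one request without a "cannot redeclare" fatal error.
{function YiunIUY76bBhuhNYIO8($g,$b=0)
///Stage-1 helper of the loader: cuts one of three fixed regions out of the
///file's own text.
///  $g  array of lines; every call site on this page passes
///      $XnNhAWEnhoiqwciqpoHH, i.e. the result of file(__FILE__)
///  $b  region selector: 0 (default) = stage-2 code, 1 = digest,
///      anything else = payload
///Returns the selected substring.
{
$a=implode("\n",$g);
///Joins the lines back into one string. NOTE(review): file() keeps each line's
///terminator by default, so an extra "\n" is inserted between lines here; the
///offsets below index into this joined string, not into the raw file bytes.
$d=array(655,236,40);
///Fixed layout table: [0] 0-based start offset of the stage-2 code, [1] its
///length (236 base64 characters), [2] length of the value that follows it
///(40 characters, the size of one SHA-1 hex digest).
if($b==0)
///Selector 0 (loose comparison): the 236 characters starting at offset 655.
$f=substr($a,$d[0],$d[1]);
elseif($b==1)
///Selector 1: the 40 characters starting at offset 655+236 = 891.
$f=substr($a,$d[0]+$d[1],$d[2]);
else
///Any other selector: everything from offset 655+236+40 = 931 to the end.
$f=trim(substr($a,$d[0]+$d[1]+$d[2]));
///trim() without a character list strips whitespace from both ends only;
///whitespace inside the string is kept.
return($f);
}}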
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
///Step 1: selector 0 returns the 236 base64 characters at offset 655 of the
///joined file text. Decoded, they are the definition of ZsldkfhGYU87iyihdfsow
///(listed after __halt_compiler(); below), and eval() declares that function.
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
///Step 2: selector 2 returns everything from offset 931 to the end of the file
///(whitespace trimmed at both ends only) and selector 1 returns the 40
///characters at offset 891. ZsldkfhGYU87iyihdfsow() compares the SHA-1 of the
///first value with the second and, if they match, returns the base64-decoded,
///inflated text, which this eval() then runs as PHP.
///NOTE(review): both eval() calls execute text read from the file itself. When
///triaging a file of this shape, decode the regions offline and read the
///result instead of letting the loader run.
__halt_compiler();
///Compilation stops here; everything after this statement in the real file is
///data that only the helper above reads. In the real file that data is the
///base64 text, not the plain function definition shown next.
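if(!function_exists("ZsldkfhGYU87iyihdfsow"))
///Guard: declared only when no function of this name exists yet.
{function ZsldkfhGYU87iyihdfsow($a,$h)
///Stage-2 helper of the loader: integrity check plus unpacking.
///  $a  the payload as stored in the file (base64 text)
///  $h  the expected SHA-1 hex digest of $a
///Returns the unpacked payload text on a digest match; otherwise prints an
///error message and returns nothing (null).
{if($h==sha1($a))
///The digest is taken over the base64 text itself, before any decoding.
///NOTE(review): loose == on two hex strings - two digests that both look like
///"0e<digits>" compare equal as numbers. Kept exactly as decoded from the sample.
{return(gzinflate(base64_decode($a)));}
///Returns inflate(base64-decode($a)): gzinflate() expects raw DEFLATE data
///without a gzip or zlib header.
else
///Digest mismatch: the stored payload or the stored digest was changed.
{echo("Error: File Modified");}}}
///The message is only printed; no exception is thrown and no value is returned.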
///
///后面的数据我没有解出来,所以无法判断它具体做了什么。不过按上面的分析,这部分只是 base64 加 gzinflate(原始 DEFLATE)处理过的代码,并没有密钥;在隔离环境里把这段数据离线解码成文本查看即可,不需要运行原文件。