
研究废了一段php代码

先贴一段代码

代码见评论1

 

 

经过2个小时的研究

研究如下


////这里原本还有一句 $XnNhAWEnhoiqwciqpoHH=file(__FILE__);(见下文的原文件),它把当前文件整个按行读入数组,其中也包括 __halt_compiler(); 后面的编码数据

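// Guard: declare the extractor only when no function of this name exists yet, so
// evaluating the stub a second time cannot trigger a redeclaration error.
// NOTE(review): the page shows typographic quotes around the string literals; the
// base64 stub this listing was decoded from uses ASCII double quotes, restored here.
if (!function_exists("YiunIUY76bBhuhNYIO8")) {
    /**
     * Return one fixed-offset segment of the joined input lines.
     *
     * The statements are kept as in the decoded sample (loose `==`, hard-coded
     * offsets); only the layout, the quotes and the comments differ.
     *
     * @param array $g Lines to join; the loader on this page passes file(__FILE__).
     * @param int   $b 0: 236 characters from offset 655; 1: the next 40 characters
     *                 (offset 891); any other value: everything from offset 931,
     *                 with leading and trailing whitespace trimmed.
     * @return string The selected segment.
     */
    function YiunIUY76bBhuhNYIO8($g, $b = 0)
    {
        // Rebuild one string from the line array.
        // NOTE(review): file() without flags keeps each line's newline, so joining
        // with "\n" doubles them; the offsets below count positions in this joined
        // string - confirm against the real file before treating them as raw byte offsets.
        $a = implode("\n", $g);
        // [start of segment 0, length of segment 0, length of segment 1]
        $d = array(655, 236, 40);
        if ($b == 0) {
            $f = substr($a, $d[0], $d[1]);
        } elseif ($b == 1) {
            $f = substr($a, $d[0] + $d[1], $d[2]);
        } else {
            // trim() without a character list strips whitespace at both ends only,
            // not whitespace inside the segment.
            $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
        }
        return ($f);
    }
}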

// Stage 2: the extractor is called with its default mode (0), so it returns the 236
// characters starting at offset 655 ($d[0]=655, $d[1]=236) of the joined file contents;
// that text is base64-decoded and handed to eval().
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
// Stage 3: ZsldkfhGYU87iyihdfsow receives two extractor results and its return value is eval()'d.
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
/// First argument, mode 2: everything from offset 931 (655+236+40) to the end, passed through
/// trim(), which strips whitespace at both ends only (not blank lines or tabs inside the data).
/// Second argument, mode 1: the 40 characters starting at offset 891 (655+236).
/// NOTE(review): eval() runs whatever these segments decode to; read such a file, do not
/// include or execute it outside an isolated analysis environment.

// __halt_compiler() ends compilation here, so the data that follows it in the real file
// is never parsed as PHP source.
__halt_compiler();

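// NOTE(review): the annotated listing places this function after __halt_compiler(), but
// nothing after that call is compiled as source. Per the loader lines on this page, this
// is what eval(base64_decode(...)) produces from the 236-character segment at offset 655.
// The typographic quotes shown on the page are restored to ASCII double quotes here, and
// the un-prefixed annotation line inside the function body is turned into a comment.
if (!function_exists("ZsldkfhGYU87iyihdfsow")) {
    /**
     * Compare the payload text with its expected SHA-1 and, on a match, return it decoded.
     *
     * Logic is kept as in the decoded sample.
     *
     * @param string $a Base64 text of the payload (the segment from offset 931 on).
     * @param string $h Expected SHA-1 hex digest of $a (the 40-character segment).
     * @return string|false|null gzinflate() result on a match; null after printing
     *                           "Error: File Modified" on a mismatch.
     */
    function ZsldkfhGYU87iyihdfsow($a, $h)
    {
        // NOTE(review): `==` is the sample's own loose comparison; PHP compares two
        // numeric-looking strings numerically, so a hardened check would use hash_equals().
        // The digest is unkeyed and stored beside the data it covers, so a match says the
        // payload was not altered by accident, not that the file is authentic.
        if ($h == sha1($a)) {
            // Returns the raw-DEFLATE-decompressed form of the base64-decoded payload.
            return (gzinflate(base64_decode($a)));
        } else {
            // Digest mismatch: report that the file was modified; nothing is returned.
            echo ("Error: File Modified");
        }
    }
}

// The author could not decode the rest of the file and so could not tell what it does.
// NOTE(review): per the function above the payload is base64 text of raw-DEFLATE data,
// not encrypted data, so it can be read without running it: decode it with
// base64_decode() + gzinflate() and write the result out instead of passing it to eval(),
// on an isolated analysis host. The payload printed on this page appears cut off, so this
// needs the complete file.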


原文件是加密过的(从上面的分析看,实际是 base64 编码加 deflate 压缩,并不是真正意义上的加密),大概如下(这里贴出的末尾数据不完整):

<?php /*** PHP Encode www.xxxxxx.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);
// Stage 0 (line above): file(__FILE__) reads this file itself into an array of lines.
// NOTE(review): these comment lines are annotations for reading only. The loader cuts its
// data out by fixed offsets (655, 236, 40), so the real file cannot carry extra lines here.

// Stage 1: the inline base64 text decodes to the definition of YiunIUY76bBhuhNYIO8, the
// fixed-offset extractor; eval() declares it.
// NOTE(review): the quotes around the literal are typographic in this rendering; the real
// file presumably uses ASCII double quotes.
eval(base64_decode(“aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5jdGlvbiBZaXVuSVVZNzZiQmh1aE5ZSU84KCRnLCRiPTApeyRhPWltcGxvZGUoIlxuIiwkZyk7JGQ9YXJyYXkoNjU1LDIzNiw0MCk7aWYoJGI9PTApICRmPXN1YnN0cigkYSwkZFswXSwkZFsxXSk7ZWxzZWlmKCRiPT0xKSAkZj1zdWJzdHIoJGEsJGRbMF0rJGRbMV0sJGRbMl0pO2Vsc2UgJGY9dHJpbShzdWJzdHIoJGEsJGRbMF0rJGRbMV0rJGRbMl0pKTtyZXR1cm4oJGYpO319”));

// Stage 2: extractor mode 0 returns the first data segment; it is base64-decoded and eval()'d.
eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));

// Stage 3: ZsldkfhGYU87iyihdfsow is given the mode-2 segment (rest of the file, trimmed) and
// the mode-1 segment (40 characters); whatever it returns is eval()'d.
eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));

// Compilation stops here; the text after this call is data read back through file(__FILE__).
__halt_compiler();

aWYoIWZ1bmN0aW9uX2V4aXN0cygiWnNsZGtmaEdZVTg3aXlpaGRmc293Iikpe2Z1bmN0aW9uIFpzbGRrZmhHWVU4N2l5aWhkZnNvdygkYSwkaCl7aWYoJGg9PXNoYTEoJGEpKXtyZXR1cm4oZ3ppbmZsYXRlKGJhc2U2NF9kZWNvZGUoJGEpKSk7fWVsc2V7ZWNobygiRXJyb3I6IEZpbGUgTW9kaWZpZWQiKTt9fX0=a6518d125373e6b79ccc3fb81ed77adfc9fe343c3VptbxPZFf5sJP7DIEWMrTqxQ1upCg0oW1XtfirSRuIDikbjmet4ynhmmLnGsXaRwmqzOLsLhi7LSxdEoN0q2rYkFSx5VfNnPBP7E3+h577M+M547NhJUNVKINvn3nvuOc95v6CjsmEhPSvJcx99cmVu/veylJM++0xCSwa+ePbM2TOaqXqedPXCVeUqMpYMS5m78rH06dkzGfhTrlkaNmxLUhTNtjzs1jSczdHVjKrrStkwMXKBt4s8rLjoRo18qmUgKppqmiVVu+7

 

 

 

两个文件链接

 

链接:https://pan.baidu.com/s/1YgL_iYGwskmIRdJEXy7qqw
提取码:xaz7


我想说 2

  1. #-49

    /*** PHP Encode http://www.xxxxxx.com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);
    // Stage 0 (line above): file(__FILE__) reads this file itself into an array of lines.
    // NOTE(review): comment lines here are reading aids only; the loader relies on fixed
    // offsets (655, 236, 40), so the real file cannot contain them.

    // Stage 1: the inline base64 text decodes to the definition of YiunIUY76bBhuhNYIO8
    // (fixed-offset extractor); eval() declares it. The typographic quotes are a rendering
    // artifact, presumably ASCII double quotes in the real file.
    eval(base64_decode(“aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5jdGlvbiBZaXVuSVVZNzZiQmh1aE5ZSU84KCRnLCRiPTApeyRhPWltcGxvZGUoIlxuIiwkZyk7JGQ9YXJyYXkoNjU1LDIzNiw0MCk7aWYoJGI9PTApICRmPXN1YnN0cigkYSwkZFswXSwkZFsxXSk7ZWxzZWlmKCRiPT0xKSAkZj1zdWJzdHIoJGEsJGRbMF0rJGRbMV0sJGRbMl0pO2Vsc2UgJGY9dHJpbShzdWJzdHIoJGEsJGRbMF0rJGRbMV0rJGRbMl0pKTtyZXR1cm4oJGYpO319”));

    // Stage 2: extractor mode 0 returns the first data segment; it is base64-decoded and eval()'d.
    eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));

    // Stage 3: the mode-2 segment and the 40-character mode-1 segment go to
    // ZsldkfhGYU87iyihdfsow; its return value is eval()'d.
    eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));

    // Compilation stops here; the text after this call is data, not source.
    __halt_compiler();

    aWYoIWZ1bmN0aW9uX2V4aXN0cygiWnNsZGtmaEdZVTg3aXlpaGRmc293Iikpe2Z1bmN0aW9uIFpzbGRrZmhHWVU4N2l5aWhkZnNvdygkYSwkaCl7aWYoJGg9PXNoYTEoJGEpKXtyZXR1cm4oZ3ppbmZsYXRlKGJhc2U2NF9kZWNvZGUoJGEpKSk7fWVsc2V7ZWNobygiRXJyb3I6IEZpbGUgTW9kaWZpZWQiKTt9fX0=a6518d125373e6b79ccc3fb81ed77adfc9fe343c3VptbxPZFf5sJP7DIEWMrTqxQ1upCg0oW1XtfirSRuIDikbjmet4ynhmmLnGsXaRwmqzOLsLhi7LSxdEoN0q2rYkFSx5VfNnPBP7E3+h577M+M547NhJUNVKINvn3nvuOc95v6CjsmEhPSvJcx99cmVu/veylJM++0xCSwa+ePbM2TOaqXqedPXCVeUqMpYMS5m78rH06dkzGfhTrlkaNmxLUhTNtjzs1jSczdHVjKrrStkwMXKBt4s8rLjoRo18qmUgKppqmiVVu+7JeUl1XbWRlSZwxfDykoyqDm4o5AwIk5emi3np51IOpMncYvc6tZJpaFJ0fe8AMIEPB4RBeWmiolq6idw8IdK7JS6cUc5K2Yh6TbbUKpxSNSQvSOdmJbl+

    xinyu2ru1个月前 (09-10)Reply
  2. #-48

    /*** PHP Encode ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);
    //// The statement above reads this whole file into an array of lines, which includes
    //// the encoded data that follows __halt_compiler();

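    // Guard: declare the extractor only when no function of this name exists yet, so
    // evaluating the stub a second time cannot trigger a redeclaration error.
    // NOTE(review): the page shows typographic quotes around the string literals; the
    // base64 stub this listing was decoded from uses ASCII double quotes, restored here.
    if (!function_exists("YiunIUY76bBhuhNYIO8")) {
        /**
         * Return one fixed-offset segment of the joined input lines.
         *
         * The statements are kept as in the decoded sample (loose `==`, hard-coded
         * offsets); only the layout, the quotes and the comments differ.
         *
         * @param array $g Lines to join; the loader on this page passes file(__FILE__).
         * @param int   $b 0: 236 characters from offset 655; 1: the next 40 characters
         *                 (offset 891); any other value: everything from offset 931,
         *                 with leading and trailing whitespace trimmed.
         * @return string The selected segment.
         */
        function YiunIUY76bBhuhNYIO8($g, $b = 0)
        {
            // Rebuild one string from the line array.
            // NOTE(review): file() without flags keeps each line's newline, so joining
            // with "\n" doubles them; the offsets below count positions in this joined
            // string - confirm against the real file before treating them as raw byte offsets.
            $a = implode("\n", $g);
            // [start of segment 0, length of segment 0, length of segment 1]
            $d = array(655, 236, 40);
            if ($b == 0) {
                $f = substr($a, $d[0], $d[1]);
            } elseif ($b == 1) {
                $f = substr($a, $d[0] + $d[1], $d[2]);
            } else {
                // trim() without a character list strips whitespace at both ends only,
                // not whitespace inside the segment.
                $f = trim(substr($a, $d[0] + $d[1] + $d[2]));
            }
            return ($f);
        }
    }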

    // Stage 2: the extractor is called with its default mode (0), so it returns the 236
    // characters starting at offset 655 ($d[0]=655, $d[1]=236) of the joined file contents;
    // that text is base64-decoded and handed to eval().
    eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));
    // Stage 3: ZsldkfhGYU87iyihdfsow receives two extractor results and its return value is eval()'d.
    eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));
    /// First argument, mode 2: everything from offset 931 (655+236+40) to the end, passed
    /// through trim(), which strips whitespace at both ends only.
    /// Second argument, mode 1: the 40 characters starting at offset 891 (655+236).
    /// NOTE(review): eval() runs whatever these segments decode to; read such a file, do not
    /// include or execute it outside an isolated analysis environment.

    // __halt_compiler() ends compilation here, so the data that follows it in the real file
    // is never parsed as PHP source.
    __halt_compiler();

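    // NOTE(review): the annotated listing places this function after __halt_compiler(), but
    // nothing after that call is compiled as source. Per the loader lines on this page, this
    // is what eval(base64_decode(...)) produces from the 236-character segment at offset 655.
    // The typographic quotes shown on the page are restored to ASCII double quotes here, and
    // the un-prefixed annotation line inside the function body is turned into a comment.
    if (!function_exists("ZsldkfhGYU87iyihdfsow")) {
        /**
         * Compare the payload text with its expected SHA-1 and, on a match, return it decoded.
         *
         * Logic is kept as in the decoded sample.
         *
         * @param string $a Base64 text of the payload (the segment from offset 931 on).
         * @param string $h Expected SHA-1 hex digest of $a (the 40-character segment).
         * @return string|false|null gzinflate() result on a match; null after printing
         *                           "Error: File Modified" on a mismatch.
         */
        function ZsldkfhGYU87iyihdfsow($a, $h)
        {
            // NOTE(review): `==` is the sample's own loose comparison; PHP compares two
            // numeric-looking strings numerically, so a hardened check would use hash_equals().
            // The digest is unkeyed and stored beside the data it covers, so a match says the
            // payload was not altered by accident, not that the file is authentic.
            if ($h == sha1($a)) {
                // Returns the raw-DEFLATE-decompressed form of the base64-decoded payload.
                return (gzinflate(base64_decode($a)));
            } else {
                // Digest mismatch: report that the file was modified; nothing is returned.
                echo ("Error: File Modified");
            }
        }
    }

    // The author could not decode the rest of the file and so could not tell what it does.
    // NOTE(review): per the function above the payload is base64 text of raw-DEFLATE data,
    // not encrypted data, so it can be read without running it: decode it with
    // base64_decode() + gzinflate() and write the result out instead of passing it to eval(),
    // on an isolated analysis host. The payload printed on this page appears cut off, so this
    // needs the complete file.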

    xinyu2ru1个月前 (09-10)Reply