zvv

base64加密PHP脚本的解码方法

PHP是网站服务端最流行的编程语言之一。PHP运行环境本身是开源的,服务器不加载插件时PHP脚本也无法加密。但是,总有人因为商业上的考虑,而将PHP程序通过各种方法进行混淆,使读者很难看到清晰易懂的代码。

然而,PHP运行环境的本质决定了,被混淆、编码的PHP脚本总是有办法恢复成可读的代码的。本文介绍了一种对含有eval和base64_decode的、被加密的PHP的解码方法。

在使用这种方法之前,你应该准备好:

■能运行PHP的Web服务器,例如 Apache 或 IIS
■wget.exe命令行客户端 或 浏览器
■具备PHP语法高亮功能的文本编辑器,例如 Notepad2

下载每一步的源代码

待解密的PHP代码来自某WordPress模板,来源

//0.php 代码中只有一个eval,先把这个eval替换为echo。

//1.php 运行上述代码。运行的方法是:将代码粘贴到一个PHP文件里,用浏览器访问并查看源代码,或者用wget下载。运行结果是:

//1.txt $lll=0;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;eva l($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));$llll=0;$lllll=3;eval($lllllllllll(" JGw9JGxsbGxsbGxsbGxsKCRvKTs="));$lllllll=0;$llllll=($llllllllll($l[1])<<8)+$llll llllll($l[2]);eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));$lllllllll= 16;$llllllll="";for(;$lllll<$lllllllllllll($l);){if($lllllllll==0){$llllll=($lll lllllll($l[$lllll++])<<8);$llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;}if($ llllll&0x8000){$lll=($llllllllll($l[$lllll++])<<4);$lll+=($llllllllll($l[$lllll] )>>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;for($llll=0;$llll<$ll;$lll l++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else {$ll=($llllllllll($l[$lllll++])<<8);$ll+=$llllllllll($l[$lllll++])+16;for($llll= 0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllll ll+=$ll;}}else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllll llll--;}eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));$lllll=0;eval($llllll lllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));$llllllllll="";for(;$llll l<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllll llll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));eval($ lllllllll);
前后加上 ,加进来原来$o的定义,并将代码稍稍排版一下,可得:

//1r.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs=")); $lllll=0; eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7")); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); eval($lllllllll); ?>
将代码中的第一个eval改成echo,后面的语句删除:

//2.php
运行结果:

//2.txt $lllllllllll='base64_decode';
将运行结果替换掉echo(base64_decode(...))部分,后面的语句粘贴回来:

//2r.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs=")); $lllll=0; eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7")); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); eval($lllllllll); ?>
类似的,反复进行三步操作:

1.将eval替换成echo,删除后面的语句
2.运行
3.用运行结果替换eval语句,恢复后面的语句
直到代码中不再出现eval。

//3.php //3.txt $llllllllll='ord'; //3r.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs=")); $lllll=0; eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7")); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); eval($lllllllll); ?>
仍有eval,继续……

//4.php //4.txt $l=$lllllllllll($o); //4r.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs=")); $lllll=0; eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7")); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); eval($lllllllll); ?>
仍有eval,继续……

//5.php //5.txt $lllllllllllll='strlen'; //5r.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs=")); $lllll=0; eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7")); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); eval($lllllllll); ?>
仍有eval,继续……

//6.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } echo($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs=")); ?> //6.txt $llllllllllll='chr'; //6r.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } $llllllllllll='chr'; $lllll=0; eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7")); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); eval($lllllllll); ?>
仍有eval,继续……

//7.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } $llllllllllll='chr'; $lllll=0; echo($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7")); ?> //7.txt $lllllllll="?".$llllllllllll(62); >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } $llllllllllll='chr'; $lllll=0; $lllllllll="?".$llllllllllll(62); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); eval($lllllllll); ?>
仍有eval,继续……

//8.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } $llllllllllll='chr'; $lllll=0; $lllllllll="?".$llllllllllll(62); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} echo($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO w==")); ?> //8.txt $lllllllll.=$llllllllll.$llllllllllll(60)."?"; //8r.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } $llllllllllll='chr'; $lllll=0; $lllllllll="?".$llllllllllll(62); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} $lllllllll.=$llllllllll.$llllllllllll(60)."?"; eval($lllllllll); ?>
仍有eval,继续……

//9.php >4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } $llllllllllll='chr'; $lllll=0; $lllllllll="?".$llllllllllll(62); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} $lllllllll.=$llllllllll.$llllllllllll(60)."?"; echo($lllllllll); ?> //9.txt ?>

>4); if($lll){ $ll=($llllllllll($l[$lllll++])&0x0f)+3; for($llll=0;$llll<$ll;$llll++) $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll]; $lllllll+=$ll; } else{ $ll=($llllllllll($l[$lllll++])<<8); $ll+=$llllllllll($l[$lllll++])+16; for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll])) ; $lllll++; $lllllll+=$ll; } } else $llllllll[$lllllll++]=$llllllllll($l[$lllll++]); $llllll<<=1; $lllllllll--; } $llllllllllll='chr'; $lllll=0; $lllllllll="?".$llllllllllll(62); $llllllllll=""; for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);} $lllllllll.=$llllllllll.$llllllllllll(60)."?"; ?>

没有eval了!9r.php就是真实代码。从功能上看,也不妨把9.txt看作真实代码。

下载每一步的源代码

解码过程的关键是:

■每次只能处理一个eval()块
■eval不能在循环、条件分支内部,否则不适用本方法
■eval替换成echo后,必须把后面的代码删除
■获得运行结果后,用运行结果替换原来的eval,必须保留之前、之后的所有代码
PHP解密的难点,并不是技术问题,而是耐心。PHP解码,需要你作好打持久战的准备,才能顺利完成。

如果你正被形如eval(base64_decode(...))的PHP代码困扰,祝您在阅读本文后能顺利解密PHP代码。

转载自:http://yoursunny.com/t/2009/PHP-decode/

当前页面是本站的「Google AMP」版。查看和发表评论请点击:完整版 »

因本文不是用Markdown格式的编辑器书写的,转换的页面可能不符合AMP标准。