PHP是网站服务端最流行的编程语言之一。PHP运行环境本身是开源的,服务器不加载插件时PHP脚本也无法加密。但是,总有人因为商业上的考虑,而将PHP程序通过各种方法进行混淆,使读者很难看到清晰易懂的代码。
然而,PHP运行环境的本质决定了,被混淆、编码的PHP脚本总是有办法恢复成可读的代码的。本文介绍了一种对含有eval和base64_decode的、被加密的PHP的解码方法。
在使用这种方法之前,你应该准备好:
■能运行PHP的Web服务器,例如 Apache 或 IIS
■wget.exe命令行客户端 或 浏览器
■具备PHP语法高亮功能的文本编辑器,例如 Notepad2
待解密的PHP代码来自某WordPress模板,来源
//0.php
代码中只有一个eval,先把这个eval替换为echo。
//1.php
运行上述代码。运行的方法是:将代码粘贴到一个PHP文件里,用浏览器访问并查看源代码,或者用wget下载。运行结果是:
//1.txt
$lll=0;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;eva
l($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));$llll=0;$lllll=3;eval($lllllllllll("
JGw9JGxsbGxsbGxsbGxsKCRvKTs="));$lllllll=0;$llllll=($llllllllll($l[1])<<8)+$llll
llllll($l[2]);eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));$lllllllll=
16;$llllllll="";for(;$lllll<$lllllllllllll($l);){if($lllllllll==0){$llllll=($lll
lllllll($l[$lllll++])<<8);$llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;}if($
llllll&0x8000){$lll=($llllllllll($l[$lllll++])<<4);$lll+=($llllllllll($l[$lllll]
)>>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;for($llll=0;$llll<$ll;$lll
l++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else
{$ll=($llllllllll($l[$lllll++])<<8);$ll+=$llllllllll($l[$lllll++])+16;for($llll=
0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllll
ll+=$ll;}}else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllll
llll--;}eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));$lllll=0;eval($llllll
lllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));$llllllllll="";for(;$llll
l<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllll
llll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));eval($
lllllllll);
前后加上 ,加进来原来$o的定义,并将代码稍稍排版一下,可得:
//1r.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
eval($lllllllll);
?>
将代码中的第一个eval改成echo,后面的语句删除:
//2.php
运行结果:
//2.txt
$lllllllllll='base64_decode';
将运行结果替换掉echo(base64_decode(...))部分,后面的语句粘贴回来:
//2r.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
eval($lllllllll);
?>
类似的,反复进行三步操作:
1.将eval替换成echo,删除后面的语句
2.运行
3.用运行结果替换eval语句,恢复后面的语句
直到代码中不再出现eval。
//3.php
//3.txt
$llllllllll='ord';
//3r.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
eval($lllllllll);
?>
仍有eval,继续……
//4.php
//4.txt
$l=$lllllllllll($o);
//4r.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
eval($lllllllll);
?>
仍有eval,继续……
//5.php
//5.txt
$lllllllllllll='strlen';
//5r.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
eval($lllllllll);
?>
仍有eval,继续……
//6.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
echo($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
?>
//6.txt
$llllllllllll='chr';
//6r.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
$llllllllllll='chr';
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
eval($lllllllll);
?>
仍有eval,继续……
//7.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
$llllllllllll='chr';
$lllll=0;
echo($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
?>
//7.txt
$lllllllll="?".$llllllllllll(62);
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
$llllllllllll='chr';
$lllll=0;
$lllllllll="?".$llllllllllll(62);
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
eval($lllllllll);
?>
仍有eval,继续……
//8.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
$llllllllllll='chr';
$lllll=0;
$lllllllll="?".$llllllllllll(62);
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
echo($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iO
w=="));
?>
//8.txt
$lllllllll.=$llllllllll.$llllllllllll(60)."?";
//8r.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
$llllllllllll='chr';
$lllll=0;
$lllllllll="?".$llllllllllll(62);
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
$lllllllll.=$llllllllll.$llllllllllll(60)."?";
eval($lllllllll);
?>
仍有eval,继续……
//9.php
>4);
if($lll){
$ll=($llllllllll($l[$lllll++])&0x0f)+3;
for($llll=0;$llll<$ll;$llll++)
$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];
$lllllll+=$ll;
}
else{
$ll=($llllllllll($l[$lllll++])<<8);
$ll+=$llllllllll($l[$lllll++])+16;
for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]))
;
$lllll++;
$lllllll+=$ll;
}
}
else
$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);
$llllll<<=1;
$lllllllll--;
}
$llllllllllll='chr';
$lllll=0;
$lllllllll="?".$llllllllllll(62);
$llllllllll="";
for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}
$lllllllll.=$llllllllll.$llllllllllll(60)."?";
echo($lllllllll);
?>
//9.txt
?>