php base64的解密方法

最近看到一个php加密的文件,现在来分析一下解密思路

加密源码如下:

代码中只有一个eval,我们先将这个eval替换成echo

运行该文件(echo 只是不再执行这一段,它之前的语句仍会照常执行,所以应在隔离的测试环境里运行),查看网页源码,运行结果为:

// Output of the first peeling step: the second-stage loader, still obfuscated and on one line.
// It reads the blob in $o, which is defined in the outer file and not in this output.
// Each inner eval() only defines one variable (a function name or the decoded input);
// the final eval($lllllllll) is the one that runs the decoded payload.
$lll=0;eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));$ll=0;eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));$llll=0;$lllll=3;eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));$lllllll=0;$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));$lllllllll=16;$llllllll="";for(;$lllll<$lllllllllllll($l);){if($lllllllll==0){$llllll=($llllllllll($l[$lllll++])<<8);$llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;}if($llllll&0x8000){$lll=($llllllllll($l[$lllll++])<<4);$lll+=($llllllllll($l[$lllll])>>4);if($lll){$ll=($llllllllll($l[$lllll++])&0x0f)+3;for($llll=0;$llll<$ll;$llll++)$llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];$lllllll+=$ll;}else{$ll=($llllllllll($l[$lllll++])<<8);$ll+=$llllllllll($l[$lllll++])+16;for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));$lllll++;$lllllll+=$ll;}}else$llllllll[$lllllll++]=$llllllllll($l[$lllll++]);$llllll<<=1;$lllllllll--;}eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));$lllll=0;eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));$llllllllll="";for(;$lllll<$lllllll;){$llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);}eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));eval($lllllllll);

前后加上<?php?>和之前的$o,并排版一下

<?php
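// Second-stage loader (the text printed by the first echo) with the $o blob put back in front.
// The `$` sigils are restored from the one-line original; without them the listing is not valid PHP.
//
// What the inner eval() calls define, as shown by decoding their base64 arguments:
//   $lllllllllll   (11 x l) = 'base64_decode'
//   $llllllllll    (10 x l) = 'ord'   (reused later as the output string accumulator)
//   $l                      = base64_decode($o)
//   $lllllllllllll (13 x l) = 'strlen'
//   $llllllllllll  (12 x l) = 'chr'
//   $lllllllll     ( 9 x l) = bit counter in the loop, later the string passed to the last eval()
//
// NOTE(review): $llllllll starts as "" and is then written by integer index with integer values.
// PHP before 7.1 silently turned the empty string into an array here; PHP 7.1+ performs
// string-offset writes instead, so on current PHP the buffer is not what the sample intends.
// Kept exactly as in the sample.
$o = "QAAADg4KDQ4OO2NucSdka2Z0dAAROiVka2JmdSU5OygBQDkKDQIBgAMAxjsmKionKEpmbmknKioB1QFBAwVBaGhzYnUBVATibmM6JWEBYiUCkQAEQHViYmknQ2JrbmBvcwCAdG4AAGBpYmMnZX4KDTtmJ291YmEAADolb3Nzdz0oKHBwcCllfnMAAGJ0YWh1ZmtrKWRoaiglOUWBAAEnJ1BiZWNiBCE7KGY5J0RoYxQAbmlgBLAnBK9wKWpmbmZvaHRzoA4EcSUC0G9iZncncGJlJwFRA4AEMnuBSAO+c2Jqd2tmCFAzCDQlOQdgdG5zHgBiJ1MBtQOzDB8MEXNvYndmc25oKSEAcHQL0Fd1bnEE0CdMdWZpbGJpAA9xYnV0bmRvYnVyaWAEUhZwFksVCfwYBhAYwgIjAGMBQBdxKFdmYGIXYwEgOHdvkGANsHdYF3MvLjwnOBewAZAoZWhjfoAAALRvc2prOQ==";
$lll = 0;
eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));
$ll = 0;
eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));
$llll = 0;
$lllll = 3; // input index: decoding starts at byte 3, bytes 1-2 are the first flag word
eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));
$lllllll = 0; // output position
$llllll = ($llllllllll($l[1]) << 8) + $llllllllll($l[2]);
eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));
$lllllllll = 16; // flag bits left in the current 16-bit flag word
$llllllll = "";
for (; $lllll < $lllllllllllll($l);) {
    // Reload the flag word after 16 items.
    if ($lllllllll == 0) {
        $llllll = ($llllllllll($l[$lllll++]) << 8);
        $llllll += $llllllllll($l[$lllll++]);
        $lllllllll = 16;
    }
    if ($llllll & 0x8000) {
        // Flag bit set: 12-bit distance built from one byte and the high nibble of the next.
        $lll = ($llllllllll($l[$lllll++]) << 4);
        $lll += ($llllllllll($l[$lllll]) >> 4);
        if ($lll) {
            // Non-zero distance: copy (low nibble + 3) items from earlier output.
            $ll = ($llllllllll($l[$lllll++]) & 0x0f) + 3;
            for ($llll = 0; $llll < $ll; $llll++) {
                $llllllll[$lllllll + $llll] = $llllllll[$lllllll - $lll + $llll];
            }
            $lllllll += $ll;
        } else {
            // Zero distance: a run of one repeated byte, length from two bytes plus 16.
            $ll = ($llllllllll($l[$lllll++]) << 8);
            $ll += $llllllllll($l[$lllll++]) + 16;
            for ($llll = 0; $llll < $ll; $llllllll[$lllllll + $llll++] = $llllllllll($l[$lllll])) ;
            $lllll++;
            $lllllll += $ll;
        }
    } else {
        // Flag bit clear: literal byte.
        $llllllll[$lllllll++] = $llllllllll($l[$lllll++]);
    }
    $llllll <<= 1;
    $lllllllll--;
}
eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll = 0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll = "";
// Every decoded value is XORed with 0x07 before being turned back into a character.
for (; $lllll < $lllllll;) {
    $llllllllll .= $llllllllllll($llllllll[$lllll++] ^ 0x07);
}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));
// This last eval() is the one that executes the decoded payload held in $lllllllll.
eval($lllllllll);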
?>

将第一个eval改成echo,并删除后面的代码

<?php
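// First peeling step: the code after the first eval() is cut off and that eval() becomes echo,
// so the hidden statement is printed as text instead of being executed.
// The `$` sigils are restored; without them the listing is not valid PHP.
$o = "QAAADg4KDQ4OO2NucSdka2Z0dAAROiVka2JmdSU5OygBQDkKDQIBgAMAxjsmKionKEpmbmknKioB1QFBAwVBaGhzYnUBVATibmM6JWEBYiUCkQAEQHViYmknQ2JrbmBvcwCAdG4AAGBpYmMnZX4KDTtmJ291YmEAADolb3Nzdz0oKHBwcCllfnMAAGJ0YWh1ZmtrKWRoaiglOUWBAAEnJ1BiZWNiBCE7KGY5J0RoYxQAbmlgBLAnBK9wKWpmbmZvaHRzoA4EcSUC0G9iZncncGJlJwFRA4AEMnuBSAO+c2Jqd2tmCFAzCDQlOQdgdG5zHgBiJ1MBtQOzDB8MEXNvYndmc25oKSEAcHQL0Fd1bnEE0CdMdWZpbGJpAA9xYnV0bmRvYnVyaWAEUhZwFksVCfwYBhAYwgIjAGMBQBdxKFdmYGIXYwEgOHdvkGANsHdYF3MvLjwnOBewAZAoZWhjfoAAALRvc2prOQ==";
$lll = 0;
echo(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));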
?>

然后接着运行该文件,查看网页源码

// Printed result of the step above: the hidden statement only stores the function name
// 'base64_decode' in a variable, which the following eval() calls then invoke by name.
$lllllllllll='base64_decode';

将运行结果替换掉echo(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs=")),并将之前去掉的代码放回原处

<?php
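// Loader after the first substitution: the first eval() has been replaced by the statement
// it produced, and the remaining eval() calls are still in place.
// The `$` sigils are restored from the one-line original; without them the listing is not valid PHP.
//
// NOTE(review): $llllllll starts as "" and is then written by integer index with integer values.
// PHP before 7.1 silently turned the empty string into an array here; PHP 7.1+ performs
// string-offset writes instead, so on current PHP the buffer is not what the sample intends.
// Kept exactly as in the sample.
$o = "QAAADg4KDQ4OO2NucSdka2Z0dAAROiVka2JmdSU5OygBQDkKDQIBgAMAxjsmKionKEpmbmknKioB1QFBAwVBaGhzYnUBVATibmM6JWEBYiUCkQAEQHViYmknQ2JrbmBvcwCAdG4AAGBpYmMnZX4KDTtmJ291YmEAADolb3Nzdz0oKHBwcCllfnMAAGJ0YWh1ZmtrKWRoaiglOUWBAAEnJ1BiZWNiBCE7KGY5J0RoYxQAbmlgBLAnBK9wKWpmbmZvaHRzoA4EcSUC0G9iZncncGJlJwFRA4AEMnuBSAO+c2Jqd2tmCFAzCDQlOQdgdG5zHgBiJ1MBtQOzDB8MEXNvYndmc25oKSEAcHQL0Fd1bnEE0CdMdWZpbGJpAA9xYnV0bmRvYnVyaWAEUhZwFksVCfwYBhAYwgIjAGMBQBdxKFdmYGIXYwEgOHdvkGANsHdYF3MvLjwnOBewAZAoZWhjfoAAALRvc2prOQ==";
$lll = 0;
$lllllllllll='base64_decode'; // replaces the first eval()
$ll = 0;
eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7")); // next eval() to peel
$llll = 0;
$lllll = 3;
eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));
$lllllll = 0;
$llllll = ($llllllllll($l[1]) << 8) + $llllllllll($l[2]);
eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));
$lllllllll = 16;
$llllllll = "";
for (; $lllll < $lllllllllllll($l);) {
    // Reload the 16-bit flag word after 16 items.
    if ($lllllllll == 0) {
        $llllll = ($llllllllll($l[$lllll++]) << 8);
        $llllll += $llllllllll($l[$lllll++]);
        $lllllllll = 16;
    }
    if ($llllll & 0x8000) {
        // Flag bit set: distance from one byte and the high nibble of the next.
        $lll = ($llllllllll($l[$lllll++]) << 4);
        $lll += ($llllllllll($l[$lllll]) >> 4);
        if ($lll) {
            // Non-zero distance: copy (low nibble + 3) items from earlier output.
            $ll = ($llllllllll($l[$lllll++]) & 0x0f) + 3;
            for ($llll = 0; $llll < $ll; $llll++) {
                $llllllll[$lllllll + $llll] = $llllllll[$lllllll - $lll + $llll];
            }
            $lllllll += $ll;
        } else {
            // Zero distance: a run of one repeated byte, length from two bytes plus 16.
            $ll = ($llllllllll($l[$lllll++]) << 8);
            $ll += $llllllllll($l[$lllll++]) + 16;
            for ($llll = 0; $llll < $ll; $llllllll[$lllllll + $llll++] = $llllllllll($l[$lllll])) ;
            $lllll++;
            $lllllll += $ll;
        }
    } else {
        // Flag bit clear: literal byte.
        $llllllll[$lllllll++] = $llllllllll($l[$lllll++]);
    }
    $llllll <<= 1;
    $lllllllll--;
}
eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll = 0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll = "";
for (; $lllll < $lllllll;) {
    $llllllllll .= $llllllllllll($llllllll[$lllll++] ^ 0x07);
}
eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));
// This last eval() is the one that executes the decoded payload held in $lllllllll.
eval($lllllllll);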
?>

重复以上操作

  • eval替换成echo
  • 删除当前eval后面的代码
  • 然后运行
  • 将运行结果替换掉eval那一段
  • 将剩下的部分补回
  • 重复该步骤,直至没有eval

最终代码如下:

<?php
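// Fully peeled loader: every inner eval() has been replaced by the statement it produced, and the
// final eval($lllllllll) has been dropped, so nothing decoded is executed here.
// The `$` sigils are restored; without them the listing is not valid PHP.
//
// After this code runs, $lllllllll holds the decoded payload wrapped as "?>" ... "<?".
// To read the payload, print that string as text (for example through htmlspecialchars());
// do not pass it back to eval().
$o = "QAAADg4KDQ4OO2NucSdka2Z0dAAROiVka2JmdSU5OygBQDkKDQIBgAMAxjsmKionKEpmbmknKioB1QFBAwVBaGhzYnUBVATibmM6JWEBYiUCkQAEQHViYmknQ2JrbmBvcwCAdG4AAGBpYmMnZX4KDTtmJ291YmEAADolb3Nzdz0oKHBwcCllfnMAAGJ0YWh1ZmtrKWRoaiglOUWBAAEnJ1BiZWNiBCE7KGY5J0RoYxQAbmlgBLAnBK9wKWpmbmZvaHRzoA4EcSUC0G9iZncncGJlJwFRA4AEMnuBSAO+c2Jqd2tmCFAzCDQlOQdgdG5zHgBiJ1MBtQOzDB8MEXNvYndmc25oKSEAcHQL0Fd1bnEE0CdMdWZpbGJpAA9xYnV0bmRvYnVyaWAEUhZwFksVCfwYBhAYwgIjAGMBQBdxKFdmYGIXYwEgOHdvkGANsHdYF3MvLjwnOBewAZAoZWhjfoAAALRvc2prOQ==";
$lll = 0;                          // back-reference distance
$lllllllllll='base64_decode';
$ll = 0;                           // item count of the current copy or run
$llllllllll='ord';                 // reused further down as the output string accumulator
$llll = 0;                         // inner loop counter
$lllll = 3;                        // input index: bytes 1-2 are the first flag word
$l=$lllllllllll($o);               // raw input bytes
$lllllll = 0;                      // output position
$llllll = ($llllllllll($l[1]) << 8) + $llllllllll($l[2]); // current 16-bit flag word
$lllllllllllll='strlen';
$lllllllll = 16;                   // flag bits left in the current flag word
// The sample initialises this buffer with "". Integer-indexed writes to an empty string only
// behaved like array writes before PHP 7.1; an array gives the intended buffer on every version.
$llllllll = [];
for (; $lllll < $lllllllllllll($l);) {
    // Reload the flag word after 16 items.
    if ($lllllllll == 0) {
        $llllll = ($llllllllll($l[$lllll++]) << 8);
        $llllll += $llllllllll($l[$lllll++]);
        $lllllllll = 16;
    }
    if ($llllll & 0x8000) {
        // Flag bit set: 12-bit distance built from one byte and the high nibble of the next.
        $lll = ($llllllllll($l[$lllll++]) << 4);
        $lll += ($llllllllll($l[$lllll]) >> 4);
        if ($lll) {
            // Non-zero distance: copy (low nibble + 3) items from earlier output.
            $ll = ($llllllllll($l[$lllll++]) & 0x0f) + 3;
            for ($llll = 0; $llll < $ll; $llll++) {
                $llllllll[$lllllll + $llll] = $llllllll[$lllllll - $lll + $llll];
            }
            $lllllll += $ll;
        } else {
            // Zero distance: a run of one repeated byte, length from two bytes plus 16.
            $ll = ($llllllllll($l[$lllll++]) << 8);
            $ll += $llllllllll($l[$lllll++]) + 16;
            for ($llll = 0; $llll < $ll; $llllllll[$lllllll + $llll++] = $llllllllll($l[$lllll])) ;
            $lllll++;
            $lllllll += $ll;
        }
    } else {
        // Flag bit clear: literal byte.
        $llllllll[$lllllll++] = $llllllllll($l[$lllll++]);
    }
    $llllll <<= 1;
    $lllllllll--;
}
$llllllllllll='chr';
$lllll = 0;
$lllllllll="?".$llllllllllll(62);  // "?>"
$llllllllll = "";
// Every decoded value is XORed with 0x07 before being turned back into a character.
for (; $lllll < $lllllll;) {
    $llllllllll .= $llllllllllll($llllllll[$lllll++] ^ 0x07);
}
$lllllllll.=$llllllllll.$llllllllllll(60)."?"; // append the data and a closing "<?"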
?>

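这个应该就是源代码了——准确地说,是解码器本身的源代码:原文件最后的 eval($lllllllll) 在这里已经去掉,被保护的内容是循环解出并与 0x07 异或后存入 $lllllllll 的字符串,要查看它,把最后那个 eval 换成 echo 输出即可。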

解码过程的关键是:

  • 每次只能处理一个eval()块
  • eval不能在循环、条件分支内部,否则不适用本方法
  • eval替换成echo后,必须把后面的代码删除,否则后面的语句(包括其余的eval)仍会被执行
  • 获得运行结果后,用运行结果替换原来的eval,必须保留之前、之后的所有代码