对一些 PHP 代码进行反混淆 [已关闭]

问题描述 投票:0回答:3

我正在尝试对这段 PHP 代码进行反混淆:

<?php /* Reviewer note: obfuscated self-decoding loader, shown as found. The one function decodes the base64 blob passed in the last statement and eval() runs the result. The function also reads this file's own source and calls exit when that source matches a pattern of output-statement keywords, so any edit to the file, comments included, can change what it does. */ if(!function_exists("TC9A16C47DA8EEE87")){function TC9A16C47DA8EEE87($T059EC46CFE335260){$T059EC46CFE335260=base64_decode($T059EC46CFE335260);$TC9A16C47DA8EEE87=0;$TA7FB8B0A1C0E2E9E=0;$T17D35BB9DF7A47E4=0;$T65CE9F6823D588A7=(ord($T059EC46CFE335260[1])<<8)+ord($T059EC46CFE335260[2]);$TBF14159DC7D007D3=3;$T77605D5F26DD5248=0;$T4A747C3263CA7A55=16;$T7C7E72B89B83E235="";$T0D47BDF6FD9DDE2E=strlen($T059EC46CFE335260);$T43D5686285035C13=__FILE__;$T43D5686285035C13=file_get_contents($T43D5686285035C13);$T6BBC58A3B5B11DC4=0;preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"),$T43D5686285035C13,$T6BBC58A3B5B11DC4);for(;$TBF14159DC7D007D3<$T0D47BDF6FD9DDE2E;){if(count($T6BBC58A3B5B11DC4)) exit;if($T4A747C3263CA7A55==0){$T65CE9F6823D588A7=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<8);$T65CE9F6823D588A7+=ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);$T4A747C3263CA7A55=16;}if($T65CE9F6823D588A7&0x8000){$TC9A16C47DA8EEE87=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<4);$TC9A16C47DA8EEE87+=(ord($T059EC46CFE335260[$TBF14159DC7D007D3])>>4);if($TC9A16C47DA8EEE87){$TA7FB8B0A1C0E2E9E=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])&0x0F)+3;for($T17D35BB9DF7A47E4=0;$T17D35BB9DF7A47E4<$TA7FB8B0A1C0E2E9E;$T17D35BB9DF7A47E4++)$T7C7E72B89B83E235[$T77605D5F26DD5248+$T17D35BB9DF7A47E4]=$T7C7E72B89B83E235[$T77605D5F26DD5248-$TC9A16C47DA8EEE87+$T17D35BB9DF7A47E4];$T77605D5F26DD5248+=$TA7FB8B0A1C0E2E9E;}else{$TA7FB8B0A1C0E2E9E=(ord($T059EC46CFE335260[$TBF14159DC7D007D3++])<<8);$TA7FB8B0A1C0E2E9E+=ord($T059EC46CFE335260[$TBF14159DC7D007D3++])+16;for($T17D35BB9DF7A47E4=0;$T17D35BB9DF7A47E4<$TA7FB8B0A1C0E2E9E;$T7C7E72B89B83E235[$T77605D5F26DD5248+$T17D35BB9DF7A47E4++]=$T059EC46CFE335260[$TBF14159DC7D007D3]);$TBF14159DC7D007D3++;$T77605D5F26DD5248+=$TA7FB8B0A1C0E2E9E;}}else 
$T7C7E72B89B83E235[$T77605D5F26DD5248++]=$T059EC46CFE335260[$TBF14159DC7D007D3++];$T65CE9F6823D588A7<<=1;$T4A747C3263CA7A55--;if($TBF14159DC7D007D3==$T0D47BDF6FD9DDE2E){$T43D5686285035C13=implode("",$T7C7E72B89B83E235);$T43D5686285035C13="?".">".$T43D5686285035C13;return $T43D5686285035C13;}}}}eval(TC9A16C47DA8EEE87("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"));?>

现在通过使用 PHP 格式化程序,我成功地使其显示清晰。

<?php
// Reviewer note: self-decoding loader produced by an obfuscator. The function
// below turns a base64 blob into PHP/HTML source text, and the eval() call at
// the bottom of the file executes that text. The T<hex> identifiers carry no
// meaning; the comments name the role each variable plays.
//
// Caution when editing: the decoder reads this very file and calls exit when
// the text matches a pattern of output-statement keywords (see the preg_match
// call), so adding one of those words anywhere in the file, even inside a
// comment, changes what the file does.
if (!function_exists("TC9A16C47DA8EEE87")) {
    /**
     * Decode the embedded blob into source text for eval().
     *
     * The loop looks like an LZ77/LZSS-style decompressor with a run-length
     * escape (reviewer's reading of the code, not a documented format): a
     * 16-bit flag word is consumed most-significant bit first, one bit per
     * token; a clear bit copies one literal byte, a set bit introduces either
     * a back-reference into the output or a repeated-byte run.
     *
     * @param string $T059EC46CFE335260 base64 text of the packed payload
     * @return string|null decoded text prefixed with a PHP closing tag; nothing
     *                     is returned when the loop ends without the read
     *                     position landing exactly on the input length
     */
    function TC9A16C47DA8EEE87($T059EC46CFE335260)
    {
        // From here on the parameter holds the raw decoded bytes.
        $T059EC46CFE335260 = base64_decode($T059EC46CFE335260);
        // Back-reference distance (a local that reuses the function's name).
        $TC9A16C47DA8EEE87 = 0;
        // Length of the current copy or run.
        $TA7FB8B0A1C0E2E9E = 0;
        // Inner loop counter.
        $T17D35BB9DF7A47E4 = 0;
        // First 16-bit flag word, big-endian, from bytes 1 and 2; byte 0 is never read.
        $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[1]) << 8) + ord($T059EC46CFE335260[2]);
        // Read position in the input; tokens start at byte 3.
        $TBF14159DC7D007D3 = 3;
        // Write position in the output.
        $T77605D5F26DD5248 = 0;
        // Flag bits left in the current flag word.
        $T4A747C3263CA7A55 = 16;
        // Output buffer, filled by index assignment.
        // NOTE(review): it starts as an empty string but is handed to implode()
        // at the end, which expects an array; that relies on older PHP turning
        // the string into an array on the first indexed write. Confirm on the
        // PHP version in use.
        $T7C7E72B89B83E235 = "";
        // Input length in bytes.
        $T0D47BDF6FD9DDE2E = strlen($T059EC46CFE335260);
        // Self-check: load this file's own source and match it against a
        // pattern that is itself base64-encoded; decoded, the pattern is an
        // alternation of three output-statement keywords.
        $T43D5686285035C13 = __FILE__;
        $T43D5686285035C13 = file_get_contents($T43D5686285035C13);
        $T6BBC58A3B5B11DC4 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $T43D5686285035C13, $T6BBC58A3B5B11DC4);
        for (; $TBF14159DC7D007D3 < $T0D47BDF6FD9DDE2E; ) {
            // A hit from the self-check ends the script on the first pass,
            // before any byte has been decoded.
            if (count($T6BBC58A3B5B11DC4))
                exit;
            // All 16 flag bits used: read the next big-endian flag word.
            if ($T4A747C3263CA7A55 == 0) {
                $T65CE9F6823D588A7 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                $T65CE9F6823D588A7 += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]);
                $T4A747C3263CA7A55 = 16;
            }
            // Top flag bit set: the token is a back-reference or a run.
            if ($T65CE9F6823D588A7 & 0x8000) {
                // 12-bit distance: one whole byte, then the high nibble of the
                // next byte (the read position stays on that second byte).
                $TC9A16C47DA8EEE87 = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 4);
                $TC9A16C47DA8EEE87 += (ord($T059EC46CFE335260[$TBF14159DC7D007D3]) >> 4);
                if ($TC9A16C47DA8EEE87) {
                    // Back-reference: length is the low nibble plus 3; bytes are
                    // copied one at a time from `distance` positions back in the
                    // output, so source and destination may overlap.
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) & 0x0F) + 3;
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T17D35BB9DF7A47E4++)
                        $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4] = $T7C7E72B89B83E235[$T77605D5F26DD5248 - $TC9A16C47DA8EEE87 + $T17D35BB9DF7A47E4];
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                } else {
                    // Distance zero marks a run: a 16-bit count (plus 16)
                    // followed by the single byte to repeat.
                    $TA7FB8B0A1C0E2E9E = (ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) << 8);
                    $TA7FB8B0A1C0E2E9E += ord($T059EC46CFE335260[$TBF14159DC7D007D3++]) + 16;
                    // Empty-bodied loop: the assignment in the step expression does the fill.
                    for ($T17D35BB9DF7A47E4 = 0; $T17D35BB9DF7A47E4 < $TA7FB8B0A1C0E2E9E; $T7C7E72B89B83E235[$T77605D5F26DD5248 + $T17D35BB9DF7A47E4++] = $T059EC46CFE335260[$TBF14159DC7D007D3]);
                    $TBF14159DC7D007D3++;
                    $T77605D5F26DD5248 += $TA7FB8B0A1C0E2E9E;
                }
            } else
                // Top flag bit clear: copy one literal byte.
                $T7C7E72B89B83E235[$T77605D5F26DD5248++] = $T059EC46CFE335260[$TBF14159DC7D007D3++];
            // Move on to the next flag bit.
            $T65CE9F6823D588A7 <<= 1;
            $T4A747C3263CA7A55--;
            // Input consumed exactly: join the output and prepend a PHP closing
            // tag (built from two pieces) so the text starts outside PHP mode.
            if ($TBF14159DC7D007D3 == $T0D47BDF6FD9DDE2E) {
                $T43D5686285035C13 = implode("", $T7C7E72B89B83E235);
                $T43D5686285035C13 = "?" . ">" . $T43D5686285035C13;
                return $T43D5686285035C13;
            }
        }
    }
}
// Executes the decoded text in the context of this script.
// NOTE(review): to inspect the payload, display the decoder's return value
// instead of evaluating it, and do so on an isolated machine.
eval(TC9A16C47DA8EEE87("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"));
?>

现在我想查看文件末尾传给 eval 的那段 Base64 文本的内容。使用这个工具解码后,我能看到一些东西,但结果并不准确:

@��<div class="dere��cha mini">provee�dores v.1.0.3</�>
<h3>P</�`?ph��p  PIGUI::CheckI�nc();  ?R4>Crearh 4form id="�_�" action="indexA.?op=<
o $op;�&amp;importa*pi` _" methopost"�� onsubmit="retur$n valid.V�rF    (t�his.id)"table�@ if(dVers Mayor(��_PS_VERSION_, '1��.5.0'))  {    $ti��endas = $db->Get�Rows("SELECT _s�hop,�name FROM "�._DB_PREFIX_." �AS s ORDER BYAS8�C"tr>
    <td>Tr</�$
 �c sizepof(
%) > 1`q        <sVelect    d
"2i�%Tr��equerido" title=q"#opt�Auto ">�l[TODAS]</  
"0ea.�ch     0

Eprintf("<\"%u\">%sv\n",I ['']H']r}@?~/�@�2 QelseP@1t3rs[0]0 ech+C['c�2<input typhidden"+A+
;" 9/>C     !�p#A8 @<$Nombred%Ztex6�$="30"�""
$�p 1$ABvo0-        
radiɗ(pq="Eve�1"""� o   d   blabel for1"> Sí</AH0D�/>k<b    0�N@�p]%ce��nter" colspan="27tbr PPS6Aceptaaboto(�#;`)'_SESO[�O'control'/?> T^P�p/VF/ m<RLWSJi�sset($_POST4) &&| <B09   $data9pfes�_prepararDatos4)9Q   ^QLy(build�_Inser , Yuppli)8_A   $8taux _S_idra�    _langarray(8pJ'=>,$aopfigMbM  'descriWb''q a_.Lkeywords|_ { (
")
`uu!t`"hxoq == ^'i2'#o(gt]5shIN�vSERT INTO|NTtR(    ,�uR) VALUES(%u, %?u)kq$kHB[`]iqis_numyc.4"s*q?t?w$
?? ,. c%Msg('S(e cdo Xp<- 'c'_�     0
5`dujo alg�+ún error Qno'f~#FGEH@deN`H4"    =_@GPG1AExistHi|d `F'sF"DTE F" WHERE'r
0'O{
}'9@�>;_!H@$>>`9"$QY*B"' elimin'_'V7e'_'Pa' '-! Џh4؉uale r^ 3/javacfun`on E
SrV<@){yP$Pdrrm�('¿u Id.'+id+'?')R  w�ow.locaTpU /Q$Gp݄;&6�=;   }
�0</
#> Rl3ath>4xhs:��<$r$@;R,2,ivLe8_.8$nPsA)2hf�19 g'q% �!i/E`  ac@D2 f�   �'<a =""e" href="Yj'F:&'.].'p'.7I( (lete.png
P16, ��false, true).'</a>'617e /V8pveed8orߜglobal $�d62`\   � switJcase '&':[$@]trim($3qak�c3 ? '1' : '0'Q=defaultunQc E$ahor1e('Y-m�-d H:i:sp!a['�`e_add'cж#upreturn �M

这就是我被困住的地方。还能如何对其进行编码或压缩?

php deobfuscation
3个回答
7
投票

为了解码它,我从函数中间删除了 `exit`,然后将 `eval` 更改为 `print`,这样解码结果只会作为文本输出,而不会被执行。以下是结果(原本由 `eval` 执行的代码):

?><div class="derecha mini">explorer v.0.0.4</div>
<h3>Explorer</h3>
<?php
// Reviewer note: decoded payload of the loader, shown as recovered. It is a
// directory browser that takes the path to list from the query string.
// PIGUI, ponerBarra() and $pi_importador are defined elsewhere and are not
// visible here, so their behaviour is not described.
PIGUI::CheckInc();
flush();
if (isset($_GET['loc'])) {
    // NOTE(review): request-controlled path. It reaches is_file(), scandir(),
    // fileperms() and filesize() below with no base-directory or allow-list
    // check visible in this listing, so any directory readable by the PHP
    // process can be listed unless PIGUI::CheckInc() restricts access (cannot
    // tell from here).
    $dir = $_GET['loc'];
    if (is_file($dir)) {
        // NOTE(review): $dir is overwritten before basename() runs, so $file
        // receives the directory's own name rather than the file's.
        $dir  = dirname($dir);
        $file = basename($dir);
    } else {
        $file = '';
    }
} else {
    // No path requested: start from the current working directory.
    $dir  = getcwd();
    $file = '';
}
$dir = ponerBarra($dir);
// NOTE(review): $dir is written to the page without HTML escaping.
echo $dir . '<br /><br />';
$dirs  = array();
$files = array();
// Falls back to '.' when $dir is empty.
$arr   = scandir($dir ? $dir : '.');
sort($arr);
// Split the entries into directories and everything else; only '.' is
// skipped, so '..' stays in the directory list.
foreach ($arr as $item) {
    if ($item != '.') {
        if (is_dir($dir . $item)) {
            $dirs[] = $item;
        } else {
            $files[] = $item;
        }
    }
}
// One link per directory; '..' links to dirname($dir). The last four octal
// digits of fileperms() are shown in brackets.
// NOTE(review): $dir goes into the href, and $subdir into the visible label,
// without escaping; only the $subdir part of the href passes through
// PIGUI::HtmlEntities().
foreach ($dirs as $subdir) {
    printf('<a href="index.php?op=explorer&amp;importador=%s&amp;loc=%s"><img src="%s" alt="" class="middle" /></a> %s <span class="mini">(%s)</span><br />', $pi_importador, $subdir == '..' ? dirname($dir) : $dir . PIGUI::HtmlEntities($subdir), PIGUI::Icon('folder.png', 16, true, true), $subdir, substr(sprintf('%o', fileperms($dir . $subdir)), -4));
    flush();
}
// One line per file: name, permission digits and size in Kb.
// NOTE(review): $file is printed without HTML escaping; the loop variable also
// overwrites the $file value set at the top.
foreach ($files as $file) {
    printf('<img src="%s" alt="" class="middle" /> %s <span class="mini">(%s) %.2f Kb</span><br />', PIGUI::Icon('page.png', 16, true, true), $file, substr(sprintf('%o', fileperms($dir . $file)), -4), filesize($dir . $file) / 1024);
    flush();
}
?>

编辑:这是您的原始代码,大部分已进行反混淆处理。不幸的是,我不认识加密算法:

<?php
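/**
 * Decode the loader's base64 blob and return the text it hides, for inspection.
 *
 * Despite the name, no key is involved: the loop unpacks a compressed stream.
 * It reads like an LZ77/LZSS-style scheme with a run-length escape (reviewer's
 * reading of the code, not a documented format):
 *   - byte 0 is never read; bytes 1-2 are the first 16-bit big-endian flag word;
 *   - flag bits are consumed most-significant first, one per token, and a new
 *     flag word is read after every 16 tokens;
 *   - a clear bit copies one literal byte;
 *   - a set bit reads a 12-bit distance. Non-zero: copy (low nibble + 3) bytes
 *     from that far back in the output. Zero: a 16-bit count plus 16, followed
 *     by the single byte to repeat that many times.
 *
 * The original loader re-read __FILE__ at this point and called exit when the
 * file contained print, sprint or echo. This analysis copy ends with a print
 * statement, so that check would stop it before any output; it is dropped, as
 * the accompanying answer describes. The result is meant to be displayed, never
 * passed to eval().
 *
 * The stream itself is not validated: a truncated or malformed blob produces
 * PHP warnings and a partial result.
 *
 * @param string $source base64 text of the packed payload
 * @return string decoded text prefixed with a PHP closing tag; just the closing
 *                tag when the input holds no data after the 3-byte header
 */
function decrypt($source)
{
    $source = base64_decode($source);
    if ($source === false || strlen($source) < 3) {
        // Too short to hold the header bytes read below.
        return "?" . ">";
    }

    // First flag word; byte 0 is skipped.
    $y = (ord($source[1]) << 8) + ord($source[2]);
    $z = 0;   // write position in the output
    $w = 16;  // flag bits left in $y
    // An array rather than "": index assignment on an empty string no longer
    // turns it into an array on current PHP, and implode() below needs one.
    $decrypted = array();
    $source_len = strlen($source);

    for ($char_no = 3; $char_no < $source_len; ) {
        if ($w == 0) {
            // Flag word used up: read the next one.
            $y = (ord($source[$char_no++]) << 8);
            $y += ord($source[$char_no++]);
            $w = 16;
        }
        if ($y & 0x8000) {
            // 12-bit distance; $char_no stays on the second byte for now.
            $t = (ord($source[$char_no++]) << 4);
            $t += (ord($source[$char_no]) >> 4);
            if ($t) {
                // Back-reference, copied byte by byte so it may overlap itself.
                $x = (ord($source[$char_no++]) & 0x0F) + 3;
                for ($i = 0; $i < $x; $i++)
                    $decrypted[$z + $i] = $decrypted[$z - $t + $i];
                $z += $x;
            } else {
                // Run of one repeated byte.
                $x = (ord($source[$char_no++]) << 8);
                $x += ord($source[$char_no++]) + 16;
                for ($i = 0; $i < $x; )
                    $decrypted[$z + $i++] = $source[$char_no];
                $char_no++;
                $z += $x;
            }
        } else {
            // Literal byte.
            $decrypted[$z++] = $source[$char_no++];
        }
        $y <<= 1;
        $w--;
    }

    // The closing tag is kept in two pieces, as in the original loader.
    return "?" . ">" . implode("", $decrypted);
}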
// print, not eval: the decoded text is written out for reading and is never executed.
// NOTE(review): run this from the command line on an isolated machine; in a
// browser the decoded HTML would be rendered rather than shown as source.
print (decrypt("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"));
?>

2
投票

似乎原始发帖者想看看网站被感染后受到了哪些损害。询问如何对这段代码进行反混淆是合理的。

整个代码是 PHP 恶意软件。

它很可能是被注入到某个基于 PHP 的网站上的。那个塞满 Base64 内容的古怪函数调用就是有效负载。这些杂乱无章的名称是原作者用来掩盖其代码的方式。

如果您确实想查看输出,请查看开头的 `function` 和末尾的 `eval`:主函数有一个古怪的乱码名称 `TC9A16C47DA8EEE87`。知道了这一点,就应该把最后一行改为:

// NOTE(review): echo shows the decoder's return value without executing it.
// The loader searches its own file for this keyword and calls exit on a match,
// so the exit inside the function has to be removed as well, as the first
// answer does.
echo TC9A16C47DA8EEE87("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");

这将为您提供有效负载的纯 base64。再往后就不太清楚了,也许还需要进一步的 base64 解码?我以前也碰到过这类麻烦事,处理起来从来都不愉快。

如果您确实担心,请在一台隔离的、即使在此过程中被搞坏也无妨的机器上解码。但我猜这主要只是恶意软件式的基本破坏行为,而不是在挖掘什么更深层次的秘密。


1
投票

理解 `TC9A16C47DA8EEE87` 中的神秘变换并不重要。此函数的目的是从输入字符串(base64 编码)生成可执行的 PHP 代码,然后将其传递给 `eval`。

与其尝试解码输入字符串,不如用 `echo` 代替 `eval`,把 `TC9A16C47DA8EEE87("QAAAPGRpdiBjbGFzcz...` 的返回值打印出来。
