专注ECSHOP第九年
始自2007,服务二千多商户,不断为您增光溢彩

某些ECSHOP PHP加密拆解

今天要介绍的是 PHP加密和解密 ,先别急,请先看下拆解PHP加密文件,原文:

<?php
$hdiqw=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$BDj=$hdiqw{3}.$hdiqw{6}.$hdiqw{33}.$hdiqw{30};$UnFTMPbOfXmy=$hdiqw{33}.$hdiqw{10}.$hdiqw{24}.$hdiqw{10}.$hdiqw{24};$myLCNKScJz=$UnFTMPbOfXmy{0}.$hdiqw{18}.$hdiqw{3}.$UnFTMPbOfXmy{0}.$UnFTMPbOfXmy{1}.$hdiqw{24};$GZgtspQR=$hdiqw{7}.$hdiqw{13};$BDj.=$hdiqw{22}.$hdiqw{36}.$hdiqw{29}.$hdiqw{26}.$hdiqw{30}.$hdiqw{32}.$hdiqw{35}.$hdiqw{26}.$hdiqw{30};eval($BDj("JEVhdnhZZW9Wa0g9IlZGemtMY3lEVE9RdmdhSlV4d1JoQ0dITW5aUFlmV2xYcmJJQU5tZEVpaktwQmV1cXNTb3RUWExQaG1OcFZvTXJkU0hSSlF3dFVhaXpXSWZieVl2ZXFEY0VHamxCT1pDc2dueGt1QUtGZnA5UVNpRUNiMkp0bTN6ZFNpd0ZERXM3VVdnMWJqSnNiTkVQSWo5cmxhVE5mQWM4YldjcmZaSlFjaUcwbllKdmZBbE9iWUdxSTNIcmxZNVBoWUdyRGE5Tm9PelF6cEVRSWpiN2IyOXVEM2M2YzJJaklqSWpJT20rSGpHcm1pUDd3WTF0U1lRNm5ZOTFlMnNzYlk1V0RhOXhJMEVKR1p6eGIyOUZmYUhOaEw3dlpzL3ZPSHJ2T2hEUHJJTFVrbm5IT29TbGQrU0hkb1NtT1ZRcm1wNENmVTlPRDJ3NWZkSzhoMnQwRFlRK2NadUNtaVRPRGF2WmNhSTFEakcwU1k5eGNpd3NsYUp2Q1V3MFNld3VJQVBDblFzdmIydHJjVWM4U2l3RkRwNENmYXR2YllNK1VaSjBTZXd1SVY1N0hpd3NsYUp2eVZRcmxhdjBEYVIrVVpRclNhVHRJcDRDZmFIcklpUCtjWnVDeU1zUWxZSHVTWXpkSVdUeGIzd3NEMjRkSWo5TkRBZFBtVVFQRGpYRklBUVBsYVQ0bFVQQ25Rc3ZiMnRyY1VjOElqOU5EQWd0YjN3c0QyNDlIM2xOU2V3dmhXZ0ttVW1kRFlUMFNhOVBmQWxRRDNHMEhMNENmaUUrbk53UXlWUXJtcDRDZml3dm5pd3RtalR0Y2lIcmwzejlITG1XY2FHckRpejlITGNRSE5neGJZMXZmQWw3SGE1dERZVDlITDU3SGl3dm5pdzlmVTkwSWV0MGJlSHZiVjRDZmFITmhMNENmYXZ4bWlUMGNpdzVtYVI5SDNHMWJqMXNsVW1kbGpYdWxZUjlIK1NmUG9BNnNVbXJmZEs4aDJJcm1qMCtjWnVDeU1zOVVqSTFEakcwU1k5eGNpdDVTaXdGRFVkUG5pUHVIaUl0RGlUdkNNczdValRaU2E4ZGNaSmpEM0hGY2FYWmxhdnJEWjBXU1k1UEllZHhtYXRRSE5nRklld0tEMk05SDJsdmxVbStVWkpzRFdnMWxVZzBuZWd2ZkFsS1NZd1BJWTRXY2E1dERZUjlIM3Q1SE5nMmJZSjFJVjBXbk53NG5lMFdoTDRDZmF2eG1pVDBjaXc1bWFSOUgzRzFiajFzbFVtZGxqWHVsWVI5SDN1UGxqWHVsWVQ5SE44K1VaUXJJajlORFY0T29RczlVWjgrIjtldmFsKCc/PicuJEJEaigkVW5GVE1QYk9mWG15KCRteUxDTktTY0p6KCRFYXZ4WWVvVmtILCRHWmd0c3BRUioyKSwkbXlMQ05LU2NKeigkRWF2eFllb1ZrSCwkR1pndHNwUVIsJEdaZ3RzcFFSKSwkbXlMQ05LU2NKeigkRWF2eFllb1ZrSCwwLCRHWmd0c3BRUikpKSk7"));
?>

 

 

看过之后发现跟威盾的加密手法类似、首先用urldecode()出一串字符串,然后用字符串中的字符拼成一个个的函数名。而且看代码段eval部分就知道一定要用到base64_decode函数。好吧,先解密eval前的定义部分

<?PHP
$hdiqw=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
#$hdiqw="n1zb/ma5vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j";
$BDj=$hdiqw{3}.$hdiqw{6}.$hdiqw{33}.$hdiqw{30};
#$BDj="base";
$UnFTMPbOfXmy=$hdiqw{33}.$hdiqw{10}.$hdiqw{24}.$hdiqw{10}.$hdiqw{24};
#$UnFTMPbOfXmy="strtr"
$myLCNKScJz=$UnFTMPbOfXmy{0}.$hdiqw{18}.$hdiqw{3}.$UnFTMPbOfXmy{0}.$UnFTMPbOfXmy{1}.$hdiqw{24};
#$myLCNKScJz="substr"
$GZgtspQR=$hdiqw{7}.$hdiqw{13};
#$GZgtspQR="52"
$BDj.=$hdiqw{22}.$hdiqw{36}.$hdiqw{29}.$hdiqw{26}.$hdiqw{30}.$hdiqw{32}.$hdiqw{35}.$hdiqw{26}.$hdiqw{30};
#$BDj.="64_decode";$BDj="base64_decode";
?>

 

解出strtr,substr,base64_decode三个函数名。

接下来输出eval部分的内容:
$EavxYeoVkH=”VFzkLcyDTOQvgaJUxwRhCGHMnZPYfWlXrbIANmdEijKpBeuqsSotTXLPhmNpVoMrdSHRJQwtUaizWIfbyYveqDcEGjlBOZCsgnxkuAKFfp9QSiECb2Jtm3zdSiwFDEs7UWg1bjJsbNEPIj9rlaTNfAc8bWcrfZJQciG0nYJvfAlObYGqI3HrlY5PhYGrDa9NoOzQzpEQIjb7b29uD3c6c2IjIjIjIOm+HjGrmiP7wY1tSYQ6nY91e2ssbY5WDa9xI0EJGZzxb29FfaHNhL7vZs/vOHrvOhDPrILUknnHOoSld+SHdoSmOVQrmp4CfU9OD2w5fdK8h2t0DYQ+cZuCmiTODavZcaI1DjG0SY9xciwslaJvCUw0SewuIAPCnQsvb2trcUc8SiwFDp4CfatvbYM+UZJ0SewuIV57HiwslaJvyVQrlav0DaR+UZQrSaTtIp4CfaHrIiP+cZuCyMsQlYHuSYzdIWTxb3wsD24dIj9NDAdPmUQPDjXFIAQPlaT4lUPCnQsvb2trcUc8Ij9NDAgtb3wsD249H3lNSewvhWgKmUmdDYT0Sa9PfAlQD3G0HL4CfiE+nNwQyVQrmp4CfiwvniwtmjTtciHrl3z9HLmWcaGrDiz9HLcQHNgxbY1vfAl7Ha5tDYT9HL57Hiwvniw9fU90Iet0beHvbV4CfaHNhL4CfavxmiT0ciw5maR9H3G1bj1slUmdljXulYR9H+SfPoA6sUmrfdK8h2Irmj0+cZuCyMs9UjI1DjG0SY9xcit5SiwFDUdPniPuHiItDiTvCMs7UjTZSa8dcZJjD3HFcaXZlavrDZ0WSY5PIedxmatQHNgFIewKD2M9H2lvlUm+UZJsDWg1lUg0negvfAlKSYwPIY4Wca5tDYR9H3t5HNg2bYJ1IV0WnNw4ne0WhL4CfavxmiT0ciw5maR9H3G1bj1slUmdljXulYR9H3uPljXulYT9HN8+UZQrIj9NDV4OoQs9UZ8+”;
eval(‘?>’.$BDj($UnFTMPbOfXmy($myLCNKScJz($EavxYeoVkH,$GZgtspQR*2),$myLCNKScJz($EavxYeoVkH,$GZgtspQR,$GZgtspQR),$myLCNKScJz($EavxYeoVkH,0,$GZgtspQR))));

用函数名替换掉变量得:
eval(‘?>’.base64_decode(substr(substr($EavxYeoVkH,52*2),substr($EavxYeoVkH,52,52),substr($EavxYeoVkH,0,52))));

让PHP直接输出结果吧:
<?PHP
$EavxYeoVkH=”VFzkLcyDTOQvgaJUxwRhCGHMnZPYfWlXrbIANmdEijKpBeuqsSotTXLPhmNpVoMrdSHRJQwtUaizWIfbyYveqDcEGjlBOZCsgnxkuAKFfp9QSiECb2Jtm3zdSiwFDEs7UWg1bjJsbNEPIj9rlaTNfAc8bWcrfZJQciG0nYJvfAlObYGqI3HrlY5PhYGrDa9NoOzQzpEQIjb7b29uD3c6c2IjIjIjIOm+HjGrmiP7wY1tSYQ6nY91e2ssbY5WDa9xI0EJGZzxb29FfaHNhL7vZs/vOHrvOhDPrILUknnHOoSld+SHdoSmOVQrmp4CfU9OD2w5fdK8h2t0DYQ+cZuCmiTODavZcaI1DjG0SY9xciwslaJvCUw0SewuIAPCnQsvb2trcUc8SiwFDp4CfatvbYM+UZJ0SewuIV57HiwslaJvyVQrlav0DaR+UZQrSaTtIp4CfaHrIiP+cZuCyMsQlYHuSYzdIWTxb3wsD24dIj9NDAdPmUQPDjXFIAQPlaT4lUPCnQsvb2trcUc8Ij9NDAgtb3wsD249H3lNSewvhWgKmUmdDYT0Sa9PfAlQD3G0HL4CfiE+nNwQyVQrmp4CfiwvniwtmjTtciHrl3z9HLmWcaGrDiz9HLcQHNgxbY1vfAl7Ha5tDYT9HL57Hiwvniw9fU90Iet0beHvbV4CfaHNhL4CfavxmiT0ciw5maR9H3G1bj1slUmdljXulYR9H+SfPoA6sUmrfdK8h2Irmj0+cZuCyMs9UjI1DjG0SY9xcit5SiwFDUdPniPuHiItDiTvCMs7UjTZSa8dcZJjD3HFcaXZlavrDZ0WSY5PIedxmatQHNgFIewKD2M9H2lvlUm+UZJsDWg1lUg0negvfAlKSYwPIY4Wca5tDYR9H3t5HNg2bYJ1IV0WnNw4ne0WhL4CfavxmiT0ciw5maR9H3G1bj1slUmdljXulYR9H3uPljXulYT9HN8+UZQrIj9NDV4OoQs9UZ8+”;
echo(base64_decode(strtr(substr($EavxYeoVkH,52*2),substr($EavxYeoVkH,52,52),substr($EavxYeoVkH,0,52))));
得到加密前的内容:

<?php
class html
{
public $footer="<br/><p style='background-color:#0000ff;color:#ffffff'>©Email:[email protected]<br/>原创制作©版权所有</p>
</body>
</html>";
public function title($title)
{
echo "<html>
<head>
<title>{$title}</title>
</head>
<body>";
}
public function form($p,$name,$text)
{
echo "<form action='write.php' method='post'>
<p>{$p}</p>
<textarea rows='7' cols='20' name='{$name}'>{$text}</textarea>
<br/>
<input type='submit' value='提交'/>
</form>";
}
}
function xyhtml($xy,$value)
{
echo "<form action='index.php' method='get'>
<input type='hidden' name='xy' value='{$xy}'/>
<input type='submit' value='{$value}'/>
</form>";
}
?>

Over,收工…

未经允许不得转载:阿牛ECSHOP » 某些ECSHOP PHP加密拆解
1

Parse error: syntax error, unexpected '}' in /www/wwwroot/blog2018.uuecs.com/wp-content/themes/DUX/comments.php on line 31