威盾解密

对某PHP程序解密过程

作者:

 

蒲松林

 

发布时间:

 

2013年09月02日

 

所在分类:

 

代码

 

评论数：

 

暂无评论

对于程序加密可能是出于程序创作者对于自己的产品产权保护、授权验证，也有一些人把一些后面程序以及黑链等加密发布的。在给朋友用的一套程序中发现index.php被加密了。

一些站长朋友是不是经常会看到类似的加密？默认的index.php肯定不是这样的，那么我们今天就来一步一步的对这个PHP程序进行解密。蒲松林了解到这类加密就是采用了微盾的方式进行的，我们姑且不去管网上有对应的解密工具，直接手工吧。源代码如下：

index.php源代码

 

 

 

 

 

 

PHP

 

1 2 3

<? $O00OO0 = urldecode ( "%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A" ) ; $O00O0O = $O00OO0 { 3 } . $O00OO0 { 6 } . $O00OO0 { 33 } . $O00OO0 { 30 } ; $O0OO00 = $O00OO0 { 33 } . $O00OO0 { 10 } . $O00OO0 { 24 } . $O00OO0 { 10 } . $O00OO0 { 24 } ; $OO0O00 = $O0OO00 { 0 } . $O00OO0 { 18 } . $O00OO0 { 3 } . $O0OO00 { 0 } . $O0OO00 { 1 } . $O00OO0 { 24 } ; $OO0000 = $O00OO0 { 7 } . $O00OO0 { 13 } ; $O00O0O . = $O00OO0 { 22 } . $O00OO0 { 36 } . $O00OO0 { 29 } . $O00OO0 { 26 } . $O00OO0 { 30 } . $O00OO0 { 32 } . $O00OO0 { 35 } . $O00OO0 { 26 } . $O00OO0 { 30 } ; eval ( $O00O0O ( "JE8wTzAwMD0iQk9DWm1LUHF5bkR4QWJmR05FdW90c2pkUlljcmlKTXdWZ0ZVenZYTGthVFNwSWxoZUhRV1dITmZhQ0d5b3RzanBRTFN3WXpyYmx4aERjQXZUT1VQUklpdW1aSmVrbktkcWdNVlhGRUJHczh3TmFWTWNCRE1BVElURTI5emhTUnpoTjEwWEpXTUhUVzBmSlYwZTJWMFFCUDdnU3dyY0pPbWZKRTloSkRhZUtJVENLbElzRXFxZlRJVmZhTWxmUjlNWFNNbWhGVXJPbzRaZlNpMGNkOXFRdHcwY0JqbGVhalpjMmx0Q2Rrd050bHdOVHBJZ05XcmZCaWtmSmdyZ2tqWmMyaTBuQjl6SFRwWm5CNW1oU2lsUU45cVFhRE1YTjVQbkZwVENLbHdOVHBJZ05XTVhTTTBIUDBDTEUwQ2ZTUmFuQjVNQ05oV3VpV0x1azlHUk5BbGdGdzBBTTlvZkpXbGNCd01DTmhBSk5BbGdOQVpPb1BJZlNNb1FhaWJmZFZMSjBmT0tZUkxKb2txQ0tsd05UOHlnSEI2TUhYdXlIQkV4WFh0bEZoM2hvNVZmUzFxUWE0emMyNHllUDBDZlNSYW5CNU1DTmhXdWlXTEtraXdEZEFsZ05oVkFGcHRDS2x3TlQ4eWdIQjZNSFh1eUhYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzBpRXVpOUVFUkRnT29QSU9vNFpjMjFtaFNpWmVvQXFIUDBDZW9ySTVxQlA1cjJ6NTV6ejVRMlJDVDh3TmFETWZhTXpmZEl0dVlNSEowRFdSWWlMdVlpdWROQWxnTkF6ZTJEVmhTWVpPb2s3c0VyWkNUc2FUbnRNbGZKdGE2N01aZnV5ZVAwQ2ZTUmFuQjVNQ05oaUJpRGlLa0RMdVlpdWROQWxnWWlFdWk5RUVSRGdnTjRJTzBSNGhTUnpmTjh0Q0tsd05UOHlnSGFpeFhYOXZ6bkJWK2Q3YnpYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzB3R0trZkx1WWl1ZE5BbGdpV09LTTlZRVJEV0oxV1dSWUlJZVRwdGMyOXpmYU10ZW9BcUhQMENlb3JJNXFCUDVyMno1NXp6NVEyUkNUOHdOYURNZmFNemZkSXR1TVJIUllNd0RSOUVFUkRnT29QSU9vNFpKM08xUXREcVFCdVpPb2s3c0VyWkNUV2dSWTFVNmYyZjVyTlc1cW5GNWV6MjU1eno1UTJSQ1Q4d05UOFpmU1JhbkI1TUNOaGdSWTFVSjFXV1JZSXRlTldFZHU1TERZaXVFUjlFRVJEZ2dONElPMlYwUUJQWk9vazdzRXJaQ1RXWUR1T1JEK0I4SUhCaWxvclpzRXFrZkJmcVFhdXJPMGlFdWk5WUR1T1JEb0FsZ1NmVlFGd01DS2x3TnRPTUFKUnFBYXVyZ1Q0WmMyOW9mZDl1blNNem4xV2d1Tjl1blNNem4xV2d1TjVQbkZwVENLbHdOSTBDc0VyL0dJPT0iO2V2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7" ) ) ; ?>

解密方法如下：

index.php加密后的解密方法

 

 

 

 

 

 

PHP

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

<? $O00OO0 = urldecode ( "%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A" ) ; echo '第一步：生成$O00OO0：' . $O00OO0 ; echo '<br /><br />********************************************************<br /><br />' ; $O00O0O = $O00OO0 { 3 } . $O00OO0 { 6 } . $O00OO0 { 33 } . $O00OO0 { 30 } ; $O0OO00 = $O00OO0 { 33 } . $O00OO0 { 10 } . $O00OO0 { 24 } . $O00OO0 { 10 } . $O00OO0 { 24 } ; $OO0O00 = $O0OO00 { 0 } . $O00OO0 { 18 } . $O00OO0 { 3 } . $O0OO00 { 0 } . $O0OO00 { 1 } . $O00OO0 { 24 } ; $OO0000 = $O00OO0 { 7 } . $O00OO0 { 13 } ; $O00O0O . = $O00OO0 { 22 } . $O00OO0 { 36 } . $O00OO0 { 29 } . $O00OO0 { 26 } . $O00OO0 { 30 } . $O00OO0 { 32 } . $O00OO0 { 35 } . $O00OO0 { 26 } . $O00OO0 { 30 } ; echo '第二步生成$O00O0O：' . $O00O0O ; echo '<br /><br />********************************************************<br /><br />' ;   //上面解出来 $O00O0O=base64_decode; //既然  $O00O0O=base64_decode那么把下面的代码改一下，eval是用来执行php代码，这里不需要执行，只需要解出php代码即可，那么去掉eavl 并把$O00O0O换成上面解出来的值   //源代码内容 //eval($O00O0O("JE8wTzAwMD0iQk9DWm1LUHF5bkR4QWJmR05FdW90c2pkUlljcmlKTXdWZ0ZVenZYTGthVFNwSWxoZUhRV1dITmZhQ0d5b3RzanBRTFN3WXpyYmx4aERjQXZUT1VQUklpdW1aSmVrbktkcWdNVlhGRUJHczh3TmFWTWNCRE1BVElURTI5emhTUnpoTjEwWEpXTUhUVzBmSlYwZTJWMFFCUDdnU3dyY0pPbWZKRTloSkRhZUtJVENLbElzRXFxZlRJVmZhTWxmUjlNWFNNbWhGVXJPbzRaZlNpMGNkOXFRdHcwY0JqbGVhalpjMmx0Q2Rrd050bHdOVHBJZ05XcmZCaWtmSmdyZ2tqWmMyaTBuQjl6SFRwWm5CNW1oU2lsUU45cVFhRE1YTjVQbkZwVENLbHdOVHBJZ05XTVhTTTBIUDBDTEUwQ2ZTUmFuQjVNQ05oV3VpV0x1azlHUk5BbGdGdzBBTTlvZkpXbGNCd01DTmhBSk5BbGdOQVpPb1BJZlNNb1FhaWJmZFZMSjBmT0tZUkxKb2txQ0tsd05UOHlnSEI2TUhYdXlIQkV4WFh0bEZoM2hvNVZmUzFxUWE0emMyNHllUDBDZlNSYW5CNU1DTmhXdWlXTEtraXdEZEFsZ05oVkFGcHRDS2x3TlQ4eWdIQjZNSFh1eUhYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzBpRXVpOUVFUkRnT29QSU9vNFpjMjFtaFNpWmVvQXFIUDBDZW9ySTVxQlA1cjJ6NTV6ejVRMlJDVDh3TmFETWZhTXpmZEl0dVlNSEowRFdSWWlMdVlpdWROQWxnTkF6ZTJEVmhTWVpPb2s3c0VyWkNUc2FUbnRNbGZKdGE2N01aZnV5ZVAwQ2ZTUmFuQjVNQ05oaUJpRGlLa0RMdVlpdWROQWxnWWlFdWk5RUVSRGdnTjRJTzBSNGhTUnpmTjh0Q0tsd05UOHlnSGFpeFhYOXZ6bkJWK2Q3YnpYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzB3R0trZkx1WWl1ZE5BbGdpV09LTTlZRVJEV0oxV1dSWUlJZVRwdGMyOXpmYU10ZW9BcUhQMENlb3JJNXFCUDVyMno1NXp6NVEyUkNUOHdOYURNZmFNemZkSXR1TVJIUllNd0RSOUVFUkRnT29QSU9vNFpKM08xUXREcVFCdVpPb2s3c0VyWkNUV2dSWTFVNmYyZjVyTlc1cW5GNWV6MjU1eno1UTJSQ1Q4d05UOFpmU1JhbkI1TUNOaGdSWTFVSjFXV1JZSXRlTldFZHU1TERZaXVFUjlFRVJEZ2dONElPMlYwUUJQWk9vazdzRXJaQ1RXWUR1T1JEK0I4SUhCaWxvclpzRXFrZkJmcVFhdXJPMGlFdWk5WUR1T1JEb0FsZ1NmVlFGd01DS2x3TnRPTUFKUnFBYXVyZ1Q0WmMyOW9mZDl1blNNem4xV2d1Tjl1blNNem4xV2d1TjVQbkZwVENLbHdOSTBDc0VyL0dJPT0iO2V2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7"));   //修改后变成 echo '第三步生成：' ; echo base64_decode ( "JE8wTzAwMD0iQk9DWm1LUHF5bkR4QWJmR05FdW90c2pkUlljcmlKTXdWZ0ZVenZYTGthVFNwSWxoZUhRV1dITmZhQ0d5b3RzanBRTFN3WXpyYmx4aERjQXZUT1VQUklpdW1aSmVrbktkcWdNVlhGRUJHczh3TmFWTWNCRE1BVElURTI5emhTUnpoTjEwWEpXTUhUVzBmSlYwZTJWMFFCUDdnU3dyY0pPbWZKRTloSkRhZUtJVENLbElzRXFxZlRJVmZhTWxmUjlNWFNNbWhGVXJPbzRaZlNpMGNkOXFRdHcwY0JqbGVhalpjMmx0Q2Rrd050bHdOVHBJZ05XcmZCaWtmSmdyZ2tqWmMyaTBuQjl6SFRwWm5CNW1oU2lsUU45cVFhRE1YTjVQbkZwVENLbHdOVHBJZ05XTVhTTTBIUDBDTEUwQ2ZTUmFuQjVNQ05oV3VpV0x1azlHUk5BbGdGdzBBTTlvZkpXbGNCd01DTmhBSk5BbGdOQVpPb1BJZlNNb1FhaWJmZFZMSjBmT0tZUkxKb2txQ0tsd05UOHlnSEI2TUhYdXlIQkV4WFh0bEZoM2hvNVZmUzFxUWE0emMyNHllUDBDZlNSYW5CNU1DTmhXdWlXTEtraXdEZEFsZ05oVkFGcHRDS2x3TlQ4eWdIQjZNSFh1eUhYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzBpRXVpOUVFUkRnT29QSU9vNFpjMjFtaFNpWmVvQXFIUDBDZW9ySTVxQlA1cjJ6NTV6ejVRMlJDVDh3TmFETWZhTXpmZEl0dVlNSEowRFdSWWlMdVlpdWROQWxnTkF6ZTJEVmhTWVpPb2s3c0VyWkNUc2FUbnRNbGZKdGE2N01aZnV5ZVAwQ2ZTUmFuQjVNQ05oaUJpRGlLa0RMdVlpdWROQWxnWWlFdWk5RUVSRGdnTjRJTzBSNGhTUnpmTjh0Q0tsd05UOHlnSGFpeFhYOXZ6bkJWK2Q3YnpYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzB3R0trZkx1WWl1ZE5BbGdpV09LTTlZRVJEV0oxV1dSWUlJZVRwdGMyOXpmYU10ZW9BcUhQMENlb3JJNXFCUDVyMno1NXp6NVEyUkNUOHdOYURNZmFNemZkSXR1TVJIUllNd0RSOUVFUkRnT29QSU9vNFpKM08xUXREcVFCdVpPb2s3c0VyWkNUV2dSWTFVNmYyZjVyTlc1cW5GNWV6MjU1eno1UTJSQ1Q4d05UOFpmU1JhbkI1TUNOaGdSWTFVSjFXV1JZSXRlTldFZHU1TERZaXVFUjlFRVJEZ2dONElPMlYwUUJQWk9vazdzRXJaQ1RXWUR1T1JEK0I4SUhCaWxvclpzRXFrZkJmcVFhdXJPMGlFdWk5WUR1T1JEb0FsZ1NmVlFGd01DS2x3TnRPTUFKUnFBYXVyZ1Q0WmMyOW9mZDl1blNNem4xV2d1Tjl1blNNem4xV2d1TjVQbkZwVENLbHdOSTBDc0VyL0dJPT0iO2V2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7" ) ;   //得到如下代码 / * $O0O000 = "BOCZmKPqynDxAbfGNEuotsjdRYcriJMwVgFUzvXLkaTSpIlheHQWWHNfaCGyotsjpQLSwYzrblxhDcAvTOUPRIiumZJeknKdqgMVXFEBGs8wNaVMcBDMATITE29zhSRzhN10XJWMHTW0fJV0e2V0QBP7gSwrcJOmfJE9hJDaeKITCKlIsEqqfTIVfaMlfR9MXSMmhFUrOo4ZfSi0cd9qQtw0cBjleajZc2ltCdkwNtlwNTpIgNWrfBikfJgrgkjZc2i0nB9zHTpZnB5mhSilQN9qQaDMXN5PnFpTCKlwNTpIgNWMXSM0HP0CLE0CfSRanB5MCNhWuiWLuk9GRNAlgFw0AM9ofJWlcBwMCNhAJNAlgNAZOoPIfSMoQaibfdVLJ0fOKYRLJokqCKlwNT8ygHB6MHXuyHBExXXtlFh3ho5VfS1qQa4zc24yeP0CfSRanB5MCNhWuiWLKkiwDdAlgNhVAFptCKlwNT8ygHB6MHXuyHXQvzB9MdrZsEqkfBfqQaurO0iEui9EERDgOoPIOo4Zc21mhSiZeoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuYMHJ0DWRYiLuYiudNAlgNAze2DVhSYZOok7sErZCTsaTntMlfJta67MZfuyeP0CfSRanB5MCNhiBiDiKkDLuYiudNAlgYiEui9EERDggN4IO0R4hSRzfN8tCKlwNT8ygHaixXX9vznBV+d7bzXQvzB9MdrZsEqkfBfqQaurO0wGKkfLuYiudNAlgiWOKM9YERDWJ1WWRYIIeTptc29zfaMteoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuMRHRYMwDR9EERDgOoPIOo4ZJ3O1QtDqQBuZOok7sErZCTWgRY1U6f2f5rNW5qnF5ez255zz5Q2RCT8wNT8ZfSRanB5MCNhgRY1UJ1WWRYIteNWEdu5LDYiuER9EERDggN4IO2V0QBPZOok7sErZCTWYDuORD+B8IHBilorZsEqkfBfqQaurO0iEui9YDuORDoAlgSfVQFwMCKlwNtOMAJRqAaurgT4Zc29ofd9unSMzn1WguN9unSMzn1WguN5PnFpTCKlwNI0CsEr/GI==" ; eval (' ?> '.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000)))); */   //再显示eval里面的内容   echo '再显示 eval里面的内容得到： '; echo ' < br / > < br / > * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * < br / > < br / > '; $O0O000="BOCZmKPqynDxAbfGNEuotsjdRYcriJMwVgFUzvXLkaTSpIlheHQWWHNfaCGyotsjpQLSwYzrblxhDcAvTOUPRIiumZJeknKdqgMVXFEBGs8wNaVMcBDMATITE29zhSRzhN10XJWMHTW0fJV0e2V0QBP7gSwrcJOmfJE9hJDaeKITCKlIsEqqfTIVfaMlfR9MXSMmhFUrOo4ZfSi0cd9qQtw0cBjleajZc2ltCdkwNtlwNTpIgNWrfBikfJgrgkjZc2i0nB9zHTpZnB5mhSilQN9qQaDMXN5PnFpTCKlwNTpIgNWMXSM0HP0CLE0CfSRanB5MCNhWuiWLuk9GRNAlgFw0AM9ofJWlcBwMCNhAJNAlgNAZOoPIfSMoQaibfdVLJ0fOKYRLJokqCKlwNT8ygHB6MHXuyHBExXXtlFh3ho5VfS1qQa4zc24yeP0CfSRanB5MCNhWuiWLKkiwDdAlgNhVAFptCKlwNT8ygHB6MHXuyHXQvzB9MdrZsEqkfBfqQaurO0iEui9EERDgOoPIOo4Zc21mhSiZeoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuYMHJ0DWRYiLuYiudNAlgNAze2DVhSYZOok7sErZCTsaTntMlfJta67MZfuyeP0CfSRanB5MCNhiBiDiKkDLuYiudNAlgYiEui9EERDggN4IO0R4hSRzfN8tCKlwNT8ygHaixXX9vznBV+d7bzXQvzB9MdrZsEqkfBfqQaurO0wGKkfLuYiudNAlgiWOKM9YERDWJ1WWRYIIeTptc29zfaMteoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuMRHRYMwDR9EERDgOoPIOo4ZJ3O1QtDqQBuZOok7sErZCTWgRY1U6f2f5rNW5qnF5ez255zz5Q2RCT8wNT8ZfSRanB5MCNhgRY1UJ1WWRYIteNWEdu5LDYiuER9EERDggN4IO2V0QBPZOok7sErZCTWYDuORD+B8IHBilorZsEqkfBfqQaurO0iEui9YDuORDoAlgSfVQFwMCKlwNtOMAJRqAaurgT4Zc29ofd9unSMzn1WguN9unSMzn1WguN5PnFpTCKlwNI0CsEr/GI=="; echo(' ?>' . $O00O0O ( $O0OO00 ( $OO0O00 ( $O0O000 , $OO0000 * 2 ) , $OO0O00 ( $O0O000 , $OO0000 , $OO0000 ) , $OO0O00 ( $O0O000 , 0 , $OO0000 ) ) ) ) ;   ?>

最后的解密结果为：

解密结果

 

 

 

 

 

PHP

 

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

<? header ( "Content-type: text/html; charset=utf-8" ) ; if ( ! file_exists ( './data/install.lock' ) ) {      header ( "Location: /install/index.php" ) ;      exit ; } define ( 'APP_ROOT' , str_replace ( '\\', ' / ', dirname(__FILE__))); /* 应用名称www.pusonglin.cn*/ define(' APP_NAME ', ' app '); /* 应用目录*/ define(' APP_PATH ', ' . / cmstao / '); /* 数据目录*/ define(' PIN_DATA_PATH ', ' . / data / '); /* 扩展目录*/ define(' EXTEND_PATH ', APP_PATH . ' Extend / '); /* 配置文件目录*/ define(' CONF_PATH ', PIN_DATA_PATH . ' config / '); /* 数据目录*/ define(' RUNTIME_PATH ', ' . / _runtime / '); /* HTML静态文件目录*/ //define(' HTML_PATH ', PIN_DATA_PATH . ' html / '); /* DEBUG开关*/ define(' APP_DEBUG' , false ) ; require ( "./core/ThinkPHP/ThinkPHP.php" ) ; ?>

转载于:https://www.cnblogs.com/alex-13/p/3406615.html