PHP \x47\x4cO\x42A 解密


在看 wp-autopost-pro_378 的时候,发现 wp-autopost-function.php 用了类似的加密(严格来说是把字符串写成 \x 十六进制转义的混淆,并不是真正的加密)。

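// Quick look at the obfuscated file: decode its C-style escapes (\xNN among
// them) and print the result HTML-escaped, so the untrusted code is shown as
// text in the browser and is never executed.
$d=file_get_contents('./wp-autopost-function.php');
if ($d===false){
    exit('cannot read ./wp-autopost-function.php');
}
// ENT_SUBSTITUTE: the decoded bytes need not be valid UTF-8, and without this
// flag htmlentities() returns an empty string for such input.
// ENT_QUOTES: escape both quote styles regardless of the PHP version's default.
 echo htmlentities(stripcslashes($d),ENT_QUOTES|ENT_SUBSTITUTE,'UTF-8');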

在线工具 http://ddecode.com/hexdecoder/

实际使用时,使用下面两段代码各处理一次(第二段读取第一段输出的 hexdecoded1.php)

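<?php
// Pass 1 of 2 for GLOBALS-style obfuscation: turn \xNN escapes back into their
// bytes, then inline the string aliases that only exist to hide variable names.
//
// The input is untrusted code. It is handled purely as text here (never
// include()d or eval()ed); treat the output the same way. The output keeps a
// .php name because pass 2 reads it under that name, so run both passes in a
// directory that no web server serves.
$fn='aaa.php';
$t='0123456789abcdefABCDEF';
$r=$qt='';
$slash=false;
$i=0;
$ra=array();

// Read the file in one call: fread() rejects a length of 0, so an empty input
// used to fail inside the fopen()/fread() pair.
$s=is_file($fn)?file_get_contents($fn):false;
if ($s===false){
    echo 'cannot read '.$fn;
    exit;
}

$n=strlen($s);
for ($i=0;$i<$n;$i++){
    // An escape is four bytes (\xNN). Checking the remaining length first keeps
    // the look-ahead inside the buffer when the file ends in "\" or "\x".
    if ($i+3<$n&&$s[$i]=='\\'&&$s[$i+1]=='x'
        &&strpos($t,$s[$i+2])!==false&&strpos($t,$s[$i+3])!==false){
        $qt=strtolower(substr($s,$i,4));
        // \x22 (double quote) and \x5c (backslash) get a backslash in front when
        // the preceding byte is not a backslash, or when the two preceding bytes
        // are themselves "\\" -- presumably so the decoded byte does not end or
        // corrupt the string literal it sits in. The $i guards stop negative
        // offsets from wrapping round to the end of the buffer.
        $slash=($qt=='\\x22'||$qt=='\\x5c')
            &&($i<1||$s[$i-1]!='\\'||($i>1&&substr($s,$i-2,2)=='\\\\'));
        $r.=($slash?'\\':'').chr(hexdec($s[$i+2].$s[$i+3]));
        $i+=3; // skip the rest of the escape; the loop adds the fourth step
    }else{
        $r.=$s[$i];
    }
}

// Aliases written as ${"GLOBALS"}["key"]="name"; -- drop the assignment and put
// the name wherever {${"GLOBALS"}["key"]} is used.
preg_match_all('/(?P<item>\$\{"[a-zA-Z_0-9]+"\}\s*\[\"[a-zA-Z_0-9]+\"\])\s*=\s*"(?P<value>[a-zA-Z_0-9]+)";/i',$r,$ra);
foreach ($ra['item'] as $i=>$a){  // $a looks like ${"GLOBALS"}["mqhformwegp"]
    $b=$a.'="'.$ra['value'][$i].'";';
    if (strpos($r,$b)!==false) {
        $r=str_replace($b,'',$r);
        $r=str_replace('{'.$a.'}',$ra['value'][$i],$r);
    }
}

// Aliases written as $var = "name"; -- inlined only when ${$var} is also used.
preg_match_all('/(?P<item>\$[a-zA-Z_0-9]+)\s*=\s*"(?P<value>[a-zA-Z_0-9]+)";/i',$r,$ra);
foreach ($ra['item'] as $i=>$a){
    $b=$a.' = "'.$ra['value'][$i].'";';
    $a1='${'.$a.'}';
    if (strpos($r,$b)!==false&&strpos($r,$a1)!==false) {
        $r=str_replace($b,'',$r);
        $r=str_replace('{'.$a.'}',$ra['value'][$i],$r);
    }
}

// Remaining ${$var} uses: look up the $var="name"; assignment, remove it and
// rewrite ${$var} as $name.
preg_match_all('/(?P<item>\$\{(?P<value>\$[a-z]+)\})/i',$r,$ra);
foreach ($ra['item'] as $i=>$a){  // $a looks like ${$mqhformwegp}
    $b='/\\'.$ra['value'][$i].'=\"([a-zA-Z_0-9]+)\";/';
    if (preg_match($b,$r,$c)){
        $r=str_replace($c[0],'',$r);
        $r=str_replace($a,'$'.$c[1],$r);
    }
}

// Crude pretty-printing. These replacements also hit braces and semicolons
// inside string literals, so the result is for reading, not for running.
$r=str_replace("{","{\r\n\t",$r);
$r=str_replace("}","}\r\n\t",$r);
$r=str_replace(";",";\r\n\t",$r);

$fn='hexdecoded1.php';
if (file_put_contents($fn,$r)===false){
    echo 'cannot write '.$fn;
    exit;
}
echo 'done...';
exit;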
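<?php
// Pass 2 of 2: run the alias inlining again on the output of pass 1, then
// squeeze the blank lines that pass 1's pretty-printing left behind.
//
// Both files hold untrusted code as text. Nothing here include()s or eval()s
// them; keep them in a directory that no web server serves.
$fn='hexdecoded1.php'; $r=''; $i=0; $ra=array();

// Read in one call: fread() rejects a length of 0, so an empty input used to
// fail inside the fopen()/fread() pair.
$r=is_file($fn)?file_get_contents($fn):false;
if ($r!==false){
    // The named groups <item> and <value> are required: the loops below index
    // $ra['item'] and $ra['value']. The names had been lost from the pattern,
    // leaving "(?P\$", which PCRE rejects.
    preg_match_all('/(?P<item>\$\{"[a-zA-Z_0-9]+"\}\s*\[\"[a-zA-Z_0-9]+\"\])\s*=\s*"(?P<value>[a-zA-Z_0-9]+)";/i',$r,$ra);
    foreach ($ra['item'] as $i=>$a){
        $b=$a.' = "'.$ra['value'][$i].'";';
        if (strpos($r,$b)!==false) {
            $r=str_replace($b,'',$r);
            $r=str_replace('{'.$a.'}',$ra['value'][$i],$r);
        }
    }

    // Same repair for the plain $var = "name"; form; inlined only when ${$var}
    // is also used.
    preg_match_all('/(?P<item>\$[a-zA-Z_0-9]+)\s*=\s*"(?P<value>[a-zA-Z_0-9]+)";/i',$r,$ra);
    foreach ($ra['item'] as $i=>$a){
        $b=$a.' = "'.$ra['value'][$i].'";';
        $a1='${'.$a.'}';
        if (strpos($r,$b)!==false&&strpos($r,$a1)!==false) {
            $r=str_replace($b,'',$r);
            $r=str_replace('{'.$a.'}',$ra['value'][$i],$r);
        }
    }

    // Repeat until stable: one str_replace() pass can leave new matches behind.
    while (strpos($r,"\t\r\n")!==false) $r=str_replace("\t\r\n","\r\n",$r);
    while (strpos($r,"\r\n\r\n")!==false) $r=str_replace("\r\n\r\n","\r\n",$r);

    $fn='hexdecoded2.php';
    if (file_put_contents($fn,$r)===false){
        echo 'cannot write '.$fn;
        exit();
    }
    echo 'done...';
}else{
    echo 'cannot read '.$fn;
}
exit();
?> 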

 

版权声明:pythonK 发表于 2020-09-03 15:59:23。
转载请注明:PHP \x47\x4cO\x42A 解密 | 喜喵导航