
eval(base64_decode的php加密文件解密方法

gojira.net

下载了一个*ZhePHP的值得买模式的海淘网站程序,出于对网上代码的不信任,检测一下,发现3个文件可能留有后门。

分别是:

app/Lib/Action/baseAction.class.php
app/Lib/Action/admin/indexAction.class.php
app/Lib/Action/mobile/searchAction.class.php

加密模式都基本一样,是eval+base64_decode的(严格来说这只是编码混淆,并不是真正的加密:没有密钥,任何人都可以还原)。

其他不讲,说说这种加密php文件的解码方式吧。

拿app/Lib/Action/admin/indexAction.class.php来举例,加密的源代码如下:


[php]
<?php $_F=__FILE__;$_X='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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>
[/php]

注意到代码的后面有个eval(base64_decode(............
直接将eval改为echo,就能输出后面加密的原始内容。注意要在文件副本上、在隔离的测试环境里用命令行操作,因为只要还留着eval,解出来的代码就会被真正执行。输出如下:
[php]$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;[/php]

整理下,即为

[php]
// Loader recovered from the outer eval(base64_decode(...)) call of the
// obfuscated file. $_X and $_F are set by the file's first two statements
// ($_F = __FILE__, $_X = the encoded payload).
// Step 1: the payload is base64 text; decode it.
$_X=base64_decode($_X);
// Step 2: undo the character substitution. strtr() maps each character of
// '123456aouie' to the character at the same position in 'aouie123456'.
$_X=strtr($_X,'123456aouie','aouie123456');
// Step 3: replace the literal text __FILE__ in the payload with the
// single-quoted path saved in $_F. (ereg_replace() was removed in PHP 7.0.)
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
// Step 4: execute the recovered source. When analysing a sample, this is the
// call to replace with output so that nothing decoded actually runs.
eval($_R);
// Both working variables are overwritten once the payload has run.
$_R=0;
$_X=0;
[/php]

一步一步来:
$_X=base64_decode($_X);
echo出$_X的值为:

[php]
<?php
/**
* Zh5PHP &#a0iu0;&#auu76;&#a0080;&#a76e9;&#auooi;&#o0ou0;&#a80ao;&#a86a0;&#oai9o;&#o6uu9;&#o6auo;&#aua07;
* ====================================================================
*/
cl1ss 4nd5xAct42n 5xt5nds b1ck5ndAct42n {
p3bl4c f3nct42n _4n4t41l4z5() {
p1r5nt::_4n4t41l4z5();
$th4s->_m2d = D('m5n3');
}
p3bl4c f3nct42n 4nd5x() {
$t2p_m5n3s = $th4s->_m2d->1dm4n_m5n3(0);
$th4s->1ss4gn('t2p_m5n3s', $t2p_m5n3s);
$my_1dm4n = 1rr1y('3s5rn1m5'=>$_SESSION['1dm4n']['3s5rn1m5'], 'r2l5n1m5'=>$_SESSION['1dm4n']['r2l5_n1m5']);
$th4s->1ss4gn('my_1dm4n', $my_1dm4n);
$th4s->1ss4gn('m5n3_d1t1',js2n_5nc2d5($th4s->_m2d->g5t_m5n3_d1t1()));
$th4s->d4spl1y();
}
p3bl4c f3nct42n p1n5l() {
$m5ss1g5 = 1rr1y();
4f (4s_d4r('./4nst1ll')) {
$m5ss1g5[] = 1rr1y(
'typ5' => '5rr2r',
'c2nt5nt' => "&#au7uu;&#oe8au;&#a7809;&#aeo77;&#a60au;&#o8i00; 4nst1ll &#ai996;&#a0a6u;&#aa8u6;&#eia9a;&#a098e;&#a0660;&#aouoo;&#a08u0;&#o0ou0;&#oa776;&#ouo8i;&#eia9a;&#ai60i;&#a0a0u;&#auo6u;&#oi7i8;&#au7uu;&#a60au;&#o8i00; 4nst1ll &#ai996;&#a0a6u;&#aa8u6;&#6aa90;",
);
}
4f (APP_DEBUG == tr35) {
$m5ss1g5[] = 1rr1y(
'typ5' => '5rr2r',
'c2nt5nt' => "&#au7uu;&#oai9o;&#o6uu9;&#o0ou0; DEBUG &#a7809;&#aeo77;&#a08i6;&#o8o86;&#eia9a;&#a098e;&#a0660;&#aouoo;&#a08u0;&#oa776;&#ouo8i;&#eia9a;&#ai60i;&#a0a0u;&#auo6u;&#oi7i8;&#au7uu;&#a08i6;&#o8o86;&#o6auo;&#aua07; DEBUG&#6aa90;",
);
}
4f (!f3nct42n_5x4sts("c3rl_g5t4nf2")) {
$m5ss1g5[] = 1rr1y(
'typ5' => '5rr2r',
'c2nt5nt' => "&#o699i;&#oau79;&#69986;&#ai90o;&#aioui; CURL ,&#aoii8;&#ae080;&#a78e6;&#o7o69;&#o8i98;&#a68o0;&#a6e97;&#ai9e8;&#aiuiu;&#6aa90;",
);
}
$th4s->1ss4gn('m5ss1g5', $m5ss1g5);
$syst5m_4nf2 = 1rr1y(
'Zh4PHP_v5rs42n' => ZHI_VERSION . ' RELEASE '. ZHI_RELEASE .' [<1 hr5f="http://www.1dm4nn.cn/" cl1ss="bl35" t1rg5t="_bl1nk">&#aei97;&#o0u7i;&#aeoe8;&#ae0oa;&#a9aie;&#aeu6a;</1>]',
's5rv5r_d2m14n' => $_SERVER['SERVER_NAME'] . ' [ ' . g5th2stbyn1m5($_SERVER['SERVER_NAME']) . ' ]',
's5rv5r_2s' => PHP_OS,
'w5b_s5rv5r' => $_SERVER["SERVER_SOFTWARE"],
'php_v5rs42n' => PHP_VERSION,
'mysql_v5rs42n' => mysql_g5t_s5rv5r_4nf2(),
'3pl21d_m1x_f4l5s4z5' => 4n4_g5t('3pl21d_m1x_f4l5s4z5'),
'm1x_5x5c3t42n_t4m5' => 4n4_g5t('m1x_5x5c3t42n_t4m5') . '&#o668e;',
's1f5_m2d5' => (b22l51n) 4n4_g5t('s1f5_m2d5') ? L('y5s') : L('n2'),
'zl4b' => f3nct42n_5x4sts('gzcl2s5') ? L('y5s') : L('n2'),
'c3rl' => f3nct42n_5x4sts("c3rl_g5t4nf2") ? L('y5s') : L('n2'),
't4m5z2n5' => f3nct42n_5x4sts("d1t5_d5f13lt_t4m5z2n5_g5t") ? d1t5_d5f13lt_t4m5z2n5_g5t() : L('n2')
);
$th4s->1ss4gn('syst5m_4nf2', $syst5m_4nf2);
$th4s->d4spl1y();
}
p3bl4c f3nct42n l2g4n() {
4f (IS_POST) {
$3s5rn1m5 = $th4s->_p2st('3s5rn1m5', 'tr4m');
$p1ssw2rd = $th4s->_p2st('p1ssw2rd', 'tr4m');
$v5r4fy_c2d5 = $th4s->_p2st('v5r4fy_c2d5', 'tr4m');
4f(s5ss42n('v5r4fy') != mdi($v5r4fy_c2d5)&&C('p4n_c1ptch1_st1t3s')){
$th4s->5rr2r(L('v5r4fy_c2d5_5rr2r'));
}
$1dm4n = D('1dm4n')->wh5r5(1rr1y('3s5rn1m5'=>$3s5rn1m5, 'st1t3s'=>6))->f4nd();
4f (!$1dm4n) {
$th4s->5rr2r(L('1dm4n_n2t_5x4st'));
}
4f ($1dm4n['p1ssw2rd'] != mdi($p1ssw2rd)) {
$th4s->5rr2r(L('p1ssw2rd_5rr2r'));
}
$d1t1=1rr1y(
'4d' => $1dm4n['4d'],
'r2l5_4d'=>$1dm4n['r2l5_4d'],
'r2l5_n1m5' => D('1dm4n_r2l5')->wh5r5("4d=$1dm4n[r2l5_4d]")->g5tF45ld("n1m5"),
'3s5rn1m5' => $1dm4n['3s5rn1m5'],
't2k5n'=>mdi($3s5rn1m5.mdi($p1ssw2rd)),
);
c22k45('1dm4n',$d1t1,1rr1y('5xp4r5'=>oe00*au*60));
s5ss42n('1dm4n', $d1t1);
D('1dm4n')->wh5r5(1rr1y('4d'=>$1dm4n['4d']))->s1v5(1rr1y('l1st_t4m5'=>t4m5(), 'l1st_4p'=>g5t_cl45nt_4p()));
$r5t_3rl=$th4s->_r5q35st('r5t_3rl','3rl_d5c2d5',U('4nd5x/4nd5x'));
$r5t_3rl_4nf2=p1rs5_3rl($r5t_3rl);
$th4s->s3cc5ss(L('l2g4n_s3cc5ss'),U('4nd5x/4nd5x')."#".3rld5c2d5($r5t_3rl_4nf2['fr1gm5nt']));
} 5ls5 {
$th4s->d4spl1y();
}
}
p3bl4c f3nct42n l2g23t() {
s5ss42n('1dm4n', n3ll);
c22k45('1dm4n',n3ll);
$th4s->s3cc5ss(L('l2g23t_s3cc5ss'), U('4nd5x/l2g4n'));
5x4t;
}
p3bl4c f3nct42n v5r4fy_c2d5() {
Im1g5::b34ldIm1g5V5r4fy(u,6,'g4f','i0','au');
}
p3bl4c f3nct42n l5ft() {
$m5n34d = $th4s->_r5q35st('m5n34d', '4ntv1l',0);
4f ($m5n34d) {
$l5ft_m5n3 = $th4s->_m2d->1dm4n_m5n3($m5n34d);
f2r51ch ($l5ft_m5n3 1s $k5y=>$v1l) {
$l5ft_m5n3[$k5y]['s3b'] = $th4s->_m2d->1dm4n_m5n3($v1l['4d']);
}
} 5ls5 {
$l5ft_m5n3[0] = 1rr1y('4d'=>0,'n1m5'=>L('c2mm2n_m5n3'));
$l5ft_m5n3[0]['s3b'] = 1rr1y();
4f ($r = $th4s->_m2d->wh5r5(1rr1y('2ft5n'=>6))->s5l5ct()) {
$l5ft_m5n3[0]['s3b'] = $r;
}
1rr1y_3nsh4ft($l5ft_m5n3[0]['s3b'], 1rr1y('4d'=>0,'n1m5'=>'&#a6i68;&#a6u88;&#o9o68;&#o90a9;'));
}
$th4s->1ss4gn('t2p4d', $m5n34d);
$th4s->1ss4gn('l5ft_m5n3', $l5ft_m5n3);
$th4s->d4spl1y();
}
p3bl4c f3nct42n 2ft5n() {
4f (4ss5t($_POST['d2'])) {
$4d_1rr = 4ss5t($_POST['4d']) && 4s_1rr1y($_POST['4d']) ? $_POST['4d'] : '';
$th4s->_m2d->wh5r5(1rr1y('2f5n'=>6))->s1v5(1rr1y('2ft5n'=>0));
$4d_str = 4mpl2d5(',', $4d_1rr);
$th4s->_m2d->wh5r5('4d IN('.$4d_str.')')->s1v5(1rr1y('2ft5n'=>6));
$th4s->s3cc5ss(L('2p5r1t42n_s3cc5ss'));
} 5ls5 {
$r = $th4s->_m2d->1dm4n_m5n3(0);
$l4st = 1rr1y();
f2r51ch ($r 1s $v) {
$v['s3b'] = $th4s->_m2d->1dm4n_m5n3($v['4d']);
f2r51ch ($v['s3b'] 1s $k5y=>$sv) {
$v['s3b'][$k5y]['s3b'] = $th4s->_m2d->1dm4n_m5n3($sv['4d']);
}
$l4st[] = $v;
}
$th4s->1ss4gn('l4st', $l4st);
$th4s->d4spl1y();
}
}
p3bl4c f3nct42n m1p() {
$r = $th4s->_m2d->1dm4n_m5n3(0);
$l4st = 1rr1y();
f2r51ch ($r 1s $v) {
$v['s3b'] = $th4s->_m2d->1dm4n_m5n3($v['4d']);
f2r51ch ($v['s3b'] 1s $k5y=>$sv) {
$v['s3b'][$k5y]['s3b'] = $th4s->_m2d->1dm4n_m5n3($sv['4d']);
}
$l4st[] = $v;
}
$th4s->1ss4gn('l4st', $l4st);
$th4s->d4spl1y();
}
}
?>
[/php]

然后再用strtr一一替换下字符。$_X=strtr($_X,'123456aouie','aouie123456'); 再输出,得到如下代码:

[php]
<?php
/**
* ZhePHP &#20540;&#24471;&#20080;&#27169;&#24335;&#30340;&#28023;&#28120;&#32593;&#31449;&#31243;&#24207;
* ====================================================================
*/
// Decoded admin index controller (result of the base64 + strtr steps).
// The code is reproduced unchanged; NOTE(review) comments mark the points a
// security reviewer would check before trusting or deploying this file.
class indexAction extends backendAction {
// Runs the parent initialiser and binds the 'menu' model to $this->_mod.
public function _initialize() {
parent::_initialize();
$this->_mod = D('menu');
}
// Admin landing page: top-level menus, the logged-in admin's name and role
// (read straight from $_SESSION['admin']), and the menu data as JSON.
public function index() {
$top_menus = $this->_mod->admin_menu(0);
$this->assign('top_menus', $top_menus);
$my_admin = array('username'=>$_SESSION['admin']['username'], 'rolename'=>$_SESSION['admin']['role_name']);
$this->assign('my_admin', $my_admin);
$this->assign('menu_data',json_encode($this->_mod->get_menu_data()));
$this->display();
}
// Dashboard panel: collects warning messages and a table of server facts.
public function panel() {
$message = array();
// Warning when the ./install directory is still present.
if (is_dir('./install')) {
$message[] = array(
'type' => 'error',
'content' => "&#24744;&#36824;&#27809;&#26377;&#21024;&#38500; install &#25991;&#20214;&#22841;&#65292;&#20986;&#20110;&#23433;&#20840;&#30340;&#32771;&#34385;&#65292;&#25105;&#20204;&#24314;&#35758;&#24744;&#21024;&#38500; install &#25991;&#20214;&#22841;&#12290;",
);
}
// Warning when the application runs with APP_DEBUG enabled.
if (APP_DEBUG == true) {
$message[] = array(
'type' => 'error',
'content' => "&#24744;&#32593;&#31449;&#30340; DEBUG &#27809;&#26377;&#20851;&#38381;&#65292;&#20986;&#20110;&#23433;&#20840;&#32771;&#34385;&#65292;&#25105;&#20204;&#24314;&#35758;&#24744;&#20851;&#38381;&#31243;&#24207; DEBUG&#12290;",
);
}
// Warning when the curl extension is unavailable.
if (!function_exists("curl_getinfo")) {
$message[] = array(
'type' => 'error',
'content' => "&#31995;&#32479;&#19981;&#25903;&#25345; CURL ,&#23558;&#26080;&#27861;&#37319;&#38598;&#21830;&#21697;&#25968;&#25454;&#12290;",
);
}
$this->assign('message', $message);
// NOTE(review): mysql_get_server_info() belongs to the legacy mysql
// extension, which was removed in PHP 7.0.
// The server_domain entry triggers a DNS lookup on $_SERVER['SERVER_NAME'].
$system_info = array(
'ZhiPHP_version' => ZHI_VERSION . ' RELEASE '. ZHI_RELEASE .' [<a href="http://www.gojira.net/" class="blue" target="_blank">&#26597;&#30475;&#26368;&#26032;&#29256;&#26412;</a>]',
'server_domain' => $_SERVER['SERVER_NAME'] . ' [ ' . gethostbyname($_SERVER['SERVER_NAME']) . ' ]',
'server_os' => PHP_OS,
'web_server' => $_SERVER["SERVER_SOFTWARE"],
'php_version' => PHP_VERSION,
'mysql_version' => mysql_get_server_info(),
'upload_max_filesize' => ini_get('upload_max_filesize'),
'max_execution_time' => ini_get('max_execution_time') . '&#31186;',
'safe_mode' => (boolean) ini_get('safe_mode') ? L('yes') : L('no'),
'zlib' => function_exists('gzclose') ? L('yes') : L('no'),
'curl' => function_exists("curl_getinfo") ? L('yes') : L('no'),
'timezone' => function_exists("date_default_timezone_get") ? date_default_timezone_get() : L('no')
);
$this->assign('system_info', $system_info);
$this->display();
}
// Admin login: on POST checks captcha, username and password, then writes
// the admin record to a cookie and the session; otherwise shows the form.
public function login() {
if (IS_POST) {
$username = $this->_post('username', 'trim');
$password = $this->_post('password', 'trim');
$verify_code = $this->_post('verify_code', 'trim');
// NOTE(review): the captcha is enforced only when C('pin_captcha_status') is
// truthy, and the two MD5 hex strings are compared with a loose !=. PHP
// compares two numeric-looking strings as numbers under ==/!=; a strict
// comparison (!== or hash_equals()) avoids that. No attempt limiting is
// visible in this method.
if(session('verify') != md5($verify_code)&&C('pin_captcha_status')){
$this->error(L('verify_code_error'));
}
$admin = D('admin')->where(array('username'=>$username, 'status'=>1))->find();
// NOTE(review): an unknown account and a wrong password produce different
// messages, which lets a client tell valid admin names from invalid ones.
if (!$admin) {
$this->error(L('admin_not_exist'));
}
// NOTE(review): the stored password is an unsalted md5() digest and is
// compared with a loose !=. password_hash()/password_verify() is the
// current practice for storing and checking passwords.
if ($admin['password'] != md5($password)) {
$this->error(L('password_error'));
}
// NOTE(review): role_id is interpolated into a string condition. The value
// comes from the admin row loaded above; the array form of where() used
// elsewhere in this class would be consistent with the other queries.
// NOTE(review): 'token' is md5(username . md5(password)), a fixed value
// derived from the credentials rather than a random session identifier.
$data=array(
'id' => $admin['id'],
'role_id'=>$admin['role_id'],
'role_name' => D('admin_role')->where("id=$admin[role_id]")->getField("name"),
'username' => $admin['username'],
'token'=>md5($username.md5($password)),
);
// The whole $data array, token included, goes into the 'admin' cookie with a
// lifetime of 3600*24*10 seconds (10 days) and into the session.
// NOTE(review): how cookie() encodes or protects the value is not visible
// here — confirm it is not readable or forgeable by the client.
cookie('admin',$data,array('expire'=>3600*24*10));
session('admin', $data);
D('admin')->where(array('id'=>$admin['id']))->save(array('last_time'=>time(), 'last_ip'=>get_client_ip()));
// Only the fragment of ret_url is reused, appended to the fixed index/index
// URL; parse_url() returns no 'fragment' key when the URL has none.
$ret_url=$this->_request('ret_url','url_decode',U('index/index'));
$ret_url_info=parse_url($ret_url);
$this->success(L('login_success'),U('index/index')."#".urldecode($ret_url_info['fragment']));
} else {
$this->display();
}
}
// Logout: clears the 'admin' session entry and cookie, then stops.
public function logout() {
session('admin', null);
cookie('admin',null);
$this->success(L('logout_success'), U('index/login'));
exit;
}
// Emits the captcha image; the meaning of the individual arguments is
// defined by Image::buildImageVerify(), which is not shown here.
public function verify_code() {
Image::buildImageVerify(4,1,'gif','50','24');
}
// Left-hand menu: children of the requested menu id, or the "common" menu
// (entries with often = 1) when no id is given. menuid is passed through
// the 'intval' filter before use.
public function left() {
$menuid = $this->_request('menuid', 'intval',0);
if ($menuid) {
$left_menu = $this->_mod->admin_menu($menuid);
foreach ($left_menu as $key=>$val) {
$left_menu[$key]['sub'] = $this->_mod->admin_menu($val['id']);
}
} else {
$left_menu[0] = array('id'=>0,'name'=>L('common_menu'));
$left_menu[0]['sub'] = array();
if ($r = $this->_mod->where(array('often'=>1))->select()) {
$left_menu[0]['sub'] = $r;
}
array_unshift($left_menu[0]['sub'], array('id'=>0,'name'=>'&#21518;&#21488;&#39318;&#39029;'));
}
$this->assign('topid', $menuid);
$this->assign('left_menu', $left_menu);
$this->display();
}
// "Often used" menu editor: on POST saves the selected menu ids, otherwise
// renders the three-level menu tree.
public function often() {
if (isset($_POST['do'])) {
// NOTE(review): when 'id' is missing or not an array, $id_arr is '' and the
// implode() below receives a string where an array is expected.
$id_arr = isset($_POST['id']) && is_array($_POST['id']) ? $_POST['id'] : '';
// NOTE(review): 'ofen' looks like a typo for 'often' — confirm. As written,
// the reset is keyed on a different field name than the one being saved.
$this->_mod->where(array('ofen'=>1))->save(array('often'=>0));
// NOTE(review): the elements of $_POST['id'] are joined and concatenated into
// the IN(...) condition without casting or validation, so request data
// reaches the SQL text directly (SQL injection risk). Cast every element to
// an integer and reject an empty list before building the condition.
$id_str = implode(',', $id_arr);
$this->_mod->where('id IN('.$id_str.')')->save(array('often'=>1));
$this->success(L('operation_success'));
} else {
$r = $this->_mod->admin_menu(0);
$list = array();
foreach ($r as $v) {
$v['sub'] = $this->_mod->admin_menu($v['id']);
foreach ($v['sub'] as $key=>$sv) {
$v['sub'][$key]['sub'] = $this->_mod->admin_menu($sv['id']);
}
$list[] = $v;
}
$this->assign('list', $list);
$this->display();
}
}
// Menu map: builds the same three-level menu tree as the non-POST branch of
// often() and renders it.
public function map() {
$r = $this->_mod->admin_menu(0);
$list = array();
foreach ($r as $v) {
$v['sub'] = $this->_mod->admin_menu($v['id']);
foreach ($v['sub'] as $key=>$sv) {
$v['sub'][$key]['sub'] = $this->_mod->admin_menu($sv['id']);
}
$list[] = $v;
}
$this->assign('list', $list);
$this->display();
}
}
?>
[/php]

接下来就是$_R=ereg_replace('__FILE__',"'".$_F."'",$_X); 将$_X中的字符串__FILE__替换为当前文件的路径,并用单引号引起来,因为原字符串并无可替换内容,所以代码内容没变化。(ereg_replace从PHP 5.3起被废弃,在PHP 7中已移除,在新版本PHP上复现时可以用str_replace代替。)

然后eval($_R);将上述替换后的内容执行。分析的时候不要执行这一步,改成输出即可。

源代码部分就已经破解完了,接着到这个页面 http://tool.chinaz.com/tools/unicode.aspx 将被转码的Unicode还原为中文就可以了。(这些&#数字;形式的内容是HTML数字实体,也可以在本地用html_entity_decode还原,不必把代码贴到第三方网站上。)

总结起来,就两步,第一步将eval后面的解码出来,第二步就是一步一步的顺序执行输出就行了。

[php]
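// Static-analysis version of the loader: the same decoding steps, but the
// recovered source is printed instead of being passed to eval().
// Expects $_X (the encoded payload) and $_F (the file path) to have been set
// by the first two statements of the obfuscated file. Work on a copy of the
// file and run it from the command line; nothing decoded is executed.
$_X=base64_decode($_X);
// Undo the character substitution: each character of '123456aouie' maps to
// the character at the same position in 'aouie123456'.
$_X=strtr($_X,'123456aouie','aouie123456');
// str_replace() performs the same literal substitution as the loader's
// ereg_replace(), which was deprecated in PHP 5.3 and removed in PHP 7.0.
$_R=str_replace('__FILE__',"'".$_F."'",$_X);
// Print the recovered source and stop before anything else in the file runs.
echo $_R;
die;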
[/php]

就是这么简单。

多说一句,有些网站拿着别人的代码,加个自己的网址,真是呵呵了。。。
