随笔- 359 文章- 4 评论- 296 阅读- 37万

威盾解密

对某PHP程序解密过程

作者:

蒲松林

发布时间:

2013年09月02日
所在分类:

代码

评论数：

暂无评论

对于程序加密可能是出于程序创作者对于自己的产品产权保护、授权验证，也有一些人把一些后面程序以及黑链等加密发布的。在给朋友用的一套程序中发现index.php被加密了。

一些站长朋友是不是经常会看到类似的加密？默认的index.php肯定不是这样的，那么我们今天就来一步一步的对这个PHP程序进行解密。蒲松林了解到这类加密就是采用了微盾的方式进行的，我们姑且不去管网上有对应的解密工具，直接手工吧。源代码如下：

index.php源代码 
 
PHP
 
1
2
3

<?
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};eval($O00O0O("JE8wTzAwMD0iQk9DWm1LUHF5bkR4QWJmR05FdW90c2pkUlljcmlKTXdWZ0ZVenZYTGthVFNwSWxoZUhRV1dITmZhQ0d5b3RzanBRTFN3WXpyYmx4aERjQXZUT1VQUklpdW1aSmVrbktkcWdNVlhGRUJHczh3TmFWTWNCRE1BVElURTI5emhTUnpoTjEwWEpXTUhUVzBmSlYwZTJWMFFCUDdnU3dyY0pPbWZKRTloSkRhZUtJVENLbElzRXFxZlRJVmZhTWxmUjlNWFNNbWhGVXJPbzRaZlNpMGNkOXFRdHcwY0JqbGVhalpjMmx0Q2Rrd050bHdOVHBJZ05XcmZCaWtmSmdyZ2tqWmMyaTBuQjl6SFRwWm5CNW1oU2lsUU45cVFhRE1YTjVQbkZwVENLbHdOVHBJZ05XTVhTTTBIUDBDTEUwQ2ZTUmFuQjVNQ05oV3VpV0x1azlHUk5BbGdGdzBBTTlvZkpXbGNCd01DTmhBSk5BbGdOQVpPb1BJZlNNb1FhaWJmZFZMSjBmT0tZUkxKb2txQ0tsd05UOHlnSEI2TUhYdXlIQkV4WFh0bEZoM2hvNVZmUzFxUWE0emMyNHllUDBDZlNSYW5CNU1DTmhXdWlXTEtraXdEZEFsZ05oVkFGcHRDS2x3TlQ4eWdIQjZNSFh1eUhYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzBpRXVpOUVFUkRnT29QSU9vNFpjMjFtaFNpWmVvQXFIUDBDZW9ySTVxQlA1cjJ6NTV6ejVRMlJDVDh3TmFETWZhTXpmZEl0dVlNSEowRFdSWWlMdVlpdWROQWxnTkF6ZTJEVmhTWVpPb2s3c0VyWkNUc2FUbnRNbGZKdGE2N01aZnV5ZVAwQ2ZTUmFuQjVNQ05oaUJpRGlLa0RMdVlpdWROQWxnWWlFdWk5RUVSRGdnTjRJTzBSNGhTUnpmTjh0Q0tsd05UOHlnSGFpeFhYOXZ6bkJWK2Q3YnpYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzB3R0trZkx1WWl1ZE5BbGdpV09LTTlZRVJEV0oxV1dSWUlJZVRwdGMyOXpmYU10ZW9BcUhQMENlb3JJNXFCUDVyMno1NXp6NVEyUkNUOHdOYURNZmFNemZkSXR1TVJIUllNd0RSOUVFUkRnT29QSU9vNFpKM08xUXREcVFCdVpPb2s3c0VyWkNUV2dSWTFVNmYyZjVyTlc1cW5GNWV6MjU1eno1UTJSQ1Q4d05UOFpmU1JhbkI1TUNOaGdSWTFVSjFXV1JZSXRlTldFZHU1TERZaXVFUjlFRVJEZ2dONElPMlYwUUJQWk9vazdzRXJaQ1RXWUR1T1JEK0I4SUhCaWxvclpzRXFrZkJmcVFhdXJPMGlFdWk5WUR1T1JEb0FsZ1NmVlFGd01DS2x3TnRPTUFKUnFBYXVyZ1Q0WmMyOW9mZDl1blNNem4xV2d1Tjl1blNNem4xV2d1TjVQbkZwVENLbHdOSTBDc0VyL0dJPT0iO2V2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7"));
?>

解密方法如下：

index.php加密后的解密方法 
 
 
 
 
 
PHP
 


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

<?
$O00OO0=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");
echo'第一步：生成$O00OO0：'.$O00OO0;
echo'<br /><br />********************************************************<br /><br />';
$O00O0O=$O00OO0{3}.$O00OO0{6}.$O00OO0{33}.$O00OO0{30};$O0OO00=$O00OO0{33}.$O00OO0{10}.$O00OO0{24}.$O00OO0{10}.$O00OO0{24};
$OO0O00=$O0OO00{0}.$O00OO0{18}.$O00OO0{3}.$O0OO00{0}.$O0OO00{1}.$O00OO0{24};
$OO0000=$O00OO0{7}.$O00OO0{13};$O00O0O.=$O00OO0{22}.$O00OO0{36}.$O00OO0{29}.$O00OO0{26}.$O00OO0{30}.$O00OO0{32}.$O00OO0{35}.$O00OO0{26}.$O00OO0{30};
echo'第二步生成$O00O0O：'.$O00O0O;
echo'<br /><br />********************************************************<br /><br />';
 
//上面解出来 $O00O0O=base64_decode;
//既然  $O00O0O=base64_decode那么把下面的代码改一下，eval是用来执行php代码，这里不需要执行，只需要解出php代码即可，那么去掉eavl 并把$O00O0O换成上面解出来的值
 
//源代码内容
//eval($O00O0O("JE8wTzAwMD0iQk9DWm1LUHF5bkR4QWJmR05FdW90c2pkUlljcmlKTXdWZ0ZVenZYTGthVFNwSWxoZUhRV1dITmZhQ0d5b3RzanBRTFN3WXpyYmx4aERjQXZUT1VQUklpdW1aSmVrbktkcWdNVlhGRUJHczh3TmFWTWNCRE1BVElURTI5emhTUnpoTjEwWEpXTUhUVzBmSlYwZTJWMFFCUDdnU3dyY0pPbWZKRTloSkRhZUtJVENLbElzRXFxZlRJVmZhTWxmUjlNWFNNbWhGVXJPbzRaZlNpMGNkOXFRdHcwY0JqbGVhalpjMmx0Q2Rrd050bHdOVHBJZ05XcmZCaWtmSmdyZ2tqWmMyaTBuQjl6SFRwWm5CNW1oU2lsUU45cVFhRE1YTjVQbkZwVENLbHdOVHBJZ05XTVhTTTBIUDBDTEUwQ2ZTUmFuQjVNQ05oV3VpV0x1azlHUk5BbGdGdzBBTTlvZkpXbGNCd01DTmhBSk5BbGdOQVpPb1BJZlNNb1FhaWJmZFZMSjBmT0tZUkxKb2txQ0tsd05UOHlnSEI2TUhYdXlIQkV4WFh0bEZoM2hvNVZmUzFxUWE0emMyNHllUDBDZlNSYW5CNU1DTmhXdWlXTEtraXdEZEFsZ05oVkFGcHRDS2x3TlQ4eWdIQjZNSFh1eUhYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzBpRXVpOUVFUkRnT29QSU9vNFpjMjFtaFNpWmVvQXFIUDBDZW9ySTVxQlA1cjJ6NTV6ejVRMlJDVDh3TmFETWZhTXpmZEl0dVlNSEowRFdSWWlMdVlpdWROQWxnTkF6ZTJEVmhTWVpPb2s3c0VyWkNUc2FUbnRNbGZKdGE2N01aZnV5ZVAwQ2ZTUmFuQjVNQ05oaUJpRGlLa0RMdVlpdWROQWxnWWlFdWk5RUVSRGdnTjRJTzBSNGhTUnpmTjh0Q0tsd05UOHlnSGFpeFhYOXZ6bkJWK2Q3YnpYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzB3R0trZkx1WWl1ZE5BbGdpV09LTTlZRVJEV0oxV1dSWUlJZVRwdGMyOXpmYU10ZW9BcUhQMENlb3JJNXFCUDVyMno1NXp6NVEyUkNUOHdOYURNZmFNemZkSXR1TVJIUllNd0RSOUVFUkRnT29QSU9vNFpKM08xUXREcVFCdVpPb2s3c0VyWkNUV2dSWTFVNmYyZjVyTlc1cW5GNWV6MjU1eno1UTJSQ1Q4d05UOFpmU1JhbkI1TUNOaGdSWTFVSjFXV1JZSXRlTldFZHU1TERZaXVFUjlFRVJEZ2dONElPMlYwUUJQWk9vazdzRXJaQ1RXWUR1T1JEK0I4SUhCaWxvclpzRXFrZkJmcVFhdXJPMGlFdWk5WUR1T1JEb0FsZ1NmVlFGd01DS2x3TnRPTUFKUnFBYXVyZ1Q0WmMyOW9mZDl1blNNem4xV2d1Tjl1blNNem4xV2d1TjVQbkZwVENLbHdOSTBDc0VyL0dJPT0iO2V2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7"));
 
//修改后变成
echo'第三步生成：';
echobase64_decode("JE8wTzAwMD0iQk9DWm1LUHF5bkR4QWJmR05FdW90c2pkUlljcmlKTXdWZ0ZVenZYTGthVFNwSWxoZUhRV1dITmZhQ0d5b3RzanBRTFN3WXpyYmx4aERjQXZUT1VQUklpdW1aSmVrbktkcWdNVlhGRUJHczh3TmFWTWNCRE1BVElURTI5emhTUnpoTjEwWEpXTUhUVzBmSlYwZTJWMFFCUDdnU3dyY0pPbWZKRTloSkRhZUtJVENLbElzRXFxZlRJVmZhTWxmUjlNWFNNbWhGVXJPbzRaZlNpMGNkOXFRdHcwY0JqbGVhalpjMmx0Q2Rrd050bHdOVHBJZ05XcmZCaWtmSmdyZ2tqWmMyaTBuQjl6SFRwWm5CNW1oU2lsUU45cVFhRE1YTjVQbkZwVENLbHdOVHBJZ05XTVhTTTBIUDBDTEUwQ2ZTUmFuQjVNQ05oV3VpV0x1azlHUk5BbGdGdzBBTTlvZkpXbGNCd01DTmhBSk5BbGdOQVpPb1BJZlNNb1FhaWJmZFZMSjBmT0tZUkxKb2txQ0tsd05UOHlnSEI2TUhYdXlIQkV4WFh0bEZoM2hvNVZmUzFxUWE0emMyNHllUDBDZlNSYW5CNU1DTmhXdWlXTEtraXdEZEFsZ05oVkFGcHRDS2x3TlQ4eWdIQjZNSFh1eUhYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzBpRXVpOUVFUkRnT29QSU9vNFpjMjFtaFNpWmVvQXFIUDBDZW9ySTVxQlA1cjJ6NTV6ejVRMlJDVDh3TmFETWZhTXpmZEl0dVlNSEowRFdSWWlMdVlpdWROQWxnTkF6ZTJEVmhTWVpPb2s3c0VyWkNUc2FUbnRNbGZKdGE2N01aZnV5ZVAwQ2ZTUmFuQjVNQ05oaUJpRGlLa0RMdVlpdWROQWxnWWlFdWk5RUVSRGdnTjRJTzBSNGhTUnpmTjh0Q0tsd05UOHlnSGFpeFhYOXZ6bkJWK2Q3YnpYUXZ6QjlNZHJac0Vxa2ZCZnFRYXVyTzB3R0trZkx1WWl1ZE5BbGdpV09LTTlZRVJEV0oxV1dSWUlJZVRwdGMyOXpmYU10ZW9BcUhQMENlb3JJNXFCUDVyMno1NXp6NVEyUkNUOHdOYURNZmFNemZkSXR1TVJIUllNd0RSOUVFUkRnT29QSU9vNFpKM08xUXREcVFCdVpPb2s3c0VyWkNUV2dSWTFVNmYyZjVyTlc1cW5GNWV6MjU1eno1UTJSQ1Q4d05UOFpmU1JhbkI1TUNOaGdSWTFVSjFXV1JZSXRlTldFZHU1TERZaXVFUjlFRVJEZ2dONElPMlYwUUJQWk9vazdzRXJaQ1RXWUR1T1JEK0I4SUhCaWxvclpzRXFrZkJmcVFhdXJPMGlFdWk5WUR1T1JEb0FsZ1NmVlFGd01DS2x3TnRPTUFKUnFBYXVyZ1Q0WmMyOW9mZDl1blNNem4xV2d1Tjl1blNNem4xV2d1TjVQbkZwVENLbHdOSTBDc0VyL0dJPT0iO2V2YWwoJz8+Jy4kTzAwTzBPKCRPME9PMDAoJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAqMiksJE9PME8wMCgkTzBPMDAwLCRPTzAwMDAsJE9PMDAwMCksJE9PME8wMCgkTzBPMDAwLDAsJE9PMDAwMCkpKSk7");
 
//得到如下代码
/*
$O0O000="BOCZmKPqynDxAbfGNEuotsjdRYcriJMwVgFUzvXLkaTSpIlheHQWWHNfaCGyotsjpQLSwYzrblxhDcAvTOUPRIiumZJeknKdqgMVXFEBGs8wNaVMcBDMATITE29zhSRzhN10XJWMHTW0fJV0e2V0QBP7gSwrcJOmfJE9hJDaeKITCKlIsEqqfTIVfaMlfR9MXSMmhFUrOo4ZfSi0cd9qQtw0cBjleajZc2ltCdkwNtlwNTpIgNWrfBikfJgrgkjZc2i0nB9zHTpZnB5mhSilQN9qQaDMXN5PnFpTCKlwNTpIgNWMXSM0HP0CLE0CfSRanB5MCNhWuiWLuk9GRNAlgFw0AM9ofJWlcBwMCNhAJNAlgNAZOoPIfSMoQaibfdVLJ0fOKYRLJokqCKlwNT8ygHB6MHXuyHBExXXtlFh3ho5VfS1qQa4zc24yeP0CfSRanB5MCNhWuiWLKkiwDdAlgNhVAFptCKlwNT8ygHB6MHXuyHXQvzB9MdrZsEqkfBfqQaurO0iEui9EERDgOoPIOo4Zc21mhSiZeoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuYMHJ0DWRYiLuYiudNAlgNAze2DVhSYZOok7sErZCTsaTntMlfJta67MZfuyeP0CfSRanB5MCNhiBiDiKkDLuYiudNAlgYiEui9EERDggN4IO0R4hSRzfN8tCKlwNT8ygHaixXX9vznBV+d7bzXQvzB9MdrZsEqkfBfqQaurO0wGKkfLuYiudNAlgiWOKM9YERDWJ1WWRYIIeTptc29zfaMteoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuMRHRYMwDR9EERDgOoPIOo4ZJ3O1QtDqQBuZOok7sErZCTWgRY1U6f2f5rNW5qnF5ez255zz5Q2RCT8wNT8ZfSRanB5MCNhgRY1UJ1WWRYIteNWEdu5LDYiuER9EERDggN4IO2V0QBPZOok7sErZCTWYDuORD+B8IHBilorZsEqkfBfqQaurO0iEui9YDuORDoAlgSfVQFwMCKlwNtOMAJRqAaurgT4Zc29ofd9unSMzn1WguN9unSMzn1WguN5PnFpTCKlwNI0CsEr/GI==";
eval('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
*/
 
//再显示eval里面的内容
 
echo '再显示eval里面的内容得到：';
echo '<br/><br/>********************************************************<br/><br/>';
$O0O000="BOCZmKPqynDxAbfGNEuotsjdRYcriJMwVgFUzvXLkaTSpIlheHQWWHNfaCGyotsjpQLSwYzrblxhDcAvTOUPRIiumZJeknKdqgMVXFEBGs8wNaVMcBDMATITE29zhSRzhN10XJWMHTW0fJV0e2V0QBP7gSwrcJOmfJE9hJDaeKITCKlIsEqqfTIVfaMlfR9MXSMmhFUrOo4ZfSi0cd9qQtw0cBjleajZc2ltCdkwNtlwNTpIgNWrfBikfJgrgkjZc2i0nB9zHTpZnB5mhSilQN9qQaDMXN5PnFpTCKlwNTpIgNWMXSM0HP0CLE0CfSRanB5MCNhWuiWLuk9GRNAlgFw0AM9ofJWlcBwMCNhAJNAlgNAZOoPIfSMoQaibfdVLJ0fOKYRLJokqCKlwNT8ygHB6MHXuyHBExXXtlFh3ho5VfS1qQa4zc24yeP0CfSRanB5MCNhWuiWLKkiwDdAlgNhVAFptCKlwNT8ygHB6MHXuyHXQvzB9MdrZsEqkfBfqQaurO0iEui9EERDgOoPIOo4Zc21mhSiZeoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuYMHJ0DWRYiLuYiudNAlgNAze2DVhSYZOok7sErZCTsaTntMlfJta67MZfuyeP0CfSRanB5MCNhiBiDiKkDLuYiudNAlgYiEui9EERDggN4IO0R4hSRzfN8tCKlwNT8ygHaixXX9vznBV+d7bzXQvzB9MdrZsEqkfBfqQaurO0wGKkfLuYiudNAlgiWOKM9YERDWJ1WWRYIIeTptc29zfaMteoAqHP0CeorI5qBP5r2z55zz5Q2RCT8wNaDMfaMzfdItuMRHRYMwDR9EERDgOoPIOo4ZJ3O1QtDqQBuZOok7sErZCTWgRY1U6f2f5rNW5qnF5ez255zz5Q2RCT8wNT8ZfSRanB5MCNhgRY1UJ1WWRYIteNWEdu5LDYiuER9EERDggN4IO2V0QBPZOok7sErZCTWYDuORD+B8IHBilorZsEqkfBfqQaurO0iEui9YDuORDoAlgSfVQFwMCKlwNtOMAJRqAaurgT4Zc29ofd9unSMzn1WguN9unSMzn1WguN5PnFpTCKlwNI0CsEr/GI==";
echo('?>'.$O00O0O($O0OO00($OO0O00($O0O000,$OO0000*2),$OO0O00($O0O000,$OO0000,$OO0000),$OO0O00($O0O000,0,$OO0000))));
 
?>

最后的解密结果为：

解密结果 
 
 
 
 
PHP
 


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

<?
header("Content-type: text/html; charset=utf-8");
if(!file_exists('./data/install.lock'))
{
    header("Location: /install/index.php");
    exit;
}
define('APP_ROOT',str_replace('\\', '/', dirname(__FILE__)));
/* 应用名称www.pusonglin.cn*/
define('APP_NAME', 'app');
/* 应用目录*/
define('APP_PATH', './cmstao/');
/* 数据目录*/
define('PIN_DATA_PATH', './data/');
/* 扩展目录*/
define('EXTEND_PATH', APP_PATH . 'Extend/');
/* 配置文件目录*/
define('CONF_PATH', PIN_DATA_PATH . 'config/');
/* 数据目录*/
define('RUNTIME_PATH', './_runtime/');
/* HTML静态文件目录*/
//define('HTML_PATH', PIN_DATA_PATH . 'html/');
/* DEBUG开关*/
define('APP_DEBUG',false);
require("./core/ThinkPHP/ThinkPHP.php");
?>