PHP eval gzinflate base64_decode str_rot13加密解密

2010年10月14日星期四 | | |

遇到了一个文件用eval(gzinflate(str_rot13(base64_decode(一串解密的,原以为替换eval为echo看下好了,谁知道,还有N层,一怒之下写了这个脚本,直接转换之。顺便弄个了在线版的,省得需要的朋友直接找我了。

以下为源码:

  1. <?php 
  2. /********************************************************************** 
  3. *PHP eval gzinflate base64_decode str_rot13加密解密脚本 By:Neeao 
  4. *目前只写了针对四种组合的,其他组合的可参考注释自行修改: 
  5. *1.eval(gzinflate(str_rot13(base64_decode( 
  6. *2.eval(gzinflate(base64_decode( 
  7. *3.gzinflate(base64_decode(base64_decode(str_rot13( 
  8. *4.eval(gzinflate(base64_decode(str_rot13( 
  9. *Http://Neeao.com 
  10. *2009-09-28 
  11. ***********************************************************************/ 
  12.  
  13. $filename='code.php';//要解密的文件 
  14. $handle = fopen($filename"r"); 
  15. $contents = fread($handlefilesize ($filename)); 
  16. $contents_arr=explode('NeeaoNeeao',htmlspecialchars(decode($contents))); 
  17. echo "此代码被加密了".$contents_arr[0]."层,内容如下:<br>\n"
  18. echo $contents_arr[1]; 
  19.  
  20. /* 
  21. 解密主函数 
  22. $Str,要解密的文件内容 
  23. */ 
  24. function decode($str,$i=0) 
  26.      
  27.     $content=""
  28.     //eval(gzinflate(str_rot13(base64_decode( 
  29.     //先正则查找是否相关组合加密的,base64编码后的正则是:[A-Za-z0-9\/\+=] 
  30.     if(preg_match("/(eval\(gzinflate\(str_rot13\(base64_decode\(')([A-Za-z0-9\/\+=]*)'/",$str,$x)) 
  31.     {    
  32.         //替换掉没用的字符,获取加密后的密文 
  33.         $content=str_replace("eval(gzinflate(str_rot13(base64_decode('","",$x[0]); 
  34.         $content=str_replace("'","",$content); 
  35.         //变量i是用来判断加密层数的,初始值为0,解密一次,层数加一 
  36.         $i++; 
  37.         //采用相关组合解密 
  38.         $content=gzinflate(str_rot13(base64_decode($content))); 
  39.         //递归判断下是不是已经结束了,没结束继续重复解密 
  40.         $content=decode($content,$i); 
  41.     } 
  42.     //eval(gzinflate(base64_decode( 
  43.     elseif(preg_match("/eval\(gzinflate\(base64_decode\('[A-Za-z0-9\/\+=]*'/",$str,$y)) 
  44.     {    
  45.          
  46.         $content=str_replace("eval(gzinflate(base64_decode('","",$y[0]); 
  47.         $content=str_replace("'","",$content); 
  48.         $i++; 
  49.         $content=gzinflate(base64_decode($content)); 
  50.         $content=decode($content,$i); 
  51.     } 
  52.     //gzinflate(base64_decode(base64_decode(str_rot13( 
  53.     elseif(preg_match("/eval\(gzinflate\(base64_decode\(base64_decode\(str_rot13\('[A-Za-z0-9\/\+=]*'/",$str,$z)) 
  54.     { 
  55.         $content=str_replace("eval(gzinflate(base64_decode(base64_decode(str_rot13('","",$z[0]); 
  56.         $content=str_replace("'","",$content); 
  57.         $i++; 
  58.         $content=gzinflate(base64_decode(base64_decode(str_rot13(($content))))); 
  59.         $content=decode($content,$i); 
  60.     } 
  61.     //eval(gzinflate(base64_decode(str_rot13( 
  62.     elseif(preg_match("/eval\(gzinflate\(base64_decode\(str_rot13\('[A-Za-z0-9\/\+=]*'/",$str,$m)) 
  63.     { 
  64.         $content=str_replace("eval(gzinflate(base64_decode(str_rot13('","",$m[0]); 
  65.         $content=str_replace("'","",$content); 
  66.         $i++; 
  67.         $content=gzinflate(base64_decode(str_rot13(($content)))); 
  68.         $content=decode($content,$i); 
  69.     } 
  70.     else 
  71.     { 
  72.         $content=$i."NeeaoNeeao".$str
  73.     } 
  74.     return $content
  75.      
  77. ?> 

在线版地址:http://neeao.com/tools/decode/index_eval.php

参考:http://neeao.com/archives/17/

0 评论:

发表评论

订阅: 博文评论 (Atom)

所有文章收集于网络,如果有牵扯到版权问题请与本站站长联系。谢谢合作![email protected]

 
Glossy Blue by N.Design Studio
Blogger Templates by Blogcrowds | Glossy Blue Blogger Template