PHP eval gzinflate base64_decode str_rot13 encryption and decryption

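Yesterday I ran into a file encrypted as a string wrapped in eval(gzinflate(str_rot13(base64_decode(. I assumed that replacing eval with echo would be enough to see the contents, but it turned out there were N more layers, so in a fit of anger I wrote this script to convert it directly. I also put up an online version, so that friends who need it don't have to come to me directly.

The source code follows: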

    <?php
    /**********************************************************************
    * PHP eval gzinflate base64_decode str_rot13 encryption/decryption script  By: Neeao
    * Currently only four combinations are handled; for other combinations,
    * adapt the code yourself by following the comments:
    * 1. eval(gzinflate(str_rot13(base64_decode(
    * 2. eval(gzinflate(base64_decode(
    * 3. eval(gzinflate(base64_decode(base64_decode(str_rot13(
    * 4. eval(gzinflate(base64_decode(str_rot13(
    * Http://Neeao.com
    * 2009-09-28
    ***********************************************************************/

    $filename = 'code.php'; // the file to decrypt
    $handle = fopen($filename, "r");
    $contents = fread($handle, filesize($filename));
    fclose($handle);
    // decode() returns "<layer count>NeeaoNeeao<decoded text>"; split on the marker
    $contents_arr = explode('NeeaoNeeao', htmlspecialchars(decode($contents)));
    // Message: "This code was encrypted in N layers, the contents are as follows:"
    echo "此代码被加密了".$contents_arr[0]."层,内容如下:<br>\n";
    echo $contents_arr[1];

    /*
    Main decryption function
    $str: contents of the file to decrypt
    $i:   number of layers decoded so far
    */
    function decode($str, $i = 0)
    {
        $content = "";
        // eval(gzinflate(str_rot13(base64_decode(
        // First use a regex to check whether this combination is present;
        // the character class for base64-encoded data is [A-Za-z0-9\/\+=]
        if (preg_match("/(eval\(gzinflate\(str_rot13\(base64_decode\(')([A-Za-z0-9\/\+=]*)'/", $str, $x))
        {
            // Strip the wrapper text to get the encoded payload
            $content = str_replace("eval(gzinflate(str_rot13(base64_decode('", "", $x[0]);
            $content = str_replace("'", "", $content);
            // $i counts the layers: it starts at 0 and is incremented once per decoded layer
            $i++;
            // Decode with the matching combination
            $content = gzinflate(str_rot13(base64_decode($content)));
            // Recurse to check whether we are done; if not, keep decoding
            $content = decode($content, $i);
        }
        // eval(gzinflate(base64_decode(
        elseif (preg_match("/eval\(gzinflate\(base64_decode\('[A-Za-z0-9\/\+=]*'/", $str, $y))
        {
            $content = str_replace("eval(gzinflate(base64_decode('", "", $y[0]);
            $content = str_replace("'", "", $content);
            $i++;
            $content = gzinflate(base64_decode($content));
            $content = decode($content, $i);
        }
        // eval(gzinflate(base64_decode(base64_decode(str_rot13(
        elseif (preg_match("/eval\(gzinflate\(base64_decode\(base64_decode\(str_rot13\('[A-Za-z0-9\/\+=]*'/", $str, $z))
        {
            $content = str_replace("eval(gzinflate(base64_decode(base64_decode(str_rot13('", "", $z[0]);
            $content = str_replace("'", "", $content);
            $i++;
            $content = gzinflate(base64_decode(base64_decode(str_rot13(($content)))));
            $content = decode($content, $i);
        }
        // eval(gzinflate(base64_decode(str_rot13(
        elseif (preg_match("/eval\(gzinflate\(base64_decode\(str_rot13\('[A-Za-z0-9\/\+=]*'/", $str, $m))
        {
            $content = str_replace("eval(gzinflate(base64_decode(str_rot13('", "", $m[0]);
            $content = str_replace("'", "", $content);
            $i++;
            $content = gzinflate(base64_decode(str_rot13(($content))));
            $content = decode($content, $i);
        }
        else
        {
            // No known wrapper left: return the layer count, the marker and the plain text
            $content = $i."NeeaoNeeao".$str;
        }
        return $content;
    }
    ?>

Online version: http://neeao.com/tools/decode/index_eval.php
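As an added example (not the author's code), the same static unwrapping can be written so that it goes beyond the four hard-coded combinations and handles any nesting order of `gzinflate`, `str_rot13` and `base64_decode`, with a cap on the number of layers. The names `unwrap`, `build_sample` and `max_layers` are assumptions of this sketch, and the sample input is constructed around a harmless statement.

```python
import base64
import re
import zlib

_LOWER = b"abcdefghijklmnopqrstuvwxyz"
_ROT = _LOWER[13:] + _LOWER[:13]
_ROT13 = bytes.maketrans(_LOWER + _LOWER.upper(), _ROT + _ROT.upper())

# Python equivalents of the PHP wrapper functions named in the article.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: b.translate(_ROT13),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, no header
}
_NAMES = "|".join(DECODERS)
# eval( + any chain of the known wrappers + one quoted literal payload.
LAYER = re.compile(r"eval\s*\(\s*((?:(?:%s)\s*\(\s*)+)['\"]([^'\"]*)['\"]" % _NAMES)

def unwrap(source, max_layers=50):
    """Statically peel nested layers; returns (layer_count, final_text).
    Nothing is executed. Like the article's script, each decoded payload
    replaces the whole input."""
    layers = 0
    while layers < max_layers:  # cap so crafted input cannot loop forever
        match = LAYER.search(source)
        if not match:
            break
        data = match.group(2).encode("latin-1")
        # The innermost call is applied first, so walk the chain right to left.
        for name in reversed(re.findall(_NAMES, match.group(1))):
            data = DECODERS[name](data)
        source = data.decode("latin-1")
        layers += 1
    return layers, source

def build_sample():
    """Constructed three-layer sample around a harmless statement."""
    def deflate(raw):
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        return comp.compress(raw) + comp.flush()
    code = b'echo "hello";'
    l1 = b"eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflate(code))
    p2 = base64.b64encode(deflate(l1).translate(_ROT13))
    l2 = b"eval(gzinflate(str_rot13(base64_decode('%s'))));" % p2
    p3 = base64.b64encode(deflate(l2)).translate(_ROT13)
    l3 = b"eval(gzinflate(base64_decode(str_rot13('%s'))));" % p3
    return l3.decode("ascii")

if __name__ == "__main__":
    print(unwrap(build_sample()))
```

A payload that is not valid base64 or DEFLATE data raises `binascii.Error` or `zlib.error`, which tells you the layer uses a scheme other than these three functions.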

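Visitor comments

  1. #1 amxku 2009-09-29, 10:49
    You've been pretty productive lately, haha
  2. #2 amxku 2009-09-29, 10:49
    test, there's a problem......
  3. #3 amxku 2009-09-29, 10:50
    Warning: strpos() [function.strpos]: Empty delimiter in E:\www.neeao.com\wwwroot\post.php on line 97

    There's a problem, isn't there?
  4. #4 Wizhy 2009-10-16, 15:11
    Decryption failed.

    Does the original poster have a solution?
  5. #5 欧阳疯 2009-11-02, 10:27
    I have a piece of code that I've worked on for a long time and still couldn't decode. When would you have time, expert? Could you help take a look?
    QQ:305344190
  6. #6 djunny 2009-11-23, 09:48
    I ran into this problem today too, but your script didn't restore it completely. I checked, and it turns out there's a problem in the middle of your regular expression; I fixed it for you:
    /eval\(gzinflate\(base64_decode\('[^\']*?'/
  7. http://crack.hx99.cn/2.txt
    Please help decode this.
  8. #8 letian 2010-08-17, 21:47
    I looked at the original poster's code, but it didn't decrypt; maybe it isn't encrypted this way.
    Could the original poster please help decrypt the code below and send it to: web-info@163.com
    The code is as follows: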
  9. #9 letian 2010-08-17, 21:48
    Continued from the code above:
  10. #10 letian 2010-08-17, 21:49
    Continued from the code above:
  11. #11 letian 2010-08-17, 21:50
    Continued from the code above:
  12. #12 letian 2010-08-17, 21:50
    Continued from the code above:
  13. #13 shamas 2010-08-21, 13:10
    After decoding mine, what's left is still a big pile of stuff like this:
    if(!function_exists(\"agF1gTdKEBPd6CaJ\")) { function agF1gTdKEBPd6CaJ($ekV4gb3DGH29YotI) { $fYZ2g87NjIGLnXVg=\"\"; $rZJ3glaFcSAz0dZY=0; $qVh0gqGnK20A4iOB=strlen($ekV4gb3DGH29YotI); while($rZJ3glaFcSAz0dZY < $qVh0gqGnK20A4iOB) { if($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY] == \' \') { $fYZ2g87NjIGLnXVg.=\" \"; } else if($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY] == \'!\') { $fYZ2g87NjIGLnXVg.=chr((ord($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY+1])-ord(\'A\'))*16+(ord($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY+2])-ord(\'a\'))); $rZJ3glaFcSAz0dZY+=2; } else { $fYZ2g87NjIGLnXVg.=chr(ord($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY])+1); } $rZJ3glaFcSAz0dZY++; } return $fYZ2g87NjIGLnXVg; } }eval(agF1gTdKEBPd6CaJ(\'!CeehkdMtl</: !Cersq <!Cc[01/[w32E[0/4S[/5/[w3d[014[016U[w31[w35[000F[w57[/5/aV
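  14. #14 skyyimian 2010-09-08, 15:52
    To the poster above: download 黑刀 and decode it with that.
  15. #15 esharker 2010-10-03, 22:27
    I've been struggling with this base64_decode( encryption for a whole day, and I'm not familiar with PHP either. I tried some methods I found online without success and finally found this place. Could the blogger please help me out? I posted on the php100 forum and nobody helped me either. http://bbs.php100.com/read-htm-tid-47838.html
    Please help me solve this; I'll be waiting for your email!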
  16. #16 阿笨猫 2010-10-26, 10:17
    Could you please take a look at what kind of encryption this is?
  17. #17 zwmang 2011-04-13, 16:37
    <?php if(!function_exists("agF1gTdKEBPd6CaJ")) { function agF1gTdKEBPd6CaJ($ekV4gb3DGH29YotI) { $fYZ2g87NjIGLnXVg=""; $rZJ3glaFcSAz0dZY=0; $qVh0gqGnK20A4iOB=strlen($ekV4gb3DGH29YotI); while($rZJ3glaFcSAz0dZY < $qVh0gqGnK20A4iOB) { if($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY] == ' ') { $fYZ2g87NjIGLnXVg.=" "; } else if($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY] == '!') { $fYZ2g87NjIGLnXVg.=chr((ord($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY+1])-ord('A'))*16+(ord($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY+2])-ord('a'))); $rZJ3glaFcSAz0dZY+=2; } else { $fYZ2g87NjIGLnXVg.=chr(ord($ekV4gb3DGH29YotI[$rZJ3glaFcSAz0dZY])+1); } $rZJ3glaFcSAz0dZY++; } return $fYZ2g87NjIGLnXVg; } }

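    Could you help me decrypt this? Thanks. What did he use to encrypt it?
  18. #18 购物网站排名 2011-05-17, 13:01
    Thanks to the original poster, I was just looking for this!
  19. #19 ixwebhosting 2011-06-02, 11:17
    Successfully decrypted a WordPress footer; many thanks to the blogger for providing the program.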
