好吧,我正在为客户使用一些 PHP。最后一个制作他的网站的人对他的所有 PHP 进行了编码,使像我这样的人很难进来进行更改。我不知道这是什么。
好的,一开始是这样的:
<?php $OOO000000=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000{5};$OOO000O00=$OOO000000{0}.$OOO000000{12}.$OOO000000{7}.$OOO000000{5}.$OOO000000{15};$O0O000O00=$OOO000000{0}.$OOO000000{1}.$OOO000000{5}.$OOO000000{14};$O0O000O0O=$O0O000O00.$OOO000000{11};$O0O000O00=$O0O000O00.$OOO000000{3};$O0O00OO00=$OOO000000{0}.$OOO000000{8}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OOO00000O=$OOO000000{3}.$OOO000000{14}.$OOO000000{8}.$OOO000000{14}.$OOO000000{8};$OOO0O0O00=__FILE__;$OO00O0000=0xa68;eval($OOO0000O0('JE8wMDBPME8wMD0kT09PMDAwTzAwKCRPT08wTzBPMDAsJ3JiJyk7JE8wTzAwT08wMCgkTzAwME8wTzAwLDB4NTU0KTskT08wME8wME8wPSRPT08wMDAwTzAoJE9PTzAwMDAwTygkTzBPMDBPTzAwKCRPMDAwTzBPMDAsMHgxN2MpLCdmaFY2THhOT01GUlgwZXZjK3lTOEhXdHNZcUpuUUNQVEJacGszb0VnQXU5YjI1MW1Jai9yYTRHemxkRFU3S3dpPScsJ0FCQ0RFRkdISUpLTE1OT1BRUlNUVVZXWFlaYWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5Ky8nKSk7ZXZhbCgkT08wME8wME8wKTs='));return;?>~DFLKc06hc06hc064rCOFTQEWInNxkqSBgs4KNSHjxs47gXVMgMpl38aKc0L7I8rfIXpMgMpI38aKc06fI0L7IRVyc8a7I06fI0L7AFL7I8rfI8a7I0VB38rfI0L7I8rfIXVyc8rfI8rfI06fuXVCEJxYG8OZv8a4NHoBIqsqkRzo8vLZsCOeqQHu1HHe+WLFJQN2rnaWg+sHdYkM40t4FJpK/Y8yOPEj3yxHzSzCucSQ2FaxV+ayxy3CMSHuX8L4v84hyHoeHWWqstxoJYtFkqNWEqGZuJE52ntdmQOx/Qzy4CgClPsAI08Mre6HGerBdR/7gRS3uvGqknNKrqSB38rfI0L7I8rfIR85oCEx2RVyc8rfI8rfI8rfuvI==VEe2YserMNxrnHjunE2RPIurCNxaJt0BqgW1YzyunGlBYzFoYsyoHGWZQEeAWsF2MVB3nzFuqGo1YtjWQEIuVg2RFNK/JtCunEx2WsF2M6aBCOFunSB3nzFuqGo1YtjWQEIuvIA3Yt4DWsF2+EoaQ/fKMOhZQgeoszW/nVB3nzFuqGo1YtjWQEIuvIA3Yt4DHGeAqt4oM6aBFNx5PoW/nLFuCOenFzekJNW5qSCCvIA3Yt4DSNKrCVfKMVyZnsuWQEjVJsyrt/CAnzeaF4aUVpyZnsuLnG4ZJtlBcSf3Yt4DHGeAqt4oXpQDX/7gXpyZnsuMnzeavIuIYsFrqWKrCOMAFNx5PoW/nLFuCOenFzx4qsFdF4a2FNx5PohZQEx5Q/3UVpyZnsu+YsyA+EoaQ/fKMNWlQNjmqNHAF/7gXVyZnsuWQEjVJsyrt/CIYsyAF4auvIA3Yt4DHNxaJLx/QExdM6aBYsF/Ys3AR82RqEK/qtxkJVfAFNx5PohZCNZVJsyrMNxrMVyIYsyA+EoaRShUVpyIYsyA+EoaM6aBCOFunSB3QNxaJLFuCV3UVEoEMVZrCtFrCOMAFOhZCNZVJs+20VIrRSfKcSfgQEWEF/3BPIA3Yt4DHNx/Yt4rt/C/qtYgsSfKMVyIYsyA+EoavIuKqtjrqShuqpfAMtW5QOydRVyIYsyA+EoaRS3BPIA3Yt4DHNxaJLx/QExdt4aBcSf3QNxaJLFuC62RT+uKVpyZnsu+YsFZnsenFzhZCNBgsSfKMNo5QNjmqNHAF/7gXVyZnsu+YsyA+sF/Ys3uvIA3Yt4DHNxaJVfKMVZuQzeoCVB3Yt4DHNx/Yt4rt/CIYsyAF4auMVYEMtW5QOydRVyZnsu+YsFZnsenFzhZCNBgsS3uVk7gX/Q1FNx5PohZQEx5Q42gQNxaJVCCM6ABF/7gvIA3Yt4DHEWEM6aBRNorQGWaRVyZnsu+YsFZnsenFzFoqpCCRSfEFpxonshaPSB3Yt4DHNx/Yt4rt/C/qtYgsS3uVk7gX/Q1FNx5PohZQEx5Q42gQEWEF4aBvpfgFr2RFNx5PohZQEx5QaK4CVfKMNx/QExdRV3UVpyZnsu+YsFZnsecCsynFGooF4aBcSfAJserqs+AFNx5PohZQEx5Q42gJtHgsS3BFpYZqt4ICO3AFNx5PohZQEx5Q42gJtHgsS3uVk73Yt4DHNx/Yt4rt/CuqSCCM6ABF4WHykBgvIA3CNo5qseaYsfBcShaJt4oRV3UVpy/Ytd3nG48qtemnEyrM6aBQEx1qVB4X60IR82RFNx5PohZQEx5QaK4Cx2gQto3F4aBcSf3CNo5qseaYsfBXSy/Ytd3nG48qtemnEyrvIA3Yt4DHNx/Yt4r8zWat/CrQpCCM6aBRNorQGWaRVyZnsu+YsFZnsenFze/F4auMVYEMtW5QOydRVyZnsu+YsFZnsenFze/F4auR+AiFNx5PohZQEx5Q42gQzMgsSfDMVQgvIA3Yt4DHNx/Yt4r8zWat/CbqsoznzF3Q/CCM6aBRNorQGWaRVyZnsu+YsFZnsenFG5oPsCmQEyrF4auMVYEMtW5QOydRVyZnsu+YsFZnsenFG5oPsCmQEyrF4auR+AiFNx5PohZQEx5Q42gJGWdCGK/qO0gsSfDMVQgvIA3Yt4DyNWrCNo1YsyunGlBcSf3Yt4DyNK5Yto1MVl3Yt4DHNxaJVf1FNx5PoFoqk2RFNx5P3yoQzyunExaJtK1MVlKMVQiF/dACOyIsGF4Jtj3szx4qsFdRVyZnsu+YsFZnsecCs+uvIu/qsy4QElBFNx5P3yoQzyunExaJtK1vIuKVEq4nEeaJtK1MNe2Jteb+GK4ng+BRVy2JtdbRShUVpyAJsyknzW1CNW/M6aBF/l1X/Q1FNjunE2BXpQmJNoaYGK4ngyoQpdZQGagvIuoYGZmMVF6nzW1CNW/MLqunNHDMNZuCNemCtdaqsMpvIuknNWZQgeaYsykYteAqSBuvIA3nNKkJaemCtdaM6aB062RJtYBRNqunNWTqsZuQzyrRVyAJsyknzW1CNW/RS3BPIA3qEBBcShEnzhonpB3JNoaYGK4ngyoQpIgQp2gR82RCGZunNHA0S3BPIuuqpfAqEjmYG2AFNqAXLjc+a5TyWBuRShUVpypCtqEqsMBcShkJNKIRNq/qtx3RVyEJVjEJtjoQGoDqSB3JNoaYGK4ngyoQp3uR82RFNF4qEqoQp2bvIu/qsCunE+AFNqAR82RqgC/JsyoRVyEJVI3YgWEqEW/R82RqEq2CseARVyEJV3UVEqaQgW1YGxaqSB3qEB2qgyonNIAFNqARS3UVEq2nGebRVyEJVj08aeXs4WvR82RYgFoYt2UVg4onOeoMO2RFNjmYG56nzW1CV2bvIurnNWoQVBjR82RT+uuqpfAFNjmYG56nzW1CVfwcSf4RShUVEF/qtxbvIuKVgaRTtW2QGHBPIA3qEBBcShEnzhonpB3JNoaYGK4ngyoQpIgC/2gR82RqgC/JsyoRVyEJVIp0SMuvIA3YgWEqEW/cSMjMk2RT+uEYGjmQGHAFNqAR82RT+uKVpyZQG48qtx/YGZWQEIBcShZQG40JtdbvkukQEWZCNW8qtx/YGZWQEIAFN4dnNo1JGyoQz+uvIAUalVnRPIq
然后我将其解码为:
<?php $O000O0O00 = $OOO000O00($OOO0O0O00, 'rb');
$O0O00OO00($O000O0O00, 0x554);
$OO00O00O0 = $OOO0000O0($OOO00000O($O0O00OO00($O000O0O00, 0x17c), 'fhV6LxNOMFRX0evc+yS8HWtsYqJnQCPTBZpk3oEgAu9b251mIj/ra4GzldDU7Kwi=', 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'));
eval($OO00O00O0); ?>
但是我还没有进一步了解。关于如何使用它有什么想法吗?
最佳答案
哦,一个谜题!我喜欢拼图。
该解码器有两个阶段。
第一个阶段分配多个字符串,然后对第二阶段进行解码和评估。这里删除了一些错误的格式和变量名称:
$map=urldecode('%66%67%36%73%62%65%68%70%72%61%34%63%6f%5f%74%6e%64');
$base64_decode=$map{4}.$map{9}.$map{3}.$map{5};
$base64_decode.=$map{2}.$map{10}.$map{13}.$map{16};
$base64_decode.=$base64_decode{3}.$map{11}.$map{12}.$base64_decode{7}.$map{5};
$fopen=$map{0}.$map{12}.$map{7}.$map{5}.$map{15};
$fgets=$map{0}.$map{1}.$map{5}.$map{14};
$fgetc=$fgets.$map{11};
$fgets=$fgets.$map{3};
$fread=$map{0}.$map{8}.$map{5}.$map{9}.$map{16};
$strtr=$map{3}.$map{14}.$map{8}.$map{14}.$map{8};
$filename=__FILE__;
$hex_a68=0xa68;
eval($base64_decode(another base64 blob -- the second stage))
除了 $map 和 $filename 之外,每个字符串最终都会被分配其名称作为内容。
第二阶段是从 Base64 blob 解码的,由您已经发现的第二部分组成,我在下面对其进行了类似的处理:
$fh = $fopen($filename, 'rb');
$fread($fh, 0x554);
$data = $base64_decode($strtr(
$fread($fh, 0x17c),
'fhV6LxNOMFRX0evc+yS8HWtsYqJnQCPTBZpk3oEgAu9b251mIj/ra4GzldDU7Kwi=',
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
));
eval($data);
这会从当前 PHP 文件中读取一些编码数据,使用 strtr() 对其进行修改,Base64 对其进行解码,然后对其进行评估。此解码的结果似乎有些损坏(可能您省略了部分输入?),但包含以下 PHP 代码的可读片段:
class asmLink
{
static function createSearchUrl ($originalUrl)
{
$originalUrl = trim($originalUrl);
$amzUrlBits = parse_url($originalUrl);
$amzScheme = $amzUrlBits['
顺便说一句:我们强烈建议您的客户仔细阅读与前开发商的契约(Contract),并可能考虑采取法律诉讼 - 该开发商故意采取措施阻止您的客户避免让其他人维护他们的网站。
关于php - 解码这个PHP?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25945309/