Decrypting PHP code protected by !function_exists("T7FC56270E7A70FA81A5935B72EACBE29")
I replaced eval with echo directly, and the page came out blank! Really frustrating: this trick had always worked every time, and today I ran into code written by an expert.
Work through it slowly, replacing the long variable names with short ones to make the code more readable.
The code is as follows:
<?php
if (!function_exists("bear01"))
{
    // Decoder stub: base64-decodes its argument, then expands an LZ-style stream.
    function bear01($bear02)
    {
        $bear02 = base64_decode($bear02);
        $bear01 = 0;   // back-reference offset
        $bear03 = 0;   // copy / run length
        $bear04 = 0;   // loop counter
        $bear05 = (ord($bear02[1]) << 8) + ord($bear02[2]);   // first 16-bit flag word
        $bear06 = 3;   // input position
        $bear07 = 0;   // output position
        $bear08 = 16;  // flag bits left in $bear05
        $bear09 = "";  // output buffer
        $bear10 = strlen($bear02);
        $bear11 = __FILE__;
        $bear11 = file_get_contents($bear11);   // the stub reads its own source file
        $bear12 = 0;
        preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $bear11, $bear12); // pattern: /(print|sprint|echo)/
        for (; $bear06 < $bear10;)
        {
            if (count($bear12)) exit;   // tamper check: quit if the file contains print, sprint or echo
            if ($bear08 == 0)
            {
                // all 16 flag bits used: load the next flag word
                $bear05 = (ord($bear02[$bear06++]) << 8);
                $bear05 += ord($bear02[$bear06++]);
                $bear08 = 16;
            }
            if ($bear05 & 0x8000)
            {
                // flag bit set: 12-bit offset follows
                $bear01 = (ord($bear02[$bear06++]) << 4);
                $bear01 += (ord($bear02[$bear06]) >> 4);
                if ($bear01)
                {
                    // back-reference: copy 3..18 bytes from earlier output
                    $bear03 = (ord($bear02[$bear06++]) & 0x0F) + 3;
                    for ($bear04 = 0; $bear04 < $bear03; $bear04++)
                        $bear09[$bear07+$bear04] = $bear09[$bear07-$bear01+$bear04];
                    $bear07 += $bear03;
                }
                else
                {
                    // offset 0: a run of one repeated byte
                    $bear03 = (ord($bear02[$bear06++]) << 8);
                    $bear03 += ord($bear02[$bear06++]) + 16;
                    for ($bear04 = 0; $bear04 < $bear03; $bear09[$bear07+$bear04++] = $bear02[$bear06]);
                    $bear06++; $bear07 += $bear03;
                }
            }
            else
                $bear09[$bear07++] = $bear02[$bear06++];   // flag bit clear: literal byte
            $bear05 <<= 1;
            $bear08--;
            if ($bear06 == $bear10)
            {
                // input consumed: wrap the result so eval() treats it as a PHP file body
                $bear11 = implode("", $bear09);
                $bear11 = "?".">".$bear11."<"."?";
                return $bear11;
            }
        }
    }
}
eval(bear01("a large blob that looks like base64_encode output")); ?>
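In this code, the line
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $bear11, $bear12);
really stands out. Decoded, the pattern is
/(print|sprint|echo)/
Ha, echo is right there in it. The function reads its own file and exits if this pattern matches, which is why swapping eval for echo produced a blank page. Take
/(print|sprint)/
run it through base64_encode and substitute the result, then replace eval with echo to print the output, and the hidden code finally sees the light of day.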
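Put simply, it takes just three steps:
Step 1: search for preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv") and replace it with preg_match(base64_decode("LyhwcmludHxzcHJpbnQpLw==").
Step 2: in the eval(T7FC56270E7A70FA81A5935B72EACBE29 string below it, replace eval with echo or print.
Step 3: view the page source (right-click, View Source) to see the PHP code.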
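An added example, not part of the original post: a Python port of the bear01() routine above, which recovers the hidden payload statically, without executing the obfuscated file or editing its print/echo tamper check. The name decode_payload and the SAMPLE blob are constructed for illustration; on a real file, pass the base64 string given to eval(...), and note that the stub additionally wraps the result in "?>" ... "<?".

```python
import base64

def decode_payload(b64_blob: str) -> bytes:
    """Static port of bear01(): expand the stream without executing the PHP."""
    data = base64.b64decode(b64_blob)
    out = bytearray()
    try:
        flags = (data[1] << 8) | data[2]      # first flag word; byte 0 is never read
        pos, bits = 3, 16
        while pos < len(data):
            if bits == 0:                      # reload 16 flag bits
                flags = (data[pos] << 8) | data[pos + 1]
                pos, bits = pos + 2, 16
            if flags & 0x8000:
                offset = (data[pos] << 4) | (data[pos + 1] >> 4)   # 12-bit distance
                pos += 1
                if offset:                     # back-reference, 3..18 bytes
                    length = (data[pos] & 0x0F) + 3
                    pos += 1
                    for _ in range(length):    # byte-wise so overlapping copies work
                        out.append(out[-offset])
                else:                          # offset 0 marks a run of one byte
                    length = (data[pos] << 8) + data[pos + 1] + 16
                    out += bytes([data[pos + 2]]) * length
                    pos += 3
            else:                              # flag bit clear: literal byte
                out.append(data[pos])
                pos += 1
            flags = (flags << 1) & 0xFFFF
            bits -= 1
    except IndexError:
        raise ValueError("truncated or corrupt stream") from None
    return bytes(out)

# Constructed sample (not from a real file): 3 literals, one back-reference,
# one 20-byte run, one literal.
SAMPLE = base64.b64encode(bytes.fromhex("0018006162630033000004213b")).decode()

if __name__ == "__main__":
    print(decode_payload(SAMPLE))
```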