php !function_exists("T7FC56270E7A70FA81A5935B72EACBE29"))代码解密直接将eval替换成echo,结果页面为空白!真郁闷,这招可是百发百中的...
php !function_exists("T7FC56270E7A70FA81A5935B72EACBE29"))代码解密 直接将eval替换成echo,结果页面为空白!真郁闷,这招可是百发百中的啊,今天遇到了高人写的代码。。。
慢慢替换,将长变量替换成短的,增强代码可读性。
复制代码 代码如下:
-
< ?php
-
if (!function_exists("bear01″))
-
{
-
function bear01($bear02)
-
{
-
$bear02 = base64_decode($bear02);
-
$bear01 = 0;
-
$bear03 = 0;
-
$bear04 = 0;
-
$bear05 = (ord($bear02[1]) < < 8) + ord($bear02[2]);
-
$bear06 = 3;
-
$bear07 = 0;
-
$bear08 = 16;
-
$bear09 = "";
-
$bear10 = strlen($bear02);
-
$bear11 = __FILE__;
-
$bear11 = file_get_contents($bear11);
-
$bear12 = 0;
-
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $bear11, $bear12); ///(print|sprint|echo)/
-
for (;$bear06< $bear10;)
-
{
-
if (count($bear12)) exit;
-
if ($bear08 == 0)
-
{
-
$bear05 = (ord($bear02[$bear06++]) < < 8);
-
$bear05 += ord($bear02[$bear06++]);
-
$bear08 = 16;
-
}
-
if ($bear05 & 0×8000)
-
{
-
$bear01 = (ord($bear02[$bear06++]) < < 4);
-
$bear01 += (ord($bear02[$bear06]) >> 4);
-
if ($bear01)
-
{
-
$bear03 = (ord($bear02[$bear06++]) & 0x0F) + 3;
-
for ($bear04 = 0; $bear04 < $bear03; $bear04++)
-
$bear09[$bear07+$bear04] = $bear09[$bear07-$bear01+$bear04];
-
$bear07 += $bear03;
-
}
-
else
-
{
-
$bear03 = (ord($bear02[$bear06++]) < < 8);
-
$bear03 += ord($bear02[$bear06++]) + 16;
-
for ($bear04 = 0; $bear04 < $bear03; $bear09[$bear07+$bear04++] = $bear02[$bear06]);
-
$bear06++; $bear07 += $bear03;
-
}
-
}
-
else
-
$bear09[$bear07++] = $bear02[$bear06++];
-
$bear05 < <= 1;
-
$bear08–;
-
if ($bear06 == $bear10)
-
{
-
$bear11 = implode("", $bear09);
-
$bear11 = "?".">".$bear11."< "."?";
-
return $bear11;
-
}
-
}
-
}
-
}
复制代码
eval(bear01("一大堆貌似base64_encode后的代码")); ?>
其中
preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv"), $bear11, $bear12);
显得格外扎眼 ,decode出来就是
/(print|sprint|echo)/
哈哈,echo就在里面,将
/(print|sprint)/
base64_encode一下然后替换,eval替换成echo输出,被隐藏的代码终于重见天日。
其实简单的就是分三步即可:
第一步:搜索preg_match(base64_decode("LyhwcmludHxzcHJpbnR8ZWNobykv")替换为:preg_match(base64_decode("LyhwcmludHxzcHJpbnQpLw==")即可
第二步:将eval(T7FC56270E7A70FA81A5935B72EACBE29字符串中的下面的eval替换为echo或print即可
第三步:然后查看源文件即可看到php代码(右键-查看源文件)。
收藏
