MENU

破解php神盾,phpjm的解密程序

April 14, 2014 • 技术随笔

之前一直想写个解密php神盾的脚本,一直没有时间,今天又在服务器发现一段php神盾加密的程序,然后Google到了解密代码,我也就不再重复造轮子了。


首先是破解phpjm.net加密的:

<?php
$file = 'common.inc.php';

$fp = fopen($file, 'r');
$str = fread($fp, filesize($file));
fclose($fp);
$code = strdecode($str);

//变量和函数
$vals = $funs = array();

$code = fmt_code($code);


//echo $code;exit;

preg_match('/function [a-z]+\(&\\$(.*?)\)\{(.*)return "[0-9a-zA-Z]{1}";\}/iesU', $code, $res);
$fun = str_replace($res[2],'$'.$res[1].'[email protected](base64_decode($'.$res[1].'));',$res[0]);
$code = str_replace($res[0], $fun, $code);

preg_match('/\."\(@\\$(.*?)\(\\$/iesU', $code, $res);

$str = str_replace('$'.$res[1].'(', 'file_put_contents(\'detmp2.php\',', $res[0]);
$code = str_replace($res[0], $str, $code);

$code = destr($code);
file_put_contents('detmp.php', $code);
include('detmp.php');

$fp = fopen('detmp2.php', 'r');
$str = fread($fp, filesize('detmp2.php'));
fclose($fp);

unlink('detmp2.php');
unlink('detmp.php');

$decode = gzuncompress($str);
$decode = preg_replace('/^;\?>/', '', $decode);
$decode = preg_replace('/<\?php unset\((.*?)\?>$/', '', $decode);

file_put_contents($file.'.de.php' ,$decode);
print_r($decode);

////////////
function val_replace($code, $val, $deval){
    $code = str_replace('$'.$val.',', '$'.$deval.',', $code);
    $code = str_replace('$'.$val.';', '$'.$deval.';', $code);
    $code = str_replace('$'.$val.'=', '$'.$deval.'=', $code);
    $code = str_replace('$'.$val.'(', '$'.$deval.'(', $code);
    $code = str_replace('$'.$val.')', '$'.$deval.')', $code);
    $code = str_replace('$'.$val.'.', '$'.$deval.'.', $code);
    $code = str_replace('$'.$val.'/', '$'.$deval.'/', $code);
    $code = str_replace('$'.$val.'>', '$'.$deval.'>', $code);
    $code = str_replace('$'.$val.'<', '$'.$deval.'<', $code);
    $code = str_replace('$'.$val.'^', '$'.$deval.'^', $code);
    $code = str_replace('$'.$val.'||', '$'.$deval.'||', $code);
    $code = str_replace('($'.$val.' ', '($'.$deval.' ', $code);
    return $code;
}

function fmt_code($code){
    global $vals,$funs;
    preg_match_all("/\\$[0-9a-zA-Z\[\]]+(,|;)/iesU", $code, $res);
    foreach($res[0] as $v){
        $val = str_replace(array('$',',',';'), '', $v);
        $deval = destr($val, 1);
        $vals[$val] = $deval;
        $code = val_replace($code, $val, $deval);
    }

    preg_match_all("/\\$[0-9a-zA-Z\[\]]+=/iesU", $code, $res);
    foreach($res[0] as $v){
        $val = str_replace(array('$','='), '', $v);
        $deval = destr($val, 1);
        $vals[$val] = $deval;
        $code = val_replace($code, $val, $deval);
    }

    preg_match_all("/function\s[0-9a-zA-Z\[\]]+\(/iesU", $code, $res);
    foreach($res[0] as $v){
        $val = str_replace(array('function ','('), '', $v);
        $deval = destr($val, 1);
        $funs[$val] = $deval;
        $code = str_replace('function '.$val.'(', 'function '.$deval.'(', $code);
        $code = str_replace('='.$val.'(', '='.$deval.'(', $code);
        $code = str_replace('return '.$val.'(', 'return '.$deval.'(', $code);
    }
    return $code;
}

php神盾解密:

<?php
//解密 PHP神盾

$file = 'Code2.php';

$fp = fopen($file, 'r');
$str = fread($fp, filesize($file));
fclose($fp);

$code = strdecode($str);

//for func de1
preg_match("/;(.*)\]='(.*?)';for\(/e", $code, $res);
$c1 = $res[2];

//for func de1
preg_match("/;(.*)=(.*)\('(.*)'\);(.*);(.*)$/e", $res[1], $rs);
$c2 = $rs[3];

//for func de2
preg_match("/'\(@(.*?)\(\\\'(.*?)\\\'\)\)/e", $code, $res);
$c3 = $res[2];

preg_match("/'\.(.*?)\.'/e", $c3, $r);
preg_match("/\('(.*?)','/e", $r[1], $r2);
$c4 = $r2[1];
$c4 = base64_decode(de1(destr($c4), 1));
$c3 = str_replace($r[0], $c4, $c3);

$funstr = gzuncompress(base64_decode($c3)).base64_decode($c1);
preg_match("/if(.*),'(.*?)'\)\)/e", $funstr, $res);
$c5 = $res[2];

//find main code
preg_match("/'\(@(.*)\(\\\'(.*?)\\\'\.\(/e", $code, $res);
$c = $res[2];
preg_match("/'\.(.*?)\.'/e", $c, $r);
preg_match("/\('(.*?)','/e", $r[1], $r2);
$c6 = base64_decode(de1(destr($r2[1]), 1));
$c = str_replace($r[0], $c6, $c);

//find $de2
preg_match("/\"\.\((.*)='(.*?)'\)\);/e", $code, $res);
$de2 = destr($res[2]);
$x = ($de2.=de2($de2));
$c .= $x;
$decode = gzuncompress(base64_decode($c));

$str = explode('<!--<?php endif;?>', $decode);
$str = explode('?><?php $GLOBALS', $str[1]);
$decode = $str[0].'?>';

echo $decode;

file_put_contents($file.'.de.php' ,$decode);

//////////////////////////////

function de1($de1,$str2=''){
    global $c1,$c2;
    if(!$str2)return(base64_decode(destr($de1)));
    $s9=de1($c2);
    for($i=0;$i<strlen($de1);$i++)
        $s9.=ord($de1{$i})<245?((ord($de1{$i})>140&&ord($de1{$i})<245)?chr(ord($de1{$i})/2):$de1{$i}):"";
    return(base64_decode($s9));
}

function de2(&$de2){
    global $c5;
    if(strstr($de2,$c5)){
        $de2=str_replace($c5,'',$de2);
        $de2=gzuncompress($de2);
    }
    if(strstr($de2,$c5)){
        $de2=str_replace($c5,'',$de2);
        de2($de2);
    }
    
}

/////////////////////////////

function strdecode($str){
    $len = strlen($str);
    $newstr = '';
    for($i=0; $i<$len; $i++){
        $n = ord($str[$i]);
        $newstr .= decode($n);
    }
    return $newstr;
}

function decode($dec){
    if(($dec > 126 || $dec<32)){
        return '['.$dec.']';
    }else{
        return chr($dec);
    }
}

function destr($str){
    $k = 0;
    $num = '';
    $n = strlen($str);
    $code = '';
    for($i=0; $i<$n; $i++){
        if($str[$i] == '['){
            $k = 1;
        }elseif($str[$i] == ']'){
            $num = intval($num);
            $code .= chr($num);
            $k = 0;
            $num = null;
        }else{
            if($k == 1){
                $num .= $str[$i];
            }else{
                $code .= $str[$i];
            }
        }
    }
    return $code;
}
?>
Archives QR Code
QR Code for this page
Tipping QR Code