Brainlessly cracking phpjm encryption

陈尼玛的博客 (陈尼玛's blog)
Recording the pitfalls of a development career, letting time verify the growth

The phpjm.net encryption works by wrapping the PHP source in a few layers of string-manipulation shells, so that it looks as if it had been encrypted. This kind of encryption is of no real use, because in the end the code has to be decrypted and executed through the eval entry point, so adding a hook to the zend_prepare_string_for_scanning function in the Zend engine is enough to dump the original code.

To verify this claim I took an echo demo from the PHP website; the original code is as follows:

<?php
echo "Hello World";

echo "This spans
multiple lines. The newlines will be
output as well";

echo "This spans\nmultiple lines. The newlines will be\noutput as well.";

echo "Escaping characters is done \"Like this\".";

// You can use variables inside of an echo statement
$foo = "foobar";
$bar = "barbaz";

echo "foo is $foo"; // foo is foobar

// You can also use arrays
$baz = array("value" => "foo");

echo "this is {$baz['value']} !"; // this is foo !

// Using single quotes will print the variable name, not the value
echo 'foo is $foo'; // foo is $foo

// If you are not using any other characters, you can just echo variables
echo $foo;          // foobar
echo $foo,$bar;     // foobarbarbaz

// Strings can either be passed individually as multiple arguments or
// concatenated together and passed as a single argument
echo 'This ', 'string ', 'was ', 'made ', 'with multiple parameters.', chr(10);
echo 'This ' . 'string ' . 'was ' . 'made ' . 'with concatenation.' . "\n";

echo <<<END
This uses the "here document" syntax to output
multiple lines with $variable interpolation. Note
that the here document terminator must appear on a
line with just a semicolon. no extra whitespace!
END;

// Because echo does not behave like a function, the following code is invalid.
($some_var) ? echo 'true' : echo 'false';

// However, the following examples will work:
($some_var) ? print 'true' : print 'false'; // print is also a construct, but
                                            // it behaves like a function, so
                                            // it may be used in this context.
echo $some_var ? 'true': 'false'; // changing the statement around
?>

Encrypting it with phpjm produces a garbled file. Although each encryption run actually gives a different result, that variation is not obfuscation of the original variables, only obfuscation of the shell wrapped around the encrypted code.
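The principle above (string-transform shells must hand plaintext to eval) can also be applied statically for the simplest shells, without building a patched interpreter. The following is an added example, not code from the original post and not phpjm's real shell format: it repeatedly matches `eval(<wrapper>(<wrapper>('<literal>')))`, undoes the wrappers in Python, and stops with a clear status when a layer passes a variable to eval (the case seen later on this page with phpjiami), where only the runtime hook helps. The `pack` helper builds a constructed three-layer sample so the peeler has something to run on; the wrapper names it understands are the common PHP functions `base64_decode`, `str_rot13`, `strrev`, `gzinflate` and `gzuncompress`.

```python
"""Static layer-peeler for eval()-based PHP packers (added example)."""
import base64
import codecs
import re
import zlib


def _rot13(data: bytes) -> bytes:
    # str_rot13 only touches ASCII letters, so a latin-1 round trip is byte-safe.
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


# Inverse of each PHP wrapper function a shell may stack around the literal.
DECODERS = {
    "base64_decode": lambda d: base64.b64decode(d),
    "str_rot13": _rot13,
    "strrev": lambda d: d[::-1],
    "gzinflate": lambda d: zlib.decompress(d, -zlib.MAX_WBITS),  # raw DEFLATE
    "gzuncompress": zlib.decompress,                              # zlib-wrapped
}

# One shell layer: optional "<?php", optional "@", eval( f1( f2( 'literal' ) ) ); optional "?>"
_LITERAL_LAYER = re.compile(
    r"^\s*(?:<\?php)?\s*@?eval\s*\(\s*(?P<chain>(?:\w+\s*\(\s*)+)"
    r"(?P<q>['\"])(?P<lit>[^'\"]*)(?P=q)\s*(?P<close>(?:\)\s*)+);?\s*(?:\?>)?\s*$",
    re.DOTALL,
)
# eval() whose payload comes from a variable ($name, including non-ASCII names).
_VARIABLE_LAYER = re.compile(r"\beval\s*\(\s*[\w\s(@]*\$")


def peel_once(src: str):
    """Undo one literal layer. Returns (inner_source, wrapper_names) or None."""
    m = _LITERAL_LAYER.match(src)
    if m is None:
        return None
    names = re.findall(r"\w+", m.group("chain"))
    if m.group("close").count(")") != len(names) + 1:
        return None                      # unbalanced, not the shape we expect
    unknown = [n for n in names if n not in DECODERS]
    if unknown:
        raise ValueError("unsupported wrapper(s): %s" % ", ".join(unknown))
    data = m.group("lit").encode("latin-1")
    for name in reversed(names):         # PHP applies the innermost call first
        data = DECODERS[name](data)
    return data.decode("latin-1"), names


def peel(src: str, max_layers: int = 32):
    """Peel literal layers until plain code or an opaque layer is reached.

    Returns (source, layers, status): `layers` lists the wrapper chain removed
    at each step; `status` is "plaintext", "variable-argument eval: needs
    runtime hook" or "unrecognised eval shell".
    """
    layers = []
    for _ in range(max_layers):
        step = peel_once(src)
        if step is None:
            break
        src, names = step
        layers.append(names)
    if _VARIABLE_LAYER.search(src):
        status = "variable-argument eval: needs runtime hook"
    elif re.search(r"\beval\s*\(", src):
        status = "unrecognised eval shell"
    else:
        status = "plaintext"
    # latin-1 was only a byte-preserving transport; present the result as UTF-8.
    return src.encode("latin-1").decode("utf-8", errors="replace"), layers, status


def pack(plaintext: str) -> str:
    """Constructed three-layer sample shell (base64 / rot13+base64 / gzinflate+base64).

    Imitates the general shape of such shells for the demo only; it is not
    phpjm's or phpjiami's actual output.
    """
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    raw = deflater.compress(plaintext.encode("utf-8")) + deflater.flush()
    inner = "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode()
    mid_lit = codecs.encode(base64.b64encode(inner.encode()).decode(), "rot13")
    mid = "eval(base64_decode(str_rot13('%s')));" % mid_lit
    outer = base64.b64encode(mid.encode()).decode()
    return "<?php @eval(base64_decode('%s'));" % outer


if __name__ == "__main__":
    sample = pack("<?php\necho 'Hello World';\n")
    text, layers, status = peel(sample)
    print(status, layers)
    print(text)
    print(peel("<?php eval(base64_decode($payload));")[2])
```

Run with `python3 peel.py`: the constructed sample comes back as the original echo script after three layers, while the variable-argument sample is reported as needing the runtime hook, which is exactly the situation the Zend patch below is for.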

<a href='/uploadfile/imgs/phpjm1.png' target='_blank'><img src='/uploadfile/imgs/phpjm1.png' style='max-width:100%;' /></a>

The cracking procedure is simple: open zend_language_scanner.c in the PHP source, locate the zend_prepare_string_for_scanning function, and add three statements that print the result:

ZEND_API int zend_prepare_string_for_scanning(zval *str, char *filename TSRMLS_DC)
{

  php_printf("%s\n", filename);            // print the file name; for eval'd code it also shows which function the call came from
  php_printf("%s\n", Z_STRVAL_P(str));     // print the code about to be executed (passed as an argument, never as the format string)
  php_printf("---------------------\n\n"); // separate the output of each call

...
rest omitted

Build this PHP, then run the encrypted file directly with the php command line, and the complete original code can be found in the output.

<a href='/uploadfile/imgs/phpjm2.png' target='_blank'><img src='/uploadfile/imgs/phpjm2.png' style='max-width:100%;' /></a>


<font color='#f00'>In short, any encryption that is not done at the kernel level is nonsense.</font>

--- 2016/10/19 update ---

While modifying the 外卖人 (Waimairen) back-end code today, I found that Mysite.php had been encrypted with http://www.phpjiami.com, but annoyingly the previous method could not decrypt and run it; my guess was that the compile flags were the problem. So I simply rebuilt a PHP 5.3 environment for decryption.

The same spot is modified:

ZEND_API int zend_prepare_string_for_scanning(zval *str, char *filename TSRMLS_DC)
{
    /* enforce two trailing NULLs for flex... */
    str->value.str.val = safe_erealloc(str->value.str.val, 1, str->value.str.len, ZEND_MMAP_AHEAD);

    memset(str->value.str.val + str->value.str.len, 0, ZEND_MMAP_AHEAD);

    // dump what eval() received (no newline after the file name, so it is fused with the code in the output)
    php_printf("%s", filename);
    php_printf("%s", str->value.str.val);
    php_printf("------\r\n");

PHP version 5.3.29, built with the following configure flags:

./configure --prefix=/usr/local/php --with-config-file-path=/usr/local/php/etc --enable-fpm --with-fpm-user=www --with-fpm-group=www --with-mysql=mysqlnd --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-iconv-dir --with-freetype-dir=/usr/local/freetype --with-jpeg-dir --with-png-dir --with-zlib --with-libxml-dir=/usr --enable-xml --disable-rpath --enable-magic-quotes --enable-safe-mode --enable-bcmath --enable-shmop --enable-sysvsem --enable-inline-optimization --with-curl=/usr/local/curl --enable-mbregex --enable-mbstring --with-mcrypt --enable-ftp --with-gd --enable-gd-native-ttf --with-openssl --with-mhash --enable-pcntl --enable-sockets --with-xmlrpc --enable-zip --enable-soap --with-gettext --disable-fileinfo

<font color=red>If make fails, edit the Makefile and append -liconv to the end of the EXTRA_LIBS variable.</font>

Then make && make install.

That finally yields an environment that can decrypt and run the file.

Decrypting and running it gives the following output:


/home/wwwroot/default/Mysite.php(1) : eval()'d codeif(strpos(__FILE__, dnimoiyv) !== 0){$exitfunc();}------
/home/wwwroot/default/Mysite.php(1) : eval()'d codeeval(base64_decode($�笠����));------
/home/wwwroot/default/Mysite.php(1) : eval()'d code(1) : eval()'d code?><?php @eval("//Encode by  phpjiami.com,Free user."); ?><?php

define('MYSITE_PATH',dirname(__file__).DIRECTORY_SEPARATOR);

class Mysite
{ 
    public static $app; 
    public static $_classes = array('controllers'=>'controllers.*');
    public static $_otherclass = array('class'=>'class.*');

    public static function createApp($className, $config)
    {
        $app = new $className($config);
        return $app;
    }


    public static function createWebApp($config = null)
    {
        self::$app = self::createApp('myapp',$config);
        return self::$app;
    } 

    public static function autoload($className)
    { 
        if(isset(self::$_coreClasses[$className]))
        {
            include(MYSITE_PATH.self::$_coreClasses[$className]); 
        }else if(isset(self::$_classes))
        {
            /*
            foreach(self::$_classes as $classPath)
            {
                $filePath = hopedir.strtr(strtolower(trim($classPath,'*')),'.','/').strtolower( $className ) .'.php';
                if(is_file($filePath))
                {
                    include($filePath);
                    return true;
                }
            }*/
            foreach(self::$_otherclass as $classPath)
            {
                $filePath = hopedir.strtr(strtolower(trim($classPath,'*')),'.','/').strtolower( $className ) .'.php';
                if(is_file($filePath))
                {
                    include($filePath);
                    return true;
                }
            }
        }
        return true;
    }


    public static function setClasses($classes)
    {
        if(is_string($classes)) self::$_classes += array($classes);
        if(is_array($classes))  self::$_classes += $classes;
    }
    // registration info for all core class files
    public static $_coreClasses = array(
        'myapp' => 'application_class.php',
        'IUrl'=> 'urlmanager_class.php',
        'IReq'=>'req_class.php', 
        'mysql_class'=>'extend/mysql_class.php',
        'page'=>'extend/page.php', 
        'phpmailer'=>'extend/class.phpmailer.php',
        'SMTP'=>'extend/class.smtp.php',
        'config'=>'extend/Config.php',
        'ICookie'=>'extend/cookie_class.php',
        'ICrypt'=>'extend/crypt_class.php',
        'IFile'=>'extend/IFile.php',
        'IValidate'=>'extend/IValidate.php',
        'IReq'=>'extend/req_class.php',
        'Services_JSON'=>'extend/Services_JSON.php',
        'ISmtp'=>'extend/smtp_class.php',
        'upload'=>'extend/upload.php',
        'IString'=>'extend/string_class.php',
        'ISession'=>'extend/session_class.php',
        'JSON'=>'extend/json_class.php',
        'IFilter'=>'extend/filter_class.php',
        'IClient'=>'extend/client_class.php',
        'Captcha'=>'extend/captcha_class.php' 
     );
}

function __autoload($className)
{
    Mysite::autoload($className); 
}
 ------
/home/wwwroot/default/Mysite.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code//Encode by  phpjiami.com,Free user.------
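The dump above is a stream of records, one per eval() call the patched interpreter compiled: the file name (with one `(N) : eval()'d code` suffix per level of eval nesting), then the code string with no newline in between, then a `------` separator. Turning that stream into the recovered source by hand is tedious, so here is an added example, not code from the original post, that parses it. The sample dump is constructed for the demo in the shape of the page's output; the path, variable names and code in it are placeholders, not values taken from the page.

```python
"""Split the patched interpreter's dump into eval() layers and recover the source (added example)."""
import re
from dataclasses import dataclass

# One eval() frame marker, as PHP renders __FILE__ for eval'd code.
_FRAME = r"\(\d+\) : eval\(\)'d code"
_RECORD = re.compile(r"^(?P<file>.*?)(?P<frames>(?:%s)+)(?P<code>.*)$" % _FRAME, re.DOTALL)
_SEPARATOR = re.compile(r"------\r?\n")


@dataclass
class Layer:
    file: str
    depth: int   # number of nested eval() frames
    code: str    # the string that eval() was about to compile


def parse_dump(dump: str):
    """Return the hook's records in the order the interpreter emitted them."""
    layers = []
    for record in _SEPARATOR.split(dump):
        if not record.strip():
            continue                      # empty chunk after the final separator
        m = _RECORD.match(record)
        if m is None:
            continue                      # not a hook record (e.g. the script's own output)
        depth = len(re.findall(_FRAME, m.group("frames")))
        layers.append(Layer(m.group("file"), depth, m.group("code")))
    return layers


def recover(dump: str) -> str:
    """Pick the record most likely to be the real program.

    The deepest record is not always it: on the page the final, deepest eval()
    is a one-line banner comment executed by the recovered code itself. Shell
    layers and such banners are tiny, so the largest record is the unpacked
    program.
    """
    layers = parse_dump(dump)
    if not layers:
        raise ValueError("no hook records found in dump")
    return max(layers, key=lambda layer: len(layer.code)).code


# Constructed sample in the shape of the page's dump (placeholder path and code).
SAMPLE_DUMP = (
    "/path/to/encoded.php(1) : eval()'d code"
    "if(strpos(__FILE__, somename) !== 0){$exitfunc();}------\r\n"
    "/path/to/encoded.php(1) : eval()'d code"
    "eval(base64_decode($payload));------\r\n"
    "/path/to/encoded.php(1) : eval()'d code(1) : eval()'d code"
    "?><?php @eval(\"//banner\"); ?><?php\n"
    "define('APP_PATH', dirname(__FILE__));\n"
    "class App { public static function run() { return 'ok'; } }\n"
    "------\r\n"
    "/path/to/encoded.php(1) : eval()'d code(1) : eval()'d code(1) : eval()'d code"
    "//banner------\r\n"
)


if __name__ == "__main__":
    for layer in parse_dump(SAMPLE_DUMP):
        print("depth %d, %d bytes of code" % (layer.depth, len(layer.code)))
    print(recover(SAMPLE_DUMP))
```

Feed it the captured stdout of the patched php binary (`php encoded.php > dump.txt`, then `parse_dump(open("dump.txt").read())`); the record list shows the anti-rename check layer, the variable-based eval layer and the unpacked program in order, and `recover` writes out the program even though it is not the deepest frame.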
