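PHP decryption: sharing the core PHP 5.4 Zend decoding code
This post was last edited by willydong on 2018-11-9 12:58.
This code comes from the well-known G-DeZender software (search Baidu for details; batch PHP decryption), version 1.0.1.0. Its core is the PHP decryption class \lib\bin3\Decompiler.class.php
But that file was itself encrypted. I took a look: it is obfuscation-style encryption, so we simply decrypt it.
For details see: PHP decryption: phpjm obfuscation encryption
https://www.52pojie.cn/thread-794057-1-1.html
After analysis, its core decryption approach is: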
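// Read the whole obfuscated file
$fileData = @file_get_contents($myfile);
// The last 4 bytes hold a signed 32-bit integer; unpack() returns a 1-indexed array
$headlen = @unpack('l', substr($fileData, -4));
$startData = $headlen[1];
// Slice out the payload, then undo the layers: myfunc -> gzuncompress -> str_rot13
$data = str_rot13(@gzuncompress(myfunc(substr($fileData, $startData, -48))));
/* Core idea
The last 4 bytes of the file determine how long the file header is; the data is then taken from that offset up to the position 48 bytes before the end.
The real file contents are then obtained with str_rot13(@gzuncompress(myfunc('encrypted content')))
*/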
We then get the final Zend 5.4 decryption class, as follows:
<?php
////////////////////////////////////////////////////////////
//Fix for lost ISSET / EMPTY!
//XCACHE DECOMPILER
////////////////////////////////////////////////////////////
//How to work with this CLASS:
//cmd line>php phpdc.phpr file.php>file.txt
////////////////////////////////////////////////////////////
define('INDENT', "\t");
ini_set('error_reporting', E_ALL);
$_CURRENT_FILE = NULL;
function color($str, $color = 33) {
	return "\x1B[{$color}m$str\x1B[0m";
}
function str($code, $indent = '') // {{{
{
	if (is_array($code)) {
		$array = array();
		foreach ($code as $key => $value) {
			$array[$key] = str($value, $indent);
		}
		return $array;
	}
	if (is_object($code)) {
		$code = foldToCode($code, $indent);
		return $code->toCode($indent);
	}
	return (string) $code;
}
// }}}
function foldToCode($src, $indent = '') // {{{ wrap or rewrap anything to Decompiler_Code
{
	if (is_array($indent)) {
		$indent = $indent['indent'];
	}
	if (!is_object($src)) {
		return new Decompiler_Code($src);
	}
	if (!method_exists($src, 'toCode')) {
		var_dump($src);
		exit('no toCode');
	}
	if (get_class($src) != 'Decompiler_Code') {
		// rewrap it
		$src = new Decompiler_Code($src->toCode($indent));
	}
	return $src;
}
// }}}
function value($value, $noescape = false) // {{{
{
	$spec = xcache_get_special_value($value);
	if (isset($spec)) {
		$value = $spec;
		if (!is_array($value)) {
			// constant
			return $value;
		}
	}
	if (is_a($value, 'Decompiler_Object')) {
		// use as is
	}
	else {
		if (is_array($value)) {
			$value = new Decompiler_ConstArray($value);
		}
		else {
			$value = new Decompiler_Value($value, $noescape);
		}
	}
	return $value;
}
(Too long; part of the content is omitted here.)
define('ZEND_EVAL', (1 << 0));
define('ZEND_INCLUDE', (1 << 1));
define('ZEND_INCLUDE_ONCE', (1 << 2));
define('ZEND_REQUIRE', (1 << 3));
define('ZEND_REQUIRE_ONCE', (1 << 4));
/*
define('ZEND_ISSET', (1 << 0));
define('ZEND_ISEMPTY', (1 << 1));
define('ZEND_QUICK_SET',(1<<2));
define('ZEND_ISSET_ISEMPTY_MASK',(ZEND_ISSET | ZEND_ISEMPTY));
*/
if (ZEND_ENGINE_2_4) {
	define('ZEND_ISSET', 0x02000000);
	define('ZEND_ISEMPTY', 0x01000000);
	define('ZEND_ISSET_ISEMPTY_MASK', (ZEND_ISSET | ZEND_ISEMPTY));
	define('ZEND_QUICK_SET', 0x00800000);
} else {
	define('ZEND_ISSET', (1 << 0));
	define('ZEND_ISEMPTY', (1 << 1));
	define('ZEND_ISSET_ISEMPTY_MASK', (ZEND_ISSET | ZEND_ISEMPTY));
}
if (ZEND_ENGINE_2_4) {
	define('EXT_TYPE_UNUSED', (1 << 5));
}
else {
	define('EXT_TYPE_UNUSED', (1 << 0));
}
define('ZEND_FETCH_STANDARD', 0);
define('ZEND_FETCH_ADD_LOCK', (ZEND_ENGINE_2_3 || ZEND_ENGINE_2_4 ? 0x08000000 : 1));
define('ZEND_FETCH_MAKE_REF', 0x04000000);
define('ZEND_FE_FETCH_BYREF', 1);
define('ZEND_FE_FETCH_WITH_KEY', 2);
define('ZEND_FE_RESET_REFERENCE', 2);
define('ZEND_MEMBER_FUNC_CALL', (1 << 0));
define('ZEND_CTOR_CALL', (1 << 1));
define('ZEND_ARG_SEND_BY_REF', (1 << 0));
define('ZEND_ARG_COMPILE_TIME_BOUND', (1 << 1));
define('ZEND_ARG_SEND_FUNCTION', (1 << 2));
define('BYREF_NONE', 0);
define('BYREF_FORCE', 1);
define('BYREF_ALLOW', 2);
define('BYREF_FORCE_REST', 3);
define('IS_NULL', 0);
define('IS_LONG', 1);
define('IS_DOUBLE', 2);
define('IS_BOOL', (ZEND_ENGINE_2 ? 3 : 6));
define('IS_ARRAY', 4);
define('IS_OBJECT', 5);
define('IS_STRING', (ZEND_ENGINE_2 ? 6 : 3));
define('IS_RESOURCE', 7);
define('IS_CONSTANT', 8);
define('IS_CONSTANT_ARRAY', 9);
/* Ugly hack to support constants as static array indices */
define('IS_CONSTANT_TYPE_MASK', 0x0f);
define('IS_CONSTANT_UNQUALIFIED', 0x10);
define('IS_CONSTANT_INDEX', 0x80);
define('IS_LEXICAL_VAR', 0x20);
define('IS_LEXICAL_REF', 0x40);
@define('XC_IS_CV', 16);
/*
if (preg_match_all('!XC_+!', file_get_contents(__FILE__), $ms)) {
	$verdiff = array();
	foreach ($ms as $k) {
		if (!defined($k)) {
			$verdiff[$k] = -1;
			define($k, -1);
		}
	}
	var_export($verdiff);
}
/*/
foreach (array(
	'XC_HANDLE_EXCEPTION' => -1,
	'XC_FETCH_CLASS' => -1,
	'XC_FETCH_' => -1,
	'XC_FETCH_DIM_' => -1,
	'XC_ASSIGN_DIM' => -1,
	'XC_UNSET_DIM' => -1,
	'XC_UNSET_OBJ' => -1,
	'XC_ASSIGN_OBJ' => -1,
	'XC_ISSET_ISEMPTY_DIM_OBJ' => -1,
	'XC_ISSET_ISEMPTY_PROP_OBJ' => -1,
	'XC_ISSET_ISEMPTY_VAR' => -1,
	'XC_INIT_STATIC_METHOD_CALL' => -1,
	'XC_INIT_METHOD_CALL' => -1,
	'XC_VERIFY_ABSTRACT_CLASS' => -1,
	'XC_DECLARE_CLASS' => -1,
	'XC_DECLARE_INHERITED_CLASS' => -1,
	'XC_DECLARE_INHERITED_CLASS_DELAYED' => -1,
	'XC_ADD_INTERFACE' => -1,
	'XC_POST_DEC_OBJ' => -1,
	'XC_POST_INC_OBJ' => -1,
	'XC_PRE_DEC_OBJ' => -1,
	'XC_PRE_INC_OBJ' => -1,
	'XC_UNSET_OBJ' => -1,
	'XC_JMP_NO_CTOR' => -1,
	'XC_FETCH_' => -1,
	'XC_FETCH_DIM_' => -1,
	'XC_UNSET_DIM_OBJ' => -1,
	'XC_ISSET_ISEMPTY' => -1,
	'XC_INIT_FCALL_BY_FUNC' => -1,
	'XC_DO_FCALL_BY_FUNC' => -1,
	'XC_DECLARE_FUNCTION_OR_CLASS' => -1,
	'XC_INIT_NS_FCALL_BY_NAME' => -1,
	'XC_GOTO' => -1,
	'XC_CATCH' => -1,
	'XC_THROW' => -1,
	'XC_INSTANCEOF' => -1,
	'XC_DECLARE_FUNCTION' => -1,
	'XC_RAISE_ABSTRACT_ERROR' => -1,
	'XC_DECLARE_CONST' => -1,
	'XC_USER_OPCODE' => -1,
	'XC_JMP_SET' => -1,
	'XC_RETURN_BY_REF' => -1,
	'XC_GENERATOR_RETURN' => -1,
	'XC_SEPARATE' => -1,
	'XC_DECLARE_LAMBDA_FUNCTION' => -1,
) as $k => $v) {
	if (!defined($k)) {
		define($k, $v);
	}
}
// }}}
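In addition, I looked into G-DeZender's exe file. It is written in Delphi; when unregistered, you have to click once for every file you crack, and batch decryption is not possible.
However, by modifying a single byte, changing the jump condition ja to jbe, the registration can be bypassed. Anyone interested can give it a try; it is much more convenient to use that way.
To get around this problem, someone online actually wrote a program, SeayDzend, that calls G-DeZender's method. It works quite well too, but it seems to have problems decrypting 5.2.
Finally, I still want to pay tribute to the authors of the two programs SeayDzend and G-DeZender; their efforts have made learning PHP more convenient.
After a reminder, I found that this decryption class comes from the xcache project on git, checked in by Xuefer <xuefer@…>, 5 years ago. The exact address: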
http://xcache.lighttpd.net/brows ... eebbbc02bbc231de141
The latest version of that project already supports PHP 5.1-5.6; I'll try it later.
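20140918
- XCache 3.2.0 released. Adds PHP_5_6 support. See the NEWS and ChangeLog files in the release package for details.
- XCache 3.1.2 released; identical to 3.1.1 apart from fixing the folder name.
20140902
- XCache 3.1.1 released, fixing issues. This version does not support PHP_5_6. See the NEWS and ChangeLog files in the release package for details.
20131010
- XCache 3.1.0 released. Adds PHP_5_5 support. See the NEWS and ChangeLog files in the release package for details.
- XCache 3.0.4 released. Improves stability. See the NEWS and ChangeLog files in the release package for details.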
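The container layout described in the post above (a 4-byte offset at the end of the file, a 48-byte trailer, then zlib and rot13 layers), written as a bounds-checked static unpacker that never executes the payload. This is an added example, not code from the post or from G-DeZender: `inner_decode` is a hypothetical stand-in for the post's unnamed `myfunc` (identity here), the little-endian byte order and the size cap are assumptions, and the sample file is constructed.

```python
import codecs
import struct
import zlib

TRAILER_LEN = 48               # bytes excluded at the end of the file, per the post
MAX_OUTPUT = 16 * 1024 * 1024  # decompression cap (assumption, guards against zip bombs)


class LayoutError(ValueError):
    """The file does not match the layout described in the post."""


def inner_decode(blob: bytes) -> bytes:
    # Hypothetical stand-in for the post's unnamed myfunc(); identity here.
    return blob


def rot13(data: bytes) -> bytes:
    # Like PHP str_rot13: only ASCII letters change, other bytes pass through.
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def unpack_container(file_data: bytes, decode=inner_decode) -> bytes:
    if len(file_data) < TRAILER_LEN:
        raise LayoutError("file shorter than the 48-byte trailer")
    # PHP unpack('l') uses machine byte order; little-endian is assumed here.
    (start,) = struct.unpack("<i", file_data[-4:])
    end = len(file_data) - TRAILER_LEN
    if not 0 <= start < end:
        raise LayoutError(f"payload offset {start} outside 0..{end - 1}")
    stream = zlib.decompressobj()
    try:
        raw = stream.decompress(decode(file_data[start:end]), MAX_OUTPUT)
    except zlib.error as exc:
        raise LayoutError(f"payload is not a zlib stream: {exc}") from exc
    if stream.unconsumed_tail or not stream.eof:
        raise LayoutError("zlib stream truncated or larger than the cap")
    return rot13(raw)


def build_sample(source: bytes, header: bytes = b"<?php /* constructed stub */ ?>") -> bytes:
    # Constructed test file: header + zlib(rot13(source)) + 44 pad bytes + int32 offset.
    trailer = bytes(TRAILER_LEN - 4) + struct.pack("<i", len(header))
    return header + zlib.compress(rot13(source)) + trailer
```

Unlike the PHP snippet, which suppresses errors with `@`, this version rejects a negative or out-of-range offset and a malformed or oversized stream instead of silently returning garbage.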
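All I can say is: the shameless are invincible!!!!!!!!!!!
1. This program is based on xcache; the first person to thank is the Chinese expert XUEFEI.
2. This program comes from the deioncube forum; it was mainly completed by sidxx55 (Russia), Cw2in, as2227654 and others.
Once it reached China it became the work of repackagers. Delete those 2 authors of yours!!!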
...continue open a big capability of xcache for encoders.
============================
status is free. not for sale.
============================
Works LOG:
updated for win8 added libeay32.dll (tested on win8 x64)
=====
Updated 07/10/14 for php52: ModeBIphp52ts.rar see tests inside
- recompiled php52 module (bcompiler (0.9.3 -last beta only for php 5.2 compilation and => 0.14 marker is a 52 php I think), xcache (3.2.0 - better support for Bcompiller decompilation)), bz2 enabled.
============
php53 mode was updated 07/10/14 with new xcache (3.2.0), bcompiler 1.0.2, bz2 enabled, php 5.3.29
+ added tests + bencoder (for tests)
+ fixed $this for Nucoder decompilation of decompiler class (added test file)
=======================
bcompiler doesn't have off updates for php54 - Bproject finished until php54 support by off-dev release.
=================
Upd:
added php-express module of Nu-coder for php53, Nu-coder has php53 support only, may be its finished.
================================
Upd:
added decoders (alpha) for Mmcache and eAccelerator (php4), details in
rar readme file.
==============================================
Upd 07/11/2014
Added Zend php5.4 decoding loader is not cracked (original). Details in rar readme.
+upd decompiler class by as2227654 this fix for Zend54 $this in classes and funcs like $request = getRequest(); to $request = $this->getRequest(); (test file inside)
+sync with off-class of dec try{} and catch{}, bug: catch ("Exception" $e) to catch (Exception $e)
30/01/15
+fixed decompilation (testing) of inside funcs extraction like: func a {func b{}} (empty funcs decompiler bug)
+some decompiler fixes by as2227654 like "show"::$siteid = $s["siteid"]; to show::$siteid = $s["siteid"];
====================================================
30/11/2014
added decoding for truebug and php-beast for php54, special thx as2227654. Details in rar readme.
=========================================================================
28/08/2015
added Update 5 for zend54 some decompiler improvements, recompiled core, added mass decoding file (more Readme.txt)
29/08/2015
Update 6 added static const fix (lost major fix)
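SeayDzend, G-DeZender: could the OP provide download links?
Too much, I can't take it all in.
jccforever posted on 2018-11-8 20:31:
SeayDzend, G-DeZender: could the OP provide download links?
Just search Baidu, there are loads of them.
Thanks a lot for sharing.
Obfuscation encryption, thanks.
I don't know PHP, but I know this accelerates quite well. Thanks for sharing.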