感谢关注, 把代码贴上来吧,
zym.php 源代码
<?php
// Silence every PHP diagnostic; progress and failures are reported only through the echo lines.
error_reporting(0);

// Present a loopback identity in $_SERVER before any protected file is processed.
// NOTE(review): presumably this is meant to satisfy host/IP checks inside the protected scripts - confirm.
foreach (array('HTTP_HOST', 'SERVER_NAME', 'SERVER_ADDR', 'REMOTE_ADDR') as $serverKey) {
    $_SERVER[$serverKey] = '127.0.0.1';
}
unset($serverKey);

// Remove the CLI-specific entries from $_SERVER.
unset($_SERVER['PHPRC'], $_SERVER['argv'], $_SERVER['argc']);

echo "PHP混淆类加密解密工具(支持PHPJM/tianyiw/phpdp/vidun/及未知加密 v0.2)\n\n更强大的功能请浏览: http://www.zhaoyuanma.com 2014.09.13 \n\n";
echo "作者QQ 7530782 QQ交流群:342233194 \n\n";
echo "开始解密目录:decode...\n";

// Paths already handed to a decoder; tree() consults this list so a re-walk skips them.
$isokdata = array();
/**
 * Shutdown hook installed with register_shutdown_function().
 *
 * PHP calls it whenever the script ends, which includes a fatal error or an
 * exit()/die() raised while a protected file is being evaluated. It reports the
 * current file as skipped and walks "decoded" again; tree() ignores every path
 * already recorded in $isokdata, so the walk continues with the files that were
 * not visited yet.
 *
 * It also runs after the regular die() at the end of the script, so the
 * "skipped" message is printed once on a clean run as well.
 */
function shutdownfunction()
{
    print "此文件无法解密,忽略继续!\n";
    tree("decoded");
    print "解密完成!\n\n";
}
// Install the resume hook first, so that a fatal error or an exit() inside a decoder
// does not end the whole run.
register_shutdown_function('shutdownfunction');

// Decode everything below ./decoded in place, then stop before the declarations that follow.
tree('decoded');
print "解密完成!\n\n";
exit();
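/**
 * Recursively walk $directory and decode every protected *.php file in place.
 *
 * Each file is handed to one decoder, chosen by a signature found in its content:
 * phpdp_decode() for "IN_DECODE_<32 word chars>", phpjm_decode() for "phpjm",
 * tianyiw() for "@20140413", other_decode() for everything else. A non-empty
 * result OVERWRITES the input file.
 *
 * SECURITY: other_decode() eval()s and phpjm_decode() include()s code taken from
 * the file being decoded, so processing a file executes it with the privileges
 * of this process. Run the tool only on copies of the samples, inside an
 * isolated, disposable environment without network access or credentials.
 *
 * @param string $directory Directory to walk.
 * @return void
 */
function tree($directory)
{
    global $isokdata;
    if (!is_array($isokdata)) {
        $isokdata = array();
    }

    // dir() returns false for a missing or unreadable directory; calling ->read()
    // on that would be a fatal error, so such a directory is skipped.
    if (!is_dir($directory)) {
        return;
    }
    $mydir = dir($directory);
    if ($mydir === false) {
        return;
    }

    // Compare with false explicitly: an entry named "0" is falsy and would
    // otherwise end the loop before the remaining entries are seen.
    while (false !== ($file = $mydir->read())) {
        if ($file === '.' || $file === '..') {
            continue;
        }

        $basefile = $directory . "/" . $file;
        if (is_dir($basefile)) {
            tree($basefile);
            continue;
        }

        // Only *.php files are processed; the tool's own files are never touched.
        if (pathinfo($file, PATHINFO_EXTENSION) !== 'php' || $file === 'jm.php' || $file === 'zym.php') {
            continue;
        }

        // The path is recorded BEFORE decoding, so the re-walk started by the
        // shutdown hook does not retry a file that aborted the script.
        if (in_array($basefile, $isokdata, true)) {
            continue;
        }
        $isokdata[] = $basefile;

        echo "开始解密:".$basefile;
        $code = file_get_contents($basefile);
        if ($code === false) {
            echo "...解密失败!\n";
            continue;
        }

        if (preg_match('/IN_DECODE_(\w{32})/s', $code)) {
            $return = phpdp_decode($basefile, $code);
        } else if (preg_match("/phpjm/is", $code)) {
            $return = phpjm_decode($basefile, $code);
        } else if (preg_match("/@20140413/is", $code)) {
            $return = tianyiw($basefile);
        } else {
            $return = other_decode($basefile, $code);
        }

        // Decoders signal failure with "", false or null; only real output is written back.
        if (is_string($return) && $return !== '') {
            echo "...解密成功!\n";
            file_put_contents($basefile, $return);
        } else {
            echo "...解密失败!\n";
        }
    }
    $mydir->close();
}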
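/**
 * Decode a file handled by the "tianyiw" branch of tree().
 *
 * Stage 1 takes the text between "eval(gzuncompress('" and "'));", unescapes it,
 * converts it with destr1(), inflates it, and reads the value assigned to
 * $hash2 from the result. Stage 2 re-reads the file, locates a 4-byte marker,
 * reads a 3-byte key and two length bytes from the header that follows it,
 * inflates the payload in between and passes it to str5() with both keys.
 *
 * Every strpos() result is tested BEFORE an offset is added to it: false + 19
 * is 19, so a check made after the addition can never detect a missing marker.
 *
 * @param string $phpfile Path of the protected file.
 * @return string Decoded source, or "" when the expected layout is not found.
 */
function tianyiw($phpfile)
{
    $php = file_get_contents($phpfile);
    if ($php === false) {
        return "";
    }

    // --- Stage 1: recover the second XOR key from the loader stub ---
    $id = strpos($php, "eval(gzuncompress('");
    if ($id === false) {
        return "";
    }
    $php = substr($php, $id + 19); // 19 = length of the marker above

    $id = strpos($php, "'));");
    if ($id === false) {
        return "";
    }
    $php = substr($php, 0, $id);

    // Undo the escaping of the single-quoted PHP string literal.
    $php = str_replace("\\'", "'", $php);
    $php = str_replace("\\\\", "\\", $php);

    $loader = gzuncompress(destr1($php));
    if ($loader === false) {
        return "";
    }
    $php = strdecode1($loader);

    $id = strpos($php, "\$hash2 = '");
    if ($id === false) {
        return "";
    }
    $php = substr($php, $id + 10); // 10 = length of the marker above

    $id = strpos($php, "';");
    if ($id === false) {
        return "";
    }
    $keys = substr($php, 0, $id);

    // --- Stage 2: locate and decode the payload ---
    $php = file_get_contents($phpfile);
    $marker = chr(034) . chr(211) . chr(49) . chr(66); // 034 is octal, i.e. byte 28
    $id = strpos($php, $marker);
    if ($id === false) {
        return "";
    }
    $php = substr($php, $id + 4);

    $pwd = substr($php, 3, 3);
    $len_1 = ord(substr($php, 2, 1));
    $len_2 = ord(substr($php, 6, 1));
    // NOTE(review): when $len_2 is 0 the length argument is 0 and the payload is empty - confirm intended.
    $php = substr($php, $len_1 + 7, -$len_2);

    $payload = @gzuncompress($php);
    if ($payload === false) {
        return "";
    }
    return str5($payload, $pwd, $keys);
}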
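/**
 * Base64-decode $str, optionally undoing the byte transform first.
 *
 * The second parameter appears as "$***" in the posted listing, which is not a
 * valid PHP identifier (the name looks masked by the forum's word filter); it is
 * called $mode here. Callers pass it positionally.
 *
 * With a non-empty $mode each byte is mapped before decoding:
 *   - 245..255 -> dropped
 *   - 137..244 -> chr(byte / 2), integer division
 *   - others   -> kept
 *
 * @param string $str  Encoded text.
 * @param string $mode '' decodes $str as is; any other value applies the byte mapping first.
 * @return string|false Result of base64_decode().
 */
function decode1($str, $mode = '')
{
    if ($mode === '') {
        $ret = $str;
    } else {
        // The listing seeds this with a stray non-ASCII character; base64_decode()
        // in its default non-strict mode skips such bytes, so '' gives the same result.
        $ret = '';
        $l = strlen($str);
        for ($i = 0; $i < $l; $i++) {
            $c = ord($str[$i]);
            if ($c >= 245) {
                continue;
            }
            // Integer cast makes the halving explicit instead of handing chr() a fractional float.
            $ret .= $c > 136 ? chr((int) ($c / 2)) : $str[$i];
        }
    }
    return base64_decode($ret);
}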
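/**
 * Decode a file carrying the "IN_DECODE_<32 word chars>" signature (phpdp branch of tree()).
 *
 * The function works on text only: it extracts the main body and the trailing
 * block with regular expressions, rebuilds one base64 string from them, and
 * inflates it. Nothing from the input is executed here.
 *
 * @param string $file Path of the protected file; read only when $str is empty.
 * @param string $str  Content of the file, if the caller already has it.
 * @return string Decoded source, or "" when the expected layout is not found.
 */
function phpdp_decode($file, $str = '')
{
    $str = $str ? $str : file_get_contents($file);
    if (!is_string($str) || !preg_match('/IN_DECODE_(\w{32})/s', $str, $arr)) {
        return "";
    }
    // Kept from the original, disabled: a guard that refused one specific signature value.
    //$arr[1] === '761b5f52db6dff7ce91344e99dcedab7' && return "";

    // Main body of the protected code.
    // '';@\$[\x00-\xff]+\(\\'([\x00-\xff]+?)\\'\.\(
    if (!preg_match('|\'\';@\$[\x00-\xff]+\(\\\\\'([\x00-\xff]+?)\\\\\'\.\(|s', $str, $arr)) {
        return "";
    }
    $code = $arr[1];

    // Encoded fragment in the middle of the body; its decoded form replaces the
    // expression that produced it. Without a match the replacement text is empty.
    $key = preg_match('|\(\'([\x00-\xff]+)\',\'|s', $code, $arr)
        ? base64_decode(decode1($arr[1], "decode"))
        : '';
    $code = preg_replace('|\'\.[\x00-\xff]+\'\)\)\.\'|s', $key, $code);

    // Trailing encoded block.
    if (!preg_match('|=\'(x[\x00-\xff]+)\'\)\);|s', $str, $arr)) {
        return "";
    }
    $core = $arr[1];

    // A 60-character verification key is embedded in the trailing block; remove it when present.
    if (preg_match('|[\w+/=]{59}=|s', $core, $arr)) {
        $core = str_replace($arr[0], '', $core);
    }

    // The inflated trailing block is the tail of the base64 text.
    $suffix = @gzuncompress($core);

    $code = @gzuncompress(base64_decode($code . $suffix));
    if ($code === false) {
        return "";
    }

    // Keep only the clean code between the wrapper fragments, when they are present.
    if (preg_match('|<!--<\?php endif;\?>(<\?php[\r\n]{1,2}[\x00-\xff]+\?>)<\?php \$GLOBALS\[|s', $code, $arr)) {
        $code = $arr[1];
    }
    return $code;
}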
/**
 * Replace die(...)/exit(...) calls whose argument ends in a quote with "{break;}".
 *
 * other_decode() applies this to an intermediate layer before evaluating parts
 * of it. The match is case-insensitive and lazy, and lets "." span newlines.
 *
 * @param string $str Code text.
 * @return string Code text with the matching calls replaced.
 */
function preg_clear_die($str)
{
    $pattern = "/(die|exit)\(.*?('|\")\);/is";
    $substitute = '{break;}';

    return preg_replace($pattern, $substitute, $str);
}
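/**
 * Generic decoder for eval()-based protection layers.
 *
 * SECURITY: this function EXECUTES code taken from the input file. Each layer
 * is peeled by eval()-ing the setup statements found in front of an eval(...)
 * call and then evaluating that call's argument into a local variable. The
 * evaluated code runs in this function's scope with the full privileges of the
 * process, and can do anything PHP can do. Use only on copies of the samples,
 * in an isolated, disposable environment without network access or credentials.
 *
 * The local names $code3, $code5 and $return are referenced from the strings
 * passed to eval(), so they must keep these names.
 *
 * @param string $file Path of the protected file; also substituted for __FILE__.
 * @param string $code Content of the file, if the caller already has it.
 * @return string Decoded source starting with "<?php", or "" on failure.
 */
function other_decode($file, $code = '')
{
    if ($code == '') {
        $code = file_get_contents($file);
    }
    // The protected code may read itself through __FILE__; point it at the real file.
    $code1 = str_replace('__FILE__', "'$file'", $code);

    $code3 = '';
    $return = '';

    // Layer 1, variant with two eval() calls ("shen dun").
    if (preg_match("/(.*?)eval\((.*?)\);(.*?)eval\((.*?)\);/is", $code1, $code2)) {
        @eval($code2[2].';'.$code2[3].'?>');
        @eval('$code3='.$code2[4].';?>');
    }
    // Layer 1, variant with a single eval() call.
    else if (preg_match("/(.*?)eval\((.*?)\);/is", $code1, $code2)) {
        @eval('?>'.$code2[1]);
        @eval('$code3='.$code2[2].'?>');
    }
    else {
        // No eval() call found: nothing this decoder can peel.
        echo "\n不支持该文件解密,尝试在线解密:http:/www.zhaoyuanma.com ";
        return "";
    }

    if (!is_string($code3)) {
        return "";
    }

    // Layer 2, variant eval('?>' . expr) ("6bi9").
    if (preg_match("/(.*?);eval\('\?>'\.(.*?)\);/is", $code3, $code4)) {
        @eval($code4[1].'?>');
        @eval('$return='.$code4[2].'?>');
    }
    // Layer 2, variant eval(expr), possibly followed by a third layer ("buer").
    else if (preg_match("/(.*?);eval\((.*?)\);/is", $code3, $code4)) {
        @eval($code4[1].'?>');
        @eval('$code5='.$code4[2].'?>');
        $code5 = preg_clear_die($code5);
        if (preg_match("/(.*?);eval\((.*?)\);?/is", $code5, $code6)) {
            @eval($code6[1].'?>');
            @eval('$return='.$code6[2].'?>');
        } else {
            $return = $code5;
        }
    }
    else {
        $return = $code3;
    }

    // An empty result must not be reported as success: the caller overwrites the
    // input file with whatever non-empty string is returned.
    if (!is_string($return) || $return === '') {
        return "";
    }

    // The original pattern '^<\?php' had no delimiters, so preg_match() always
    // failed and "<?php" was prepended even when the code already started with it.
    if (!preg_match('/^<\?php/', $return)) {
        $return = "<?php".$return;
    }
    return $return;
}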
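/**
 * Decode a file carrying the "phpjm" signature.
 *
 * Steps, as implemented below:
 *   1. strdecode() rewrites non-printable bytes as "[n]", fmt_code() renames the
 *      identifiers built from them.
 *   2. The body of the loader's by-reference helper function is replaced by
 *      "$x=@gzuncompress(base64_decode($x))".
 *   3. The loader's final "$var(" call is replaced by a file_put_contents() call
 *      writing to detmp2.php.
 *   4. The patched loader is written to detmp.php and include()d; the captured
 *      payload is read from detmp2.php and inflated.
 *
 * SECURITY: step 4 EXECUTES the patched loader, i.e. code derived from the
 * input file, with the privileges of this process. Use only on copies, in an
 * isolated, disposable environment. Both temporary files have fixed names in
 * the current working directory, so two runs in the same directory interfere.
 *
 * The "e" pattern modifier of the original was dropped: it only ever applied to
 * preg_replace(), and PHP 7+ rejects it, which made every match here fail.
 *
 * @param string $file Path of the protected file; read only when $code is empty.
 * @param string $code Content of the file, if the caller already has it.
 * @return string Decoded source, or "" on failure.
 */
function phpjm_decode($file, $code = '')
{
    if ($code == '') {
        $code = file_get_contents($file);
    }
    $code = strdecode($code);
    $code = fmt_code($code);

    // Helper function taking one by-reference argument; try the form with a
    // trailing return "..." first, then the plain form.
    if (!preg_match('/function [0-9A-Za-z]+\(&\\$(.*?)\)\{(.*?);return "(.*?)";\}/isU', $code, $res)
        && !preg_match('/function [0-9A-Za-z]+?\(&\\$([^\$]+?)\)\{(.*?);\}/isU', $code, $res)) {
        return "";
    }
    $fun = str_replace($res[2], '$'.$res[1].'=@gzuncompress(base64_decode($'.$res[1].'))', $res[0]);
    $code = str_replace($res[0], $fun, $code);

    // Final "$var(" call of the loader; redirect it into a file instead.
    if (!preg_match('/\.(\'|\")+?\(@\\$([0-9A-Za-z]+?)\(\\$/isU', $code, $res)) {
        return "";
    }
    if ($res[1] == "'") {
        // Inside a single-quoted context the file name must use double quotes.
        $str = str_replace('$'.$res[2].'(', 'file_put_contents("detmp2.php",', $res[0]);
    } else {
        $str = str_replace('$'.$res[2].'(', 'file_put_contents(\'detmp2.php\',', $res[0]);
    }
    $code = str_replace($res[0], $str, $code);
    $code = destr($code);

    // Remove output left by an earlier aborted run, so it cannot be mistaken for this file's payload.
    @unlink('detmp2.php');

    @file_put_contents('detmp.php', $code);
    include('detmp.php'); // executes the patched loader - see SECURITY above
    $str = @file_get_contents('detmp2.php');
    @unlink('detmp2.php');
    @unlink('detmp.php');
    if ($str === false) {
        return "";
    }

    $decode = @gzuncompress($str);
    if ($decode === false) {
        return "";
    }
    // Strip the wrapper fragments around the payload.
    $decode = preg_replace('/^;\?>/', '', $decode);
    $decode = preg_replace('/<\?php unset\((.*?)\?>$/', '', $decode);
    return $decode;
}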
/**
 * Rename variable $val to $deval wherever it is followed by one of a fixed set
 * of delimiters, or appears as "($val ".
 *
 * The replacements run one after another in the listed order, each on the
 * output of the previous one.
 *
 * @param string $code  Code text.
 * @param string $val   Current variable name, without "$".
 * @param string $deval New variable name, without "$".
 * @return string Code text with the variable renamed.
 */
function val_replace($code, $val, $deval)
{
    $from = '$' . $val;
    $to = '$' . $deval;

    foreach (array(',', ';', '=', '(', ')', '.', '/', '>', '<', '^', '||') as $tail) {
        $code = str_replace($from . $tail, $to . $tail, $code);
    }

    // Last form: the variable directly after "(" and followed by a space.
    return str_replace('(' . $from . ' ', '(' . $to . ' ', $code);
}
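/**
 * Rename the variables and functions of a strdecode()-normalised loader.
 *
 * Every identifier found is converted with destr($name, 1) and replaced in the
 * code; the mappings are also recorded in the globals $vals (variables) and
 * $funs (functions).
 *
 * The "e" pattern modifier of the original was dropped: it only ever applied to
 * preg_replace(), and PHP 7+ rejects it, which made every match here fail and
 * left the code unrenamed.
 *
 * @param string $code Normalised loader code.
 * @return string Code with renamed identifiers.
 */
function fmt_code($code)
{
    global $vals, $funs;

    // Variables followed by "," or ";".
    if (preg_match_all("/\\$[0-9a-zA-Z\[\]]+(,|;)/isU", $code, $res)) {
        foreach ($res[0] as $v) {
            $val = str_replace(array('$', ',', ';'), '', $v);
            $deval = destr($val, 1);
            $vals[$val] = $deval;
            $code = val_replace($code, $val, $deval);
        }
    }

    // Variables being assigned to.
    if (preg_match_all("/\\$[0-9a-zA-Z\[\]]+=/isU", $code, $res)) {
        foreach ($res[0] as $v) {
            $val = str_replace(array('$', '='), '', $v);
            $deval = destr($val, 1);
            $vals[$val] = $deval;
            $code = val_replace($code, $val, $deval);
        }
    }

    // Function declarations, plus their call sites after "=" and "return ".
    if (preg_match_all("/function\s[0-9a-zA-Z\[\]]+\(/isU", $code, $res)) {
        foreach ($res[0] as $v) {
            $val = str_replace(array('function ', '('), '', $v);
            $deval = destr($val, 1);
            $funs[$val] = $deval;
            $code = str_replace('function '.$val.'(', 'function '.$deval.'(', $code);
            $code = str_replace('='.$val.'(', '='.$deval.'(', $code);
            $code = str_replace('return '.$val.'(', 'return '.$deval.'(', $code);
        }
    }
    return $code;
}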
/**
 * Pass every byte of $str through decode() and concatenate the results.
 *
 * @param string $str Raw bytes.
 * @return string Text in which non-printable bytes appear as "[n]".
 */
function strdecode($str)
{
    $newstr = '';
    $total = strlen($str);
    $pos = 0;
    while ($pos < $total) {
        $newstr .= decode(ord($str[$pos]));
        $pos++;
    }
    return $newstr;
}
/**
 * Render one byte value: values 32..126, CR (13) and LF (10) become the
 * character itself, every other value becomes "[n]".
 *
 * @param int $dec Byte value.
 * @return string One character, or the bracketed decimal value.
 */
function decode($dec)
{
    $inPrintableRange = !($dec > 126 || $dec < 32);
    if ($inPrintableRange || $dec == 13 || $dec == 10) {
        return chr($dec);
    }
    return '[' . $dec . ']';
}
/**
 * Inverse of strdecode(): turn every "[n]" group back into a single character.
 *
 * With $val == 1 the group is instead mapped to a lowercase letter,
 * chr(97 + n mod 25), which fmt_code() uses to build identifier names.
 * A "]" without digits in front of it yields chr(0).
 *
 * @param string $str Text containing "[n]" groups.
 * @param int    $val 1 to map groups to letters, anything else for raw bytes.
 * @return string Converted text.
 */
function destr($str, $val = 0)
{
    $out = '';
    $digits = '';
    $collecting = false;
    $length = strlen($str);

    for ($pos = 0; $pos < $length; $pos++) {
        $ch = $str[$pos];

        if ($ch == '[') {
            $collecting = true;
            continue;
        }

        if ($ch == ']') {
            $byte = intval($digits);
            if ($val == 1) {
                $byte = 97 + fmod($byte, 25);
            }
            $out .= chr($byte);
            $collecting = false;
            $digits = '';
            continue;
        }

        if ($collecting) {
            $digits .= $ch;
        } else {
            $out .= $ch;
        }
    }
    return $out;
}
/**
 * Base64-decode $string and, unless $hash is '-', XOR the result with two
 * repeating keys.
 *
 * Byte i is XORed with $hash[i mod strlen($hash)] and with byte (i mod 5) of
 * destr($hash2); the second key is therefore always indexed with period 5.
 *
 * @param string $string Base64 text.
 * @param string $hash   First key, or '-' for plain base64 decoding.
 * @param string $hash2  Second key in "[n]" notation.
 * @return string Decoded bytes.
 */
function str5($string, $hash = '-', $hash2 = '[247][174][218][217][182]')
{
    if ($hash == '-') {
        return base64_decode($string);
    }

    $secondKey = destr($hash2);
    $raw = base64_decode($string);
    $firstKeyLength = strlen($hash);
    $total = strlen($raw);

    $plain = '';
    $pos = 0;
    while ($pos < $total) {
        $plain .= $raw[$pos] ^ $hash[$pos % $firstKeyLength] ^ $secondKey[$pos % 5];
        $pos++;
    }
    return $plain;
}
/**
 * Heuristic UTF-8 check based on the first lead byte in the range 228..233.
 *
 * Bytes outside that range are skipped. At the first byte inside it, the
 * function answers immediately: true when the next two bytes are both in
 * 128..191, false otherwise, and false when fewer than three bytes follow the
 * lead byte's position. Text without such a lead byte yields false.
 *
 * @param string $str Bytes to inspect.
 * @return bool Result of the heuristic.
 */
function is_utf8($str)
{
    $size = strlen($str);

    for ($pos = 0; $pos < $size; $pos++) {
        $lead = ord($str[$pos]);
        if ($lead <= 127 || $lead < 228 || $lead > 233) {
            continue;
        }

        // Not enough bytes after the lead byte.
        if ($pos + 2 >= $size - 1) {
            return false;
        }

        $second = ord($str[$pos + 1]);
        $third = ord($str[$pos + 2]);

        return $second >= 128 && $second <= 191 && $third >= 128 && $third <= 191;
    }
    return false;
}
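/**
 * Variant of destr() that only treats "[" as the start of a group when the
 * next character is "1" or "2", and only treats "]" as the end of a group
 * while one is open. Any other bracket is copied through unchanged.
 *
 * With $val == 1 a group is mapped to chr(97 + n mod 25) instead of chr(n).
 *
 * The look-ahead is bounds-checked: the original read $str[$i+1] even when "["
 * was the last character, which is an out-of-range string offset.
 *
 * @param string $str Text containing "[n]" groups.
 * @param int    $val 1 to map groups to letters, anything else for raw bytes.
 * @return string Converted text.
 */
function destr1($str, $val = 0)
{
    $k = 0;
    $num = '';
    $n = strlen($str);
    $code = '';
    for ($i = 0; $i < $n; $i++) {
        $opensGroup = $str[$i] == '['
            && $i + 1 < $n
            && ($str[$i + 1] == 1 || $str[$i + 1] == 2);

        if ($opensGroup) {
            $k = 1;
        } elseif ($str[$i] == ']' && $k == 1) {
            $num = intval($num);
            if ($val == 1) {
                $num = 97 + fmod($num, 25);
            }
            $code .= chr($num);
            $k = 0;
            $num = '';
        } else {
            if ($k == 1) {
                $num .= $str[$i];
            } else {
                $code .= $str[$i];
            }
        }
    }
    return $code;
}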
/**
 * Pass every byte of $str through decode2() and join the results.
 *
 * @param string $str Raw bytes.
 * @return string Text in which non-printable bytes appear as "[n]".
 */
function strdecode1($str)
{
    $pieces = array();
    for ($at = 0, $end = strlen($str); $at < $end; ++$at) {
        $pieces[] = decode2(ord($str[$at]));
    }
    return implode('', $pieces);
}
/**
 * Render one byte value: "[n]" for values outside 32..126 other than CR (13)
 * and LF (10), the character itself otherwise.
 *
 * @param int $dec Byte value.
 * @return string One character, or the bracketed decimal value.
 */
function decode2($dec)
{
    $needsBrackets = ($dec < 32 || $dec > 126) && !($dec == 13 || $dec == 10);

    return $needsBrackets ? '[' . $dec . ']' : chr($dec);
}
?>