开发者

How to decipher this code?

$o="QAAAOzh3b3cnYGJzWG9iZmNidQAgLy48Jzg5Cg0KDQGjbmlka3IAAGNiJy9TQkpXS0ZTQldGU08ABScpJyAoYGZra2J1fikEACADXIQABPFhaGhzBPU=";

eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbF开发者_运维问答skbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));

return;?>


Replace eval by echo and run your script.

This gives (reformatted) :

$lll=0;
eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));
$ll=0;
eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));
$llll=0;
$lllll=3;
eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));
$lllllll=0;
$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);
eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));
$lllllllll=16;
$llllllll="";

for(;$lllll<$lllllllllllll($l);)
{
  if($lllllllll==0)
  {
    $llllll=($llllllllll($l[$lllll++])<<8);
    $llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;
  }

  if($llllll&0x8000)
  {
    $lll=($llllllllll($l[$lllll++])<<4);
    $lll+=($llllllllll($l[$lllll])>>4);
    if($lll)
    {
      $ll=($llllllllll($l[$lllll++])&0x0f)+3;

      for($llll=0;$llll<$ll;$llll++)
        $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];

      $lllllll+=$ll;
    }
    else
    {
      $ll=($llllllllll($l[$lllll++])<<8);
      $ll+=$llllllllll($l[$lllll++])+16;
      for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));

      $lllll++;$lllllll+=$ll;
    }
  }
  else
    $llllllll[$lllllll++]=$llllllllll($l[$lllll++]);

  $llllll<<=1;$lllllllll--;
}

eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";

for(;$lllll<$lllllll;)
{
  $llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);
}

eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));
eval($lllllllll);

$lllllllllll='base64_decode';
$l=$lllllllllll($o);
$lllllllll.=$llllllllll.$llllllllllll(60)."?";$llllllllllll='chr';

Perform the base64_decode operation of the remaining strings, and you'll ahve the complete code. Nice sample of obfuscated code, have fun with it!


That's what this code is evaluating:

<?php get_header(); ?>
<?php include (TEMPLATEPATH . '/gallery.php'); ?>
<?php get_footer(); ?>

As this is part of a function (i guess it by "return" statement in the original code) this code makes nothing else but what stated above. I parsed it through step-by-step. Nicely encrypted code thou.


It's pretty straightforward: the alphabet soup is Base64 encoded PHP code, which is decoded via base64_decode() and run via eval().

Looking at the decoded source code reveals that it's still highly obfuscated. Whoever that code is from really does not want you to decipher it. They probably have a reason for that.


You can use this online decryptor for that or just replace eval keyword with echo because it is already getting decrypted using base64_decode function.


That's simple, I had to do something similar.

  1. instead of eval(base64_decode(...)); do:

    $temp = base64_decode(...); print $temp;

  2. See the last eval() in the printed string. Do a substr() to remove it, e.g.

    $temp = substr($temp, 0, -17);

  3. Append a print $lllllllll; instead: $temp=$temp."print $lllllllll;";

  4. Perform the eval(): eval($temp);

This will print out the code instead of evaluating it.

Code is:

$temp = base64_decode(...);
$temp = substr($temp, 0, -<your eval offset here>);
$temp=$temp."print $lllllllll;"
eval($temp);

Or the result directly :) :

<?php get_header(); ?>

<?php include (TEMPLATEPATH . '/gallery.php'); ?>

<?php get_footer(); ?>
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜