How to decipher this code?

2022-12-22 08:06 问答作者：

$o="QAAAOzh3b3cnYGJzWG9iZmNidQAgLy48Jzg5Cg0KDQGjbmlka3IAAGNiJy9TQkpXS0ZTQldGU08ABScpJyAoYGZra2J1fikEACADXIQABPFhaGhzBPU=";

eval(base64_decode("JGxsbD0wO2V2YWwoYmFzZTY0X2RlY29kZSgiSkd4c2JHeHNiR3hzYkd4c1BTZGlZWE5sTmpSZlpHVmpiMlJsSnpzPSIpKTskbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd3OUoyOXlaQ2M3IikpOyRsbGxsPTA7JGxsbGxsPTM7ZXZhbCgkbGxsbGxsbGxsbGwoIkpHdzlKR3hzYkd4c2JHeHNiR3hzS0NSdktUcz0iKSk7JGxsbGxsbGw9MDskbGxsbGxsPSgkbGxsbGxsbGxsbCgkbFsxXSk8PDgpKyRsbGxsbGxsbGxsKCRsWzJdKTtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JHdzlKM04wY214bGJpYzciKSk7JGxsbGxsbGxsbD0xNjskbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGxsbGxsbGwoJGwpOyl7aWYoJGxsbGxsbGxsbD09MCl7JGxsbGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsbGxsbCs9JGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTskbGxsbGxsbGxsPTE2O31pZigkbGxsbGxsJjB4ODAwMCl7JGxsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8NCk7JGxsbCs9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbF0pPj40KTtpZigkbGxsKXskbGw9KCRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSkmMHgwZikrMztmb3IoJGxsbGw9MDskbGxsbDwkbGw7JGxsbGwrKykkbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGxdPSRsbGxsbGxsbFskbGxsbGxsbC0kbGxsKyRsbGxsXTskbGxsbGxsbCs9JGxsO31lbHNleyRsbD0oJGxsbGxsbGxsbGwoJGxbJGxsbGxsKytdKTw8OCk7JGxsKz0kbGxsbGxsbGxsbCgkbF开发者_运维问答skbGxsbGwrK10pKzE2O2ZvcigkbGxsbD0wOyRsbGxsPCRsbDskbGxsbGxsbGxbJGxsbGxsbGwrJGxsbGwrK109JGxsbGxsbGxsbGwoJGxbJGxsbGxsXSkpOyRsbGxsbCsrOyRsbGxsbGxsKz0kbGw7fX1lbHNlJGxsbGxsbGxsWyRsbGxsbGxsKytdPSRsbGxsbGxsbGxsKCRsWyRsbGxsbCsrXSk7JGxsbGxsbDw8PTE7JGxsbGxsbGxsbC0tO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkd4c2JEMG5ZMmh5SnpzPSIpKTskbGxsbGw9MDtldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkQwaVB5SXVKR3hzYkd4c2JHeHNiR3hzYkNnMk1pazciKSk7JGxsbGxsbGxsbGw9IiI7Zm9yKDskbGxsbGw8JGxsbGxsbGw7KXskbGxsbGxsbGxsbC49JGxsbGxsbGxsbGxsbCgkbGxsbGxsbGxbJGxsbGxsKytdXjB4MDcpO31ldmFsKCRsbGxsbGxsbGxsbCgiSkd4c2JHeHNiR3hzYkM0OUpHeHNiR3hzYkd4c2JHd3VKR3hzYkd4c2JHeHNiR3hzYkNnMk1Da3VJajhpT3c9PSIpKTtldmFsKCRsbGxsbGxsbGwpOw=="));

return;?>

Replace eval by echo and run your script.

This gives (reformatted) :

$lll=0;
eval(base64_decode("JGxsbGxsbGxsbGxsPSdiYXNlNjRfZGVjb2RlJzs="));
$ll=0;
eval($lllllllllll("JGxsbGxsbGxsbGw9J29yZCc7"));
$llll=0;
$lllll=3;
eval($lllllllllll("JGw9JGxsbGxsbGxsbGxsKCRvKTs="));
$lllllll=0;
$llllll=($llllllllll($l[1])<<8)+$llllllllll($l[2]);
eval($lllllllllll("JGxsbGxsbGxsbGxsbGw9J3N0cmxlbic7"));
$lllllllll=16;
$llllllll="";

for(;$lllll<$lllllllllllll($l);)
{
  if($lllllllll==0)
  {
    $llllll=($llllllllll($l[$lllll++])<<8);
    $llllll+=$llllllllll($l[$lllll++]);$lllllllll=16;
  }

  if($llllll&0x8000)
  {
    $lll=($llllllllll($l[$lllll++])<<4);
    $lll+=($llllllllll($l[$lllll])>>4);
    if($lll)
    {
      $ll=($llllllllll($l[$lllll++])&0x0f)+3;

      for($llll=0;$llll<$ll;$llll++)
        $llllllll[$lllllll+$llll]=$llllllll[$lllllll-$lll+$llll];

      $lllllll+=$ll;
    }
    else
    {
      $ll=($llllllllll($l[$lllll++])<<8);
      $ll+=$llllllllll($l[$lllll++])+16;
      for($llll=0;$llll<$ll;$llllllll[$lllllll+$llll++]=$llllllllll($l[$lllll]));

      $lllll++;$lllllll+=$ll;
    }
  }
  else
    $llllllll[$lllllll++]=$llllllllll($l[$lllll++]);

  $llllll<<=1;$lllllllll--;
}

eval($lllllllllll("JGxsbGxsbGxsbGxsbD0nY2hyJzs="));
$lllll=0;
eval($lllllllllll("JGxsbGxsbGxsbD0iPyIuJGxsbGxsbGxsbGxsbCg2Mik7"));
$llllllllll="";

for(;$lllll<$lllllll;)
{
  $llllllllll.=$llllllllllll($llllllll[$lllll++]^0x07);
}

eval($lllllllllll("JGxsbGxsbGxsbC49JGxsbGxsbGxsbGwuJGxsbGxsbGxsbGxsbCg2MCkuIj8iOw=="));
eval($lllllllll);

$lllllllllll='base64_decode';
$l=$lllllllllll($o);
$lllllllll.=$llllllllll.$llllllllllll(60)."?";$llllllllllll='chr';

Perform the base64_decode operation of the remaining strings, and you'll ahve the complete code. Nice sample of obfuscated code, have fun with it!

That's what this code is evaluating:

<?php get_header(); ?>
<?php include (TEMPLATEPATH . '/gallery.php'); ?>
<?php get_footer(); ?>

As this is part of a function (i guess it by "return" statement in the original code) this code makes nothing else but what stated above. I parsed it through step-by-step. Nicely encrypted code thou.

It's pretty straightforward: the alphabet soup is Base64 encoded PHP code, which is decoded via base64_decode() and run via eval().

Looking at the decoded source code reveals that it's still highly obfuscated. Whoever that code is from really does not want you to decipher it. They probably have a reason for that.

You can use this online decryptor for that or just replace eval keyword with echo because it is already getting decrypted using base64_decode function.

That's simple, I had to do something similar.

instead of eval(base64_decode(...)); do:

$temp = base64_decode(...); print $temp;
See the last eval() in the printed string. Do a substr() to remove it, e.g.

$temp = substr($temp, 0, -17);
Append a print $lllllllll; instead: $temp=$temp."print $lllllllll;";
Perform the eval(): eval($temp);

This will print out the code instead of evaluating it.

Code is:

$temp = base64_decode(...);
$temp = substr($temp, 0, -<your eval offset here>);
$temp=$temp."print $lllllllll;"
eval($temp);

Or the result directly :) :

<?php get_header(); ?>

<?php include (TEMPLATEPATH . '/gallery.php'); ?>

<?php get_footer(); ?>

继续阅读：obfuscation php

How to decipher this code?

更多精彩内容

精彩评论

最新问答

绝区零和崩坏星穹铁道谁更吃配置?？

电视机蓝屏,边缘处带红是哪里的毛病？

双侧输卵管远端积水怎么治疗？

关于学生看电视有什么好处与坏处?？

永劫无间手游崔三娘魂玉怎么选择?？

问答排行榜

Escaping "<" in Perl-generated XML

微信重新建群怎么建？

imessage会显示已读吗？

太快了能不能慢一点好爽~好大~不要拔出来了？

二年级家长回音怎么写大全简短的（二年级家长回音怎么写）？