标签归档:decode

PHP eval gzinflate base64_decode str_rot13加密解密

昨天遇到了一个文件用eval(gzinflate(str_rot13(base64_decode(一串解密的,原以为替换eval为echo看下好了,谁知道,还有N层,一怒之下写了这个脚本,直接转换之。顺便弄个了在线版的,省得需要的朋友直接找我了。

以下为源码:

  1. <?php 
  2. /********************************************************************** 
  3. *PHP eval gzinflate base64_decode str_rot13加密解密脚本 By:Neeao 
  4. *目前只写了针对四种组合的,其他组合的可参考注释自行修改: 
  5. *1.eval(gzinflate(str_rot13(base64_decode( 
  6. *2.eval(gzinflate(base64_decode( 
  7. *3.gzinflate(base64_decode(base64_decode(str_rot13( 
  8. *4.eval(gzinflate(base64_decode(str_rot13( 
  9. *Http://Neeao.com 
  10. *2009-09-28 
  11. ***********************************************************************/ 
  12.  
  13. $filename='code.php';//要解密的文件 
  14. $handle = fopen($filename"r"); 
  15. $contents = fread($handlefilesize ($filename)); 
  16. $contents_arr=explode('NeeaoNeeao',htmlspecialchars(decode($contents))); 
  17. echo "此代码被加密了".$contents_arr[0]."层,内容如下:<br>\n"
  18. echo $contents_arr[1]; 
  19.  
  20. /* 
  21. 解密主函数 
  22. $Str,要解密的文件内容 
  23. */ 
  24. function decode($str,$i=0) 
  25.      
  26.     $content=""
  27.     //eval(gzinflate(str_rot13(base64_decode( 
  28.     //先正则查找是否相关组合加密的,base64编码后的正则是:[A-Za-z0-9\/\+=] 
  29.     if(preg_match("/(eval\(gzinflate\(str_rot13\(base64_decode\(')([A-Za-z0-9\/\+=]*)'/",$str,$x)) 
  30.     {    
  31.         //替换掉没用的字符,获取加密后的密文 
  32.         $content=str_replace("eval(gzinflate(str_rot13(base64_decode('","",$x[0]); 
  33.         $content=str_replace("'","",$content); 
  34.         //变量i是用来判断加密层数的,初始值为0,解密一次,层数加一 
  35.         $i++; 
  36.         //采用相关组合解密 
  37.         $content=gzinflate(str_rot13(base64_decode($content))); 
  38.         //递归判断下是不是已经结束了,没结束继续重复解密 
  39.         $content=decode($content,$i); 
  40.     } 
  41.     //eval(gzinflate(base64_decode( 
  42.     elseif(preg_match("/eval\(gzinflate\(base64_decode\('[A-Za-z0-9\/\+=]*'/",$str,$y)) 
  43.     {    
  44.          
  45.         $content=str_replace("eval(gzinflate(base64_decode('","",$y[0]); 
  46.         $content=str_replace("'","",$content); 
  47.         $i++; 
  48.         $content=gzinflate(base64_decode($content)); 
  49.         $content=decode($content,$i); 
  50.     } 
  51.     //gzinflate(base64_decode(base64_decode(str_rot13( 
  52.     elseif(preg_match("/eval\(gzinflate\(base64_decode\(base64_decode\(str_rot13\('[A-Za-z0-9\/\+=]*'/",$str,$z)) 
  53.     { 
  54.         $content=str_replace("eval(gzinflate(base64_decode(base64_decode(str_rot13('","",$z[0]); 
  55.         $content=str_replace("'","",$content); 
  56.         $i++; 
  57.         $content=gzinflate(base64_decode(base64_decode(str_rot13(($content))))); 
  58.         $content=decode($content,$i); 
  59.     } 
  60.     //eval(gzinflate(base64_decode(str_rot13( 
  61.     elseif(preg_match("/eval\(gzinflate\(base64_decode\(str_rot13\('[A-Za-z0-9\/\+=]*'/",$str,$m)) 
  62.     { 
  63.         $content=str_replace("eval(gzinflate(base64_decode(str_rot13('","",$m[0]); 
  64.         $content=str_replace("'","",$content); 
  65.         $i++; 
  66.         $content=gzinflate(base64_decode(str_rot13(($content)))); 
  67.         $content=decode($content,$i); 
  68.     } 
  69.     else 
  70.     { 
  71.         $content=$i."NeeaoNeeao".$str
  72.     } 
  73.     return $content
  74.      
  75. ?> 

在线版地址:http://neeao.com/tools/decode/index_eval.php