微擎 goto + 混淆加密, 反向解密思路
写在前面(一堆废话着急请略过)
首先我是个菜鸡。这段时间学习微擎遇到一个模块。关键文件都加密了。类似这种:
<?php
defined("x49116137111101") or exit("x41143143145163163x20x44145156x69x65144"); class yzxcpt_sunModuleWxapp extends WeModuleWxapp {public function doPageactivitylist() { goto ZBpAU; Yykb9: foreach ($res as $key => $value) { goto B8RTV; TUI2i: $allzan = pdo_fetchcolumn("163145154x65143x74x20x63157x75x6e16450x69144x2940x61163x20143157165156164x20x66x72157155" . tablename("x79x7ax78x63x70164137163165156x5fx61x63164x69x76151164x79172141156") . "40x77x68x65162145x20x75x6ex69x61143x69144407540" . $_W["x75x6ex69x61143x69144"] . "x20141156x64x20x61x69x64x2075x20" . $value["151144"]); goto XEsex; gjDMe: goto ubQkx; goto Aq3KL; FRAU3: DRIM_: goto BXJiV; u0xtV: ubQkx: goto TUI2i; XEsex: $res[$key]["172x61x6e"] = $value["170x6e172x61x6e"] + $allzan["143x6f165x6ex74"]; goto FRAU3; riKrf: $res[$key]["151163172141x6e"] = 1; goto u0xtV; w07AK: $zan = pdo_get("x79x7ax78x63x70164137x73x75x6ex5f141143x74151166151x74171x7a141156", array("x75x6e151141143x69x64" => $_W["x75x6e151x61x63151x64"], "165151x64" => $uid, "141151144" => $value["151x64"])); goto V5M1X; V5M1X: if ($zan) { goto BB6x7; } goto k8F2e; k8F2e: $res[$key]["x69163x7ax61156"] = 0; goto gjDMe; B8RTV: $res[$key]["164x69x6d145"] = date("x59x2dx6d55144", $value["x74151155x65"]); goto w07AK; Aq3KL: BB6x7: goto riKrf; BXJiV: } goto V7iyu; e8HwJ: $where .= "x20141156x64x20x74x79160x65x20x3dx20" . $type; goto hDwoK; c9NgR: $this->return_msg(1, $res, "x73x75143x63x65x73x73"); goto wztqM; sMfnF: $type = $_GPC["164x79x70145"]; goto Vl90R; pggxy: $where = "40167x68145162x65x20165x6ex69x61143151144x207540" . $_W["x75156x69141143151144"] . "40x61156144x20163x74141164165x73x20x3dx20x32"; goto UmOHV; c2hzE: $res = pdo_fetchall("x73x65x6c145143x74405240x66x72x6fx6d40" . tablename("x79x7ax78143x70164x5f163165x6e137141x63164x69x76x69164x79") . $where . "x20x6fx72144145162x20x6217140x73157162x7440x6116314340" . $limit); goto Yykb9; Vl90R: $uid = $_GPC["165x69144"]; goto j3k3y; bjheH: $limit = "40x6cx69x6dx6916440" . $start . "x2c" . 
$length; goto pggxy; j3k3y: $page = $_GPC["160x61147x65"] ? $_GPC["160x61x67145"] : 1; goto kY_oM; Z4LTa: $start = ($page - 1) * $length; goto bjheH; hDwoK: lMF7r: goto c2hzE; UmOHV: if (!$type) { goto lMF7r; } goto e8HwJ; V7iyu: Gtn_w: goto c9NgR; ZBpAU: global $_GPC, $_W; goto sMfnF; kY_oM: $length = $_GPC["154145x6e147164150"] ? $_GPC["154x65x6e147x74150"] : 10; goto Z4LTa; wztqM: }
这样就很难受,google 了一下有很多微擎 解密 的网站,都是按 kb 收费的,emmm,犹豫了一下没有剁手。
想着自己学着玩也没人给报销,并且这次掏钱包解决了,下次遇到还是不会。。。
索性研究研究吧。找了挺多相关帖子,奈何水平有限,那些文章提到的工具之类都不会用。只好用笨方法。
搜索论坛关键词,还没有人发过类似帖子。倒有不少求助解密的。授人以鱼不如授人以渔。
我这算是抛砖引玉吧,希望能有大佬写出脚本自动执行。节省人工。
准备工作
PHP goto 知识
PHP.net
PHP中文网
格式化代码
看到无序乱码就烦,我也是。
可以用编辑器自带的代码格式化来优化
我用的是 vscode 快捷键 alt + shift +f
需要插件,叫啥我忘了。不过如果没装过按下快捷键的时候会提示你安装
推荐工具
online PHP and Javascript Decoder
这个站点对变量值的混淆解析有用
缺点是不能解析goto
加密特征
目前发现微擎的加密主要是两种
变量值混淆
用 goto 语法 打乱正常代码顺序
+ 根据上面的特征,就方便做出反向解密
1. 变量值混淆
+ 上面的工具可以解决,你可能好奇是怎么解析出来的
+ 其实用 echo | var_dump() | print 同样可以达到一样的效果
+ 注意要用“双引号”,PHP 才会解析其中的转义序列;只需把字符串字面量单独取出来输出,不必运行整个文件
+ 具体是什么编码混淆的,因为本人能力有限。就不得而知了。有知道的大佬可以帮忙解惑。先谢谢啦。(补充:这其实是 PHP 双引号字符串里的八进制 \ooo 与十六进制 \xhh 转义序列,例如 "\x73\x69\144" 就是 "sid";本页示例代码中的反斜杠看起来在转载时丢失了。)
2. goto 打乱正常代码顺序
+ 目前我用的笨方法,就是一句一句找
+ 按照 goto 顺序 重新剪切还原
+ 缺点就是太浪费时间,目前还没有好的思路。想用正则可是不知道怎么写。。。。
+ 希望大佬能有高效解决方案
调试过程
小技巧
微擎的方法多数以 global $_W, $_GPC; 开始。
(初始化两个全局变量)
微擎小程序的结尾多数是 $this->result( );
等理顺所有 goto 的时候,你会发现正好和最后一个 goto 标记相对
微擎还对条件判断语句做了加密。可以通过特征识别
if 单个条件判断语句会取反。if…elseif…else 按正常解析
if…elseif….特征
else 特征
特征在代码注释找吧 —-> // 去掉goto思路
我太困了.马上两点了。我要睡了zzz
格式化代码之后,清爽了很多。也更有耐心看下去啦
<?php
// Formatting done.
// Stage 1 of the walkthrough: the method after a code formatter has been run.
// String literals still carry the octal/hex escape obfuscation; in this copy the
// backslashes appear to be missing (compare "x73x69144" here with "sid" in the
// tool-decoded listing). Every statement is still wrapped in a label and
// followed by a goto.
defined("IN_IA") or exit("Access Denied");
class yzxcpt_sunModuleWxapp extends WeModuleWxapp
{
public function doPagecoupontlist()
{
goto RJq8z;
RJq8z: global $_GPC, $_W;
goto Fd00u;
Fd00u: $sid = $_GPC["x73x69144"];
goto zEa5k;
zEa5k: $page = max(1, intval($_GPC["160x61x67145"]));
goto h9fAf;
h9fAf: $size = intval($_GPC["x6cx65156x67164x68"]) ? intval($_GPC["x6c145x6e147x74x68"]) : 10;
goto pZcKj;
// The only readable token inside the escaped SQL text is {$sid}: the value read
// from $_GPC above is interpolated into the query string as-is.
pZcKj: $coupon = pdo_fetchall("163x65x6cx65x63x7440141x2ex2a40x66x72x6fx6d40" . tablename("x79x7ax78143x70164x5f163x75x6e137143157x75x70x6fx6e") . "x61x20x6cx65x66164x20x6a157x69x6e40" . tablename("171172170143160x74137x73165156137x73x68157x70x5fx63x6fx75160x6fx6e") . "142x20x6fx6ex20142x2e143x69x64x20x3dx20141x2e151x6440167150x65x72x6540142x2e163151144x207540{$sid}x20141156x644014156x73x74x61x74165x73x3d6140141x6ex6440x6156x63x68145143153x73x20x3dx2061x20141x6e144x20141x2e163x74141164x65417561x20141156144x2014156x75x6ex69141143151x64407540" . $_W["x75x6ex69141x63x69x64"] . "40141156x644014256x75x6ex69x61x63x69144x20x3d40" . $_W["x75156151141143151144"] . "x20154151x6d15116440" . ($page - 1) * $size . "x2c" . $size);
goto vffZo;
vffZo: foreach ($coupon as $key => $value) {
goto H8EAI;
// Each branch condition jumps to a label instead of holding its body inline.
H8EAI: if ($value["163164141164x65"] == 1) {
goto Yn0N_;
}
goto sCZQr;
sCZQr: if ($value["x73x74141x74x65"] == 2) {
goto h23aY;
}
goto UDLmI;
UDLmI: $coupon[$key]["x73150x6f160"]["x6ex61155145"] = "xe9200x9a347x94250";
goto aaTT8;
aaTT8: goto KEerh;
// The goto below can never execute: the line above has already jumped away.
goto OdbV7;
OdbV7: Yn0N_: goto dMffH;
dMffH: $coupon[$key]["x73150157x70"] = pdo_get("x79x7ax78143160164137x73165156137163150157160", array("165x6e151x61x63x69144" => $_W["x75x6e151x61x63151x64"], "x69x64" => $value["163x69x64"]), array("x6e141155x65", "151163143157x75x70x6f156"));
goto x3KQl;
x3KQl: goto KEerh;
goto weAfu;
weAfu: h23aY: goto s8Iqg;
s8Iqg: $coupon[$key]["x73x68157x70"]["x6ex61x6dx65"] = "xe9x99x90351203250xe5210x86345225206345xaexb6344275xbf347224xa8";
goto PQvO4;
// KEerh is the common join point that all three branches jump to.
PQvO4: KEerh: goto oyZDv;
oyZDv: IyHnC: goto Gzoio;
Gzoio:
}
goto Fcg6E;
Fcg6E: I1y9r: goto GoLNC;
GoLNC: $info["x63157x75160x6fx6e"] = $coupon;
goto k3btY;
k3btY: $info["x73x65164"] = pdo_get("x79172170143x70164x5f163165x6ex5fx76x69160x63x61x72144x5fx73x65x74", array("165x6ex69141143x69144" => $_W["165156x69141143x69144"]));
goto vGEBd;
vGEBd: $info["165163x65162"] = pdo_get("171x7a170143160x74x5f163x75x6e137x75x73145162", array("151x64" => $_GPC["x75x69x64"], "165156151141143x69144" => $_W["x75156151x61x63151144"]));
goto UkXDm;
UkXDm: $this->return_msg(1, $info, "163x75x63143x65163x73");
goto GF5Hz;
GF5Hz:
}
}
```php
<?php
// String obfuscation decoded with the tool.
// Stage 2 of the walkthrough: every escaped literal is now plain text; the
// label/goto scaffolding is untouched.
defined("IN_IA") or exit("Access Denied");
class yzxcpt_sunModuleWxapp extends WeModuleWxapp
{
public function doPagecoupontlist()
{
goto RJq8z;
RJq8z: global $_GPC, $_W;
goto Fd00u;
Fd00u: $sid = $_GPC["sid"];
goto zEa5k;
zEa5k: $page = max(1, intval($_GPC["page"]));
goto h9fAf;
h9fAf: $size = intval($_GPC["length"]) ? intval($_GPC["length"]) : 10;
goto pZcKj;
// NOTE(review): $sid is taken from $_GPC without validation and interpolated
// into the SQL text, so the decoded module contains an SQL injection sink here.
// page and length pass through intval() before reaching the LIMIT clause.
pZcKj: $coupon = pdo_fetchall("select a.* from " . tablename("yzxcpt_sun_coupon") . "a left join " . tablename("yzxcpt_sun_shop_coupon") . "b on b.cid = a.id where b.sid = {$sid} and a.status=1 and a.checks = 1 and a.state!=1 and a.uniacid = " . $_W["uniacid"] . " and b.uniacid = " . $_W["uniacid"] . " limit " . ($page - 1) * $size . "," . $size);
goto vffZo;
vffZo: foreach ($coupon as $key => $value) {
goto H8EAI;
H8EAI: if ($value["state"] == 1) {
goto Yn0N_;
}
goto sCZQr;
sCZQr: if ($value["state"] == 2) {
goto h23aY;
}
goto UDLmI;
UDLmI: $coupon[$key]["shop"]["name"] = "通用";
goto aaTT8;
aaTT8: goto KEerh;
// Unreachable: the line above has already jumped to KEerh.
goto OdbV7;
OdbV7: Yn0N_: goto dMffH;
dMffH: $coupon[$key]["shop"] = pdo_get("yzxcpt_sun_shop", array("uniacid" => $_W["uniacid"], "id" => $value["sid"]), array("name", "iscoupon"));
goto x3KQl;
x3KQl: goto KEerh;
goto weAfu;
weAfu: h23aY: goto s8Iqg;
s8Iqg: $coupon[$key]["shop"]["name"] = "限部分商家使用";
goto PQvO4;
// KEerh is the join point reached from all three branches.
PQvO4: KEerh: goto oyZDv;
oyZDv: IyHnC: goto Gzoio;
Gzoio:
}
goto Fcg6E;
Fcg6E: I1y9r: goto GoLNC;
GoLNC: $info["coupon"] = $coupon;
goto k3btY;
k3btY: $info["set"] = pdo_get("yzxcpt_sun_vipcard_set", array("uniacid" => $_W["uniacid"]));
goto vGEBd;
// NOTE(review): uid is caller-supplied; nothing visible here ties it to the
// requesting session — confirm against the framework's auth handling.
vGEBd: $info["user"] = pdo_get("yzxcpt_sun_user", array("id" => $_GPC["uid"], "uniacid" => $_W["uniacid"]));
goto UkXDm;
UkXDm: $this->return_msg(1, $info, "success");
goto GF5Hz;
GF5Hz:
}
}
<?php
// goto order straightened out.
// Stage 3 of the walkthrough: statements are listed in execution order, so each
// sequential goto targets the label on the very next line; only the jumps out
// of the two if blocks and the jumps to KEerh still move elsewhere.
defined("IN_IA") or exit("Access Denied");
class yzxcpt_sunModuleWxapp extends WeModuleWxapp
{
public function doPagecoupontlist()
{
goto RJq8z;
RJq8z: global $_GPC, $_W;
goto Fd00u;
Fd00u: $sid = $_GPC["sid"];
goto zEa5k;
zEa5k: $page = max(1, intval($_GPC["page"]));
goto h9fAf;
h9fAf: $size = intval($_GPC["length"]) ? intval($_GPC["length"]) : 10;
goto pZcKj;
// NOTE(review): $sid reaches the SQL text straight from $_GPC (injection sink
// in the recovered code); page and length are cast with intval() first.
pZcKj: $coupon = pdo_fetchall("select a.* from " . tablename("yzxcpt_sun_coupon") . "a left join " . tablename("yzxcpt_sun_shop_coupon") . "b on b.cid = a.id where b.sid = {$sid} and a.status=1 and a.checks = 1 and a.state!=1 and a.uniacid = " . $_W["uniacid"] . " and b.uniacid = " . $_W["uniacid"] . " limit " . ($page - 1) * $size . "," . $size);
goto vffZo;
vffZo: foreach ($coupon as $key => $value) {
goto H8EAI;
// if-branch test: its body lives at label Yn0N_.
H8EAI: if ($value["state"] == 1) {
goto Yn0N_;
}
goto sCZQr;
// Second test on the same variable: its body lives at label h23aY.
sCZQr: if ($value["state"] == 2) {
goto h23aY;
}
goto UDLmI;
// Fall-through body, reached when neither test matched.
UDLmI: $coupon[$key]["shop"]["name"] = "通用";
goto aaTT8;
aaTT8: goto KEerh;
// Unreachable filler goto; OdbV7 is never jumped to from live code.
goto OdbV7;
OdbV7: Yn0N_: goto dMffH;
dMffH: $coupon[$key]["shop"] = pdo_get("yzxcpt_sun_shop", array("uniacid" => $_W["uniacid"], "id" => $value["sid"]), array("name", "iscoupon"));
goto x3KQl;
x3KQl: goto KEerh;
goto weAfu;
weAfu: h23aY: goto s8Iqg;
s8Iqg: $coupon[$key]["shop"]["name"] = "限部分商家使用";
goto PQvO4;
// Join point for all three branches, then the end of the loop body.
PQvO4: KEerh: goto oyZDv;
oyZDv: IyHnC: goto Gzoio;
Gzoio:
}
goto Fcg6E;
Fcg6E: I1y9r: goto GoLNC;
GoLNC: $info["coupon"] = $coupon;
goto k3btY;
k3btY: $info["set"] = pdo_get("yzxcpt_sun_vipcard_set", array("uniacid" => $_W["uniacid"]));
goto vGEBd;
vGEBd: $info["user"] = pdo_get("yzxcpt_sun_user", array("id" => $_GPC["uid"], "uniacid" => $_W["uniacid"]));
goto UkXDm;
UkXDm: $this->return_msg(1, $info, "success");
goto GF5Hz;
GF5Hz:
}
}
// 去掉goto思路
<?php
// Stage 4 of the walkthrough: the straight-line prologue has had its gotos
// removed; the loop body keeps them, annotated with the patterns that identify
// if / elseif / else.
defined("IN_IA") or exit("Access Denied");
class yzxcpt_sunModuleWxapp extends WeModuleWxapp
{
public function doPagecoupontlist()
{
global $_GPC, $_W;
$sid = $_GPC["sid"];
$page = max(1, intval($_GPC["page"]));
$size = intval($_GPC["length"]) ? intval($_GPC["length"]) : 10;
// NOTE(review): $sid is request input interpolated into the SQL text unescaped
// (injection sink in the recovered code); page and length are intval()-cast.
$coupon = pdo_fetchall("select a.* from " . tablename("yzxcpt_sun_coupon") . "a left join " . tablename("yzxcpt_sun_shop_coupon") . "b on b.cid = a.id where b.sid = {$sid} and a.status=1 and a.checks = 1 and a.state!=1 and a.uniacid = " . $_W["uniacid"] . " and b.uniacid = " . $_W["uniacid"] . " limit " . ($page - 1) * $size . "," . $size);
foreach ($coupon as $key => $value) {
goto H8EAI;
H8EAI: if ($value["state"] == 1) {
goto Yn0N_;
}
goto sCZQr;
sCZQr: if ($value["state"] == 2) {
goto h23aY;
}
/**
 * Label H8EAI above is immediately followed by an if block.
 * After that block comes `goto sCZQr;`,
 * and sCZQr is again an if block
 * testing the same variable, $value["state"].
 * From the code structure and the context, sCZQr is certainly the elseif.
 */
goto UDLmI;
UDLmI: $coupon[$key]["shop"]["name"] = "通用";
goto aaTT8;
aaTT8: goto KEerh;
//
/**
 * goto aaTT8;
 * aaTT8: is immediately followed by another jump, goto KEerh;
 * i.e. the shape
 *   goto LABEL;
 *   LABEL: goto OTHER;
 * which marks the end of the else branch.
 */
goto OdbV7;
OdbV7: Yn0N_: goto dMffH;
/**
 * goto LABEL1;
 * LABEL1: INNER: goto LABEL2;
 * (INNER is the label that is jumped to from inside the if's braces.)
 * This marks the end of LABEL1 and the start of INNER's body.
 */
dMffH: $coupon[$key]["shop"] = pdo_get("yzxcpt_sun_shop", array("uniacid" => $_W["uniacid"], "id" => $value["sid"]), array("name", "iscoupon"));
goto x3KQl;
x3KQl: goto KEerh;
/**
 * goto LABEL1;
 * LABEL1: goto LABEL2;
 * This shape always marks the end of a branch.
 * What tells it apart from else is the surrounding lines:
 * an if/elseif body opens with
 *   goto LABEL1;
 *   LABEL1: INNER: goto LABEL2;
 * whereas the else body has no such opening.
 */
goto weAfu;
weAfu: h23aY: goto s8Iqg;
s8Iqg: $coupon[$key]["shop"]["name"] = "限部分商家使用";
goto PQvO4;
PQvO4: KEerh: goto oyZDv;
oyZDv: IyHnC: goto Gzoio;
Gzoio:
}
goto Fcg6E;
Fcg6E: I1y9r: goto GoLNC;
GoLNC: $info["coupon"] = $coupon;
goto k3btY;
k3btY: $info["set"] = pdo_get("yzxcpt_sun_vipcard_set", array("uniacid" => $_W["uniacid"]));
goto vGEBd;
vGEBd: $info["user"] = pdo_get("yzxcpt_sun_user", array("id" => $_GPC["uid"], "uniacid" => $_W["uniacid"]));
goto UkXDm;
UkXDm: $this->return_msg(1, $info, "success");
goto GF5Hz;
GF5Hz:
}
}
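<?php
// Final result: string escapes decoded and every goto folded back into plain
// control flow.
defined("IN_IA") or exit("Access Denied");
class yzxcpt_sunModuleWxapp extends WeModuleWxapp
{
    /**
     * Sends one page of coupons for a shop, plus the vipcard settings row and
     * the requested user row, through return_msg().
     *
     * Request parameters read from $_GPC: sid, page, length, uid.
     *
     * Differences from the literally recovered code, which built the whole
     * query by string concatenation:
     *  - sid and uniacid are bound as query parameters instead of being
     *    spliced into the SQL text (sid was an SQL injection sink);
     *  - a zero or negative length falls back to 10 instead of reaching LIMIT;
     *  - $info is initialised before use, and a non-array query result is
     *    treated as an empty list.
     */
    public function doPagecoupontlist()
    {
        global $_GPC, $_W;

        $sid = $_GPC["sid"];
        $page = max(1, intval($_GPC["page"]));
        $size = intval($_GPC["length"]);
        if ($size <= 0) {
            $size = 10;
        }

        // Distinct placeholder names are used for the two uniacid comparisons so
        // the statement does not depend on the driver accepting a repeated name.
        // The LIMIT operands are integers by construction (intval/max above).
        $coupon = pdo_fetchall(
            "select a.* from " . tablename("yzxcpt_sun_coupon") . " a left join " . tablename("yzxcpt_sun_shop_coupon") . " b on b.cid = a.id where b.sid = :sid and a.status=1 and a.checks = 1 and a.state!=1 and a.uniacid = :a_uniacid and b.uniacid = :b_uniacid limit " . ($page - 1) * $size . "," . $size,
            array(
                ":sid" => $sid,
                ":a_uniacid" => $_W["uniacid"],
                ":b_uniacid" => $_W["uniacid"],
            )
        );
        if (!is_array($coupon)) {
            $coupon = array();
        }

        foreach ($coupon as $key => $value) {
            // NOTE(review): the query selects a.* with a.state!=1, so the first
            // branch looks unreachable for rows from this query; kept as recovered.
            if ($value["state"] == 1) {
                $coupon[$key]["shop"] = pdo_get("yzxcpt_sun_shop", array("uniacid" => $_W["uniacid"], "id" => $value["sid"]), array("name", "iscoupon"));
            } elseif ($value["state"] == 2) {
                $coupon[$key]["shop"]["name"] = "限部分商家使用";
            } else {
                $coupon[$key]["shop"]["name"] = "通用";
            }
        }

        $info = array();
        $info["coupon"] = $coupon;
        $info["set"] = pdo_get("yzxcpt_sun_vipcard_set", array("uniacid" => $_W["uniacid"]));
        // NOTE(review): uid is caller-supplied and nothing visible here ties it to
        // the requesting session, so any user row of this uniacid can be requested
        // — confirm whether the framework enforces that elsewhere.
        $info["user"] = pdo_get("yzxcpt_sun_user", array("id" => $_GPC["uid"], "uniacid" => $_W["uniacid"]));
        $this->return_msg(1, $info, "success");
    }
}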