又一個加密PHP腳本的解碼方法

原創 QQ635785620 2020-02-24 03:41
腳本的解碼方法

陽光男孩 發表於 2009-08-23

三個星期以前我發佈了一篇文章,介紹了base64加密的PHP腳本的解碼方法。前幾天,飛信好友行者又扔來了一段更加複雜、詭異的PHP腳本:

下載每一步的源代碼

//0.php
<?php 
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6
f%5f%73%61%64%66%70%6e%72');$OO00O0000=26408;$OOO0000O0=$OOO000000{4}.$OOO000000
{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000
000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$
OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';eval(($$O0O0000O0('JE9PME9PMDA
wMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09PMDAwMDAwezV
9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PME8wTzAwLCdyYic
pOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzAwMDAwMHs1fS4kT09
PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwMHsxNH0uJE9PTzAwMDA
wMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB7MjB9OyRPTzBPTzAwME8
oJE8wMDBPME8wMCwxMTgyKTskT08wME8wME8wPSgkT09PMDAwME8wKCRPTzBPTzAwTzAoJE9PME9PMDA
wTygkTzAwME8wTzAwLDkwOCksJ0kvTU5LQUNkVlJHUXlEV1VncTY4d3BrYXpMTzVsdG5tVEIrMGJ2OXV
IcnhGN1hTWTFFM2ZaaGlqYzRlMm9Kc1A9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZ
naGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));re
turn;?>
tiBr5CwHGMBrljDvtMTb6AqwwAJ8qpRkqpRmpbA6wh7uwZp6pbp6aZ4/8wwua6brR+zHVkp3LktrGMlH
GMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcrUiBFyuDH5jplQ9DY56voGMBlQ+rlaMcrUiEYziA7
OCJftMbuQMqVpAqgahDAwvLAwvJkgpR8k3t8qpRkqpRm8bADq6ttG6brmd1HGCvflipZGMqmwZp6pbp6
k3tVpAqgaZBUwhgua6brR+zHVkp3LktrGMlHGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcrUiBF
yuDH5jplQ9DY56voGMBlQ+rlaMcrUiEYziA7OCJftMbuQMqmwZp6pbp6k3tVpAqgaZBUwhgua6brG6vb
OkwHRomF3Fu81JU31P7TLCBBOk4B5+405iZTOC73liBYt6405iij1o2GHe3EYFazEsYGStUNH2r75iDB
5CBYlj6BH2UyZUG4S7Q3EsY/x7shwpC0S0gED8V1DMlrW3qU8fI18fI18fIJljq3ajRvlCEBziwHRhJm
qbvyqpJmR31+R3VSRKJU8f/UyKo1yMc+R3V7GMqU8Zo1yNI18fIHRKJUyKJUyN/UyMTb8Zo18Zo1yN/U
GMqUyNI18f/UyNI7RKJUyN/UyNI1yMb7RZbY8w4QgwDbpvRdwavKphpul8zctj/Fzary8fp7tC4XpKVF
yCRiWapVluBCDhB8k8AAyiLOOCvxzfqvy9JGlhIJR31ugwRNqKpCqZBR6bXy8w4UwAA6whqppvtzkprB
z9DbLkLuOCvxOiEX59J1laRftdpitjB4n0IEy0yZD8zjWNbFQ3lrG6brWiL05CJfL6Tb8fI1yKo18fI1
G8Xvt9A7GMqU8fI18fI18fIrW1==Ngr3LaAhOaRvGMlSQ+J05CAfl3J05i4SLkDZQu/HlMlrW1ZGOk40
5dpbL6TuQ+cYziEBljyYLCRmljA7Qu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyY(後面還有大量數據,省略)

其中,在“?>”後面的數據足有27KB(共27316字節)。顯然,這些數據並不是直接輸出給客戶端的,而要在服務端經過一定的處理。這27KB的數據看起來很像base64編碼,但是直接用base64_decode解碼得不到任何有意義的結果。

仔細觀察,在前面的PHP代碼部分有一個eval。那就按照上一篇文章的辦法,把它改成echo試試!

//1.php
<?php 
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6
f%5f%73%61%64%66%70%6e%72');$OO00O0000=26408;$OOO0000O0=$OOO000000{4}.$OOO000000
{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000
000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$
OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';echo(($$O0O0000O0('JE9PME9PMDA
wMD0kT09PMDAwMDAwezE3fS4kT09PMDAwMDAwezEyfS4kT09PMDAwMDAwezE4fS4kT09PMDAwMDAwezV
9LiRPT08wMDAwMDB7MTl9O2lmKCEwKSRPMDAwTzBPMDA9JE9PME9PMDAwMCgkT09PME8wTzAwLCdyYic
pOyRPTzBPTzAwME89JE9PTzAwMDAwMHsxN30uJE9PTzAwMDAwMHsyMH0uJE9PTzAwMDAwMHs1fS4kT09
PMDAwMDAwezl9LiRPT08wMDAwMDB7MTZ9OyRPTzBPTzAwTzA9JE9PTzAwMDAwMHsxNH0uJE9PTzAwMDA
wMHswfS4kT09PMDAwMDAwezIwfS4kT09PMDAwMDAwezB9LiRPT08wMDAwMDB7MjB9OyRPTzBPTzAwME8
oJE8wMDBPME8wMCwxMTgyKTskT08wME8wME8wPSgkT09PMDAwME8wKCRPTzBPTzAwTzAoJE9PME9PMDA
wTygkTzAwME8wTzAwLDkwOCksJ0kvTU5LQUNkVlJHUXlEV1VncTY4d3BrYXpMTzVsdG5tVEIrMGJ2OXV
IcnhGN1hTWTFFM2ZaaGlqYzRlMm9Kc1A9JywnQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZ
naGlqa2xtbm9wcXJzdHV2d3h5ejAxMjM0NTY3ODkrLycpKSk7ZXZhbCgkT08wME8wME8wKTs=')));re
turn;?>
/* 27316 bytes encoded data */

運行方式還是 wget http://localhost/1.php -O1.txt ,運行結果如下:

//1.txt
$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000
{19};if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');$OO0OO000O=$OOO000000{17}.$OOO
000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO000000{16};$OO0OO00O0=$OOO000000{14}.
$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{20};$OO0OO000O($O000O0O00,
1182);$OO00O00O0=($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,908),'I/MNKACdVRGQ
yDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJKLMNOPQRSTUVWX
YZabcdefghijklmnopqrstuvwxyz0123456789+/')));eval($OO00O00O0);

用1.txt的結果替換1.php中那個echo,得到:

//1a.php
<?php 
$OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6
f%5f%73%61%64%66%70%6e%72');$OO00O0000=26408;$OOO0000O0=$OOO000000{4}.$OOO000000
{9}.$OOO000000{3}.$OOO000000{5};$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000
000{13}.$OOO000000{16};$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$
OOO0000O0{7}.$OOO000000{5};$O0O0000O0='OOO0000O0';$OO0OO0000=$OOO000000{17}.$OOO
000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000{19};if(!0)$O000O0O00=$OO0OO00
00($OOO0O0O00,'rb');$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO0
00000{9}.$OOO000000{16};$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$
OOO000000{0}.$OOO000000{20};$OO0OO000O($O000O0O00,1182);$OO00O00O0=($OOO0000O0($
OO0OO00O0($OO0OO000O($O000O0O00,908),'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHr
xF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01
23456789+/')));eval($OO00O00O0);return;?>
/* 27316 bytes encoded data */

又看到了eval,那就再換成echo吧!遺憾的是,這樣做不能得到正確的結果。原因是:

  • 文件末有27KB的數據,這些數據應該包含了經過編碼的程序代碼。
  • 開頭的解碼腳本從__FILE__變量獲取當前執行的文件名,然後定位到27KB數據內部的某個位置(可能是開頭或中間),解碼並執行那些數據中蘊藏的程序。
  • 從0.php變換到1a.php的過程中,開頭的解碼腳本的長度被改變,造成不能定位到正確的位置。

在1a.php已經可以看到三個數字:26408、1182、908。但是,無法判斷這些數字將使解碼腳本定位到27KB數據的哪個位置。

老路行不通了!現在必須分析這段解碼腳本的流程。先把代碼整理一下:

<?php 
$OOO0O0O00=__FILE__;
$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%
6e%72');
$OO00O0000=26408;
$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO000000
{5};
$O0O0000O0='OOO0000O0';
$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO000000
{19};
if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');
$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO000000{
16};
$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{
20};
$OO0OO000O($O000O0O00,1182);
$OO00O00O0=($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,908),'I/MNKACdVRGQyDWUgq
68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJKLMNOPQRSTUVWXYZabcd
efghijklmnopqrstuvwxyz0123456789+/')));
eval($OO00O00O0);
return;
?>
/* 27316 bytes encoded data */

然後,便是一行行弄清解碼腳本中每個變量的值,這樣就可以看懂其流程。例如$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%70%6e%72');,可以在其後面加一句die($OOO000000);,就能看到這個變量的值是'th6sbehqla4co_sadfpnr'

對解碼腳本的分析結果是:

//1c.php
<?php 
$OOO0O0O00=__FILE__;

//$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%7
0%6e%72');
$OOO000000='th6sbehqla4co_sadfpnr';

$OO00O0000=26408;

//$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
//$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
//$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO0000
00{5};
$OOO0000O0='base64_decode';

$O0O0000O0='OOO0000O0';

//$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO0000
00{19};
$OO0OO0000='fopen';

//if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');
$O000O0O00=fopen($OOO0O0O00,'rb');

//$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO00000
0{16};
$OO0OO000O='fread';

//$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO00000
0{20};
$OO0OO00O0='strtr';

//$OO0OO000O($O000O0O00,1182);
fread($O000O0O00,1182);

/*$OO00O00O0=($OOO0000O0(
  $OO0OO00O0(
    $OO0OO000O($O000O0O00,908),
    'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);*/
$OO00O00O0=(base64_decode(
  strtr(
    fread($O000O0O00,908),
    'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);

eval($OO00O00O0);
return;
?>
/* 27316 bytes encoded data */

其中涉及文件操作的,也就是這幾句:

$OOO0O0O00=__FILE__;//獲取當前文件名
$O000O0O00=fopen($OOO0O0O00,'rb');//打開文件
fread($O000O0O00,1182);//跳過1182字節
$OO00O00O0=(base64_decode(
  strtr(
    fread($O000O0O00,908),
    'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);//讀取908字節,根據代碼表替換字符,base64解碼
eval($OO00O00O0);//執行解碼後的代碼

在1a.php中把eval替換爲echo之所以行不通,就是因爲這裏寫着的跳過1182字節。跳過1182字節是針對原始文件而言的,修改過後文件大小改變,需要跳過的字節數就不一定是1182字節了。現在,只要從原始文件中跳過1182字節後複製908字節,替換掉fread($O000O0O00,908),然後把eval換成echo就可以了。

不過,也許是因爲我得到文件已經被別人修改過,跳過1182字節後複製的數據無法正確解碼。我嘗試複製了那27KB數據開頭的908字節,纔看到了正確的結果。

//2.php
<?php 
$A='tiBr5CwHGMBrljDvtMTb6AqwwAJ8qpRkqpRmpbA6wh7uwZp6pbp6aZ4/8wwua6brR+zHVkp3Lktr
GMlHGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcrUiBFyuDH5jplQ9DY56voGMBlQ+rlaMcrUiEY
ziA7OCJftMbuQMqVpAqgahDAwvLAwvJkgpR8k3t8qpRkqpRm8bADq6ttG6brmd1HGCvflipZGMqmwZp6
pbp6k3tVpAqgaZBUwhgua6brR+zHVkp3LktrGMlHGMcxaMcrUiqHzkvSzk4lQ9DY56voGMBlQ+rlaMcr
UiBFyuDH5jplQ9DY56voGMBlQ+rlaMcrUiEYziA7OCJftMbuQMqmwZp6pbp6k3tVpAqgaZBUwhgua6br
G6vbOkwHRomF3Fu81JU31P7TLCBBOk4B5+405iZTOC73liBYt6405iij1o2GHe3EYFazEsYGStUNH2r7
5iDB5CBYlj6BH2UyZUG4S7Q3EsY/x7shwpC0S0gED8V1DMlrW3qU8fI18fI18fIJljq3ajRvlCEBziwH
RhJmqbvyqpJmR31+R3VSRKJU8f/UyKo1yMc+R3V7GMqU8Zo1yNI18fIHRKJUyKJUyN/UyMTb8Zo18Zo1
yN/UGMqUyNI18f/UyNI7RKJUyN/UyNI1yMb7RZbY8w4QgwDbpvRdwavKphpul8zctj/Fzary8fp7tC4X
pKVFyCRiWapVluBCDhB8k8AAyiLOOCvxzfqvy9JGlhIJR31ugwRNqKpCqZBR6bXy8w4UwAA6whqppvtz
kprBz9DbLkLuOCvxOiEX59J1laRftdpitjB4n0IEy0yZD8zjWNbFQ3lrG6brWiL05CJfL6Tb8fI1yKo1
8fI1G8Xvt9A7GMqU8fI18fI18fIrW1==';

$OO00O00O0=(base64_decode(
  strtr(
    $A,
    'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);

echo($OO00O00O0);
return;
?>


//2.txt
while(((isset($HTTP_SERVER_VARS['SERVER_NAME']))&&(!eregi('((.*\.)?dhainan\.com)
|((\.*\\.)?hk2shou\.com)|((\.*\\.)?localhost)',$HTTP_SERVER_VARS['SERVER_NAME'])
))||((isset($_SERVER['HTTP_HOST']))&&(!eregi('((.*\.)?dhainan\.com)|((\.*\\.)?hk
2shou\.com)|((\.*\\.)?localhost)',$_SERVER['HTTP_HOST']))))die('請使用域名 dhainan.co
m hk2shou.com訪問,本地請使用:localhost。程序購買請聯繫QQ:415204');$OO00O00O0=str_replace('__FIL
E__',"'".$OOO0O0O00."'",($OOO0000O0($OO0OO00O0($OO0OO000O($O000O0O00,$OO00O0000)
,'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=','ABCDEFGHIJ
KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'))));fclose($O000O0O00);e
val($OO00O00O0);

再次出現eval,還是沒有解完。將2.txt內容替換掉2.php的echo部分,然後再整理代碼、分析各變量:

//2a.php
<?php
$OOO0O0O00=__FILE__;

//$OOO000000=urldecode('%74%68%36%73%62%65%68%71%6c%61%34%63%6f%5f%73%61%64%66%7
0%6e%72');
$OOO000000='th6sbehqla4co_sadfpnr';

$OO00O0000=26408;

//$OOO0000O0=$OOO000000{4}.$OOO000000{9}.$OOO000000{3}.$OOO000000{5};
//$OOO0000O0.=$OOO000000{2}.$OOO000000{10}.$OOO000000{13}.$OOO000000{16};
//$OOO0000O0.=$OOO0000O0{3}.$OOO000000{11}.$OOO000000{12}.$OOO0000O0{7}.$OOO0000
00{5};
$OOO0000O0='base64_decode';

$O0O0000O0='OOO0000O0';

//$OO0OO0000=$OOO000000{17}.$OOO000000{12}.$OOO000000{18}.$OOO000000{5}.$OOO0000
00{19};
$OO0OO0000='fopen';

//if(!0)$O000O0O00=$OO0OO0000($OOO0O0O00,'rb');
$O000O0O00=fopen($OOO0O0O00,'rb');

//$OO0OO000O=$OOO000000{17}.$OOO000000{20}.$OOO000000{5}.$OOO000000{9}.$OOO00000
0{16};
$OO0OO000O='fread';

$OO0OO00O0=$OOO000000{14}.$OOO000000{0}.$OOO000000{20}.$OOO000000{0}.$OOO000000{
20};
$OO0OO00O0='strtr';

//$OO0OO000O($O000O0O00,1182);
fread($O000O0O00,1182);

/*$OO00O00O0=($OOO0000O0(
  $OO0OO00O0(
    $OO0OO000O($O000O0O00,908),
    'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);*/
$OO00O00O0=(base64_decode(
  strtr(
    fread($O000O0O00,908),
    'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
    'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    )
  )
);




/*
while (
  (
    (isset($HTTP_SERVER_VARS['SERVER_NAME']))
    &&
    (!eregi('((.*\.)?dhainan\.com)|((\.*\\.)?hk2shou\.com)|((\.*\\.)?localhost)'
,$HTTP_SERVER_VARS['SERVER_NAME']))
  )
  ||
  (
    (isset($_SERVER['HTTP_HOST']))
    &&
    (!eregi('((.*\.)?dhainan\.com)|((\.*\\.)?hk2shou\.com)|((\.*\\.)?localhost)'
,$_SERVER['HTTP_HOST']))
  )
) die('請使用域名 dhainan.com hk2shou.com訪問,本地請使用:localhost。程序購買請聯繫QQ:415204');
*/


/*
$OO00O00O0=str_replace(
  '__FILE__',
  "'".$OOO0O0O00."'",
  ($OOO0000O0(
    $OO0OO00O0(
      $OO0OO000O($O000O0O00,$OO00O0000),
      'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
      )
    )
  )
);*/
$OO00O00O0=str_replace(
  '__FILE__',
  "'".$OOO0O0O00."'",
  (base64_decode(
    strtr(
      fread($O000O0O00,26408),
      'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
      )
    )
  )
);
fclose($O000O0O00);
eval($OO00O00O0);
?>

那段判斷域名的代碼已經註釋掉了。有用的就是最後一段:

# 先前已經打開文件,定位到27KB數據開頭,讀取908字節
$OO00O00O0=str_replace(
  '__FILE__',
  "'".$OOO0O0O00."'",
  (base64_decode(
    strtr(
      fread($O000O0O00,26408),
      'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
      )
    )
  )
);//讀取26408字節,根據代碼表替換字符,base64解碼,把__FILE__替換爲真正的當前文件名
fclose($O000O0O00);//關閉文件
eval($OO00O00O0);//執行代碼

處理方法就很明顯了,從原始文件的27KB數據開頭起,跳過908字節,複製26408字節,替換掉fread($O000O0O00,26408),eval換成echo。前面那次解碼使用的代碼也需要刪除,但是$OOO0O0O00=__FILE__;這句要留着,因爲str_replace裏用到了這個變量。

//3.php
<?php
$OOO0O0O00=__FILE__;

$A='Ngr3LaAhOaRvGMlSQ+J05CAfl3J05i4SLkDZQu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyYLCRm
ljA7Qu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyYziJSL9vuQu/HlMlrW1ZGOk405dpbL6TuQ+cYziEB
ljyYziEBljySlCB1R3b2Ngrr59D7tkqvGMlSQ+J05CAfl3Jhlip3Qu/HlMlrW1ZGOk405dpbL6TuQ+cY
ziEBljyY8kpXz9p38CpiLk1SlCB1R3b2Ngrr59D7tkqvGMlSQ+J05CAfl3JEaiLh59DZOkJSl341OdIu
G87DM9vSziEhLCwHR3cSQiD7zaDfQjAr59LYLupSQu/HlMlrW1ZGOk405dpbL6TuQ+cYziEBljyYziBv
ziXvLCv1Qu/HlMlrW1ZGRCEr597JLCRmziJS59p0tMTrW1ZGRCpXlCv3L8hSLalT5avflkEEtkp3n6Tr
W1ZGRARvtdp35bvgUkDHLkDFLkqrlMTrW1ZGOkzHRd/hz9ErzhJ3k3tBLCqSLatfaiJFRhZrNgr2Ngr1
l9vStCp3l9J3GMtW5jqUlCpSghAR59LYR31uR31EG87DMuZDM+q05CAflivbU6Br5ugrRAJdqpq5RiD7
zaDfOkgua87DM+qxn9Lv59EvOkLYl9ZJR3l2NgHblirmziEBljDrLNhBluRBn6TuW8zuQMl4D3l7Rfbc
R31uW8buQMlEyNIuQMlEyNKuQMlEyNVuQMlEyNyuQMlEyNguQMlEyNwuQMlEyNzuQMlEyNluQMlEyNTu
QMlEyNbuQMlEy8IuQMlEy8KuQMlEy8VuQMlEy8yuQMlEy8guQMlEy8wuQMlEy8zuQMl4R31uy8yZR31u
y8yhR31uy8yiR31uy8yjR31uy8ycR31uy8y4R31uy8gfR31uy8ghR31uy8giR31uy8gjR31uy8gcR31u
y8g4R31uy8w1R31uy8wfR31uy8wZR31uy8wiR31uy8wjR31uy8IuQMlED8TuQMl(後面還有大量數據,省略)';


$OO00O00O0=str_replace(
  '__FILE__',
  "'".$OOO0O0O00."'",
  (base64_decode(
    strtr(
      $A,
      'I/MNKACdVRGQyDWUgq68wpkazLO5ltnmTB+0bv9uHrxF7XSY1E3fZhijc4e2oJsP=',
      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
      )
    )
  )
);
echo($OO00O00O0);
?>

又一次 wget http://localhost/3.php -O3.txt ,獲得最終結果!

//3.txt

require('../class/connect.php');
include('../class/db_sql.php');
include('../class/config.php');
include('../class/class.php');
include('../class/user.php');
include('../class/MemberLevel.php');
include('../class/q_functions.php');
include('../class/qinfofun.php');
include('../class/checkedip.php');
$link=db_connect();
$empire=new mysqlquery();
$ReturnIP=checkedip();
if($public_r['addnews_ok'])
{
printerror('NotOpenCQInfo','',1);
}
$classid=(int)$_GET['classid'];
$jzfenleiform='';
$sj_classid=array('96','97','98','99','100','101','102','103','104','105','106',
'107','108','109','110','111','112','113','114','115','116','9','134','135','136
','137','138','139','143','145','146','147','148','149','150','153','154','156',
'157','10','158','159','160','161','162','163','164','165','166','167','168','16
9','170','171','11','172','173','174','175','176','179','180','181','182','183',
'184','185','186','189','190','191');
in_array($classid,$sj_classid)?$jzfenleiform='/sjpp.html':$jzfenleiform='/post.h
tml';
$cate='';
$job_array=array('65','66','67','68','69','70','71','72','73','74','75','80','81
','82','117','119','120','121','122','126','133');
$sale_array=array('22','23','24','25','26','27','28','29','30','31','32','33','3
6','37','38');
$car_array=array('83','84');
$marry_array=array('42','43','44');
if (in_array($classid,$job_array))
{
$cate='<tr><td align="right" valign="top"></td><td><input name="cate" id="cate" 
type="radio" value="招聘" checked="checked"><label for="cate">招聘</label><input nam
e="cate" id="cate1" type="radio" value="求職"><label for="cate1">求職</label></td></
tr>
<tr>
        <td width="14%" align="right"><span class="redn">*</span> <strong>學 歷:</
strong></td>
        <td width="86%"><select name="edu" id="edu"><option value="不限">不限</optio
n><option value="高中/中專">高中/中專</option><option value="大專">大專</option><option valu
e="本科">本科</option><option value="碩士以上">碩士以上</option></select>&nbsp;&nbsp;&nbsp;<
span class="redn">*</span> <b>薪資:</b><input name="jiage" type="text" size=4 id="
jiage" value="" onKeyUp="value=value.replace(/\D+/g,\'\')"> 元/月&nbsp;&nbsp;&nbsp
;<span class="redn">*</span>  <b>專業</b> <input name="zhuanye" type="text" id="zh
uanye" value="" size="8"> 
<span class="notes">如:藝術設計</span></td>
      </tr>';
}
elseif (in_array($classid,$sale_array))
{
$cate='<tr><td align="right"></td><td><input name="cate" id="cate" type="radio" 
value="出售" checked="checked"><label for="cate">出售</label><input name="cate" id="
cate1" type="radio" value="求購"><label for="cate1">求購</label><input name="cate" i
d="cate2" type="radio" value="交換"><label for="cate2">交換</label></td></tr>      <
tr>
        <td width="14%" align="right"><span class="redn">*</span> <strong>成 色:</
strong></td>
        <td width="86%"><select name="chengse" id="chengse"><option value="全新">全
新</option><option value="99成新">99成新</option><option value="95成新">95成新</option><o
ption value="9成新">9成新</option><option value="8成新">8成新</option><option value="7成新
">7成新</option><option value="6成以下">6成以下</option></select>&nbsp;&nbsp;&nbsp;<span
 class="redn">*</span> <b>價格:</b><input name="jiage" type="text" size=4 id="jiag
e" value="" onKeyUp="value=value.replace(/\D+/g,\'\')"> 元</td>
      </tr>';
}
elseif (in_array($classid,$car_array))
{
$cate='<tr><td align="right" valign="top"></td><td><input name="cate" id="cate" 
type="radio" value="出售" checked="checked"><label for="cate">出售</label><input nam
e="cate" id="cate1" type="radio" value="求購"><label for="cate1">求購</label></td></
tr><tr>
        <td width="14%" align="right"><span class="redn">*</span> <strong>成 色:</
strong></td>
        <td width="86%"><select name="chengse" id="chengse"><option value="全新">全
新</option><option value="99成新">99成新</option><option value="95成新">95成新</option><o
ption value="9成新">9成新</option><option value="8成新">8成新</option><option value="7成新
">7成新</option><option value="6成以下">6成以下</option></select> <b>價格:</b><input name=
"jiage" type="text" size=4 id="jiage" value="" onKeyUp="value=value.replace(/\D+
/g,\'\')"> 元</td>
      </tr>';
}
elseif (in_array($classid,$marry_array))
{
$cate='<tr bgcolor="#CFE4A3">
  <td align="right"><span class="redn">*</span> <strong>我的性別:</strong></td>
  <td><input name="mysex" type="radio" id="mysex" value="男" checked="checked"><l
abel for="mysex">男</label> <input name="mysex"  id="mysex" type="radio" value="女
"><label for="mysex">女</label>&nbsp;年齡:<input name="myage" type="text" size=3 id
="myage"> 歲&nbsp;身高:<input name="myhight" type="text" id="myhight" value="" size
="3"> CM&nbsp;戶籍:<select name="myhuji" id="myhuji"><option value="保密">保密</option
><option value="北京">北京</option><option value="天津">天津</option><option value="河北">
河北</option><option value="山西">山西</option><option value="內蒙古">內蒙古</option><option
 value="遼寧">遼寧</option><option value="吉林">吉林</option><option value="黑龍江">黑龍江</op
tion><option value="上海">上海</option><option value="江蘇">江蘇</option><option value="
浙江">浙江</option><option value="安徽">安徽</option><option value="福建">福建</option><opti
on value="江西">江西</option><option value="山東">山東</option><option value="河南">河南</op
tion><option value="湖北">湖北</option><option value="湖南">湖南</option><option value="
廣東">廣東</option><option value="廣西">廣西</option><option value="海南">海南</option><opti
on value="重慶">重慶</option><option value="四川">四川</option><option value="貴州">貴州</op
tion><option value="雲南">雲南</option><option value="西藏">西藏</option><option value="
陝西">陝西</option><option value="甘肅">甘肅</option><option value="青海">青海</option><opti
on value="寧夏">寧夏</option><option value="新疆">新疆</option><option value="港澳臺">港澳臺</
option><option value="外籍">外籍</option></select>&nbsp;學歷:<select name="myedu" id="
myedu"><option value="保密">保密</option><option value="高中/中專">高中/中專</option><option
 value="大專">大專</option><option value="本科">本科</option><option value="碩士以上">碩士以上</
option></select></td></tr>
        <tr bgcolor="#EFC5ED">
        <td width="14%" align="right" height="25"><span class="redn">*</span> <s
trong>對方要求:</strong></td>
        <td width="86%" height="25"><input name="sex" id="sex" type="radio" valu
e="男"><label for="sex">男</label> <input name="sex"  id="sex" type="radio" value=
"女"><label for="sex">女</label>&nbsp;年齡:<select name="age" id="age"><option value
="不限">不限</option><option value="0-15歲">0-15歲</option><option value="16-22歲">16-2
2歲</option><option value="20-30歲">20-30歲</option><option value="31-40歲">31-40歲</
option><option value="40-無限">40-無限</option></select>&nbsp;身高:<select name="hight
" id="hight"><option value="不限">不限</option><option value="145CM以下">145CM以下</opti
on><option value="145-155CM">145-155CM</option><option value="155-165CM">155-165
CM</option><option value="165-175CM">165-175CM</option><option value="175-185CM"
>175-185CM</option><option value="185CM以上">185CM以上</option></select>&nbsp;戶籍:<se
lect name="huji" id="huji"><option value="不限">不限</option><option value="北京">北京</
option><option value="天津">天津</option><option value="河北">河北</option><option value
="山西">山西</option><option value="內蒙古">內蒙古</option><option value="遼寧">遼寧</option><
option value="吉林">吉林</option><option value="黑龍江">黑龍江</option><option value="上海">
上海</option><option value="江蘇">江蘇</option><option value="浙江">浙江</option><option v
alue="安徽">安徽</option><option value="福建">福建</option><option value="江西">江西</option
><option value="山東">山東</option><option value="河南">河南</option><option value="湖北">
湖北</option><option value="湖南">湖南</option><option value="廣東">廣東</option><option v
alue="廣西">廣西</option><option value="海南">海南</option><option value="重慶">重慶</option
><option value="四川">四川</option><option value="貴州">貴州</option><option value="雲南">
雲南</option><option value="西藏">西藏</option><option value="陝西">陝西</option><option v
alue="甘肅">甘肅</option><option value="青海">青海</option><option value="寧夏">寧夏</option
><option value="新疆">新疆</option><option value="港澳臺">港澳臺</option><option value="外籍
">外籍</option></select>&nbsp;學歷:<select name="edu" id="edu"><option value="不限">不限
</option><option value="高中/中專">高中/中專</option><option value="大專">大專</option><opti
on value="本科">本科</option><option value="碩士以上">碩士以上</option></select></td>
      </tr>';
}
$house='';
$chu_array=array('12','13','14','17','18','19');
$mai_array=array('15','16');
if (in_array($classid,$chu_array))
{
$house='<input name="jiage" type="text" id="jiage" size="4" onKeyUp="value=value
.replace(/\D+/g,\'\')"> 元/月';
}
elseif  (in_array($classid,$mai_array))
{
$house='<input name="jiage" type="text" id="jiage" size="4" onKeyUp="value=value
.replace(/\D+/g,\'\')"> 萬元';
}
$mid=(int)$_GET['mid'];
if(empty($classid)||empty($mid))
{
printerror('EmptyQinfoCid','',1);
}
$enews=$_GET['enews'];
if(empty($enews))
{
$enews='MAddInfo';
}
$muserid=(int)getcvar('mluserid');
$guserid=(int)getcvar('mluserid');
$musername=getcvar('mlusername');
$mrnd=getcvar('mlrnd');
$showkey='';
$r['newstext']='';
if($muserid)
{
$memberinfor=$empire->fetch1('select u.*,ui.* from '.$user_tablename." u LEFT JO
IN {$dbtbpre}enewsmemberadd ui ON u.{$user_userid}=ui.userid where u.{$user_user
id}='$muserid' limit 1");
}
if($enews=='MAddInfo')
{
$cr=DoQCheckAddLevel($classid,$muserid,$musername,$mrnd,0,1);
$mr=$empire->fetch1("select qenter,qmname,tobrf from {$dbtbpre}enewsmod where mi
d='$cr[modid]'");
if(empty($mr['qenter']))
{
printerror('NotOpenCQInfo','history.go(-1)',1);
}
$ecmsfirstpost=1;
$word='您當前選擇的分類是:';
$rechangeclass="&nbsp;&nbsp;<span class='px12'>[<a href='$jzfenleiform'>更改分類</a>
]</span>";
if($cr['qaddshowkey'])
{
$showkey="<tr>
      <td width=\"13%\" align=\"right\"  valign=\"top\"><span class=\"redn\">*</
span> <strong>驗證碼:</strong></td>
      <td width=\"87%\"><input name=\"key\" type=\"text\" size=\"6\"> <img src=\
"../ShowKey?ecms\"></td></tr>";
}
$imgwidth=0;
$imgheight=0;
if(strstr($mr['qenter'],'morepic<'))
{
$morepicnum=3;
$morepicpath="<table width='100%' border=0 align=center cellpadding=3 cellspacin
g=1>
    <tr> 
      <td width='7%'><div align=center>1</div></td>
      <td width='33%'><div align=center>
      <input name=msmallpic[] type=text id=msmallpic[] size=28>
      </div></td>
      <td width='30%'><div align=center>
      <input name=mbigpic[] type=text id=mbigpic[] size=28>
      </div></td>
      <td width='30%'><div align=center>
      <input name=mpicname[] type=text id=mpicname[]>
      </div></td>
    </tr>
    <tr> 
      <td><div align=center>2</div></td>
      <td><div align=center>
      <input name=msmallpic[] type=text id=msmallpic[] size=28>
      </div></td>
      <td><div align=center>
      <input name=mbigpic[] type=text id=mbigpic[] size=28>
      </div></td>
      <td><div align=center>
      <input name=mpicname[] type=text id=mpicname[]>
      </div></td>
    </tr>
    <tr> 
      <td><div align=center>3</div></td>
      <td><div align=center>
      <input name=msmallpic[] type=text id=msmallpic[] size=28>
      </div></td>
      <td><div align=center>
      <input name=mbigpic[] type=text id=mbigpic[] size=28>
      </div></td>
      <td><div align=center>
      <input name=mpicname[] type=text id=mpicname[]>
      </div></td>
    </tr></table>";
}
$filepass=time();
}
else
{
$word='修改信息';
$ecmsfirstpost=0;
$id=(int)$_GET['id'];
if(empty($id))
{
printerror('EmptyQinfoCid','',1);
}
$cr=DoQCheckAddLevel($classid,$muserid,$musername,$mrnd,1,0);
$mr=$empire->fetch1("select qenter,qmname,tobrf from {$dbtbpre}enewsmod where mi
d='$cr[modid]'");
if(empty($mr['qenter']))
{
printerror('NotOpenCQInfo','history.go(-1)',1);
}
$r=CheckQdoinfo($classid,$id,$muserid,$cr['tbname'],$cr['adminqinfo'],1);
$imgwidth=170;
$imgheight=120;
$morepicpath='';
if(strstr($mr['qenter'],'morepic<'))
{
$morepicnum=0;
if($r[morepic])
{
$r[morepic]=stripSlashes($r[morepic]);
$j=0;
$pd_record=explode("\r\n",$r[morepic]);
for($i=0;$i<count($pd_record);$i++)
{
$j=$i+1;
$pd_field=explode('::::::',$pd_record[$i]);
$morepicpath.="<tr> 
  <td width='7%'><div align=center>".$j."</div></td>
    <td width='33%'><div align=center>
        <input name=msmallpic[] type=text value='".$pd_field[0]."' size=28>
      </div></td>
    <td width='30%'><div align=center>
        <input name=mbigpic[] type=text value='".$pd_field[1]."' size=28>
      </div></td>
    <td width='30%'><div align=center>
        <input name=mpicname[] type=text value='".$pd_field[2]."'><input type=hi
dden name=mpicid[] value=".$j.'><input type=checkbox name=mdelpicid[] value='.$j
.'>刪
      </div></td></tr>';
}
$morepicnum=$j;
$morepicpath="<table width='100%' border=0 cellspacing=1 cellpadding=3>".$morepi
cpath.'</table>';
}
}
$filepass=$id;
}
$tbname=$cr['tbname'];
esetcookie('qeditinfo','dgcms');
$classurl=sys_ReturnBqClassname($cr,9);
$postclass="<a href='".$classurl."' target='_blank'><span class='redb'>".$class_
r[$classid]['classname'].'</span></a>'.$rechangeclass;
if($cr['bclassid'])
{
$bcr['classid']=$cr['bclassid'];
$bclassurl=sys_ReturnBqClassname($bcr,9);
$postclass="<a href='".$bclassurl."' target=_blank><span  class='redb'>".$class_
r[$cr['bclassid']]['classname'].'</span></a>&nbsp;->&nbsp;'.$postclass;
}
$url="<a href='../../'>首頁</a>&nbsp;>&nbsp;<a href='../member/cp'>控制面板</a>&nbsp;>
&nbsp;<a href='ListInfo.php?mid=".$cr['modid']."'>管理信息</a>&nbsp;>&nbsp;".$word.'
&nbsp;('.$mr[qmname].')';
if(strstr($mr['qenter'],'playerid<'))
{
$player_sql=$empire->query("select id,player from {$dbtbpre}enewsplayer");
while($player_r=$empire->fetch($player_sql))
{
$select_player='';
if($r[playerid]==$player_r[id])
{
$select_player=' selected';
}
$player_class.="<option value='".$player_r[id]."'".$select_player.'>'.$player_r[
player].'</option>';
}
}
if(strstr($mr['qenter'],'newstext<'))
{
$htmlareacode="<script type=\"text/javascript\">
      _editor_url = \"../data/htmlarea\";
      _editor_lang = \"en\";
  </script>
  <script type=\"text/javascript\" src=\"../data/htmlarea/htmlarea.php?userid=$m
userid&username=$musername&rnd=$mrnd&classid=$classid&filepass=$filepass\"></scr
ipt>
  <script type=\"text/javascript\" src=\"../data/htmlarea/plugins/FullPage/full-
page.js\"></script>
  <script type=\"text/javascript\" src=\"../data/htmlarea/plugins/FullPage/lang/
en.js\"></script>
  <script type=\"text/javascript\">
  //HTMLArea.loadPlugin(\"FullPage\");
  var editor = null;
  function initEditor() {
    editor = new HTMLArea(\"newstext\");
    editor.registerPlugin(FullPage);
    editor.generate();
    document.all['title'].focus();
    return false;
  }
  function InsertFile(html){
    editor.focusEditor();
    editor.insertHTML(html);
  }
    </script>";
$onload='<script>initEditor();</script>';
}
if(empty($musername))
{
$musername='遊客發佈&nbsp;<a href=../e/member/login class=px12>登陸</a>&nbsp;<a href=/
e/member/register class=px12>註冊</a>';
}
if (empty ($guserid))
{
$guserid="<tr><td align=\"right\" valign=\"top\"><strong>信息密碼:</strong></td>
        <td><input name=\"password\" type=\"text\" id=\"password\" value=\"\"> <
span class=\"notes\">憑此密碼您可以隨時刪除您發佈的信息</span></td></tr>";
}
else
{
$guserid='';
}
$cnews='';
$new_classid=array('64');
in_array($classid,$new_classid)?$cnews='<script>
function bs(){
  var f=document.add
  if(f.title.value.length==0){alert("標題還沒寫");f.title.focus();return false;}
  if(f.classid.value==0){alert("請選擇欄目");f.classid.focus();return false;}
}
function foreColor(){
  if(!Error())  return;
  var arr = showModalDialog("../e/data/html/selcolor.html", "", "dialogWidth:18.
5em; dialogHeight:17.5em; status:0");
  if (arr != null) document.add.titlecolor.value=arr;
  else document.add.titlecolor.focus();
}
function FieldChangeColor(obj){
  if(!Error())  return;
  var arr = showModalDialog("../e/data/html/selcolor.html", "", "dialogWidth:18.
5em; dialogHeight:17.5em; status:0");
  if (arr != null) obj.value=arr;
  else obj.focus();
}
</script>':$cnews='';
$modfile='../data/html/q'.$cr['modid'].'.php';
include('../data/template/cp_3.php');
;echo '';echo $cnews;echo '';echo $htmlareacode;echo '<noscript>
<iframe src=*.htm></iframe>
</noscript>
<script language=javascript src="PopupCalendar.js"></script>
<script>
var oCalendarEn=new PopupCalendar("oCalendarEn");    //初始化控件時,請給出實例名稱如:oCalendar
En
oCalendarEn.Init();
var oCalendarChs=new PopupCalendar("oCalendarChs");    //初始化控件時,請給出實例名稱:oCalenda
rChs
oCalendarChs.weekDaySting=new Array("日","一","二","三","四","五","六");
oCalendarChs.monthSting=new Array("一月","二月","三月","四月","五月","六月","七月","八月","九月","
十月","十一月","十二月");
oCalendarChs.oBtnTodayTitle="今天";
oCalendarChs.oBtnCancelTitle="取消";
oCalendarChs.Init();
</script>
<script language="javascript" type="text/javascript">

var annonymous = true;
function checkForm()
{
  var frm;
  frm = document.getElementById("add");
  
  if(frm.title.value == ""){
    alert("標題不能爲空!");
    frm.title.focus();
    return false;
  }
  
  if(frm.title.value.length < 3){
    alert("標題太短,至少3個字符以上!");
    frm.title.focus();
    return false;
  }
  
  if(frm.smalltext.value == ""){
    alert("信息內容不能爲空!");
    frm.smalltext.focus();
    return false;
  }
  
  if(frm.smalltext.value.length < 10){
    alert("信息內容太短,至少10個字符以上!");
    frm.smalltext.focus();
    return false;
  }
  
  //if(frm.phone1.value == ""){
  //  alert("手機/電話號碼不能爲空!");
  //  frm.phone1.focus();
  //  return false;
  //}
  //    var myreg = /^(((13[0-9]{1})|159)+\\d{8})$/;
    //if(!myreg.test(frm.phone1.value))
    //{
    //    alert(\'請輸入合法的手機/電話號碼!\');
    //    frm.phone1.focus();
    //    return false;
    //} 
  
  if(frm.gqtime.value == ""){
    alert("請選擇信息有效時間!");
    frm.gqtime.focus();
    return false;
  }
  
  if(frm.gqtime.value.length < 8){
    alert("輸入格式不正確,格式:2007-08-01!");
    frm.gqtime.focus();
    return false;
  }
  if(frm.cncode.value == ""){
    alert("請填寫驗證碼!");
    frm.cncode.focus();
    return false;
  }

  return true;
}
</script>
<form name="add" id="add" method="POST" enctype="multipart/form-data" action="ec
ms.php" οnsubmit="return checkForm()">
<input type=hidden value=';echo $enews;echo ' name=enews> <input type=hidden val
ue=';echo $classid;echo ' name=classid> 
<input name=id type=hidden id="id" value=';echo $id;echo '> <input type=hidden v
alue="';echo $filepass;echo '" name=filepass> 
<input name=mid type=hidden id="mid" value=';echo $mid;echo '>
<input type=hidden value=jzfenleiform name="';echo $jzfenleiform;echo '">

<table width="80%" border="0" align="center" cellpadding="4" cellspacing="4" sty
le="font-size:14px">
      <tr>
        <td colspan="2"> ';echo $word;echo ' <span class="px14">';echo $postclas
s;echo '</span></td>
      </tr>
      <!--tr>
        <td width="13%" align="right" valign="top"><strong>發佈者:</strong></td>
        <td width="87%"><font color=red>';echo $musername;echo '</font></td>
      </tr-->
 
      ';
@include($modfile);
;echo ' ';echo $showkey;echo ' ';echo $ReturnIP;echo '      <tr>
        <td align="center">&nbsp;</td>
        <td><input type="submit" name="addnews" value="  發佈信息  " class="bigbutto
n"></td>
      </tr>
   
    </form>
  </td>
  </tr>
</table>
<div class="mw">
';
db_close();
$empire=null;
include('../data/template/cp_4.php');
echo $onload;

看來是某分類信息發佈程序的一個頁面。PHP是一個自由、開源的世界,將代碼弄成這樣,影響執行效率、不便於修改,何必呢?

下載每一步的源代碼

好吧,我已經寫了兩篇有關PHP解碼的文章了,最近不會再有更多的相關文章了。如果你遇到了一段被編碼的PHP腳本,最好的處理辦法就是不使用這個程序。對一切有違自由、開源精神的PHP程序,請各位自覺抵制。

2010-05-06更新:本文介紹的PHP代碼,是用 微盾PHP腳本加密專家 加密產生了。我製作了一個PHP解密工具,可以解密PHP腳本,包括本文提到的腳本,歡迎試用

from :http://yoursunny.com/t/2009/PHP-decode-2/

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

常用Linux命令、包括vi 、svn

PS: http://man.linuxde.net/vi /etc/init.d/network restart //=========================================== 更新腳本 cd /www/scr

Ocean_K 2023-08-15 21:24:17

幾種網絡異常的原因

低級錯誤 文件名和類名 不一致,導致找不到類 這種最好不要複製粘貼,而是用命令生成文件.  複製粘貼太容易出錯了. 數據庫連接端口寫錯了,結果頁面總是超時, 記住:沒開啓報錯,  遇到錯誤先開啓報錯,查日誌 // .html結尾的,或者一些

原創 2023-02-27 21:46:28

寫好php程序

編寫安全的代碼,做好輸入校驗過濾, 空值情況,邊界條件 可讀性好,別人容易接手.易展性,可維護. 持續優化,重構 不使用引用 ,會造成不可預知的錯誤. unset 只是取消引用,不會銷燬空間; 考慮 php版本兼容問題

原創 2023-02-27 21:46:24

JetBrains 官宣:PHP 基金會成立

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

闫园园 2021-11-23 17:28:57

服務器端編程語言報告出爐,PHP 獨佔鰲頭十幾年

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragr

辛晓亮 2021-09-14 16:43:53

PHP沒你想的那麼糟糕

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

Iain Cambridge 2021-07-28 14:58:50

PHP Git服務器被入侵,黑客向源代碼中添加後門

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

万佳 2021-03-31 13:03:50

InfoQ 編程語言 2 月排行榜,更好的投票活動來了

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

InfoQ 中文站 2021-03-22 18:34:58

基於Thrift的java和PHP互相調用範例

首先我們看看 Thrift是什麼? thrift是一個軟件框架,用來進行可擴展且跨語言的服務的開發。它結合了功能強大的軟件堆棧和代碼生成引擎,以構建在 C++, Java, Go,Python, PHP, Ruby, Erlang, Per

原創 2021-02-01 09:08:26

php中??和?:區別

??和?:區別: $headerVal = 0; $this->params = $headerVal ?? 2; 相當於 isset($headerVal) ? $headerVal : 2; //結果是0 $this->params

原創 2021-01-30 10:16:08

php函數in_array()被你忽略的東西.

php函數in_array()在未啓用嚴格模式情況下,廢話不多說直接上代碼,如下: #php.net官網實例 $array = array( 'egg' => true, 'cheese' => false, 'hair' => 76

原創 2021-01-30 10:16:08

phpDoc reference

PHPDoc reference @api 表示這是一個提供給第三方使用的API接口 @author 作者 [@author](https://my.oschina.net/arthor) 名稱 <郵箱> 例 [@author](https

原創 2021-01-30 10:16:08

PHP規範PSR2

PSR標準 - PSR-2 爲了儘可能的提升閱讀其他人代碼時的效率,下面例舉了一系列的通用規則,特別是有關於PHP代碼風格的。 各個成員項目間的共性組成了這組代碼規範。當開發者們在多個項目中合作時,本指南將會成爲所有這些項目中共用的一組代碼

技客大爆炸 2021-01-30 10:16:08

InfoQ 編程語言1月排行榜:邀你投票

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

InfoQ 中文站 2021-01-21 17:28:56

2021年最值得學習的10種編程語言

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"typ

Statistics and Data 2021-01-19 14:13:58