http://pastebin.com/9GtgXwAe первый - это c99madshell 1.0 shadow edition http://pastebin.com/f5imRHeT второй битый,с третьим я хз что делать
Его первая часть читает картинки из директории и вываливает в браузер. Второй кусок читает файлы из какой-то другой директории, предварительно заменяя одну ссылку на другую в считанном содержимом. Эти моменты, кстати, уязвимы, так как проверок вообще нет никаких.
#RewriteRule ^(auto/)$ /index.php?level=20 [R] #RewriteRule ^(\x{D0}\x{B0}\x{D0}\x{B2}\x{D1}\x{82}\x{D0}\x{BE}/)$ /index.php [R] что за шифр во 2 строчке? пс. Можно зашифровать php скрипт примерно так? = <? blbabla code ( тут половина скрипта) потом инклайд вторую часть со своего домена ?> ???
Народ, по какому алгоритму шифруют эти 2 функции? Code: function __if_az(_if_fh,_if_ey) { var _i_ad=[0x1010400,0,0x10000,0x1010404,0x1010004,0x10404,0x4,0x10000,0x400,0x1010400,0x1010404,0x400,0x1000404,0x1010004,0x1000000,0x4,0x404,0x1000400,0x1000400,0x10400,0x10400,0x1010000,0x1010000,0x1000404,0x10004,0x1000004,0x1000004,0x10004,0,0x404,0x10404,0x1000000,0x10000,0x1010404,0x4,0x1010000,0x1010400,0x1000000,0x1000000,0x400,0x1010004,0x10000,0x10400,0x1000004,0x400,0x4,0x1000404,0x10404,0x1010404,0x10004,0x1010000,0x1000404,0x1000004,0x404,0x10404,0x1010400,0x404,0x1000400,0x1000400,0,0x10004,0x10400,0,0x1010004]; var _i_ae=[-0x7fef7fe0,-0x7fff8000,0x8000,0x108020,0x100000,0x20,-0x7fefffe0,-0x7fff7fe0,-0x7fffffe0,-0x7fef7fe0,-0x7fef8000,-0x80000000,-0x7fff8000,0x100000,0x20,-0x7fefffe0,0x108000,0x100020,-0x7fff7fe0,0,-0x80000000,0x8000,0x108020,-0x7ff00000,0x100020,-0x7fffffe0,0,0x108000,0x8020,-0x7fef8000,-0x7ff00000,0x8020,0,0x108020,-0x7fefffe0,0x100000,-0x7fff7fe0,-0x7ff00000,-0x7fef8000,0x8000,-0x7ff00000,-0x7fff8000,0x20,-0x7fef7fe0,0x108020,0x20,0x8000,-0x80000000,0x8020,-0x7fef8000,0x100000,-0x7fffffe0,0x100020,-0x7fff7fe0,-0x7fffffe0,0x100020,0x108000,0,-0x7fff8000,0x8020,-0x80000000,-0x7fefffe0,-0x7fef7fe0,0x108000]; var _i_af=[0x208,0x8020200,0,0x8020008,0x8000200,0,0x20208,0x8000200,0x20008,0x8000008,0x8000008,0x20000,0x8020208,0x20008,0x8020000,0x208,0x8000000,0x8,0x8020200,0x200,0x20200,0x8020000,0x8020008,0x20208,0x8000208,0x20200,0x20000,0x8000208,0x8,0x8020208,0x200,0x8000000,0x8020200,0x8000000,0x20008,0x208,0x20000,0x8020200,0x8000200,0,0x200,0x20008,0x8020208,0x8000200,0x8000008,0x200,0,0x8020008,0x8000208,0x20000,0x8000000,0x8020208,0x8,0x20208,0x20200,0x8000008,0x8020000,0x8000208,0x208,0x8020000,0x20208,0x8,0x8020008,0x20200]; var _i_ag=[0x802001,0x2081,0x2081,0x80,0x802080,0x800081,0x800001,0x2001,0,0x802000,0x802000,0x802081,0x81,0,0x800080,0x800001,0x1,0x2000,0x800000,0x802001,0x80,0x800000,0x2001,0x2080,0x800081,0x1,0x2080,0x800080,0x2000,0x802080,0x802081,0x81,0x800080,0x800001,0x802000,0x802081,0x81,0,0,0x802000,0x2080,0x800080,0x800081,0x1,0x802001,0x2081,0x2081,0x80,0x802081,0x81,0x1,0x2000,0x800001,0x2001,0x802080,0x800081,0x2001,0x2080,0x800000,0x802001,0x80,0x800000,0x2000,0x802080]; var _i_ah=[0x100,0x2080100,0x2080000,0x42000100,0x80000,0x100,0x40000000,0x2080000,0x40080100,0x80000,0x2000100,0x40080100,0x42000100,0x42080000,0x80100,0x40000000,0x2000000,0x40080000,0x40080000,0,0x40000100,0x42080100,0x42080100,0x2000100,0x42080000,0x40000100,0,0x42000000,0x2080100,0x2000000,0x42000000,0x80100,0x80000,0x42000100,0x100,0x2000000,0x40000000,0x2080000,0x42000100,0x40080100,0x2000100,0x40000000,0x42080000,0x2080100,0x40080100,0x100,0x2000000,0x42080000,0x42080100,0x80100,0x42000000,0x42080100,0x2080000,0,0x40080000,0x42000000,0x80100,0x2000100,0x40000100,0x80000,0,0x40080000,0x2080100,0x40000100]; var _i_ai=[0x20000010,0x20400000,0x4000,0x20404010,0x20400000,0x10,0x20404010,0x400000,0x20004000,0x404010,0x400000,0x20000010,0x400010,0x20004000,0x20000000,0x4010,0,0x400010,0x20004010,0x4000,0x404000,0x20004010,0x10,0x20400010,0x20400010,0,0x404010,0x20404000,0x4010,0x404000,0x20404000,0x20000000,0x20004000,0x10,0x20400010,0x404000,0x20404010,0x400000,0x4010,0x20000010,0x400000,0x20004000,0x20000000,0x4010,0x20000010,0x20404010,0x404000,0x20400000,0x404010,0x20404000,0,0x20400010,0x10,0x4000,0x20400000,0x404010,0x4000,0x400010,0x20004010,0,0x20404000,0x20000000,0x400010,0x20004010]; var _i_aj=[0x200000,0x4200002,0x4000802,0,0x800,0x4000802,0x200802,0x4200800,0x4200802,0x200000,0,0x4000002,0x2,0x4000000,0x4200002,0x802,0x4000800,0x200802,0x200002,0x4000800,0x4000002,0x4200000,0x4200800,0x200002,0x4200000,0x800,0x802,0x4200802,0x200800,0x2,0x4000000,0x200800,0x4000000,0x200800,0x200000,0x4000802,0x4000802,0x4200002,0x4200002,0x2,0x200002,0x4000000,0x4000800,0x200000,0x4200800,0x802,0x200802,0x4200800,0x802,0x4000002,0x4200802,0x4200000,0x200800,0,0x2,0x4200802,0,0x200802,0x4200000,0x800,0x4000002,0x4000800,0x800,0x200002]; var _i_ak=[0x10001040,0x1000,0x40000,0x10041040,0x10000000,0x10001040,0x40,0x10000000,0x40040,0x10040000,0x10041040,0x41000,0x10041000,0x41040,0x1000,0x40,0x10040000,0x10000040,0x10001000,0x1040,0x41000,0x40040,0x10040040,0x10041000,0x1040,0,0,0x10040040,0x10000040,0x10001000,0x41040,0x40000,0x41040,0x40000,0x10041000,0x1000,0x40,0x10040040,0x1000,0x41040,0x10001000,0x40,0x10000040,0x10040000,0x10040040,0x10000000,0x40000,0x10001040,0,0x10041040,0x40040,0x10000040,0x10040000,0x10001000,0x10001040,0,0x10041040,0x41000,0x41000,0x1040,0x1040,0x40040,0x10000000,0x10041000]; var _i_al=_i_ac.__if_bj(_if_fh); var _i_am=0; var _i_an=_if_ey.length; var _i_ao=0; var _i_g; var _i_ap; var _i_aq; var _i_ar; var _i_as; var _i_at; var _i_au; var _i_av; var _i_aw=[0,32,2]; var _i_ax; var _i_ay; var _i_az; var _i_ba; var _i_bb; var _i_bc; var _i_bd=3; _if_ey+="\0\0\0\0\0\0\0\0"; var _i_e=""; var _i_be=""; while(_i_am<_i_an) { _i_au=(_if_ey.charCodeAt(_i_am++)<<24)^(_if_ey.charCodeAt(_i_am++)<<16)^(_if_ey.charCodeAt(_i_am++)<<8)^ _if_ey.charCodeAt(_i_am++); _i_av=(_if_ey.charCodeAt(_i_am++)<<24)^(_if_ey.charCodeAt(_i_am++)<<16)^(_if_ey.charCodeAt(_i_am++)<<8)^ _if_ey.charCodeAt(_i_am++); _i_aq=((_i_au>>>4)^ _i_av)&0x0f0f0f0f; _i_av ^=_i_aq; _i_au ^=(_i_aq<<4); _i_aq=((_i_au>>>16)^ _i_av)&0x0000ffff; _i_av ^=_i_aq;_i_au ^=(_i_aq<<16); _i_aq=((_i_av>>>2)^ _i_au)&0x33333333; _i_au ^=_i_aq; _i_av ^=(_i_aq<<2); _i_aq=((_i_av>>>8)^ _i_au)&0x00ff00ff; _i_au ^=_i_aq; _i_av ^=(_i_aq<<8); _i_aq=((_i_au>>>1)^ _i_av)&0x55555555; _i_av ^=_i_aq;_i_au ^=(_i_aq<<1); _i_au=((_i_au<<1)|(_i_au>>>31)); _i_av=((_i_av<<1)|(_i_av>>>31)); for(_i_ap=0;_i_ap<_i_bd;_i_ap+=3) { _i_bb=_i_aw[_i_ap+1]; _i_bc=_i_aw[_i_ap+2]; for(_i_g=_i_aw[_i_ap];_i_g!=_i_bb;_i_g+=_i_bc) { _i_as=_i_av ^ _i_al[_i_g]; _i_at=((_i_av>>>4)|(_i_av<<28))^ _i_al[_i_g+1]; _i_aq=_i_au; _i_au=_i_av; _i_av=_i_aq ^(_i_ae[(_i_as>>>24)&0x3f]|_i_ag[(_i_as>>>16)&0x3f]|_i_ai[(_i_as>>>8)&0x3f]|_i_ak[_i_as&0x3f]|_i_ad[(_i_at>>>24)&0x3f]|_i_af[(_i_at>>>16)&0x3f]|_i_ah[(_i_at>>>8)&0x3f]|_i_aj[_i_at&0x3f]); } _i_aq=_i_au; _i_au=_i_av; _i_av=_i_aq; } _i_au=((_i_au>>>1)|(_i_au<<31)); _i_av=((_i_av>>>1)|(_i_av<<31)); _i_aq=((_i_au>>>1)^ _i_av)&0x55555555; _i_av ^=_i_aq; _i_au ^=(_i_aq<<1); _i_aq=((_i_av>>>8)^ _i_au)&0x00ff00ff; _i_au ^=_i_aq; _i_av ^=(_i_aq<<8); _i_aq=((_i_av>>>2)^ _i_au)&0x33333333; _i_au ^=_i_aq; _i_av ^=(_i_aq<<2); _i_aq=((_i_au>>>16)^ _i_av)&0x0000ffff; _i_av ^=_i_aq;_i_au ^=(_i_aq<<16); _i_aq=((_i_au>>>4)^ _i_av)&0x0f0f0f0f; _i_av ^=_i_aq; _i_au ^=(_i_aq<<4); _i_be+=String.fromCharCode((_i_au>>>24),((_i_au>>>16)&0xff),((_i_au>>>8)&0xff),(_i_au&0xff),(_i_av>>>24),((_i_av>>>16)&0xff),((_i_av>>>8)&0xff),(_i_av&0xff)); _i_ao+=8; if(_i_ao==512) { _i_e+=_i_be; _i_be=""; _i_ao=0; } } return _i_e+_i_be; } function __if_bj(_if_fh) { var _i_bf=[0,0x4,0x20000000,0x20000004,0x10000,0x10004,0x20010000,0x20010004,0x200,0x204,0x20000200,0x20000204,0x10200,0x10204,0x20010200,0x20010204]; var _i_bg=[0,0x1,0x100000,0x100001,0x4000000,0x4000001,0x4100000,0x4100001,0x100,0x101,0x100100,0x100101,0x4000100,0x4000101,0x4100100,0x4100101]; var _i_bh=[0,0x8,0x800,0x808,0x1000000,0x1000008,0x1000800,0x1000808,0,0x8,0x800,0x808,0x1000000,0x1000008,0x1000800,0x1000808]; var _i_bi=[0,0x200000,0x8000000,0x8200000,0x2000,0x202000,0x8002000,0x8202000,0x20000,0x220000,0x8020000,0x8220000,0x22000,0x222000,0x8022000,0x8222000]; var _i_bj=[0,0x40000,0x10,0x40010,0,0x40000,0x10,0x40010,0x1000,0x41000,0x1010,0x41010,0x1000,0x41000,0x1010,0x41010]; var _i_bk=[0,0x400,0x20,0x420,0,0x400,0x20,0x420,0x2000000,0x2000400,0x2000020,0x2000420,0x2000000,0x2000400,0x2000020,0x2000420]; var _i_bl=[0,0x10000000,0x80000,0x10080000,0x2,0x10000002,0x80002,0x10080002,0,0x10000000,0x80000,0x10080000,0x2,0x10000002,0x80002,0x10080002]; var _i_bm=[0,0x10000,0x800,0x10800,0x20000000,0x20010000,0x20000800,0x20010800,0x20000,0x30000,0x20800,0x30800,0x20020000,0x20030000,0x20020800,0x20030800]; var _i_bn=[0,0x40000,0,0x40000,0x2,0x40002,0x2,0x40002,0x2000000,0x2040000,0x2000000,0x2040000,0x2000002,0x2040002,0x2000002,0x2040002]; var _i_bo=[0,0x10000000,0x8,0x10000008,0,0x10000000,0x8,0x10000008,0x400,0x10000400,0x408,0x10000408,0x400,0x10000400,0x408,0x10000408]; var _i_bp=[0,0x20,0,0x20,0x100000,0x100020,0x100000,0x100020,0x2000,0x2020,0x2000,0x2020,0x102000,0x102020,0x102000,0x102020]; var _i_bq=[0,0x1000000,0x200,0x1000200,0x200000,0x1200000,0x200200,0x1200200,0x4000000,0x5000000,0x4000200,0x5000200,0x4200000,0x5200000,0x4200200,0x5200200]; var _i_br=[0,0x1000,0x8000000,0x8001000,0x80000,0x81000,0x8080000,0x8081000,0x10,0x1010,0x8000010,0x8001010,0x80010,0x81010,0x8080010,0x8081010]; var _i_bs=[0,0x4,0x100,0x104,0,0x4,0x100,0x104,0x1,0x5,0x101,0x105,0x1,0x5,0x101,0x105]; var _i_al=[32]; var _i_bt=[0,0,1,1,1,1,1,1,0,1,1,1,1,1,1,0]; var _i_bu; var _i_bv; var _i_aq; var _i_am=0; var _i_bw=0; var _i_au=(_if_fh.charCodeAt(_i_am++)<<24)|(_if_fh.charCodeAt(_i_am++)<<16)|(_if_fh.charCodeAt(_i_am++)<<8)|_if_fh.charCodeAt(_i_am++); var _i_av=(_if_fh.charCodeAt(_i_am++)<<24)|(_if_fh.charCodeAt(_i_am++)<<16)|(_if_fh.charCodeAt(_i_am++)<<8)|_if_fh.charCodeAt(_i_am++); _i_aq=((_i_au>>>4)^ _i_av)&0x0f0f0f0f; _i_av ^=_i_aq;_i_au ^=(_i_aq<<4); _i_aq=((_i_av>>>-16)^ _i_au)&0x0000ffff; _i_au ^=_i_aq; _i_av ^=(_i_aq<<-16); _i_aq=((_i_au>>>2)^ _i_av)&0x33333333; _i_av ^=_i_aq; _i_au ^=(_i_aq<<2); _i_aq=((_i_av>>>-16)^ _i_au)&0x0000ffff; _i_au ^=_i_aq; _i_av ^=(_i_aq<<-16); _i_aq=((_i_au>>>1)^ _i_av)&0x55555555; _i_av ^=_i_aq; _i_au ^=(_i_aq<<1); _i_aq=((_i_av>>>8)^ _i_au)&0x00ff00ff; _i_au ^=_i_aq; _i_av ^=(_i_aq<<8); _i_aq=((_i_au>>>1)^ _i_av)&0x55555555; _i_av ^=_i_aq; _i_au ^=(_i_aq<<1); _i_aq=(_i_au<<8)|((_i_av>>>20)&0x000000f0); _i_au=(_i_av<<24)|((_i_av<<8)&0xff0000)|((_i_av>>>8)&0xff00)|((_i_av>>>24)&0xf0); _i_av=_i_aq; for(var _i_g=0;_i_g<_i_bt.length;_i_g++) { if(_i_bt[_i_g]) { _i_au=(_i_au<<2)|(_i_au>>>26); _i_av=(_i_av<<2)|(_i_av>>>26); } else { _i_au=(_i_au<<1)|(_i_au>>>27); _i_av=(_i_av<<1)|(_i_av>>>27); } _i_au&=-0xf; _i_av&=-0xf; _i_bu=_i_bf[_i_au>>>28]|_i_bg[(_i_au>>>24)&0xf]|_i_bh[(_i_au>>>20)&0xf]|_i_bi[(_i_au>>>16)&0xf]|_i_bj[(_i_au>>>12)&0xf]|_i_bk[(_i_au>>>8)&0xf]|_i_bl[(_i_au>>>4)&0xf]; _i_bv=_i_bm[_i_av>>>28]|_i_bn[(_i_av>>>24)&0xf]|_i_bo[(_i_av>>>20)&0xf]|_i_bp[(_i_av>>>16)&0xf]|_i_bq[(_i_av>>>12)&0xf]|_i_br[(_i_av>>>8)&0xf]|_i_bs[(_i_av>>>4)&0xf]; _i_aq=((_i_bv>>>16)^ _i_bu)&0x0000ffff; _i_al[_i_bw++]=_i_bu ^ _i_aq; _i_al[_i_bw++]=_i_bv ^(_i_aq<<16); } return _i_al; }
http://pastebin.com/mJmbbNW4 очень нужен сам ява апплет с етого кода, чтобы декомпилировать но ето уже мои проблемы , заранее спасибо.
Недавно столкнулся с необходимостью расшифровать PHP файл, который закодировали PHPLockIT. Дело в том что один нехороший человек обманул на деньги и вместо исходников, предоставил закодированные PHP файлы, да еще и привязанные к домену. Пробовал различными методами, результат одинаков. Вытащить удается только скрипт самой привязки к домену, а не весь код. Вот пример одного из таких файлов: http://pastebin.com/hD5SXR9Y
Народ что за алгоритм используется тут? http://pastebin.com/RHCgKWfC Может есть готовое решение для его декодирования на php?
Ура, нашёл таки эту тему Сабж: шелл на одном из источников дал прочитать вот такие странные, но все подобные файлы. Просьба подсказать как они выглядят в первозданном виде. Ссылка на пример - http://pastebin.com/FpyCHrGX Если есть онлайн дешифровщик был бы благодарен.
