복호화 eval(gzinflate(base64_decode()))
2가지 중에서 eval_decode가 좀더 정확.
<?php
/*
* Basic script to decrypt files encoded with eval(gzinflate(base64_decode($data)));
*/
$file = 'proc.php';
$content = file_get_contents($file);
function eval_decode($content, $step = 0)
{
$content = preg_replace('/\s*<\?php/', '', $content);
$pattern = '/eval\s*\(/';
$step++;
if (preg_match($pattern, $content)) {
$content = preg_replace($pattern, 'print(', $content);
ob_start();
eval($content);
$content = ob_get_contents();
ob_end_clean();
}
$content = trim($content);
if (preg_match($pattern, $content)) {
$content = eval_decode($content, $step);
}
return $content;
}
function evaldecode($content, $step = 0) {
//echo "STEP $step\n";
$step++;
if(preg_match('/^eval\(/', $content)) {
$content = str_replace('eval(', 'print(', $content);
ob_start();
eval($content);
$content = ob_get_contents();
ob_end_clean();
}
$content = trim($content);
if(preg_match('/^eval\(/', $content)) {
$content = evaldecode($content, $step);
}
return $content;
}
echo evaldecode($content)."\n";
echo eval_decode($content)."\n";