php screw.so扩展下载,PHP代码被修改过的phpscrew保护,结合IDA分析还原PHP文件
[Python] 纯文本查看 复制代码# -*- coding: utf8 -*-
from __future__ import print_function
import zlib
import sys
import os
from struct import unpack
def eprint(*args, **kwargs):
print(*args, file=sys.stderr, **kwargs)
# 文件头特征
sig = b'\tCopyrightwww.131313.net\t'
def decompile(path):
data = b''
with open(path, "rb") as f:
data = f.read()
if data[:len(sig)] != sig:
raise TypeError("Sig not match!")
# 如果用 c 的 zlib 库需要提供缓冲区大小,就是这两个值了
# 既然不是 c,那就拿来检测数据解出来的大小对不对
remove_hdr = data[len(sig):]
unpacked_size, packed_size = unpack("
crypted = list(map(lambda b: b if type(b) == int else ord(b), remove_hdr[16:]))
assert packed_size == len(crypted)
index = 0
decrypted = []
while index < packed_size:
# c = c - 7 - i
# 因为原始算法是用 int 数据大小,
# 将 -7 转换成 32 位正整数:
# value - 7 => value + 0xFFFFFFF9
# 除非文件很大(一般网页文件也没那么大的)会导致数据溢出
decrypted.append((crypted[index] + 0xFFFFFFF9 - index) & 0xFF)
index += 1
decrypted_bin = bytearray(decrypted)
try:
# py3
decrypted = zlib.decompress(decrypted_bin)
except TypeError:
# py2
decrypted = zlib.decompress(str(decrypted_bin))
assert len(decrypted) == unpacked_size
decrypted = decrypted.decode("utf8")
return decrypted
if __name__ == "__main__":
eprint("php screw 修改版(特征:131313) 解密工具 by jixun66@62pojie [LCG]")
if len(sys.argv) < 2:
eprint("使用: %s " % sys.argv[0])
sys.exit(1)
path = sys.argv[1]
if not os.path.exists(path):
eprint("输入文件不存在")
sys.exit(2)
print(decompile(path), end="")