PHP代码加密与解密技术详解<\/h1>

一、前言<\/h2>
PHP代码加密与解密是Web安全领域的重要课题。所有PHP代码最终都需要在Zend Engine上执行，因此理论上所有PHP源码加密都可以被解密（不包括OpCode混淆\/VMP等高级混淆技术）。<\/p>

二、代码混淆技术<\/h2>
代码混淆是一种常见的代码保护方式，虽然不算严格意义上的加密，但常与加密技术结合使用。<\/p>

混淆特点：<\/h3>

对变量进行复杂修改<\/li>
大量使用动态函数处理<\/li>
按照随机生成的套路替换明文函数<\/li>

批量修改变量名<\/li> <\/ul>

混淆目的：<\/h3>

增加代码阅读难度<\/li>
延长逆向分析时间<\/li>

与加密技术协同增强保护效果<\/li> <\/ul>

三、代码加密与解密技术<\/h2>

1. 常见加密工具<\/h3>

phpjiami等基于eval的加密工具<\/li> <\/ul>

2. 加密流程：<\/h3>

源码处理：压缩、替换、BASE64编码、转义等<\/li>
安全处理：验证文件MD5值、限制IP、限域名、限时间、防破解、防命令行调试<\/li>

生成加密程序：密文源码 + 自解密外壳 = 最终加密代码<\/li> <\/ol>

3. 解密原理<\/h3>
PHP加密代码最终需要通过eval等函数执行，因此可以Hook相关执行函数获取源码。<\/p>

关键函数：<\/h4>

zend_compile_string<\/code>：PHP内核中处理字符串编译的函数<\/li>
<\/ul>
解密步骤：<\/h4>

声明临时compile_string函数<\/li>
在PHP_MINIT_FUNCTION中替换原函数<\/li>
在PHP_MSHUTDOWN_FUNCTION中恢复原函数<\/li>
提取compile_string中的代码并保存<\/li>
<\/ol>
示例代码：<\/h4>
static<\/span> zend_op_array *<\/span>(*<\/span>orig_compile_string)(zval *<\/span>source_string, char<\/span> *<\/span>filename TSRMLS_DC);
<\/span><\/span>
<\/span><\/span>\/\/ 在PHP_MINIT_FUNCTION中替换
<\/span><\/span><\/span><\/span>orig_compile_string =<\/span> zend_compile_string;
<\/span><\/span>zend_compile_string =<\/span> phpjiami_decode_compile_string;
<\/span><\/span>
<\/span><\/span>\/\/ 在PHP_MSHUTDOWN_FUNCTION中恢复
<\/span><\/span><\/span><\/span>zend_compile_string =<\/span> orig_compile_string;
<\/span><\/span>
<\/span><\/span>\/\/ 提取代码并保存
<\/span><\/span><\/span><\/span>static<\/span> zend_op_array *<\/span>phpjiami_decode_compile_string<\/span>(zval *<\/span>source_string, char<\/span> *<\/span>filename TSRMLS_DC) {
<\/span><\/span>    int<\/span> c, len, yes;
<\/span><\/span>    char<\/span> *<\/span>content;
<\/span><\/span>    FILE *<\/span>fp =<\/span> NULL;
<\/span><\/span>    char<\/span> fn[512<\/span>];
<\/span><\/span>    
<\/span><\/span>    if<\/span> (Z_TYPE_P(source_string) ==<\/span> IS_STRING) {
<\/span><\/span>        len =<\/span> Z_STRLEN_P(source_string);
<\/span><\/span>        content =<\/span> estrndup(Z_STRVAL_P(source_string), len);
<\/span><\/span>        if<\/span> (len ><\/span> strlen(content))
<\/span><\/span>            for<\/span> (c =<\/span> 0<\/span>; c <<\/span> len; c++<\/span>)
<\/span><\/span>                if<\/span> (content[c] ==<\/span> 0<\/span>) content[c] =<\/span> '?'<\/span>;
<\/span><\/span>        
<\/span><\/span>        sprintf(fn, "\/tmp\/%s.php"<\/span>, zend_get_executed_filename(TSRMLS_C));
<\/span><\/span>        fp =<\/span> fopen(fn, "a+"<\/span>);
<\/span><\/span>        if<\/span> (fp !=<\/span> NULL)
<\/span><\/span>            fprintf(fp, "<?php <\/span>\n<\/span> %s <\/span>\n<\/span> ?> <\/span>\n\n<\/span>"<\/span>, content);
<\/span><\/span>        fclose(fp);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> orig_compile_string(source_string, filename TSRMLS_CC);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、扩展加密与解密技术<\/h2>
1. 常见工具<\/h3>

pm9screw<\/li>
pm9screw_plus<\/li>
<\/ul>
2. 加密流程：<\/h3>

对源码进行加密处理（对称\/非对称加密、自定义加密）<\/li>
生成密文代码<\/li>
扩展在运行时判断源码是否加密，如未加密则进行加密处理<\/li>
<\/ol>
3. 解密原理<\/h3>
Hook zend_compile_file<\/code>函数获取解密后的内容。<\/p>
关键点：<\/h4>

PHP扩展按"栈"顺序加载，先加载的先Hook<\/li>
需要确保解密插件先于加密插件加载<\/li>
可在INI配置中调整加载顺序<\/li>
<\/ul>
示例配置：<\/h4>
extension = "decode.so"
extension = "encrypt.so"
<\/code><\/pre>
示例代码：<\/h4>
static<\/span> zend_op_array *<\/span>(*<\/span>orig_compile_file)(zend_file_handle *<\/span>file_handle, int<\/span> type TSRMLS_DC);
<\/span><\/span>
<\/span><\/span>\/\/ 在PHP_MINIT_FUNCTION中替换
<\/span><\/span><\/span><\/span>orig_compile_file =<\/span> zend_compile_file;
<\/span><\/span>zend_compile_file =<\/span> phpjiami_decode_compile_file;
<\/span><\/span>
<\/span><\/span>\/\/ 在PHP_MSHUTDOWN_FUNCTION中恢复
<\/span><\/span><\/span><\/span>zend_compile_file =<\/span> orig_compile_file;
<\/span><\/span>
<\/span><\/span>\/\/ 提取代码并保存
<\/span><\/span><\/span><\/span>static<\/span> zend_op_array *<\/span>phpjiami_decode_compile_file<\/span>(zend_file_handle *<\/span>file_handle, int<\/span> type TSRMLS_DC){
<\/span><\/span>    char<\/span> *<\/span>buf;
<\/span><\/span>    size_t size;
<\/span><\/span>    
<\/span><\/span>    if<\/span> (zend_stream_fixup(file_handle, &<\/span>buf, &<\/span>size TSRMLS_CC) ==<\/span> SUCCESS) {
<\/span><\/span>        FILE *<\/span>ff =<\/span> NULL;
<\/span><\/span>        int<\/span> i =<\/span> 0<\/span>;
<\/span><\/span>        php_printf("code size : <\/span>\n<\/span> %d <\/span>\n\n<\/span> source code : <\/span>\n<\/span> %s <\/span>\n\n<\/span>"<\/span>, size, buf);
<\/span><\/span>        
<\/span><\/span>        ff =<\/span> fopen("\/tmp\/decode.php"<\/span>, "a+"<\/span>);
<\/span><\/span>        if<\/span> (ff !=<\/span> NULL)
<\/span><\/span>            for<\/span> (i =<\/span> 0<\/span>; i <=<\/span> size; i++<\/span>)
<\/span><\/span>                fprintf(ff, "%c"<\/span>, buf[i]);
<\/span><\/span>        fclose(ff);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> orig_compile_file(file_handle, type TSRMLS_DC);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、OpCode混淆技术<\/h2>
1. 代表工具<\/h3>

Swoole Compile等<\/li>
<\/ul>
2. 技术特点：<\/h3>

部分脱离Zend虚拟机<\/li>
对OpCode进行混淆<\/li>
类似VMP（虚拟机保护）的实现方式<\/li>
<\/ul>
3. 解密难点：<\/h3>

需要深入理解Zend引擎和OpCode处理机制<\/li>
目前尚无公开的通用解密方法<\/li>
<\/ul>
六、实战案例<\/h2>
1. PWNHUB公开赛\/傻fufu的工作日<\/h3>

使用eval Hook技术解密<\/li>
提取执行前的明文代码<\/li>
<\/ul>
2. SCTF2018 BabySyc - Simple PHP Web<\/h3>

使用扩展解密技术<\/li>
通过Hook zend_compile_file获取源码<\/li>
<\/ul>
七、总结<\/h2>
PHP代码保护技术可分为多个层次：<\/p>

代码混淆：增加阅读难度<\/li>
代码加密：通过eval等函数动态执行<\/li>
扩展加密：通过PHP扩展实现加解密<\/li>
OpCode混淆：最高级别的保护<\/li>
<\/ol>
对应的解密方法也从简单到复杂：<\/p>

对于eval类加密：Hook执行函数<\/li>
对于扩展加密：Hook编译函数并调整加载顺序<\/li>
对于OpCode混淆：目前尚无通用解决方案<\/li>
<\/ul>
在实际应用中，往往需要结合多种技术进行综合防护，同时也需要根据具体加密方式选择相应的解密策略。<\/p>

PHP代码加密与解密技术详解<\/h1>

一、前言<\/h2> PHP代码加密与解密是Web安全领域的重要课题。所有PHP代码最终都需要在Zend Engine上执行，因此理论上所有PHP源码加密都可以被解密（不包括OpCode混淆\/VMP等高级混淆技术）。<\/p>

二、代码混淆技术<\/h2> 代码混淆是一种常见的代码保护方式，虽然不算严格意义上的加密，但常与加密技术结合使用。<\/p>

三、代码加密与解密技术<\/h2>

3. 解密原理<\/h3> PHP加密代码最终需要通过eval等函数执行，因此可以Hook相关执行函数获取源码。<\/p>

四、扩展加密与解密技术<\/h2>

3. 解密原理<\/h3> Hook zend_compile_file<\/code>函数获取解密后的内容。<\/p>

五、OpCode混淆技术<\/h2>

六、实战案例<\/h2>

一、前言<\/h2>
PHP代码加密与解密是Web安全领域的重要课题。所有PHP代码最终都需要在Zend Engine上执行，因此理论上所有PHP源码加密都可以被解密（不包括OpCode混淆\/VMP等高级混淆技术）。<\/p>

二、代码混淆技术<\/h2>
代码混淆是一种常见的代码保护方式，虽然不算严格意义上的加密，但常与加密技术结合使用。<\/p>

3. 解密原理<\/h3>
PHP加密代码最终需要通过eval等函数执行，因此可以Hook相关执行函数获取源码。<\/p>

3. 解密原理<\/h3>
Hook `zend_compile_file<\/code>函数获取解密后的内容。<\/p>`