PHP代码混淆与解混淆技术详解<\/h1>

概述<\/h2>
本文详细讲解如何开发PHP代码混淆器与解混淆器，基于PHP-Parser库实现代码的抽象语法树(AST)转换。<\/p>

基本原理<\/h2>

编译器前端概念<\/h3>

混淆器开发类似于编译器开发，主要分为两个部分：<\/p>

编译器前端<\/strong>：负责代码解析<\/p>

词法分析：将字符流转换为词素(lexeme)和词法单元(token)<\/li>
语法分析：将token序列转换为抽象语法树(AST)<\/li> <\/ul> <\/li>

编译器后端<\/strong>：负责代码生成<\/p> <\/li> <\/ol>
PHP解析工具<\/h3>
PHP提供了以下工具帮助我们处理代码：<\/p>

token_get_all()<\/code>：将PHP代码转换为token数组<\/li>
php-parser<\/code>库：将PHP代码解析为AST<\/li> <\/ul> 基础实现<\/h2> 变量重命名示例<\/h3> $file =<\/span> file_get_contents<\/span>($path); <\/span><\/span>$variable =<\/span> 0<\/span>; <\/span><\/span>$map =<\/span> []; <\/span><\/span>$tokens =<\/span> token_get_all<\/span>($file); <\/span><\/span>foreach<\/span> ($tokens as<\/span> $token) { <\/span><\/span> if<\/span> ($token[0<\/span>] ===<\/span> T_VARIABLE<\/span>) { <\/span><\/span> if<\/span> (!<\/span>isset<\/span>($map[$token[1<\/span>]])) { <\/span><\/span> if<\/span> (!<\/span>preg_match<\/span>('\/^\$[a-zA-Z0-9_]+$\/'<\/span>, $token[1<\/span>])) { <\/span><\/span> $file =<\/span> str_replace<\/span>($token[1<\/span>], '$v'<\/span> .<\/span> $variable++<\/span>, $file); <\/span><\/span> $map[$token[1<\/span>]] =<\/span> $variable; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>基于AST的基本框架<\/h3> use<\/span> PhpParser\Parser<\/span>; <\/span><\/span>use<\/span> PhpParser\ParserFactory<\/span>; <\/span><\/span>use<\/span> PhpParser\NodeTraverser<\/span>; <\/span><\/span>use<\/span> PhpParser\NodeVisitor\NameResolver<\/span>; <\/span><\/span>use<\/span> PhpParser\PrettyPrinter\Standard<\/span>; <\/span><\/span> <\/span><\/span>require<\/span> '.\/vendor\/autoload.php'<\/span>; <\/span><\/span> <\/span><\/span>\/\/ 初始化解析器 <\/span><\/span><\/span><\/span>$parser =<\/span> (new<\/span> ParserFactory<\/span>())-><\/span>create<\/span>(ParserFactory<\/span>::<\/span>PREFER_PHP7<\/span>); <\/span><\/span>\/\/ 将代码解析成AST <\/span><\/span><\/span><\/span>$ast =<\/span> $parser-><\/span>parse<\/span>(file_get_contents<\/span>('test\/test1.php'<\/span>)); <\/span><\/span> <\/span><\/span>$traverser =<\/span> new<\/span> NodeTraverser<\/span>(); <\/span><\/span>\/\/ 注册自定义Visitor <\/span><\/span><\/span><\/span>$traverser-><\/span>addVisitor<\/span>(new<\/span> CustomVisitor<\/span>($parser)); <\/span><\/span>\/\/ 开始遍历AST <\/span><\/span><\/span><\/span>$ast =<\/span> $traverser-><\/span>traverse<\/span>($ast); <\/span><\/span> <\/span><\/span>\/\/ 将AST转换成代码 <\/span><\/span><\/span><\/span>$prettyPrinter =<\/span> new<\/span> Standard<\/span>(); <\/span><\/span>$ret =<\/span> $prettyPrinter-><\/span>prettyPrint<\/span>($ast); <\/span><\/span>echo<\/span> '<?php '<\/span> .<\/span> $ret; <\/span><\/span><\/code><\/pre>混淆技术实现<\/h2> 字符串ROT13混淆<\/h3> 将字符串替换为ROT13编码的函数调用：<\/p> class<\/span> StringToROT13<\/span> extends<\/span> NodeVisitorAbstract<\/span> <\/span><\/span>{ <\/span><\/span> public<\/span> function<\/span> leaveNode<\/span>(Node<\/span> $node) <\/span><\/span> { <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Scalar\String_<\/span>) { <\/span><\/span> $name =<\/span> $node-><\/span>value<\/span>; <\/span><\/span> return<\/span> new<\/span> Expr\FuncCall<\/span>( <\/span><\/span> new<\/span> Node\Name<\/span>("str_rot13"<\/span>), <\/span><\/span> [new<\/span> Node\Arg<\/span>(new<\/span> Node\Scalar\String_<\/span>(str_rot13<\/span>($name)))] <\/span><\/span> ); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>常量数组混淆<\/h3> 将分散的常量赋值转换为数组引用：<\/p> class<\/span> ConstantToArray<\/span> extends<\/span> NodeVisitorAbstract<\/span> <\/span><\/span>{ <\/span><\/span> private<\/span> $_variableName =<\/span> ''<\/span>; <\/span><\/span> private<\/span> $_constants =<\/span> []; <\/span><\/span> private<\/span> $_inStatic =<\/span> false<\/span>; <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> __construct($_parser) <\/span><\/span> { <\/span><\/span> $this-><\/span>_variableName<\/span> =<\/span> generate_random_variable<\/span>(5<\/span>); <\/span><\/span> $this-><\/span>_parser<\/span> =<\/span> $_parser; <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> afterTraverse<\/span>(array<\/span> $nodes) <\/span><\/span> { <\/span><\/span> $keys =<\/span> []; <\/span><\/span> foreach<\/span> ($this-><\/span>_constants<\/span> as<\/span> $key =><\/span> $value) { <\/span><\/span> $keys[] =<\/span> unserialize<\/span>($key); <\/span><\/span> } <\/span><\/span> $items =<\/span> base64_encode<\/span>(serialize<\/span>($keys)); <\/span><\/span> $nodes =<\/span> array_merge<\/span>($this-><\/span>_parser<\/span>-><\/span>parse<\/span>( <\/span><\/span> "<?php <\/span>\$<\/span>{<\/span>$this-><\/span>_variableName<\/span>}<\/span>=unserialize(base64_decode('<\/span>$items<\/span>'));"<\/span> <\/span><\/span> ), $nodes); <\/span><\/span> return<\/span> $nodes; <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> enterNode<\/span>(Node<\/span> $node) <\/span><\/span> { <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Stmt\Function_<\/span>) { <\/span><\/span> $global =<\/span> new<\/span> Node\Stmt\Global_<\/span>([new<\/span> Expr\Variable<\/span>($this-><\/span>_variableName<\/span>)]); <\/span><\/span> array_unshift<\/span>($node-><\/span>stmts<\/span>, $global); <\/span><\/span> } <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Param<\/span> ||<\/span> $node instanceof<\/span> Node\Stmt\Static_<\/span>) { <\/span><\/span> $this-><\/span>_inStatic<\/span> =<\/span> true<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> leaveNode<\/span>(Node<\/span> $node) <\/span><\/span> { <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Param<\/span> ||<\/span> $node instanceof<\/span> Node\Stmt\Static_<\/span>) { <\/span><\/span> $this-><\/span>_inStatic<\/span> =<\/span> false<\/span>; <\/span><\/span> } <\/span><\/span> if<\/span> ($this-><\/span>_inStatic<\/span>) { <\/span><\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Scalar<\/span> &&<\/span> (!<\/span>$node instanceof<\/span> Node\Scalar\MagicConst<\/span>)) { <\/span><\/span> $name =<\/span> serialize<\/span>($node-><\/span>value<\/span>); <\/span><\/span> if<\/span> (!<\/span>isset<\/span>($this-><\/span>_constants<\/span>[$name])) { <\/span><\/span> $this-><\/span>_constants<\/span>[$name] =<\/span> count<\/span>($this-><\/span>_constants<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> new<\/span> Expr\ArrayDimFetch<\/span>( <\/span><\/span> new<\/span> Expr\Variable<\/span>($this-><\/span>_variableName<\/span>), <\/span><\/span> Node\Scalar\LNumber<\/span>::<\/span>fromString<\/span>($this-><\/span>_constants<\/span>[$name]) <\/span><\/span> ); <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Expr\ConstFetch<\/span> &&<\/span> $node-><\/span>name<\/span> instanceof<\/span> Node\Name<\/span> &&<\/span> count<\/span>($node-><\/span>name<\/span>-><\/span>parts<\/span>) ===<\/span> 1<\/span>) { <\/span><\/span> $name =<\/span> $node-><\/span>name<\/span>-><\/span>parts<\/span>[0<\/span>]; <\/span><\/span> switch<\/span> (strtolower<\/span>($name)) { <\/span><\/span> case<\/span> 'true'<\/span>:<\/span> $name =<\/span> true<\/span>; break<\/span>; <\/span><\/span> case<\/span> 'false'<\/span>:<\/span> $name =<\/span> false<\/span>; break<\/span>; <\/span><\/span> case<\/span> 'null'<\/span>:<\/span> $name =<\/span> null<\/span>; break<\/span>; <\/span><\/span> default<\/span>:<\/span> return<\/span>; <\/span><\/span> } <\/span><\/span> $name =<\/span> serialize<\/span>($name); <\/span><\/span> if<\/span> (!<\/span>isset<\/span>($this-><\/span>_constants<\/span>[$name])) { <\/span><\/span> $this-><\/span>_constants<\/span>[$name] =<\/span> count<\/span>($this-><\/span>_constants<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> new<\/span> Expr\ArrayDimFetch<\/span>( <\/span><\/span> new<\/span> Expr\Variable<\/span>($this-><\/span>_variableName<\/span>), <\/span><\/span> Node\Scalar\LNumber<\/span>::<\/span>fromString<\/span>($this-><\/span>_constants<\/span>[$name]) <\/span><\/span> ); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>解混淆技术实现<\/h2> ROT13字符串还原<\/h3> class<\/span> ROT13ToString<\/span> extends<\/span> NodeVisitorAbstract<\/span> <\/span><\/span>{ <\/span><\/span> public<\/span> function<\/span> leaveNode<\/span>(Node<\/span> $node) <\/span><\/span> { <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Expr\FuncCall<\/span> &&<\/span> <\/span><\/span> $node-><\/span>name<\/span> instanceof<\/span> Node\Name<\/span> &&<\/span> <\/span><\/span> $node-><\/span>name<\/span>-><\/span>parts<\/span>[0<\/span>] ==<\/span> 'str_rot13'<\/span> &&<\/span> <\/span><\/span> $node-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span> instanceof<\/span> Node\Scalar\String_<\/span> <\/span><\/span> ) { <\/span><\/span> $value =<\/span> $node-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span>-><\/span>value<\/span>; <\/span><\/span> return<\/span> new<\/span> Node\Scalar\String_<\/span>(str_rot13<\/span>($value)); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>常量数组还原<\/h3> class<\/span> ArrayToConstant<\/span> extends<\/span> NodeVisitorAbstract<\/span> <\/span><\/span>{ <\/span><\/span> private<\/span> $_variableName =<\/span> ''<\/span>; <\/span><\/span> private<\/span> $_constants =<\/span> []; <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> enterNode<\/span>(Node<\/span> $node) <\/span><\/span> { <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Expr\Assign<\/span> &&<\/span> <\/span><\/span> $node-><\/span>expr<\/span> instanceof<\/span> Node\Expr\FuncCall<\/span> &&<\/span> <\/span><\/span> $node-><\/span>expr<\/span>-><\/span>name<\/span> instanceof<\/span> Node\Name<\/span> &&<\/span> <\/span><\/span> $node-><\/span>expr<\/span>-><\/span>name<\/span>-><\/span>parts<\/span>[0<\/span>] ==<\/span> 'unserialize'<\/span> &&<\/span> <\/span><\/span> count<\/span>($node-><\/span>expr<\/span>-><\/span>args<\/span>) ===<\/span> 1<\/span> &&<\/span> <\/span><\/span> $node-><\/span>expr<\/span>-><\/span>args<\/span>[0<\/span>] instanceof<\/span> Node\Arg<\/span> &&<\/span> <\/span><\/span> $node-><\/span>expr<\/span>-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span> instanceof<\/span> Node\Expr\FuncCall<\/span> &&<\/span> <\/span><\/span> $node-><\/span>expr<\/span>-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span>-><\/span>name<\/span> instanceof<\/span> Node\Name<\/span> &&<\/span> <\/span><\/span> $node-><\/span>expr<\/span>-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span>-><\/span>name<\/span>-><\/span>parts<\/span>[0<\/span>] ==<\/span> 'base64_decode'<\/span> <\/span><\/span> ) { <\/span><\/span> $string =<\/span> $node-><\/span>expr<\/span>-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span>-><\/span>args<\/span>[0<\/span>]-><\/span>value<\/span>-><\/span>value<\/span>; <\/span><\/span> $array =<\/span> unserialize<\/span>(base64_decode<\/span>($string)); <\/span><\/span> $this-><\/span>_variableName<\/span> =<\/span> $node-><\/span>var<\/span>-><\/span>name<\/span>; <\/span><\/span> $this-><\/span>_constants<\/span> =<\/span> $array; <\/span><\/span> return<\/span> new<\/span> Node\Expr\Assign<\/span>($node-><\/span>var<\/span>, Node\Scalar\LNumber<\/span>::<\/span>fromString<\/span>("0"<\/span>)); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> leaveNode<\/span>(Node<\/span> $node) <\/span><\/span> { <\/span><\/span> if<\/span> ($this-><\/span>_variableName<\/span> ===<\/span> ''<\/span>) return<\/span>; <\/span><\/span> if<\/span> ($node instanceof<\/span> Node\Expr\ArrayDimFetch<\/span> &&<\/span> $node-><\/span>var<\/span>-><\/span>name<\/span> ===<\/span> $this-><\/span>_variableName<\/span>) { <\/span><\/span> $val =<\/span> $this-><\/span>_constants<\/span>[$node-><\/span>dim<\/span>-><\/span>value<\/span>]; <\/span><\/span> if<\/span> (is_string<\/span>($val)) { <\/span><\/span> return<\/span> new<\/span> Node\Scalar\String_<\/span>($val); <\/span><\/span> } elseif<\/span> (is_double<\/span>($val)) { <\/span><\/span> return<\/span> new<\/span> Node\Scalar\DNumber<\/span>($val); <\/span><\/span> } elseif<\/span> (is_int<\/span>($val)) { <\/span><\/span> return<\/span> new<\/span> Node\Scalar\LNumber<\/span>($val); <\/span><\/span> } else<\/span> { <\/span><\/span> return<\/span> new<\/span> Node\Expr\ConstFetch<\/span>(new<\/span> Node\Name\FullyQualified<\/span>(json_encode<\/span>($val))); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>开发注意事项<\/h2> 混淆器开发要点<\/h3> 收集大量PHP样本，处理各种语法兼容问题<\/li> 利用信息不对称性，将混淆代码与业务代码混合<\/li> 尽可能破坏原始代码结构，去除可识别信息(如变量名)<\/li> <\/ol> 解混淆器开发要点<\/h3> 准确识别混淆模式及其依赖的外部信息<\/li> 提取运行时才能获取的密钥和数据<\/li> 当信息无法完全恢复时，使用规则还原近似信息<\/li> <\/ol> 高级混淆技术<\/h2> 控制流混淆<\/strong>：打乱代码执行流程，如yakpro-po工具<\/li> 模块化设计<\/strong>：使用组合模式，便于维护和扩展<\/li> 多层混淆<\/strong>：多种混淆技术叠加使用<\/li> <\/ol> 总结<\/h2> 本文详细介绍了PHP代码混淆与解混淆的核心技术，包括：<\/p> 基于AST的代码转换原理<\/li> 基础混淆技术实现(变量重命名、字符串编码)<\/li> 高级混淆技术(常量数组转换)<\/li> 对应的解混淆技术实现<\/li> 开发中的注意事项和最佳实践<\/li> <\/ul> 通过合理运用这些技术，可以开发出比市面上大多数混淆器更强大的工具。解混淆器的开发思路与混淆器类似，但侧重点不同，需要针对特定混淆模式进行精确识别和还原。<\/p>

PHP代码混淆与解混淆技术详解<\/h1>

概述<\/h2> 本文详细讲解如何开发PHP代码混淆器与解混淆器，基于PHP-Parser库实现代码的抽象语法树(AST)转换。<\/p>

基本原理<\/h2>

基础实现<\/h2>

混淆技术实现<\/h2>

解混淆技术实现<\/h2>

开发注意事项<\/h2>

概述<\/h2>
本文详细讲解如何开发PHP代码混淆器与解混淆器，基于PHP-Parser库实现代码的抽象语法树(AST)转换。<\/p>