Add decodeRecursive. Add ExplodeDelimiterWithApostropheException.

ganlvtech · ganlvtech · commit 76cd4c775263 · 2019-05-23T16:23:06.000+08:00
diff --git a/README.md b/README.md
@@ -20,15 +20,25 @@ Download the `zip` file and unzip them into a folder. All dependencies have been
 
 ## Usage
 
+### Decode One File
+
 ```bash
 php bin/decode.php input.php output.php
 ```
 
 Call `bin/decode.php` decode `input.php` and save it to `output.php`.
 
-## About EnPHP Bugs
+### Decode All Files in A Directory
+
+```bash
+php bin/decodeRecursive.php dir/
+```
+
+Call `bin/decodeRecursive.php` decode all php files in `dir/` recursively and save it to its original path.
 
-**EnPHP is for php 5. There may be some problem is you use the obfuscated files on php 7.**
+**CAUTION: This will OVERWRITE all php files! If any error happened with the decoder, your files MAY NOT BE RECOVERED! Please backup your files!**
+
+## About EnPHP Bugs
 
 See <docs/enphp_bugs.md>.
 
diff --git a/bin/decodeRecursive.php b/bin/decodeRecursive.php
@@ -0,0 +1,76 @@
+<?php
+/**
+ * EnPHP Decoder
+ *
+ * https://github.com/ganlvtech/php-enphp-decoder
+ *
+ * Copyright (C) 2019  Ganlv
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+use Ganlv\EnphpDecoder\AutoDecoder;
+use Ganlv\EnphpDecoder\KnownEnphpBugs\KnownEnphpBugsException;
+
+error_reporting(E_ALL);
+
+require __DIR__ . '/../vendor/autoload.php';
+
+function endsWith($haystack, $needle)
+{
+    $length = strlen($needle);
+    if ($length == 0) {
+        return true;
+    }
+    return (substr($haystack, -$length) === $needle);
+}
+
+function decodeRecursive($dir)
+{
+    $files = scandir($dir);
+    foreach ($files as $key => $value) {
+        $path = realpath($dir . DIRECTORY_SEPARATOR . $value);
+        if (!is_dir($path)) {
+            if (endsWith($path, '.php')) {
+                echo $path;
+                $modified = false;
+                try {
+                    $code = file_get_contents($path);
+                    $ast = AutoDecoder::parseFile($code);
+                    $decoder = new AutoDecoder($ast);
+                    $modified = $decoder->autoDecode();
+                    if ($modified) {
+                        file_put_contents($path, $decoder->prettyPrintFile());
+                        echo '  Decoded.';
+                    }
+                } catch (KnownEnphpBugsException $e) {
+                    echo '  Known EnPHP Bugs: ', $e->getMessage();
+                } catch (Throwable $e) {
+                    echo '  Decode error.', PHP_EOL;
+                    echo $e->getTraceAsString();
+                }
+                if (!$modified) {
+                    echo '  Unchanged.';
+                }
+                echo PHP_EOL;
+            }
+        } else {
+            if ($value != '.' && $value != '..') {
+                decodeRecursive($path);
+            }
+        }
+    }
+}
+
+decodeRecursive($argv[1]);
diff --git a/docs/enphp_bugs.md b/docs/enphp_bugs.md
@@ -1,77 +1,11 @@
 # About EnPHP Bugs
 
-**EnPHP is for php 5. There may be some problem is you use the obfuscated files on php 7.**
+## explode delimiter with apostrophe
 
-**php 5.5 5.6 7.0 is no longer supported.** See [PHP: Supported Versions](http://php.net/supported-versions.php).
-
-EnPHP has bugs. The obfuscated files cannot even run properly on php 7. You shouldn't ask a decoder to recover a broken file to a normal file.
-
-See [PHP 5.x to 7.x: Changes to the handling of indirect variables, properties, and methods](http://php.net/manual/en/migration70.incompatible.php#migration70.incompatible.variable-handling.indirect).
-
-Here are some known EnPHP bugs running on php 7. They **WON'T** be fixed.
-
-## Class Static Call
-
-```php
-class Foo
-{
-    public static function baz()
-    {
-        echo 'baz';
-    }
-}
-
-class Bar extends Foo
-{
-    public function __construct()
-    {
-        parent::baz();
-    }
-}
-```
-
-class Bar will be obfuscated like this
-
-```php
-class Bar extends Foo
-{
-    public function __construct()
-    {
-        parent::$GLOBALS[GLOBAL_VAR_KEY][0x0]();
-    }
-}
-```
-
-This means `(parent::$GLOBALS)[GLOBAL_VAR_KEY][0x0]();` instead of what we expected `parent::{$GLOBALS[GLOBAL_VAR_KEY][0x0]}();`.
-
-## Class Method Call
-
-```php
-class Foo
-{
-    public function bar()
-    {
-        echo 'bar';
-    }
-
-    public function __construct()
-    {
-        $this->bar();
-    }
-}
-```
-
-The constructor will be encoded like this
+tests/bug_samples/Rush.php
 
 ```php
-class Foo
-{
-    public function __construct()
-    {
-        $v0 = &$GLOBALS[GLOBAL_VAR_KEY];
-        $this->$v0[0x0]();
-    }
-}
+explode('|\'|%|\'', 'post.|\\\'|%|\\\'site_config|\\\'|%|\\\'设置成功|\\\'|%|\\\'API|\\\'|%|\\\'api_config|\\\'|%|\\\'taobao|\\\'|%|\\\'key|\\\'|%|\\\'taobaoAppkey|\\\'|%|\\\'site');
 ```
 
-This means `($this->$v0)[0x0]()` instead of what we expected `$this->{$v0[0x0]}()`.
+This is EnPHP's bug. Won't Fix!
diff --git a/src/KnownEnphpBugs/ExplodeDelimiterWithApostropheException.php b/src/KnownEnphpBugs/ExplodeDelimiterWithApostropheException.php
@@ -0,0 +1,23 @@
+<?php
+
+namespace Ganlv\EnphpDecoder\KnownEnphpBugs;
+
+class ExplodeDelimiterWithApostropheException extends KnownEnphpBugsException
+{
+    public $stringArray;
+    public $dim;
+
+    public function __construct($stringArray, $dim)
+    {
+        $this->stringArray = $stringArray;
+        $this->dim = $dim;
+        parent::__construct('explode delimiter with apostrophe.');
+    }
+
+    public static function test($stringArray, $dim)
+    {
+        if (!isset($stringArray[$dim]) && count($stringArray) === 1 && strpos($stringArray[0],'\\\'') !== false) {
+            throw new self($stringArray, $dim);
+        }
+    }
+}
diff --git a/src/KnownEnphpBugs/KnownEnphpBugsException.php b/src/KnownEnphpBugs/KnownEnphpBugsException.php
@@ -0,0 +1,9 @@
+<?php
+
+namespace Ganlv\EnphpDecoder\KnownEnphpBugs;
+
+use Exception;
+
+abstract class KnownEnphpBugsException extends Exception
+{
+}
diff --git a/src/NodeVisitors/FunctionGlobalStringNodeVisitor.php b/src/NodeVisitors/FunctionGlobalStringNodeVisitor.php
@@ -2,6 +2,7 @@
 
 namespace Ganlv\EnphpDecoder\NodeVisitors;
 
+use Ganlv\EnphpDecoder\KnownEnphpBugs\ExplodeDelimiterWithApostropheException;
 use Ganlv\EnphpDecoder\PrettyPrinter\StandardPrettyPrinter;
 use PhpParser\Node;
 use PhpParser\NodeTraverser;
@@ -37,6 +38,7 @@ public function leaveNode(Node $node)
             && $node->var instanceof Node\Expr\Variable
             && $node->var->name === $this->localVarName
             && $node->dim instanceof Node\Scalar\LNumber) {
+            ExplodeDelimiterWithApostropheException::test($this->stringArray, $node->dim->value);
             return new Node\Scalar\String_($this->stringArray[$node->dim->value]);
         }
         return null;
diff --git a/src/NodeVisitors/GlobalStringNodeVisitor.php b/src/NodeVisitors/GlobalStringNodeVisitor.php
@@ -2,6 +2,7 @@
 
 namespace Ganlv\EnphpDecoder\NodeVisitors;
 
+use Ganlv\EnphpDecoder\KnownEnphpBugs\ExplodeDelimiterWithApostropheException;
 use Ganlv\EnphpDecoder\PrettyPrinter\StandardPrettyPrinter;
 use PhpParser\Node;
 use PhpParser\NodeVisitorAbstract;
@@ -28,6 +29,7 @@ public function leaveNode(Node $node)
             && $node->var->dim !== null
             && StandardPrettyPrinter::prettyPrinter()->prettyPrintExpr($node->var->dim) === $this->globalVarKeyExpr
             && $node->dim instanceof Node\Scalar\LNumber) {
+            ExplodeDelimiterWithApostropheException::test($this->stringArray, $node->dim->value);
             return new Node\Scalar\String_($this->stringArray[$node->dim->value]);
         }
         return null;
diff --git a/tests/bug_samples/Rush.php b/tests/bug_samples/Rush.php
@@ -0,0 +1,4 @@
+<?php /* 程序侠CMS淘宝客系统 程序侠版权所有 技术论坛支持: bbs.chengxuxia.com QQ: 573907419 正版授权防止出现漏洞后门 
+-- enphp : https://git.oschina.net/mz/mzphp2
+ */
+  namespace app\admin\controller;error_reporting(E_ALL^E_NOTICE);define('���', '���');��é������������ڥ�Ԁ��������������ωð�ܬ��Ƞ�퉶�����تꊙ��ˠ���Ӻ��Ş�倆��弤��ؠ�촪���������������՝В¾���;$_SERVER[���] = explode('|\'|%|\'', 'post.|\\\'|%|\\\'site_config|\\\'|%|\\\'设置成功|\\\'|%|\\\'API|\\\'|%|\\\'api_config|\\\'|%|\\\'taobao|\\\'|%|\\\'key|\\\'|%|\\\'taobaoAppkey|\\\'|%|\\\'site');��������å�±���܀��՝���ב���퓑�߀�����Ȃ�������ι�����籐�š�����籁������鳅������Ɯ���������͂逄��������՛��ұČ�����ڔ橗Щ�Ϳ��ψ�����׿�;use think\File;use think\Db;use app\common\controller\Admin;use app\admin\model\Config as ConfigModel;class Rush extends Admin{public function index(){$���=&$_SERVER{���};if($this->request->isAjax()){$�����=input($���[0]);foreach($����� as $ƒ��=>$�){ConfigModel::updateCofig($ƒ��,$���{0x001},$�);}cache($���{0x001},null);return $this->success($���[0x0002]);}else{if($�=get_config($���{0x00003},$���[0x000004])){if($�[$���{0x05}][$���[0x006]]){$this->assign($���{0x0007},trim($�[$���{0x05}][$���[0x006]]));}}$�=get_config();$this->assign($���[0x00008],$�);����Ȉ�ܥε������ŵ冎������㌐����֔�����ǎۜӒ�٠���ϸ�杋��ٺ���;return $this->fetch();��ˡ������������ل�;}}}?>

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +<?php /* 遞句ｺ丈ｾCMS豺伜ｮ晏ｮ｢邉ｻ扈 遞句ｺ丈ｾ迚域揀謇譛 謚譛ｯ隶ｺ蝮帶髪謖: bbs.chengxuxia.com QQ: 573907419 豁｣迚域肢譚�亟豁｢蜃ｺ邇ｰ貍乗ｴ槫錘髣ｨ
 +-- enphp : https://git.oschina.net/mz/mzphp2
 + */
 +  namespace app\admin\controller;error_reporting(E_ALL^E_NOTICE);define('ｺ佗', 'ﾅﾅﾂ');湘ｩｽ鎌ﾟ苻荢ｨ屎ﾚ･靫�ﾁ菖ｱ杦ﾁｲｪﾏ嘉ｰ汯ｬｆﾈ瑙恩煜��ｪ鼕匆ﾋﾋﾊﾓｺ｡ﾂ佩ﾅ棊蛟�ｶｼ､�ﾎﾘ闃�ｪｷｫ寥貍ﾏ虚椒墲ｩ鰈斷陳ｾｨ著;$_SERVER[ｺ佗] = explode('|\'|%|\'', 'post.|\\\'|%|\\\'site_config|\\\'|%|\\\'隶ｾ鄂ｮ謌仙粥|\\\'|%|\\\'API|\\\'|%|\\\'api_config|\\\'|%|\\\'taobao|\\\'|%|\\\'key|\\\'|%|\\\'taobaoAppkey|\\\'|%|\\\'site');｢ｶｰﾌ飼顯ﾃ･ﾋﾂｱ珥ﾕﾜﾇﾕ撕鞜ﾗ拓�崧憎ﾟ揵釮鏸ぃｪ胯�ｹ碑｢ｴ邀跡ﾅ｡｢�洌ﾞ邀％抱奠�ｳ�ﾖ哿娯ﾆ愡言ｮｲ燹｢∀る�酪墲ﾃ幟鬨ﾒｱﾄ言┰ﾚ疲ｩ厘ｩ嶇ｿ吝ﾏ郁美ｾｯ�ﾗｿﾚ;use think\File;use think\Db;use app\common\controller\Admin;use app\admin\model\Config as ConfigModel;class Rush extends Admin{public function index(){$｢┷=&$_SERVER{ｺ佗};if($this->request->isAjax()){$ｺ｢ﾍ脣=input($｢┷[0]);foreach($ｺ｢ﾍ脣 as $ﾆ賃ﾘ=>$){ConfigModel::updateCofig($ﾆ賃ﾘ,$｢┷{0x001},$);}cache($｢┷{0x001},null);return $this->success($｢┷[0x0002]);}else{if($=get_config($｢┷{0x00003},$｢┷[0x000004])){if($犱$｢┷{0x05}][$｢┷[0x006]]){$this->assign($｢┷{0x0007},trim($犱$｢┷{0x05}][$｢┷[0x006]]));}}$=get_config();$this->assign($｢┷[0x00008],$);星ﾀｲﾈ威ﾜ･ﾎｵ｡華�ﾓﾅｵ蜀守讎蔕ｶ励倹届ﾂﾛﾖ隼鏞釚桒杓慱窒ﾙ�ﾇﾏｸ譚遇ｱﾙｺ鴫ﾏ;return $this->fetch();生ﾋ｡ﾚ岼裾桶缶�;}}}?>