Decrypt obfuscated perl script


Problem description

Had some spam issues on my server and, after finding out and removing some Perl and PHP scripts I'm down to checking what they really do, although I'm a senior PHP programmer I have little experience with Perl, can anyone give me a hand with the script here:

http://pastebin.com/MKiN8ifp

(It was one long line of code, script was called list.pl)

The script starts with:

$??s:;s:s;;$?::s;(.*); ]="&\%[=.*.,-))'-,-#-*.).<.'.+-<-~-#,~-.-,.+,~-{-,.<'`.{'`'<-<--):)++,+#,-.{).+,,~+{+,,<)..})<.{.)-,.+.,.)-#):)++,+#,-.{).+,,~+{+,,<)..})<*{.}'`'<-<--):)++,+#,-.{).+:,+,+,',~+*+~+~+{+<+,)..})<'`'<.{'`'<'<-}.<)'+'.:*}.*.'-|-<.+):)~*{)~)|)++,+#,-.{).+:,+,+,',~+*+~+~+{+<+,)..})

It continues with precious few non-punctuation characters until the very end:

0-9\;\\_rs}&a-h;;s;(.*);$_;see;

Recommended answer

Replace the s;(.*);$_;see; with print to get this. Replace s;(.*);$_;see; again with print in the first half of the payload to get this, which is the decryption code. The second half of the payload is the code to decrypt, but I can't go any further with it, because as you see, the decryption code is looking for a key in an envvar or a cookie (so that only the script's creator can control it or decode it, presumably), and I don't have that key. This is actually reasonably cleverly done.
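The substitution described in the answer, as an added example that is not part of the original post: a Python helper that statically rewrites the `s;(.*);$_;see;` tail to `print`, so the decoded layer is dumped instead of evaluated. The names `defang`, `EVAL_TAIL` and `SAMPLE` are assumptions of this example, and the sample script is constructed.

```python
import re

# The idiom quoted on the page: s<d>(.*)<d>$_<d>FLAGS. With the "e" flag given
# twice, Perl evaluates the replacement "$_" and then evals the resulting
# string as code, so whatever the earlier statements decoded into $_ gets run.
EVAL_TAIL = re.compile(
    r"(?<![\w$@%])"            # "s" must start a token, not end an identifier
    r"s(?P<d>[^\w\s])"         # substitution operator with any punctuation delimiter
    r"\(\.\*\)(?P=d)"          # pattern is literally (.*)
    r"\$_(?P=d)"               # replacement is literally $_
    r"(?P<flags>[a-z]*)"       # trailing flags, e.g. "see"
)


def defang(source):
    """Return (rewritten_source, hits); every eval tail becomes a bare print."""
    hits = []

    def swap(match):
        if match.group("flags").count("e") < 2:
            return match.group(0)  # a single /e only re-inserts $_, nothing is eval'd
        hits.append((match.start(), match.group(0)))
        return "print"             # bare print outputs $_, i.e. the decoded layer

    return EVAL_TAIL.sub(swap, source), hits


# Constructed, harmless sample with the same shape as the script on the page:
# a payload in $_, a transliteration that decodes it (ROT13 here), then the tail.
SAMPLE = '$_="cevag 42";y;a-z;n-za-m;;s;(.*);$_;see;'

if __name__ == "__main__":
    rewritten, found = defang(SAMPLE)
    for offset, text in found:
        print(f"eval tail at offset {offset}: {text}")
    print(rewritten)
```

The rewritten script still executes its decoding statements when run under Perl, so run each peeled layer in an isolated analysis environment and pass its output through the helper again before the next step.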
