PHP Screw解密，PHP Screw加密解密算法实现

发表于 2019年07月19日
Crack

PHP Screw是一个PHP加密工具。当您使用PHP开发商业软件包时，该脚本可以帮您实现脚本加密，保护您的知识产权。

目录表

PHP Screw加密解密算法

效果

条件

加密key密钥

IDA获取加密key

现在尝试用ida进行静态分析，获取隐藏在so文件中的密钥。密过程是在pm9screw_ext_fopen函数中实现的，所以只需要到这个函数中去找加密部分即可。

ida导入so，通过导图查找，然后右边的Proximity Browser就会如图所示：

很明显，我标黄的就是加密密钥了，双击跳转至其指针保存处，再次双击黄标：

pm9screw_mycryptkey即为加密密钥：

pm9screw_mycryptkey dw 2B90h, 170h, 0C0h, 501h, 3Eh

1	pm9screw_mycryptkey dw 2B90h, 170h, 0C0h, 501h, 3Eh

Python解密

# coding:utf-8

import os
import shutil
import zlib

PM9SCREW = b'\tPM9SCREW\t'
PM9SCREW_LEN = len(PM9SCREW)
pm9screw_mycryptkey = [11152, 368, 192, 1281, 62]
cryptkey_len = len(pm9screw_mycryptkey)


def decrypt(path, write=True):
    data = bytearray(open(path, 'rb').read())

    if len(data) < PM9SCREW_LEN:
        return False

    if data[:PM9SCREW_LEN] != PM9SCREW:
        return False
    data = data[PM9SCREW_LEN:]
    data_len = len(data)
    out = bytearray(data_len)
    for i in range(data_len):
        out[i] = (pm9screw_mycryptkey[(data_len - i) % cryptkey_len]
                  ^ (~data[i])) % 256
    try:
        new = zlib.decompress(out)
    except TypeError:
        new = zlib.decompress(bytes(out)).encode()
    if write:
        shutil.move(path, path + ".bak")
        open(path, 'wb').write(new)
    else:
        print(new)


def multi_decrypt(path):
    if not os.path.exists(path):
        print('Error: %s not Found.' % path)
        return

    if os.path.isdir(path):
        folder = os.walk(path)

        for fpathe, dirs, fs in folder:
            for f in fs:
                if f.endswith('.php'):
                    decrypt(os.path.join(fpathe, f), True)
    else:
        decrypt(path)


if __name__ == '__main__':
    multi_decrypt('./')