ionCube,一款PHP加密工具。有试用版Encoder,Decoder是免费的。试用版Encoder本身有14天试用期,很容易剁,参看:
《去除试用版ioncube_encoder_xxx_64的14天限制》
http://scz.617.cn:8/web/202104141608.txt
$ ./ioncube_encoder_xxx_64_scz hello.php -o hello_enc.php
这样生成的hello_enc.php只有36小时可用,也可以剁。可能有多种办法,本文简述其中一种逆向思路。
$ php -c php.ini -f hello_enc.php
PHP Fatal error:
The encoded file hello_enc.php has expired.
in Unknown on line 0
strace -v -i -f -ff -o hello_enc.log php -c php.ini -f hello_enc.php
从strace日志看,只有一个write(2,x),可以设断
catch syscall write
不用针对句柄设条件断点。
gdb -q -nx -x /tmp/gdbinit_x64.txt -x "/tmp/ShellPipeCommand.py" -x "/tmp/GetOffset.py" -ex 'display/5i $pc' phpcatch syscall write
r -c php.ini -f hello_enc.php
(gdb) bt
#0 0x00007ffff4e2ba90 in __write_nocancel () from /lib64/libc.so.6
#1 0x00007ffff4db62f3 in _IO_new_file_write () from /lib64/libc.so.6
#2 0x00007ffff4db6b90 in __GI__IO_file_xsputn () from /lib64/libc.so.6
#3 0x00007ffff4d89f1d in buffered_vfprintf () from /lib64/libc.so.6
#4 0x00007ffff4d8486e in vfprintf () from /lib64/libc.so.6
#5 0x00007ffff4e52215 in __fprintf_chk () from /lib64/libc.so.6
#6 0x0000555555618c5e in php_log_err_with_severity
#7 0x0000555555618f87 in php_error_cb
#8 0x000055555561ad8f in zend_error
#9 0x00007fffed33cb35 in ?? () from ioncube_loader_lin_7.x.so
#10 0x00007fffed33957c in ?? () from ioncube_loader_lin_7.x.so
#11 0x00007fffed2f2662 in ?? () from ioncube_loader_lin_7.x.so
#12 0x00005555557f1eac in zend_execute_scripts
#13 0x000055555578d730 in php_execute_script
#14 0x0000555555899c8c in do_cli
#15 0x000055555561e0aa in main
(gdb) i r rdi rsi rdx
rdi 0x2 2
rsi 0x7fffffff8050 140737488322640
rdx 0x67 103
(gdb) x/s $rsi
0x7fffffff8050: "PHP Fatal error: \nThe encoded file hello_enc.php has expired.\n in Unknown on line 0\n"
通过调用栈回溯中0x00007fffed33957c定位:
00007FFFED338EB9 48 8B 3D 00 2B 17 00 mov rdi, cs:off_7FFFED4AB9C0
00007FFFED338EC0 48 81 C7 28 01 00 00 add rdi, 128h ; env
00007FFFED338EC7 E8 8C C3 F5 FF call __setjmp
看到setjmp(),这种比较讨嫌,是从别处longjmp()过来的,一般都不在本函数中。在IDA中去找匹配的longjmp,可能需要一些*nix编程基本功,最终定位:
00007FFFED32DB80 somefunc
...
00007FFFED32DC2A 48 8B 3D 8F DD 17 00 mov rdi, cs:off_7FFFED4AB9C0
00007FFFED32DC31 BE 01 00 00 00 mov esi, 1 ; val
00007FFFED32DC36 48 89 9F F0 01 00 00 mov [rdi+1F0h], rbx
00007FFFED32DC3D 48 81 C7 28 01 00 00 add rdi, 128h ; env
00007FFFED32DC44 E8 0F 7E F6 FF call _longjmp
gdb -q -nx -x /tmp/gdbinit_x64.txt -x "/tmp/ShellPipeCommand.py" -x "/tmp/GetOffset.py" -ex 'display/5i $pc' phpcatch load ioncube_loader
r -c php.ini -f hello_enc.php
断点命中后对somefunc()增设断点。因为ioncube_loader_lin_7.x.so是动态加载的,无法在php的e_entry处直接对位于ioncube_loader_lin_7.x.so中的地址设断,gdb好像没有windbg的延迟断点一说?
可以不对somefunc()设断,直接对longjmp()设断,后者有符号,但忘了为什么我没这么干,本例调用libc!siglongjmp(),有兴趣者自行尝试。
b *0x7fffed32db80
c(gdb) bt
#0 0x00007fffed32db80 in ?? () from ioncube_loader_lin_7.x.so
#1 0x00007fffed32ea3c in ?? () from ioncube_loader_lin_7.x.so
#2 0x00007fffed338dc6 in ?? () from ioncube_loader_lin_7.x.so
#3 0x00007fffed338f0a in ?? () from ioncube_loader_lin_7.x.so
#4 0x00007fffed2f2662 in ?? () from ioncube_loader_lin_7.x.so
#5 0x00005555557f1eac in zend_execute_scripts
#6 0x000055555578d730 in php_execute_script
#7 0x0000555555899c8c in do_cli
#8 0x000055555561e0aa in main
(gdb) x/s $rdi
0x7fffffff6150: "\nThe encoded file hello_enc.php has expired.\n"
通过调用栈回溯中0x00007fffed338dc6可以定位一些检查时间的代码逻辑,其中一处是:
00007FFFED3383B1 48 8B 91 00 02 00 00 mov rdx, [rcx+200h]
00007FFFED3383B8 48 81 C2 80 51 01 00 add rdx, 86400
00007FFFED3383BF 48 39 C2 cmp rdx, rax
tb *0x7fffed3383b1
commands $bpnum
silent
set *(unsigned int*)($rcx+0x200)=$rax
c
end
通过断点热Patch,hello_enc.php得到执行。可以静态Patch:
$ rasm2 -a x86 -b 64 -s intel -o 0x7fffed3383b1 "mov [rcx+0x200],rax;jmp 0x7fffed3383c8"
48898100020000eb0e$ rasm2 -a x86 -b 64 -s intel -o 0x7fffed3383b1 -D 48898100020000eb0e
0x7fffed3383b1 7 48898100020000 mov qword [rcx + 0x200], rax
0x7fffed3383b8 2 eb0e jmp 0x7fffed3383c8
$ fc /b old new
XXXXXXX2: 8B 89
XXXXXXX3: 91 81
XXXXXXX8: 48 EB
XXXXXXX9: 81 0E
静态Patch只需要改4字节。
vi php.ini
zend_extension = ioncube_loader_lin_7.x_scz.so
为减少不必要的麻烦,本文只简述了逆向思路。如有疑问,请勿发问,就当没看过吧。
如有侵权请联系:admin#unsafe.sh