loveminds 发表于 2011 年 2 月 11 日 11:41:52

找到AKCMS的Powered藏身之处

render.inc.bin解码...不解释

<?php

// Product identity and licence-check state from the decoded render.inc.bin.
$sysname = 'AKCMS';
$sysedition = '3.6';
// Constant key that decodeauth() hands to ak_xor(); it ships inside this file.
$authkey = '2011';
// Decodes to the literal marker "[*akcms*]"; renderdata() appends it and renderhtml() strips it again.
$safecode = base64_decode('Wypha2Ntcypd');
$itemfields = array('title','shorttitle','aimurl','filename','category','section','template','author','source','dateline','pageview','picture','attach','comment','keywords','digest','data','orderby','orderby2','orderby3','orderby4');
// Local licence cache and the optional list of hosts to request a licence for.
$authfile = AK_ROOT.'configs/auth.php';
$authlist = AK_ROOT.'configs/auth.lst';
// 0 = no matching licence entry found; renderhtml() reads this flag.
$authsuccess = 0;
// Web requests only: value derived from the User-Agent header and the client address (its use is outside this listing).
if($__callmode == 'web') $_vc = ak_md5($_SERVER['HTTP_USER_AGENT']."\t".$_SERVER['REMOTE_ADDR'],1);
if(file_exists($authfile)) {
$auth = readfromfile($authfile);
$auth = decodeauth($auth);
if($auth != '') {
// Presumably a '#' means the payload ends with an 11-character expiry field -- TODO confirm the format.
if(strpos($auth,'#') !== false) {
// NOTE(review): $auth is shortened first, so $expire is cut from the already-truncated
// string and not from the removed tail. The two statements look swapped; confirm against
// the original file before relying on the expiry check.
$auth = substr($auth,0,-11);
$expire = substr($auth,-11);
// When the value compares lower than $thetime (set elsewhere) the cache file is blanked.
if($expire <$thetime) writetofile('',$authfile);
}
// The payload is a tab-separated list of entries.
$auths = explode("\t",$auth);
foreach($auths as $auth) {
// Non-web call modes succeed on the first entry without any host comparison.
if($__callmode != 'web') {
$authsuccess = 1;
break;
}
// Web mode: an entry matches the server address, the Host header, or a suffix of the Host header.
// NOTE(review): HTTP_HOST is taken from the request's Host header, and the suffix test has no
// '.' boundary, so an entry "example.com" also matches "notexample.com" (constructed sample).
// Comparing on a label boundary and against a configured site name would be stricter.
if($auth == $_SERVER['SERVER_ADDR']) $authsuccess = 1;
if($auth == $_SERVER['HTTP_HOST']) $authsuccess = 1;
if(strlen($_SERVER['HTTP_HOST']) >strlen($auth) &&substr($_SERVER['HTTP_HOST'],strlen($auth) * -1) == $auth) $authsuccess = 1;
if($authsuccess == 1) break;
}
}
// $auth is now either the decoded payload (when it was empty) or the last loop entry.
if($auth == ''&&empty($foreflag)) {
// Hosts to request a licence for: one per line from auth.lst, else this server's address and Host header.
if(file_exists($authlist)) {
$list = readfromfile($authlist);
$list = str_replace("\r\n","\n",$list);
$lists = explode("\n",$list);
}else {
$lists = array($_SERVER['SERVER_ADDR'],$_SERVER['HTTP_HOST']);
}
$lists = implode(',',$lists);
// NOTE(review): the request goes over plain http:// and the host list is concatenated into
// the query string without urlencode().
$authonline = readfromurl('http://auth.akcms.com/getauth.php?version='.$sysedition.'&key='.$lists);
// NOTE(review): a reply that starts with "<?php" and is longer than 41 bytes is written verbatim
// to configs/auth.php. Nothing visible here authenticates the sender or checks a signature, so
// whoever answers for that hostname (DNS, proxy, on-path device) decides the contents of a .php
// file under AK_ROOT. Operators should confirm that configs/ is not served or executed by the web
// server and that the file is only ever read as data, never included.
if(substr($authonline,0,5) == '<?php'&&strlen($authonline) >41) {
writetofile($authonline,$authfile);
exit('auth file update successfully,refresh now.');
}elseif($authonline == '') {
exit('auth file update error,please download auth file from <a href="http://auth.akcms.com/" target="_blank">http://auth.akcms.com/</a>');
}
}
}
// Drop the licence working variables from the global scope once the check has run.
unset($authkey,$auth,$auths,$authfile,$authlist,$expire);
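/**
 * Decode the contents of the licence cache file.
 *
 * Layout read by this function: characters 7..38 hold a 32-character hex MD5,
 * everything from offset 39 up to the last two characters is a base64 payload.
 * The first 7 and last 2 characters are skipped (presumably a PHP wrapper
 * around the data -- TODO confirm). The payload is base64-decoded, passed
 * through ak_xor() with the global $authkey, and accepted only when its MD5
 * equals the embedded digest.
 *
 * NOTE(review): the digest is an unkeyed MD5 and the XOR key is a constant in
 * this file, so the check detects accidental corruption only. It does not
 * authenticate who produced the file; that would need a signature verified
 * against a vendor public key.
 *
 * @param string $string Raw contents of the licence file.
 * @return string Decoded payload, or '' when the input is malformed or the digest does not match.
 */
function decodeauth($string)
{
    // Too short to hold the 39-character header, any payload and the 2-character trailer.
    if (!is_string($string) || strlen($string) <= 41) {
        return '';
    }

    $digest = substr($string, 7, 32);
    $payload = base64_decode(substr($string, 39, -2));
    $payload = ak_xor($payload, $GLOBALS['authkey']);

    // Strict comparison: with != two digests that both look numeric (for example
    // "0e" followed only by digits) are compared as numbers and can be reported
    // equal although the strings differ.
    if (md5($payload) !== $digest) {
        return '';
    }

    return $payload;
}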
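/**
 * Render a list of records through the template described by $options.
 *
 * Every field name found in any record becomes a "[name]" placeholder, each
 * record is substituted into the template returned by recursiontemplate(), and
 * the global $safecode marker is appended to the result.
 *
 * @param array $data    List of records (each an associative array of field => value).
 * @param array $options Reads 'emptymessage', and optionally 'colspan' and 'overflow'.
 * @return string Rendered HTML followed by $safecode, or $options['emptymessage'] when
 *                there are no records or no fields.
 */
function renderdata($data, $options)
{
    global $safecode;

    // Union of the field names of all records.
    $merged = array();
    foreach ($data as $value) {
        $merged = array_merge($merged, $value);
    }

    // Always an array: an empty $data now reaches the empty-message branch instead of
    // calling count() on an undefined variable, which is a TypeError on PHP 8.
    $keys = array_keys($merged);
    if (count($keys) == 0) {
        return $options['emptymessage'];
    }

    $array_templates = array();
    foreach ($keys as $key) {
        $array_templates[$key] = "[$key]";
    }

    $html = '';
    $i = 0;
    foreach ($data as $id => $record) {
        $template = recursiontemplate($options, $record);
        // NOTE(review): record values are substituted as-is. Any HTML escaping has to
        // happen before this point or inside the helpers, which are not visible here.
        $html .= ak_array_replace($array_templates, $record, $template);
        $i++;
        // Insert the row separator after every 'colspan' records, except after the last one.
        if (isset($options['colspan']) && $options['colspan'] > 0) {
            if ($i % $options['colspan'] == 0 && isset($data[$id + 1])) {
                $html .= $options['overflow'];
            }
        }
    }

    return $html . $safecode;
}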
// Final pass over a rendered page: adds markers for unlicensed installs, the statistics
// image, the "Powered by" block, replaces [*home*], and strips the $safecode marker.
//
// NOTE(review): several needles and replacement strings below are empty ('' / ""). They look
// like HTML-comment-style placeholder tokens that were lost when this listing was published,
// so the function as shown is not the code that actually runs. On PHP 8 strpos() with an
// empty needle returns 0, so the `=== false` branches would never execute as written.
function renderhtml($text,$pagevariables) {
global $lr,$homepage,$safecode,$setting_forbidstat,$authsuccess,$currenturl;
// Unlicensed install and neither the current URL nor the target file name ends in ".xml".
if(empty($authsuccess) &&substr($currenturl,-4) != '.xml'&&(empty($pagevariables['htmlfilename']) ||substr($pagevariables['htmlfilename'],-4) != '.xml')) {
if(strpos($text,'') === false) {
$text = preg_replace('/<\/body>/i',"{$lr}</body>",$text);
}
if(strpos($text,'') === false) $text .= "";
}
// Statistics are enabled unless $setting_forbidstat is set.
if(empty($setting_forbidstat)) {
if(strpos($text,'') === false) {
$text = preg_replace('/<\/body>/i',"{$lr}</body>",$text);
}
// Build the counter image for this page, or an empty string when no page id is known.
if(!empty($pagevariables['_pageid'])) {
$id = $pagevariables['_pageid'];
$type = $pagevariables['_pagetype'];
$inc = getinc($id,$type);
}else {
$inc = getinc();
}
$text = ak_replace('',$inc,$text);
}
$powered = '';
// NOTE(review): for unlicensed installs the block below adds inline JavaScript that, when the
// "Powered by" span cannot receive focus, loads http://www.akcms.com/powered.js into the page.
// That is third-party script fetched over plain HTTP with no integrity check, running in the
// site's origin for every visitor; operators should weigh that when deploying this version.
// As decoded, the script calls appendChild on the result of getElementsByTagName, which is a
// collection, so the injection would likely throw instead of loading anything -- TODO confirm.
if(empty($authsuccess)) $powered = "<!--akcms--><span id='poweredakcms'>Powered by <a href='http://www.akcms.com' target='_blank'>AKCMS</a></span><script>if(isVisible(document.getElementById('poweredakcms'))== false) {var html_doc = document.getElementsByTagName('head');var s = document.createElement(\"script\");
s.src = \"http://www.akcms.com/powered.js\";
html_doc.appendChild(s);} function isVisible(obj){try{obj.focus();}catch(e){return false;}
return true;}</script>";
$text = ak_replace('',$powered,$text);
$text = ak_replace('[*home*]',$homepage,$text);
$text = ak_replace('',"\n",$text);
// Remove the marker that renderdata() appended to each rendered list.
$text = str_replace($safecode,'',$text);
// A leading "<!--clearspace-->" (17 characters) sends the rest of the page through clearhtml().
if(substr($text,0,17) == '<!--clearspace-->') $text = clearhtml(substr($text,17));
return $text;
}
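/**
 * Build the hidden counter image that requests akcms_inc.php for a page.
 *
 * The id is percent-encoded before it is placed in the query string, so a value
 * containing quotes, spaces or markup cannot break out of the single-quoted src
 * attribute. Numeric ids and the "c<id>" category form are emitted unchanged.
 *
 * @param int|string $id   Page id; 0 (the default) produces no image.
 * @param string     $type 'category' prefixes the id with "c"; any other value uses the id as given.
 * @return string An <img> tag whose src still contains the [*home*] placeholder, or '' when $id is 0.
 */
function getinc($id = 0, $type = 'item')
{
    if ($id == 0) {
        return '';
    }
    if ($type == 'category') {
        $id = 'c' . $id;
    }

    // rawurlencode() leaves letters, digits and "-_.~" alone and encodes everything else.
    $param = rawurlencode((string) $id);

    return "<img style='display:none;' src='[*home*]akcms_inc.php?i={$param}' />";
}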
/**
 * Return the copyright footer linking to www.akcms.com.
 *
 * The product name and edition are read from the globals $sysname and $sysedition.
 *
 * @return string HTML snippet.
 */
function getcopyrightinfo()
{
    $product = $GLOBALS['sysname'];
    $edition = $GLOBALS['sysedition'];

    return "<center class='mininum' style='margin-top:5px;'>"
        . "<a href='http://www.akcms.com/' target='_blank'>"
        . 'Copyright &copy; 2007-2010 ' . $product . '&nbsp; ;' . $edition
        . '</a></center>';
}
?>

http://www.akcms.com/manual/auth-customer-powered-by-akcms.htm

算法摸清楚了,我到时搭伪装验证服务器

到时只要把auth.akcms.com做hosts,升级也不会再出现powered

loveminds 发表于 2011 年 2 月 11 日 11:42:46

本帖最后由 loveminds 于 2011-2-11 11:45 编辑

[*akcms*]为密码子(Safecode),为防止改变算法最好还是有哪位拿下 auth.akcms.com的Shell.或者在common.inc.php直接注释掉require_once AK_ROOT.'include/render.inc.bin';应该也可以

jackwalk 发表于 2011 年 2 月 11 日 20:51:24

下了先看看!!!

萧湘子 发表于 2011 年 2 月 11 日 22:26:23

:funk:太狠了吧,连版权都去?

loveminds 发表于 2011 年 2 月 12 日 11:04:35

本帖最后由 loveminds 于 2011-2-12 11:14 编辑

萧湘子 发表于 2011-2-11 22:26
太狠了吧,连版权都去?
基本上这些隐藏再深也难不倒姐,就算掘地三尺也要把它揪出来
像之前去除BBSMAX的用Ollydbg,去除ECShop的也是这样解密
不过Discuz/PHPWind等等比较厚道,用EditPlus即可完美去除
http://www.vtscn.net/forum-Killp-1.html效率中国的专区

cnhope 发表于 2011 年 3 月 17 日 01:27:17

本帖最后由 cnhope 于 2011-3-17 01:35 编辑

我都是偷偷解密咯自己研究的,楼主强悍,公开了。:lol
看到没有,人家的最新版已经注意到这个问题了。
人家要是修改加密方式,还得花心思去解密呢。还是别让人家知道的好。

loveminds 发表于 2011 年 3 月 18 日 00:30:42

本帖最后由 loveminds 于 2011-3-18 00:31 编辑

cnhope 发表于 2011-3-17 01:27
我都是偷偷解密咯自己研究的,楼主强悍,公开了。
看到没有,人家的最新版已经注意到这个问题了。
人 ...

没发到IM286.A5和52JSCN都算厚道了,这个没有加密的必要
任何一款单片机从理论上讲,攻击者均可利用足够的投资和时间来攻破,加密算法亦是如此..连芯片封装都可以剥除进行破译