找到AKCMS的Powered藏身之处

loveminds

render.inc.bin解码...不解释

1. <?php
   
2. 
   
3. $sysname = 'AKCMS';
   
4. $sysedition = '3.6';
   
5. $authkey = '2011';
   
6. $safecode = base64_decode('Wypha2Ntcypd');
   
7. $itemfields = array('title','shorttitle','aimurl','filename','category','section','template','author','source','dateline','pageview','picture','attach','comment','keywords','digest','data','orderby','orderby2','orderby3','orderby4');
   
8. $authfile = AK_ROOT.'configs/auth.php';
   
9. $authlist = AK_ROOT.'configs/auth.lst';
   
10. $authsuccess = 0;
    
11. if($__callmode == 'web') $_vc = ak_md5($_SERVER['HTTP_USER_AGENT']."\t".$_SERVER['REMOTE_ADDR'],1);
    
12. if(file_exists($authfile)) {
    
13. $auth = readfromfile($authfile);
    
14. $auth = decodeauth($auth);
    
15. if($auth != '') {
    
16. if(strpos($auth,'#') !== false) {
    
17. $auth = substr($auth,0,-11);
    
18. $expire = substr($auth,-11);
    
19. if($expire <$thetime) writetofile('',$authfile);
    
20. }
    
21. $auths = explode("\t",$auth);
    
22. foreach($auths as $auth) {
    
23. if($__callmode != 'web') {
    
24. $authsuccess = 1;
    
25. break;
    
26. }
    
27. if($auth == $_SERVER['SERVER_ADDR']) $authsuccess = 1;
    
28. if($auth == $_SERVER['HTTP_HOST']) $authsuccess = 1;
    
29. if(strlen($_SERVER['HTTP_HOST']) >strlen($auth) &&substr($_SERVER['HTTP_HOST'],strlen($auth) * -1) == $auth) $authsuccess = 1;
    
30. if($authsuccess == 1) break;
    
31. }
    
32. }
    
33. if($auth == ''&&empty($foreflag)) {
    
34. if(file_exists($authlist)) {
    
35. $list = readfromfile($authlist);
    
36. $list = str_replace("\r\n","\n",$list);
    
37. $lists = explode("\n",$list);
    
38. }else {
    
39. $lists = array($_SERVER['SERVER_ADDR'],$_SERVER['HTTP_HOST']);
    
40. }
    
41. $lists = implode(',',$lists);
    
42. $authonline = readfromurl('http://auth.akcms.com/getauth.php?version='.$sysedition.'&key='.$lists);
    
43. if(substr($authonline,0,5) == '<?php'&&strlen($authonline) >41) {
    
44. writetofile($authonline,$authfile);
    
45. exit('auth file update successfully,refresh now.');
    
46. }elseif($authonline == '') {
    
47. exit('auth file update error,please download auth file from <a href="http://auth.akcms.com/" target="_blank">http://auth.akcms.com/</a>');
    
48. }
    
49. }
    
50. }
    
51. unset($authkey,$auth,$auths,$authfile,$authlist,$expire);
    
52. function decodeauth($string) {
    
53. $base64 = substr($string,39,-2);
    
54. $md5 = substr($string,7,32);
    
55. $string = base64_decode($base64);
    
56. $string = ak_xor($string,$GLOBALS['authkey']);
    
57. if(md5($string) != $md5) $string = '';
    
58. return $string;
    
59. }
    
60. function renderdata($data,$options) {
    
61. global $safecode;
    
62. $html = '';
    
63. $array_templates = array();
    
64. $_array = array();
    
65. foreach($data as $value) {
    
66. $_array = array_merge($_array,$value);
    
67. }
    
68. if(count($data) >0) $keys = array_keys($_array);
    
69. if(count($keys) == 0) return $options['emptymessage'];
    
70. foreach($keys as $key) {
    
71. $array_templates[$key] = "[$key]";
    
72. }
    
73. $i = 0;
    
74. foreach($data as $id =>$record) {
    
75. $template = recursiontemplate($options,$record);
    
76. $html .= ak_array_replace($array_templates,$record,$template);
    
77. $i ++;
    
78. if(isset($options['colspan']) &&$options['colspan'] >0) {
    
79. if($i %$options['colspan'] == 0 &&isset($data[$id +1])) $html .= $options['overflow'];
    
80. }
    
81. }
    
82. return $html.$safecode;
    
83. }
    
84. function renderhtml($text,$pagevariables) {
    
85. global $lr,$homepage,$safecode,$setting_forbidstat,$authsuccess,$currenturl;
    
86. if(empty($authsuccess) &&substr($currenturl,-4) != '.xml'&&(empty($pagevariables['htmlfilename']) ||substr($pagevariables['htmlfilename'],-4) != '.xml')) {
    
87. if(strpos($text,'[powered]') === false) {
    
88. $text = preg_replace('/<\/body>/i',"[powered]{$lr}</body>",$text);
    
89. }
    
90. if(strpos($text,'[powered]') === false) $text .= "[powered]";
    
91. }
    
92. if(empty($setting_forbidstat)) {
    
93. if(strpos($text,'[inc]') === false) {
    
94. $text = preg_replace('/<\/body>/i',"[inc]{$lr}</body>",$text);
    
95. }
    
96. if(!empty($pagevariables['_pageid'])) {
    
97. $id = $pagevariables['_pageid'];
    
98. $type = $pagevariables['_pagetype'];
    
99. $inc = getinc($id,$type);
    
100. }else {
     
101. $inc = getinc();
     
102. }
     
103. $text = ak_replace('[inc]',$inc,$text);
     
104. }
     
105. $powered = '';
     
106. if(empty($authsuccess)) $powered = "<!--akcms--><span id='poweredakcms'>Powered by <a href='http://www.akcms.com' target='_blank'>AKCMS</a></span><script>if(isVisible(document.getElementById('poweredakcms'))== false) {var html_doc = document.getElementsByTagName('head')[0];var s = document.createElement("script");
     
107. s.src = "http://www.akcms.com/powered.js";
     
108. html_doc.appendChild(s);} function isVisible(obj){try{obj.focus();}catch(e){return false;}
     
109. return true;}</script>";
     
110. $text = ak_replace('[powered]',$powered,$text);
     
111. $text = ak_replace('[*home*]',$homepage,$text);
     
112. $text = ak_replace('[n]',"\n",$text);
     
113. $text = str_replace($safecode,'',$text);
     
114. if(substr($text,0,17) == '<!--clearspace-->') $text = clearhtml(substr($text,17));
     
115. return $text;
     
116. }
     
117. function getinc($id = 0,$type = 'item') {
     
118. if($id == 0) return '';
     
119. if($type == 'category') $id = 'c'.$id;
     
120. $return = "<img style='display:none;' src='[*home*]akcms_inc.php?i={$id}' />";
     
121. return $return;
     
122. }
     
123. function getcopyrightinfo() {
     
124. return "<center class='mininum' style='margin-top:5px;'><a href='http://www.akcms.com/' target='_blank'>Copyright &copy; 2007-2010 {$GLOBALS['sysname']}&nbsp; ;{$GLOBALS['sysedition']}</a></center>";
     
125. }
     
126. ?>

复制代码

http://www.akcms.com/manual/auth-customer-powered-by-akcms.htm算法摸清楚了,我到时搭伪装验证服务器

到时只要把auth.akcms.com做hosts,升级也不会再出现powered

loveminds

[*akcms*]为密码子(Safecode),为防止改变算法最好还是有哪位拿下 auth.akcms.com的Shell.或者在common.inc.php直接注释掉require_once AK_ROOT.'include/render.inc.bin';应该也可以

jackwalk

下了先看看！！！

萧湘子

太狠了吧，连版权都去？

loveminds

萧湘子 发表于 2011-2-11 22:26

                               
登录/注册后可看大图

太狠了吧，连版权都去？

基本上这些隐藏再深也难不倒姐,就算掘地三尺也要把它揪出来
像之前去除BBSMAX的用Ollydbg,去除ECShop的也是这样解密
不过Discuz/PHPWind等等比较厚道,用EditPlus即可完美去除
http://www.vtscn.net/forum-Killp-1.html  效率中国的专区

cnhope

我都是偷偷解密咯自己研究的，楼主强悍，公开了。
看到没有，人家的最新版已经注意到这个问题了。
人家要是修改加密方式，还得花心思去解密呢。还是别让人家知道的好。

loveminds

cnhope 发表于 2011-3-17 01:27

                               
登录/注册后可看大图

我都是偷偷解密咯自己研究的，楼主强悍，公开了。
看到没有，人家的最新版已经注意到这个问题了。
人 ...

没发到IM286.A5和52JSCN都算厚道了,这个没有加密的必要
任何一款单片机从理论上讲，攻击者均可利用足够的投资和时间来攻破,加密算法亦是如此..连芯片封装都可以剥除进行破译