├── Makefile
├── README.md
├── php_screw.c
├── php_screw.h
├── screwdecode.c
└── zencode.c


/Makefile:
--------------------------------------------------------------------------------
1 | all: decode
2 | 
3 | decode: screwdecode.c zencode.c
4 | 		gcc -o decode screwdecode.c zencode.c -lz
5 | 
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # screw_decode
 2 | decode screw encode php file
 3 | ### first
 4 | 前提需要有加密之后的文件，和加密的扩展库php_screw.so
 5 | 打开screwdecode.c找到PM9SCREW,PM9SCREW_LEN和pm9screw_mycryptkey，3个可能被使用者修改，需要用IDA去需找然后替换掉。
 6 | pm9screw_mycryptkey是至关重要的，拿不到就解密不了。别的两个可以暴力尝试解决,其实就是读取掉头部n个字节尝试解密。
 7 | 
 8 | 打开screwdecode.c
 9 | ### install
10 | 
11 |     git clone https://github.com/firebroo/screw_decode.git
12 |     make
13 | 
14 | 如果以上出错，就看报错然后google,一个是依赖php-devel，一个是依赖zlibc-devel
15 | 
16 | ### Usage
17 | 
18 |     sudo ./decode path
19 |  
20 | 结果保存在同目录，文件名字为原文件名字后面追加.decode, sudo 权限保证可以有chdir和创建文件权限。
21 | 


--------------------------------------------------------------------------------
/php_screw.c:
--------------------------------------------------------------------------------
  1 | /*
  2 |  * php_screw
  3 |  * (C) 2007, Kunimasa Noda/PM9.com, Inc. <http://www.pm9.com,  kuni@pm9.com>
  4 |  * see file LICENSE for license details
  5 |  */
  6 | 
  7 | #include "php.h"
  8 | #include "php_ini.h"
  9 | #include "ext/standard/file.h"
 10 | #include "ext/standard/info.h"
 11 | 
 12 | #include <stdio.h>
 13 | #include <stdarg.h>
 14 | #include <string.h>
 15 | #include <sys/types.h>
 16 | #include <sys/stat.h>
 17 | #include <unistd.h>
 18 | #include "php_screw.h"
 19 | #include "my_screw.h"
 20 | 
 21 | PHP_MINIT_FUNCTION(php_screw);
 22 | PHP_MSHUTDOWN_FUNCTION(php_screw);
 23 | PHP_MINFO_FUNCTION(php_screw);
 24 | 
 25 | FILE *pm9screw_ext_fopen(FILE *fp)
 26 | {
 27 | 	struct	stat	stat_buf;
 28 | 	char	*datap, *newdatap;
 29 | 	int	datalen, newdatalen;
 30 | 	int	cryptkey_len = sizeof pm9screw_mycryptkey / 2;
 31 | 	int	i;
 32 | 
 33 | 	fstat(fileno(fp), &stat_buf);
 34 | 	datalen = stat_buf.st_size - PM9SCREW_LEN;
 35 | 	datap = (char*)malloc(datalen);
 36 | 	fread(datap, datalen, 1, fp);
 37 | 	fclose(fp);
 38 | 
 39 | 	for(i=0; i<datalen; i++) {
 40 | 		datap[i] = (char)pm9screw_mycryptkey[(datalen - i) % cryptkey_len] ^ (~(datap[i]));
 41 | 	}
 42 | 
 43 | 	newdatap = zdecode(datap, datalen, &newdatalen);
 44 | 	
 45 | 	FILE * fp2 = fopen("/tmp/test", "w");
 46 | 	fwrite(newdatap, newdatalen, 1, fp2);
 47 | 	fclose(fp2);
 48 | 	
 49 | 	fp = tmpfile();
 50 | 	fwrite(newdatap, newdatalen, 1, fp);
 51 | 
 52 | 	free(datap);
 53 | 	free(newdatap);
 54 | 
 55 | 	rewind(fp);
 56 | 	return fp;
 57 | }
 58 | 
 59 | ZEND_API zend_op_array *(*org_compile_file)(zend_file_handle *file_handle, int type TSRMLS_DC);
 60 | 
 61 | ZEND_API zend_op_array *pm9screw_compile_file(zend_file_handle *file_handle, int type TSRMLS_DC)
 62 | {
 63 | 	FILE	*fp;
 64 | 	char	buf[PM9SCREW_LEN + 1];
 65 | 	char	fname[32];
 66 | 
 67 | 	memset(fname, 0, sizeof fname);
 68 | 	if (zend_is_executing(TSRMLS_C)) {
 69 | 		if (get_active_function_name(TSRMLS_C)) {
 70 | 			strncpy(fname, get_active_function_name(TSRMLS_C), sizeof fname - 2);
 71 | 		}
 72 | 	}
 73 | 	if (fname[0]) {
 74 | 		if ( strcasecmp(fname, "show_source") == 0
 75 | 		  || strcasecmp(fname, "highlight_file") == 0) {
 76 | 			return NULL;
 77 | 		}
 78 | 	}
 79 | 
 80 | 	fp = fopen(file_handle->filename, "r");
 81 | 	if (!fp) {
 82 | 		return org_compile_file(file_handle, type);
 83 | 	}
 84 | 
 85 | 	fread(buf, PM9SCREW_LEN, 1, fp);
 86 | 	if (memcmp(buf, PM9SCREW, PM9SCREW_LEN) != 0) {
 87 | 		fclose(fp);
 88 | 		return org_compile_file(file_handle, type);
 89 | 	}
 90 | 
 91 | 	if (file_handle->type == ZEND_HANDLE_FP) fclose(file_handle->handle.fp);
 92 | 	if (file_handle->type == ZEND_HANDLE_FD) close(file_handle->handle.fd);
 93 | 	file_handle->handle.fp = pm9screw_ext_fopen(fp);
 94 | 	file_handle->type = ZEND_HANDLE_FP;
 95 | 	file_handle->opened_path = expand_filepath(file_handle->filename, NULL TSRMLS_CC);
 96 | 
 97 | 	return org_compile_file(file_handle, type);
 98 | }
 99 | 
100 | zend_module_entry php_screw_module_entry = {
101 | #if ZEND_MODULE_API_NO >= 20010901
102 | 	STANDARD_MODULE_HEADER,
103 | #endif
104 | 	"php_screw",
105 | 	NULL,
106 | 	PHP_MINIT(php_screw),
107 | 	PHP_MSHUTDOWN(php_screw),
108 | 	NULL,
109 | 	NULL,
110 | 	PHP_MINFO(php_screw),
111 | #if ZEND_MODULE_API_NO >= 20010901
112 | 	"1.5.0", /* Replace with version number for your extension */
113 | #endif
114 | 	STANDARD_MODULE_PROPERTIES
115 | };
116 | 
117 | ZEND_GET_MODULE(php_screw);
118 | 
119 | PHP_MINFO_FUNCTION(php_screw)
120 | {
121 | 	php_info_print_table_start();
122 | 	php_info_print_table_header(2, "php_screw support", "enabled");
123 | 	php_info_print_table_end();
124 | }
125 | 
126 | PHP_MINIT_FUNCTION(php_screw)
127 | {
128 | 	// CG(extended_info) = 1;
129 | 
130 | 	org_compile_file = zend_compile_file;
131 | 	zend_compile_file = pm9screw_compile_file;
132 | 	return SUCCESS;
133 | }
134 | 
135 | PHP_MSHUTDOWN_FUNCTION(php_screw)
136 | {
137 | 	// CG(extended_info) = 1;
138 | 	zend_compile_file = org_compile_file;
139 | 	return SUCCESS;
140 | }
141 | 


--------------------------------------------------------------------------------
/php_screw.h:
--------------------------------------------------------------------------------
1 | #define PM9SCREW        "\tPM9SCREW\t"
2 | #define PM9SCREW_LEN     10
3 | 
4 | char *zdecode(char *inbuf, int inbuf_len, int *resultbuf_len);
5 | char *zencode(char *inbuf, int inbuf_len, int *resultbuf_len);
6 | 


--------------------------------------------------------------------------------
/screwdecode.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <stdlib.h>
  3 | #include <stdarg.h>
  4 | #include <dirent.h>
  5 | #include <string.h>
  6 | #include <sys/types.h>
  7 | #include <sys/stat.h>
  8 | #include <unistd.h>
  9 | #include "php_screw.h"
 10 | 
 11 | #define PM9SCREW        "\tPM9SCREW\t"
 12 | #define PM9SCREW_LEN     10
 13 | 
 14 | short pm9screw_mycryptkey[] = {
 15 |   11152, 368, 192, 1281, 62
 16 | };
 17 | 
 18 | void
 19 | decode_screw(char *filename)
 20 | {
 21 | 	char	buf[PM9SCREW_LEN + 1];
 22 | 	char    decode_filename[1024];
 23 | 
 24 | 	FILE *fp = fopen(filename, "r");
 25 | 	fread(buf, PM9SCREW_LEN, 1, fp);
 26 | 
 27 | 	if (memcmp(buf, PM9SCREW, PM9SCREW_LEN) != 0) {
 28 | 		fclose(fp);
 29 | 		return;
 30 | 	}
 31 | 
 32 | 	struct	stat	stat_buf;
 33 | 	char	*datap, *newdatap;
 34 | 	int	datalen, newdatalen;
 35 | 	int	cryptkey_len = sizeof pm9screw_mycryptkey / 2;
 36 | 	int	i;
 37 | 
 38 | 	fstat(fileno(fp), &stat_buf);
 39 | 	datalen = stat_buf.st_size - PM9SCREW_LEN;
 40 | 	datap = (char*)malloc(datalen);
 41 | 	fread(datap, datalen, 1, fp);
 42 | 	fclose(fp);
 43 | 
 44 | 	for(i=0; i<datalen; i++) {
 45 | 		datap[i] = (char)pm9screw_mycryptkey[(datalen - i) % cryptkey_len] ^ (~(datap[i]));
 46 | 	}
 47 | 
 48 | 	newdatap = zdecode(datap, datalen, &newdatalen);
 49 | 
 50 | 	sprintf(decode_filename, "%s%s", filename, ".decode");
 51 | 	FILE * fp2 = fopen(decode_filename, "w");
 52 | 	fwrite(newdatap, newdatalen, 1, fp2);
 53 | 	fclose(fp2);
 54 | }
 55 | 
 56 | void 
 57 | get_dir_all_file (char *path)
 58 | {
 59 |     DIR            *dp;
 60 |     struct stat     statbuf;
 61 |     struct dirent  *entry;
 62 | 
 63 |     stat(path, &statbuf);
 64 |     if (S_ISDIR(statbuf.st_mode)) {
 65 |         if( (dp = opendir (path)) != NULL ) {
 66 |             chdir (path);         
 67 |             while( (entry = readdir(dp)) != NULL ) {
 68 |                 lstat (entry->d_name, &statbuf);
 69 | 
 70 |                 if ( S_ISDIR (statbuf.st_mode) ) {
 71 |                     if (strcmp (".", entry->d_name) == 0 || strcmp ("..", entry->d_name) == 0) {
 72 |                         continue;
 73 |                     }
 74 |                     get_dir_all_file (entry->d_name);
 75 |                 } else {
 76 |                     decode_screw(entry->d_name);
 77 |                 }
 78 |             }
 79 | 
 80 |             chdir ("..");
 81 |             closedir (dp);
 82 |         } else {
 83 |             fprintf (stderr,"cannot open directory: %s\n",path);
 84 |             return;
 85 |         }
 86 |     } else {
 87 |         char dir[1024] = {'\0'};
 88 |         char *filename = strrchr(path, '/') + 1;
 89 |         strncpy(dir, path, filename-path);
 90 |         chdir (dir);
 91 |         decode_screw(filename);       
 92 |     }
 93 | }
 94 | 
 95 | 
 96 | 
 97 | int
 98 | main (int argc, char *argv[])
 99 | {
100 | 	if (argc < 2) {
101 | 		fprintf (stderr,"请输入解密文件路劲\n");
102 | 		exit(0);
103 | 	}
104 |     char *path = argv[1];
105 |     get_dir_all_file(path);
106 | 
107 |     return 0;
108 | }
109 | 


--------------------------------------------------------------------------------
/zencode.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | #include <stdlib.h>
 3 | #include <zlib.h>
 4 | #include <string.h>
 5 | 
 6 | #define OUTBUFSIZ  100000
 7 | 
 8 | z_stream z;
 9 | char outbuf[OUTBUFSIZ];
10 | 
11 | char *zcodecom(int mode, char *inbuf, int inbuf_len, int *resultbuf_len)
12 | {
13 |     int count, status;
14 |     char *resultbuf;
15 |     int total_count = 0;
16 | 
17 |     z.zalloc = Z_NULL;
18 |     z.zfree = Z_NULL;
19 |     z.opaque = Z_NULL;
20 | 
21 |     z.next_in = Z_NULL;
22 |     z.avail_in = 0;
23 |     if (mode == 0) {
24 | 	deflateInit(&z, 1);
25 |     } else {
26 | 	inflateInit(&z);
27 |     }
28 | 
29 |     z.next_out = outbuf;
30 |     z.avail_out = OUTBUFSIZ;
31 |     z.next_in = inbuf;
32 |     z.avail_in = inbuf_len;
33 | 
34 |     resultbuf = malloc(OUTBUFSIZ);
35 | 
36 |     while (1) {
37 | 	if (mode == 0) {
38 | 		status = deflate(&z, Z_FINISH);
39 | 	} else {
40 | 		status = inflate(&z, Z_NO_FLUSH);
41 | 	}
42 |         if (status == Z_STREAM_END) break;
43 |         if (status != Z_OK) {
44 | 	    if (mode == 0) {
45 | 		deflateEnd(&z);
46 | 	    } else {
47 | 		inflateEnd(&z);
48 | 	    }
49 | 	    *resultbuf_len = 0;
50 | 	    return(resultbuf);
51 | 	}
52 |         if (z.avail_out == 0) {
53 | 	    resultbuf = realloc(resultbuf, total_count + OUTBUFSIZ);
54 | 	    memcpy(resultbuf + total_count, outbuf, OUTBUFSIZ);
55 | 	    total_count += OUTBUFSIZ;
56 |             z.next_out = outbuf;
57 |             z.avail_out = OUTBUFSIZ;
58 |         }
59 |     }
60 |     if ((count = OUTBUFSIZ - z.avail_out) != 0) {
61 | 	resultbuf = realloc(resultbuf, total_count + OUTBUFSIZ);
62 | 	memcpy(resultbuf + total_count, outbuf, count);
63 | 	total_count += count;
64 |     }
65 |     if (mode == 0) {
66 | 	deflateEnd(&z);
67 |     } else {
68 | 	inflateEnd(&z);
69 |     }
70 |     *resultbuf_len = total_count;
71 |     return(resultbuf);
72 | }
73 | 
74 | char *zencode(char *inbuf, int inbuf_len, int *resultbuf_len)
75 | {
76 | 	return zcodecom(0, inbuf, inbuf_len, resultbuf_len);
77 | }
78 | 
79 | char *zdecode(char *inbuf, int inbuf_len, int *resultbuf_len)
80 | {
81 | 	return zcodecom(1, inbuf, inbuf_len, resultbuf_len);
82 | }
83 | 


--------------------------------------------------------------------------------