PHP XOR bypass of preg_match()

Principle
Used when building an evasive webshell (免杀马), for example:
     When building an evasive webshell, a PHP language feature helps: a character used in a calculation is converted to the bool type, and when a bool meets an arithmetic operator, true is automatically converted to the number 1 and false to the number 0. Doing arithmetic on bool values, turning the results into characters with chr(), and joining them with "." can bypass a preg_match check.
Learn more about the ways PHP differs from other languages.
     But many preg_match filters block ".", so the XOR operation is needed to bypass them; many evasive webshells are built this way. In PHP, XOR on characters first converts them to their ASCII codes and XORs those; XOR on two strings works byte by byte: "123" ^ "abc" XORs "1" with "a", then "2" with "b", and so on, so XORing the right operands yields whatever string you want.
     Caution: when the XORed value has to become a digit character, note that if a number (int) is XORed with a character the result is a number, e.g. 1 ^ "a" = 1; the trim() function can be used to convert the number to a string.
Expansion:
PHP feature: undefined constants. Characters without quotes are automatically treated as strings, and bytes with ASCII code greater than 0x7F are treated as strings as well. This simplifies the XOR process: XORing any character with 0xff inverts its bits, so the amount of calculation is reduced.

Passing characters blocked by preg_match through GET or POST, for example:
    Inside PHP's eval(), an expression like "abc" ^ "def" is evaluated during execution.
    Note 1: a problem found during testing: for something like phpinfo();, the () must follow the first parameter, e.g. the URL ?a=${_GET}{b}();&b=phpinfo, i.e. ?a=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo. What is actually passed is ${????^????}{?}();, but inside eval() it becomes ${_GET}{?}(); and executes successfully.
    Note 2: testing showed that the value inside traditional parentheses is not calculated, because the parentheses are also passed in as a string; {} can be used instead. Because of PHP's undefined-constant feature, ${_GET}{a} is not judged an error by PHP: the {} is treated as variable access, and _GET is automatically seen as the string "_GET", i.e. $_GET['a'].
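The two PHP behaviours the notes rely on (byte-wise string XOR, and an int operand forcing an int result) are easy to get wrong when reviewing logs, so here is an added example, not part of the original writeup, that emulates PHP's `^` in Python and uses it to recover the identifier hidden in an XOR-obfuscated request parameter, the way a log reviewer or WAF rule author would. The function names, the watch-list and the sample query string (taken from the demo below) are constructed for this example.

```python
# Added example (not from the original writeup): emulate PHP's `^` operator
# and use it to recover identifiers hidden in XOR-obfuscated request
# parameters. Function names, the watch-list and the sample query string
# are constructed for this example.
import re
from urllib.parse import unquote_to_bytes


def _php_int(v):
    """PHP's (int) cast on an operand: ints pass through, strings keep only a
    leading numeric prefix, anything else becomes 0 (so "a" -> 0)."""
    if isinstance(v, int):
        return v
    m = re.match(rb"\s*[+-]?\d+", v)
    return int(m.group()) if m else 0


def php_xor(a, b):
    """Emulate PHP's `^`.

    - string ^ string: byte-wise XOR, result truncated to the shorter operand
      ("123" ^ "abc" -> "PPP").
    - int involved: both sides are cast to int and an int comes back
      (1 ^ "a" -> 1), which is the caveat the writeup warns about.
    Strings are handled as bytes, matching PHP's byte strings.
    """
    if isinstance(a, int) or isinstance(b, int):
        return _php_int(a) ^ _php_int(b)
    n = min(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a[:n], b[:n]))


# A run of bytes >= 0x80 on each side of a literal `^`; the writeup's payload
# uses 0xff-masked bytes so that every byte falls outside the blocked ranges.
XOR_PAIR = re.compile(rb"([\x80-\xff]+)\^([\x80-\xff]+)")


def recover_xor_literals(raw_query):
    """URL-decode a raw query string (as PHP would) and evaluate every
    high-bit `X^Y` pair the way PHP's `^` does inside eval().
    Returns the recovered plaintexts as latin-1 strings, in order."""
    decoded = unquote_to_bytes(raw_query)
    return [php_xor(m.group(1), m.group(2)).decode("latin-1")
            for m in XOR_PAIR.finditer(decoded)]


# Constructed watch-list: identifiers that should never need to be assembled
# at run time from a request parameter.
WATCHLIST = {"_GET", "_POST", "_REQUEST", "_COOKIE", "eval", "assert", "system"}


def scan_request(raw_query):
    """Return (all recovered literals, those on the watch-list)."""
    recovered = recover_xor_literals(raw_query)
    return recovered, [r for r in recovered if r in WATCHLIST]


if __name__ == "__main__":
    # Constructed sample: the query string from the writeup's demo.
    sample = "_=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo"
    recovered, hits = scan_request(sample)
    print("recovered:", recovered, "flagged:", hits)  # recovered: ['_GET'] flagged: ['_GET']
```

The decoder deliberately mirrors PHP rather than doing a generic XOR: the truncation to the shorter operand and the int-cast rule are exactly what decide whether a captured parameter would have produced `_GET` or just the number 0 when it reached eval(), so a rule built on this emulation matches what the interpreter would actually have done.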

Demo
SUCTF EasyPHP
<?php
$hhh = @$_GET['_'];
if (!$hhh) {
    highlight_file(__FILE__);
}
if (strlen($hhh) > 18) {
    die('One inch long, one inch strong!');
}
if (preg_match('/[\x00- 0-9A-Za-z\'"\`~_&.,|=[\x7F]+/i', $hhh))
    die('Try something else!');
// count_chars($hhh, 3) returns the distinct bytes used in the input; this
// line is missing from the page as extracted and is restored from the
// challenge source so that $character_type below is defined.
$character_type = count_chars($hhh, 3);
if (strlen($character_type) > 12) die("Almost there!");
eval($hhh);
?>
The user passes ?_=${%ff%ff%ff%ff^%a0%b8%ba%ab}{%ff}();&%ff=phpinfo
and the page successfully displays phpinfo.

Origin www.cnblogs.com/cimuhuashuimu/p/11546422.html