WordPress 等で見つかった PHP のマルウェア・ウィルス・改ざんコードをオンラインでデコードして難読化を解除し、
元の読みやすいコードに戻して解読できます。
<?php
/*
 * Obfuscated sample, kept exactly as submitted to the decoder.
 *
 * Obfuscation used:
 *   - Control flow is flattened with goto labels. Following the jumps gives
 *     the real order: oImXh (error_reporting(0)) -> Oublu (timezone) ->
 *     h_v27 (declares coday()) -> Bpz82 (loads data.txt with file()) ->
 *     C5heD (the while (true) loop). The trailing "goto AYfrH" is never
 *     reached because the loop contains no break.
 *   - Every string literal is written as mixed octal/hex escapes inside
 *     double quotes. PHP resolves these at parse time, so no runtime decoder
 *     (eval, base64_decode, gzinflate, ...) appears anywhere in the sample.
 *
 * What the visible code does:
 *   - Reads one token per line from data.txt and sends each one in a
 *     "telegram-data" request header to endpoints under
 *     https://elb.seeddao.org/api/v1/ (latest-message, mystery-box my-box and
 *     open, seed/claim, profile/balance, tasks/<id>, tasks/notification/<id>).
 *   - Reads task ids from tasks.json, prints one ANSI-coloured status line per
 *     token, sleeps 300 seconds and repeats indefinitely.
 *   - error_reporting(0) hides every PHP warning, so request or JSON failures
 *     are invisible apart from the echoed status text.
 *
 * Triage notes: nothing here reads web request input, writes files or loads
 * further code; the script acts purely as an HTTP client. Useful pointers when
 * it turns up on a host are the recurring outbound HTTPS requests to the host
 * above from a PHP process and the plaintext token file (data.txt) it reads
 * from its working directory.
 *
 * The second argument of file() below is the integer expression
 * FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES (bare constants, not a string).
 */
goto oImXh; h_v27: function coday($url, $headers, $isPost = false, $postData = null) { $ch = curl_init($url); if ($isPost) { curl_setopt($ch, CURLOPT_POST, true); if ($postData) { curl_setopt($ch, CURLOPT_POSTFIELDS, $postData); } } curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); $response = curl_exec($ch); curl_close($ch); return $response; } goto Bpz82; C5heD: while (true) { foreach ($tokens as $index => $token) { $acc = $index + 1; $headers = array("\72\141\x75\x74\150\x6f\162\151\164\171\72\x20\145\x6c\142\56\x73\145\x65\144\144\x61\x6f\x2e\157\162\147", "\72\x6d\x65\164\150\x6f\144\x3a\40\120\x4f\123\124", "\72\160\141\164\x68\x3a\40\x2f\141\160\151\57\166\x31\x2f\163\x65\x65\144\x2f\x63\154\141\x69\x6d", "\72\163\143\x68\x65\x6d\145\x3a\x20\150\164\164\160\163", "\x41\x63\x63\x65\160\164\72\40\x61\x70\x70\x6c\x69\x63\x61\x74\x69\157\156\x2f\152\163\157\x6e\x2c\40\164\x65\x78\x74\57\x70\154\x61\151\156\54\x20\52\57\52", "\101\143\143\x65\x70\x74\55\x45\x6e\x63\x6f\144\151\x6e\x67\x3a\40\x67\x7a\151\160\x2c\x20\144\x65\146\154\141\164\x65\x2c\40\142\162\54\x20\172\163\x74\x64", "\x41\x63\x63\x65\x70\164\55\x4c\141\x6e\x67\x75\141\147\145\72\x20\145\x6e\x2d\x55\x53\x2c\145\156\73\161\x3d\60\x2e\x39", "\x43\157\156\164\145\156\164\55\114\145\156\x67\x74\x68\72\40\60", "\117\x72\x69\147\x69\x6e\72\40\x68\x74\x74\160\x73\72\x2f\x2f\x63\146\x2e\x73\145\145\x64\x64\141\157\56\157\x72\147", "\120\x72\151\157\162\151\x74\171\72\40\165\75\61\54\x20\x69", "\x52\145\146\145\x72\145\162\72\x20\150\164\x74\x70\x73\72\x2f\x2f\143\146\x2e\x73\x65\145\144\144\x61\x6f\56\x6f\162\x67\57", 
"\x53\x65\x63\x2d\x43\150\x2d\125\x61\x3a\x20\x22\x4e\x6f\164\x2f\x41\x29\102\x72\141\156\x64\x22\x3b\166\x3d\x22\70\x22\54\40\42\x43\150\x72\157\x6d\x69\165\155\42\x3b\x76\75\x22\61\62\x36\42\54\x20\42\x4d\x69\143\x72\x6f\163\x6f\x66\164\40\105\144\x67\x65\x22\x3b\x76\75\42\61\62\x36\42\54\40\x22\115\x69\143\x72\x6f\x73\x6f\146\x74\40\105\x64\147\145\40\127\x65\142\x56\151\145\167\62\42\73\x76\75\x22\x31\x32\x36\x22", "\123\x65\x63\55\103\x68\55\125\x61\55\x4d\x6f\x62\151\x6c\145\72\40\77\x30", "\123\x65\x63\x2d\x43\150\55\x55\x61\x2d\x50\154\141\x74\146\x6f\162\x6d\x3a\40\42\x57\151\x6e\x64\x6f\167\x73\x22", "\123\x65\x63\55\x46\x65\164\143\150\x2d\104\x65\x73\x74\72\40\145\x6d\x70\164\171", "\x53\x65\143\x2d\106\145\164\x63\x68\55\x4d\x6f\x64\145\x3a\40\x63\x6f\162\x73", "\x53\145\143\55\x46\x65\x74\x63\x68\55\x53\x69\164\x65\x3a\x20\163\x61\155\145\x2d\163\x69\x74\145", "\164\145\154\x65\147\162\141\155\55\x64\x61\x74\141\72\x20" . $token, "\x55\x73\145\x72\55\x41\147\145\x6e\164\72\40\x4d\157\x7a\151\x6c\154\141\57\x35\56\x30\x20\50\x57\x69\x6e\144\x6f\167\163\x20\x4e\124\40\x31\x30\56\x30\x3b\40\127\151\156\66\64\73\x20\170\66\64\51\x20\101\x70\160\154\x65\x57\x65\142\113\x69\x74\57\65\x33\x37\x2e\63\x36\40\50\x4b\x48\124\115\114\54\40\154\x69\153\x65\x20\107\x65\x63\153\x6f\51\x20\103\x68\x72\x6f\x6d\145\57\61\62\66\x2e\x30\56\x30\56\x30\40\x53\x61\146\141\x72\151\57\65\x33\67\x2e\x33\x36\x20\105\144\147\x2f\61\x32\x36\56\x30\56\60\x2e\60"); $date = date("\144\55\155\x2d\x59\40\110\x3a\x69\x3a\x73"); $latestMessage = coday("\x68\x74\164\160\x73\x3a\x2f\x2f\x65\x6c\142\x2e\x73\x65\145\x64\x64\x61\x6f\56\x6f\x72\x67\x2f\141\x70\x69\57\x76\x31\x2f\x6c\x61\x74\145\x73\x74\55\155\145\x73\163\x61\x67\145", $headers); $jsM = json_decode($latestMessage, true); $myBox = 
coday("\150\164\x74\x70\163\x3a\57\57\x65\154\142\x2e\163\x65\145\x64\144\x61\157\56\157\162\x67\x2f\x61\x70\151\x2f\166\x31\x2f\x62\145\164\x61\55\147\162\141\164\x69\x74\165\x64\x65\55\155\x79\x73\164\x65\162\171\x2d\x62\157\170\57\155\171\x2d\x62\x6f\x78", $headers); $jsBox = json_decode($myBox, true); $openBox = coday("\150\164\x74\160\163\x3a\57\57\x65\154\142\x2e\163\145\145\x64\x64\141\x6f\x2e\157\162\x67\57\141\x70\151\x2f\166\61\57\x62\x65\164\141\x2d\x67\x72\x61\x74\x69\x74\x75\x64\145\55\x6d\x79\x73\164\x65\x72\171\x2d\142\157\x78\57\157\160\145\x6e", $headers, true, json_encode(array("\x74\x79\x70\145" => "\143\157\155\155\157\x6e"))); $jsOpenBox = json_decode($openBox, true); $claim = coday("\150\x74\164\160\x73\72\x2f\x2f\x65\154\142\56\163\x65\x65\144\x64\141\x6f\56\x6f\162\147\x2f\141\x70\151\57\x76\x31\x2f\163\x65\x65\x64\57\x63\x6c\x61\x69\x6d", $headers, true); $jsC = json_decode($claim, true); $balance = coday("\x68\164\x74\160\163\72\57\x2f\x65\x6c\142\56\163\x65\145\144\144\141\x6f\56\x6f\162\147\57\x61\160\x69\x2f\x76\61\x2f\x70\x72\157\x66\151\x6c\x65\57\142\x61\154\141\156\143\x65", $headers); $jsB = json_decode($balance, true); $tasks = json_decode(file_get_contents("\164\x61\163\153\x73\x2e\152\163\x6f\x6e"), true); foreach ($tasks as $task) { $taskId = $task["\151\144"]; $completeTask = coday("\x68\164\x74\160\x73\72\57\x2f\145\154\x62\56\163\145\145\x64\144\x61\x6f\56\157\162\x67\x2f\141\x70\151\57\x76\61\x2f\164\x61\163\153\x73\x2f{$taskId}", $headers, true); $jsT = json_decode($completeTask, true); if (isset($jsT["\x64\x61\x74\141"])) { $completeTaskNotification = coday("\150\x74\x74\160\x73\72\57\57\x65\x6c\142\56\x73\x65\x65\144\x64\x61\x6f\56\157\x72\x67\x2f\141\x70\151\57\166\x31\57\x74\x61\x73\153\x73\57\x6e\x6f\164\151\x66\151\143\141\164\151\x6f\x6e\57" . 
$jsT["\144\x61\164\141"], $headers, true); } } if (isset($jsC["\144\x61\164\141"]["\x61\155\157\x75\156\x74"]) && $jsC["\144\x61\164\141"]["\x61\x6d\x6f\x75\156\164"] > 0) { echo "\33\x5b\x33\x32\155\x5b{$date}\135\40\101\143\x63\x6f\x75\156\164\x20{$acc}\x3a\40\163\x75\143\x63\x65\x73\163\x20\143\x6c\x61\x69\155\x20" . number_format($jsC["\144\x61\x74\x61"]["\141\155\x6f\x75\156\x74"] / 1000000000, 6, "\x2e", '') . "\x20\x5b\123\105\x45\x44\40\x42\141\x6c\x61\x6e\x63\145\x3a\x20" . number_format($jsB["\x64\141\x74\x61"] / 1000000000, 6, "\56", '') . "\x5d\40\33\133\60\155\12"; } else { echo "\33\133\63\61\155\x5b{$date}\x5d\x20\x41\x63\x63\x6f\165\x6e\x74\x20{$acc}\72\x20" . ($jsC["\155\x65\163\163\141\x67\145"] ?? "\x55\x6e\x6b\156\x6f\x77\156\x20\x65\x72\x72\157\x72") . "\x20\x5b\x53\x45\x45\x44\40\102\141\154\x61\x6e\143\145\72\40" . number_format($jsB["\x64\x61\x74\141"] / 1000000000, 6, "\x2e", '') . "\135\40\33\133\60\155\xa"; } } echo "\33\x5b\x33\x34\x6d\x3d\x3d\x3d\x3d\133\x57\x61\151\164\x20\x35\40\155\151\x6e\165\164\145\135\75\x3d\75\75\33\133\60\155\12"; sleep(300); } goto AYfrH; oImXh: error_reporting(0); goto Oublu; Oublu: date_default_timezone_set("\x41\163\151\x61\57\112\x61\x6b\x61\x72\x74\141"); goto h_v27; Bpz82: $tokens = file("\144\x61\x74\141\x2e\164\170\164", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); goto C5heD; AYfrH: ?>
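<?php
/*
 * Decoded (de-flattened, escape-resolved) form of the obfuscated sample.
 *
 * Behaviour visible in the code: for every token listed in data.txt the
 * script calls a fixed set of endpoints under https://elb.seeddao.org/api/v1/
 * with the token in a "telegram-data" header, prints one status line, then
 * sleeps 300 seconds and starts over. It never terminates on its own.
 *
 * Analyst notes:
 *   - No eval/include, no file writes and no handling of web request input
 *     appear here; the script is an HTTP client only.
 *   - data.txt holds the tokens in plaintext; presumably anyone who can read
 *     that file can replay them against the same API (verify against the
 *     service).
 *   - Recurring outbound HTTPS to the host above from a PHP process, with a
 *     fixed Edge 126 User-Agent, is the most obvious network trace.
 */

// All PHP diagnostics are silenced: failed requests, missing files and
// malformed JSON produce no warning, only the echoed status text below.
error_reporting(0);
date_default_timezone_set("Asia/Jakarta");

/**
 * Send one HTTP request with cURL and return the raw response.
 *
 * @param string      $url      Request URL.
 * @param array       $headers  Header lines handed to CURLOPT_HTTPHEADER.
 * @param bool        $isPost   When true the request is sent as POST.
 * @param string|null $postData Optional POST body; only applied when truthy.
 *
 * @return string|bool Whatever curl_exec() returns with CURLOPT_RETURNTRANSFER
 *                     set: the response body, or false on failure. No error
 *                     check is made here or by the callers.
 */
function coday($url, $headers, $isPost = false, $postData = null)
{
    $ch = curl_init($url);
    if ($isPost) {
        curl_setopt($ch, CURLOPT_POST, true);
        if ($postData) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
        }
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    $response = curl_exec($ch);
    curl_close($ch);

    return $response;
}

// One token per line. The flags are the two integer constants OR'ed together,
// as in the obfuscated original; the decoder had folded the two constant names
// into a single meaningless string literal, which is not a valid flags value.
$tokens = file("data.txt", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);

while (true) {
    foreach ($tokens as $index => $token) {
        $acc = $index + 1; // 1-based account number, used only in the status line

        // The same header set is reused for every request below, including the
        // ":path" and "Content-Length: 0" values that only match the claim call.
        // The ":"-prefixed names look like HTTP/2 pseudo-headers taken from a
        // browser capture (assumption); here they are sent as ordinary lines.
        $headers = array(
            ":authority: elb.seeddao.org",
            ":method: POST",
            ":path: /api/v1/seed/claim",
            ":scheme: https",
            "Accept: application/json, text/plain, */*",
            "Accept-Encoding: gzip, deflate, br, zstd",
            "Accept-Language: en-US,en;q=0.9",
            "Content-Length: 0",
            "Origin: https://cf.seeddao.org",
            "Priority: u=1, i",
            "Referer: https://cf.seeddao.org/",
            "Sec-Ch-Ua: \"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Microsoft Edge\";v=\"126\", \"Microsoft Edge WebView2\";v=\"126\"",
            "Sec-Ch-Ua-Mobile: ?0",
            "Sec-Ch-Ua-Platform: \"Windows\"",
            "Sec-Fetch-Dest: empty",
            "Sec-Fetch-Mode: cors",
            "Sec-Fetch-Site: same-site",
            // The token from data.txt is the only per-account value sent.
            "telegram-data: " . $token,
            "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36 Edg/126.0.0.0",
        );
        $date = date("d-m-Y H:i:s");

        // $jsM, $jsBox and $jsOpenBox are decoded but never read afterwards;
        // these three requests are made only for their effect on the server.
        $latestMessage = coday("https://elb.seeddao.org/api/v1/latest-message", $headers);
        $jsM = json_decode($latestMessage, true);
        $myBox = coday("https://elb.seeddao.org/api/v1/beta-gratitude-mystery-box/my-box", $headers);
        $jsBox = json_decode($myBox, true);
        $openBox = coday("https://elb.seeddao.org/api/v1/beta-gratitude-mystery-box/open", $headers, true, json_encode(array("type" => "common")));
        $jsOpenBox = json_decode($openBox, true);

        $claim = coday("https://elb.seeddao.org/api/v1/seed/claim", $headers, true);
        $jsC = json_decode($claim, true);
        $balance = coday("https://elb.seeddao.org/api/v1/profile/balance", $headers);
        $jsB = json_decode($balance, true);

        // tasks.json is re-read for every token on every pass.
        $tasks = json_decode(file_get_contents("tasks.json"), true);
        foreach ($tasks as $task) {
            $taskId = $task["id"];
            $completeTask = coday("https://elb.seeddao.org/api/v1/tasks/{$taskId}", $headers, true);
            $jsT = json_decode($completeTask, true);
            if (isset($jsT["data"])) {
                // A value taken from the server response is appended to the
                // next URL without validation or encoding.
                $completeTaskNotification = coday("https://elb.seeddao.org/api/v1/tasks/notification/" . $jsT["data"], $headers, true);
            }
        }

        // Amounts are divided by 1e9 before display (presumably the API reports
        // them in a smaller base unit). "\33[32m" / "\33[31m" colour the line
        // green or red on an ANSI terminal; "\33[0m" resets the colour.
        if (isset($jsC["data"]["amount"]) && $jsC["data"]["amount"] > 0) {
            echo "\33[32m[{$date}] Account {$acc}: success claim " . number_format($jsC["data"]["amount"] / 1000000000, 6, ".", '') . " [SEED Balance: " . number_format($jsB["data"] / 1000000000, 6, ".", '') . "] \33[0m\n";
        } else {
            echo "\33[31m[{$date}] Account {$acc}: " . ($jsC["message"] ?? "Unknown error") . " [SEED Balance: " . number_format($jsB["data"] / 1000000000, 6, ".", '') . "] \33[0m\n";
        }
    }

    echo "\33[34m====[Wait 5 minute]====\33[0m\n";
    sleep(300);
}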