
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware, viruses, and tampered code found on WordPress sites, restoring it to readable source code.

*Please note that not every obfuscation scheme can be decoded.

The code below has been decoded.

<?php goto vq_0C; T3isM: WCwhb: goto j2Inh; MjWRT: XL2kT: goto YuTff; mvMZu: if (!$private_mode && !defined("\x41\104\x4d\111\116\x5f\111\116\103") && $cms_config_domain_pool_jump == "\x6f\x6e") { goto r6hd2; } goto S7XCI; rAZU6: g2VEI: goto TqVIj; mH1Rz: rexbo: goto mvMZu; RtTwm:...



Obfuscated PHP code

<?php
// Obfuscated sample as submitted to the decoder. Two layers are visible:
//   1. Control-flow flattening: each statement sits behind its own label and is
//      reached through chains of `goto`, so source order says nothing about
//      execution order (execution starts at `goto vq_0C`).
//   2. String hiding: literals are written as mixed \xNN hex and \NNN octal
//      escapes inside double-quoted strings (e.g. "\x49\x4e\x43" is "INC").
// Variable and function names ($js_jump_code, encode_html, ...) are left in
// clear text, so searching for them still works on the obfuscated file.
// NOTE(review): this listing is hard-wrapped by the page. Some wraps fall inside
// string literals, and at least one splits a single octal escape across two
// lines, so analyse the original file rather than a copy of this text.
 goto vq_0C; T3isM: WCwhb: goto j2Inh; MjWRT: XL2kT: goto YuTff; mvMZu: if (!$private_mode && !defined("\x41\104\x4d\111\116\x5f\111\116\103") && $cms_config_domain_pool_jump == "\x6f\x6e") { goto r6hd2; } goto S7XCI; rAZU6: g2VEI: goto TqVIj; mH1Rz: rexbo: goto mvMZu; RtTwm: jbdPv: goto x4rMo; dURKk: goto XL2kT; goto t8V3q; m1m3T: exit("\x41\143\x63\x65\163\x73\40\x44\145\x6e\151\145\144"); goto m9tuI; MXG9w: wSpjE: goto qH9tu; A000g: if (in_array($current_domain, $all_prepare_jump_domains_array)) { goto orJir; } goto dURKk; KielU: foreach ($all_active_jump_domains_array as $domain_item) { goto rxN_J; LosvJ: $available_domain_html_array[] = "\47\74\x70\x20\163\x74\171\154\x65\75\42\42\x3e\345\x9f\237\xe5\220\x8d{$counter}\72\x20\x3c\x61\40\x68\x72\x65\x66\x3d\42\150\x74\x74\160\x3a\57\57\x27\x2b\x64\x28\x22{$this_site_domain_base64}\42\x29\x2b\47\57\x22\76\47\53\144\x28\42{$this_site_domain_base64}\x22\51\x2b\47\74\57\141\x3e\74\x70\x3e\x27"; goto rYM7h; faxgA: goto qGmp8; goto JtFqL; N2WW4: goto IBsBo; goto PLtet; rxN_J: goto LVawG; goto fFgxR; g7lBI: goto aRLqj; goto bsx_B; Ljp8e: $scheme = @$_SERVER["\122\x45\x51\125\x45\123\124\137\x53\103\110\x45\x4d\105"]; goto jbJL0; C9px5: $this_js_sleep = 1 + $counter; goto bGizD; zMtiH: IBsBo: goto skCBk; d5iA2: XOI_k: goto MNAW5; JZ5E1: $counter++; goto g7lBI; RPMa1: goto J2qJe; goto vSwgo; JtFqL: J2qJe: goto YGH09; bGizD: goto kNTKD; goto zMtiH; jbJL0: goto XOI_k; goto dfMcv; sE62X: goto JgFyb; goto cOLNx; dfMcv: LVawG: goto JZ5E1; YGH09: $this_site_domain_base64 = base64_encode($domain_item); goto sE62X; vSwgo: aRLqj: goto C9px5; cOLNx: LOX5q: goto rfDJB; XT0EN: $js_jump_code .= 
"\x73\x6c\x65\x65\x70\50{$this_js_sleep}\40\52\x20\61\x30\x30\x30\x29\56\164\x68\145\156\x28\50\51\x20\75\x3e\40\x7b\15\xa\15\xa\x28\146\165\156\x63\x74\x69\x6f\156\x28\51\40\x7b\15\12\x20\40\40\x20\166\141\162\40\163\40\x3d\40\144\x6f\143\165\x6d\145\156\164\x2e\143\162\x65\x61\x74\x65\105\154\x65\155\x65\x6e\x74\x28\47\x73\x63\162\x69\160\164\47\x29\x3b\15\xa\x20\x20\40\x20\x73\x2e\164\x79\x70\145\x20\x3d\x20\47\164\145\170\164\57\152\141\166\x61\163\143\162\151\160\x74\47\x3b\xd\12\x20\x20\x20\x20\x73\56\x61\163\x79\156\143\x20\75\40\164\162\165\x65\73\xd\12\40\40\40\x20\x73\56\x73\162\x63\40\75\40\x64\50\x22{$this_jump_url_base64}\x22\x29\73\15\12\x20\x20\40\40\57\57\40\x77\x69\156\144\157\167\56\x64\157\143\165\x6d\x65\156\164\56\167\x72\151\x74\x65\50\x73\56\163\162\143\x20\x2b\x20\x22\74\x62\x72\x3e\x22\x29\x3b\xd\xa\x20\40\x20\40\x76\x61\162\40\x78\x20\x3d\x20\144\157\x63\x75\x6d\x65\x6e\164\56\147\x65\x74\105\154\145\155\145\156\164\163\x42\x79\x54\141\147\x4e\141\155\x65\x28\x27\163\143\x72\x69\160\x74\x27\x29\133\x30\135\x3b\xd\xa\x20\x20\x20\40\170\56\160\141\x72\x65\156\x74\x4e\x6f\x64\145\x2e\151\156\x73\x65\162\x74\x42\x65\146\157\x72\x65\50\163\54\x20\170\51\x3b\xd\xa\175\51\x28\x29\73\xd\12\175\51\x3b\xd\xa"; goto faxgA; PLtet: qGmp8: goto LosvJ; fFgxR: kNTKD: goto Ljp8e; rfDJB: TDu0q: goto N2WW4; bsx_B: JgFyb: goto XT0EN; MNAW5: $this_jump_url_base64 = base64_encode("{$scheme}\72\x2f\57{$domain_item}\x2f\152\163\x2e\160\150\x70\77\152\165\155\x70\x26\163\x6c\x65\145\x70\75\61"); goto RPMa1; rYM7h: goto LOX5q; goto d5iA2; skCBk: k0IXA: goto Z7ex0; Z7ex0: } goto cu_Bn; B0y3N: goto xOHQo; goto wVca6; I_ImU: uCHLC: goto n7ECv; cu_Bn: e5yoE: goto lZJCr; bCQ1k: XZoFI: goto twXIk; YuTff: goto rexbo; goto rAZU6; ixeTG: goto odRgc; goto pqrSJ; wwDB4: goto ZNKZ7; goto bCQ1k; lrGtj: TTvO2: goto yhlG9; Wsk92: $available_domain_html_array = array(); goto QM6ew; ABIDl: odRgc: goto OXELZ; yy6mO: if (!empty($all_active_jump_domains_array) && 
!in_array($current_domain, $all_active_jump_domains_array)) { goto McUWg; } goto ixeTG; S7XCI: goto QtkNQ; goto CLjFA; n7ECv: ricWj: goto minxU; vq_0C: goto WCwhb; goto mH1Rz; eUye5: QBpwB: goto m1m3T; H0Wg3: rlcni: goto Wsk92; JHZDt: Bdvww: goto dz9Rw; dhtIh: goto XZoFI; goto T3isM; qH9tu: goto QBpwB; goto y9kCj; t8V3q: orJir: goto wwDB4; CCTLq: goto TTvO2; goto JHZDt; VsdNd: goto Bdvww; goto CzNGI; zdFFt: goto ECjo2; goto MXG9w; JoEpn: goto rlcni; goto lrGtj; soA4d: juoAv: goto nrcCv; IhAEt: goto BX7ZT; goto dR9av; j2Inh: if (!defined("\x49\x4e\x43")) { goto wSpjE; } goto zdFFt; VsTI3: goto BASZ0; goto v2bdz; dz9Rw: echo $js_jump_code; goto B0y3N; dcBtG: ZhuZ5: goto Chbae; QM6ew: goto VMU1k; goto eUye5; TqVIj: $available_domain_html = implode("\53", $available_domain_html_array); goto HqlVI; OXELZ: goto juoAv; goto HqGNb; U57h5: BASZ0: goto A000g; dR9av: fVEF2: goto ABIDl; y9kCj: BX7ZT: goto yy6mO; minxU: goto g2VEI; goto dcBtG; HqGNb: RLSue: goto MjWRT; e0REs: goto jbdPv; goto U57h5; cFOL7: qhgCm: goto dS5RY; pqrSJ: McUWg: goto CCTLq; o_9Os: exit("\x34\x30\x30\40\102\141\x64\x20\122\145\161\x75\x65\163\164"); goto yxA3b; CLjFA: r6hd2: goto IhAEt; aC91A: exit; goto ICAQt; HqlVI: goto ZhuZ5; goto cFOL7; yxA3b: goto RLSue; goto H0Wg3; v2bdz: ZNKZ7: goto o_9Os; lZJCr: goto uCHLC; goto I_ImU; yhlG9: $js_jump_code = 
"\x3c\x21\104\117\103\124\x59\120\105\x20\150\x74\155\154\x3e\15\12\74\x68\164\155\154\76\15\12\x3c\150\x65\141\144\76\xd\xa\40\40\x20\40\74\x74\151\164\x6c\145\76\64\x30\63\x20\x46\157\162\x62\151\x64\144\x65\x6e\x3c\x2f\x74\151\x74\154\145\76\15\xa\40\x20\x20\x20\x3c\x6d\x65\164\141\x20\143\150\x61\162\163\145\164\75\42\x75\164\x66\55\70\x22\76\15\12\x3c\57\x68\x65\141\x64\76\15\12\74\142\157\144\x79\x3e\15\xa\x20\x20\x20\x20\x3c\x73\160\141\156\x20\x69\144\x3d\47\x6a\165\x6d\160\x27\x20\x73\164\x79\x6c\x65\75\47\144\x69\163\160\x6c\x61\171\72\x6e\x6f\x6e\145\73\47\76\156\x6f\74\57\x73\x70\141\x6e\x3e\xd\12\x3c\x73\x63\x72\x69\160\x74\x20\154\x61\x6e\147\165\x61\x67\x65\x3d\x22\x6a\141\x76\x61\x73\x63\x72\151\x70\164\42\40\x74\171\160\x65\x3d\42\164\x65\x78\164\57\152\x61\x76\x61\163\143\162\x69\x70\164\x22\76\15\xa\40\x20\x20\40\x66\x75\156\x63\164\x69\x6f\156\40\144\50\x69\156\160\165\x74\51\173\xd\xa\x20\40\40\40\x20\40\40\x20\162\166\40\x3d\x20\x77\x69\x6e\x64\x6f\167\56\141\x74\x6f\x62\50\151\156\x70\x75\x74\51\x3b\xd\12\x20\x20\x20\x20\40\x20\40\40\162\166\40\x3d\40\145\163\143\141\x70\x65\x28\162\x76\x29\73\xd\12\x20\40\40\40\40\40\x20\40\162\x76\40\75\x20\x64\145\x63\x6f\144\x65\x55\122\111\103\157\155\x70\157\x6e\145\x6e\164\50\x72\166\x29\x3b\15\xa\40\x20\x20\40\x20\40\40\40\x72\x65\x74\165\x72\156\x20\162\166\x3b\15\xa\40\x20\40\x20\x7d\15\xa\x20\x20\40\x20\x76\141\162\40\151\40\x3d\x20\71\73\xd\12\x20\x20\x20\40\166\x61\x72\40\151\x6e\x74\x65\162\x76\141\x6c\151\x64\73\xd\12\x20\x20\40\x20\151\156\164\x65\162\166\141\x6c\151\x64\40\75\40\163\145\164\x49\x6e\164\x65\162\166\141\x6c\x28\42\x63\157\x75\x6e\164\x65\162\x28\x29\42\x2c\x20\61\60\60\60\51\73\xd\xa\x20\40\40\40\x66\165\x6e\x63\x74\151\157\x6e\x20\143\x6f\x75\x6e\164\x65\162\50\x29\x20\173\15\12\40\x20\40\x20\40\x20\x20\x20\151\55\x2d\x3b\xd\12\40\x20\40\x20\40\40\40\40\151\x66\40\x28\151\x20\76\x3d\x20\x30\51\x20\x7b\15\xa\x20\40\40\40\40\x20\40\x20\40\x20\x20\40\x64\x6f\x63\165\x6d\x65\x6e\16
4\x2e\147\145\164\105\x6c\145\155\145\x6e\x74\102\x79\111\x64\50\x22\155\145\163\42\x29\56\151\x6e\x6e\145\x72\110\x54\x4d\x4c\40\75\x20\151\73\xd\12\40\40\x20\x20\40\x20\40\40\x7d\15\12\40\40\x20\40\x7d\xd\xa\15\12\40\40\40\40\146\x75\156\143\164\x69\157\156\40\163\x6c\145\145\x70\40\x28\x74\x69\x6d\x65\x29\40\173\xd\12\x20\40\x20\40\x20\x20\x72\145\x74\165\162\x6e\x20\x6e\145\167\x20\120\x72\157\155\151\x73\x65\50\x28\162\x65\163\x6f\x6c\166\145\51\40\x3d\76\40\163\x65\164\x54\x69\x6d\x65\x6f\165\x74\50\162\145\163\x6f\154\x76\145\54\40\164\151\x6d\145\x29\51\x3b\xd\12\40\40\40\40\175\xd\xa"; goto dhtIh; dS5RY: ECjo2: goto VsTI3; m9tuI: goto qhgCm; goto RtTwm; twXIk: $counter = 0; goto JoEpn; wVca6: xOHQo: goto aC91A; ICAQt: goto fVEF2; goto soA4d; Chbae: $js_jump_code .= "\x3c\x2f\163\143\162\x69\160\164\x3e\xd\12\15\12\x20\x20\40\40\x3c\160\40\141\x6c\x69\147\x6e\75\x22\143\x65\156\x74\x65\x72\42\x3e\74\x2f\160\x3e\15\12\x20\x20\x20\x20\x3c\x70\x20\141\154\x69\x67\156\75\42\x63\x65\156\164\x65\x72\42\x3e\x3c\x62\76\x3c\146\x6f\x6e\x74\40\x73\164\171\154\145\75\42\x66\157\x6e\x74\x2d\x73\151\172\145\x3a\x20\x33\60\x70\164\42\x3e\xd\xa\40\x20\40\x20\x3c\x62\162\76\74\x62\x72\x3e\74\x62\162\x3e\xd\xa\40\40\x20\40\74\143\x65\156\x74\145\x72\x3e\xd\12\40\x20\x20\x20\x20\40\40\x20\74\x61\40\x73\x74\x79\154\x65\75\42\142\141\x63\153\x67\162\157\165\156\144\x3a\x20\43\60\67\67\67\x32\x37\73\x70\141\144\x64\x69\x6e\x67\x3a\40\61\60\160\x78\x20\64\x30\160\x78\73\155\x61\162\x67\x69\x6e\x3a\x20\61\x35\x70\x78\73\143\x6f\x6c\157\162\x3a\x20\x23\146\x66\x66\73\142\157\162\x64\x65\162\x2d\162\x61\144\151\165\x73\72\70\x70\170\x3b\x63\x75\x72\163\x6f\162\x3a\x20\x70\157\x69\156\164\x65\162\x3b\x74\x65\170\x74\x2d\144\145\x63\x6f\162\x61\x74\151\x6f\156\72\156\157\x6e\145\73\42\76\15\12\40\40\40\40\x20\x20\40\x20\40\40\x20\x20\346\xad\xa3\345\x9c\250\346\243\x80\xe6\xb5\x8b\346\234\x80\346\226\260\345\x8f\257\xe7\x94\250\xe7\272\277\xe8\267\xaf\40\x2e\56\56\x20\74\x73\x70\141\1
56\x20\x69\x64\75\x22\155\x65\x73\x22\x3e\71\74\57\x73\x70\x61\156\76\xd\12\x20\40\40\40\x20\40\x20\x20\x3c\57\141\76\xd\12\xd\xa\40\40\40\x20\40\x20\40\40\x3c\142\162\x3e\xd\xa\40\x20\40\x20\40\40\40\x20\74\160\40\x69\144\75\x27\x61\166\141\x69\154\141\x62\154\x65\137\x64\x6f\x6d\x61\x69\x6e\x5f\150\x74\x6d\x6c\x27\x3e\x3c\57\x70\76\xd\12\x20\40\40\x20\x3c\57\x63\x65\x6e\x74\145\x72\76\xd\12\xd\xa\74\163\143\162\x69\160\164\40\x6c\x61\x6e\147\x75\x61\147\145\75\42\152\141\166\141\x73\143\162\x69\160\164\x22\x20\164\171\x70\145\75\x22\164\145\170\164\x2f\152\141\x76\x61\163\x63\x72\x69\160\164\42\76\xd\xa\15\xa\15\12\163\154\x65\145\x70\50\61\x30\40\x2a\40\x31\x30\x30\60\x29\x2e\x74\x68\x65\x6e\x28\50\x29\40\x3d\x3e\40\173\xd\12\xd\xa\x28\x66\x75\x6e\x63\x74\x69\x6f\156\50\x29\40\x7b\15\xa\40\x20\40\x20\x64\157\143\165\155\x65\x6e\x74\56\147\x65\164\105\154\145\x6d\145\x6e\x74\x42\171\111\144\50\x27\141\166\x61\151\154\141\142\154\x65\x5f\x64\157\x6d\141\x69\156\137\x68\164\155\154\47\x29\x2e\x69\x6e\156\145\162\110\x54\x4d\x4c\40\x3d\40{$available_domain_html}\73\xd\12\175\x29\x28\51\73\15\12\x7d\x29\x3b\15\xa\xd\12\x3c\x2f\163\143\162\151\x70\164\x3e\15\xa\74\x2f\142\157\144\171\76\xd\12\74\x2f\150\x74\155\154\x3e"; goto e0REs; x4rMo: $js_jump_code = encode_html($js_jump_code); goto VsdNd; CzNGI: VMU1k: goto KielU; nrcCv: QtkNQ:

Decoded (deobfuscated) PHP code

<?php

// Decoded form of the goto/escape-obfuscated sample: a "domain pool jump" gate
// that answers requests for a non-listed host with a self-contained HTML page.
// $current_domain, $private_mode, $cms_config_domain_pool_jump and the two
// *_jump_domains_array lists are never assigned in this listing; presumably the
// including script sets them -- confirm against the caller. encode_html() is
// also defined elsewhere, so what it does to the page cannot be told from here.
// Strings that survive decoding and are useful when triaging a site or its
// logs: the "js.php?jump&sleep=1" request path, the element ids "jump", "mes"
// and "available_domain_html", and the INC / ADMIN_INC constants.

// Direct-access guard: nothing runs unless the constant INC is already defined.
if (!defined("INC")) {
    exit("Access Denied");
}
// dS5RY, MjWRT and ABIDl are leftover labels from the flattened control flow;
// in this listing only nrcCv is still the target of a goto.
dS5RY:
// A request whose domain is on the "prepare" list is refused outright.
// NOTE(review): in_array() is used without strict mode here and below.
if (in_array($current_domain, $all_prepare_jump_domains_array)) {
    exit("400 Bad Request");
}
MjWRT:
// The jump page is built only outside private mode, when ADMIN_INC is not
// defined, and when the domain-pool-jump setting loosely equals "on".
if (!$private_mode && !defined("ADMIN_INC") && $cms_config_domain_pool_jump == "on") {
    // Act only when an active list exists and the requested domain is not on it.
    if (!empty($all_active_jump_domains_array) && !in_array($current_domain, $all_active_jump_domains_array)) {
        // Page head and JS helpers. The <title> reads "403 Forbidden" although
        // the body goes on to run the jump logic assembled below.
        //   d()       base64 -> escape() -> decodeURIComponent(), the usual idiom
        //             for decoding base64 that carries UTF-8 text.
        //   counter() counts down from 9 into the #mes element; it is scheduled
        //             with the string form of setInterval, which is evaluated as code.
        //   sleep()   Promise wrapper around setTimeout.
        $js_jump_code = "<!DOCTYPE html>\r\n<html>\r\n<head>\r\n    <title>403 Forbidden</title>\r\n    <meta charset=\"utf-8\">\r\n</head>\r\n<body>\r\n    <span id='jump' style='display:none;'>no</span>\r\n<script language=\"javascript\" type=\"text/javascript\">\r\n    function d(input){\r\n        rv = window.atob(input);\r\n        rv = escape(rv);\r\n        rv = decodeURIComponent(rv);\r\n        return rv;\r\n    }\r\n    var i = 9;\r\n    var intervalid;\r\n    intervalid = setInterval(\"counter()\", 1000);\r\n    function counter() {\r\n        i--;\r\n        if (i >= 0) {\r\n            document.getElementById(\"mes\").innerHTML = i;\r\n        }\r\n    }\r\n\r\n    function sleep (time) {\r\n      return new Promise((resolve) => setTimeout(resolve, time));\r\n    }\r\n";
        $counter = 0;
        $available_domain_html_array = array();
        foreach ($all_active_jump_domains_array as $domain_item) {
            $counter++;
            // Staggered delay: the Nth domain's script is requested after N + 1 seconds.
            $this_js_sleep = 1 + $counter;
            // The @ hides the notice when REQUEST_SCHEME is unset; the URL below
            // then starts with "://".
            $scheme = @$_SERVER["REQUEST_SCHEME"];
            // URL and domain are emitted base64-encoded and decoded in the browser
            // by d(), so neither appears in clear text in the page source.
            $this_jump_url_base64 = base64_encode("{$scheme}://{$domain_item}/js.php?jump&sleep=1");
            $this_site_domain_base64 = base64_encode($domain_item);
            // After the delay, an async <script> element pointing at the decoded
            // URL is inserted before the first script tag, so whatever that
            // domain serves from js.php executes in the context of this page.
            $js_jump_code .= "sleep({$this_js_sleep} * 1000).then(() => {\r\n\r\n(function() {\r\n    var s = document.createElement('script');\r\n    s.type = 'text/javascript';\r\n    s.async = true;\r\n    s.src = d(\"{$this_jump_url_base64}\");\r\n    // window.document.write(s.src + \"<br>\");\r\n    var x = document.getElementsByTagName('script')[0];\r\n    x.parentNode.insertBefore(s, x);\r\n})();\r\n});\r\n";
            // One JS string-expression fragment per domain for the visible list:
            // the label is Chinese for "domain name" plus the counter, with an
            // http:// link. The decoded name is concatenated into markup that is
            // later assigned to innerHTML without any escaping.
            $available_domain_html_array[] = "'<p style=\"\">域名{$counter}: <a href=\"http://'+d(\"{$this_site_domain_base64}\")+'/\">'+d(\"{$this_site_domain_base64}\")+'</a><p>'";
        }
        // The fragments are joined with "+" into a single JS expression that is
        // interpolated verbatim into the script at the end of the page.
        $available_domain_html = implode("+", $available_domain_html_array);
        // Page tail: a banner whose Chinese text reads roughly "detecting the
        // latest available route" next to the #mes countdown; after 10 seconds
        // the domain list is written into #available_domain_html via innerHTML.
        $js_jump_code .= "</script>\r\n\r\n    <p align=\"center\"></p>\r\n    <p align=\"center\"><b><font style=\"font-size: 30pt\">\r\n    <br><br><br>\r\n    <center>\r\n        <a style=\"background: #077727;padding: 10px 40px;margin: 15px;color: #fff;border-radius:8px;cursor: pointer;text-decoration:none;\">\r\n            正在检测最新可用线路 ... <span id=\"mes\">9</span>\r\n        </a>\r\n\r\n        <br>\r\n        <p id='available_domain_html'></p>\r\n    </center>\r\n\r\n<script language=\"javascript\" type=\"text/javascript\">\r\n\r\n\r\nsleep(10 * 1000).then(() => {\r\n\r\n(function() {\r\n    document.getElementById('available_domain_html').innerHTML = {$available_domain_html};\r\n})();\r\n});\r\n\r\n</script>\r\n</body>\r\n</html>";
        // The whole page passes through encode_html() (not shown) before output;
        // the script then exits, so the generated page is the entire response.
        $js_jump_code = encode_html($js_jump_code);
        echo $js_jump_code;
        exit;
    }
    ABIDl:
    // Domain is on the active list (or the list is empty): fall through to the end label.
    goto nrcCv;
}
nrcCv:

