Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php /** * * @ This file is created by http://DeZender.Net * @ deZender (PHP7 Decoder for ionCube Encoder) * * @ Version : 4.1.0.1 * @ Author : DeZender * @ Release on : 29.08.2020 * @ Official site : http://DeZender.Net * */ function D89A8E3901025Ca6($fa2807b514bf8d02) { goto label7; label2: go...



Obfuscated php code

<?php
/**
*
* @ This file is created by http://DeZender.Net
* @ deZender (PHP7 Decoder for ionCube Encoder)
*
* @ Version			:	4.1.0.1
* @ Author			:	DeZender
* @ Release on		:	29.08.2020
* @ Official site	:	http://DeZender.Net
*
*/

function D89A8E3901025Ca6($fa2807b514bf8d02)
{
	goto label7;

	label2:

	goto label106;

	label3:

	fclose($e1644d67f855686d);

	label6:

	goto label124;

	label7:

	global $Fee0d5a474c96306;
	$C265da002f0a4a8f = [];
	$A6d7047f2fda966c = '';

	if (!file_exists($fa2807b514bf8d02)) {
		goto label6;
	}

	$e1644d67f855686d = fopen($fa2807b514bf8d02, 'r');
	goto label106;

	label22:

	goto label106;

	label23:

	$Ff014d0ebd314fcd = array_map([$Fee0d5a474c96306, 'escape'], $Ff014d0ebd314fcd);
	$A6d7047f2fda966c .= '(' . SERVER_ID . (',' . $Ff014d0ebd314fcd['type'] . ',' . $Ff014d0ebd314fcd['message'] . ',' . $Ff014d0ebd314fcd['extra'] . ',' . $Ff014d0ebd314fcd['line'] . ',' . $Ff014d0ebd314fcd['time'] . ',\'' . $E03b230fd4532f5e . '\'),');
	$C265da002f0a4a8f[] = $E03b230fd4532f5e;
	goto label2;

	label55:

	$Ff014d0ebd314fcd = json_decode(base64_decode($Ff014d0ebd314fcd), true);
	$E03b230fd4532f5e = md5($Ff014d0ebd314fcd['type'] . $Ff014d0ebd314fcd['message'] . $Ff014d0ebd314fcd['extra'] . $Ff014d0ebd314fcd['line']);

	if (in_array($E03b230fd4532f5e, $C265da002f0a4a8f)) {
		goto label2;
	}
	if (!((stripos($Ff014d0ebd314fcd['message'], 'server has gone away') !== false) && (stripos($Ff014d0ebd314fcd['message'], 'socket error on read socket') !== false) && (stripos($Ff014d0ebd314fcd['message'], 'connection lost') !== false))) {
		goto label23;
	}

	goto label22;

	label106:

	if (feof($e1644d67f855686d)) {
		goto label3;
	}

	$Ff014d0ebd314fcd = trim(fgets($e1644d67f855686d));

	if (!empty($Ff014d0ebd314fcd)) {
		goto label55;
	}

	goto label3;
	goto label55;

	label124:

	return $A6d7047f2fda966c;
	goto label126;

	label126:
}

function d4C3Fc66E7083138($F13a1637258a969b, $af276cda00cb8623)
{
	foreach ($F13a1637258a969b as $Dd89cee9be13a3d0) {
		if (!stristr($af276cda00cb8623, $Dd89cee9be13a3d0)) {
			goto label14;
		}

		return true;

		label14:
	}

	return false;
}

function BfCDC975533C45a8()
{
	goto label1;

	label1:

	global $Daee1f49d69c1428;
	global $Fee0d5a474c96306;
	$A6d7047f2fda966c = '';

	foreach ([STREAMS_PATH] as $Bc16cc77a681d1ed) {
		goto label10;

		label10:

		if (!($a8f3762d489787d6 = opendir($Bc16cc77a681d1ed))) {
			goto label48;
		}

		label18:

		if (!(false !== $Ea5af1151cd81ae2 = readdir($a8f3762d489787d6))) {
			goto label55;
		}
		if (!(($Ea5af1151cd81ae2 != '.') && ($Ea5af1151cd81ae2 != '..') && is_file($Bc16cc77a681d1ed . $Ea5af1151cd81ae2))) {
			goto label53;
		}

		$e2f848a82a80c113 = $Bc16cc77a681d1ed . $Ea5af1151cd81ae2;
		goto label57;

		label45:

		closedir($a8f3762d489787d6);

		label48:

		goto label132;

		label50:

		unlink($e2f848a82a80c113);

		label53:

		goto label18;

		label55:

		goto label45;

		label57:

		list($F26087d31c2bbe4d, $F9452a7efafa1aba) = explode('.', $Ea5af1151cd81ae2);

		if (!($F9452a7efafa1aba == 'errors')) {
			goto label53;
		}

		$Db09f9628b0daff0 = array_values(array_unique(array_map('trim', explode("\n", file_get_contents($e2f848a82a80c113)))));

		foreach ($Db09f9628b0daff0 as $D370fc32f973c6ca) {
			if (!(empty($D370fc32f973c6ca) || d4c3fc66e7083138($Daee1f49d69c1428, $D370fc32f973c6ca))) {
				goto label106;
			}

			goto label128;

			label106:

			if (!XUI::$rSettings['stream_logs_save']) {
				goto label128;
			}

			$A6d7047f2fda966c .= '(' . $F26087d31c2bbe4d . ',' . SERVER_ID . ',' . time() . ',' . $Fee0d5a474c96306->escape($D370fc32f973c6ca) . '),';

			label128:
		}

		goto label50;

		label132:
	}
	if (!(XUI::$rSettings['stream_logs_save'] && !empty($A6d7047f2fda966c))) {
		goto label173;
	}

	goto label162;

	label144:

	$A6d7047f2fda966c = rtrim(d89a8e3901025ca6($fa2807b514bf8d02), ',');
	$Fee0d5a474c96306->query('INSERT IGNORE INTO `panel_logs` (`server_id`,`type`,`log_message`,`log_extra`,`line`,`date`,`unique`) VALUES ' . $A6d7047f2fda966c . ';');
	unlink($fa2807b514bf8d02);

	label161:

	goto label183;

	label162:

	$A6d7047f2fda966c = rtrim($A6d7047f2fda966c, ',');
	$Fee0d5a474c96306->query('INSERT INTO `streams_errors` (`stream_id`,`server_id`,`date`,`error`) VALUES ' . $A6d7047f2fda966c . ';');

	label173:

	$fa2807b514bf8d02 = LOGS_TMP_PATH . 'error_log.log';

	if (!file_exists($fa2807b514bf8d02)) {
		goto label161;
	}

	goto label144;

	label183:
}

function shutdown()
{
	global $Fee0d5a474c96306;
	global $E18c40e895ee55c2;

	if (!is_object($Fee0d5a474c96306)) {
		goto label10;
	}

	$Fee0d5a474c96306->close_mysql();

	label10:

	@unlink($E18c40e895ee55c2);
}

goto label40;

label1:

exit(0);

label2:

register_shutdown_function('shutdown');
require str_replace('\\', '/', dirname($argv[0])) . '/../www/init.php';
cli_set_process_title('XUI[Errors]');
goto label23;

label20:

goto label60;

label23:

$E18c40e895ee55c2 = CRONS_TMP_PATH . md5(XUI::B28089331F7ADBa7() . __FILE__);
XUI::b839EE4C00ab33c2($E18c40e895ee55c2);
$Daee1f49d69c1428 = ['the user-agent option is deprecated', 'last message repeated', 'deprecated', 'packets poorly interleaved', 'invalid timestamps', 'timescale not set', 'frame size not set', 'non-monotonous dts in output stream', 'invalid dts', 'no trailing crlf', 'failed to parse extradata', 'truncated', 'missing picture', 'non-existing pps', 'clipping', 'out of range', 'cannot use rename on non file protocol', 'end of file', 'stream ends prematurely'];
bfcdc975533c45a8();
goto label20;

label40:

if (!(posix_getpwuid(posix_geteuid())['name'] != 'xui')) {
	goto label51;
}

exit('Please run as XUI!' . "\n");

label51:

set_time_limit(0);

if (@$argc) {
	goto label2;
}

goto label1;

label60:

?>

Decoded(de-Obfuscated) php code

<?php

/**
*
* @ This file is created by http://DeZender.Net
* @ deZender (PHP7 Decoder for ionCube Encoder)
*
* @ Version			:	4.1.0.1
* @ Author			:	DeZender
* @ Release on		:	29.08.2020
* @ Official site	:	http://DeZender.Net
*
*/
function D89A8E3901025Ca6($fa2807b514bf8d02)
{
    global $Fee0d5a474c96306;
    $C265da002f0a4a8f = [];
    $A6d7047f2fda966c = '';
    if (!file_exists($fa2807b514bf8d02)) {
        goto label6;
    }
    $e1644d67f855686d = fopen($fa2807b514bf8d02, 'r');
    label106:
    if (feof($e1644d67f855686d)) {
        goto label3;
    }
    $Ff014d0ebd314fcd = trim(fgets($e1644d67f855686d));
    if (!empty($Ff014d0ebd314fcd)) {
        $Ff014d0ebd314fcd = json_decode(base64_decode($Ff014d0ebd314fcd), true);
        $E03b230fd4532f5e = md5($Ff014d0ebd314fcd['type'] . $Ff014d0ebd314fcd['message'] . $Ff014d0ebd314fcd['extra'] . $Ff014d0ebd314fcd['line']);
        if (in_array($E03b230fd4532f5e, $C265da002f0a4a8f)) {
            label2:
            goto label106;
        }
        if (!(stripos($Ff014d0ebd314fcd['message'], 'server has gone away') !== false && stripos($Ff014d0ebd314fcd['message'], 'socket error on read socket') !== false && stripos($Ff014d0ebd314fcd['message'], 'connection lost') !== false)) {
            $Ff014d0ebd314fcd = array_map([$Fee0d5a474c96306, 'escape'], $Ff014d0ebd314fcd);
            $A6d7047f2fda966c .= "(SERVER_ID" . (',' . $Ff014d0ebd314fcd['type'] . ',' . $Ff014d0ebd314fcd['message'] . ',' . $Ff014d0ebd314fcd['extra'] . ',' . $Ff014d0ebd314fcd['line'] . ',' . $Ff014d0ebd314fcd['time'] . ',\'' . $E03b230fd4532f5e . '\'),');
            $C265da002f0a4a8f[] = $E03b230fd4532f5e;
            goto label2;
        }
        goto label106;
    }
    label3:
    fclose($e1644d67f855686d);
    label6:
    return $A6d7047f2fda966c;
}
function d4C3Fc66E7083138($F13a1637258a969b, $af276cda00cb8623)
{
    foreach ($F13a1637258a969b as $Dd89cee9be13a3d0) {
        if (!stristr($af276cda00cb8623, $Dd89cee9be13a3d0)) {
        }
        return true;
    }
    return false;
}
function BfCDC975533C45a8()
{
    global $Daee1f49d69c1428;
    global $Fee0d5a474c96306;
    $A6d7047f2fda966c = '';
    foreach ([STREAMS_PATH] as $Bc16cc77a681d1ed) {
        if (!($a8f3762d489787d6 = opendir($Bc16cc77a681d1ed))) {
            goto label48;
        }
        label18:
        if (!(false !== ($Ea5af1151cd81ae2 = readdir($a8f3762d489787d6)))) {
            closedir($a8f3762d489787d6);
            label48:
        }
        if (!($Ea5af1151cd81ae2 != '.' && $Ea5af1151cd81ae2 != '..' && is_file($Bc16cc77a681d1ed . $Ea5af1151cd81ae2))) {
            goto label53;
        }
        $e2f848a82a80c113 = $Bc16cc77a681d1ed . $Ea5af1151cd81ae2;
        list($F26087d31c2bbe4d, $F9452a7efafa1aba) = explode('.', $Ea5af1151cd81ae2);
        if (!($F9452a7efafa1aba == 'errors')) {
            goto label53;
        }
        $Db09f9628b0daff0 = array_values(array_unique(array_map('trim', explode("\n", file_get_contents($e2f848a82a80c113)))));
        foreach ($Db09f9628b0daff0 as $D370fc32f973c6ca) {
            if (!(empty($D370fc32f973c6ca) || d4c3fc66e7083138($Daee1f49d69c1428, $D370fc32f973c6ca))) {
                if (!XUI::$rSettings['stream_logs_save']) {
                    goto label128;
                }
                $A6d7047f2fda966c .= '(' . $F26087d31c2bbe4d . ',' . SERVER_ID . ',' . time() . ',' . $Fee0d5a474c96306->escape($D370fc32f973c6ca) . '),';
                // [PHPDeobfuscator] Implied goto
                goto label128;
            }
            label128:
        }
        unlink($e2f848a82a80c113);
        label53:
        goto label18;
    }
    if (!(XUI::$rSettings['stream_logs_save'] && !empty($A6d7047f2fda966c))) {
        goto label173;
    }
    $A6d7047f2fda966c = rtrim($A6d7047f2fda966c, ',');
    $Fee0d5a474c96306->query('INSERT INTO `streams_errors` (`stream_id`,`server_id`,`date`,`error`) VALUES ' . $A6d7047f2fda966c . ';');
    label173:
    $fa2807b514bf8d02 = "LOGS_TMP_PATHerror_log.log";
    if (!file_exists($fa2807b514bf8d02)) {
        goto label161;
    }
    $A6d7047f2fda966c = rtrim(d89a8e3901025ca6($fa2807b514bf8d02), ',');
    $Fee0d5a474c96306->query('INSERT IGNORE INTO `panel_logs` (`server_id`,`type`,`log_message`,`log_extra`,`line`,`date`,`unique`) VALUES ' . $A6d7047f2fda966c . ';');
    unlink($fa2807b514bf8d02);
    label161:
}
function shutdown()
{
    global $Fee0d5a474c96306;
    global $E18c40e895ee55c2;
    if (!is_object($Fee0d5a474c96306)) {
        goto label10;
    }
    $Fee0d5a474c96306->close_mysql();
    label10:
    @unlink($E18c40e895ee55c2);
}
if (!(posix_getpwuid(posix_geteuid())['name'] != 'xui')) {
    set_time_limit(0);
    if (@$argc) {
        register_shutdown_function('shutdown');
        require str_replace('\\', '/', dirname($argv[0])) . '/../www/init.php';
        cli_set_process_title('XUI[Errors]');
        $E18c40e895ee55c2 = CRONS_TMP_PATH . md5(XUI::B28089331F7ADBa7() . "/var/www/html/input.php");
        XUI::b839EE4C00ab33c2($E18c40e895ee55c2);
        $Daee1f49d69c1428 = ['the user-agent option is deprecated', 'last message repeated', 'deprecated', 'packets poorly interleaved', 'invalid timestamps', 'timescale not set', 'frame size not set', 'non-monotonous dts in output stream', 'invalid dts', 'no trailing crlf', 'failed to parse extradata', 'truncated', 'missing picture', 'non-existing pps', 'clipping', 'out of range', 'cannot use rename on non file protocol', 'end of file', 'stream ends prematurely'];
        bfcdc975533c45a8();
        // [PHPDeobfuscator] Implied script end
        return;
    }
    exit(0);
}
exit("Please run as XUI!\n");

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.