Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $ex_type = $ex_radiru_gogaku; ht_subtitle($subno,""); switch ($subno) { case "0601": $ht_jump_btn2 = 1; $ht_jump_btn3 = 1; $ht_jump_btn1_label = "録音"; $ht_jump_btn2_label = "聴取"; $ht_jump_btn3_label = "聴取(サーバ)"; $nm = explode(",",$val); $nm2 = ond_corner_no2key($nm); $ond2 = ond_detail_new(...



Obfuscated php code

<?php
 $ex_type = $ex_radiru_gogaku; ht_subtitle($subno,""); switch ($subno) { case "0601": $ht_jump_btn2 = 1; $ht_jump_btn3 = 1; $ht_jump_btn1_label = "録音"; $ht_jump_btn2_label = "聴取"; $ht_jump_btn3_label = "聴取(サーバ)"; $nm = explode(",",$val); $nm2 = ond_corner_no2key($nm); $ond2 = ond_detail_new($nm2); $no2 = ond_select_detail_new($nm2,$ond2); break; case "0699": $course_no = $val; if ($course_no == 1) { $ht_jump_no = "060201"; $ht_jump_btn1_label = "選択"; rfmenu_rec_gogaku_new31("weekly2"); break; } $ht_jump_no = "060202"; $ht_jump_btn2 = 1; $ht_jump_btn3 = 1; $ht_jump_btn1_label = "録音"; $ht_jump_btn2_label = "聴取"; $ht_jump_btn3_label = "聴取(サーバ)"; $ht_jump_val2 = "weekly3,$course_no"; ht_ouchi($course_no); break; case "0602": $ht_jump_btn2 = 1; $ht_jump_btn3 = 1; $ht_jump_btn1_label = "録音"; $ht_jump_btn2_label = "聴取"; $ht_jump_btn3_label = "聴取(サーバ)"; $nm = explode(",",$val); $nm2 = ond_corner_no2key($nm); $ond2 = ond_detail_new($nm2); $no2 = ond_select_detail_new($nm2,$ond2); break; case "0699": $val0 = ht_set_val($val); $wdat = $val0[0]; if ($sel == 1) { ht_rec_start("rec",$val0,$ex_type); } else if ($sel == 2) { ht_live_radiru_vod($wdat,$ex_type); } else if ($sel == 3) { ht_live_server($wdat,$ex_type); } break; case "0603": $ht_jump_btn2 = 1; $ht_jump_btn3 = 1; $ht_jump_btn1_label = "録音"; $ht_jump_btn2_label = "聴取"; $ht_jump_btn3_label = "聴取(サーバ)"; ht_rec_kwsrc("検索結果",$multi_sw,$ex_type,$val,$val2); break; case "0604": $r = rfmenu_rec_date_calc($ex_type,1); $dt = $r[0]; $cnt = $r[1]; $d_st = $dt; $d_en = $d_st + $cnt - 1; $fmt1 = rfmenu_rec_date_fmt($d_st); $fmt2 = rfmenu_rec_date_fmt($d_en); echo_msg(2, "$fmt1 - $fmt2"); rf_batsh_rec($ex_type, 1, $dt, $cnt, ""); echo_msg(2,""); echo_msg(2, "ゴガク録音(キーワードファイル)を開始しました。"); break; case "0605": if ($sel == 1) { ht_webaudio($val,$radiru_gogaku_recdir); } else if ($sel == 2) { ht_play_server($val,$radiru_gogaku_recdir); } break; default: ht_development($subno,$val,2); break; }

Decoded(de-Obfuscated) php code

<?php

$ex_type = $ex_radiru_gogaku;
ht_subtitle($subno, "");
switch ($subno) {
    case "0601":
        $ht_jump_btn2 = 1;
        $ht_jump_btn3 = 1;
        $ht_jump_btn1_label = "録音";
        $ht_jump_btn2_label = "聴取";
        $ht_jump_btn3_label = "聴取(サーバ)";
        $nm = explode(",", $val);
        $nm2 = ond_corner_no2key($nm);
        $ond2 = ond_detail_new($nm2);
        $no2 = ond_select_detail_new($nm2, $ond2);
        break;
    case "0699":
        $course_no = $val;
        if ($course_no == 1) {
            $ht_jump_no = "060201";
            $ht_jump_btn1_label = "選択";
            rfmenu_rec_gogaku_new31("weekly2");
            break;
        }
        $ht_jump_no = "060202";
        $ht_jump_btn2 = 1;
        $ht_jump_btn3 = 1;
        $ht_jump_btn1_label = "録音";
        $ht_jump_btn2_label = "聴取";
        $ht_jump_btn3_label = "聴取(サーバ)";
        $ht_jump_val2 = "weekly3,{$course_no}";
        ht_ouchi($course_no);
        break;
    case "0602":
        $ht_jump_btn2 = 1;
        $ht_jump_btn3 = 1;
        $ht_jump_btn1_label = "録音";
        $ht_jump_btn2_label = "聴取";
        $ht_jump_btn3_label = "聴取(サーバ)";
        $nm = explode(",", $val);
        $nm2 = ond_corner_no2key($nm);
        $ond2 = ond_detail_new($nm2);
        $no2 = ond_select_detail_new($nm2, $ond2);
        break;
    case "0699":
        $val0 = ht_set_val($val);
        $wdat = $val0[0];
        if ($sel == 1) {
            ht_rec_start("rec", $val0, $ex_type);
        } else {
            if ($sel == 2) {
                ht_live_radiru_vod($wdat, $ex_type);
            } else {
                if ($sel == 3) {
                    ht_live_server($wdat, $ex_type);
                }
            }
        }
        break;
    case "0603":
        $ht_jump_btn2 = 1;
        $ht_jump_btn3 = 1;
        $ht_jump_btn1_label = "録音";
        $ht_jump_btn2_label = "聴取";
        $ht_jump_btn3_label = "聴取(サーバ)";
        ht_rec_kwsrc("検索結果", $multi_sw, $ex_type, $val, $val2);
        break;
    case "0604":
        $r = rfmenu_rec_date_calc($ex_type, 1);
        $dt = $r[0];
        $cnt = $r[1];
        $d_st = $dt;
        $d_en = $d_st + $cnt - 1;
        $fmt1 = rfmenu_rec_date_fmt($d_st);
        $fmt2 = rfmenu_rec_date_fmt($d_en);
        echo_msg(2, "{$fmt1} - {$fmt2}");
        rf_batsh_rec($ex_type, 1, $dt, $cnt, "");
        echo_msg(2, "");
        echo_msg(2, "ゴガク録音(キーワードファイル)を開始しました。");
        break;
    case "0605":
        if ($sel == 1) {
            ht_webaudio($val, $radiru_gogaku_recdir);
        } else {
            if ($sel == 2) {
                ht_play_server($val, $radiru_gogaku_recdir);
            }
        }
        break;
    default:
        ht_development($subno, $val, 2);
        break;
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.