
PHP deobfuscation, decryption, reconstruction tool

De-obfuscates PHP malware, viruses and tampered code found on WordPress sites, restoring it to readable code.

*Please note that not all obfuscated code can be decoded.

The code below has been decoded.

<?php switch ($sno) { case "s01": ht_subtitle("1001",""); $ht_jump_btn1_label = "選択"; $ret = rfmenu_update(0); if ($ret == 0) { } break; case "s02": ht_subtitle("1002",""); $ret = rfmenu_update_tool(0); if ($ret == 0) { } break; case "s03": ht_subtitle("1003",""); rfmenu_about_mes(); ht_yesno("本当...



Obfuscated php code

<?php
// Sample exactly as submitted to the decoder: a menu dispatcher keyed on $sno,
// written on a single physical line. $sno and $headless_browser are read but
// never assigned in this snippet, and every ht_*/rfmenu_*/rfgw_* helper,
// echo_msg() and rf_pause() is defined outside it.
// The labels "s01".."s05" are strings; the last non-default label is the
// integer -1. Any reformatted copy must keep that sign, otherwise a different
// $sno value reaches rfmenu_update(1).
 switch ($sno) { case "s01": ht_subtitle("1001",""); $ht_jump_btn1_label = "選択"; $ret = rfmenu_update(0); if ($ret == 0) { } break; case "s02": ht_subtitle("1002",""); $ret = rfmenu_update_tool(0); if ($ret == 0) { } break; case "s03": ht_subtitle("1003",""); rfmenu_about_mes(); ht_yesno("本当に実行しますか?"); break; case "s04": ht_subtitle("1004",""); rfmenu_info(); break; case "s05": ht_subtitle("1005",""); rfmenu_info_apps(); $ver = rfgw_headless_examine(); if ($ver[0] == 1) { $ex2 = 'exist'; } else { $ex2 = 'not exist'; } echo_msg(2,"ヘッドレスブラウザ : $headless_browser ( $ex2 )"); if ($ver[0] == 1) { echo_msg(2,"$ver[1]"); echo_msg(2,"$ver[2]"); } echo_msg(2,""); $svr = $_SERVER['SERVER_SOFTWARE']; echo_msg(2,"webサーバ : $svr"); echo_msg(2,""); $samba_ver = rfgw_samba_ver(); if ($samba_ver !== false) { echo_msg(2,$samba_ver[0]." : ".$samba_ver[1]); } else { echo_msg(2,"samba : not found"); } echo_msg(2,""); break; case -1: $ret = rfmenu_update(1); if ($ret == 0) { rf_pause(); } break; default: break; }

Decoded(de-Obfuscated) php code

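<?php

// Formatted reconstruction of the one-line menu dispatcher submitted to the
// decoder. Each menu id held in $sno selects a subtitle and one or more helper
// calls. $sno and $headless_browser are not assigned in this listing; they are
// expected to exist in the including scope. All helpers (ht_*, rfmenu_*,
// rfgw_*, echo_msg, rf_pause) are defined elsewhere.
switch ($sno) {
    case "s01":
        ht_subtitle("1001", "");
        $ht_jump_btn1_label = "選択";
        $ret = rfmenu_update(0);
        // Empty branch carried over from the input: the result is tested but
        // nothing is done with it.
        if ($ret == 0) {
        }
        break;
    case "s02":
        ht_subtitle("1002", "");
        $ret = rfmenu_update_tool(0);
        // Empty branch carried over from the input (no-op).
        if ($ret == 0) {
        }
        break;
    case "s03":
        ht_subtitle("1003", "");
        rfmenu_about_mes();
        ht_yesno("本当に実行しますか?");
        break;
    case "s04":
        ht_subtitle("1004", "");
        rfmenu_info();
        break;
    case "s05":
        // NOTE(review): this branch prints the headless-browser, web-server
        // and samba version strings. Nothing in this listing shows who can
        // reach it or whether echo_msg() escapes its argument; confirm both
        // where those are defined.
        ht_subtitle("1005", "");
        rfmenu_info_apps();
        $ver = rfgw_headless_examine();
        // $ver[0] == 1 is treated as "browser found"; $ver[1] and $ver[2] are
        // only printed in that case.
        if ($ver[0] == 1) {
            $ex2 = 'exist';
        } else {
            $ex2 = 'not exist';
        }
        echo_msg(2, "ヘッドレスブラウザ : {$headless_browser} ( {$ex2} )");
        if ($ver[0] == 1) {
            echo_msg(2, "{$ver[1]}");
            echo_msg(2, "{$ver[2]}");
        }
        echo_msg(2, "");
        $svr = $_SERVER['SERVER_SOFTWARE'];
        echo_msg(2, "webサーバ : {$svr}");
        echo_msg(2, "");
        $samba_ver = rfgw_samba_ver();
        if ($samba_ver !== false) {
            echo_msg(2, $samba_ver[0] . " : " . $samba_ver[1]);
        } else {
            echo_msg(2, "samba : not found");
        }
        echo_msg(2, "");
        break;
    // The submitted one-line input reads `case -1:`. The label is kept as -1
    // here so the reconstruction dispatches on the same value as the input;
    // with the sign dropped, a different $sno would reach rfmenu_update(1).
    case -1:
        $ret = rfmenu_update(1);
        // Loose comparison: a false/null/"" return would also match 0 here.
        // Presumably rfmenu_update() returns an int status; verify.
        if ($ret == 0) {
            rf_pause();
        }
        break;
    default:
        break;
}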



(C)2020 Wordpress Doctor All rights reserved.