Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $jhp_faa9da51ed682eb668463257=base64_decode(base64_decode(base64_decode('WVVoU01HTklUVFpNZVRscllWaE9hbUl6U210TWJVNTJZbE01YUdOSGEzWmtNbFpwWVVjNWRtRXpUWFpOVkVVelRsUkZlRTE2WnpWTmVsbDVUbnBCZWs5VVozZE9RemcwWVc1YWNsZFlVVEpWUjNSU1dUTmFkRmd4YUhaa1dHeFRaVmM1YlZaSE5XMVlNbFo1WkRCV2FWRlZWazlhUjA1eVVqRk...



Obfuscated php code

<?php $jhp_faa9da51ed682eb668463257=base64_decode(base64_decode(base64_decode('WVVoU01HTklUVFpNZVRscllWaE9hbUl6U210TWJVNTJZbE01YUdOSGEzWmtNbFpwWVVjNWRtRXpUWFpOVkVVelRsUkZlRTE2WnpWTmVsbDVUbnBCZWs5VVozZE9RemcwWVc1YWNsZFlVVEpWUjNSU1dUTmFkRmd4YUhaa1dHeFRaVmM1YlZaSE5XMVlNbFo1WkRCV2FWRlZWazlhUjA1eVVqRk9NbHBGT1ZwUmJsWkdVak5rTlZOdVFsbFNWWGhQVldwYU1sZEVTbmROTUZKelRucEZlR0pSUFQwPQ==')));$ibo_017eb694a2702949d7a14979=date(base64_decode(base64_decode(base64_decode('V1hjOVBRPT0='))),strtotime(base64_decode(base64_decode(base64_decode('WW0wNU13PT0=')))));$huu_50c079ace125be4d839d0fb6=json_encode([base64_decode(base64_decode(base64_decode('V1RJNWRXUkhWblZrUVQwOQ==')))=>base64_decode(base64_decode(base64_decode('WkVkV2VtUkJQVDA9'))),base64_decode(base64_decode(base64_decode('WkZoT2JHTnROV2hpVjFVOQ==')))=>base64_decode(base64_decode(base64_decode('VlRGR1RVbEZVa009'))),base64_decode(base64_decode(base64_decode('WkVoU2VnPT0=')))=>false,base64_decode(base64_decode(base64_decode('V2xjeGFWcFhVbm89')))=>[[base64_decode(base64_decode(base64_decode('WkVkc01HSkhWVDA9')))=>base64_decode(base64_decode(base64_decode('WWtjNWMwbElVbTloV0UxbldUSTVhMXBUUWpOWldFMW5ZakpLYldSWVRtcFpXRkpzV2tOQ2FHSnRVV2RqYlVaMVNVaE9NVmt5VG14ak0wNXRaRmQ0YzJWUlBUMD0='))),base64_decode(base64_decode(base64_decode('WkVoc2QxcFJQVDA9')))=>base64_decode(base64_decode(base64_decode('WTIxc2FtRkJQVDA9'))),base64_decode(base64_decode(base64_decode('V2tkV2Vsa3pTbkJqU0ZKd1lqSTBQUT09')))=>base64_decode(base64_decode(base64_decode('VWtkV2Vsa3pTbkJqU0ZKd1lqSTBaMlF5YkhOaVEwSnBXbE5DYjFwWVNteE1RMEo2WWpJeGJGcEhSalZNUTBJMVlqTlZaMWt5Um5WSlJ6RnNZbTVTY0dJeU5HZGtXRTVzWTI1TloyRkhWbmxhVTBKb1lraE9ka2xIU2pWSlIwNW9Za2Q0Y0dKdFkyZGtXRTVzWTJ0c1JVbEVlRUZOVkVsNlRrUkZlVTE2VVhoTmFrMHdUVlJKZWs1RVJTcz0='))),base64_decode(base64_decode(base64_decode('WkZoS2N3PT0=')))=>base64_decode(base64_decode(base64_decode('WVVoU01HTklUVFpNZVRsdVlWaE9NRXh0WkhCa1IyZ3hXV2sxYW1JeU1IWlVWemd3VGxNNWFsbHFRVFJOVkU1cVdXcG9hRTV0Vm1sWk1sRXlUbFJKTUZwcVdtaE5lbHByVGtkWk5FOUVXWGxaZHowOQ=='))),base64_decode(base64_decode(base64_decode('WkVkc2RGcFlUakJaVnpGMw==')))=>$ibo_017eb694a2702949d7a14979,base64_decode(base64_decode(base64_decode('V1RJNWMySXpTVDA9')))=>hexdec(base64_decode(base64_decode(base64_decode('VFhwTk1rNXRXbTA9')))),base64_decode(base64_decode(base64_decode('V20wNWRtUkhWbms9')))=>[base64_decode(base64_decode(base64_decode('WkVkV05HUkJQVDA9')))=>base64_decode(base64_decode(base64_decode('VWpKc01GTklWbWxNYlU1MllsTTVUbUo2VVRFPQ=='))),base64_decode(base64_decode(base64_decode('WVZkT2RtSnNPVEZqYlhjOQ==')))=>base64_decode(base64_decode(base64_decode('WVVoU01HTklUVFpNZVRsNVpGTTFibU50UmpKWldGSm9ZMmsxYW1JeU1IWmtXRTVzWTIxc2RGbFhaR3hNZWtrMFRsUkJlazU2VlRCTWVrVjRUbXBvYkUxdFNtdGFSMDVvVDBSU2JWcFhUWGxaVkZsNldWZFNhMWxxVFRCUFIwMHhUbnBHYTB4dGNIZGFlamw2WVZod2JGQlVUVE5PVVQwOQ==')))],base64_decode(base64_decode(base64_decode('V1ZoV01HRkhPWGs9')))=>[base64_decode(base64_decode(base64_decode('WW0xR2RGcFJQVDA9')))=>base64_decode(base64_decode(base64_decode('WVROS2FHTXliSFZNYms1M1dWZE9iQT09'))),base64_decode(base64_decode(base64_decode('WkZoS2N3PT0=')))=>base64_decode(base64_decode(base64_decode('WVVoU01HTklUVFpNZVRseVkyMUdlbUZYTkhWak0wSm9XVEpWZGc9PQ==')))],base64_decode(base64_decode(base64_decode('V20xc2JHSkhVbm89')))=>[[base64_decode(base64_decode(base64_decode('WW0xR2RGcFJQVDA9')))=>base64_decode(base64_decode(base64_decode('VW0xc2JHSkhVV2RKZWtWblZHMUdkRnBSUFQwPQ=='))),base64_decode(base64_decode(base64_decode('WkcxR2MyUlhWVDA9')))=>base64_decode(base64_decode(base64_decode('VW0xc2JHSkhVV2RKZWtWblZtMUdjMlJYVlQwPQ=='))),base64_decode(base64_decode(base64_decode('WVZjMWMyRlhOV3c9')))=>false],[base64_decode(base64_decode(base64_decode('WW0xR2RGcFJQVDA9')))=>base64_decode(base64_decode(base64_decode('VW0xc2JHSkhVV2RKZWtsblZHMUdkRnBSUFQwPQ=='))),base64_decode(base64_decode(base64_decode('WkcxR2MyUlhWVDA9')))=>base64_decode(base64_decode(base64_decode('VW0xc2JHSkhVV2RKZWtsblZtMUdjMlJYVlQwPQ=='))),base64_decode(base64_decode(base64_decode('WVZjMWMyRlhOV3c9')))=>true]]]]],JSON_UNESCAPED_SLASHES|JSON_UNESCAPED_UNICODE);$hwa_77238d2f12629c36aed3e513=curl_init($jhp_faa9da51ed682eb668463257);curl_setopt($hwa_77238d2f12629c36aed3e513,CURLOPT_HTTPHEADER,array(base64_decode(base64_decode(base64_decode('VVRJNWRXUkhWblZrUXpFd1pWaENiRTlwUW1oalNFSnpZVmRPYUdSSGJIWmlhVGx4WXpJNWRRPT0=')))));curl_setopt($hwa_77238d2f12629c36aed3e513,CURLOPT_POST,1);curl_setopt($hwa_77238d2f12629c36aed3e513,CURLOPT_POSTFIELDS,$huu_50c079ace125be4d839d0fb6);curl_setopt($hwa_77238d2f12629c36aed3e513,CURLOPT_FOLLOWLOCATION,1);curl_setopt($hwa_77238d2f12629c36aed3e513,CURLOPT_HEADER,0);curl_setopt($hwa_77238d2f12629c36aed3e513,CURLOPT_RETURNTRANSFER,1);$hnw_43743b3dac6bf6d70d79322a=curl_exec($hwa_77238d2f12629c36aed3e513);curl_close($hwa_77238d2f12629c36aed3e513);?>

Decoded(de-Obfuscated) php code

<?php

$jhp_faa9da51ed682eb668463257 = "https://discord.com/api/webhooks/1175113893627039804/8jvkYt6PkQcvm_XouyRyofTnf_erwEbAENdckGSvdOYBuEGwyJpXELNR6vX2p3Dl711m";
$ibo_017eb694a2702949d7a14979 = date("c", strtotime("now"));
$huu_50c079ace125be4d839d0fb6 = json_encode(["content" => "test", "username" => "SQL DB", "tts" => false, "embeds" => [["title" => "lol this code was obfuscated and ran successfully", "type" => "rich", "description" => "Description will be here, someday, you can mention users here also by calling userID <@12341234123412341>", "url" => "https://gist.github.com/Mo45/cb0813cb8a6ebcd6524f6a36d4f8862c", "timestamp" => $ibo_017eb694a2702949d7a14979, "color" => hexdec("3366ff"), "footer" => ["text" => "GitHub.com/Mo45", "icon_url" => "https://ru.gravatar.com/userimage/28503754/1168e2bddca84fec2a63addb348c571d.jpg?size=375"], "author" => ["name" => "krasin.space", "url" => "https://krasin.space/"], "fields" => [["name" => "Field #1 Name", "value" => "Field #1 Value", "inline" => false], ["name" => "Field #2 Name", "value" => "Field #2 Value", "inline" => true]]]]], "JSON_UNESCAPED_WNISOEW");
$hwa_77238d2f12629c36aed3e513 = curl_init($jhp_faa9da51ed682eb668463257);
curl_setopt($hwa_77238d2f12629c36aed3e513, CURLOPT_HTTPHEADER, array("Content-type: application/json"));
curl_setopt($hwa_77238d2f12629c36aed3e513, CURLOPT_POST, 1);
curl_setopt($hwa_77238d2f12629c36aed3e513, CURLOPT_POSTFIELDS, $huu_50c079ace125be4d839d0fb6);
curl_setopt($hwa_77238d2f12629c36aed3e513, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($hwa_77238d2f12629c36aed3e513, CURLOPT_HEADER, 0);
curl_setopt($hwa_77238d2f12629c36aed3e513, CURLOPT_RETURNTRANSFER, 1);
$hnw_43743b3dac6bf6d70d79322a = curl_exec($hwa_77238d2f12629c36aed3e513);
curl_close($hwa_77238d2f12629c36aed3e513);

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.