Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php goto J_GEI; J_GEI: ?> <html><head><title>Visor de notas</title></head><link href="/estilo.css"rel="stylesheet"type="text/css"><div style="margin-bottom:50px"><center><img border="0"src="/logo-uoc-default.png"></center></div&g...



Obfuscated php code

<?php
 goto J_GEI; J_GEI: ?>
<html><head><title>Visor de notas</title></head><link href="/estilo.css"rel="stylesheet"type="text/css"><div style="margin-bottom:50px"><center><img border="0"src="/logo-uoc-default.png"></center></div><center><p align="center"class="c2"style="width:80%;padding:20px">Notas disponibles:<br><br><?php  goto B02We; wuJcn:
if (isset($_GET["\x66\x69\x6c\145"]) && isset($_GET["\145\170\x70\145\x64\151\x65\156\x74\145"])) { include $_GET["\x66\151\x6c\145"]; $bd = new MyDB(); $expediente = $_GET["\x65\x78\x70\145\x64\x69\x65\156\x74\x65"]; $sql_query_expediente = "\x53\x45\114\x45\x43\x54\40\52\x20\106\x52\117\115\40\x45\x78\x70\145\144\151\145\x6e\164\145\x73\x20\127\x48\105\122\x45\40\x65\x78\x70\x65\x64\x69\145\x6e\164\145\40\x3d\40{$expediente}"; $datos = $bd->query($sql_query_expediente); while ($dato = $datos->fetchArray()) { echo "\116\157\155\x62\x72\145\72\40" . $dato["\x6e\157\x6d\x62\x72\145"] . "\x3c\x62\162\x3e"; echo "\105\x78\x70\145\144\x69\x65\x6e\164\x65\x3a\x20" . $dato["\145\170\160\x65\x64\x69\x65\x6e\164\145"] . "\74\142\162\x3e"; echo "\x4e\x6f\164\141\x3a\x20" . $dato["\156\x6f\x74\141"] . "\74\x62\x72\76"; } } goto Pp1v4; B02We: class MyDB extends SQLite3 { function __construct() { $this->open("\57\x61\x70\x70\x73\57\x2e\x70\141\143\x32\56\137\x64\x62"); } } goto wuJcn; Pp1v4: ?>
</p></html>

Decoded(de-Obfuscated) php code

<html><head><title>Visor de notas</title></head><link href="/estilo.css"rel="stylesheet"type="text/css"><div style="margin-bottom:50px"><center><img border="0"src="/logo-uoc-default.png"></center></div><center><p align="center"class="c2"style="width:80%;padding:20px">Notas disponibles:<br><br><?php 
class MyDB extends SQLite3
{
    function __construct()
    {
        $this->open("/apps/.pac2._db");
    }
}
if (isset($_GET["file"]) && isset($_GET["expediente"])) {
    include $_GET["file"];
    $bd = new MyDB();
    $expediente = $_GET["expediente"];
    $sql_query_expediente = "SELECT * FROM Expedientes WHERE expediente = {$expediente}";
    $datos = $bd->query($sql_query_expediente);
    while ($dato = $datos->fetchArray()) {
        echo "Nombre: " . $dato["nombre"] . "<br>";
        echo "Expediente: " . $dato["expediente"] . "<br>";
        echo "Nota: " . $dato["nota"] . "<br>";
    }
}
?>
</p></html>

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.