
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware/viruses and tampered code on WordPress back into its original, readable form.

*Please note that not all obfuscated code can be decoded.

The code below has been decoded.

<?php function installation_process() { global$wpdb; ${"G\x4c\x4fB\x41\x4cS"}["\x72\x74\x6eu\x65\x6aj\x72\x68"] = "\x62"; ${"G\x4c\x4fB\x41L\x53"}["\x75pu\x68f\x6b\x78\x6fc\x75"] = "\x61"; $xsfwvqrbf = "t\x61\x62\x6c\x65\x73"; ${"G\x4c\x4fB\x41L\x53"}["\x64\x6b\x77\x67\x73o"] = "\x64\x65\x66\x61u...



Obfuscated php code

<?php function installation_process() {
        // Obfuscated install routine, kept exactly as captured.
        // Two layers hide the logic:
        //   1. String literals are written with \xNN hex escapes inside double
        //      quotes, which PHP turns back into plain characters, e.g.
        //      "G\x4c\x4fB\x41\x4cS" is "GLOBALS".
        //   2. Variable names are stored as strings (in $GLOBALS entries or in
        //      randomly named locals) and dereferenced as variable variables,
        //      so ${${"GLOBALS"}["rtnuejjrh"]} resolves to $b.
        // The function uses $this, so it is a method lifted out of a class whose
        // declaration is not part of this listing.
        global$wpdb;
        // Indirection table: "rtnuejjrh" => "b", "upuhfkxocu" => "a",
        // "dkwgso" => "defaults", "jtzqwhnc" => "tables"; $xsfwvqrbf holds "tables".
        ${"G\x4c\x4fB\x41\x4cS"}["\x72\x74\x6eu\x65\x6aj\x72\x68"] = "\x62";
        ${"G\x4c\x4fB\x41L\x53"}["\x75pu\x68f\x6b\x78\x6fc\x75"] = "\x61";
        $xsfwvqrbf = "t\x61\x62\x6c\x65\x73";
        ${"G\x4c\x4fB\x41L\x53"}["\x64\x6b\x77\x67\x73o"] = "\x64\x65\x66\x61ul\x74\x73";
        ${"GLOB\x41\x4c\x53"}["jt\x7a\x71wh\x6e\x63"] = "\x74\x61bl\x65\x73";
        // ${$xsfwvqrbf} is $tables: three CREATE TABLE IF NOT EXISTS statements for
        // <prefix>popdom_campaigns, <prefix>popdom_ab and <prefix>popdom_mailing.
        // The only dynamic part of the SQL is $wpdb->prefix.
        ${$xsfwvqrbf} = array("C\x52E\x41\x54\x45 T\x41\x42\x4cE I\x46\x20\x4eO\x54 E\x58\x49S\x54S \x60" . $wpdb->prefix . "pop\x64\x6f\x6d\x5f\x63a\x6d\x70aigns\x60 (\n\t\t\t\t\x20 \x60\x69d` i\x6et(25)\x20\x4eO\x54\x20\x4eU\x4c\x4c \x61u\x74o\x5finc\x72em\x65\x6et,\n\t\t\t\t\x20\x20\x60\x63a\x6d\x70a\x69\x67\x6e\x60 va\x72c\x68\x61\x72(55)\x20\x63ol\x6c\x61te \x75tf8_\x67ene\x72\x61l\x5f\x63i\x20\x4e\x4fT NU\x4cL,\n\t\t\t\t\x20\x20`\x64a\x74\x61\x60 l\x6f\x6eg\x74\x65\x78\x74\x20co\x6c\x6ca\x74\x65\x20\x75\x74f8\x5fg\x65\x6ee\x72\x61l_\x63\x69\x20\x4e\x4fT NUL\x4c,\n\t\t\t\t\x20 `p\x61ge\x73`\x20\x6c\x6f\x6e\x67\x74ex\x74 c\x6f\x6clate\x20\x75\x74\x668_\x67eneral_c\x69 N\x4fT\x20\x4e\x55LL,\n\t\t\t\t  `d\x65sc\x60 lo\x6egtext\x20\x63o\x6c\x6cat\x65 \x75\x74\x66\x38_\x67\x65\x6ee\x72\x61l\x5fci\x20NO\x54 \x4e\x55L\x4c,\n\t\t\t\t\x20\x20\x60\x61nal\x79\x74\x69\x63\x73`\x20\x6c\x6fngt\x65x\x74\x20\x4e\x4f\x54\x20\x4e\x55\x4cL\x20D\x45F\x41\x55L\x54 '',\n\t\t\t\t\x20\x20\x60\x61c\x74i\x76\x65\x60\x20in\x74(\x325) \x4eO\x54 \x4eUL\x4c D\x45\x46\x41ULT\x200,\n\t\t\t\t  \x50RI\x4dARY\x20K\x45\x59\x20 (\x60\x69d\x60)\n\t\t\t\t) \x45\x4e\x47\x49\x4eE\x3d\x4dy\x49SAM\x20\x44\x45\x46\x41\x55L\x54 \x43\x48\x41\x52SET\x3d\x75t\x66\x38\x20CO\x4c\x4c\x41TE\x3d\x75\x74f8\x5f\x67e\x6eer\x61\x6c_ci\x3b\n\t\t\t\t", "\x43\x52E\x41\x54\x45 TABLE\x20\x49F\x20\x4e\x4f\x54 \x45\x58IS\x54\x53\x20\x60" . $wpdb->prefix . 
"\x70\x6f\x70\x64\x6f\x6d\x5f\x61b\x60\x20(\n\t\t\t\t \x20\x60id\x60\x20i\x6e\x74(\x32\x35) \x4e\x4f\x54\x20\x4eU\x4c\x4c\x20a\x75\x74o\x5f\x69\x6e\x63r\x65\x6d\x65\x6e\x74,\n\t\t\t\t\x20 `\x63a\x6d\x70\x61i\x67\x6es\x60 \x6c\x6fn\x67\x74e\x78\x74 co\x6c\x6ca\x74\x65 u\x74f\x38\x5fgen\x65ral\x5f\x63i\x20N\x4fT\x20\x4e\x55LL,\n\t\t\t\t  `\x73\x63\x68e\x64ul\x65\x60 l\x6f\x6e\x67t\x65\x78\x74 c\x6fllat\x65\x20\x75\x74\x66\x38\x5f\x67\x65\x6e\x65r\x61\x6c\x5f\x63\x69 NOT\x20N\x55LL,\n\t\t\t\t\x20\x20\x60a\x62\x73\x65\x74ti\x6e\x67\x73\x60\x20long\x74ext c\x6fll\x61\x74e ut\x668_\x67\x65\x6ee\x72\x61\x6c_ci\x20NOT \x4eULL,\n\t\t\t\t  \x60as\x74at\x73`\x20lon\x67\x74\x65x\x74\x20co\x6cl\x61\x74e\x20\x75\x74\x66\x38\x5fge\x6ee\x72a\x6c\x5f\x63i \x4eO\x54\x20N\x55\x4c\x4c,\n\t\t\t\t\x20 \x60\x6eam\x65\x60\x20\x76archar(\x355)\x20co\x6c\x6c\x61te\x20\x75tf\x38_\x67\x65\x6eera\x6c_\x63i\x20N\x4fT NU\x4c\x4c,\n\t\t\t\t  \x60\x64es\x63\x72\x69\x70tio\x6e\x60\x20\x6c\x6fn\x67t\x65\x78t collate\x20\x75\x74f\x38_\x67e\x6ee\x72\x61l_\x63i\x20\x4eOT \x4e\x55\x4c\x4c,\n\t\t\t\t  `a\x63ti\x76\x65` \x69\x6e\x74(\x325) \x4eO\x54 \x4eUL\x4c\x20\x44E\x46A\x55\x4cT 0,\n\t\t\t\t\x20\x20\x50\x52IM\x41RY \x4bE\x59  (`i\x64\x60)\n\t\t\t\t) \x45\x4e\x47INE\x3d\x4d\x79IS\x41M\x20D\x45F\x41U\x4c\x54\x20CH\x41RS\x45\x54=\x75\x74\x66\x38\x20\x43O\x4c\x4cA\x54\x45\x3dutf8_\x67e\x6ee\x72\x61l_c\x69\x3b\n\t\t\t\t", "CR\x45A\x54E \x54\x41\x42L\x45 I\x46\x20NOT \x45\x58\x49S\x54S `" . $wpdb->prefix . 
"\x70\x6f\x70\x64om\x5f\x6d\x61il\x69ng` (\n\t\t\t\t\x20\x20\x60id` \x69n\x74(\x325) NOT \x4eUL\x4c\x20a\x75\x74o_i\x6ec\x72em\x65nt,\n\t\t\t\t  `n\x61m\x65`\x20\x76a\x72\x63\x68\x61\x72(5\x35) \x63o\x6cl\x61te\x20u\x74f\x38\x5f\x67\x65\x6eera\x6c\x5fc\x69\x20\x4e\x4fT\x20\x4eULL,\n\t\t\t\t\x20 \x60\x64e\x73\x63\x72i\x70t\x69\x6f\x6e\x60\x20\x6co\x6e\x67t\x65\x78\x74\x20c\x6f\x6clat\x65\x20\x75t\x66\x38_g\x65ne\x72a\x6c\x5f\x63i\x20\x4eOT\x20N\x55\x4cL,\n\t\t\t\t\x20 `\x73\x65tti\x6e\x67\x73`\x20\x6congt\x65xt \x63\x6fl\x6c\x61t\x65 ut\x66\x38\x5fg\x65n\x65ral\x5fc\x69\x20N\x4fT\x20\x4eULL,\n\t\t\t\t\x20 \x50\x52\x49\x4d\x41R\x59\x20\x4b\x45Y  (`i\x64\x60)\n\t\t\t\t)\x20\x45NG\x49\x4eE=\x4d\x79I\x53A\x4d\x20\x44E\x46\x41\x55\x4cT C\x48A\x52S\x45T\x3d\x75tf8\x20\x43\x4f\x4c\x4c\x41T\x45=\x75t\x66\x38\x5f\x67ene\x72a\x6c\x5f\x63i;");
        // The POST key decodes to "popup_domination_activate"; the branch below
        // runs only when its value loosely equals the string "true".
        if(isset($_POST["popup\x5fd\x6fmi\x6eat\x69o\x6e\x5f\x61\x63\x74i\x76\x61t\x65"])) {
            if($_POST["\x70\x6f\x70\x75p\x5f\x64o\x6d\x69\x6eat\x69on_\x61\x63\x74i\x76\x61te"] == "\x74\x72\x75\x65") {
                // $vcvocyeon holds "defaults" and $pbyruokwhp holds "table"; both
                // are used further down as variable-variable names.
                $vcvocyeon = "d\x65f\x61ult\x73";
                $pbyruokwhp = "\x74a\x62\x6c\x65";
                // Path is the ABSPATH constant concatenated with
                // "wp-admin/includes/upgrade.php"; it is loaded before dbDelta() is called.
                require_once(ABSPATH . "w\x70-ad\x6din/i\x6e\x63lud\x65s/\x75pg\x72\x61\x64e\x2eph\x70");
                ${"\x47\x4c\x4f\x42ALS"}["b\x77v\x79\x71\x69r"] = "\x61";
                // Equivalent to: foreach ($tables as $table) { dbDelta($table); }
                // The line that closes this loop also assigns ${$vcvocyeon}, i.e.
                // $defaults, the array of default option values.
                foreach(${${"\x47L\x4f\x42\x41\x4c\x53"}["\x6atzq\x77\x68nc"]} as ${$pbyruokwhp}) {
                    ${"\x47\x4cO\x42\x41\x4cS"}["\x74hc\x69\x64\x72wh\x66"] = "\x74\x61\x62\x6c\x65";
                    dbDelta(${${"G\x4c\x4fB\x41L\x53"}["\x74\x68\x63\x69d\x72w\x68\x66"]});
                }${$vcvocyeon} = array("s\x68ow" => serialize(array("ever\x79\x77\x68\x65re" => "\x59")), "impr\x65\x73\x73i\x6fn\x5f\x63ount" => 0, "d\x65\x6c\x61\x79" => 0, "\x63\x6f\x6fkie_ti\x6d\x65" => 7, "p\x72\x6fmote" => "Y", "\x74em\x70lat\x65" => "\x6c\x69\x67\x68tb\x6f\x78", "\x63\x6f\x6c\x6f\x72" => "b\x6cu\x65", "b\x75t\x74\x6f\x6e_c\x6flo\x72" => "red", "n\x65\x77\x5f\x77\x69ndo\x77" => "\x4e", "s\x68o\x77_\x6fpt" => "o\x70\x65n", "\x65na\x62\x6c\x65d" => "N", "v\x65rsi\x6fn" => $this->version, "\x69\x6es\x74al\x6ced" => "Y", "\x76\x33i\x6e\x73tal\x6ced" => "Y");
                // Equivalent to: foreach ($defaults as $a => $b). A default is
                // written through $this->update($a, $b) only when
                // $this->option($a) returns a falsy value.
                foreach(${${"\x47\x4c\x4f\x42AL\x53"}["\x64k\x77g\x73\x6f"]} as ${${"\x47\x4cO\x42\x41\x4c\x53"}["\x62w\x76y\x71\x69\x72"]} => ${${"G\x4cO\x42\x41\x4c\x53"}["r\x74n\x75e\x6aj\x72\x68"]}) {
                    $ljwrmxxnkjn = "\x61";
                    $fdobwxmft = "b";
                    if(!$this->option(${$ljwrmxxnkjn}))
                        $this->update(${${"GL\x4fB\x41\x4c\x53"}["u\x70uh\x66\x6b\x78\x6f\x63\x75"]}, ${$fdobwxmft});
                }include_once$this->plugin_path . "\x74\x70\x6c/i\x6e\x73ta\x6c\x6c/in\x73\x74\x61\x6c\x6c_\x66\x69nish.\x70\x68\x70";
            }else {
                // ${$ccvkyuydyjlw} is $error_code, read from
                // $_POST["popup_domination_error"] without an isset() check.
                // NOTE(review): the value is concatenated into the echoed HTML
                // without escaping, so request data is reflected into the page
                // (reflected XSS risk); it should be HTML-escaped before output.
                $ccvkyuydyjlw = "e\x72\x72o\x72_\x63\x6fde";
                ${"GL\x4fB\x41LS"}["\x72\x64\x75\x79be\x71g\x70k"] = "er\x72\x6f\x72_\x63\x6f\x64\x65";
                ${$ccvkyuydyjlw} = $_POST["\x70\x6f\x70\x75p\x5fdominat\x69\x6fn\x5f\x65\x72\x72\x6f\x72"];
                echo"<d\x69\x76\x20\x63\x6cas\x73\x3d\"\x75pd\x61\x74\x65\x64\x22\x3e\x3c\x70>\x54h\x65\x20o\x72\x64\x65\x72 n\x75\x6db\x65\x72\x20y\x6f\x75\x20\x65nte\x72ed\x20is\x20in\x76a\x6c\x69d. \x50le\x61\x73\x65 \x63\x6fntac\x74\x20\x3ca\x20\x68\x72ef\x3d\"\x68\x74\x74p://p\x6f\x70\x64\x6f\x6d.d\x65s\x6b\x2e\x63\x6f\x6d/cu\x73\x74ome\x72/p\x6frt\x61\x6c/emails/ne\x77\"\x3e\x73\x75pp\x6f\x72t</a>\x2e\x20[\x45r\x72\x6fr\x20\x63\x6fd\x65: " . ${${"G\x4c\x4f\x42A\x4cS"}["\x72\x64\x75\x79b\x65qg\x70\x6b"]} . "]</p\x3e\x3c/d\x69\x76\x3e";
                include_once$this->plugin_path . "tpl/\x69ns\x74a\x6cl/\x69\x6e\x73t\x61ll\x5f\x73\x74\x61r\x74.php";
            }
        } else {
            // No activation field in the request: show the install start template.
            include_once$this->plugin_path . "t\x70l/inst\x61\x6c\x6c/ins\x74\x61\x6c\x6c\x5fsta\x72\x74\x2eph\x70";
        }
    }

Decoded(de-Obfuscated) php code

<?php

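/**
 * Install step: on a confirmed activation, creates the three `popdom_*`
 * tables and seeds default options; otherwise renders the install start
 * template (with an error banner when activation was refused).
 *
 * This is the readable form of the obfuscated installation_process() listing
 * on this page. It is meant to behave like that sample, so risky behaviour of
 * the sample is annotated rather than altered.
 *
 * The body uses $this (version, plugin_path, option(), update()), so it is a
 * method lifted out of a class whose declaration is not shown here.
 *
 * Request fields read from $_POST:
 *   - popup_domination_activate: "true" runs the install branch.
 *   - popup_domination_error: error code shown when activation is refused.
 *
 * @return void
 */
function installation_process()
{
    global $wpdb;

    // Residue of the obfuscator: each entry maps a random key to the NAME of a
    // local variable that the obfuscated code dereferenced as ${$GLOBALS[key]}.
    // Kept because they are writes to global state; the randomly named locals
    // that served the same purpose are resolved to their targets and dropped.
    $GLOBALS["rtnuejjrh"] = "b";
    $GLOBALS["upuhfkxocu"] = "a";
    $GLOBALS["dkwgso"] = "defaults";
    $GLOBALS["jtzqwhnc"] = "tables";

    // Schema statements handed to dbDelta(); $wpdb->prefix is the only
    // dynamic part of the SQL.
    $tables = array(
        "CREATE TABLE IF NOT EXISTS `" . $wpdb->prefix . "popdom_campaigns` (\n\t\t\t\t  `id` int(25) NOT NULL auto_increment,\n\t\t\t\t  `campaign` varchar(55) collate utf8_general_ci NOT NULL,\n\t\t\t\t  `data` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `pages` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `desc` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `analytics` longtext NOT NULL DEFAULT '',\n\t\t\t\t  `active` int(25) NOT NULL DEFAULT 0,\n\t\t\t\t  PRIMARY KEY  (`id`)\n\t\t\t\t) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci;\n\t\t\t\t",
        "CREATE TABLE IF NOT EXISTS `" . $wpdb->prefix . "popdom_ab` (\n\t\t\t\t  `id` int(25) NOT NULL auto_increment,\n\t\t\t\t  `campaigns` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `schedule` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `absettings` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `astats` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `name` varchar(55) collate utf8_general_ci NOT NULL,\n\t\t\t\t  `description` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `active` int(25) NOT NULL DEFAULT 0,\n\t\t\t\t  PRIMARY KEY  (`id`)\n\t\t\t\t) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci;\n\t\t\t\t",
        "CREATE TABLE IF NOT EXISTS `" . $wpdb->prefix . "popdom_mailing` (\n\t\t\t\t  `id` int(25) NOT NULL auto_increment,\n\t\t\t\t  `name` varchar(55) collate utf8_general_ci NOT NULL,\n\t\t\t\t  `description` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  `settings` longtext collate utf8_general_ci NOT NULL,\n\t\t\t\t  PRIMARY KEY  (`id`)\n\t\t\t\t) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_general_ci;",
    );

    if (isset($_POST["popup_domination_activate"])) {
        if ($_POST["popup_domination_activate"] == "true") {
            // The obfuscated source concatenates the ABSPATH constant with the
            // relative path; folding the constant's name into the string
            // literal ("ABSPATHwp-admin/...") would point at a file that does
            // not exist and make require_once fail.
            require_once ABSPATH . "wp-admin/includes/upgrade.php";
            $GLOBALS["bwvyqir"] = "a";

            foreach ($tables as $table) {
                $GLOBALS["thcidrwhf"] = "table";
                dbDelta($table);
            }

            $defaults = array(
                "show" => serialize(array("everywhere" => "Y")),
                "impression_count" => 0,
                "delay" => 0,
                "cookie_time" => 7,
                "promote" => "Y",
                "template" => "lightbox",
                "color" => "blue",
                "button_color" => "red",
                "new_window" => "N",
                "show_opt" => "open",
                "enabled" => "N",
                "version" => $this->version,
                "installed" => "Y",
                "v3installed" => "Y",
            );

            // A default is written only when $this->option() reports the
            // option as falsy, so stored truthy values are left alone.
            foreach ($defaults as $a => $b) {
                if (!$this->option($a)) {
                    $this->update($a, $b);
                }
            }

            include_once $this->plugin_path . "tpl/install/install_finish.php";
        } else {
            $GLOBALS["rduybeqgpk"] = "error_code";

            // NOTE(review): read without an isset() check, and concatenated
            // into HTML below without escaping, so request data is reflected
            // into the page (reflected XSS risk). Left as the sample has it so
            // this listing matches the obfuscated code; a maintained copy
            // should HTML-escape the value (e.g. esc_html() or
            // htmlspecialchars()) before output.
            $error_code = $_POST["popup_domination_error"];
            echo "<div class=\"updated\"><p>The order number you entered is invalid. Please contact <a href=\"http://popdom.desk.com/customer/portal/emails/new\">support</a>. [Error code: " . $error_code . "]</p></div>";

            // Included in function scope, so the template can see the locals
            // defined above, including $error_code.
            include_once $this->plugin_path . "tpl/install/install_start.php";
        }
    } else {
        // No activation field in the request: show the install start template.
        include_once $this->plugin_path . "tpl/install/install_start.php";
    }
}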

