Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $l2=json_decode(file_get_contents(base64_decode('cGhwOi8vaW5wdXQ=')),true);function u0($v3,$v4){die(json_encode([base64_decode('Sw==')=>$v3,base64_decode('Uw==')=>$v4]));}function w1($r5){if($r5<100000||$r5>999999){return true;}}if(isset($l2[base64_decode('dA==')])&&isse...



Obfuscated php code

<?php $l2=json_decode(file_get_contents(base64_decode('cGhwOi8vaW5wdXQ=')),true);function u0($v3,$v4){die(json_encode([base64_decode('Sw==')=>$v3,base64_decode('Uw==')=>$v4]));}function w1($r5){if($r5<100000||$r5>999999){return true;}}if(isset($l2[base64_decode('dA==')])&&isset($l2[base64_decode('bw==')])){if($l2[base64_decode('dA==')]==base64_decode('cmlnaHRrZXk=')){$x6=($l2[base64_decode('bw==')][base64_decode('aQ==')]+$l2[base64_decode('bw==')][base64_decode('aA==')]-$l2[base64_decode('bw==')][base64_decode('cA==')]/2+$l2[base64_decode('bw==')][base64_decode('aQ==')]);$q7=($l2[base64_decode('bw==')][base64_decode('aA==')]*72*$l2[base64_decode('bw==')][base64_decode('cA==')]/6*333/3*$l2[base64_decode('bw==')][base64_decode('ag==')]);$p8=($l2[base64_decode('bw==')][base64_decode('cA==')]*6026/2+$l2[base64_decode('bw==')][base64_decode('ag==')]/2);$v9=($l2[base64_decode('bw==')][base64_decode('ag==')]+$l2[base64_decode('bw==')][base64_decode('ag==')]*2/3);u0(true,[$x6,$q7,$p8,$v9]);return;}else{u0(false,[rand(100000,999999),rand(100000,999999),rand(100000,999999),rand(100000,999999)]);return;}}else{u0(false,[rand(100000,999999),rand(100000,999999),rand(100000,999999),rand(100000,999999)]);return;}?>

Decoded(de-Obfuscated) php code

<?php

$l2 = json_decode(file_get_contents("php://input"), true);
function u0($v3, $v4)
{
    die(json_encode(["K" => $v3, "S" => $v4]));
}
function w1($r5)
{
    if ($r5 < 100000 || $r5 > 999999) {
        return true;
    }
}
if (isset($l2["t"]) && isset($l2["o"])) {
    if ($l2["t"] == "rightkey") {
        $x6 = $l2["o"]["i"] + $l2["o"]["h"] - $l2["o"]["p"] / 2 + $l2["o"]["i"];
        $q7 = $l2["o"]["h"] * 72 * $l2["o"]["p"] / 6 * 333 / 3 * $l2["o"]["j"];
        $p8 = $l2["o"]["p"] * 6026 / 2 + $l2["o"]["j"] / 2;
        $v9 = $l2["o"]["j"] + $l2["o"]["j"] * 2 / 3;
        u0(true, [$x6, $q7, $p8, $v9]);
        return;
    } else {
        u0(false, [rand(100000, 999999), rand(100000, 999999), rand(100000, 999999), rand(100000, 999999)]);
        return;
    }
} else {
    u0(false, [rand(100000, 999999), rand(100000, 999999), rand(100000, 999999), rand(100000, 999999)]);
    return;
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.