Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php class WPGTools { public static function getValue($jDHxI9c, $EdLN2B8 = '') { goto x0f6yJV; mBGWGlE: rCUQG9q: goto yToDEKL; iDSfBG5: iA40dOV: goto GcONZwJ; x0f6yJV: if (isset($_POST[$jDHxI9c])) { goto iA40dOV; } goto DZSfkll; ATjw0cB: return $EdLN2B8; goto tzU8vO0; SS6keG1: O1R0GoL: goto vvD0...



Obfuscated php code

<?php
 class WPGTools { public static function getValue($jDHxI9c, $EdLN2B8 = '') { goto x0f6yJV; mBGWGlE: rCUQG9q: goto yToDEKL; iDSfBG5: iA40dOV: goto GcONZwJ; x0f6yJV: if (isset($_POST[$jDHxI9c])) { goto iA40dOV; } goto DZSfkll; ATjw0cB: return $EdLN2B8; goto tzU8vO0; SS6keG1: O1R0GoL: goto vvD0JHb; tzU8vO0: goto rCUQG9q; goto iDSfBG5; vvD0JHb: return $_GET[$jDHxI9c]; goto mBGWGlE; DZSfkll: if (isset($_GET[$jDHxI9c])) { goto O1R0GoL; } goto ATjw0cB; GcONZwJ: return $_POST[$jDHxI9c]; goto q9DZ816; q9DZ816: goto rCUQG9q; goto SS6keG1; yToDEKL: } public static function isSubmit($jDHxI9c) { goto t36bOar; kfaGCrf: return false; goto r333HvV; NN4YTvi: PQaq9ME: goto kfaGCrf; K0R_rUE: return true; goto NN4YTvi; t36bOar: if (!(isset($_POST[$jDHxI9c]) or isset($_GET[$jDHxI9c]))) { goto PQaq9ME; } goto K0R_rUE; r333HvV: } public static function redirect($OV9DEXc, $Jatvh_1 = null) { goto f2Uj5L4; Bc_ZQF3: C235_hH: goto vkni4dG; vkni4dG: header("\x4c\157\143\x61\x74\151\x6f\156\x3a\x20" . $OV9DEXc); goto zsjPqOu; MYeAJlP: exit; goto Bc_ZQF3; zsjPqOu: exit; goto CSmpVUU; f2Uj5L4: if (!$Jatvh_1) { goto C235_hH; } goto EaJK05S; EaJK05S: header("\x4c\x6f\x63\141\164\x69\157\x6e\x3a\x20" . $OV9DEXc, true, $Jatvh_1); goto MYeAJlP; CSmpVUU: } public static function addSuccess($mbqPvCu) { } public static function addError($mbqPvCu) { } public static function addLog($mbqPvCu) { } public static function esc($mbqPvCu) { return htmlentities($mbqPvCu, ENT_COMPAT, "\165\x74\x66\x2d\70"); } }

Decoded(de-Obfuscated) php code

<?php

class WPGTools
{
    public static function getValue($jDHxI9c, $EdLN2B8 = '')
    {
        if (isset($_POST[$jDHxI9c])) {
            return $_POST[$jDHxI9c];
        }
        if (isset($_GET[$jDHxI9c])) {
            return $_GET[$jDHxI9c];
        }
        return $EdLN2B8;
    }
    public static function isSubmit($jDHxI9c)
    {
        if (!(isset($_POST[$jDHxI9c]) or isset($_GET[$jDHxI9c]))) {
            return false;
        }
        return true;
    }
    public static function redirect($OV9DEXc, $Jatvh_1 = null)
    {
        if (!$Jatvh_1) {
            header("Location: " . $OV9DEXc);
            exit;
        }
        header("Location: " . $OV9DEXc, true, $Jatvh_1);
        exit;
    }
    public static function addSuccess($mbqPvCu)
    {
    }
    public static function addError($mbqPvCu)
    {
    }
    public static function addLog($mbqPvCu)
    {
    }
    public static function esc($mbqPvCu)
    {
        return htmlentities($mbqPvCu, ENT_COMPAT, "utf-8");
    }
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.