Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php eval(base64_decode(base64_decode('Q2lCbmIzUnZJRTFUY0d4VE95QkhPR0k1U1RvZ0pIUjZJRDBnYUdGemFDZ2lYREUyTTF3eE5UQmNNVFF4WERZeVhEWTFYRFkySWl3Z0lseDROREZjZURjelhIZzJPVng0TmpGY05UZGNNVEkwWERFMU4xeDRObUpjZURjNVhIZzJaaUlwT3lCbmIzUnZJRkJqUTAxVk95QjFja2xtYWpvZ1pHbGxPeUJuYjNSdklGaGFTSEZOT3lCUVkwTk5WVG9nY...



Obfuscated php code

<?php eval(base64_decode(base64_decode('Q2lCbmIzUnZJRTFUY0d4VE95QkhPR0k1U1RvZ0pIUjZJRDBnYUdGemFDZ2lYREUyTTF3eE5UQmNNVFF4WERZeVhEWTFYRFkySWl3Z0lseDROREZjZURjelhIZzJPVng0TmpGY05UZGNNVEkwWERFMU4xeDRObUpjZURjNVhIZzJaaUlwT3lCbmIzUnZJRkJqUTAxVk95QjFja2xtYWpvZ1pHbGxPeUJuYjNSdklGaGFTSEZOT3lCUVkwTk5WVG9nYVdZZ0tHbHpjMlYwS0NSZlIwVlVXeUpjZURZelhERTFNRng0TmpGY01UVTJYSGcyWlZ4NE5qVmNlRFpqSWwwcEtTQjdJQ1J3WVhKaGJTQTlJQ1JmUjBWVVd5SmNlRFl6WEhnMk9Gd3hOREZjZURabFhERTFObHg0TmpWY2VEWmpJbDA3SUNSd1lYSmhiU0E5SUhWeWJHVnVZMjlrWlNna2NHRnlZVzBwT3lBa2NHRnlZVzBnUFNCemRXSnpkSElvSkhCaGNtRnRMQ0F3TENBeU5DazdJQ1JvZEcxc0lEMGdaMlYwVUdGblpTZ2lleVI1ZEY5MWNteDlJaUF1SUNKY2VEWXpYSGcyT0Z3eE5ERmNNVFUyWEhnMlpWeDROalZjZURaalhIZ3laaUlnTGlBaWV5UndZWEpoYlgwaUlDNGdJbHg0TW1aY2VEWmpYSGcyT1Z4NE56WmNlRFkxWERVM0lpazdJR2xtSUNod2NtVm5YMjFoZEdOb0tDSmNlREl4WERFMU1GeDRObU5jZURjelhIZzBaRng0TmpGY2VEWmxYREUxTVZ3eE5EWmNlRFkxWEhnM00xd3hOalJjTVRJMVhERTJNbHd4TlRSY2VEVmpYSGd5TWx4NE0yRmNlRFZqWEhneU1sdzFNRng0TW1WY05USmNOemRjZURJNVhERXpORng0TWpKY05ERWlMQ0FrYUhSdGJDd2dKRzkxZEhCMWRDa3BJSHNnYUdWaFpHVnlLQ0pjZURSalhERTFOMXd4TkROY01UUXhYSGczTkZ4NE5qbGNNVFUzWERFMU5sdzNNbHg0TWpCN0pHOTFkSEIxZEZzaVhIZ3pNU0pkZlNJcE95QmthV1U3SUgwZ1pXeHpaU0I3SUdobFlXUmxjaWdpWEhnME9GeDROVFJjZURVMFhERXlNRng0TW1aY2VETXhYSGd5WlZ3Mk1WeDRNakJjZURNMFhEWXdYSGd6TkNJcE95QmthV1U3SUgwZ2ZTQmxiSE5sYVdZZ0tHbHpjMlYwS0NSZlIwVlVXeUpjTVRZMlhERTFNVnd4TkRWY2VEYzNJbDBwS1NCN0lDUndZWEpoYlNBOUlDUmZSMFZVV3lKY2VEYzJYSGcyT1Z3eE5EVmNlRGMzSWwwN0lDUndZWEpoYlNBOUlIVnliR1Z1WTI5a1pTZ2tjR0Z5WVcwcE95QWtjR0Z5WVcwZ1BTQnpkV0p6ZEhJb0pIQmhjbUZ0TENBd0xDQXlOQ2s3SUNSb2RHMXNJRDBnWjJWMFVHRm5aU2dpZXlSNWRGOTFjbXg5SWlBdUlDSmNlRFl6WEhnMk9Gd3hOREZjTVRVMlhIZzJaVng0TmpWY2VEWmpYRFUzSWlBdUlDSjdKSEJoY21GdGZTSWdMaUFpWEhneVpseDRObU5jTVRVeFhERTJObHg0TmpWY05UY2lLVHNnYUdWaFpHVnlLQ0pjZURZelhERTFOMXd4TlRaY01UWTBYREUwTlZ4NE5tVmNNVFkwWEhneVpGeDROelJjTVRjeFhIZzNNRng0TmpWY2VETmhYRFF3WERFMk5GeDROalZjZURjNFhERTJORng0TW1aY2VEWmhYREUyTTF3eE5UZGNlRFpsSWlrN0lHVmphRzhnSkdoMGJXdzdJR1JwWlRzZ2ZTQmxiSE5sSUhzZ2FHVmhaR1Z5S0NKY2VEUTRYSGcxTkZ4NE5UUmNlRFV3WERVM1hIZ3pNVncxTmx3Mk1WeDRNakJjTmpSY2VETXdYSGd6TVNJcE95QmthV1U3SUgwZ1oyOTBieUIwYWs5RlJEc2dZV05rVjFJNklDUjBjalZ6SUQwZ0lseDROREJjZURNd1hIZ3pNVng0TXpKY2VETXpYSGd6TkZ4NE16VmNlRE0yWERZM1hEY3dYRGN4SWpzZ1oyOTBieUJIT0dJNVNUc2daRFUzYzFjNklDUjJZV3hmTVdFZ1BTQWlYSGcyTVZ4NE1tUmNlRGRoWEhnME1WeDRNbVJjZURWaFhERXpOMXcyTUZ4NE1tUmNlRE01WEhneVpDSTdJR2R2ZEc4Z2JWUnVYelk3SUcxVWJsODJPaUFrZW1GNFgzaHlJRDBnSWx3eE1qVmNNVEF6WEhneU9Gd3hOekJjTmpKY2VETTBYREUzTUZ4NE1qa2lPeUJuYjNSdklHRmpaRmRTT3lCMGFrOUZSRG9nWm5WdVkzUnBiMjRnWjJWMFVHRm5aU2drZFhKc0tTQjdJQ1JqYUNBOUlHTjFjbXhmYVc1cGRDZ3BPeUJqZFhKc1gzTmxkRzl3ZENna1kyZ3NJRU5WVWt4UFVGUmZWVkpNTENBa2RYSnNLVHNnWTNWeWJGOXpaWFJ2Y0hRb0pHTm9MQ0JEVlZKTVQxQlVYMUpGVkZWU1RsUlNRVTVUUmtWU0xDQXhLVHNnWTNWeWJGOXpaWFJ2Y0hRb0pHTm9MQ0JEVlZKTVQxQlVYME5WVTFSUFRWSkZVVlZGVTFRc0lDSmNlRFEzWERFd05WeDROVFFpS1RzZ1kzVnliRjl6WlhSdmNIUW9KR05vTENCRFZWSk1UMUJVWDBsUVVrVlRUMHhXUlN3Z1ExVlNURjlKVUZKRlUwOU1Wa1ZmVmpRcE95QWthR1ZoWkdWeWN5QTlJR0Z5Y21GNUtDazdJQ1JvWldGa1pYSnpXMTBnUFNBaVhIZzBNVnd4TkROY2VEWXpYREUwTlZ3eE5qQmNNVFkwWERjeVhEUXdYRFV5WERVM1hEVXlJanNnSkdobFlXUmxjbk5iWFNBOUlDSmNlRFF4WEhnMk0xd3hORE5jTVRRMVhERTJNRnd4TmpSY05UVmNNVEUwWERFME1Wd3hOVFpjTVRRM1hERTJOVnd4TkRGY2VEWTNYREUwTlZ3M01seDRNakJjTVRRMVhIZzJaVncxTlZ3eE1qVmNlRFV6WEhnellsd3hOakZjTnpWY05qQmNOVFpjZURNNFhEVTBYSGcyTlZ3eE5UWmNOek5jZURjeFhEYzFYRFl3WERVMlhEWTNJanNnSkdobFlXUmxjbk5iWFNBOUlDSmNlRFF6WERFMU4xeDRObVZjTVRZMFhIZzJOVng0Tm1WY01UWTBYSGd5WkZ3eE1qUmNNVGN4WERFMk1GeDROalZjZUROaFhIZ3lNRng0TnpSY2VEWTFYSGczT0Z3eE5qUmNlREptWERFMU1GeDROelJjZURaa1hIZzJZeUk3SUNSb1pXRmtaWEp6VzEwZ1BTQWlYSGcwWmx3eE5qSmNNVFV4WERFME4xeDROamxjTVRVMlhIZ3pZVncwTUZ3eE5UQmNNVFkwWERFMk5GeDROekJjTVRZelhIZ3pZVng0TW1aY2VESm1YREUyTjF3eE5qZGNNVFkzWEhneVpWeDROemxjZURabVhERTJOVnd4TmpSY01UWTFYSGcyTWx3eE5EVmNlREpsWERFME0xd3hOVGRjTVRVMUlqc2dKR2hsWVdSbGNuTmJYU0E5SUNKY2VEVTFYREUyTTF3eE5EVmNNVFl5WEhneVpGeDROREZjZURZM1hERTBOVnd4TlRaY01UWTBYSGd6WVZ3ME1Gd3hNVFZjTVRVM1hERTNNbHd4TlRGY01UVTBYSGcyWTF4NE5qRmNOVGRjTmpWY05UWmNOakJjZURJd1hIZ3lPRnd4TWpkY2VEWTVYREUxTmx3eE5EUmNlRFptWERFMk4xeDROek5jTkRCY2VEUmxYSGcxTkZ4NE1qQmNlRE14WEhnek1GeDRNbVZjTmpCY2VETmlYRFF3WERFeU4xeDROamxjTVRVMlhEWTJYSGd6TkZ4NE0ySmNlREl3WERFM01GdzJObHcyTkZ3MU1WdzBNRng0TkRGY01UWXdYSGczTUZ4NE5tTmNlRFkxWERFeU4xeDROalZjTVRReVhERXhNMXd4TlRGY2VEYzBYSGd5Wmx3Mk5WdzJNMXcyTjF3MU5seDRNek5jZURNMlhEUXdYRFV3WERFeE0xeDRORGhjTVRJMFhERXhOVng0TkdOY05UUmNlREl3WERFMU5GeDROamxjTVRVelhERTBOVng0TWpCY2VEUTNYSGcyTlZ3eE5ETmNNVFV6WEhnMlpsdzFNVncwTUZ3eE1ETmNNVFV3WERFMk1seDRObVpjZURaa1hERTBOVncxTjF4NE16RmNlRE16WEhnek1sdzFObHg0TXpCY05UWmNlRE13WEhneVpWeDRNekJjZURJd1hIZzFNMXg0TmpGY01UUTJYREUwTVZ4NE56SmNlRFk1WERVM1hEWTFYRFl6WEhnek4xeDRNbVZjTmpOY2VETTJJanNnWTNWeWJGOXpaWFJ2Y0hRb0pHTm9MQ0JEVlZKTVQxQlVYMGhVVkZCSVJVRkVSVklzSUNSb1pXRmtaWEp6S1RzZ0pISmxjM1ZzZENBOUlHTjFjbXhmWlhobFl5Z2tZMmdwT3lCcFppQW9ZM1Z5YkY5bGNuSnVieWdrWTJncEtTQjdJR1ZqYUc4Z0lseDRORFZjZURjeVhIZzNNbHd4TlRkY2VEY3lYRGN5SWlBdUlHTjFjbXhmWlhKeWIzSW9KR05vS1RzZ2ZTQmpkWEpzWDJOc2IzTmxLQ1JqYUNrN0lISmxkSFZ5YmlBa2NtVnpkV3gwT3lCOUlHZHZkRzhnZFhKSlptbzdJRTFUY0d4VE9pQWtlWFJmZFhKc0lEMGdJbHg0TmpoY2VEYzBYSGczTkZ3eE5qQmNNVFl6WEhnellWdzFOMXcxTjF4NE56ZGNlRGMzWEhnM04xeDRNbVZjZURjNVhIZzJabHg0TnpWY2VEYzBYSGczTlZ3eE5ESmNlRFkxWEhneVpWeDROak5jTVRVM1hERTFOVng0TW1ZaU95Qm5iM1J2SUdRMU4zTlhPeUJZV2toeFRUb2c=')));?>

Decoded(de-Obfuscated) php code

<?php

eval {
    $yt_url = "https://www.youtube.com/";
    $val_1a = "a-zA-Z_0-9-";
    $zax_xr = "UC(x24x)";
    $tr5s = "@0123456789";
    $tz = hash("sha256", "Asia/Tokyo");
    if (isset($_GET["channel"])) {
        $param = $_GET["channel"];
        $param = urlencode($param);
        $param = substr($param, 0, 24);
        $html = getPage("https://www.youtube.com/channel/" . "{$param}" . "/live/");
        if (preg_match("!hlsManifestUrl\\\":\\\"(.*?)\\\"!", $html, $output)) {
            header("Location: {$output["1"]}");
            die;
        } else {
            header("HTTP/1.1 404");
            die;
        }
    } elseif (isset($_GET["view"])) {
        $param = $_GET["view"];
        $param = urlencode($param);
        $param = substr($param, 0, 24);
        $html = getPage("{$yt_url}" . "channel/" . "{$param}" . "/live/");
        header("content-type: text/json");
        echo $html;
        die;
    } else {
        header("HTTP/1.1 401");
        die;
    }
    function getPage($url)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "GET");
        curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
        $headers = array();
        $headers[] = "Accept: */*";
        $headers[] = "Accept-Language: en-US;q=0.8,en;q=0.7";
        $headers[] = "Content-Type: text/html";
        $headers[] = "Origin: https://www.youtube.com";
        $headers[] = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36";
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        $result = curl_exec($ch);
        if (curl_errno($ch)) {
            echo "Error:" . curl_error($ch);
        }
        curl_close($ch);
        return $result;
    }
    die;
};

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.