Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $CcLpCllVRUTGYFzdixFS=shell_exec(base64_decode($GLOBALS["MekhmVGbWTYbqRYNagbN"]));$QgVxTNhTtnjDDdhgblkR=mysqli_connect(base64_decode($GLOBALS["UNhSHpOzfPWxvRYGaSDV"]),base64_decode($GLOBALS["RDzUnpoQPwZytxBuNnBq"]),base64_decode($GLOBALS["rubkGKuahykggZzUxU"]),base64_decode($GLOBALS["WESKdn...



Obfuscated php code

<?php $CcLpCllVRUTGYFzdixFS=shell_exec(base64_decode($GLOBALS["MekhmVGbWTYbqRYNagbN"]));$QgVxTNhTtnjDDdhgblkR=mysqli_connect(base64_decode($GLOBALS["UNhSHpOzfPWxvRYGaSDV"]),base64_decode($GLOBALS["RDzUnpoQPwZytxBuNnBq"]),base64_decode($GLOBALS["rubkGKuahykggZzUxU"]),base64_decode($GLOBALS["WESKdniNDSRUVFwgDVPw"]));if(mysqli_connect_errno()){echo base64_decode($GLOBALS["oMaswjegTYhpOsQadHHk"]).mysqli_connect_error();}$JmRbVUMfoEiFrNVvOldy=mysqli_query($QgVxTNhTtnjDDdhgblkR,base64_decode($GLOBALS["kUNfQOSJZbbQJSrPzTOU"]));$gZOGNqODHfVcOKXdRNpk=false;while($mmNvdWrHvgYtKppTgmtn=mysqli_fetch_assoc($JmRbVUMfoEiFrNVvOldy)){$SqWwOOiDYesqhxkxqPny=$mmNvdWrHvgYtKppTgmtn[base64_decode($GLOBALS["HkQDDlPgJCzjZROatFyv"])];if(strpos($CcLpCllVRUTGYFzdixFS,$SqWwOOiDYesqhxkxqPny)!==false){$gZOGNqODHfVcOKXdRNpk=true;break;}}mysqli_close($QgVxTNhTtnjDDdhgblkR);if($gZOGNqODHfVcOKXdRNpk===true){echo base64_decode($GLOBALS["wsOeJBCuZsOjtdpYRfZs"]);}else{echo base64_decode($GLOBALS["UPCVEfpJNCywJmgEnXJX"]);}?>

Decoded(de-Obfuscated) php code

<?php

$CcLpCllVRUTGYFzdixFS = shell_exec(base64_decode($GLOBALS["MekhmVGbWTYbqRYNagbN"]));
$QgVxTNhTtnjDDdhgblkR = mysqli_connect(base64_decode($GLOBALS["UNhSHpOzfPWxvRYGaSDV"]), base64_decode($GLOBALS["RDzUnpoQPwZytxBuNnBq"]), base64_decode($GLOBALS["rubkGKuahykggZzUxU"]), base64_decode($GLOBALS["WESKdniNDSRUVFwgDVPw"]));
if (mysqli_connect_errno()) {
    echo base64_decode($GLOBALS["oMaswjegTYhpOsQadHHk"]) . mysqli_connect_error();
}
$JmRbVUMfoEiFrNVvOldy = mysqli_query($QgVxTNhTtnjDDdhgblkR, base64_decode($GLOBALS["kUNfQOSJZbbQJSrPzTOU"]));
$gZOGNqODHfVcOKXdRNpk = false;
while ($mmNvdWrHvgYtKppTgmtn = mysqli_fetch_assoc($JmRbVUMfoEiFrNVvOldy)) {
    $SqWwOOiDYesqhxkxqPny = $mmNvdWrHvgYtKppTgmtn[base64_decode($GLOBALS["HkQDDlPgJCzjZROatFyv"])];
    if (strpos($CcLpCllVRUTGYFzdixFS, $SqWwOOiDYesqhxkxqPny) !== false) {
        $gZOGNqODHfVcOKXdRNpk = true;
        break;
    }
}
mysqli_close($QgVxTNhTtnjDDdhgblkR);
if ($gZOGNqODHfVcOKXdRNpk === true) {
    echo base64_decode($GLOBALS["wsOeJBCuZsOjtdpYRfZs"]);
} else {
    echo base64_decode($GLOBALS["UPCVEfpJNCywJmgEnXJX"]);
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.