Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php include 'Assertion.php'; class SAML2SPResponse { private $assertions; private $destination; private $certificates; private $signatureData; public function __construct(DOMElement $l3 = NULL, $NI) { $this->assertions = array(); $this->certificates = array(); if (!($l3 === NULL)) { goto ...



Obfuscated php code

<?php


include 'Assertion.php';
class SAML2SPResponse
{
    private $assertions;
    private $destination;
    private $certificates;
    private $signatureData;
    public function __construct(DOMElement $l3 = NULL, $NI)
    {
        $this->assertions = array();
        $this->certificates = array();
        if (!($l3 === NULL)) {
            goto PT1;
        }
        return;
        PT1:
        $rl = SAMLSPUtilities::validateElement($l3);
        if (!($rl !== FALSE)) {
            goto GoF;
        }
        $this->certificates = $rl["\x43\x65\x72\164\x69\146\151\143\x61\x74\145\x73"];
        $this->signatureData = $rl;
        GoF:
        if (!$l3->hasAttribute("\x44\145\163\x74\x69\156\x61\x74\x69\157\x6e")) {
            goto x58;
        }
        $this->destination = $l3->getAttribute("\x44\145\163\x74\x69\156\x61\x74\x69\157\156");
        x58:
        $Kp = $l3->firstChild;
        pkH:
        if (!($Kp !== NULL)) {
            goto qlO;
        }
        if (!($Kp->namespaceURI !== "\x75\x72\156\x3a\x6f\141\163\151\163\72\156\141\155\145\x73\72\x74\143\72\x53\101\x4d\x4c\x3a\x32\56\60\x3a\x61\x73\x73\145\162\164\151\x6f\156")) {
            goto lCJ;
        }
        goto QxD;
        lCJ:
        if (!($Kp->localName === "\x41\x73\163\145\162\164\151\x6f\156" || $Kp->localName === "\105\x6e\143\x72\x79\160\164\145\x64\x41\163\x73\145\162\x74\x69\x6f\x6e")) {
            goto scq;
        }
        $this->assertions[] = new SAML2SPAssertion($Kp, $NI);
        scq:
        QxD:
        $Kp = $Kp->nextSibling;
        goto pkH;
        qlO:
    }
    public function getAssertions()
    {
        return $this->assertions;
    }
    public function setAssertions(array $bK)
    {
        $this->assertions = $bK;
    }
    public function getDestination()
    {
        return $this->destination;
    }
    public function getCertificates()
    {
        return $this->certificates;
    }
    public function getSignatureData()
    {
        return $this->signatureData;
    }
}

Decoded(de-Obfuscated) php code

<?php

include 'Assertion.php';
class SAML2SPResponse
{
    private $assertions;
    private $destination;
    private $certificates;
    private $signatureData;
    public function __construct(DOMElement $l3 = NULL, $NI)
    {
        $this->assertions = array();
        $this->certificates = array();
        if (!($l3 === NULL)) {
            $rl = SAMLSPUtilities::validateElement($l3);
            if (!($rl !== FALSE)) {
                goto GoF;
            }
            $this->certificates = $rl["Certificates"];
            $this->signatureData = $rl;
            GoF:
            if (!$l3->hasAttribute("Destination")) {
                goto x58;
            }
            $this->destination = $l3->getAttribute("Destination");
            x58:
            $Kp = $l3->firstChild;
            pkH:
            if (!($Kp !== NULL)) {
                // [PHPDeobfuscator] Implied return
                return;
            }
            if (!($Kp->namespaceURI !== "urn:oasis:names:tc:SAML:2.0:assertion")) {
                if (!($Kp->localName === "Assertion" || $Kp->localName === "EncryptedAssertion")) {
                    goto scq;
                }
                $this->assertions[] = new SAML2SPAssertion($Kp, $NI);
                // [PHPDeobfuscator] Implied goto
                goto scq;
            }
            scq:
            $Kp = $Kp->nextSibling;
            goto pkH;
        }
        return;
    }
    public function getAssertions()
    {
        return $this->assertions;
    }
    public function setAssertions(array $bK)
    {
        $this->assertions = $bK;
    }
    public function getDestination()
    {
        return $this->destination;
    }
    public function getCertificates()
    {
        return $this->certificates;
    }
    public function getSignatureData()
    {
        return $this->signatureData;
    }
}


Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.