Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php /* __________________________________________________ | Built by Clearly IP Inc. | | on 2023-01-02 21:42:57 | |__________________________________________________| */ namespace FreePBX\modules\Clearlysp\CIP\Controllers\v1; use FreePBX\modules\Clearlysp\CIP\Controllers\Base; class VPN extends...



Obfuscated php code

<?php
/*   __________________________________________________
    |  Built by Clearly IP Inc.                        |
    |              on 2023-01-02 21:42:57              |
    |__________________________________________________|
*/
 namespace FreePBX\modules\Clearlysp\CIP\Controllers\v1; use FreePBX\modules\Clearlysp\CIP\Controllers\Base; class VPN extends Base { public static function getVPNStartupUrl($xml, $apiUrl, $token) { return $xml->createElement("\166\160\156\x53\164\x61\162\x74\165\x70\x55\x72\154", $apiUrl . "\57\x73\x74\x61\162\x74\x75\x70\x2f\45\141\143\143\x6f\165\x6e\x74\133\143\154\157\165\x64\137\165\x73\x65\x72\156\x61\155\x65\135\x25\x3f\164\x6f\x6b\145\x6e\75" . $token); } public function vpnStartUpUrl($request, $response, $args) { goto p7IrU; DxMuU: LUq47: goto smvNZ; iZJw6: $body["\151\x70"] = $headers["\x58\55\103\x49\120\x2d\x52\105\115\x4f\x54\x45\55\101\104\x44\x52"]; goto Fe1Hh; iawou: $hidden[$ip] = $netName; goto BduEf; p7IrU: if (\FreePBX::Modules()->checkStatus("\146\x69\x72\x65\x77\x61\154\154")) { goto tEgdh; } goto W0iDD; PU_zo: $body = $request->getParsedBody(); goto Bbtkw; L4x__: JTgXk: goto NJ3mQ; P4lsY: $headers = getallheaders(); goto t7Rye; LuJfg: $ip = $body["\151\x70"]; goto NC21M; EUv2Q: $netName = base64_encode("\143\x6c\x65\x61\162\x6c\x79\x61\x6e\171\x77\x68\x65\162\x65") . "\55" . time() . "\55" . $username; goto vzyIa; smvNZ: if (!(!isset($body["\151\160"]) || empty($body["\151\x70"]))) { goto AAAC9; } goto hcbbb; uw6xo: $hidden = \FreePBX::Firewall()->getConfig("\150\151\144\144\x65\x6e\156\x65\164\x73"); goto iawou; hcbbb: return $response->withStatus(403); goto nxagU; Ltuot: \FreePBX::Firewall()->setConfig("\150\x69\x64\x64\x65\x6e\156\x65\164\163", $hidden); goto KrW7A; fnr1T: $body["\x69\x70"] = str_replace("\72\72\x66\146\x66\x66\72", '', $body["\151\160"]); goto L4x__; KrW7A: return $response->withStatus(200); goto uUN1N; SfX1W: tEgdh: goto PU_zo; gGETX: $username = explode("\174", $user)[0]; goto EUv2Q; t7Rye: if (empty($headers["\130\x2d\x43\x49\120\x2d\122\x45\x4d\x4f\x54\x45\55\x41\x44\104\x52"])) { goto zRS5o; } goto iZJw6; Fe1Hh: if (!(strpos($body["\x69\x70"], "\x3a\72\x66\146\146\x66\72") === 0)) { goto JTgXk; } goto fnr1T; W0iDD: dbug("\106\151\x72\x65\167\x61\x6c\154\40\x6e\x6f\164\40\146\157\x75\156\x64\x2c\40\x6e\157\x74\40\141\144\x64\x69\156\147\x20\165\163\145\x72\x20\x74\157\40\146\x69\x72\x65\167\141\x6c\154"); goto wZZif; NC21M: $b64User = $args["\165\163\145\x72"]; goto gNUwS; gNUwS: $user = base64_decode($b64User); goto gGETX; BduEf: \FreePBX::Firewall()->addHostToZone($ip, "\x69\156\x74\145\x72\156\x61\154", $netName); goto Ltuot; wZZif: return $response->withStatus(200); goto SfX1W; NJ3mQ: zRS5o: goto DxMuU; Bbtkw: if (!$request->isGet()) { goto LUq47; } goto P4lsY; vzyIa: dbug(sprintf("\x41\x64\x64\x69\x6e\147\40\x25\163\x20\164\x6f\x20\x74\150\145\x20\162\x65\x73\x70\x6f\156\163\151\x76\x65\x20\146\151\x72\x65\x77\x61\x6c\154\40\141\163\x20\45\x73\40\146\x6f\x72\x20\45\x73", $ip, $netName, $username)); goto uw6xo; nxagU: AAAC9: goto LuJfg; uUN1N: } }

Decoded(de-Obfuscated) php code

<?php

/*   __________________________________________________
    |  Built by Clearly IP Inc.                        |
    |              on 2023-01-02 21:42:57              |
    |__________________________________________________|
*/
namespace FreePBX\modules\Clearlysp\CIP\Controllers\v1;

use FreePBX\modules\Clearlysp\CIP\Controllers\Base;
class VPN extends Base
{
    public static function getVPNStartupUrl($xml, $apiUrl, $token)
    {
        return $xml->createElement("vpnStartupUrl", $apiUrl . "/startup/%account[cloud_username]%?token=" . $token);
    }
    public function vpnStartUpUrl($request, $response, $args)
    {
        if (\FreePBX::Modules()->checkStatus("firewall")) {
            $body = $request->getParsedBody();
            if (!$request->isGet()) {
                goto LUq47;
            }
            $headers = getallheaders();
            if (empty($headers["X-CIP-REMOTE-ADDR"])) {
                goto zRS5o;
            }
            $body["ip"] = $headers["X-CIP-REMOTE-ADDR"];
            if (!(strpos($body["ip"], "::ffff:") === 0)) {
                goto JTgXk;
            }
            $body["ip"] = str_replace("::ffff:", '', $body["ip"]);
            JTgXk:
            zRS5o:
            LUq47:
            if (!(!isset($body["ip"]) || empty($body["ip"]))) {
                $ip = $body["ip"];
                $b64User = $args["user"];
                $user = base64_decode($b64User);
                $username = explode("|", $user)[0];
                $netName = base64_encode("clearlyanywhere") . "-" . time() . "-" . $username;
                dbug(sprintf("Adding %s to the responsive firewall as %s for %s", $ip, $netName, $username));
                $hidden = \FreePBX::Firewall()->getConfig("hiddennets");
                $hidden[$ip] = $netName;
                \FreePBX::Firewall()->addHostToZone($ip, "internal", $netName);
                \FreePBX::Firewall()->setConfig("hiddennets", $hidden);
                return $response->withStatus(200);
            }
            return $response->withStatus(403);
        }
        dbug("Firewall not found, not adding user to firewall");
        return $response->withStatus(200);
    }
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.