Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php namespace PHPMailer\PHPMailer; use League\OAuth2\Client\Provider\Google; use Hayageek\OAuth2\Client\Provider\Yahoo; use Stevenmaguire\OAuth2\Client\Provider\Microsoft; if (!isset($_GET['code']) && !isset($_GET['provider'])) { ?> <html> <body>Select Provider:<br/>...



Obfuscated php code

<?php
 namespace PHPMailer\PHPMailer; use League\OAuth2\Client\Provider\Google; use Hayageek\OAuth2\Client\Provider\Yahoo; use Stevenmaguire\OAuth2\Client\Provider\Microsoft; if (!isset($_GET['code']) && !isset($_GET['provider'])) { ?>
<html>
<body>Select Provider:<br/>
<a href='?provider=Google'>Google</a><br/>
<a href='?provider=Yahoo'>Yahoo</a><br/>
<a href='?provider=Microsoft'>Microsoft/Outlook/Hotmail/Live/Office365</a><br/>
</body>
</html>
<?php
exit; } require 'vendor/autoload.php'; session_start(); $providerName = ''; if (array_key_exists('provider', $_GET)) { $providerName = $_GET['provider']; $_SESSION['provider'] = $providerName; } elseif (array_key_exists('provider', $_SESSION)) { $providerName = $_SESSION['provider']; } if (!in_array($providerName, ['Google', 'Microsoft', 'Yahoo'])) { exit('Only Google, Microsoft and Yahoo OAuth2 providers are currently supported in this script.'); } $clientId = 'RANDOMCHARS-----duv1n2.apps.googleusercontent.com'; $clientSecret = 'RANDOMCHARS-----lGyjPcRtvP'; $redirectUri = (isset($_SERVER['HTTPS']) ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; $params = [ 'clientId' => $clientId, 'clientSecret' => $clientSecret, 'redirectUri' => $redirectUri, 'accessType' => 'offline' ]; $options = []; $provider = null; switch ($providerName) { case 'Google': $provider = new Google($params); $options = [ 'scope' => [ 'https://mail.google.com/' ] ]; break; case 'Yahoo': $provider = new Yahoo($params); break; case 'Microsoft': $provider = new Microsoft($params); $options = [ 'scope' => [ 'wl.imap', 'wl.offline_access' ] ]; break; } if (null === $provider) { exit('Provider missing'); } if (!isset($_GET['code'])) { $authUrl = $provider->getAuthorizationUrl($options); $_SESSION['oauth2state'] = $provider->getState(); header('Location: ' . $authUrl); exit; } elseif (empty($_GET['state']) || ($_GET['state'] !== $_SESSION['oauth2state'])) { unset($_SESSION['oauth2state']); unset($_SESSION['provider']); exit('Invalid state'); } else { unset($_SESSION['provider']); $token = $provider->getAccessToken( 'authorization_code', [ 'code' => $_GET['code'] ] ); echo 'Refresh Token: ', $token->getRefreshToken(); }

Decoded(de-Obfuscated) php code

<?php

namespace PHPMailer\PHPMailer;

use League\OAuth2\Client\Provider\Google;
use Hayageek\OAuth2\Client\Provider\Yahoo;
use Stevenmaguire\OAuth2\Client\Provider\Microsoft;
if (!isset($_GET['code']) && !isset($_GET['provider'])) {
    ?>
<html>
<body>Select Provider:<br/>
<a href='?provider=Google'>Google</a><br/>
<a href='?provider=Yahoo'>Yahoo</a><br/>
<a href='?provider=Microsoft'>Microsoft/Outlook/Hotmail/Live/Office365</a><br/>
</body>
</html>
<?php 
    exit;
}
require 'vendor/autoload.php';
session_start();
$providerName = '';
if (array_key_exists('provider', $_GET)) {
    $providerName = $_GET['provider'];
    $_SESSION['provider'] = $providerName;
} elseif (array_key_exists('provider', $_SESSION)) {
    $providerName = $_SESSION['provider'];
}
if (!in_array($providerName, ['Google', 'Microsoft', 'Yahoo'])) {
    exit('Only Google, Microsoft and Yahoo OAuth2 providers are currently supported in this script.');
}
$clientId = 'RANDOMCHARS-----duv1n2.apps.googleusercontent.com';
$clientSecret = 'RANDOMCHARS-----lGyjPcRtvP';
$redirectUri = (isset($_SERVER['HTTPS']) ? 'https://' : 'http://') . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
$params = ['clientId' => $clientId, 'clientSecret' => $clientSecret, 'redirectUri' => $redirectUri, 'accessType' => 'offline'];
$options = [];
$provider = null;
switch ($providerName) {
    case 'Google':
        $provider = new Google($params);
        $options = ['scope' => ['https://mail.google.com/']];
        break;
    case 'Yahoo':
        $provider = new Yahoo($params);
        break;
    case 'Microsoft':
        $provider = new Microsoft($params);
        $options = ['scope' => ['wl.imap', 'wl.offline_access']];
        break;
}
if (null === $provider) {
    exit('Provider missing');
}
if (!isset($_GET['code'])) {
    $authUrl = $provider->getAuthorizationUrl($options);
    $_SESSION['oauth2state'] = $provider->getState();
    header('Location: ' . $authUrl);
    exit;
} elseif (empty($_GET['state']) || $_GET['state'] !== $_SESSION['oauth2state']) {
    unset($_SESSION['oauth2state']);
    unset($_SESSION['provider']);
    exit('Invalid state');
} else {
    unset($_SESSION['provider']);
    $token = $provider->getAccessToken('authorization_code', ['code' => $_GET['code']]);
    echo 'Refresh Token: ', $token->getRefreshToken();
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.