De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.
*Please note that not all obfuscation codes can be decoded.<?php include_once 'Utilities.php'; class IDPMetadataReader { private $identityProviders; private $serviceProviders; public function __construct(DOMNode $l3 = NULL) { $this->identityProviders = array(); $this->serviceProviders = array(); $v4 = SAMLSPUtilities::xpQuery($l3, "\x2e\x2f\163\x61\155\x6c\137\x6d\145\164\141\144\x61\164\141\x3a\x45\x6e\164\151\164\x69\x65\163\104\145\x73\143\162\x69\x70\164\157\162"); if (!empty($v4)) { goto F_; } $la = SAMLSPUtilities::xpQuery($l3, "\56\57\163\x61\155\154\137\x6d\145\x74\141\x64\141\164\141\72\x45\156\x74\x69\x74\171\104\145\163\x63\x72\151\x70\x74\x6f\x72"); goto Gh; F_: $la = SAMLSPUtilities::xpQuery($v4[0], "\56\57\x73\141\155\154\137\155\x65\x74\x61\x64\141\x74\x61\72\x45\156\x74\151\x74\x79\104\x65\x73\143\162\x69\x70\x74\x6f\162"); Gh: foreach ($la as $W_) { $wX = SAMLSPUtilities::xpQuery($W_, "\56\x2f\x73\x61\155\154\x5f\155\x65\164\x61\144\141\164\141\72\111\x44\x50\x53\123\x4f\x44\x65\x73\143\x72\x69\x70\164\157\x72"); if (empty($wX)) { goto Rr; } array_push($this->identityProviders, new IdentityProviders($W_)); Rr: NR: } Tb: } public function getIdentityProviders() { return $this->identityProviders; } public function getServiceProviders() { return $this->serviceProviders; } } class IdentityProviders { private $idpName; private $entityID; private $loginDetails; private $logoutDetails; private $signingCertificate; private $encryptionCertificate; private $signedRequest; public function __construct(DOMElement $l3 = NULL) { $this->idpName = ''; $this->loginDetails = array(); $this->logoutDetails = array(); $this->signingCertificate = array(); $this->encryptionCertificate = array(); if (!$l3->hasAttribute("\145\156\164\151\x74\x79\x49\x44")) { goto W9; } $this->entityID = $l3->getAttribute("\x65\x6e\x74\151\164\171\x49\x44"); W9: if (!$l3->hasAttribute("\127\x61\x6e\x74\101\x75\x74\150\156\122\x65\161\165\x65\163\164\163\x53\x69\147\156\145\x64")) { goto i3; } $this->signedRequest = $l3->getAttribute("\127\x61\x6e\x74\101\x75\164\150\156\122\x65\161\165\145\163\164\163\x53\x69\x67\156\145\144"); i3: $wX = SAMLSPUtilities::xpQuery($l3, "\x2e\x2f\163\x61\x6d\x6c\137\x6d\x65\164\x61\x64\141\164\x61\x3a\111\104\x50\123\x53\x4f\104\145\163\143\162\151\x70\x74\157\x72"); if (count($wX) > 1) { goto cj; } if (empty($wX)) { goto nY; } goto o6; cj: throw new Exception("\115\x6f\x72\145\x20\x74\150\141\x6e\40\x6f\156\145\40\x3c\111\104\x50\123\123\117\x44\145\x73\143\x72\x69\x70\164\x6f\162\x3e\x20\x69\x6e\40\74\105\x6e\x74\151\x74\171\x44\145\163\x63\162\151\160\164\157\162\76\56"); goto o6; nY: throw new Exception("\115\151\163\x73\x69\x6e\x67\40\x72\145\161\x75\151\162\x65\x64\x20\74\x49\x44\120\x53\x53\117\104\145\163\x63\x72\x69\160\x74\x6f\x72\76\40\x69\x6e\40\x3c\105\156\164\151\x74\171\x44\145\x73\143\162\x69\160\x74\157\162\76\x2e"); o6: $oR = $wX[0]; $Yx = SAMLSPUtilities::xpQuery($l3, "\56\57\163\x61\x6d\x6c\x5f\x6d\145\164\141\x64\141\164\x61\72\x45\x78\164\x65\x6e\163\151\x6f\x6e\163"); if (!$Yx) { goto yX; } $this->parseInfo($oR); yX: $this->parseSSOService($oR); $this->parseSLOService($oR); $this->parsex509Certificate($oR); } private function parseInfo($l3) { $ZA = SAMLSPUtilities::xpQuery($l3, "\x2e\57\x6d\x64\x75\x69\72\125\x49\x49\156\x66\x6f\57\155\x64\x75\151\x3a\104\x69\x73\x70\x6c\141\171\116\141\x6d\145"); foreach ($ZA as $YB) { if (!($YB->hasAttribute("\170\x6d\154\72\154\x61\156\147") && $YB->getAttribute("\170\155\154\x3a\x6c\141\x6e\147") == "\x65\x6e")) { goto j6; } $this->idpName = $YB->textContent; j6: ay: } qn: } private function parseSSOService($l3) { $Zi = SAMLSPUtilities::xpQuery($l3, "\x2e\57\x73\x61\155\154\x5f\x6d\x65\x74\x61\144\x61\x74\x61\x3a\x53\x69\x6e\x67\x6c\145\123\151\147\156\117\156\123\x65\162\166\151\x63\145"); foreach ($Zi as $cu) { $HH = str_replace("\165\162\x6e\72\x6f\141\163\x69\163\x3a\x6e\141\155\145\163\x3a\164\x63\72\x53\101\x4d\114\72\62\x2e\x30\x3a\x62\x69\156\144\151\x6e\x67\x73\x3a", '', $cu->getAttribute("\x42\151\x6e\x64\151\x6e\x67")); $this->loginDetails = array_merge($this->loginDetails, array($HH => $cu->getAttribute("\114\157\x63\141\164\151\x6f\156"))); DQ: } jT: } private function parseSLOService($l3) { $Xf = SAMLSPUtilities::xpQuery($l3, "\x2e\x2f\163\141\x6d\154\137\x6d\145\x74\x61\144\141\164\141\x3a\123\x69\156\147\154\145\x4c\x6f\147\157\165\164\x53\x65\x72\166\x69\143\x65"); if (!empty($Xf)) { goto Ka; } $this->logoutDetails = array("\110\x54\x54\120\x2d\122\145\144\x69\162\145\143\x74" => ''); goto UF; Ka: foreach ($Xf as $Fb) { $HH = str_replace("\165\x72\x6e\x3a\x6f\141\163\x69\163\x3a\156\141\x6d\145\163\72\x74\x63\72\123\x41\115\x4c\x3a\x32\x2e\x30\x3a\x62\x69\x6e\144\x69\x6e\x67\163\72", '', $Fb->getAttribute("\102\151\x6e\x64\x69\x6e\147")); $this->logoutDetails = array_merge($this->logoutDetails, array($HH => $Fb->getAttribute("\x4c\x6f\143\x61\164\x69\x6f\x6e"))); Ri: } t_: UF: } private function parsex509Certificate($l3) { foreach (SAMLSPUtilities::xpQuery($l3, "\56\x2f\163\141\155\154\137\155\x65\x74\141\x64\141\x74\141\72\113\145\171\104\x65\163\143\x72\151\160\164\x6f\x72") as $rF) { if ($rF->hasAttribute("\165\x73\x65")) { goto H_; } $this->parseSigningCertificate($rF); goto F2; H_: if ($rF->getAttribute("\x75\163\x65") == "\x65\x6e\x63\162\x79\x70\164\x69\x6f\156") { goto Gg; } $this->parseSigningCertificate($rF); goto op; Gg: $this->parseEncryptionCertificate($rF); op: F2: MN: } F9: } private function parseSigningCertificate($l3) { $dy = SAMLSPUtilities::xpQuery($l3, "\x2e\57\144\x73\72\x4b\145\x79\111\x6e\146\157\57\x64\x73\x3a\130\65\60\x39\104\141\164\141\x2f\144\163\72\x58\x35\x30\x39\x43\145\x72\x74\151\x66\151\143\141\x74\x65"); $UN = trim($dy[0]->textContent); $UN = str_replace(array("\xd", "\xa", "\11", "\40"), '', $UN); if (empty($dy)) { goto XH; } array_push($this->signingCertificate, SAMLSPUtilities::sanitize_certificate($UN)); XH: } private function parseEncryptionCertificate($l3) { $dy = SAMLSPUtilities::xpQuery($l3, "\56\x2f\x64\163\x3a\x4b\145\171\111\x6e\x66\x6f\x2f\x64\163\x3a\130\65\x30\x39\x44\x61\164\141\x2f\x64\x73\x3a\x58\x35\x30\71\x43\x65\x72\164\151\x66\151\x63\141\x74\x65"); $UN = trim($dy[0]->textContent); $UN = str_replace(array("\xd", "\xa", "\11", "\40"), '', $UN); if (empty($dy)) { goto JA; } array_push($this->encryptionCertificate, $UN); JA: } public function getIdpName() { return $this->idpName; } public function getEntityID() { return $this->entityID; } public function getLoginURL($HH) { return $this->loginDetails[$HH]; } public function getLogoutURL($HH) { return $this->logoutDetails[$HH]; } public function getLoginDetails() { return $this->loginDetails; } public function getLogoutDetails() { return $this->logoutDetails; } public function getSigningCertificate() { return $this->signingCertificate; } public function getEncryptionCertificate() { return $this->encryptionCertificate[0]; } public function isRequestSigned() { return $this->signedRequest; } } class ServiceProviders { }
<?php include_once 'Utilities.php'; class IDPMetadataReader { private $identityProviders; private $serviceProviders; public function __construct(DOMNode $l3 = NULL) { $this->identityProviders = array(); $this->serviceProviders = array(); $v4 = SAMLSPUtilities::xpQuery($l3, "./saml_metadata:EntitiesDescriptor"); if (!empty($v4)) { $la = SAMLSPUtilities::xpQuery($v4[0], "./saml_metadata:EntityDescriptor"); // [PHPDeobfuscator] Implied goto goto Gh; } $la = SAMLSPUtilities::xpQuery($l3, "./saml_metadata:EntityDescriptor"); Gh: foreach ($la as $W_) { $wX = SAMLSPUtilities::xpQuery($W_, "./saml_metadata:IDPSSODescriptor"); if (empty($wX)) { goto Rr; } array_push($this->identityProviders, new IdentityProviders($W_)); Rr: } } public function getIdentityProviders() { return $this->identityProviders; } public function getServiceProviders() { return $this->serviceProviders; } } class IdentityProviders { private $idpName; private $entityID; private $loginDetails; private $logoutDetails; private $signingCertificate; private $encryptionCertificate; private $signedRequest; public function __construct(DOMElement $l3 = NULL) { $this->idpName = ''; $this->loginDetails = array(); $this->logoutDetails = array(); $this->signingCertificate = array(); $this->encryptionCertificate = array(); if (!$l3->hasAttribute("entityID")) { goto W9; } $this->entityID = $l3->getAttribute("entityID"); W9: if (!$l3->hasAttribute("WantAuthnRequestsSigned")) { goto i3; } $this->signedRequest = $l3->getAttribute("WantAuthnRequestsSigned"); i3: $wX = SAMLSPUtilities::xpQuery($l3, "./saml_metadata:IDPSSODescriptor"); if (count($wX) > 1) { throw new Exception("More than one <IDPSSODescriptor> in <EntityDescriptor>."); } if (empty($wX)) { throw new Exception("Missing required <IDPSSODescriptor> in <EntityDescriptor>."); } $oR = $wX[0]; $Yx = SAMLSPUtilities::xpQuery($l3, "./saml_metadata:Extensions"); if (!$Yx) { goto yX; } $this->parseInfo($oR); yX: $this->parseSSOService($oR); $this->parseSLOService($oR); $this->parsex509Certificate($oR); } private function parseInfo($l3) { $ZA = SAMLSPUtilities::xpQuery($l3, "./mdui:UIInfo/mdui:DisplayName"); foreach ($ZA as $YB) { if (!($YB->hasAttribute("xml:lang") && $YB->getAttribute("xml:lang") == "en")) { goto j6; } $this->idpName = $YB->textContent; j6: } } private function parseSSOService($l3) { $Zi = SAMLSPUtilities::xpQuery($l3, "./saml_metadata:SingleSignOnService"); foreach ($Zi as $cu) { $HH = str_replace("urn:oasis:names:tc:SAML:2.0:bindings:", '', $cu->getAttribute("Binding")); $this->loginDetails = array_merge($this->loginDetails, array($HH => $cu->getAttribute("Location"))); } } private function parseSLOService($l3) { $Xf = SAMLSPUtilities::xpQuery($l3, "./saml_metadata:SingleLogoutService"); if (!empty($Xf)) { foreach ($Xf as $Fb) { $HH = str_replace("urn:oasis:names:tc:SAML:2.0:bindings:", '', $Fb->getAttribute("Binding")); $this->logoutDetails = array_merge($this->logoutDetails, array($HH => $Fb->getAttribute("Location"))); } // [PHPDeobfuscator] Implied goto goto t_; } $this->logoutDetails = array("HTTP-Redirect" => ''); t_: } private function parsex509Certificate($l3) { foreach (SAMLSPUtilities::xpQuery($l3, "./saml_metadata:KeyDescriptor") as $rF) { if ($rF->hasAttribute("use")) { if ($rF->getAttribute("use") == "encryption") { $this->parseEncryptionCertificate($rF); // [PHPDeobfuscator] Implied goto goto op; } $this->parseSigningCertificate($rF); goto op; } $this->parseSigningCertificate($rF); op: F2: } } private function parseSigningCertificate($l3) { $dy = SAMLSPUtilities::xpQuery($l3, "./ds:KeyInfo/ds:X509Data/ds:X509Certificate"); $UN = trim($dy[0]->textContent); $UN = str_replace(array("\r", "\n", "\t", " "), '', $UN); if (empty($dy)) { goto XH; } array_push($this->signingCertificate, SAMLSPUtilities::sanitize_certificate($UN)); XH: } private function parseEncryptionCertificate($l3) { $dy = SAMLSPUtilities::xpQuery($l3, "./ds:KeyInfo/ds:X509Data/ds:X509Certificate"); $UN = trim($dy[0]->textContent); $UN = str_replace(array("\r", "\n", "\t", " "), '', $UN); if (empty($dy)) { goto JA; } array_push($this->encryptionCertificate, $UN); JA: } public function getIdpName() { return $this->idpName; } public function getEntityID() { return $this->entityID; } public function getLoginURL($HH) { return $this->loginDetails[$HH]; } public function getLogoutURL($HH) { return $this->logoutDetails[$HH]; } public function getLoginDetails() { return $this->loginDetails; } public function getLogoutDetails() { return $this->logoutDetails; } public function getSigningCertificate() { return $this->signingCertificate; } public function getEncryptionCertificate() { return $this->encryptionCertificate[0]; } public function isRequestSigned() { return $this->signedRequest; } } class ServiceProviders { }
Malware detection & removal plugin for WordPress
(C)2020 Wordpress Doctor All rights reserved.