Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php use MiniOrange\Helper\DB; if (isset($_SESSION)) { goto WJ; } session_start(); WJ: if (is_user_registered()) { goto g7; } header("\114\x6f\x63\141\x74\x69\157\156\x3a\x20\162\x65\x67\x69\163\x74\145\162\x2e\160\x68\160"); exit; g7: if (!(isset($_SESSION["\x61\165\x74\x68\157\162\151\172\145\...



Obfuscated php code

<?php


use MiniOrange\Helper\DB;
if (isset($_SESSION)) {
    goto WJ;
}
session_start();
WJ:
if (is_user_registered()) {
    goto g7;
}
header("\114\x6f\x63\141\x74\x69\157\156\x3a\x20\162\x65\x67\x69\163\x74\145\162\x2e\160\x68\160");
exit;
g7:
if (!(isset($_SESSION["\x61\165\x74\x68\157\162\151\172\145\144"]) && !empty($_SESSION["\141\165\x74\x68\157\x72\151\172\145\x64"]))) {
    goto FR;
}
if (!($_SESSION["\x61\x75\x74\x68\157\x72\151\x7a\145\144"] == true)) {
    goto s3;
}
if (mo_saml_is_customer_license_verified()) {
    goto lZ;
}
if (isset($_REQUEST["\157\x70\x74\151\x6f\156"])) {
    goto IM;
}
goto mX;
lZ:
header("\x4c\157\x63\141\x74\151\157\156\72\40\163\x65\164\165\160\56\x70\x68\x70");
exit;
goto mX;
IM:
header("\x4c\x6f\x63\x61\164\x69\157\x6e\x3a\x20\141\x63\143\x6f\165\156\164\56\160\x68\x70");
exit;
mX:
s3:
FR:
if (!(isset($_REQUEST["\157\x70\x74\x69\157\x6e"]) && $_REQUEST["\157\160\x74\x69\157\x6e"] == "\x61\144\x6d\151\156\137\154\157\x67\x69\156")) {
    goto Xg;
}
$Ty = '';
$Jd = '';
if (!(isset($_POST["\145\155\141\x69\154"]) && !empty($_POST["\145\x6d\x61\x69\154"]))) {
    goto Z0;
}
$Ty = $_POST["\x65\x6d\141\151\x6c"];
Z0:
if (!(isset($_POST["\x70\141\163\x73\x77\157\162\x64"]) && !empty($_POST["\x70\x61\x73\163\167\x6f\162\144"]))) {
    goto V0;
}
$Jd = $_POST["\160\x61\x73\163\x77\157\x72\x64"];
V0:
if (empty($Jd)) {
    goto j1;
}
$Jd = sha1($Jd);
j1:
$user = DB::get_registered_user();
$OI = '';
$He = '';
if (!($user != NULL)) {
    goto PA;
}
if (isset($user->password)) {
    goto v6;
}
$_SESSION["\151\x6e\166\x61\154\x69\144\137\143\162\x65\144\x65\x6e\x74\x69\141\x6c\163"] = true;
goto Cq;
v6:
$OI = $user->password;
Cq:
PA:
if (!($user != NULL)) {
    goto Dg;
}
if (isset($user->email)) {
    goto uV;
}
$_SESSION["\151\x6e\166\x61\x6c\x69\x64\x5f\143\162\145\144\145\156\164\x69\141\x6c\163"] = true;
goto b1;
uV:
$He = $user->email;
b1:
Dg:
if (empty($OI)) {
    goto aL;
}
if ($Jd === $OI) {
    goto YA;
}
$_SESSION["\151\x6e\x76\x61\x6c\151\x64\137\x63\162\145\144\145\156\164\151\x61\x6c\163"] = true;
goto EH;
YA:
if (!(!isset($_SESSION["\141\x75\x74\150\x6f\x72\151\x7a\x65\x64"]) || $_SESSION["\141\165\x74\150\x6f\162\151\172\x65\144"] != true)) {
    goto yO;
}
$_SESSION["\x61\x75\x74\150\157\x72\x69\x7a\145\x64"] = true;
yO:
$_SESSION["\x61\144\x6d\151\156\137\145\x6d\141\151\154"] = $Ty;
if (mo_saml_is_customer_license_verified()) {
    goto mQ;
}
header("\x4c\x6f\143\x61\164\151\157\x6e\x3a\x20\x61\143\143\157\x75\156\164\x2e\x70\150\x70");
exit;
goto x_;
mQ:
header("\114\157\x63\141\x74\151\157\x6e\x3a\x20\x73\145\x74\x75\160\56\160\150\x70");
exit;
x_:
EH:
aL:
Xg:

Decoded(de-Obfuscated) php code

<?php

use MiniOrange\Helper\DB;
if (isset($_SESSION)) {
    goto WJ;
}
session_start();
WJ:
if (is_user_registered()) {
    if (!(isset($_SESSION["authorized"]) && !empty($_SESSION["authorized"]))) {
        goto FR;
    }
    if (!($_SESSION["authorized"] == true)) {
        goto s3;
    }
    if (mo_saml_is_customer_license_verified()) {
        header("Location: setup.php");
        exit;
    }
    if (isset($_REQUEST["option"])) {
        header("Location: account.php");
        exit;
    }
    mX:
    s3:
    FR:
    if (!(isset($_REQUEST["option"]) && $_REQUEST["option"] == "admin_login")) {
        goto Xg;
    }
    $Ty = '';
    $Jd = '';
    if (!(isset($_POST["email"]) && !empty($_POST["email"]))) {
        goto Z0;
    }
    $Ty = $_POST["email"];
    Z0:
    if (!(isset($_POST["password"]) && !empty($_POST["password"]))) {
        goto V0;
    }
    $Jd = $_POST["password"];
    V0:
    if (empty($Jd)) {
        goto j1;
    }
    $Jd = sha1($Jd);
    j1:
    $user = DB::get_registered_user();
    $OI = '';
    $He = '';
    if (!($user != NULL)) {
        goto PA;
    }
    if (isset($user->password)) {
        $OI = $user->password;
        // [PHPDeobfuscator] Implied goto
        goto Cq;
    }
    $_SESSION["invalid_credentials"] = true;
    Cq:
    PA:
    if (!($user != NULL)) {
        goto Dg;
    }
    if (isset($user->email)) {
        $He = $user->email;
        // [PHPDeobfuscator] Implied goto
        goto b1;
    }
    $_SESSION["invalid_credentials"] = true;
    b1:
    Dg:
    if (empty($OI)) {
        goto aL;
    }
    if ($Jd === $OI) {
        if (!(!isset($_SESSION["authorized"]) || $_SESSION["authorized"] != true)) {
            goto yO;
        }
        $_SESSION["authorized"] = true;
        yO:
        $_SESSION["admin_email"] = $Ty;
        if (mo_saml_is_customer_license_verified()) {
            header("Location: setup.php");
            exit;
        }
        header("Location: account.php");
        exit;
    }
    $_SESSION["invalid_credentials"] = true;
    x_:
    EH:
    aL:
    Xg:
    // [PHPDeobfuscator] Implied script end
    return;
}
header("Location: register.php");
exit;

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.