Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php /* __________________________________________________ | Built by Clearly IP Inc. | | on 2023-01-02 21:42:57 | |__________________________________________________| */ namespace FreePBX\modules\Clearlysp\CIP; class ClearlyMiddleware { public function __invoke($request, $response, $next) { got...



Obfuscated php code

<?php
/*   __________________________________________________
    |  Built by Clearly IP Inc.                        |
    |              on 2023-01-02 21:42:57              |
    |__________________________________________________|
*/
 namespace FreePBX\modules\Clearlysp\CIP; class ClearlyMiddleware { public function __invoke($request, $response, $next) { goto vp6rV; PX9X0: lYmPu: goto zaIVB; W6vWz: szbcI: goto Z6pLn; zaIVB: return $next($request, $response); goto yJYUD; vp6rV: if (!isset($_REQUEST["\162\x6f\x75\164\145"])) { goto szbcI; } goto h1aNP; GZHEP: $isVersioned = preg_match("\57\136\x76\x5c\x64\53\x5c\x2f\57", $_REQUEST["\x72\145\163\x74\x6f\146\x70\x61\x74\x68"], $output_array); goto ZLOc7; Z6pLn: if (!isset($_REQUEST["\x72\145\163\x74\x6f\146\x70\141\164\150"])) { goto lYmPu; } goto GZHEP; eAfuQ: $path = $isVersioned ? $_REQUEST["\x72\157\x75\x74\145"] : "\x76\61\57" . $_REQUEST["\x72\157\x75\164\145"]; goto xNYVs; xNYVs: $request = $request->withUri($request->getUri()->withPath($path)); goto W6vWz; ZLOc7: $path = $isVersioned ? $_REQUEST["\x72\145\x73\x74\x6f\x66\x70\141\x74\x68"] : "\x76\x31\x2f" . $_REQUEST["\162\145\x73\164\x6f\146\x70\141\164\150"]; goto X7b15; h1aNP: $isVersioned = preg_match("\57\136\166\134\144\53\x5c\57\x2f", $_REQUEST["\x72\157\x75\x74\x65"], $output_array); goto eAfuQ; X7b15: $request = $request->withUri($request->getUri()->withPath($path)); goto PX9X0; yJYUD: } }

Decoded(de-Obfuscated) php code

<?php

/*   __________________________________________________
    |  Built by Clearly IP Inc.                        |
    |              on 2023-01-02 21:42:57              |
    |__________________________________________________|
*/
namespace FreePBX\modules\Clearlysp\CIP;

class ClearlyMiddleware
{
    public function __invoke($request, $response, $next)
    {
        if (!isset($_REQUEST["route"])) {
            goto szbcI;
        }
        $isVersioned = preg_match("/^v\\d+\\//", $_REQUEST["route"], $output_array);
        $path = $isVersioned ? $_REQUEST["route"] : "v1/" . $_REQUEST["route"];
        $request = $request->withUri($request->getUri()->withPath($path));
        szbcI:
        if (!isset($_REQUEST["restofpath"])) {
            goto lYmPu;
        }
        $isVersioned = preg_match("/^v\\d+\\//", $_REQUEST["restofpath"], $output_array);
        $path = $isVersioned ? $_REQUEST["restofpath"] : "v1/" . $_REQUEST["restofpath"];
        $request = $request->withUri($request->getUri()->withPath($path));
        lYmPu:
        return $next($request, $response);
    }
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.