Japanese English

PHP deobfuscation, decryption, reconstruction tool

De-obfuscate PHP malware/viruses and tampering code on Wordpress to original readable code.

*Please note that not all obfuscation codes can be decoded.

Decoded the code below.

<?php /* __________________________________________________ | Built by Clearly IP Inc. | | on 2023-01-02 21:42:57 | |__________________________________________________| */ namespace FreePBX\modules\Clearlysp\CIP\Clients; use GuzzleHttp\Client; class RazrClient { const cU14G = "\150\x74\x74\160\16...



Obfuscated php code

<?php
/*   __________________________________________________
    |  Built by Clearly IP Inc.                        |
    |              on 2023-01-02 21:42:57              |
    |__________________________________________________|
*/
 namespace FreePBX\modules\Clearlysp\CIP\Clients; use GuzzleHttp\Client; class RazrClient { const cU14G = "\150\x74\x74\160\163\x3a\57\x2f\162\141\x7a\x72\x2e\x63\x6c\x65\141\162\154\x79\x69\160\56\143\157\x6d"; const N_zLZ = 5.0; public static function updateSettings($token, $settings, $url = self::cU14G) { $client = new Client(array("\142\x61\x73\x65\x5f\x75\162\x69" => $url, "\x74\x69\x6d\x65\x6f\165\164" => self::N_zLZ)); try { $response = $client->request("\120\x4f\123\124", "\57\141\x70\151\x2f\x73\145\164\x74\151\156\x67\163\57" . $token, array("\x6a\163\157\156" => $settings)); return array("\x73\x74\141\x74\x75\x73" => true, "\x62\157\x64\171" => $response->getBody()->getContents()); } catch (\Exception $e) { goto yTLNV; JhgSU: $responseJSON = json_decode($responseBodyAsString); goto Fu4qq; Fu4qq: if (!(!empty($responseJSON) && isset($responseJSON->status) && !$responseJSON->status && !empty($responseJSON->message))) { goto IE3Hs; } goto bWIe7; yTLNV: $response = $e->getResponse(); goto cBmpj; bWIe7: return array("\163\x74\141\x74\x75\163" => false, "\142\157\x64\x79" => $responseJSON->message); goto OREWL; OREWL: IE3Hs: goto dUqdM; dUqdM: return array("\x73\x74\x61\x74\x75\163" => false, "\142\157\144\171" => "\125\156\x61\142\154\145\40\x74\157\40\162\x65\141\x63\150\40\x74\150\x65\40\x41\120\111"); goto w6FXg; cBmpj: $responseBodyAsString = $response->getBody()->getContents(); goto JhgSU; w6FXg: } } public static function checkApiConnection($token, $url = self::cU14G) { goto C6M_w; JgUyN: if (!($response->getStatusCode() === 200)) { goto U8Z1X; } goto jFXgS; C6M_w: $client = new Client(array("\142\141\163\145\137\x75\162\151" => $url, "\164\151\x6d\x65\x6f\165\164" => self::N_zLZ)); goto jpMJl; xyChp: U8Z1X: goto j7lls; jFXgS: return true; goto xyChp; j7lls: return false; goto VU7Wx; jpMJl: try { $response = $client->post("\x2f\141\160\x69\57\164\145\163\x74", array("\146\157\162\x6d\137\x70\141\162\141\155\x73" => array("\x74\x6f\153\x65\156" => $token))); } catch (\Exception $e) { return false; } goto JgUyN; VU7Wx: } public static function getAccountData($token, $url = self::cU14G) { goto CfX7F; CfX7F: $client = new Client(array("\142\141\163\x65\x5f\x75\x72\151" => $url, "\x74\x69\x6d\x65\157\x75\164" => self::N_zLZ)); goto Jx_Zw; PQ9Ah: return json_decode($response->getBody()->getContents(), true); goto uk4sm; Jx_Zw: $response = $client->get($url . "\57\x61\x70\x69\x2f\166\141\154\x69\144\141\164\145\x2f" . $token); goto PQ9Ah; uk4sm: } }

Decoded(de-Obfuscated) php code

<?php

/*   __________________________________________________
    |  Built by Clearly IP Inc.                        |
    |              on 2023-01-02 21:42:57              |
    |__________________________________________________|
*/
namespace FreePBX\modules\Clearlysp\CIP\Clients;

use GuzzleHttp\Client;
class RazrClient
{
    const cU14G = "https://razr.clearlyip.com";
    const N_zLZ = 5.0;
    public static function updateSettings($token, $settings, $url = self::cU14G)
    {
        $client = new Client(array("base_uri" => $url, "timeout" => self::N_zLZ));
        try {
            $response = $client->request("POST", "/api/settings/" . $token, array("json" => $settings));
            return array("status" => true, "body" => $response->getBody()->getContents());
        } catch (\Exception $e) {
            $response = $e->getResponse();
            $responseBodyAsString = $response->getBody()->getContents();
            $responseJSON = json_decode($responseBodyAsString);
            if (!(!empty($responseJSON) && isset($responseJSON->status) && !$responseJSON->status && !empty($responseJSON->message))) {
                return array("status" => false, "body" => "Unable to reach the API");
            }
            return array("status" => false, "body" => $responseJSON->message);
        }
    }
    public static function checkApiConnection($token, $url = self::cU14G)
    {
        $client = new Client(array("base_uri" => $url, "timeout" => self::N_zLZ));
        try {
            $response = $client->post("/api/test", array("form_params" => array("token" => $token)));
        } catch (\Exception $e) {
            return false;
        }
        if (!($response->getStatusCode() === 200)) {
            return false;
        }
        return true;
    }
    public static function getAccountData($token, $url = self::cU14G)
    {
        $client = new Client(array("base_uri" => $url, "timeout" => self::N_zLZ));
        $response = $client->get($url . "/api/validate/" . $token);
        return json_decode($response->getBody()->getContents(), true);
    }
}

Malware detection & removal plugin for WordPress

(C)2020 Wordpress Doctor All rights reserved.