Deobfuscate a sourcecop protected wp plugin


I came up with a single (linux) terminal command to deal with this. Logic is to just change eval( code_to_eval ) in obfuscated php files to file_put_contents( __FILE__, code_to_eval ). At least that worked for me (my problematic plugin was “Wishlist 1Click Registration” by “HappyPlugins”). Here’s the command:

grep -irl --include \*.php "eval(.*);" . | xargs -i sh -c "echo {}; sed -i 's/eval(\(.*\));/file_put_contents(__FILE__,\1);/g' {}" | xargs -i sh -c "echo {}; php {} > /dev/null || true; sed -i '1s/^?>//g' {}"

What the command does:

  • gets all .php files in current directory (need to cd to plugin root directory) that contain eval() in them,
  • replaces all eval( code ) with file_put_contents( __FILE__, code ),
  • executes those files with php (need to have php available from command line) – this runs all file_put_contents() statements and replaces all current obfuscated code in .php file with whatever was passed to eval().
  • removes ?> from beginning of each of those files afterwards – it was used for eval code to work for some reason, but now it would just echo “?>” to browser, which we don’t need.

Afterwards, you can also probably delete the “scopbin” folder in plugin’s root – it contains one, now unused, .php file.

Danyl Filatov 2 months 2023-02-02T06:49:47-05:00 0 Answers 0 views 0

Leave an answer