How to Deobfuscate a sourcecop protected WordPress plugin?

4 Views

I have a plugin, which was obfuscated by plugin developer with sourcecop. At some point it began sending out lots of php warnings to debug.log. I couldn’t debug it myself since it was obfuscated, but plugin support was also silent. Online Deobfuscateors I tried didn’t help. How to Deobfuscate it?

Post Views: 4

Related posts

Leave a Reply

1 comment

  1. I came up with a single (linux) terminal command to deal with this. Logic is to just change eval( code_to_eval ) in obfuscated php files to file_put_contents( __FILE__, code_to_eval ). At least that worked for me (my problematic plugin was “Wishlist 1Click Registration” by “HappyPlugins”). Here’s the command:

    grep -irl --include \*.php "eval(.*);" . | xargs -i sh -c "echo {}; sed -i 's/eval(\(.*\));/file_put_contents(__FILE__,\1);/g' {}" | xargs -i sh -c "echo {}; php {} > /dev/null || true; sed -i '1s/^?>//g' {}"

    What the command does:

    • gets all .php files in current directory (need to cd to plugin root directory) that contain eval() in them,
    • replaces all eval( code ) with file_put_contents( __FILE__, code ),
    • executes those files with php (need to have php available from command line) – this runs all file_put_contents() statements and replaces all current obfuscated code in .php file with whatever was passed to eval().
    • removes ?> from beginning of each of those files afterwards – it was used for eval code to work for some reason, but now it would just echo “?>” to browser, which we don’t need.

    Afterwards, you can also probably delete the “scopbin” folder in plugin’s root – it contains one, now unused, .php file.