I came up with a single (linux) terminal command to deal with this. Logic is to just change eval( code_to_eval )
in obfuscated php files to file_put_contents( __FILE__, code_to_eval )
. At least that worked for me (my problematic plugin was “Wishlist 1Click Registration” by “HappyPlugins”). Here’s the command:
grep -irl --include \*.php "eval(.*);" . | xargs -i sh -c "echo {}; sed -i 's/eval(\(.*\));/file_put_contents(__FILE__,\1);/g' {}" | xargs -i sh -c "echo {}; php {} > /dev/null || true; sed -i '1s/^?>//g' {}"
What the command does:
- gets all .php files in current directory (need to cd to plugin root directory) that contain
eval()
in them, - replaces all
eval( code )
withfile_put_contents( __FILE__, code )
, - executes those files with php (need to have
php
available from command line) – this runs allfile_put_contents()
statements and replaces all current obfuscated code in .php file with whatever was passed toeval()
. - removes
?>
from beginning of each of those files afterwards – it was used for eval code to work for some reason, but now it would just echo “?>” to browser, which we don’t need.
Afterwards, you can also probably delete the “scopbin” folder in plugin’s root – it contains one, now unused, .php file.