I got here up with a single (linux) terminal command to cope with this. Logic is to only change eval( code_to_eval )
in obfuscated php information to file_put_contents( __FILE__, code_to_eval )
. A minimum of that labored for me (my problematic plugin was “Wishlist 1Click Registration” by “HappyPlugins”). Here is the command:
grep -irl --include *.php "eval(.*);" . | xargs -i sh -c "echo {}; sed -i 's/eval((.*));/file_put_contents(__FILE__,1);/g' {}" | xargs -i sh -c "echo {}; php {} > /dev/null || true; sed -i '1s/^?>//g' {}"
What the command does:
- will get all .php information in present listing (must cd to plugin root listing) that include
eval()
in them, - replaces all
eval( code )
withfile_put_contents( __FILE__, code )
, - executes these information with php (must have
php
out there from command line) – this runs allfile_put_contents()
statements and replaces all present obfuscated code in .php file with no matter was handed toeval()
. - removes
?>
from starting of every of these information afterwards – it was used for eval code to work for some cause, however now it could simply echo “?>” to browser, which we do not want.
Afterwards, you may as well in all probability delete the “scopbin” folder in plugin’s root – it incorporates one, now unused, .php file.