Admin
This gives me a great idea to write a piece of software called -- PHP Obfuscator!!! Secure your sensitive PHP code by obfuscating it from hackers and DoS attacks! Don't wait until it is too late - get PHP Obfuscator now to ensure that your code is obfuscated!
Boy, I could sell this for $10 and get rich in no time! It'll be more popular than the PHP To HTML Converter! MUAHAHAHAHHAHAHAHAHA!!!!!!
Admin
bleh, un-editable forum software... :$
I meant HTML To PHP Converter...
Admin
Minor typo. I did not read all the comments, but the following line will produce a fatal error:
The last part is wrong: you open, close and then open the single bracket again. Or you should at least backslash it if it is supposed to be there.
(I know this is edited for posting to hide the real module that is being used here to prevent possible hacks from someone if they recognize this code.)
Admin
Even if the typo in "mcrypt_module_open" (as mentioned above) were fixed, it still wouldn't work. The first parameter specifies the algorithm to use - a blank value is not allowed. Thus, "mcrypt_module_open" would always return FALSE (NULL etc.) rather than a valid handle. What happens after that is an exercise in hilarity.
If "mcrypt_generic_init" fails for any reason, the return value of the function is undefined (the value of an undefined local variable), i.e. NULL (zero/FALSE).
Meanwhile, since the salt key is obviously stored in a file on the local filesystem, I wonder if the WWW server was told not to serve it up to a remote client?
Admin
http://pobs.mywalhalla.net/ - Open Source
http://www.ioncube.com/ - commercial
Of course, in the meantime the guys at www.php.net have released a bytecode compiler for PHP, so obfuscators are no longer needed...
Admin
<HTMLTag>The forum software...that's the WTF!</HTMLTag>
Get it? I'm making fun of the fact that most posts show the HTML tags.
Admin
snik fnu ptha!
Admin
A very loose translation: "Age! Depone me!"
Admin
The IV is generated randomly and used in the encryption. Then the IV is thrown away, making the encrypted data meaningless. Or am I missing something?
Admin
H88493247329() ??? Sounds like even the method name has been encrypted!!
Admin
Yes, but it sounds as if the programmer was confused about where his code was being executed - on the server or on the client. Not a good sign!!
Admin
well spotted, poindexter...
Admin
Well, another "good" reason: to try to circumvent antivirus tools if you're writing a virus or other malware... This is one of the methods used by virus authors.
Admin
At first I wondered why you were saying that, and then I re-read my post... d'oh, I of course meant obfuscation, not encryption, my point being that Lisp isn't obfuscated "out of the box" (it requires good indentation, though, but most Lisp editors have no trouble whatsoever indenting Lisp code nicely) but that so-called esoteric languages are.
Yet most of them can be fairly easily transcoded to more classic languages (such as C). The only esoteric language that I know of that couldn't be easily transcoded to C is Java2k, first of all because it's probabilistic (nearly every built-in has a 90% chance of doing what it's supposed to do and a 10% chance of doing something completely different; every function has two different implementations and which one is used is chosen at runtime) to be more in line with common physicalist assumptions about the nature of the universe (there is never absolute security, there is always only probability), and second because it uses base 11, "which is a very good approximation of base 10 for many purposes, including counting up to 9".
Oh yeah, and it uses numbers to name objects and functions. In fact, "Using numbers as names-of-objects is a lot easier than using functions as integer values, so lets just do the easy thing first. Numbers are, as specified in the introduction, 11-based digits." The only restriction is that numbers-as-names must be divisible by 7. Oh, and the 10th elevengit is the space, so "19+1" computes to "1 ".
Admin
A further WTF...
I note that neither the filename string in the $X42342234 variable nor the call to fopen() specifies a particular path to the file to be opened (which I assume contains the encryption key). Therefore, one can probably assume that the encryption key file(s) are kept within the publicly-accessible web root. Doh!
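Three of the posts above (the unchecked mcrypt_module_open return value, the random IV that is generated and then thrown away, and the key file sitting in the web root) describe the same small set of mistakes. The following is an added example, not code from the original article or from any of the commenters, showing the pattern done properly in PHP 7.1+ with ext/openssl (mcrypt was removed from core in PHP 7.2). The key path, function names and the AES-256-GCM choice are this example's own assumptions.

```php
<?php
// Added example (not from the original post). AES-256-GCM via ext/openssl:
// a fresh random IV per message, stored in front of the ciphertext so it is
// available at decrypt time, and the key read from outside the document root.
declare(strict_types=1);

const CIPHER = 'aes-256-gcm';
const TAGLEN = 16;

// Assumption: the 32-byte key lives one level above the document root, mode 0400,
// where the web server can read it but will never serve it. Path is hypothetical.
function load_key(string $path = __DIR__ . '/../secrets/app.key'): string
{
    $key = @file_get_contents($path);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('key file missing or not 32 bytes');
    }
    return $key;
}

// Returns iv || tag || ciphertext. The IV is not secret, but it must be kept.
function seal_message(string $plaintext, string $key): string
{
    $ivlen = openssl_cipher_iv_length(CIPHER);
    if ($ivlen === false) {
        throw new RuntimeException('unknown cipher ' . CIPHER);
    }
    $iv  = random_bytes($ivlen);   // never reuse an IV with the same key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAGLEN);
    if ($ct === false) {           // check the return value instead of using FALSE as a handle
        throw new RuntimeException('encrypt failed: ' . (string) openssl_error_string());
    }
    return $iv . $tag . $ct;
}

function open_message(string $blob, string $key): string
{
    $ivlen = openssl_cipher_iv_length(CIPHER);
    if ($ivlen === false || strlen($blob) < $ivlen + TAGLEN) {
        throw new RuntimeException('blob too short to contain iv and tag');
    }
    $iv  = substr($blob, 0, $ivlen);
    $tag = substr($blob, $ivlen, TAGLEN);
    $ct  = substr($blob, $ivlen + TAGLEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {           // wrong key, wrong IV, or tampered data: refuse, don't return garbage
        throw new RuntimeException('decrypt failed or authentication tag mismatch');
    }
    return $pt;
}

// Self-contained demo with a constructed key; real code would call load_key().
$key  = random_bytes(32);
$blob = seal_message('s3cret session token', $key);
if (open_message($blob, $key) !== 's3cret session token') {
    throw new RuntimeException('round trip failed');
}
echo "round trip ok, blob is " . strlen($blob) . " bytes (12 iv + 16 tag + 20 data)\n";

// Flip one bit of the ciphertext: GCM rejects it rather than decrypting to noise.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    open_message($tampered, $key);
    echo "BUG: tampering not detected\n";
} catch (RuntimeException $e) {
    echo "tampering detected: {$e->getMessage()}\n";
}
```

The point the thread keeps circling is that the IV is not a secret and must travel with the ciphertext, while the key is the secret and must live somewhere the web server reads but never serves; the deleted-IV bug in the article makes the data unrecoverable, and the web-root key file makes it recoverable by everyone.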
Admin
Who cares? That's like seeing a wreck on the side of the freeway and then rolling your eyes and saying, "Of course they wrecked, they drive a Ford". I think that a WTF programmer will create a WTF no matter what language (s)he uses.
Admin
Good observation. I agree.
With bad tools or great tools, an artist can make a masterpiece and an idiot can make a mess.
Admin
I agree until then all that is needed is to encrypt the programmer and not the program... and stuff...
Admin
>It's PHP.
And it looks as good as any other PHP code I've seen. I don't see the WTF, personally...
In fact, from a distance, it looks like pretty readable Perl...
Admin
Still I prefer not to drive a Ford [:D]
Admin
Um... no? Unless you're insane enough to keep your only copy of the source code on the production system, someone can have access to your source code on a test system, through the CVS repository, by looking at a backup... lots of possibilities to see the code without having any kind of access to the production environment.
Admin
Even funnier is that he tried to write maintainable obfuscated encrypted code. If you're writing obfuscated code anyway, you ought to do it like this:
Admin
I agree. If they were driving a Toyota they'd be fine now. [:)]
Admin
(do-p you (by (mean) obfuscated))
Admin
Well, it could have been worse - he could have been using encraption instead.
http://www.thedailywtf.com/forums/39689/ShowPost.aspx
Admin
What a complete boob. Anybody who would subscribe to that kind of logic should have the fingers of both hands slammed in a kitchen drawer, thereby stopping 'turd code' like this.
Admin
(with-obfuscation
(do-stuff-here))
Admin
But I noticed that there's a strong correlation between some tools and the idiot/artist property.
Admin
I still disagree that something becomes a WTF simply because it's written in PHP. The tool/language used to create enterprise WTF-ups is irrelevant. While I do agree that PHP is flexible enough to allow WTFs to crop up more frequently... it doesn't mean that Java programmers haven't attempted to create WTF code only to find it doesn't compile and are able to escape the potential of showing up here. PHP just makes it easier to ignore WTFs (and later have them exposed) because you can turn off errors and warnings in the .ini file and pretend that nothing went wrong.
Admin
Am I the only one reminded of the Monty Python sketch "How Not To Be Seen"...
"Here, we have Mr. Encryption Function. Encryption Function, would you please stand up?"
[pause]
"Mr. Function has learned the first rule of not being seen--not to stand up; however, Mr. Function has chosen an implementation with an obvious control flow that doesn't hide anything at all from the casual code inspector."
[sound of large explosion complete with smoky fireball and scream of violent death]
Admin
The encryptionkey.txt is next to passwords.txt in his web root.
Admin
Maybe they should have just caught a cab.
Admin
Amazing, there's actually someone else out there who's heard of MOO programming. I was starting to think that all of the core code must have been delivered by pixies.
Actually, MOO's got a significant advantage when it comes to obfuscating, comments are so annoying to insert that you're lucky if you see one line for every 30 or so lines of code, and that one's usually "Changed on 04/20/1998 by Soandso." One less step in the process.
-FunnyMan
Admin
I like to think that's because most MOO code is inherently readable, so that it doesn't need comments. And they're not all that hard to insert anyway.
As for obfuscation: I've actually obfuscated the PHP code that contains my database passwords. The code is outside the webroot and obfuscated, but I have no illusions that it's actually secure. If someone managed to get access to the source they'd be able to decipher it fairly easily.
But what can you do? The webserver needs to be able to access the passwords in plaintext, therefore you have to have them readable in plain text somewhere. The best you can do is to obfuscate it a bit and not include the "admin" password, only the general read/write password. (Unfortunately I can't limit it to a read-only password. Bah.)
Admin
That is a battle that can never be won. You don't even need to de-obfuscate the code to get the passwords. Just replace the database client library with a set of similar routines that log connection attempts. If you don't trust the admin of the box, you are screwed. The problem you are having is the same one the RIAA is having with DRM. If you give someone the decryption engine and the key, how do you keep them from decrypting stuff?
It's not even really worth trying. Any effort will be useless against the people who really matter and will just take up some of your time and make maintenance a pain. Obfuscated functions also attract attention. Obviously you are hiding something valuable....
Admin
Depends on who the hacker is. If he is a disgruntled employee (maybe he got fed up trying to maintain code like this), he may well have seen the code during development. You should never rely on the fact that the user does not have access to your source code for your application's security.
In fact, this makes you much less secure, as it's easy for someone to put in a backdoor to the system that would allow them to hack into it at a later date.
Admin
I believe he was responding to someone thinking that the heart of this WTF is that since C is compiled, the code is not visible anyways...
Admin
Amazing, there's actually someone else out there who's heard of MOO programming. I was starting to think that all of the core code must have been delivered by pixies.
Actually, MOO's got a significant advantage when it comes to obfuscating, comments are so annoying to insert that you're lucky if you see one line for every 30 or so lines of code, and that one's usually "Changed on 04/20/1998 by Soandso." One less step in the process.
-FunnyMan
I love MOOSE too! It's so versatile. Especially in the kitchen! [8-)]
Admin
I think Alex gets some kind of perverse pleasure from hearing all the complaints about the forum software, that or he is trying to be enterprisy with it. ^o)
Admin
F***ing forum software, how the heck do you put in the emoticons?
^o)
Admin
(
(
(
(
(cadddar(cdr(caaadr(1,2,3,4,5,I don't agree))))
)
)
)
)
Admin
Are you sure? You obviously haven't heard about Client Side PHP (/forums/68115/ShowPost.aspx)
Admin
I tend to agree, at least in part. If nothing else, you really learn the value of descriptive variable names. Still, I've seen some stuff that badly needed commenting, but either people forget or they just can't be bothered.
-FM
Admin
So I trust, on reflection, that we trust you?
:-)
Pete
Admin
Learn to spell:
Admin
an apology: