eval("fi" . "rst")
Amateur. Real programmers who obfuscate things in publicly visible Javascript convert the function to hex first. Even better ones convert the entire Javascript codebase to hex and then decode it before execution. Even better ones convert it to hex, then rot13, then back to hex, then pig latin, and finally Egyptian hieroglyphic unicode before repeating everything twice for good measure.
This is PHP, not Javascript.
Think how obfuscated it'd be if they wrote their PHP in JavaScript!
That's an idea. Imagine if JavaScript creates PHP code using string concatenation (for obfuscation purposes, obviously - we're all about security), then sends it to the server using XHR, and that code is executed using PHP's eval. This would achieve total obfuscation (and therefore security!) - nobody can ever find the PHP code which runs in the PHP source files.
eval, my favorite function for making something secure!
I'd rather not. Thanks for the nightmares, though.
That's how my ransomware remains undetected. Good luck with your heuristics.
Using function names that have nothing to do with the actual function seems to be part of the obfuscation.
If I found that in one of my clients' codebases, I'd put the thing offline for likely breach first and ask questions later. Somebody took "learn from hackers" waaaaay too seriously here.
You people talk all about obfuscating by eval and code generation...
Just use Perl