Admin
VW01S2NHTXpVV2c9
Admin
I laughed out loud at reversing the name of base64.
You can't make this up!!
Admin
PHP is super slow by itself, I wonder how much slower the code runs because of this
Admin
Best comment so far...
Admin
That’s frickin’ hilarious
Admin
The true WTF is that they think that someone who figured out one layer of reversed decode would stop there!
Admin
Ya got me! Hahahaha!
Admin
The devs know something about crypto. Not much, but something. They know hashes and some crypto systems repeat the hashing/encryption process multiple times to improve security. So clearly 3 base-64 encodings are far more secure than 1. I fear what'll happen when some HPC points out that as processors get faster, they need more iterations to retain the same degree of security. Some current legit crypto systems really do use 80 iterations.
Some of us are old enough to remember when original DES was the new hotness, quickly superseded by, yep, triple-DES, which is, roughly speaking, just 3 iterations of basic DES.
A scarier possibility is that this is the result of running the whole codebase through multiple rounds of obfuscation. And different numbers of rounds in different areas of that codebase. Soon they'll lose the unobfuscated version in their non-source control and the whole outfit will collapse in a cloud of self-referential obfuscation.
IOW, it's obfuscation all the way down.
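As an added example (not from the thread or from the plugin being discussed), a small Python helper of the kind an analyst would use when triaging an obfuscated file: it peels nested base64 and strrev+base64 wrappers off a captured string and reports each step, which shows how little the extra "iterations" buy. The first sample is the triple-encoded comment posted earlier in this thread; the strrev sample and its payload are constructed for illustration.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable)

# The triple-base64 comment from this thread (decodes to a six-character word).
SAMPLE_FROM_THREAD = "VW01S2NHTXpVV2c9"
# Constructed sample: base64 of "echo 'hi';" with PHP strrev() applied on top.
SAMPLE_STRREV = "==wOnkGanAyboNWZ"

def _try_b64(s: str):
    """Return decoded text if s is strict base64 for printable ASCII, else None."""
    if not s or len(s) % 4 != 0:
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if text and all(c in PRINTABLE for c in text):
        return text
    return None

def peel_layers(blob: str, max_layers: int = 16):
    """Strip nested base64 / strrev+base64 wrappers until nothing decodes.

    Returns the list of (transform, result) steps. Stops at max_layers so a
    blob that keeps decoding to valid base64 by coincidence cannot loop forever.
    """
    steps = []
    cur = blob
    for _ in range(max_layers):
        decoded = _try_b64(cur)
        if decoded is not None:
            steps.append(("base64_decode", decoded))
        else:
            decoded = _try_b64(cur[::-1])  # PHP strrev() undone before decoding
            if decoded is None:
                break
            steps.append(("strrev+base64_decode", decoded))
        cur = decoded
    return steps

if __name__ == "__main__":
    for sample in (SAMPLE_FROM_THREAD, SAMPLE_STRREV):
        print(sample)
        for transform, result in peel_layers(sample):
            print(f"  {transform:>22} -> {result!r}")
```

The printable-ASCII check is the stopping heuristic: real code or text that happens to be a multiple of four characters and valid base64 would be peeled one layer too far, so the step list should be read by a human rather than trusted blindly.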
Admin
This whole thing reminds me of Amazon. I have some friends who sell on their own website, eBay and Amazon alike. For reasons I won't go into here (but might make an interesting WTF in its own right) I needed to write a scraper for my friends' pages on Amazon. In the process, I was stunned to find that a lot of what appears to be static text and graphics on a page would actually be encoded in a way very similar to the story's add-on. Base-64 encrypted, reversed, eval'ed into more text to be decoded, and only applied to portions of a page randomly. About the only thing missing was use of JSFuck and Double Rot-13 encryption. To this day I'm not sure if I should be appalled or impressed.
Admin
I can see absolutely no way that this could negatively impact on website performance, whether it be in terms of download time or time to execute the code.
No way whatsoever.
Reminds me of a TV station in Australia that used to(?) do essentially the same thing to its TV schedule on its website. It took forever to load, and I reckon that this sort of "trickery" was the reason for that.
Admin
Obfuscation is usually just a clear indicator that something in the code is super fishy and they want to hide it. Nothing more, nothing less. It literally doesn't matter what the source code is; if you want to reverse engineer it, you can do it easily these days whatever it is, and 99% of code is usually made out of such easy and well-understood patterns that there is no point at all in hiding anything in the first place.
Admin
This brings back memories. Many years ago, at a former employer, one of our servers got infected with a PHP exploit kit. It was obfuscated in the exact same way as this plugin...
Admin
The problem is that they don't know why repeating the hashing process improves security. All it does is increase the time it takes for the algorithm to run. When you want to prevent brute-force attacks on passwords, that's a good thing. When you want to display a web page, not so much.
Admin
Except it turns out that doing DES three times isn't cryptographically sound, so 3DES runs the text through the encryption algorithm once, then decrypts with a second key, then encrypts with a third. They are 56 bit keys, but the algorithm is only rated at 112 bits of strength (2 keys) because the second pass does nothing but fix the weakness of "doing the same thing several times in a row hoping it gets better". So, it turns out that your comparison of this monstrosity to 3DES isn't really fair since 3DES exhibits none of the stupidity seen here.
Admin
TRWTF is Magento :/
Admin
So glad that when I decoded the Easy Reader it went where I thought it would!