CodeSOD: Classic WTF: Functional Encryption
by Alex Papadimoulis from The Daily WTF on (#5AWJD)
It's Thanksgiving Day in the US. Yesterday, we looked at a classic "encryption" story, and today, we should all be thankful that we don't have to support this encryption code. Original --Remy
Richard's company builds, hosts, and maintains a variety of small- and mid-sized web-based applications for their clients. Recently, one of their clients asked Richard to help audit a fraudulent transaction, which meant that Richard needed to dig through the code to see how to decrypt bank account numbers stored in the database. The search led him to H88493247329(), the method responsible for encrypting customer data. After spending a minute to add linebreaks and rename the variables, Richard asked his coworker why he obfuscated the code. His coworker scoffed, "You should always encrypt your encryption functions -- it's completely insecure otherwise."
function H88493247329($B89424235)
{
    //ED: Linebreaks added
    global $a,$e,$m,$H;
    $X42342234 = $H . "." . $m . "-" . $a;
    $KJD234 = fopen($X42342234,"r");
    $MMNVUD884 = fread($KJD234,filesize($X42342234));
    fclose($KJD234);
    $MQUFI3 = mcrypt_module_open('','','','');
    $MMNVUD884 = substr($MMNVUD884,0,mcrypt_enc_get_key_size($MQUFI3));
    $JF8_size = mcrypt_enc_get_iv_size($MQUFI3);
    $JF8 = mcrypt_create_iv($JF8_size, MCRYPT_RAND);
    if (mcrypt_generic_init($MQUFI3,$MMNVUD884,$JF8)!=-1)
    {
        $KIDO83R4234FFS = mcrypt_generic($MQUFI3,$B89424235);
        mcrypt_generic_deinit($MQUFI3);
        mcrypt_module_close($MQUFI3);
    }
    return $KIDO83R4234FFS;
}
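
For contrast, an added example (not code from the original article or from Richard's company) of the same job written readably in PHP with the bundled sodium extension: only the key file has to stay secret, and the nonce is stored with the ciphertext so that someone auditing a record later can decrypt it, whereas the function above returns the ciphertext alone. The function names, the temporary key file and the sample account number are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Read the secret key from a file; the path is supplied by the caller (assumption).
function loadKey(string $path): string
{
    $key = file_get_contents($path);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('key file missing or wrong length');
    }
    return $key;
}

// Authenticated encryption; a fresh nonce is prepended to the ciphertext.
function encryptAccountNumber(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Split the stored value back into nonce and box, then verify and decrypt.
function decryptAccountNumber(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('malformed ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('wrong key or tampered ciphertext');
    }
    return $plain;
}

// Demo with constructed data: a throwaway key file and a made-up account number.
$keyFile = tempnam(sys_get_temp_dir(), 'key');
file_put_contents($keyFile, sodium_crypto_secretbox_keygen());
$key = loadKey($keyFile);
$stored = encryptAccountNumber('000123456789', $key);
echo decryptAccountNumber($stored, $key), PHP_EOL;
unlink($keyFile);
```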