
Request: review my code, please.


jonsjava


I was working on this encryption/obfuscation script, and posted it in the beta test section of the forums. That was 3 days ago, and it hasn't been approved. Still awaiting moderation. I hate multi-posting, but I could use insight as to what I can do to make it more obfuscated/encrypted.

<?php
class trucrypt{
var $data;
var $salt;
var $date;
var $encrypted;
var $return;
function __construct($data,$salt,$date,$encrypt=true){
	$this->salt = $salt;
	$this->date = $date;
	if ($encrypt == true){
		$this->data = $data;
		$this->crypt();
	}
	else{
		$this->encrypted = $data;
		$this->decrypt();
	}
}
public function crypt(){
	$data = $this->data;
	$salt = $this->salt;
	$date = $this->date;
	$out = array();
	if (!is_numeric($date)){
		$date = date("U",strtotime($date));
	}
	$data_a = str_split($data);
	foreach ($data_a as $key=>$val){
		$out[$key] = md5($val.$salt.$date.$key);
	}
	$this->return = $out;
}
public function decrypt(){
	$encrypted = $this->encrypted;
	$salt = $this->salt;
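	$date = $this->date;
	// Normalise the date the same way crypt() does, so both sides hash the same value
	if (!is_numeric($date)){
		$date = date("U",strtotime($date));
	}
	$out = "";
	// Candidate characters tried against each hash (each character listed once)
	$charmap = array("\n",0,1,2,3,4,5,6,7,8,9,"A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","!","@","#","$","%","^","&","*","(",")","-","_","=","+",";",":","'","\"",",",".","/","\\","|","[","]","{","}","<",">","?","`","~"," ","a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z");
	foreach ($encrypted as $key=>$val){
		foreach ($charmap as $val2){
			$crypt = md5($val2.$salt.$date.$key);
			// Strict comparison: == would compare "0e..."-style hex strings as numbers
			if ($crypt === $val){
				$out .= $val2;
				break; // stop at the first matching character for this position
			}
		}
	}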
	$this->return = $out;
}
}
$date = date("U");
$test = "This is a test
I hope it works!";
$da = new trucrypt($test,"cheeseburger",$date,true);
$encrypted = $da->return;
print_r($encrypted);
echo "\n<br /><br /><br />\n\n\n";
$da2 = new trucrypt($encrypted,"cheeseburger",$date,false);
echo $da2->return;
?>

Link to comment
Share on other sites

Well, one thing I noticed is since you're using md5, which doesn't actually encrypt something, but rather hashes it (a hash can't be unhashed), I don't see how your decrypt function would work (assuming it's supposed to decrypt an encrypted string).

The encrypting part seems good though.

Link to comment
Share on other sites

kk, I'll report back with my findings

EDIT:

OK, a few errors. The variable $this->encrypted never seems to be set (in your example code) because of the if statement in your constructor.

Because of this, calling the decrypt function like so

echo $da->decrypt();

results in an error (invalid argument for foreach; it refers to this foreach):

foreach ($encrypted as $key=>$val){

Link to comment
Share on other sites

TODO: write a usage. Sorry. I need to do that.

Here's a brief overview:

To encrypt, you do it as such:

$test_data = "aaaaaaaaaaaaa!@$#///";
$date = "1269639226";
$class = new trucrypt($test_data,"some_salt_goes_here",$date,true);
print_r($class->return);

To decrypt, you do pretty much the same thing, but only putting the encrypted array into it:

$test_data = Array(0 => 'a3372b1b5b7f9a51f4f16f2bb0de08b4',
    1 => "b928aad727461d2090d7ea4cd8840fcb",
    2 => "8a5c80995f3a761e8d172bf8a33158a0",
    3 => "35586bd8deb68dff35240fbebaa9e33f",
    4 => "fbf5027b9dd8e09e881923dea0acaad6",
    5 => "894f5885b146d9391e0d6c8409e7479c",
    6 => "c8cc0fc5e05ee6a1c74177481fa55c41",
    7 => "f394cdfe38e11127d1cfcb29fa32edce",
    8 => "158621523d2133e11b8f41b32f210a20",
    9 => "9cce4a1c5d55b5259f3111ca4f21cb05",
    10 => "a373afa6210085ef202777ba9391b465",
    11 => "8c607b517ce804fd1b7aeca956c8dbcc",
    12 => "cb79d3111ce3b197c03330506c89cfd1",
    13 => "6d09c1fe8523c19a70286440fb400391",
    14 => "7773e559351770c4907ffe727b98f662",
    15 => "5c72343aa62983df003acc2a734f721b",
    16 => "210cfb2dfc9aee347468b1b8d09cb866",
    17 => "1d74930ede0e2e46dbf71413526448de",
    18 => "d8f61b3c7bd2fe584c73704d82bef568",
    19 => "17b13c8b7354a56ef8955d3f2c3b1fe8");
$date = "1269639226";
$class = new trucrypt($test_data,"some_salt_goes_here",$date,false);
echo $class->return;

See how I changed true to false. That determines if it is encrypting or decrypting. Sorry for not explaining the usage.

Link to comment
Share on other sites

Could you please tell me how my script is obfuscation? I said obfuscation because I wanted to make sure I covered all bases, but now, I realize that it's nowhere near obfuscation. Each character gets hashed, and it's undecipherable unless you know the salt and generation date to the second. You could supposedly get a rough estimate of what it says, if you put a 100 character encrypted file through a rainbow list for about 3 years or so, but by then, the message shouldn't matter.

Link to comment
Share on other sites

My Tips:

1. Constructor should never do real work

2. The $encrypt = false|true is IMO bad; use encrypt() and decrypt() instead, or if that's not possible, use a separate class for each.

3. If you're using PHP5 then make everything PHP5 (format appropriately)

4. MD5 is for hashing, not encryption/decryption, and dictionary lookups don't count (+ are too slow), see http://stackoverflow.com/questions/1240852/is-it-possible-to-decrypt-md5-hashes

Link to comment
Share on other sites

For encrypting, you seem to be splitting the string up and then creating an MD5 hash for every character in the string, along with $salt, $date and $key (which all act as salts). For decrypting you loop through every hash, and loop through a limited character list in an attempt to find out which character was used when the hash was generated.

It would be incredibly slow for strings of considerable length, and due to the limited character list you use for "decrypting", it only works with plaintext. Not multiline plaintext, either, since the carriage return, \r, isn't in the "decryption" character list.

Link to comment
Share on other sites
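The tips above (separate encrypt() and decrypt() methods, a constructor that does no real work, MD5 being a hash rather than a cipher) and the limits noted in the last reply (slow lookups, a fixed character list, no \r) are all addressed by an authenticated cipher. This is an added example, not code from the thread; it assumes PHP 7.4+ with the bundled sodium extension, and the class name SecretBoxCipher is hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with ext-sodium.
// SecretBoxCipher is a hypothetical name chosen for this illustration.
final class SecretBoxCipher
{
    private string $key;

    // The constructor only validates and stores the key; it encrypts nothing.
    public function __construct(string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('Key must be 32 random bytes.');
        }
        $this->key = $key;
    }

    // Returns base64(nonce || ciphertext+MAC); a fresh random nonce per message.
    public function encrypt(string $plaintext): string
    {
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = sodium_crypto_secretbox($plaintext, $nonce, $this->key);
        return base64_encode($nonce . $box);
    }

    // Returns the plaintext, or throws if the input is malformed or was modified.
    public function decrypt(string $encoded): string
    {
        $raw = base64_decode($encoded, true);
        $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
        if ($raw === false || strlen($raw) < $min) {
            throw new RuntimeException('Malformed ciphertext.');
        }
        $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        if ($plain === false) {
            throw new RuntimeException('Authentication failed.');
        }
        return $plain;
    }
}

// Constructed sample input: a CRLF line ending and a multi-byte character,
// both outside the character list used by the thread's decrypt().
$cipher = new SecretBoxCipher(sodium_crypto_secretbox_keygen());
$message = "This is a test\r\nI hope it works! \u{00e9}";
$token = $cipher->encrypt($message);
var_dump($cipher->decrypt($token) === $message); // compare decrypted bytes with the original
```

The key comes from sodium_crypto_secretbox_keygen() and must be stored secretly; unlike the salt-plus-timestamp pair in the original script, it is 32 bytes of random data rather than guessable values.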
