Dear plugin developers who think they’re protecting IP by ‘packing’ and ‘encoding’: DON’T!

This is just a little rant. In the course of my work I occasionally have to recover other people’s (badly maintained) websites from hacks and compromises, which means manually scrutinising files (usually PHP or JS) for the tell-tale signs of webshells and other malware. I’m talking about things like:

  • (function(p,a,c,k,e,r)
  • base64_encode (and its partner in crime: eval )
  • decode[hex]
  • … etc. etc.

Obviously there are perfectly legitimate uses of these, in particular to compress data or to make it safe for transport through layers that aren’t ‘8-bit clean’. On a number of occasions, however, I see them used where no such reason is apparent: there is no compression gain that minification wouldn’t provide better, and the data isn’t passing through any layer that can’t carry it as-is. In short there is no good reason, though there is one I often suspect: obfuscation, in an ill-conceived attempt to protect the code as the author’s intellectual property. If that is what you are doing, STOP IT! Anybody who knows the language can decode it with a little time. All it achieves is to strip the code of its comments, make maintenance and scrutiny of the files that much more involved and time consuming, and leave your file looking, at a glance, exactly like the webshells I’m hunting for.
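
As an added example (not part of the original post), here is the kind of Python triage script I would use for exactly this job: it flags the indicators listed above in PHP/JS text, and then statically peels nested `eval(fn(fn('...')))` layers by applying the named PHP decoders in reverse, which is all “decoding it with a little time” really amounts to. Nothing is ever executed. The two-layer PHP sample and the packed-JS fragment it inspects are constructed inside the script, and the indicator names and decoder set are my own choices, not anything taken from the post or from a real compromise.

```python
"""Triage helper: flag obfuscation indicators, then statically peel eval()
layers. Example code added to this post; the samples it inspects are
constructed below, not taken from a real compromise."""
import base64
import codecs
import re
import sys
import zlib

# Tell-tale constructs worth a second look in PHP/JS. Names are my own labels.
INDICATORS = {
    # Dean Edwards-style packer header; the last parameter is 'r' or 'd'
    # depending on the packer version.
    "packer": re.compile(r"\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[rd]\s*\)"),
    # eval() fed directly by a decoder/decompressor (PHP).
    "eval_chain": re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|strrev|base64_decode)\s*\(", re.I),
    # A long inline base64 literal handed to base64_decode().
    "b64_literal": re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I),
    # Runs of \xNN escapes hiding strings.
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"),
    # eval() fed by the JS equivalents.
    "js_eval_decode": re.compile(r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(", re.I),
}


def scan(source: str) -> dict:
    """Return {indicator: hit count} for every indicator present in `source`."""
    hits = {}
    for name, rx in INDICATORS.items():
        n = len(rx.findall(source))
        if n:
            hits[name] = n
    return hits


# PHP decoder functions and their Python inverses, all working on bytes.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),   # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),                 # zlib-wrapped
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval( fn1( fn2( ... 'literal' ) ) ) ;   group 1 = function chain, group 2 = literal
EVAL_CHAIN = re.compile(r"eval\s*\(\s*((?:\w+\s*\(\s*)+)['\"]([^'\"]+)['\"]\s*\)+\s*;?", re.S)


def peel(source: str, max_layers: int = 10):
    """Statically unwrap nested eval layers. Returns (unwrapped source, list of
    decoder chains applied, outermost layer first). Stops at an unknown wrapper
    rather than guessing, and never executes anything."""
    trail = []
    for _ in range(max_layers):
        m = EVAL_CHAIN.search(source)
        if not m:
            break
        funcs = re.findall(r"\w+", m.group(1))   # e.g. ['gzinflate', 'base64_decode']
        if any(f not in DECODERS for f in funcs):
            break
        data = m.group(2).encode("latin-1")
        for fn in reversed(funcs):                # PHP evaluates the innermost call first
            data = DECODERS[fn](data)
        trail.append(" -> ".join(reversed(funcs)))
        # splice the decoded layer back in place of the eval() call
        source = source[:m.start()] + data.decode("latin-1") + source[m.end():]
    return source, trail


def build_sample(inner: str) -> str:
    """Constructed two-layer sample in the style seen in the wild:
    gzinflate+base64 inside, str_rot13+base64 outside."""
    deflater = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    deflated = deflater.compress(inner.encode()) + deflater.flush()
    layer1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(deflated).decode()
    rotated = codecs.encode(layer1, "rot13").encode("latin-1")
    return "<?php eval(str_rot13(base64_decode('%s'))); ?>" % base64.b64encode(rotated).decode()


# Constructed JS fragment carrying the packer header (not a real packed script).
JS_PACKED_SAMPLE = "eval(function(p,a,c,k,e,r){e=String;return p}('0 1',2,2,'var|x'.split('|'),0,{}))"


if __name__ == "__main__":
    texts = {"constructed.php": build_sample('echo "constructed sample";'),
             "constructed.js": JS_PACKED_SAMPLE}
    for path in sys.argv[1:]:                     # any real files to triage
        with open(path, encoding="latin-1") as fh:
            texts[path] = fh.read()
    for name, text in texts.items():
        print(name, scan(text))
        unwrapped, trail = peel(text)
        if trail:
            print("  peeled:", trail)
            print("  inner :", unwrapped)
```

Run it with no arguments to see the constructed sample flagged and unwrapped to its plain `echo`, or pass file paths to triage real files. The point of `peel` is precisely the one made above: every wrapper an obfuscator adds is a named, invertible function, so the “protection” is a table lookup applied in reverse, while the legitimate comments are gone for good.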

Rant over. Grrrrr.
