We Keep Coding

How to decrypt encrypted string?

I almost lost my mind trying to reverse this function, a friend of mine suggested to ask "the pros" so I am here.
<?php
$data = "Data to be encrypted";
$ceva = $data;
$textHos = 'MCRYPT_RIJNDAEL_128';
function encrypt($plaintext,$textHos) {
$textLen=str_pad(dechex(strlen($plaintext)),8, '0', STR_PAD_LEFT);
$salt='WSj2g7jTvc8ISmL60Akn';
$textHosHash=hash('sha256',$salt.$textHos);
$textHos= md5($textHos,true);
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $textHos,
$plaintext, MCRYPT_MODE_CBC,$iv);
$ciphertext = $iv . $textHosHash . $textLen . $ciphertext;
$ciphertext_base64 = base64_encode($ciphertext);
return $ciphertext_base64;
}
$data = encrypt($ceva,$textHos);
echo $data;
?>
The output is:
P8avDeviXdd7bKfNMP0gwmZmZjg1OWMzOWFlNzRiMzU2Y2JiMTQ5OTY4MTI3MWNiYjQzYjBkMTAyNDUzM2ZhNGJjZmZhNzQ4M2QxN2M0ZGYwMDAwMDAxNN2xStdw/bhxIxSOevRp37HiXJeVXz7Ge31KEvq9dZjT
any help with resolving the encrypted text into a readable one again?
Thanks.

Your encrypt function makes a lot of nonsense and I hope it doesn't run in any production environment.
function encrypt($plaintext,$textHos) {
// not needed..
//$textLen=str_pad(dechex(strlen($plaintext)),8, '0', STR_PAD_LEFT);
//$salt='WSj2g7jTvc8ISmL60Akn';
//$textHosHash=hash('sha256',$salt.$textHos);
$textHos = md5($textHos,true);
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $textHos,
$plaintext, MCRYPT_MODE_CBC,$iv);
// i commented out the unneccessary parts..
$ciphertext = $iv /* . $textHosHash . $textLen . */ $ciphertext;
$ciphertext_base64 = base64_encode($ciphertext);
return $ciphertext_base64;
}
So whats left in the encrypted data is the iv vector (and 72 chars of some unneccessary data) and the encrypted data itself - encoded in base64
Reversing this is quite easy
function decrypt($ciphertext, $textHos) {
$text = base64_decode($ciphertext);
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = substr($text, 0, $iv_size);
$textHos = md5($textHos, true);
// the +72 is neccessary for your original code - the code above doesn't need this part
$ciphertext = substr($text, $iv_size + 72);
$encrypted = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $textHos, $ciphertext, MCRYPT_MODE_CBC, $iv);
return rtrim($encrypted, chr(0));
}
Note: DON'T USE THIS CODE IN PRODUCTION! Nowdays AES128 isn't safe

PHP Blowfish encrypt / decrypt with database

I have an encrypt / decrypt code found on stackoverflow.
It is this one:
public function decrypt_blowfish($data,$key){
try{
$iv = pack("H*" , substr($data,0,16));
$x = pack("H*" , substr($data,16));
$res = mcrypt_decrypt(MCRYPT_BLOWFISH, $key, $x , MCRYPT_MODE_CBC, $iv);
return $res;
}catch(Exception $ex){
echo $ex->getMessage();
}
}
function encrypt_blowfish($data,$key){
try{
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$crypttext = mcrypt_encrypt(MCRYPT_BLOWFISH, $key, $data, MCRYPT_MODE_CBC, $iv);
return bin2hex($iv . $crypttext);
}catch(Exception $ex){
echo $ex->getMessage();
}
}
it works fine if i test it just with a php without values out of a database, but if i use it with values out of a database i get things like "Manuel��" instead of just "Manuel" - can you tell me what is my mistake?

try by encoding to 64 bits and encrypting the string and and after decryption decode it. it will work...
$newDataToEncrypt=base64_encode($data);
And after getting a decrypted text
$data=base64_decode($decryptData);
try it

PHP sending encrypted data via the URL

I'm trying to send encrypted data over the url to another site (using file_get_contents("anotherUrl.php?hash=$encryptedString"). The problem is, sometimes, the encryption contains some special characters, like +, and this causes the decryption to fail.
Here are my encryption / decryption methods:
public function encrypt($string, $key)
{
return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, md5($key), $string, MCRYPT_MODE_CBC, md5(md5($key))));
}
public function decrypt($encrypted, $key)
{
return rtrim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, md5($key), base64_decode($encrypted), MCRYPT_MODE_CBC, md5(md5($key))), "\0");
}
Here's an example encrypted string which contains a +, and I'm guessing that this causes the decryption to fail.
oWCrVPaS+5GbxcQFc0fulUk/zRAkDD60av4zlPiWskE=
Any ideas how I should solve this? I've tried to do urlencode() and urldecode() on the hash, however that also seems to cause the encryption to break. Is there a way to change the encryption algorithm to get it to only return url safe characters?

Take a look at this thread:
Passing base64 encoded strings in URL
Essentially you DO want to urlencode() before sending the string, however you do NOT want to urldecode() at the other end.

In order to solve this problem I now use the following (after 3 hours of pain), and it works great.
Feel free to copy and paste
function encrypt($pure_string) {
$dirty = array("+", "/", "=");
$clean = array("_PLUS_", "_SLASH_", "_EQUALS_");
$iv_size = mcrypt_get_iv_size(MCRYPT_BLOWFISH, MCRYPT_MODE_ECB);
$_SESSION['iv'] = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$encrypted_string = mcrypt_encrypt(MCRYPT_BLOWFISH, $_SESSION['encryption-key'], utf8_encode($pure_string), MCRYPT_MODE_ECB, $_SESSION['iv']);
$encrypted_string = base64_encode($encrypted_string);
return str_replace($dirty, $clean, $encrypted_string);
}
function decrypt($encrypted_string) {
$dirty = array("+", "/", "=");
$clean = array("_PLUS_", "_SLASH_", "_EQUALS_");
$string = base64_decode(str_replace($clean, $dirty, $encrypted_string));
$decrypted_string = mcrypt_decrypt(MCRYPT_BLOWFISH, $_SESSION['encryption-key'],$string, MCRYPT_MODE_ECB, $_SESSION['iv']);
return $decrypted_string;
}

Instead of using Base64 for encoding your data you can also use Base32 (RFC 4648) which is URL-safe because it only uses letters A–Z (case-insensitive) and the digits 2–7. There is already a PHP library for encoding/decoding. Note that Base32 takes ~20% more space than Base64.
You can also use URLcrypt which is a handy library helping you with encryption and Base32 encoding.

class Encryption {
var $skey = "SuPerEncKey2010"; // you can change it
public function safe_b64encode($string) {
$data = base64_encode($string);
$data = str_replace(array('+','/','='),array('-','_',''),$data);
return $data;
}
public function safe_b64decode($string) {
$data = str_replace(array('-','_'),array('+','/'),$string);
$mod4 = strlen($data) % 4;
if ($mod4) {
$data .= substr('====', $mod4);
}
return base64_decode($data);
}
public function encode($value){
if(!$value){return false;}
$text = $value;
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $this->skey, $text, MCRYPT_MODE_ECB, $iv);
return trim($this->safe_b64encode($crypttext));
}
public function decode($value){
if(!$value){return false;}
$crypttext = $this->safe_b64decode($value);
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $this->skey, $crypttext, MCRYPT_MODE_ECB, $iv);
return trim($decrypttext);
}
}

Wrong decryption with mcrypt_decrypt

I am encrypting a string with PHP's mcrypt_encrypt function. This is my code:
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$this->iv = mcrypt_create_iv($ivSize, MCRYPT_RAND);
$encryptionKey = pack('H*', $key);
$stringToEncryptUTF8 = utf8_encode($stringToEncrypt);
$ciphertext = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $encryptionKey, $stringToEncryptUTF8, MCRYPT_MODE_CBC, $this->iv);
$ciphertext = $this->iv . $ciphertext;
$ciphertextBase64 = base64_encode($ciphertext);
$cipherTextURLEncoded = rawurlencode($ciphertextBase64);
return $cipherTextURLEncoded;
Now I send the encrypted string to a client which later sends it back through an URL. Then I want to decrypt it using:
$stringToDecrypt = base64_decode($stringToDecrypt);
$ivSize = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = substr($stringToDecrypt, 0, $ivSize);
$stringToDecrypt = substr($stringToDecrypt, $ivSize);
$encryptionKey = pack('H*', $key);
$decodedText = mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $encryptionKey, $stringToDecrypt, MCRYPT_MODE_CBC, $iv);
return $decodedText;
This is giving me garbage though and not the original string. The variable $key has the same value in both cases. What is wrong?

I had to trim the decrypted string to remove \0 characters at the end of it. Now it works.

You don't reverese the rawurlencode step:
$cipherTextURLEncoded = rawurlencode($ciphertextBase64);
Try to add this:
$stringToDecrypt = rawurldecode($stringToDecrypt);

PHP AES 256 encrypt weird characters

I have the following encrypt code:
function encryptData($value){
$key = "7685647tfyr65413285746352413sgfh";
$text = $value;
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
return $crypttext;
}
echo 'Encrpt: ' . encryptData('This is just a test');
The output is: Encrpt: yUB�F3�*ľ�G-�ۅd�8�f�_�X/O
I'm going to place this into a mySQL database but was unsure if it would accept those types of weird characters?
Am i doing this correctly?

Yes, you are doing it correctly, however the output is a binary value. To be save, it's good practice to encode it to a 'regular' string via
$encrypted_base64 = base64_encode($crypttext);
Just remember to do the opposite before decoding;
$crypttext = base64_decode($encrypted_base64);