Likewise, I've witnessed a reversible variant of SHA-1. They must have somehow messed up the break condition because it essentially only did one round.
Oh my, yes. 128-bit RSA signatures, anyone? AES-256... in ECB mode, with a static key that's the MD5 of a super-secret string in the binary with each byte sign-extended to 16-bit? ^0xA5? ROT13? I have seen them all, and I have despaired.
So many vendor "engineering" backdoors, too. Gah.