WebApp Sec mailing list archives

Re: protecting perl script source


From: H D Moore <sflist () digitaloffense net>
Date: Fri, 31 Jan 2003 12:39:57 -0600

On Thursday 30 January 2003 03:03 am, Eyal Udassin wrote:
Hi

As mentioned here quite a few times, source filters are far from
being a worthy solution to this problem.
In case you're using a Windows box, I strongly suggest moving your
sensitive code to a DLL and calling it from Perl using Win32::API.

There's no place like C :-)

The perl decrypt module uses a shared library written in C to manipulate 
the script. Common practice is to detect and exit if perl was called with 
a compiler backend, too bad you can just patch the library to not exit ;)

I was auditing some web mail software and the evaluation version has been 
run through the Perl "encryption" filter. The "decryption" filter is 
written in C and the compiled version is shipped with the product. Perl 
has a really nice method of reformatting source, called the Deparse 
module, it can be used to rip the plain source code from an "encrypted" 
script. One of the features of the decryption filter is that it detects when 
the script is being run through a compiler (i.e. the Deparse module) and 
kills itself. It took maybe 5 minutes to nop out all calls to Perl_croak 
in the decrypt.so binary and proceed to audit the code...

The recommended implementation of Filter::decrypt is to compile the filter 
statically into the Perl binary and then strip it; apparently this company 
didn't think it was worth the bother to ship a giant static perl 
executable with their eval version.

There are a dozen other ways to extract the source code, this one just 
happened to be the easiest and took just a few minutes to do. You could 
write a program which links directly to the exported Decrypt function, 
create your own library which loads the real filter and logs the 
input/output, or just halt the app after the filter code executes and 
just rip it out of memory. Not sure what the point of the "decrypt" 
filter is if there are so many ways to bypass it.

-HD

---
hdm@ice:/downloads/someapp > perl -MO=Deparse crypted.pl
Aborting, Compiler detected at 
/usr/lib/perl5/5.6.1/i686-linux/DynaLoader.pm line 225.
Compilation failed in require at crypted.pl line 4.
BEGIN failed--compilation aborted at crypted.pl line 4.

(5 minutes later, after patching the shared library)

hdm@ice:/downloads/someapp > cp xyz.so libs/auto/Filter/decrypt/decrypt.so
hdm@ice:/downloads/someapp > perl -MO=Deparse crypted.pl
Content-type: text/html
[ snip ]
my $var=...
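The post's point is that a source filter has to hand perl the plaintext before anything can be compiled, so whatever the filter emits is recoverable from the interpreter (Deparse being the laziest route). The following script is an added illustration, not code from the thread or from any vendor's filter: it builds a toy filter module (the name RotFilter, the ROT13 "cipher", the sample script body and the write_file helper are all constructed for this example), writes an encoded script, runs it normally, and then runs B::Deparse over it to show that the decoded source comes straight back out. No compiler check is included; as the transcript above shows, such a check only moves the problem.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: a toy source filter
# plus a check that B::Deparse recovers the decoded source anyway.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical module standing in for a vendor's "decrypt" filter.
# ROT13 keeps the example readable; the argument does not depend on
# the cipher, because whatever the filter outputs is what perl compiles.
my $filter_module = <<'END_MODULE';
package RotFilter;
use strict;
use warnings;
use Filter::Util::Call;

sub import {
    # filter_add() installs a filter over the rest of the file that
    # executed "use RotFilter;". Each source line is decoded in $_
    # before the parser sees it.
    filter_add(sub {
        my $status = filter_read();
        tr/A-Za-z/N-ZA-Mn-za-m/ if $status > 0;
        return $status;
    });
}
1;
END_MODULE

# Constructed "sensitive" script body; the vendor would ship it encoded.
my $plain_body = <<'END_PLAIN';
my $secret = "database password";
print "Content-type: text/html\n\n";
print "secret is $secret\n";
END_PLAIN
(my $encoded_body = $plain_body) =~ tr/A-Za-z/N-ZA-Mn-za-m/;
my $crypted_script = "use RotFilter;\n" . $encoded_body;

my $dir = tempdir(CLEANUP => 1);
mkdir "$dir/lib" or die "mkdir: $!";
write_file("$dir/lib/RotFilter.pm", $filter_module);
write_file("$dir/crypted.pl", $crypted_script);

print "--- crypted.pl as shipped ---\n$crypted_script\n";

# Normal run: the filter decodes the body and the script executes.
print "--- perl crypted.pl ---\n";
system($^X, "-I$dir/lib", "$dir/crypted.pl") == 0 or die "run failed";

# Deparse prints the *filtered* source: the encoding protected nothing.
print "--- perl -MO=Deparse crypted.pl ---\n";
system($^X, "-I$dir/lib", "-MO=Deparse", "$dir/crypted.pl") == 0
    or die "deparse failed";

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "cannot write $path: $!";
    print {$fh} $content;
    close $fh or die "close $path: $!";
}
```

Run it with `perl source_filter_demo.pl`; it needs only Filter::Util::Call, which ships with perl. The three sections of output make the design point: the on-disk script is unreadable, the normal run prints the "secret", and the Deparse run prints the same `my $secret = 'database password';` line in clear. For a defender evaluating a product that relies on this kind of filter, the conclusion is the one in the post: treat the "encrypted" source as readable by anyone who can run it, and keep real secrets (credentials, keys) out of the script entirely.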