Security Basics mailing list archives
Re: perl scrambling
From: "Tim Greer" <chatmaster () charter net>
Date: Sat, 21 Jun 2003 11:29:07 -0700
Hi,

For mod_perl, I don't think you can do as much as you can for CGI. You'd likely have to use CGI (or better yet, depending on your application, just create your own daemonized service). Let's face it, most people won't know how to get the source code from a Perl script that uses something like the Filter module or others, but people could if determined and know how.

Someone else stated that even compiling Perl isn't enough. I've never personally seen this and maybe someone thought I meant scrambled or encrypted code? I mean, basically, to get the source code--I don't see how they could, since there's no "Perl" source to get from the compiled Perl--since it's turned into a mess of C code before it's finally compiled. I could be wrong, since I never had a reason or need or desire to bother. Perhaps it's easy, but I don't see any definite information that points to that showing it being as simple or possible as compromising other methods, such as "obfuscated Perl code"--that would be easy to bypass.

The C code that perlcc outputs to create the resulting C code file(s) to compile (*the end result that's actually then compiled), is utterly non-readable and doesn't have "Perl code" before it's compiled. Someone could see what's going on in the program by using a number of methods and crack it anyway, as with any other program that's compiled, but I really don't see how they could get the raw source code from that. Maybe we're talking about something else, but it sounds like a reasonable solution to your problem, at least.

You can use perlcc to compile the program, and have it do the checking for the key and do an md5check on itself--but that would be inefficient. Someone could still crack it. Obviously C and assembly would be best, but with Perl, I think some decent logic and compiled Perl would do. You can do more than just compile it anyway. Just be aware that people can use a hex editor, strings, strace, etc. and see what the program is doing anyway and it wouldn't be a big feat to modify it to have a crack. Then again, would that many (or any) people bother and try and distribute it?

--
Regards,
Tim Greer chatmaster () charter net
Server administration, security, programming, consulting.

----- Original Message -----
From: "Charles Lacroix" <chuck () linuxquebec com>
To: <security-basics () securityfocus com>; <chuck () linuxquebec com>
Sent: Friday, June 20, 2003 12:14 PM
Subject: perl scrambling

Hi group,

The main reason I want to scramble the application is "it's on my todo list at work". The second reason is to make it as hard as possible for people to modify the code, mainly because we do not want to deal with supporting our application if it has been modified by a client. We had troubles with that in the past, and we do not want to deal with it anymore.

We want to protect the code because we sell the application and do not want some other company to use what we have and modify it to sell it again. I know that a good licence will protect you legally for that but it's not enough, we all know that some companies do not respect licences. Using file integrity check software like tripwire can be disabled by just about any admin.

Other part is we do not want the code to actually work before we give them a key to use the software, but that isn't the main priority. This key would also be used to updates available, and other special features.

So bottom line, we should have written it in another language but we didn't, so from there how can I secure up this mod_perl / cgi application? We need to do the following:

- Give a headache to the person who will read the source.
- Make sure they cannot alter the code, and be warned if it does
- Use a key that will let them use the code if they paid for the software.

Thanks
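The key check and self-digest check discussed in this message, sketched as an added example that is not code from either poster: the licence key is an HMAC over the customer name and a digest of the shipped file, so a key stops validating once the file is altered. It uses SHA-256 from the core Digest::SHA module in place of the md5 check mentioned above; the secret, the customer name `acme`, and the function names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: licence key bound to a digest of the shipped program.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);
use File::Temp qw(tempfile);

# Assumption: the secret ships inside the (compiled) program. Anyone who
# extracts it with strings or a debugger can mint keys or patch the check.
my $VENDOR_SECRET = 'constructed-demo-secret';

# Digest of the program file exactly as it exists on disk.
sub file_digest {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "cannot open $path: $!";
    local $/;                       # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return sha256_hex($data);
}

# Vendor side: the key ties one customer to one exact build of the code.
sub issue_key {
    my ($customer, $digest) = @_;
    return hmac_sha256_hex("$customer:$digest", $VENDOR_SECRET);
}

# Client side: recompute over the installed file and compare every byte.
sub key_is_valid {
    my ($customer, $key, $path) = @_;
    my $expected = issue_key($customer, file_digest($path));
    return 0 unless length($key) == length($expected);
    my $diff = 0;
    $diff |= ord(substr($key, $_, 1)) ^ ord(substr($expected, $_, 1))
        for 0 .. length($expected) - 1;
    return $diff == 0 ? 1 : 0;
}

# Constructed demo: a tiny "application" file, checked before and after edit.
my ($fh, $app) = tempfile(UNLINK => 1);
print {$fh} "print qq{hello\\n};\n";
close $fh;
my $key = issue_key('acme', file_digest($app));
print "as shipped: ", (key_is_valid('acme', $key, $app) ? "accepted" : "rejected"), "\n";

open my $out, '>>', $app or die "cannot append to $app: $!";
print {$out} "# client modification\n";
close $out;
print "after edit: ", (key_is_valid('acme', $key, $app) ? "accepted" : "rejected"), "\n";
```

Because the check and the secret both live in code the client controls, this raises the effort of tampering and flags modified installs for support purposes; it does not stop someone who patches the check out, which is the limitation the message describes.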
Current thread:
- perl scrambling Charles Lacroix (Jun 21)
- Re: perl scrambling Devdas Bhagat (Jun 23)
- Re: perl scrambling Tim Greer (Jun 23)
- <Possible follow-ups>
- RE: perl scrambling Dave Killion (Jun 24)
- Re: perl scrambling Tim Greer (Jun 25)