Security Basics mailing list archives

Re: perl scrambling


From: "Tim Greer" <chatmaster () charter net>
Date: Sat, 21 Jun 2003 11:29:07 -0700

Hi,

For mod_perl, I don't think you can do as much as you can for CGI. You'd
likely have to use CGI (or better yet, depending on your application, just
create your own daemonized service). Let's face it, most people won't know
how to get the source code from a Perl script that uses something like the
Filter module or others, but people could if they are determined and know how.

Someone else stated that even compiling Perl isn't enough. I've never
personally seen this; maybe someone thought I meant scrambled or
encrypted code? I mean, basically, to get the source code--I don't see how
they could, since there's no "Perl" source to get from the compiled
Perl--it's turned into a mess of C code before it's finally compiled.
I could be wrong, since I never had a reason, need or desire to bother.
Perhaps it's easy, but I don't see any definite information showing it to be
as simple or as possible as compromising other methods, such as
"obfuscated Perl code"--that would be easy to bypass.

The C code that perlcc outputs (the end result that's actually then
compiled) is utterly non-readable and doesn't contain "Perl code" before
it's compiled. Someone could see what's going on in the program by using a
number of methods and crack it anyway, as with any other compiled program,
but I really don't see how they could get the raw source code from that.
Maybe we're talking about something else, but it sounds like a reasonable
solution to your problem, at least.

You can use perlcc to compile the program, and have it do the checking for
the key and do an MD5 check on itself--but that would be inefficient. Someone
could still crack it. Obviously C and assembly would be best, but with Perl,
I think some decent logic and compiled Perl would do. You can do more than
just compile it anyway. Just be aware that people can use a hex editor,
strings, strace, etc. and see what the program is doing anyway, and it
wouldn't be a big feat to modify it to have a crack. Then again, would that
many (or any) people bother to try and distribute it?
--
Regards,
Tim Greer  chatmaster () charter net
Server administration, security, programming, consulting.


----- Original Message -----
From: "Charles Lacroix" <chuck () linuxquebec com>
To: <security-basics () securityfocus com>; <chuck () linuxquebec com>
Sent: Friday, June 20, 2003 12:14 PM
Subject: perl scrambling



Hi group,

The main reason I want to scramble the application is "it's on my todo list
at work". The second reason is to make it as hard as possible for people to
modify the code, mainly because we do not want to deal with supporting our
application if it has been modified by a client.

We had trouble with that in the past, and we do not want to deal with it
anymore.

We want to protect the code because we sell the application and do not
want some other company to take what we have, modify it and sell it again.
I know that a good licence will protect you legally for that, but it's not
enough; we all know that some companies do not respect licences.
File integrity check software like Tripwire can be disabled
by just about any admin.

The other part is we do not want the code to actually work before we
give them a key to use the software, but that isn't the main priority.

This key would also be used for updates and other special features.

So bottom line, we should have written it in another language, but we didn't,
so from there how can I secure this mod_perl / CGI application?

we need to do the following :

- Give a headache to the person who will read the source.
- Make sure they cannot alter the code, and be warned if they do.
- Use a key that will let them use the code if they paid for the software.

Thanks
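Added editor's example (not code posted by either participant): the "check for the key and do an MD5 check on itself" arrangement Tim describes, written out in plain Perl so the reader can see what such a check looks like and where it is weak. The vendor secret, the customer name "acme" and the file name protect.pl are assumptions; the key format (customer id plus a truncated HMAC-SHA256 tag) is one reasonable choice, not something from the thread.

```perl
#!/usr/bin/perl
# Added example: licence-key check plus a self-checksum of the kind the
# thread discusses. Names and values below are assumptions, not the
# original poster's application.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);
use Digest::MD5 ();

# Secret shared between the vendor's key generator and this program.
# Anyone who can read the shipped file, or run strings(1) on a perlcc
# binary, can recover it; that is exactly the limit the thread describes.
my $VENDOR_SECRET = 'example-vendor-secret';   # assumed value

# Digest of this file as shipped. The vendor fills it in after the last
# edit by running "perl protect.pl --digest"; it is empty here so the
# script runs unmodified.
my $EXPECTED_SELF_MD5 = '';

# Issue a key for a customer: "<customer>-<16 hex chars of HMAC-SHA256>".
sub make_key {
    my ($customer) = @_;
    my $tag = substr(hmac_sha256_hex($customer, $VENDOR_SECRET), 0, 16);
    return "$customer-$tag";
}

# Verify a key. Returns the customer id on success, undef otherwise.
sub check_key {
    my ($key) = @_;
    my ($customer, $tag) = $key =~ /\A(.+)-([0-9a-f]{16})\z/ or return;
    my $want = substr(hmac_sha256_hex($customer, $VENDOR_SECRET), 0, 16);
    return $customer if const_eq($tag, $want);
    return;
}

# Constant-time comparison so the check does not leak how many leading
# characters of the tag were right.
sub const_eq {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# MD5 of this file, skipping the one line that stores the expected digest
# (a file cannot contain its own full digest).
sub self_digest {
    open my $fh, '<', $0 or return '';
    binmode $fh;
    my $md5 = Digest::MD5->new;
    while (my $line = <$fh>) {
        next if $line =~ /^my \$EXPECTED_SELF_MD5 = /;
        $md5->add($line);
    }
    return $md5->hexdigest;
}

sub self_intact {
    return 1 if $EXPECTED_SELF_MD5 eq '';   # digest not yet baked in
    return self_digest() eq $EXPECTED_SELF_MD5;
}

unless (caller) {
    if (@ARGV && $ARGV[0] eq '--digest') { print self_digest(), "\n"; exit 0 }
    die "program has been modified\n" unless self_intact();
    my $key = @ARGV ? $ARGV[0] : make_key('acme');   # 'acme' is a made-up customer
    my $who = check_key($key);
    die "invalid key\n" unless defined $who;
    print "licensed to $who\n";
}
```

Run it with no arguments and it mints and accepts a key for the made-up customer; hand it a key with an altered tag and it refuses. The weakness is the one Tim points out: a client who edits the file simply reruns "--digest" and pastes the new value in, or deletes the die line; compiling with perlcc only moves the secret and the "program has been modified" string into an ELF file where strings(1) or a hex editor finds them just as easily. The check raises the effort, it does not remove the possibility.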




