WebApp Sec mailing list archives
Re: protecting perl script source
From: H D Moore <sflist () digitaloffense net>
Date: Fri, 31 Jan 2003 12:39:57 -0600
On Thursday 30 January 2003 03:03 am, Eyal Udassin wrote:
Hi As mentioned a here quite a few times, source filters are far from being a worthy solution to this problem. In case you're using a windows box, I strongly suggest moving your sensitive code to a dll, and call it from perl using Win32::API. There's no place like C :-)
The perl decrypt module uses a shared library written in C to manipulate the script. Common practice is to detect and exit if perl was called with a compiler backend, too bad you can just patch the library to not exit ;) I was auditing some web mail software and the evaluation version has been run through the Perl "encryption" filter. The "decryption" filter is written in C and the compiled version is shipped with the product. Perl has a really nice method of reformatting source, called the Deparse module, it can be used to rip the plain source code from an "encrypted" script. One of the features of the decryption filter is that detects when the script is being run through a compiler (ie. the Deparse module) and kills itself. It took maybe 5 minutes to nop out all calls to Perl_croak in the decrypt.so binary and proceed to audit the code... The recommended implementation of Filter::decrypt is to compile the filter staticly into the Perl binary and then strip it, apparently this company didn't think it was worth the bother to ship a giant static perl executable with thier eval version. There are a dozen other ways to extract the source code, this one just happened to be the easiest and took just a few minutes to do. You could write a program which links directly to the exported Decrypt function, create your own library which loads the real filter and logs the input/output, or just halt the app after the filter code executes and just rip it out of memory. Not sure what the point of the "decrypt" filter is if there are so many ways to bypass it. -HD --- hdm@ice:/downloads/someapp > perl -MO=Deparse crypted.pl Aborting, Compiler detected at /usr/lib/perl5/5.6.1/i686-linux/DynaLoader.pm line 225. Compilation failed in require at crypted.pl line 4. BEGIN failed--compilation aborted at crypted.pl line 4. ( 5 minutes later after patching the shared library) hdm@ice:/downloads/someapp > cp xyz.so libs/auto/Filter/decrypt/decrypt.so hdm@ice:/downloads/someapp > perl -MO=Deparse crypted.pl Content-type: text/html [ snip ] my $var=...
Current thread:
- Re: protecting perl script source Tim Valdez (Jan 29)
- Re: protecting perl script source Peter Sergeant (Jan 30)
- RE: protecting perl script source Eyal Udassin (Jan 30)
- Re: protecting perl script source H D Moore (Jan 31)
- RE: protecting perl script source Eyal Udassin (Jan 30)
- Re: protecting perl script source Jim McGarvey (Jan 30)
- <Possible follow-ups>
- RE: protecting perl script source Ogston, Iain M (Jan 30)
- Re: protecting perl script source Peter Sergeant (Jan 30)