Bugtraq mailing list archives

Perl2Exe EXEs Can Be Decompiled (update)


From: "Domainbox, Tim Abenath" <ta () domainbox de>
Date: Fri, 21 Feb 2003 13:09:56 +0100

Product:
    perl2exe, http://www.indigostar.com/

Vulnerability:
    Perl programs "compiled" into EXEs with Perl2Exe can be decompiled and
    full, unadulterated source code extracted.

Vendor Status:
    The vendor was notified a year ago, when Simon Cozens dissected perl2exe
    version 5.x and posted his results here.

Analysis:

My research draws heavily on Simon Cozens' work, which can be found at
http://ddtm.simon-cozens.org/~simon/perl2exe
Since version 5.x had already been dissected, I took a look at the 6.x version.
This has been tested on the latest release,
Perl2Exe V6.00 for Linux (Feb 20, 2003). Here we go:

The 6.0 version stores a table of contents listing the embedded items at the
end of the binary:

NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_pre_exec_message;SIZE=0;VALUE=
NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195

The _main.pl entry is what we are looking for. As perl2exe still uses
BogoCrypt (i.e. a plain XOR with a key that is the same for every binary it
produces), this is simple to attack with known plaintext: XORing a known
plaintext with its ciphertext yields the key, and that key then decrypts any
other _main.pl encrypted with it.

We start by generating a plaintext file of the same length as the target's
_main.pl (the SIZE field in the TOC); the content doesn't matter. Let's call
it sample.pl. We compile it with ./perl2exe sample.pl and get the binary
'sample'. XORing the plaintext with its ciphertext gives us the key in use.
Now it's time to start up our dirty little code:

#!/usr/bin/perl
use strict;
use warnings;

# Known-plaintext attack on the XOR "encryption":
#   key      = C_sample ^ P_sample
#   P_target = C_target ^ key
# The encrypted _main.pl follows p2x_stub.lib (SIZE=811048 in the TOC above).
# tail -c +N prints from byte N inclusive, so the payload starts at stub size + 1.
my $offset            = 811048 + 1;
my $known_plain       = `cat sample.pl`;
my $known_cipher_file = "sample";
my $target_file       = "perl2exe";    # perl2exe itself is a perl2exe-built binary

# Pull the size of _main.pl out of the TOC at the end of the sample binary.
my $sizeline = `tail -c +$offset $known_cipher_file | strings | grep NAME=_main.pl`;
my @line = split /;/, $sizeline;
my @size = split /=/, $line[1];
my $len  = $size[1];

# Recover the key from the sample, then apply it to the target.
my $known_cipher = `tail -c +$offset $known_cipher_file | head -c $len`;
my $key          = $known_cipher ^ $known_plain;

my $unknown_cipher = `tail -c +$offset $target_file | head -c $len`;
my $unknown_plain  = $unknown_cipher ^ $key;
print $unknown_plain, "\n";

The output should be redirected to a file, because $unknown_plain still
contains some binary bytes.

ta () domainbox de
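
The attack from the script above, as an added example that is not part of the
original post: a Python reimplementation that parses the P2X-V06.TOC trailer to
locate _main.pl instead of hard-coding the stub offset, recovers the XOR key
stream from a compiled sample of known content, and decrypts a second image.
The container layout (stub first, entries in TOC order, TOC last with a trailer
line giving the TOC length), the stub bytes, the scripts and the key stream are
all constructed stand-ins; Perl2Exe's real key stream is not known here, and the
attack works on the real product only because, as the post says, the same key
is reused for every binary.

```python
"""Known-plaintext recovery of an XOR-protected script from a perl2exe-style
container. Added example, not code from the original post: the container
layout and the key stream are assumptions modelled on the TOC dump above."""


def toy_keystream(n: int, seed: int = 0x5EED) -> bytes:
    """Deterministic stand-in for Perl2Exe's fixed XOR key stream (assumption:
    the key does not depend on the script, which is what makes the attack work)."""
    out, x = bytearray(), seed
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


def build_container(stub: bytes, main_pl: bytes, keystream: bytes) -> bytes:
    """Constructed image: stub || XOR(main_pl) || TOC entries || trailer line."""
    if len(keystream) < len(main_pl):
        raise ValueError("keystream shorter than script")
    enc = bytes(p ^ k for p, k in zip(main_pl, keystream))
    entries = (
        f"NAME=p2x_stub.lib;SIZE={len(stub)};ENC=0\n"
        f"NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl\n"
        f"NAME=_main.pl;SIZE={len(main_pl)};ENC=1\n"
    ).encode()
    trailer = f"NAME=P2X-V06.TOC;SIZE={len(entries)}\n".encode()
    return stub + enc + entries + trailer


def parse_toc(image: bytes) -> dict:
    """Walk the TOC at the end of the image; return name -> (offset, size, enc).
    Offsets are derived by summing the SIZE of each preceding entry, so the
    stub size never has to be typed in by hand."""
    pos = image.rfind(b"NAME=P2X-V06.TOC;SIZE=")
    if pos < 0:
        raise ValueError("no P2X-V06.TOC trailer found")
    toc_len = int(image[pos:].split(b"SIZE=", 1)[1].strip())
    table, offset = {}, 0
    for line in image[pos - toc_len:pos].decode("latin-1").splitlines():
        fields = dict(f.split("=", 1) for f in line.split(";"))
        size = int(fields["SIZE"])
        table[fields["NAME"]] = (offset, size, int(fields.get("ENC", "0")))
        offset += size
    return table


def extract_entry(image: bytes, name: str) -> bytes:
    off, size, _enc = parse_toc(image)[name]
    return image[off:off + size]


def recover_keystream(sample_image: bytes, sample_plain: bytes) -> bytes:
    """key[i] = C_sample[i] ^ P_sample[i]; the plaintext must match byte for byte."""
    cipher = extract_entry(sample_image, "_main.pl")
    if len(cipher) != len(sample_plain):
        raise ValueError("sample plaintext/ciphertext length mismatch")
    return bytes(c ^ p for c, p in zip(cipher, sample_plain))


def decrypt_main(target_image: bytes, keystream: bytes) -> bytes:
    """P_target[i] = C_target[i] ^ key[i]; refuses to run past the recovered key,
    which is why the sample must be at least as long as the target script."""
    cipher = extract_entry(target_image, "_main.pl")
    if len(cipher) > len(keystream):
        raise ValueError(f"need a sample of at least {len(cipher)} bytes, "
                         f"have {len(keystream)}")
    return bytes(c ^ k for c, k in zip(cipher, keystream))


# Constructed inputs standing in for the real p2x_stub.lib, script and key.
STUB = b"\x7fELF" + bytes(range(256)) * 4
TARGET_SCRIPT = b'#!/usr/bin/perl\nprint "hello from the protected script\\n";\n'
KEY = toy_keystream(1024)


def demo() -> bytes:
    """Full attack: read target size from its TOC, build a sample of that size,
    recover the key from the sample, decrypt the target."""
    target = build_container(STUB, TARGET_SCRIPT, KEY)   # the binary to decompile
    n = parse_toc(target)["_main.pl"][1]
    sample_plain = b"#" * n                               # content is irrelevant
    sample = build_container(STUB, sample_plain, KEY)     # stands in for ./perl2exe sample.pl
    return decrypt_main(target, recover_keystream(sample, sample_plain))


if __name__ == "__main__":
    print(demo().decode())
```

Against a real image the two build_container calls are replaced by reading the
target binary and the freshly compiled sample from disk; everything else stays
the same, and the length check in decrypt_main is the one guard worth keeping,
since a sample shorter than the target silently truncates the recovered source.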
