Re: protecting perl script source
From: H D Moore <sflist(at)digitaloffense.net>
Date: Fri Jan 31 2003 - 13:39:57 EST
On Thursday 30 January 2003 03:03 am, Eyal Udassin wrote:
The perl decrypt module uses a shared library written in C to manipulate the script. Common practice is to detect and exit if perl was called with a compiler backend, too bad you can just patch the library to not exit ;)

I was auditing some web mail software and the evaluation version has been run through the Perl "encryption" filter. The "decryption" filter is written in C and the compiled version is shipped with the product. Perl has a really nice method of reformatting source, called the Deparse module, it can be used to rip the plain source code from an "encrypted" script. One of the features of the decryption filter is that it detects when the script is being run through a compiler (i.e. the Deparse module) and kills itself. It took maybe 5 minutes to nop out all calls to Perl_croak in the decrypt.so binary and proceed to audit the code...

The recommended implementation of Filter::decrypt is to compile the filter statically into the Perl binary and then strip it, apparently this company didn't think it was worth the bother to ship a giant static perl executable with their eval version.

There are a dozen other ways to extract the source code, this one just happened to be the easiest and took just a few minutes to do. You could write a program which links directly to the exported Decrypt function, create your own library which loads the real filter and logs the input/output, or just halt the app after the filter code executes and just rip it out of memory. Not sure what the point of the "decrypt" filter is if there are so many ways to bypass it.

-HD

---

hdm@ice:/downloads/someapp > perl -MO=Deparse crypted.pl
Aborting, Compiler detected at /usr/lib/perl5/5.6.1/i686-linux/DynaLoader.pm line 225.
Compilation failed in require at crypted.pl line 4.
BEGIN failed--compilation aborted at crypted.pl line 4.

( 5 minutes later after patching the shared library)

hdm@ice:/downloads/someapp > cp xyz.so libs/auto/Filter/decrypt/decrypt.so
hdm@ice:/downloads/someapp > perl -MO=Deparse crypted.pl
Content-type: text/html
[ snip ]
my $var=...

Received on Fri Jan 31 16:15:33 2003