note
afoken
<blockquote>The encryption is done through custom C executable and the execution of encrypted binary code can only be done through another C executable (dummy Perl interpreter) and it does in-memory execution like this.
<c>
perl_run(my_perl);
eval_pv(buffer, TRUE);
</c>
</blockquote>
<p>Easily broken:</p>
<ol>
<li>start a debugger</li>
<li>load the "encrypted" program from the debugger</li>
<li>set a breakpoint at the call to <c>eval_pv()</c>, or at the first instruction of <c>eval_pv()</c></li>
<li>start the program</li>
<li>instruct the debugger to show the contents of <c>buffer</c></li>
<li>copy contents of <c>buffer</c> to a text file</li>
<li>kill the program</li>
<li>exit the debugger</li>
</ol>
<p>It was explained a thousand times or more, but once more for you:</p>
<p>Perl is designed to evaluate unencrypted source code, so at some point, you have to decrypt the encrypted code. Alternatively, you can feed perl a prepared parse tree, in unencrypted form. Again, you have to decrypt the encrypted tree before passing it to perl. [mod://B::Deparse] can reconstruct perl source code from the tree, so you gain exactly nothing from using a tree.</p>
<p>Both ways, you have to decrypt the encrypted data, so your executable must contain the decryption algorithm <b>and</b> the required decryption key. Both can be extracted from the executable to create an independent decryption tool. Or, as I explained above, one can simply stop the execution of the program at the point where the decrypted data is passed to perl API functions. That's usually much less work.</p>
<p>And there is <b>NO WAY</b> to prevent that.</p>
<p>See also:</p>
<ul>
<li>[id://848609]</li>
<li>[id://767084]</li>
<li>[id://779752]</li>
<li>[id://237943]</li>
<li>[id://256527]</li>
<li>[id://340753]</li>
<li>[id://96925]</li>
<li>[id://97005]</li>
</ul>
<p>Alexander</p>
<div class="pmsig"><div class="pmsig-747201">
--<br>
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
</div></div>
1132086
1132100
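<p>An added example, not part of the original post and not the poster's code: a minimal C model of the loader design discussed above, showing that the plaintext necessarily exists at the evaluator call no matter how the blob is stored or wiped afterwards. The XOR transform, the key bytes, the sample script and the <c>eval_fn</c> hook (standing in for <c>eval_pv()</c>) are all constructed assumptions.</p>

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the "protected" script and the key the loader must ship with. */
static const char SCRIPT[] = "print qq{licensed feature\\n};";
static const unsigned char KEY[] = { 0x5a, 0xc3, 0x17, 0x99 };

/* Toy stream transform standing in for the real cipher; XOR is its own inverse. */
static void xor_stream(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (unsigned char)(KEY[i % sizeof KEY] + i);
}

/* Hypothetical evaluator hook; in the loader from the post this is eval_pv(). */
typedef void (*eval_fn)(const char *code, void *ctx);

/* The loader: decrypt into a heap buffer, hand it to the evaluator, wipe it. */
static int loader_run(const unsigned char *blob, size_t len, eval_fn eval, void *ctx) {
    char *buffer = malloc(len + 1);
    if (!buffer) return -1;
    memcpy(buffer, blob, len);
    xor_stream((unsigned char *)buffer, len);
    buffer[len] = '\0';
    eval(buffer, ctx);        /* the plaintext has to exist at this call */
    memset(buffer, 0, len);   /* wiping afterwards comes too late to matter */
    free(buffer);
    return 0;
}

/* Models what is visible at the evaluator boundary: the argument itself. */
static void observe(const char *code, void *ctx) {
    strncpy((char *)ctx, code, 127);
}

/* Returns 1 if the observer at the call boundary saw the exact original script. */
static int boundary_leaks_source(void) {
    unsigned char blob[sizeof SCRIPT - 1];
    char seen[128] = {0};
    memcpy(blob, SCRIPT, sizeof blob);
    xor_stream(blob, sizeof blob);                         /* "encrypt" at build time */
    if (memcmp(blob, SCRIPT, sizeof blob) == 0) return 0;  /* stored blob is not plaintext */
    if (loader_run(blob, sizeof blob, observe, seen) != 0) return 0;
    return strcmp(seen, SCRIPT) == 0;
}
```

<p>Swapping the toy transform for a strong cipher changes nothing in the result, because the key and the decrypt step still have to live in the same executable as the call.</p>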