CUFP
shmem
<p>
Sigh... people are still using perl2exe to "secure", i.e. hide, their code - despite [id://237943|warnings] [id://256527|all] [id://340753|over] [id://96925|the] [id://97005|place] - and to "enforce the license".
</p>
<p>
I've seen that again, today. A co-worker asked me, "hey, inside that debian package there are some executables of which I don't know what the heck they are doing. They look like compiled perl. Can you have a look?" I did.
</p>
<p>Please point anybody using perl2exe for "code hiding" or "license enforcement" to this node.
</p>
<p><small>(yes, this is crude and could be refined...)</small></p>
<code>
qwurx [shmem] ~/stuff > file foo
foo: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.0.0, stripped
qwurx [shmem] ~/stuff > strings foo | grep perl2exe | head -2
~/perl2exe/lib/
qwurx [shmem] ~/stuff > gdb foo
GNU gdb (GDB) Fedora (6.8.50.20090302-32.fc11)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i586-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
(gdb) break Perl_pp_entereval
Breakpoint 1 at 0x8070931
(gdb) run
Starting program: /home/shmem/stuff/foo
[Thread debugging using libthread_db enabled]
Breakpoint 1, 0x08070931 in Perl_pp_entereval ()
Missing separate debuginfos, use: debuginfo-install glibc-2.10.1-2.i686 nss-softokn-freebl-3.12.3-4.fc11.i586
(gdb) dump memory bar 0x08070931 0x08200931
(gdb) quit
The program is running. Quit anyway (and kill it)? (y or n) y
lt-gm [shmem] ~/stuff >
</code>
<p>That's all... fire up your editor with the file <c>bar</c> and search for <c>#!perl</c>.</p>
<code>
1^@^@^@NAME=auto/POSIX/atol.al;SIZE=122;ENC=1^@#####1^@^@^@NAME=auto/POSIX/longjmp.al;SIZE=136;ENC=1^@-i1^@^@^@NAME=auto/POSIX/fprintf.al;SIZE=139;ENC=1^@gu)^@^@^@NAME=Dumper.so;SIZE=30409;ENC=0^@(^@^@^@Áv^A^@#!perl
# keep perl2exe quiet, better not exclude things you need!
#perl2exe_exclude Expect
#perl2exe_exclude File::BSDGlob
#perl2exe_exclude IO::String
#perl2exe_exclude XML::DOM
#perl2exe_exclude Log::Log4perl::Config::LDAPConfigurator
#perl2exe_exclude Net::LDAP
#perl2exe_exclude VMS::Stdio
# this is fancy text in licence; 'use' in first column makes perl2exe complain
#perl2exe_exclude the
#perl2exe_exclude these
use strict;
use warnings;
use Carp::Heavy;
use Cwd qw (getcwd abs_path);
use Data::Dump qw(dump);
use Fcntl;
use File::Basename;
...
</code>
<p>Now delete everything above that first <c>#!perl</c> line, seek to where the next binary stuff starts, and delete from there to the end.</p>
<code>
=cut
^@^@1^@^@^@NAME=auto/POSIX/atan2.al;SIZE=145;ENC=1^@^@^@^@^@1^@^@^@NAME=auto/POSIX/remove.al;SIZE=146;ENC=1^@^@^@^@1^@^@^@NAME=auto/POSIX/execl.al;SIZE=124;ENC=1^@^@^@^@^@1
</code>
<p>Done, main script extracted. The rest is just as easy.</p>
<p>At the root of any file inclusion and any source text compilation there's <b>eval</b>, and it's <i>string eval</i>. For eval to evaluate something, that something must be <b>plain perl source code</b>, even if it is only a decoding function of some sort that will transform the other chunks. So there you have it: when <c>Perl_pp_entereval</c> is called, the source code is somewhere in memory <i>as a string</i>, about to be fed to the perl lexer and parser. And memory can be dumped and the dump examined.</p>
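<p>As an added example (not code from the post, and nothing to do with Indigostar's own tooling), here is the hand-edit above turned into a small Perl checker that a vendor can run over a memory dump of their own packaged binary to confirm what the eval argument predicts: the script is still there as plain text. The functions <c>has_perl2exe_marker</c>, <c>list_records</c> and <c>carve_main_script</c> are mine, and the <c>$dump</c> buffer is constructed to imitate the layout shown in the dump excerpts (the <c>NAME=...;SIZE=...;ENC=...</c> records around a <c>#!perl</c> script); it is not a real dump, and nothing about the container beyond those visible fields is assumed.</p>

```perl
#!/usr/bin/perl
# Added example, not code from the post: automates the post's editor
# step so a vendor can check whether a perl2exe-style package of theirs
# still carries its main script as plain text in memory.
use strict;
use warnings;

# Constructed stand-in for a gdb memory dump. The layout imitates what
# the post shows (container records with NAME=...;SIZE=...;ENC=... fields
# around a script that starts with "#!perl" and ends after "=cut");
# it is NOT a real dump and the bytes between records are arbitrary.
my $dump = join '',
    "~/perl2exe/lib/\0",
    "1\0\0\0NAME=auto/POSIX/atol.al;SIZE=122;ENC=1\0#####",
    "1\0\0\0NAME=Dumper.so;SIZE=30409;ENC=0\0(\0\0\0\xc1v\x01\0",
    "#!perl\n",
    "use strict;\n",
    "use warnings;\n",
    "print \"hello from the packaged script\\n\";\n",
    "\n=head1 LICENCE\n\nThis is fancy text in the licence.\n\n=cut\n",
    "\0\0" . "1\0\0\0NAME=auto/POSIX/atan2.al;SIZE=145;ENC=1\0\0\0\0";

# Same check as "strings foo | grep perl2exe" in the post: does the
# buffer mention the packager at all?
sub has_perl2exe_marker {
    my ($buf) = @_;
    return index($buf, 'perl2exe') >= 0 ? 1 : 0;
}

# Inventory of the NAME=...;SIZE=...;ENC=... records visible in the
# buffer, i.e. which modules were bundled. Only these three fields are
# taken from the post's dump; the bytes around them are not interpreted.
sub list_records {
    my ($buf) = @_;
    my @records;
    while ($buf =~ /NAME=([^;\0]+);SIZE=(\d+);ENC=(\d)/g) {
        push @records, { name => $1, size => $2, enc => $3 };
    }
    return @records;
}

# The post's editor step, automated: keep everything from "#!perl" up
# to the next NUL byte. Perl source never contains NUL, the surrounding
# container records do, so that is where the script text ends (in the
# post's dump, right after the closing "=cut" line).
sub carve_main_script {
    my ($buf) = @_;
    my $start = index $buf, '#!perl';
    return undef if $start < 0;
    my $end = index $buf, "\0", $start;
    $end = length $buf if $end < 0;
    return substr $buf, $start, $end - $start;
}

print "perl2exe marker found\n" if has_perl2exe_marker($dump);

printf "%-28s %6s bytes  enc=%s\n", @{$_}{qw(name size enc)}
    for list_records($dump);

my $script = carve_main_script($dump);
if (defined $script) {
    printf "\nrecovered %d bytes of source:\n%s", length $script, $script;
}
else {
    print "\nno '#!perl' found in buffer\n";
}
```

<p>Run it as-is to see the constructed case; to check a real package, read the dump file produced by gdb into <c>$dump</c> instead (binary mode, whole file). The NUL-byte cutoff is deliberately simpler than the post's "find the next binary stuff" step and would need refining if a script were split across several records, which is exactly the "crude and could be refined" caveat the post makes.</p>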
<p><b>It is utterly futile to use perl2exe for code hiding or license enforcement purposes.</b></p>
<p>
I don't post this trivial piece to incite code stealing, but rather to keep developers from choosing the wrong approach based on a flawed premise. I have this to tell them:
</p>
<p>
A successful business is based on the <i>mutual trust</i> between you and your customer. A rightful license isn't a terrible EULA which forbids you from doing this or that under threat of draconian measures, but a <i>mutual trust seal</i> which cannot be gained by cheating one of the parties. Your best way to show trustworthiness is integrity, which in my book reads as respecting the long-term Open Source effort of all those who created perl and their endeavour in letting others participate, and which you undermine by concealing your source code from the eyes of your trusting customers.
</p>
<p>
An even better way to show your integrity is <i>transparency</i> in your proceedings. And I, as a customer, would appreciate being able to study the source of any product of yours which runs on my computer. If the result of those studies leads to approval, it will deepen our relationship as vendor and customer.
</p>
<p>Lastly, to you, [http://www.indigostar.com/perl2exe.htm|perl2exe]. Much has been written that you don't claim to make source code inaccessible, that you don't claim you are able to enforce licenses and such - well I say: <b>be honest. You can't because perl doesn't. Then say so.</b> Otherwise, [id://615219|get off my lawn].</p>
<p></rant></p>
<p>update: Again, please don't get me wrong. I don't want to talk down this tool - it might be a wonderful packager, simplify your packaging tasks, allow for cross-compiling and anything else it claims: I don't know, I have never used it. But the sentence "You can ship the exe file without having to ship your perl source code" goes against the camel's hair, and it insinuates that you can hide the source.
</p>
<p>Indigostar should state on their website "while you don't have to ship your source code in separate files, be aware that perl2exe is unsuitable to hide code, and it should not be used for that purpose."
</p>