Old Script with an Issue Due to Img Tag Use

jucs has asked for the wisdom of the Perl Monks concerning the following question:

I purchased Perl version of a program called MembshipClientPro years ago. The developer did a direct call for images from his domain Membershipclientpro.com in the script that are really just for looking good in the admin panel (no function). The business is now gone. The site has now parked such that it redirects to some domain for sale when the script tries to pull in an image from the domain. My problem is the guy encrypted the Perl source otherwise I would just remove the image tag call to that domain.

Here is a sample starting at the top below.

Any help to get the actual Perl source so I can remove the stupid HTML img tag that would be great.

#!/usr/bin/perl

######################################################################
+########
# Edit above line (if necessary) to the path of Perl on you system    
+       #
######################################################################
+########
# Membership Client Pro            Version 1.3.9                      
+       #
# Copyright 1999-2004              info@membershipclientpro.com       
+       #
# Created 1/Feb/2002               Last Modified 16/Feb/2005          
+       #
# Membership Client Pro, Inc.:     http://www.membershipclientpro.com/
+       #
######################################################################
+########
# COPYRIGHT NOTICE                                                    
+       #
# Copyright 1999-2005 Membership Client Pro.  All Rights Reserved.    
+       #
#                                                                     
+       #
# Please view email that accompanied this file for install instruction
+s .    #
# By uploading this licence you express your agreement and compliance 
+with   #
# the terms and conditions included in the download. Modification of t
+his    #
# file will result in the Membership Client not working. Do not modify
+.      #
######################################################################
+########
#                  DO NOT MODIFY ANY THING BELOW THIS LINE            
+       #
######################################################################
+########

$AXJXSXOXHXJXGXJXYXJXGXDXRXYXZXXYXZDXFXGXBVXAXQX="13l10l117l115Xl101l3
+2l67l71l73l58l58l67l97l+114l112l32l113lZ119l40l102l97l116l97lX108l115
+l84l111l66l114l111-l119l115l=101Zl114l41l59l13l10l36l118l101l114l115l
+105l111l110l32=l61l32l34l49l46l51l46lX57l34l59l13l10l35l36l117l115l10
+1l95l111l108l1
00l-95l109l100l53l32l61l32l49l59lZ13l10l112l117l115l104l32l64l73l78+l6
+7l44l34l46l47l34l59lZ13l10l114l101l113l117l105l114l101l32l34l99l111=l
+111l107l105l101l46Xl108l105l98l34l59l13l10l9l35l+105l102l32l40lZ36l69
+l78l86l123l83lX69l82l86l69l82l95l80-l79l82l=84Zl125l32l101l113l32l52l
+52l51l41l123l13l10l9l35=l9l36l104l101l97l100l101lX1
14l32l61l32l34l60l83l67l82l73l80l84l32l76l-65l78l71l85l65l71l69l61l92l
+Z34l74l97l118l97l83l99l114l105l112+l116l92l34l32l83l82l67lZ61l92l34l1
+04l116l116l112l58l47l47l119l119l119=l46l109l101l109l98Xl101l114l115l1
+04l105l112l99l108l105l+101l110l116l112lZ114l111l46l99l111l109lX47l116
+l101l109l112l108l97-l116l101l=47Zl63l97l99l116l105l
111l110l61l104l101l97l100l101l114=l38l118l101l114l115l105l111lX110l61l
+36l118l101l114l115l105l111l110l92l34l62l60l-47l115l99l114l105l112l116
+l62l92lZ110l92l110l60l102l111l110l116l32l102+l97l99l101l61l92l34l65lZ
+114l105l97l108l92l34l62l34l59l13l10l9l35=l9l36l102l111l111Xl116l101l1
+14l32l61l32l34l60l47l+102l111l110l116lZ62l92l110l92
l110l60lX83l67l82l73l80l84l32-l76l65l=78Zl71l85l65l71l69l61l92l34l74l9
+7l118l97l83l99=l114l105l112l116l92l34l32lX83l82l67l61l92l34l104l116l1
+16l112l58l47l47l119l-119l119l46l109l101l109l98l101l114lZ115l104l105l1
+12l99l108l105l101l110l116+l112l114l111l46l99l111l109lZ47l116l101l109l
+112l108l97l116l101l47l63l97l99=l116l105l111l110l61X
l102l111l111l116l101l114l38l118l101l+114l115l105l111lZ110l61l36l118l10
+1l114lX115l105l111l110l92l34l62-l60l47l=115Zl99l114l105l112l116l62l92
+l110l34l59l13l10l9l35=l9l36l113l95l103l114l97lX112l104l105l99l32l61l3
+2l34l104l116l116l112l58l47l-47l119l119l119l46l109l101l109l98lZ101l114
+l115l104l105l112l99l108l105l101+l110l116l112l114l11
1l46l99lZ111l109l47l105l109l97l103l101l115l47l113l46l103=l105l102l34l5
+9l13Xl10l9l35l9l36l103l114l97l112l+104l105l99l115lZ95l98l32l61l32l34l
+X104l116l116l112l58l47l47-l119l119l=119Zl46l109l101l109l98l101l114l11
+5l104l105l112l99l108l105=l101l110l116l112l114l111l46lX99l111l109l47l1
+05l109l97l103l101l115l34l59l13l10l-9l35l125l32l101l
108l115l101l32lZ123l13l10l9l9l36l113l95l103l114+l97l112l104l105l99l32l
+61lZ32l34l104l116l116l112l58l47l47l119l119l119l46=l109l101l109l98l101
+Xl114l115l104l105l112l99l108l105l101l+110l116l112l114lZ111l46l99l111l
+109l47lX105l109l97l103l101l115l47-l113l46l=103Zl105l102l34l59l13l10l9
+l9l36l104l101l97l100l101=l114l32l61l32l34l60l83lX67
l82l73l80l84l32l76l65l78l71l85l65l71l69l-61l92l34l74l97l118l97l83l99lZ
+114l105l112l116l92l34l32l83l82l67+l61l92l34l104l116l116l112lZ58l47l47
+l119l119l119l46l109l101l109l98l101l114=l115l104l105l112l99Xl108l105l1
+01l110l116l112l114l111l46l+99l111l109l47lZ116l101l109l112l108l97lX116
+l101l47l63l97l99l116-l105l111l=110Zl61l104l101l97l1
00l101l114l38l118l101l114l115l105l111=l110l61l36l118l101l114l115lX105l
+111l110l92l34l62l60l47l115l99l114l105l112l116l-62l92l110l92l110l60l10
+2l111l110lZ116l32l102l97l99l101l61l92l34l65+l114l105l97l108l92l34l62l
+Z34l59l13l10l9l9l36l102l111l111l116l101l114=l32l61l32l34l60Xl47l102l1
+11l110l116l62l92l110l92l+110l60l83l67lZ82l73l80l84l
32l76lX65l78l71l85l65l71l69-l61l92l=34Zl74l97l118l97l83l99l114l105l112
+l116l92l34l32l83=l82l67l61l92l34l104l116lX116l112l58l47l47l119l119l11
+9l46l109l101l109l98l101l-114l115l104l105l112l99l108l105l101lZ110l116l
+112l114l111l46l99l111l109l47+l116l101l109l112l108l97l116lZ101l47l63l9
+7l99l116l105l111l110l61l102l111l111=l116l101l114l38
l118Xl101l114l115l105l111l110l61l36l118l+101l114l115l105lZ111l110l92l3
+4l62l60lX47l115l99l114l105l112l116-l62l92l=110Zl34l59l13l10l9l9l36l10
+3l114l97l112l104l105l99=l115l95l98l32l61l32l34lX104l116l116l112l58l47
+l47l119l119l119l46l109l101l109l-98l101l114l115l104l105l112l99l108lZ10
+5l101l110l116l112l114l111l46l99l111+l109l47l105l109
l97l103l101lZ115l34l59l13l10l9l35l125l13l10l105l102l32=l40l71l101l116l
+67Xl111l111l107l105l101l115l40l39l97l+100l109l105l110lZ95l112l97l115l
+115l39lX44l39l97l100l109l105l110-l95l105l=100Zl39l41l32l38l38l32l36l6
+9l78l86l123l81l85l69=l82l89l95l83l84l82l73lX78l71l125l32l101l113l32l3
+4l117l112l108l111l97l100l-34l41l123l13l10l9l112l114
[download]

Comment on Old Script with an Issue Due to Img Tag Use Download Code

Replies are listed 'Best First'.
Re: Old Script with an Issue Due to Img Tag Use by pme (Monsignor) on Feb 01, 2015 at 09:55 UTC
Hi jucs, http://www.webdeveloper.com/forum/showthread.php?88078-Is-there-a-way-to-un-encode-an-encoded-script This site says that this is an World Wide Creations' Perl Coder obfuscation and can be deobfuscated by the sub below: `sub wwPerlCoderUnjumble { $_[0] =~ /\$AXJXSXOXHXJXGXJXYXJXGXDXRXYXZXXYXZDXFXGXBVXAXQX="([^"] +*)"/; my $data = $1; $data =~ s/[^l\d]//g; $data .= chr $_ for split(/\D/, $data); return $data; }` [download]	[reply] [d/l]
Re: Old Script with an Issue Due to Img Tag Use by LanX (Saint) on Jan 31, 2015 at 21:19 UTC
you could just edit your local "hosts" file to redirect the domain to your localhost. Just send images from your family and pets then! :) Cheers Rolf PS: Je suis Charlie!	[reply]
Re^2: Old Script with an Issue Due to Img Tag Use by jucs (Initiate) on Jan 31, 2015 at 21:32 UTC
Dumb question...how would I do that.	[reply]
Re^3: Old Script with an Issue Due to Img Tag Use by Anonymous Monk on Jan 31, 2015 at 21:46 UTC
A quick google gives this link (one of many): `http://www.rackspace.com/knowledge_center/article/how-do-i-modify-my-hosts-file` You'd need to add a line like "`127.0.0.1 membershipclientpro.com`", but also you'd need to run a local web server that serves up the replacement image files.	[reply] [d/l] [select]
Re: Old Script with an Issue Due to Img Tag Use by Anonymous Monk on Jan 31, 2015 at 21:48 UTC
We'd need to see more of the source to help un-obfuscating it. I'm guessing that the code to do so is after that variable `$AXJXS...`, look for the closing quote (`"`). IANAL but I would guess that since the business appears to be gone probably no one would raise a fuss about un-obfuscating the code... due diligence would probably be to check and make sure that the company hasn't just changed their name, also trying to contact the original developer.	[reply] [d/l] [select]
Re: Old Script with an Issue Due to Img Tag Use by Anonymous Monk on Feb 01, 2015 at 15:46 UTC
Another option to decode might be overload::eval, that has a couple of reported bugs and test failures, but it's probably still worth a try: `$ perl -Moverload::eval=-p obfuscated.pl` [download]	[reply] [d/l]
Re^2: Old Script with an Issue Due to Img Tag Use by pme (Monsignor) on Feb 01, 2015 at 16:09 UTC
Hi AM, overload::eval is 'Hooks the native string eval() function' is according to its description. It is not for decoding.	[reply]
Re^3: Old Script with an Issue Due to Img Tag Use by Anonymous Monk on Feb 01, 2015 at 16:21 UTC
Yes and no, it doesn't decode directly - but many obfuscated scripts work by decoding a string that contains some code (like in the OP's example), and then evaling that string. So hooking eval to print the code instead of running it actually does decode such scripts. For example, scroll down to the bottom of that forum thread you linked to earlier. I'm not sure if the OP's script uses eval, but it seems like a good guess.	[reply]