Below is a quick obfuscation script I wrote. That is, a script which obfuscates other scripts. The obfuscation isn't terribly good, but it's been successful in terms of keeping other peoples hands off of my code, which was the object in this case. Quite handy for those 700 line scripts that you don't want to obfuscate by hand. (Multi file scripts will need to be catted together before being run through the obfuscater.) Also, I have a question. I wonder if one of you obfuscation fans could give me a nice little obfuscation of this one line, such that I might add it to my automatically obfuscated script: 
unless ($ENV{HTTP_HOST} ~= m/licensed_site.com/) {die "Code thief!"}

[download]
Of course, I need te be able to replace the domain name fairly easily. Perhaps a Perl one liner that obfuscates the string? Anyway, here's auto_obfuscate.pl: 
#!/usr/bin/perl

$debug = 0;

my %varname;
my $varnum = 0;
my %subname;
my $subnum;

my $sub = 0;

$infile = $ARGV[0];

open(IN, "<$infile");
@prog = <IN>;
close IN;

open(TIDY, "|perltidy --mangle -st");

foreach $line (@prog)
{
   @token = split (/[^A-Za-z0-9_\$\@\%\\]+|\\./, "$line");
   foreach $tok (@token)
   {
      if ("$tok" eq "sub")
      {
         $sub = 1;
      }
      elsif ($sub)
      {
         $subnum++;
         $sub = 0;
         if ($subname{$tok} eq "")
         {
            $subname{$tok} =~ s/[a-z0-9]*/s_$subnum/;
         }
      }
   }
}

foreach $line (@prog)
{
   if ($debug)
   {
      print "$line";
   }

   # "$first$last" comes out as one token, so split them
   $line =~
     s/(\".*)(\$[A-Za-z0-9_\-]*)(\$[A-Za-z0-9_\-]*)(.*\")/\1\2\".\"\3\
+4/g;
   @token = split (/[^A-Za-z0-9_\$\@\%\\\#]+|\\./, "$line");
   foreach $tok (@token)
   {
      if ($debug)
      {
         print "$tok:";
      }
      if ($tok =~ m/[\$\@\%\#][a-z][a-z0-9]*/)
      {
         $oldname = "$tok";

         $oldname =~ s/[\$\@\%\#]*//;
         if ($varname{$oldname} eq "")
         {
            $varname{$oldname} =~ s/[a-z0-9]*/v_$varnum/;
            $varnum++;
         }
         $line =~ s/([\$\%\@]#?)$oldname([^a-z0-9A-Z])/\1$varname{$old
+name}\2/g;
      }
   }
   while (($oldname, $newname) = each %subname)
   {
      $line =~ s/$oldname([ \(\;])/$newname\1/g;
      $line =~ s/sub *$oldname([^a-zA-Z])/sub $newname\1/g;
   }

   $line =~ s/^\s*//g;
   unless (($line =~ m/^$/) || ($line =~ m/^#[^\!\-]/))
   {
      $outline++;
      if ($debug)
      {
         print "\n$line\n\n";
      }
      else
      {
         print TIDY "$line";
      }
   }
   if ($line =~ m/[\$\@\%]\{[^v]/)
   {
      print STDERR
        "Warning: bracketed variable not changed line $outline:\n$line
+";
   }
}
print "\n\n";

close TIDY;

[download]

Replies are listed 'Best First'.
Re: An obfuscation script, and a question
by Jazz (Curate) on Mar 15, 2003 at 09:38 UTC

    The most effective "obfuscation" is a well-written program.

    "script kiddies" can't figure it out (and would never be able to pass it off as their own), and the ones who know better can de-obfuscate your code anyway with minimal effort.

[reply]
Re: An obfuscation script, and a question
by diotalevi (Canon) on Mar 21, 2003 at 13:46 UTC

    I never came up with anything stunning. Perhaps symbolic reference to %ENV and some munging of the strings. For all constant strings I just used a normal double quote operator and each character is octal and hex encoded in turn. The regex uses alternation to either match the right value or die.

    ${"\145\x6e\166"}{ ... encoded HTTP_HOST } =~ "(?: ... encoded site name.com |(?{die})"</code>
[reply]
[d/l]
A reply falls below the community's threshold of quality. You may see it by logging in.

Back to Obfuscated Code