PerlAPP security?

jdtoronto has asked for the wisdom of the Perl Monks concerning the following question:

A few weeks back I started looking into packaging a GUI app built using Perl and Tk. I asked for advice on what packaging system to use and received some useful input at the time.

PAR - well, it just works! It essentially produces a self-extracting archive (on Windows) but by comparison it is slow to run.

perl2exe - it seems to work okay - I used the demo version and it did the job. I probably won't buy it because I have since had purchased for me...

KOMODO and the PDK - kindly provided by the folk I am working for right now. I had used v2.5 of Komodo and not particularly liked it. But v3.0 is much better. I am still using Eclipse on some other projects despite the Eclipse editor being very slow on larger ( > 1000 line ) files.

The .exe produced by PerlAPP seems to be a binary structure - not just a self extracting archive like PAR. Can anybody tell me what technique is used by PerlAPP? How 'reverse engineerable' is it? THe client is happy that when he looks at the .exe he cant see inside it with WinZip or TextPad, but I am curious as to what technique they use to produce the final file.

jdtoronto

Comment on PerlAPP security?

Replies are listed 'Best First'.
Re: PerlAPP security? by waswas-fng (Curate) on Sep 16, 2004 at 19:18 UTC
Try using UPX to make the internals of par exe a little less transparent. Any way you cut it is is not really possible to completely make your compiled perl source unavailable. -Waswas	[reply]
Re^2: PerlAPP security? by jdtoronto (Prior) on Sep 16, 2004 at 20:03 UTC
waswas-fng Very interesting! Your suggestion would obscure the code somewhat in the .exe file, that would be useful. But when the UPX package de-compresses and the PAR package is unpacked into the directory where it is to be run the code is totally exposed. Using PerlAPP the code is still somewhat obscured, but can apparently be recovered by decompiling it (as I found in a thread here in the Monastery). The client is concerned only that your basic 'simple thief' can't get to the code. Of course, we all know that opnce you go beyond that the code is not safe at all! Your suggestion is, however, useful nevertheless and I have bookmarked the site, thank you! jdtoronto	[reply]
Re: PerlAPP security? by tachyon (Chancellor) on Sep 17, 2004 at 04:28 UTC
Perlapp 'encrypts' the perl source code. The output is wrapped into a standard win32 PE (portable executable) with the necessary binary extras (ie perl) and can be disassmbled with simple tools. See Security, is it to much to ask? for details on extracting the original data. Note that the trivial XOR encryption against the string 'Copyright © 2000 ActiveState Tool Corp.' has not been used for some time and it is now harder to extract the original source. How much harder? You will just have to RTFB but as MeowChow pointed out it is/must be extractable. cheers tachyon	[reply]
Re^2: PerlAPP security? by jdtoronto (Prior) on Sep 17, 2004 at 05:45 UTC
tachyon My most grateful thanks. I downloaded the trial version of PE explorer and took it for a run. Not bad product, lots of interesting information - kinda confirms my hope that using PerlAPP will at least keep our code away fomr the tinkerers who have caused me many problems in the past. It is obviously extractable and could be 'got at' by someone of a more malicious bent. But RTFB is more fun this way. jdtoronto	[reply]