nashr has asked for the wisdom of the Perl Monks concerning the following question:
Re: Is there a script somewhere to de-obfuscate code?
by cog (Parson) on Mar 26, 2005 at 18:52 UTC
One thing you can try is to use Perl::Tidy on it, but that might not solve the problem, partly because the only thing that's able to parse Perl is perl itself (meaning that Perl::Tidy itself sometimes fails) and partly because even if it works, it doesn't do everything... but it might be a good start... And then you'll have to break it down into chunks and try to understand the flow of the code... it surely helps if you already have an idea of what it does... Regarding the code you're posting, it seems just like a variable name... Anyway, how did it get to the point that you're left with obfuscated scripts? It seems somebody didn't do his (her) job properly... that's no way to work...
by nashr (Novice) on Mar 27, 2005 at 13:56 UTC
It's a single long string. The full code can be obtained at http://www.perlonline.com/usersonline/index.htm This script is provided for free, so I don't think it's wrong to try and write new code based on this, I just can't read it. :)

20050527 Edit by ysth: use code paragraph, not inline.
by cog (Parson) on Mar 27, 2005 at 14:06 UTC
First, they use a *very long* variable name, which is the $A361 stuff. Then they put their code, packed, inside that variable. Afterwards, they eval their unpacked code. Simply replace the eval statement with a print and you'll get their code out, which looks like this:

```perl
$ip    = $ENV{'REMOTE_ADDR'};
$time  = time;
$found = 0;
$users = 0;

# Hand-rolled CGI query-string parsing: no CGI.pm, no taint checking.
@pairs = split(/&/, $ENV{"QUERY_STRING"});
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    chomp($value);
    $QUERY{$name} = $value;
}

# Create the data file, world-writable (0666), if it does not exist yet.
if (! (-f "data/users.txt")) {
    open (CREATE, ">data/users.txt");
    close CREATE;
    chmod(0666, "data/users.txt");
}

# Rewrite the file in place, keeping only entries younger than $minutes.
# $minutes, $style and $output are not set anywhere in this excerpt; they
# presumably come from the part of the script outside the eval'd string.
open FILE, "+<data/users.txt";
&lock(FILE);
@users = <FILE>;
chomp(@users);
seek(FILE, 0, 0);
truncate(FILE, 0);
foreach $line (@users) {
    ($savedip, $savedtime) = split /\|/, $line;
    if ($savedip eq $ip) {
        $savedtime = $time;
        $found     = 1;
    }
    if ($time < $savedtime + ($minutes * 60)) {
        print FILE "$savedip|$savedtime\n";
        $users = $users + 1;
    }
}
if ($found == 0) {
    print FILE "$ip|$time\n";
    $users = $users + 1;
}
close (FILE);

# Emit the counter either as plain HTML or wrapped in document.write().
$code = "<a href=\"http://www.perlonline.com\" style=\"$style\">$users</a>";
if ($QUERY{'output'} eq "javascript" or $output eq "javascript") {
    print "Content-type: text/html\n\n";
    $code =~ s/\'/\\\'/ig;
    $code =~ s/\"/\\\"/ig;
    print "document.write(\"$code\");";
    exit;
}
else {
    print "Content-type: text/html\n\n";
    print "$code";
    exit;
}

# Try flock(LOCK_EX) up to five times, one second apart; exit if it never succeeds.
sub lock {
    my $lock = 0;
    while ($lock < 5) {
        if (flock(@_[0], 2)) {
            return 0;
        }
        sleep (1);
        $lock++;
    }
    exit;
}
```

Simply run perltidy on that code and you'll be able to see, clearly, everything that is going on.
Re: Is there a script somewhere to de-obfuscate code?
by ambs (Pilgrim) on Mar 26, 2005 at 19:15 UTC
With the little experience I have had de-obfuscating code, I went step by step. Take a line, start trying to understand it. Try to find delimiters. Copy and paste small sections and try to compile them with perl, and see the result. This can all be fun, but be careful. There is malicious obfuscated code out there. Just take care whenever you use Perl to interpret a piece of code you don't understand. Alberto Simões
Re: Is there a script somewhere to de-obfuscate code?
by Corion (Patriarch) on Mar 27, 2005 at 03:06 UTC
The computer cannot really guess sensible variable names for your program, and most automated obfuscation techniques replace the variable names with gibberish names. diotalevi wrote B::Deobfuscate, which will help you to deobfuscate any Perl code.
by diotalevi (Canon) on Mar 27, 2005 at 17:51 UTC
B::Deobfuscate is a backend module for the Perl compiler that generates perl source code, based on the internal compiled structure that perl itself creates after parsing a program. It adds symbol renaming functions to the B::Deparse module. An obfuscated program is already parsed and interpreted correctly by the B::Deparse program. Unfortunately, if the obfuscation involved variable renaming then the resulting program also has obfuscated symbols. B::Deobfuscate takes the last step and fixes names like $z5223ed336 to be a word from a dictionary. While the name still isn't meaningful it is at least easier to distinguish and read. Here are two examples, one from B::Deparse and one from B::Deobfuscate.

Initial input:

```perl
if(@z6a703c020a){(my($z5a5fa8125d,$zcc158ad3e0)=File::Temp::tempfile('UNLINK',1));print($z5a5fa8125d "=over 8\n\n");(print($z5a5fa8125d @z6a703c020a)or die(((("Can't print $zcc158ad3e0: $!")))));print($z5a5fa8125d "=back\n");(close(*$z5a5fa8125d)or die(((("Can't close ".*$z5a5fa8125d.": $!")))));(@z8374cc586e=$zcc158ad3e0);($z9e5935eea4=1);}
```

After B::Deparse:

After B::Deobfuscate:

You'll note that the only real difference is that instead of variable names like $z9e5935eea4 you get $propagandist. Future versions of this will also add in some guessed types of variables so you'll get some Hungarian notation out too for filehandles, strings, numbers, etc.
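The two steps diotalevi describes, shown end to end on a constructed input. This is an added example and is not B::Deobfuscate's own code: step 1 uses core B::Deparse on a sub compiled from an obfuscated string, and step 2 re-implements only the renaming idea with a four-word list standing in for the module's dictionary; the sub, its gensym names and the `rename_symbols` helper are all made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not part of diotalevi's post or of B::Deobfuscate itself:
# let perl parse machine-named code, print it back with B::Deparse, then do
# the renaming step B::Deobfuscate performs, with a tiny constructed word
# list instead of a real dictionary.
use strict;
use warnings;
use B::Deparse;

# Constructed input in the style of diotalevi's example: one anonymous sub,
# compact layout, gensym-looking identifiers.
my $obfuscated = q{
  sub { my($z5a5fa8125d,@zcc158ad3e0)=@_;my $z9e5935eea4=0;
        foreach my $z8374cc586e(@zcc158ad3e0){$z9e5935eea4+=length($z8374cc586e)
        if($z8374cc586e=~/$z5a5fa8125d/);}return $z9e5935eea4 }
};
my $coderef = eval $obfuscated or die "compile failed: $@";

# Step 1: perl has already parsed the code; B::Deparse walks the optree and
# prints it back as normally laid-out source. The names are still gibberish.
my $deparsed = B::Deparse->new('-p')->coderef2text($coderef);

# Step 2: give every distinct gensym a stable word. The key is the bare name
# without its sigil, so $zcc158ad3e0[0] and @zcc158ad3e0 stay the same
# variable after renaming. Returns the rewritten text and the name map.
sub rename_symbols {
    my ($src, @words) = @_;
    my %word_for;
    $src =~ s{([\$\@\%&])(z[0-9a-f]{10})\b}{
        $word_for{$2} //= shift(@words) // die "ran out of dictionary words\n";
        $1 . $word_for{$2}
    }ge;
    return ($src, \%word_for);
}

my @dictionary = qw(haystack needles total straw);   # constructed stand-in
my ($readable, $map) = rename_symbols($deparsed, @dictionary);

print "=== B::Deparse ===\n$deparsed\n\n=== renamed ===\n$readable\n\n";
print "$_ => $map->{$_}\n" for sort keys %$map;
```

Keep the printed name map with the output: once you work out what `$haystack` really is, a second pass with a hand-chosen word list turns the dictionary names into meaningful ones, which is the part no tool can do for you.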