Breaking a Filter::decrypt like source filter

olego has asked for the wisdom of the Perl Monks concerning the following question:

Hello everybody,

every now and then I read that it would be 'easy' to get the plain source code of a Perl file that has been scrambled and is decoded by a Filter::decrypt like tool.

Then I got curious and tested it on an application that uses something like this. It does not seem easy to me at all, I have to admit.

The encrypters seem to have done some things right:

The encryption algorithm is not the Filter::decrypt one, so let's assume it is not easy to find it by guessing, brute force etc
The encryption extension is no Shared Object (not an .so file, but an .a file, and running it with a Perl executable different from that one provided with the extension ends up in 'Can't find shared object file for ... in @INC'). So it seems it is not possible to use this extension with a patched version of Perl to get the code. But I'm a C beginner, perhaps there IS a way?
The Perl executable provided is build without -DDEBUGGING.
A check for Perl compiler is included, so the process dies if you try something like perl -MO=Deparse

The only 'weaknesses' I see is that the presence of another filter is not checked, as it seems. Perhaps one could add another filter to get the code, but how?
Also, both the extension and the perl executable are not stripped. But I'm not so deep into things that this would help in any way...

So, does anyone have a clue why and how it is so 'easy' to get the source code out of this?

Cheers,
Ole

Comment on Breaking a Filter::decrypt like source filter

Replies are listed 'Best First'.
Re: Breaking a Filter::decrypt like source filter by ikegami (Patriarch) on Jan 24, 2007 at 17:35 UTC
The ease comes from necessarily having the decryptor at hand. You can't run the script without the decryptor, and with the decryptor, you can get the source back. Update: Just to be clear, when people say the script can easily be decrypted, they mean it can easily be decrypted by someone who can run it. If proper encrpytion is used, is can be perfectly safe while attached to an email, etc.	[reply]
Re^2: Breaking a Filter::decrypt like source filter by olego (Acolyte) on Jan 24, 2007 at 20:59 UTC
Hello, Thx for your reply. Of course I have the decrypter. And you are right, without it the scripts could not be run. Only thing is, the decrypter is a source filter. So after the source is decrypted, it is somewhere located in memory and from there parsed, compiled, executed. I see no real chance to get a look on it (apart from searching in memory dumps like was proposed in this thread also).	[reply]
Re^3: Breaking a Filter::decrypt like source filter by ikegami (Patriarch) on Jan 24, 2007 at 21:04 UTC
It's trivial to patch Perl to display the source code it parses.	[reply]
Re^4: Breaking a Filter::decrypt like source filter by olego (Acolyte) on Jan 24, 2007 at 21:13 UTC
Re^5: Breaking a Filter::decrypt like source filter by ikegami (Patriarch) on Jan 24, 2007 at 22:57 UTC
Re^3: Breaking a Filter::decrypt like source filter (Filter::ExtractSource) by ikegami (Patriarch) on Jan 25, 2007 at 19:16 UTC
oo! I just came across Filter::ExtractSource. Check it out!	[reply]
Re^4: Breaking a Filter::decrypt like source filter (Filter::ExtractSource) by olego (Acolyte) on Jan 25, 2007 at 21:13 UTC
Re: Breaking a Filter::decrypt like source filter by ferreira (Chaplain) on Jan 24, 2007 at 18:17 UTC
This discussion initiated by brian_d_foy at use.perl may be inspiring: Perl source obfuscators are stupid	[reply]
Re^2: Breaking a Filter::decrypt like source filter by olego (Acolyte) on Jan 24, 2007 at 21:01 UTC
Hello, thx for your answer, unfortunately I'm not talking on some obfuscator, but encrypted sources. Thx for the input anyway.	[reply]
Re: Breaking a Filter::decrypt like source filter by kyle (Abbot) on Jan 24, 2007 at 17:37 UTC
I'd be tempted to `cp /proc/kcore haystack` and have a look through it. (This is the method I've used to recover accidentally deleted emails a few times.)	[reply] [d/l]
Re: Breaking a Filter::decrypt like source filter by ikegami (Patriarch) on Jan 24, 2007 at 17:55 UTC
The encryption extension is no Shared Object (not an .so file, but an .a file, and running it with a Perl executable different from that one provided with the extension ends up in 'Can't find shared object file for ... in @INC'). So it seems it is not possible to use this extension with a patched version of Perl to get the code. But I'm a C beginner, perhaps there IS a way? Wait, does that mean a custom Perl is needed? If so, you're not talking about the strength of a filter.	[reply]
Re: Breaking a Filter::decrypt like source filter by diotalevi (Canon) on Jan 24, 2007 at 19:48 UTC
A check for Perl compiler is included, so the process dies if you try something like perl -MO=Deparse What's it looking for? I'm sure there are ways around that. ⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊	[reply]
Re^2: Breaking a Filter::decrypt like source filter by olego (Acolyte) on Jan 24, 2007 at 21:06 UTC
It's in the XS file (I don't have the sources of it, just the libryry file). I'd think it's like in Filter::decrypt, where it goes like this: `BOOT: /* Check for the presence of the Perl Compiler */ if (gv_stashpvn("B", 1, FALSE)) croak("Aborting, Compiler detected") ;` [download]	[reply] [d/l]
Re^3: Breaking a Filter::decrypt like source filter by diotalevi (Canon) on Jan 24, 2007 at 21:30 UTC
So rename it. You'll need to edit B.pm, B.xs, O.pm, and B/Deparse.pm. Or cause Filter::decrypt to load prior to B::Deparse so its BOOT is done in advance. `perl -MFilter::decrypt -MO=Deparse ...` ⠤⠤ ⠙⠊⠕⠞⠁⠇⠑⠧⠊	[reply] [d/l]
Re^4: Breaking a Filter::decrypt like source filter by olego (Acolyte) on Jan 24, 2007 at 22:12 UTC
Re^5: Breaking a Filter::decrypt like source filter by diotalevi (Canon) on Jan 24, 2007 at 22:13 UTC
A reply falls below the community's threshold of quality. You may see it by logging in.