BugTraq
Perl2Exe EXEs Can Be Decompiled (update) Feb 21 2003 12:09PM
Domainbox, Tim Abenath (ta domainbox de) (1 replies)
Product:
perl2exe, http://www.indigostar.com/

Vulnerability:
Perl programs "compiled" into EXEs with Perl2Exe can be decompiled and
full, unadulterated source code extracted.

Vendor Status:
Vendor was notified a year ago when Simon Cozens dissected perl2exe's
version 5.x and posted his results here.

Analysis:

My research heavily depends on Simon Cozens' work, which can be found at
http://ddtm.simon-cozens.org/~simon/perl2exe
Since version 5.x has already been dissected, I took a look at the 6.x version.
This has been tested on the latest release,
Perl2Exe V6.00 for Linux (Feb 20, 2003). Here we go:

The 6.0 version stores a list of the included stuff at the end of the
binary:

NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_pre_exec_message;SIZE=0;VALUE=
NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195

The _main.pl part is what we are looking for. As perl2exe still uses
BogoCrypt (known as XOR), this is gonna be simple to attack using
'known plaintext'.

We start with generating a plaintext file with the length of _main.pl; the
content doesn't matter. Let's call that one sample.pl.
We compile this one using ./perl2exe sample.pl and get the binary 'sample'.
We can XOR the plain- and ciphertext to get the used key. Now it's time to
start up our dirty little code:

#!/usr/bin/perl
use strict;
use warnings;

# Plaintext we compiled ourselves (same length as the target's _main.pl).
my $known_plain = `cat sample.pl`;
my $known_cipher_file = "sample";

# Locate the TOC line for _main.pl in the payload that follows the stub
# (p2x_stub.lib is 811048 bytes) and pull out its SIZE field.
my $sizeline = `tail -c +811048 $known_cipher_file | strings | grep NAME=_main.pl`;
my @line = split /;/, $sizeline;
my @size = split /=/, $line[1];

# Known ciphertext of the same length; XOR with the known plaintext yields the key.
my $known_cipher = `tail -c +811048 $known_cipher_file | head -c $size[1]`;
my $key = $known_cipher ^ $known_plain;

# Apply the recovered key to the ciphertext taken from the target binary.
my $unknown_cipher = `tail -c +811048 perl2exe | head -c $size[1]`;

my $unknown_plain = $unknown_cipher ^ $key;
print $unknown_plain, "\n";

The output should be redirected to a file, because there are still some
binary bits in $unknown_plain.
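Added example (Python, not code from the original post) modelling the weakness described above: a parser for the NAME=...;SIZE=...;ENC=... trailer lines quoted earlier, plus a simulated fixed-key XOR "encryption" that shows why compiling one self-chosen script of the same length recovers the key and with it any other script built with that key. FIXED_KEY, both sample scripts and all function names are constructed for this demonstration and are not perl2exe's.

```python
def parse_toc(trailer: str) -> list:
    """Parse trailer lines of the form NAME=...;SIZE=...;ENC=... into dicts.
    SIZE and ENC become ints; other fields (e.g. VALUE) stay strings."""
    entries = []
    for line in trailer.splitlines():
        if not line.startswith("NAME="):
            continue
        fields = dict(field.split("=", 1) for field in line.split(";"))
        fields["SIZE"] = int(fields["SIZE"])
        fields["ENC"] = int(fields.get("ENC", "0"))
        entries.append(fields)
    return entries

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter operand."""
    return bytes(x ^ y for x, y in zip(a, b))

def recover_key(known_plain: bytes, known_cipher: bytes) -> bytes:
    """Known-plaintext attack on XOR: key = C ^ P, valid for len(known_plain)."""
    return xor_bytes(known_cipher, known_plain)

# --- constructed demo: a fixed key baked into every build (made-up value) ---
FIXED_KEY = bytes((i * 37 + 11) & 0xFF for i in range(64))
TARGET_SCRIPT = b'#!/usr/bin/perl\nprint "secret business logic\\n";\n'
SAMPLE_SCRIPT = b"x" * len(TARGET_SCRIPT)   # same length, content irrelevant

def bogocrypt(plain: bytes) -> bytes:
    """Models the ENC=1 payload protection as XOR with the fixed key."""
    return xor_bytes(plain, FIXED_KEY)

def recover_target(sample_len: int) -> bytes:
    """Recover key bytes for the first sample_len positions from our own
    compiled sample, then apply them to the target's ciphertext. The result
    is exactly as long as the known plaintext, hence the same-length advice."""
    sample = SAMPLE_SCRIPT[:sample_len]
    key = recover_key(sample, bogocrypt(sample))
    return xor_bytes(bogocrypt(TARGET_SCRIPT), key)

# Trailer text constructed from the listing quoted in the post above.
SAMPLE_TRAILER = """NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195"""

if __name__ == "__main__":
    for entry in parse_toc(SAMPLE_TRAILER):
        print(entry["NAME"], entry["SIZE"], "encrypted" if entry["ENC"] else "plain")
    print(recover_target(len(TARGET_SCRIPT)).decode())
```

A shorter sample only recovers the matching prefix of the target, which is the practical reason the post pads sample.pl to the length of _main.pl.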

ta (at) domainbox (dot) de [email concealed]

Re: Perl2Exe EXEs Can Be Decompiled (update) Feb 22 2003 07:20AM
Kain (kain kain org)
Copyright 2010, SecurityFocus