View Full Version : PERL Obfuscation

October 28th, 2008, 20:25
I am new to this forum. I am working on a project using a piece of commercial software (that I paid for and have a license for) that is written in PERL and uses a obfuscation process. What I am trying to do is add custom features to this software that I feel are necessary for my customers. However, the writers of the product are not able to justify developing these features in terms of time and money involved. What are my best options here? I am open to suggestions.

October 29th, 2008, 08:10
Are you saying that the application is delivered in plaintext Perl script files, that have obfuscated code in them? Or something else?

October 29th, 2008, 09:31
Yes, that is correct. The product is delivered as a bunch of PERL/CGI files that are already obfuscated. The only clue I have as to how it is encrypted is the PERL module RC4.pm located in one of the directories. Typically, the files would look something like this:

my $xpGD_Z = q"{76:$3U9gn5:8:w/z{);L1Fp8J$_=$xpGD_Z;

Like I said, I paid for this software and have a valid license for it, but I need to add more functionality. Any improvements I make will go into the public domain.

October 29th, 2008, 13:34
why don't you ask author to add those features? would save you a lots of time

October 29th, 2008, 13:52
Dude, I only wish life was that easy. I tried multiple times to no avail. I even asked if I could get access to the source if I signed an NDA and gave him copies of my work in return. The company is not responsive at all.

October 29th, 2008, 14:47
Without knowing much detail about what functionality you wish to add to the program, it is my impression that you risk spending quite a bit of time and effort reconstructing obfuscated code in order to reuse and expand over the package functionality. In fact de-obfuscating the modules could well take you longer than re-writing the necessary code from scratch.

Fortunately PERL and CGI environment share a very convenient feature: The input and the output are accessible, plain text, even if the algorithms may remain hidden in a black box fashion. Ask yourself, how much of the extra functionality you wish to add to the package can be implemented by looking at the raw input data and or the raw output data? In the field I have a little experience with, Mass Spectroscopy analysis, the answer is: Quite a bit.

Another avenue to explore, in case you have not searched before. Is there an open source equivalent to the software package in question? Chances are it will not have all the bells and whistles of the commercial, obfuscated product, but you would be on much safer technical grounds, not to mention safer legal grounds if you plan to repackage and sell your improved product to your clients.

October 30th, 2008, 12:14
It is usually relatively simple to write de-obfuscators for scripting languages, except that you will probably never get back the real names of functions, variables etc.

You will be able to trace the deobfuscated program in a debugger though, which might be enough to find the correct point to inject your patch, which preferably would be done by a small "hook" that jumps to real/readable code in a Perl module of your own.

My condolences for having to deal with obfuscated Perl code though, it's obfuscated enough in its original format.

November 1st, 2008, 00:49
[Originally Posted by dELTA;77538]
My condolences for having to deal with obfuscated Perl code though, it's obfuscated enough in its original format.

eh eh, I agree, even if someone may assert that assembler is more obfuscated than Perl...

to the good hints of dELTA (and naides) I would recommend to use google as usual: it is possible that that kind of obfuscation was made by someone else, and documented in some way... unfortunately RC4.PM is too little as a clue (there are 1180 entries in Google and the dot cannot be forced - by the way, does anybody know if forcing the dot is possible, in other words: searching EXACTLY rc4.pm? -): formulate your search adding something more...

Best regards, bilbo

November 1st, 2008, 16:03
RC4 sounds like the encryption algo.
Here's some hits for rc4.pm:

November 1st, 2008, 21:22
Put the search term in quotes ;




November 2nd, 2008, 01:27
[Originally Posted by Woodmann]Put the search term in quotes

that's not exact: it will give the 1180 superfluous results...
[Originally Posted by reverser]http://www.google.com/codesearch?q=rc4%5C.pm

that's a great hint, and - strangely - the backslash(5C) is required before the dot: without the backslash only 4 results are shown

Anyway, it looks like I was wrong: no ready to use Perl obfscation method using RC4 seems available on the net...

Best regards, bilbo

November 2nd, 2008, 13:26
Backslash escapes the period - otherwise it means "any symbol" (regular expression syntax).

November 3rd, 2008, 00:33
I see, reverser, but if this would be true I should find more hits, not less!
Best regards, bilbo

November 29th, 2008, 17:16
I don't believe the perl code is obfuscated, just encrypted, by calling eval function it will evaluate the encrypted text, decrypt it, and again I bet the decrypted text will call eval to execute itself in it's decrypted state. So eventually eval function will accept the code in clear text. Maybe you should locate eval function and dump it's parameters when called.