Risks
Vulnerabilities
Browse by
Perl2Exe EXEs Can be Decompiled
22 February 2003
Bookmark and Share
From: Domainbox, Tim Abenath (ta_at_domainbox.de)

Product:
perl2exe, http://www.indigostar.com/

Vunerability:
Perl programs "compiled" into EXEs with Perl2Exe can be decompiled and full, unadulterated source code extracted.

Vendor Status:
Vendor has been notifyed a year ago as Simon Cozens dissected perl2exe's version 5.x and posted his results here.

Analysis:

My research heavily depends on Simon Cozens work which can be found on http://ddtm.simon-cozens.org/~simon/perl2exe
Since version 5.x is already dissected i took a look on the 6.x Version.
This has been tested on the latest release
Perl2Exe V6.00 for Linux (Feb 20, 2003). Here we go:

The 6.0 Version stores a list of the included stuff at the end of the binary:

NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_pre_exec_message;SIZE=0;VALUE=
NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195

The _main.pl part is what we are looking for. As perl2exe still uses BogoCrypt, (known as XOR) this is gonna be simple to attack using 'known plaintext'.

We start with generating a plaintext file with the length of _main.pl, the content doesn't matter. Lets call that one sample.pl We compile this one using ./perl2exe sample.pl and get the binary 'sample'. We can XOR the plain and cyphertext to get the used key. Now it's time to start up our dirty little code:

#!/usr/bin/perl

$known_plain = `cat sample.pl`;
$known_cipher_file = "sample";
$sizeline = `tail -c +811048 $known_cipher_file | strings | grep
NAME=_main.pl`;
@line = split /;/, $sizeline;
@size = split /\=/, $line[1];
$known_cipher = `tail -c +811048 $known_cipher_file | head -c $size[1]`;
$key = $known_cipher ^ $known_plain;

$unknown_cipher = `tail -c +811048 perl2exe | head -c $size[1]`;

$unknown_plain = $unknown_cipher ^ $key;
print $unknown_plain, "\n";

The output should be redirected to a file, because there are still some binary bits in $unknown_plain.

ta@domainbox.de




Spotlight

Bash Shellshock bug: More attacks, more patches

Posted on 29 September 2014.  |  As vendors scramble to issue patches for the GNU Bash Shellshock bug and companies rush to implement them, attackers around the world are probing systems for the hole it opens.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Sep 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //