Risks
Vulnerabilities
Browse by
Perl2Exe EXEs Can be Decompiled
22 February 2003
Bookmark and Share
From: Domainbox, Tim Abenath (ta_at_domainbox.de)

Product:
perl2exe, http://www.indigostar.com/

Vunerability:
Perl programs "compiled" into EXEs with Perl2Exe can be decompiled and full, unadulterated source code extracted.

Vendor Status:
Vendor has been notifyed a year ago as Simon Cozens dissected perl2exe's version 5.x and posted his results here.

Analysis:

My research heavily depends on Simon Cozens work which can be found on http://ddtm.simon-cozens.org/~simon/perl2exe
Since version 5.x is already dissected i took a look on the 6.x Version.
This has been tested on the latest release
Perl2Exe V6.00 for Linux (Feb 20, 2003). Here we go:

The 6.0 Version stores a list of the included stuff at the end of the binary:

NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_pre_exec_message;SIZE=0;VALUE=
NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195

The _main.pl part is what we are looking for. As perl2exe still uses BogoCrypt, (known as XOR) this is gonna be simple to attack using 'known plaintext'.

We start with generating a plaintext file with the length of _main.pl, the content doesn't matter. Lets call that one sample.pl We compile this one using ./perl2exe sample.pl and get the binary 'sample'. We can XOR the plain and cyphertext to get the used key. Now it's time to start up our dirty little code:

#!/usr/bin/perl

$known_plain = `cat sample.pl`;
$known_cipher_file = "sample";
$sizeline = `tail -c +811048 $known_cipher_file | strings | grep
NAME=_main.pl`;
@line = split /;/, $sizeline;
@size = split /\=/, $line[1];
$known_cipher = `tail -c +811048 $known_cipher_file | head -c $size[1]`;
$key = $known_cipher ^ $known_plain;

$unknown_cipher = `tail -c +811048 perl2exe | head -c $size[1]`;

$unknown_plain = $unknown_cipher ^ $key;
print $unknown_plain, "\n";

The output should be redirected to a file, because there are still some binary bits in $unknown_plain.

ta@domainbox.de




Spotlight

New Zeus variant targets users of 150 banks

Posted on 19 December 2014.  |  A new variant of the infamous Zeus banking and information-stealing Trojan has been created to target the users of over 150 different banks and 20 payment systems in 15 countries, including the UK, the US, Russia, Spain and Japan.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Mon, Dec 22nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //