Risks
Vulnerabilities
Browse by
Perl2Exe EXEs Can be Decompiled
22 February 2003
Bookmark and Share
From: Domainbox, Tim Abenath (ta_at_domainbox.de)

Product:
perl2exe, http://www.indigostar.com/

Vunerability:
Perl programs "compiled" into EXEs with Perl2Exe can be decompiled and full, unadulterated source code extracted.

Vendor Status:
Vendor has been notifyed a year ago as Simon Cozens dissected perl2exe's version 5.x and posted his results here.

Analysis:

My research heavily depends on Simon Cozens work which can be found on http://ddtm.simon-cozens.org/~simon/perl2exe
Since version 5.x is already dissected i took a look on the 6.x Version.
This has been tested on the latest release
Perl2Exe V6.00 for Linux (Feb 20, 2003). Here we go:

The 6.0 Version stores a list of the included stuff at the end of the binary:

NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_pre_exec_message;SIZE=0;VALUE=
NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195

The _main.pl part is what we are looking for. As perl2exe still uses BogoCrypt, (known as XOR) this is gonna be simple to attack using 'known plaintext'.

We start with generating a plaintext file with the length of _main.pl, the content doesn't matter. Lets call that one sample.pl We compile this one using ./perl2exe sample.pl and get the binary 'sample'. We can XOR the plain and cyphertext to get the used key. Now it's time to start up our dirty little code:

#!/usr/bin/perl

$known_plain = `cat sample.pl`;
$known_cipher_file = "sample";
$sizeline = `tail -c +811048 $known_cipher_file | strings | grep
NAME=_main.pl`;
@line = split /;/, $sizeline;
@size = split /\=/, $line[1];
$known_cipher = `tail -c +811048 $known_cipher_file | head -c $size[1]`;
$key = $known_cipher ^ $known_plain;

$unknown_cipher = `tail -c +811048 perl2exe | head -c $size[1]`;

$unknown_plain = $unknown_cipher ^ $key;
print $unknown_plain, "\n";

The output should be redirected to a file, because there are still some binary bits in $unknown_plain.

ta@domainbox.de




Spotlight

Patching: The least understood line of defense

Posted on 29 August 2014.  |  How many end users, indeed how many IT pros, truly get patching? Sure, many of us see Windows install updates when we shut down our PC and think all is well. Itís not.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Sep 2nd
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //