From: Domainbox, Tim Abenath (ta_at_domainbox.de)

Product:
perl2exe, http://www.indigostar.com/

Vunerability:
Perl programs "compiled" into EXEs with Perl2Exe can be decompiled and full, unadulterated source code extracted.

Vendor Status:
Vendor has been notifyed a year ago as Simon Cozens dissected perl2exe's version 5.x and posted his results here.

Analysis:

My research heavily depends on Simon Cozens work which can be found on http://ddtm.simon-cozens.org/~simon/perl2exe
Since version 5.x is already dissected i took a look on the 6.x Version.
This has been tested on the latest release
Perl2Exe V6.00 for Linux (Feb 20, 2003). Here we go:

The 6.0 Version stores a list of the included stuff at the end of the binary:

NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_pre_exec_message;SIZE=0;VALUE=
NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195

The _main.pl part is what we are looking for. As perl2exe still uses BogoCrypt, (known as XOR) this is gonna be simple to attack using 'known plaintext'.

We start with generating a plaintext file with the length of _main.pl, the content doesn't matter. Lets call that one sample.pl We compile this one using ./perl2exe sample.pl and get the binary 'sample'. We can XOR the plain and cyphertext to get the used key. Now it's time to start up our dirty little code:

#!/usr/bin/perl

$known_plain = `cat sample.pl`;
$known_cipher_file = "sample";
$sizeline = `tail -c +811048 $known_cipher_file | strings | grep
NAME=_main.pl`;
@line = split /;/, $sizeline;
@size = split /\=/, $line[1];
$known_cipher = `tail -c +811048 $known_cipher_file | head -c $size[1]`;
$key = $known_cipher ^ $known_plain;

$unknown_cipher = `tail -c +811048 perl2exe | head -c $size[1]`;

$unknown_plain = $unknown_cipher ^ $key;
print $unknown_plain, "\n";

The output should be redirected to a file, because there are still some binary bits in $unknown_plain.

ta@domainbox.de