Perl2Exe EXEs Can Be Decompiled (update)

From: Domainbox, Tim Abenath (taat_private)
Date: Fri Feb 21 2003 - 04:09:56 PST


    Product:
        perl2exe, http://www.indigostar.com/
    
    Vulnerability:
        Perl programs "compiled" into EXEs with Perl2Exe can be decompiled and
        the full, unadulterated source code extracted.
    
    Vendor Status:
        The vendor was notified a year ago, when Simon Cozens dissected perl2exe
        version 5.x and posted his results here.
    
    Analysis:
    
    My research heavily depends on Simon Cozens' work, which can be found at
    http://ddtm.simon-cozens.org/~simon/perl2exe
    Since version 5.x is already dissected, I took a look at the 6.x version.
    This has been tested on the latest release,
    Perl2Exe V6.00 for Linux (Feb 20, 2003). Here we go:
    
    The 6.0 Version stores a list of the included stuff at the end of the
    binary:
    
    NAME=p2x_stub.lib;SIZE=811048;ENC=0
    NAME=p2x_pre_exec_message;SIZE=0;VALUE=
    NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
    NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
    NAME=_main.pl;SIZE=6339;ENC=1
    NAME=P2X-V06.TOC;SIZE=195
    
    The _main.pl part is what we are looking for. As perl2exe still uses
    BogoCrypt (known as XOR), this is gonna be simple to attack using
    'known plaintext'.
    
    We start with generating a plaintext file with the length of _main.pl; the
    content doesn't matter. Let's call that one sample.pl.
    We compile this one using ./perl2exe sample.pl and get the binary 'sample'.
    We can XOR the plaintext and ciphertext to get the used key. Now it's time
    to start up our dirty little code:
    
    #!/usr/bin/perl
    use strict;
    use warnings;
    
    # Known plaintext: the dummy script we compiled ourselves (same length as _main.pl).
    my $known_plain       = `cat sample.pl`;
    my $known_cipher_file = "sample";
    
    # Pull the TOC line for _main.pl out of the payload that follows the 811048-byte stub.
    # Note: tail -c +N is 1-based, i.e. output starts at byte N of the file.
    my $sizeline = `tail -c +811048 $known_cipher_file | strings | grep NAME=_main.pl`;
    my @line = split /;/, $sizeline;    # NAME=_main.pl / SIZE=6339 / ENC=1
    my @size = split /=/, $line[1];     # SIZE / 6339
    my $len  = $size[1];
    
    # Ciphertext of the known script; key = ciphertext XOR plaintext (string XOR in Perl).
    my $known_cipher = `tail -c +811048 $known_cipher_file | head -c $len`;
    my $key = $known_cipher ^ $known_plain;
    
    # Apply the recovered key to the same region of the target binary (here: perl2exe itself).
    my $unknown_cipher = `tail -c +811048 perl2exe | head -c $len`;
    my $unknown_plain  = $unknown_cipher ^ $key;
    print $unknown_plain, "\n";
    
    The output should be redirected to a file, because there are still some
    binary bits in $unknown_plain.
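The following is an added, self-contained example (not code from the post or from Indigostar) that puts the two pieces above together on constructed data: a parser for the trailing NAME=...;SIZE=...;ENC=... table of contents, and the known-plaintext step that recovers a position-based XOR keystream from one file you built yourself and applies it to another file produced by the same tool. The stub bytes, the keystream and the layout (encrypted script immediately after the stub, TOC text at the end) are all constructed stand-ins chosen for illustration, not perl2exe's real format; the function names are mine. It also covers the length caveat the post glosses over: only as many bytes as the known sample covers can be recovered.

```python
import re

# Constructed stand-ins (not taken from perl2exe): a fake stub and a fixed keystream.
STUB = b"\x7fELF" + b"\x00" * 60
KEYSTREAM = bytes((i * 37 + 11) & 0xFF for i in range(64))


def bogocrypt(data: bytes, keystream: bytes) -> bytes:
    """Position-based XOR ('BogoCrypt' in the post). The same call encrypts and decrypts."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def build_binary(script: bytes) -> bytes:
    """Lay out a constructed 'compiled' file: stub, XOR'd script, trailing TOC."""
    toc = (b"NAME=p2x_stub.lib;SIZE=%d;ENC=0\n" % len(STUB)
           + b"NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl\n"
           + b"NAME=_main.pl;SIZE=%d;ENC=1\n" % len(script))
    return STUB + bogocrypt(script, KEYSTREAM) + toc


def parse_toc(binary: bytes) -> dict:
    """Parse trailing NAME=...;FIELD=value;... lines into {name: {field: value}}."""
    entries = {}
    for m in re.finditer(rb"NAME=([^;\n]+);([^\n]*)", binary):
        fields = (kv.split(b"=", 1) for kv in m.group(2).split(b";") if b"=" in kv)
        entries[m.group(1).decode()] = {k.decode(): v.decode() for k, v in fields}
    return entries


def script_region(binary: bytes):
    """(offset, size) of the encrypted _main.pl; assumes it directly follows the stub."""
    toc = parse_toc(binary)
    return int(toc["p2x_stub.lib"]["SIZE"]), int(toc["_main.pl"]["SIZE"])


def recover_key(known_plain: bytes, known_binary: bytes) -> bytes:
    """Known-plaintext step: key = ciphertext XOR plaintext, byte by byte."""
    off, size = script_region(known_binary)
    cipher = known_binary[off:off + size]
    return bytes(c ^ p for c, p in zip(cipher, known_plain))


def recover_script(target_binary: bytes, key: bytes) -> bytes:
    """Apply the recovered key to another file built by the same tool.

    zip() stops at the shorter operand, so only the prefix covered by the key
    comes back; a target longer than the sample stays partially unknown, which
    is why the post says to make sample.pl as long as _main.pl."""
    off, size = script_region(target_binary)
    cipher = target_binary[off:off + size]
    return bytes(c ^ k for c, k in zip(cipher, key))


def demo() -> bytes:
    """End to end on constructed data: build a known sample, recover the key, decrypt a target."""
    target = b"#!/usr/bin/perl\nprint \"secret business logic\\n\";\n"
    sample = b"A" * len(target)            # chosen plaintext of equal length
    key = recover_key(sample, build_binary(sample))
    return recover_script(build_binary(target), key)


if __name__ == "__main__":
    print(demo().decode())
```

The point for anyone relying on such a packer is that the keystream never depended on anything the attacker lacks: one run of the tool on a file of your own choosing yields it, and every other file the tool produced decrypts with it. Source that has to execute on an untrusted endpoint should be treated as readable by whoever holds the endpoint; a packer can raise effort, not change that.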
    
    taat_private
    



    This archive was generated by hypermail 2b30 : Fri Feb 21 2003 - 13:21:21 PST