[prog] 'protecting' perl code

Almut Behrens almut-behrens at gmx.net
Fri May 7 08:45:42 EST 2004


On Fri, May 07, 2004 at 04:14:12AM +0200, Riccarda Cassini wrote:
> 
> If I'm understanding this correctly, the protection level achieved by
> some properly done obfuscation would roughly be the same as that of an
> ordinary binary program.  In the latter case you'd have to reverse
> engineer the binary in the debugger, while with the obfuscated perl
> script, you'd have to crack the special perl interpreter containing the
> decryption routines. Is that right?

Essentially yes - with one exception: if you have several different
binary programs, a potential cracker would have to reverse engineer
every single one separately.  With encrypted perl scripts, however,
it would suffice to crack the special perl interpreter _once_ (and
then patch the perl binary to have it output the internally decrypted
source, for example). Once the decryption logic and the way it's built
into the perl interpreter is compromised, a cracker would essentially
have free access to the plaintext code of all other scripts encrypted
with the same crypt-algorithm/random seed, etc.
Depending on context, this could be an important distinction.

I'll add some more on this in my reply to Jacinta's mails.
I'm afraid this is going to be more than just three lines, though, so
I'll do that some time later in the day - as soon as I get around to it.

For the moment, let me only say that there seems to be some fundamental
misunderstanding as to the technique I'm proposing. More on that later.

> 
> Looks like I have to learn some C.  Sooner than I thought.  Actually,
> I wanted to dive into Perl first...
> Looks like an almost perpendicular learning curve, if you ask me ;-)
> Well, I'm not the one to be discouraged easily, whatever the obstacle.
> Other people have done it, so why shouldn't I?

Sorry, I didn't mean to discourage you...
Well, with some sample implementation to look at, I think you'll have
a realistic chance to figure out how it works, and how to modify it.

Having said this, I'll have to admit that the learning curve probably
_will_ be steep -- unfortunately, learning some C is not the only task
you'll have to master. You'll also need some minimal understanding of
perl's guts, how to write extension (XS) modules, and so on.
So, if you plan to take on this project, try to get as much time
allotted for it as anyhow possible, so you won't be fighting against
deadlines sooner than necessary.

> 
> I guess I can request the details as required...?

Sure.


> > For various reasons I don't want to go into here, I can't make the
> > source of the solution I wrote publicly available. But you (Riccarda)
> > can have the code, makefiles, etc. as an example solution, if you
> > promise to modify it sufficiently and not sell it to someone in the
> > immediate vicinity of the company I originally wrote it for.
> 
> That'd be very nice! - I'll promise whatever you want...

...sounds promising  (sorry, couldn't resist ;)

> I'm sure any of my attempts to recast the code will disfigure it
> beyond recognition.

:-)   c'mon, Riccarda!
I'm sure you'll take that challenge and pass it with flying colors!



> > Well, you know what to do first...
> > 
> Yes...

...that was more than I was asking for -- you're making me weak :) :*

You apologized so nicely. In turn, I promise to behave myself. Okay?
Just gimme a call sometime in the evening - I guess there are a couple
of things to discuss (technical and non-technical).

Almut

 

