All the Perl that's Practical to Extract and Report

  • I wrote the initial set of code that Larry turned into the CRYPTSWITCH enabled encryption filter in early perl3. Carrying forward that ability for encrypting scripts was the initial purpose of the Filter module in perl5, although the ability to apply arbitrary filtering to the incoming code stream was designed into it and the Filter::Crypt module was one of the initial examples of how to use that ability.

    But, the company I was at was never foolish enough to believe that encrypting scripts made the code safely unreadable to all end users. It does make it unreadable to coldshot users and it lets the hotshot programmer type users know that the copyright owners of the code don't want to share it with them so if they were to actually copy the code they will clearly be aware of taking part in copyright infringement. Which they generally respect (although they might break the encryption just to prove to themselves that they can). The company didn't believe it because the two of us who implemented the encryption taught them that it was impossible - if the script is going to run at all, then Perl has to be able to read it which means that at some point it has to be in readable form. So, they were foolish enough to ask for the impossible but smart enough to accept that it couldn't be done.

    • I recall scaring the hell out of a programmer that was relying on Filter::decrypt. He'd thought it was full-on encryption rather than just elaborate obfuscation, and apparently the company had bought into that, too. I told him I could bust the obfuscation. He didn't believe me, so he sent me a simple sample. IIRC my algorithm was something like...

      require the code
      walk the symbol table looking for globals and subroutines
      Data::Dumper the globals
      B::Deparse the subroutines

      The tricky part was the file-scoped
      • I haven't tried it, but what I figured the easiest method (even before B::Deparse came along) would be to write another filter and name it Filter::Decrypt. It would use the "real" Filter::Decrypt but tee the results before passing them on as its "filtered" output. It's the basic man-in-the-middle attack.