Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Obfuscation is not Security 7 Comments More | Login | Reply /

 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • I wonder if I could get a job obfuscating code :-)
  • I wrote the initial set of code that Larry turned into the CRYPTSWITCH enabled encryption filter in early perl3. Carrying forward that ability for encrypting scripts was the initial purpose of the Filter module in perl5, although the ability to apply arbitrary filtering to the incoming code stream was designed into it and the Filter::Crypt module was one of the initial examples of how to use that ability.

    But, the company I was at was never foolish enough to believe that encrypting scripts made the code saf

    • I recall scaring the hell out of a programmer that was relying on Filter::decrypt. He'd thought it was full on encryption rather than just elaborate obfuscation and apparently the company had bought into that, too. I told him I could bust the obfuscation. He didn't believe me so he sent me a simple sample. IIRC my algorithm was something like...

      require the code
      walk the symbol table looking for globals and subroutines
      Data::Dumper the globals
      B::Deparse the subroutines

      The tricky part was the file-scoped
      • I haven't tried it, but what I figured the easiest method (even before B::Deparse came along) would be to write another filter and name it Filter::Decrypt. It would use the "real" Filter::Decrypt but tee the results before passing them on as its "filtered" output. It's the basic man-in-the-middle attack.

  • Man what the heck is that doing on an O’Reilly site.

    I do have to qualify that obscurity is not the devil: there is no need to help an attacker along, regardless how safe you think you are. It’s way foolish to rely on obscurity as the your sole line of defense, though. That’s just asking for trouble.

  • the vast majority of software pirates won't spend 500 hours reverse engineering and patching a simple $10 shareware application

    Every anti-piracy method is based on this assumption. Every one fails because it is not true. It was not true back when it was a bunch of computer nerds copying 5 1/4" floppies using BitNibbler downloaded off a dial-up BBS and its not even remotely true now with your grandma downloading music over BitTorrent.

    The vast majority do not need to break the obfuscation. Just one.

Stories, comments, journals, and other submissions on use Perl; are Copyright 1998-2006, their respective owners.