Obfuscation of Perl code

Stunnix Perl-Obfus. Alternatives.

What is obfuscation?

It is the conversion of source code into a non-readable form that behaves exactly like the original code, with no way to recover the original code from it.

Sample of obfuscation (before and after):

    my $error_level = 4; # error level to show alerts for
    sub log_error {
        my ($whereStr,$msg) = @_;
        log_common(3,"error:$whereStr",$msg); #call common function
    }

(my $zfafb4b3d80=(0x125a+ 395-0x13e1)); sub z9fe5826ce8 { (my ( $zce55a28aab,$zea4cd01646)=@_);za56048cb23 ((0x05b7+ 6823-0x205b),( "\x65\x72\x72\x6f\x72\x3a".$zce55a28aab),$zea4cd01646);}

What transformations?

(my $zfafb4b3d80=(0x125a+ 395-0x13e1)); sub z9fe5826ce8 { (my ( $zce55a28aab, $zea4cd01646) =@_); za56048cb23 ((0x05b7+ 6823 -0x205b),( "\x65\x72\x72\x6f\x72\x3a". $zce55a28aab), $zea4cd01646);}

  • Renaming of symbol names that are allowed to be renamed
  • Removing comments
  • Adding extra parentheses
  • Turning interpolation of strings into concatenation
  • Removal of whitespace characters
  • Escaping strings: "\x72\x3a"
  • Replacing int constants with expressions: (0x125a+ 395-0x13e1)
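
The string escaping and integer-constant transformations above preserve values, so a reviewer auditing obfuscated Perl can undo them mechanically; renamed symbols and removed comments cannot be recovered this way. The Python code below is an added example, not part of the original slides or of Stunnix Perl-Obfus: the function names are hypothetical, and the regular expressions are heuristics that do not parse Perl.

```python
import re

# Constructed sample: the obfuscated line shown on the slide.
SAMPLE = r'''(my $zfafb4b3d80=(0x125a+ 395-0x13e1)); sub z9fe5826ce8 { (my ( $zce55a28aab,$zea4cd01646)=@_);za56048cb23 ((0x05b7+ 6823-0x205b),( "\x65\x72\x72\x6f\x72\x3a".$zce55a28aab),$zea4cd01646);}'''

# Perl integer literal: hex, octal (leading 0) or decimal.
INT = r'(?:0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)'
# Parenthesised sum/difference made only of integer literals.
CONST_EXPR = re.compile(r'\(\s*(' + INT + r'(?:\s*[+-]\s*' + INT + r')+)\s*\)')
# Double-quoted string consisting only of \xHH escapes.
HEX_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')

def perl_int(lit):
    """Value of a Perl integer literal (hex, octal or decimal)."""
    if lit[:2].lower() == '0x':
        return int(lit, 16)
    if len(lit) > 1 and lit[0] == '0':
        return int(lit, 8)
    return int(lit)

def fold_constants(src):
    """Replace (0x125a+ 395-0x13e1) with (4); the parentheses are kept so
    that a call such as foo(1+2) stays a call."""
    def fold(m):
        total = 0
        for sign, lit in re.findall(r'([+-]?)\s*(' + INT + r')', m.group(1)):
            total += -perl_int(lit) if sign == '-' else perl_int(lit)
        return '(' + str(total) + ')'
    return CONST_EXPR.sub(fold, src)

def decode_hex_strings(src):
    """Turn "\\x65\\x72..." back into readable text when the result is plain
    ASCII with no characters that are special inside a Perl "..." string."""
    def decode(m):
        text = bytes.fromhex(m.group(1).replace('\\x', '')).decode('latin-1')
        if all(32 <= ord(c) < 127 and c not in '"\\$@' for c in text):
            return '"' + text + '"'
        return m.group(0)  # leave anything risky untouched
    return HEX_STRING.sub(decode, src)

def normalize(src):
    return decode_hex_strings(fold_constants(src))

if __name__ == '__main__':
    print(normalize(SAMPLE))
```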

Why is it useful?

  • If you are ashamed of code quality :-)
  • If you need to give a demo of your code to a customer without fear of not being paid in full for your work
  • When distributing your Perl-based product (to avoid illegal integration of your code into other projects)
  • When outsourcing development of modules for a complex project to an untrusted team (giving them obfuscated code with API symbols unchanged)

Advanced features of obfuscation

  • Obfuscated code is still source code - it works on all platforms where Perl is available, with any version of Perl
  • You can leave any 3rd-party modules unchanged (obfuscating only your code)
  • You can leave public API symbol names unchanged (so that non-obfuscated code can call your obfuscated code)
  • Eval can be used in the code too (after small modifications)

Features of Stunnix Perl Obfuscator

  • Reliable: does not use regexps for parsing source code
  • Supports code watermarking (to identify the customer who leaked the code)
  • Supports encoding after obfuscation to hide the logical structure of the program (eval("eval('something')"))
  • Expiration, binding to network domain
  • Command-line interface, as well as a cross-platform GUI (based on Stunnix Perl Web Server)
  • Various tools to make preparing code for obfuscation easier
  • Mature - over 10 years on the market.

Alternatives to obfuscation for code protection

  • Usual approach: Perl is very cryptic for non-Perl programmers, so no obfuscation is necessary?
  • PAR, PerlApp - aim to pack the Perl interpreter along with your code but do not hide your code; the original code is easy to get
  • Perl2Exe - encrypts Perl files somehow; possibly they can be decrypted or stolen from a memory dump; no mod_perl support at all; needs building for each platform