Obfuscation of Perl code.
Stunnix Perl-Obfus. Alternatives.
This is an S5-based presentation. If viewing in a browser, use the keyboard arrows to navigate between slides.
What is obfuscation?
It is the conversion of source code into a non-readable form that behaves exactly like the original code, without the ability to recover the original code from it.
Sample of obfuscation (before and after):
my $error_level = 4; # error level to show alerts for
sub log_error {
    my ($whereStr,$msg) = @_;
    log_common(3,"error:$whereStr",$msg); #call common function
}
(my $zfafb4b3d80=(0x125a+ 395-0x13e1)); sub z9fe5826ce8 { (my ( $zce55a28aab,$zea4cd01646)=@_);za56048cb23 ((0x05b7+ 6823-0x205b),( "\x65\x72\x72\x6f\x72\x3a".$zce55a28aab),$zea4cd01646);}
What transformations?
(my $zfafb4b3d80=(0x125a+ 395-0x13e1)); sub z9fe5826ce8 { (my (
$zce55a28aab, $zea4cd01646) =@_); za56048cb23 ((0x05b7+ 6823 -0x205b),(
"\x65\x72\x72\x6f\x72\x3a". $zce55a28aab), $zea4cd01646);}
- Renaming of symbol names that are allowed to be renamed
- Removing comments
- Adding extra parentheses
- Turning interpolation of strings into concatenation
- Removal of whitespace characters
- Escaping strings "\x72\x3a"
- Replacing int constants with expressions: (0x125a+ 395-0x13e1)
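As an added example (not part of the original slides and not Stunnix's code), the Python sketch below shows which of the listed transformations are value-preserving encodings that a code reviewer can fold back with pattern matching (hex-escaped strings, integer expressions) and which are lossy (renamed symbols, removed comments). The regexes and the "z plus 10 hex digits" naming pattern are assumptions drawn from the sample line above; this is not a Perl parser.

```python
import re

# Constructed input: the obfuscated line from the slide above.
SAMPLE = (
    '(my $zfafb4b3d80=(0x125a+ 395-0x13e1)); sub z9fe5826ce8 { (my ( '
    '$zce55a28aab,$zea4cd01646)=@_);za56048cb23 ((0x05b7+ 6823-0x205b),( '
    '"\\x65\\x72\\x72\\x6f\\x72\\x3a".$zce55a28aab),$zea4cd01646);}'
)

INT = r'(?:0[xX][0-9a-fA-F]+|\d+)'
# Parenthesised chain of integer literals joined only by + or -.
CONST_EXPR = re.compile(r'\(\s*(' + INT + r'(?:\s*[+-]\s*' + INT + r')+)\s*\)')
# Double-quoted string made up entirely of \xHH escapes.
HEX_STRING = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')
# Assumption taken from the sample: renamed symbols look like z + 10 hex digits.
RENAMED = re.compile(r'\bz[0-9a-f]{10}\b')

def perl_int(tok):
    """Parse an integer literal the way Perl reads it (0x hex, leading 0 octal)."""
    if tok.lower().startswith('0x'):
        return int(tok, 16)
    return int(tok, 8) if len(tok) > 1 and tok[0] == '0' else int(tok)

def fold_constant(match):
    """Sum the chain by hand; untrusted source text is never passed to eval."""
    total, sign = 0, 1
    for tok in re.findall(r'[+-]|' + INT, match.group(1)):
        if tok in ('+', '-'):
            sign = 1 if tok == '+' else -1
        else:
            total += sign * perl_int(tok)
    return '(%d)' % total  # keep the parentheses so precedence is unchanged

def decode_hex_string(match):
    """Decode \\xHH runs unless the text would need re-escaping in a Perl string."""
    text = bytes.fromhex(match.group(1).replace('\\x', '')).decode('latin-1')
    if not (text.isascii() and text.isprintable()) or any(c in '"$@\\' for c in text):
        return match.group(0)
    return '"' + text + '"'

def normalize(source):
    """Undo the two value-preserving encodings; names and comments stay lost."""
    return HEX_STRING.sub(decode_hex_string, CONST_EXPR.sub(fold_constant, source))

def renamed_identifiers(source):
    """Symbols whose original names cannot be recovered from the text."""
    return sorted(set(RENAMED.findall(source)))
```

Running `normalize(SAMPLE)` restores the literal values (4, 3 and "error:"), while `renamed_identifiers(SAMPLE)` lists the five symbols whose original names are gone.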
Why is it useful?
- If you are ashamed of code quality :-)
- If you need to give a demo of your code to a customer without fear of not being paid in full for your work
- When distributing your Perl-based product (to avoid illegal integration of your code into other projects)
- When outsourcing development of modules for a complex project to an untrusted team (giving them obfuscated code with API symbols unchanged)
Advanced features of obfuscation
- Obfuscated code is still source code - it works on all platforms where Perl is available - any version of Perl
- You can leave any 3rd-party modules unchanged (obfuscating only your code)
- You can leave public API symbol names unchanged (so that non-obfuscated code can call your obfuscated code)
- Eval can be used in the code too (after small modifications)
Features of Stunnix Perl Obfuscator
- Reliable: does not use regexps for parsing source code
- Supports code watermarking (to identify the customer who leaked the code)
- Supports encoding after obfuscation to hide the logical structure of the program (eval("eval('something')"))
- Expiration, binding to network domain
- Command-line interface, as well as cross-platform GUI interface (based on Stunnix Perl Web Server)
- Various tools to make preparing code for obfuscation easier
- Mature - over 10 years on the market.
Alternatives to obfuscation for code protection
- Usual approach: Perl is very cryptic for non-Perl programmers, so no obfuscation is necessary?
- PAR, PerlApp - aim to pack the Perl interpreter along with your code but do not hide your code; the original code is easy to get
- Perl2Exe - encrypts Perl files somehow; possibly they can be decrypted or stolen from a memory dump; no mod_perl support at all; needs building for each platform