perl2exe - no more secrets

merlyn on 2003-02-23T21:13:24

perl2exe is no way to hide your source code. Never was. Please recommend PAR instead.


Umm

belg4mit on 2003-02-23T21:49:27

I don't think any knowledgeable individual ever recommended perl2exe (or perlapp) as obfuscation. For that matter, PAR does not adequately satisfy the requirements which led many to the aforementioned "compilers". Specifically, it does not create a single distributable executable. It comes close, but it requires a pre-existing perl environment.

Re:Umm

Ovid on 2003-02-23T22:11:05

What is extremely aggravating about this is that the author credits Simon Cozens as being the source of information about the vulnerability. I was shocked. Simon Cozens should know better!

Of course he knows better. In his email to bugtraq, Simon very plainly states:

The problem is not Perl2Exe itself, which does what it's supposed to do and does it well. The problem is people's expectations of it; they think that once it's in an "executable format", their source code can't be read. They're wrong.

In my opinion, the author of the "vulnerability" warning should have made this clear. Instead, a reader with no knowledge of what is going on will be led to believe that a vulnerability in the software has been discovered when, in fact, it's merely users not understanding their tools (gah! I should be a Microsoft flack :). Further, there is a suggestion that the vendor may have been negligent as the author writes "Vendor has been notifyed a year ago..."

I think that this information should be disseminated, but it should not be spread in such a way as to give a misleading impression, which is certainly what is happening here.

Re:Umm

autrijus on 2003-04-07T06:32:30

PAR does not require a pre-existing perl environment -- all it needs is a libperl.so or Perl5x.dll, if your Perl is compiled dynamically.

Re:Umm

belg4mit on 2003-04-07T14:41:34

You are splitting hairs.

No way to hide your source code

ziggy on 2003-02-24T14:43:34

Please recommend PAR instead.

PAR is not a way to hide your source code, either. Please disabuse users of the notion that they can "hide their source code" and still run it through the Perl interpreter.

PAR is a distribution mechanism to simplify application deployment, no more, no less. (It's actually quite ingenious, but that's a side issue.) There may be plans to add cryptographic signatures or even encryption to PAR at some point in the future. Neither of these options is available now, and neither of them will provide a measure of "source code hiding" for Perl programs. PAR archives are simple ZIP files; PAR executables are an executable header prepended in front of a PAR archive. Both of these formats are trivial to "decrypt" using well known tools like unzip.

Even if PAR files were to be encrypted, it would provide about as much "protection" as perl2exe's XOR technique -- the runtime will need to decrypt the application sources using user-accessible keys. Lots more work to arrive at the same problems.

The fact remains that if you want to hide your Perl sources and run them, they need to be compiled down to C/object code. And we're not there yet with Perl5. Given the progress with the Parrot JIT, I doubt that we'll ever see a true Perl5->object code compiler with the Perl5 guts as they exist today.
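The layout ziggy describes, as an added example that is not part of the original thread: a constructed stand-in for a PAR-style executable (opaque loader bytes followed by an ordinary ZIP archive) and two checks showing that standard ZIP tooling reads straight through the prepended header. The header bytes and the embedded Perl files are constructed placeholders, not a real PAR loader or anyone's real sources.

```python
import io
import zipfile

# Constructed stand-in for the loader that PAR-style executables prepend.
# Real loaders differ; only the "header + ZIP" layout is being modelled.
FAKE_LOADER_HEADER = b"\x7fELF-LIKE-LOADER-STUB" + b"\x00" * 64

# Constructed sample application files (placeholders, not real code).
SAMPLE_SOURCES = {
    "script/hello.pl": b"#!/usr/bin/perl\nuse strict;\nprint \"business logic\\n\";\n",
    "lib/My/Module.pm": b"package My::Module;\nsub token { 'placeholder' }\n1;\n",
}


def build_par_like(header: bytes, sources: dict) -> bytes:
    """Prepend a loader header to a ZIP archive of the given files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in sources.items():
            zf.writestr(name, data)
    return header + buf.getvalue()


def find_zip_offset(blob: bytes) -> int:
    """Locate where the embedded archive starts from the ZIP
    end-of-central-directory record, the same way unzip does."""
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no ZIP end-of-central-directory record found")
    cd_size = int.from_bytes(blob[eocd + 12:eocd + 16], "little")
    cd_offset = int.from_bytes(blob[eocd + 16:eocd + 20], "little")
    # The recorded central-directory offset is relative to the archive start;
    # its distance from the real position is the length of the prepended data.
    return eocd - cd_size - cd_offset


def recover_sources(blob: bytes) -> dict:
    """Read every member of a header-prefixed archive with the stdlib
    zipfile module, which tolerates prepended data just like unzip."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}


if __name__ == "__main__":
    blob = build_par_like(FAKE_LOADER_HEADER, SAMPLE_SOURCES)
    print("archive starts at byte", find_zip_offset(blob))
    for name, data in recover_sources(blob).items():
        print("--", name)
        print(data.decode())
```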