COMMAND

Perl2Exe EXEs Can Be Decompiled

SYSTEMS AFFECTED

Perl2Exe 5.x, 6.x versions

PROBLEM

Tim Abenath [ta@domainbox.de] found:

My research heavily depends on Simon Cozens' work, which can be found at http://ddtm.simon-cozens.org/~simon/perl2exe

Since version 5.x has already been dissected, I took a look at the 6.x version. This has been tested on the latest release, Perl2Exe V6.00 for Linux (Feb 20, 2003).

Here we go: the 6.0 version stores a list of the included stuff at the end of the binary:

NAME=p2x_stub.lib;SIZE=811048;ENC=0
NAME=p2x_pre_exec_message;SIZE=0;VALUE=
NAME=p2x_trial_message;SIZE=0;VALUE=~@~@~@~@~@~@~@~@
NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl
NAME=_main.pl;SIZE=6339;ENC=1
NAME=P2X-V06.TOC;SIZE=195

The _main.pl part is what we are looking for. As perl2exe still uses BogoCrypt (known as XOR), this is gonna be simple to attack using 'known plaintext'.

We start with generating a plaintext file with the length of _main.pl; the content doesn't matter. Let's call that one sample.pl. We compile this one using ./perl2exe sample.pl and get the binary 'sample'. We can XOR the plaintext and ciphertext to get the used key.

Now it's time to start up our dirty little code:

#!/usr/bin/perl
use strict;
use warnings;

# 811048 is the size of p2x_stub.lib from the TOC; the packed members follow
# the stub, and _main.pl is the first one with a non-zero size.
my $stub_size = 811048;

my $known_plain       = `cat sample.pl`;   # the plaintext we compiled ourselves
my $known_cipher_file = "sample";          # the binary ./perl2exe produced from it

# Pull the _main.pl size out of the TOC line at the end of the binary
my $sizeline = `tail -c +$stub_size $known_cipher_file | strings | grep NAME=_main.pl`;
my @line = split /;/, $sizeline;
my @size = split /=/, $line[1];

my $known_cipher = `tail -c +$stub_size $known_cipher_file | head -c $size[1]`;

# BogoCrypt is plain XOR, so ciphertext ^ plaintext gives back the key
my $key = $known_cipher ^ $known_plain;

# Apply the recovered key to the same region of the binary under study
my $unknown_cipher = `tail -c +$stub_size perl2exe | head -c $size[1]`;
my $unknown_plain  = $unknown_cipher ^ $key;

print $unknown_plain, "\n";

The output should be redirected to a file, because there are still some binary bits in $unknown_plain.

SOLUTION

Check perl2exe [http://www.indigostar.com/]
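The cryptographic point behind the advisory is that a fixed XOR key reused across every compiled script gives no confidentiality: one plaintext/ciphertext pair of the same length unmasks the key, and with it every other payload. The following Python model is an added illustration, not the advisory's or Perl2Exe's code; the stub bytes, the key and the container layout are constructed stand-ins, and only the TOC line format (NAME=...;SIZE=...;ENC=...) and the member ordering follow the advisory.

```python
STUB = b"\x7fELF" + b"\x00" * 60   # constructed stand-in for the p2x_stub.lib bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter; this is all 'BogoCrypt' does."""
    return bytes(x ^ y for x, y in zip(a, b))


def build_container(main_pl: bytes, key: bytes) -> bytes:
    """Constructed model of a perl2exe 6.x binary: stub, XOR-ed script, trailing TOC."""
    toc = (b"NAME=p2x_stub.lib;SIZE=%d;ENC=0\n" % len(STUB)
           + b"NAME=p2x_exec_command;SIZE=0;VALUE=_main.pl\n"
           + b"NAME=_main.pl;SIZE=%d;ENC=1\n" % len(main_pl))
    return STUB + xor_bytes(main_pl, key) + toc   # the real TOC also lists its own size


def parse_toc(blob: bytes) -> list:
    """Return (name, size, encrypted) per TOC entry; the TOC starts at the stub entry."""
    toc = blob[blob.rindex(b"NAME=p2x_stub.lib"):]
    entries = []
    for line in toc.decode("latin-1").splitlines():
        fields = dict(part.split("=", 1) for part in line.split(";") if "=" in part)
        entries.append((fields["NAME"], int(fields.get("SIZE", 0)), fields.get("ENC") == "1"))
    return entries


def extract(blob: bytes, name: str) -> bytes:
    """Raw bytes of one member: members sit back to back in TOC order after offset 0."""
    offset = 0
    for entry_name, size, _encrypted in parse_toc(blob):
        if entry_name == name:
            return blob[offset:offset + size]
        offset += size
    raise KeyError(name)


def recover_main_pl(target: bytes, sample: bytes, sample_plain: bytes) -> bytes:
    """Known-plaintext recovery: key = C_sample ^ P_sample, then P_target = C_target ^ key.
    This works only because the same fixed key is applied to every compiled script."""
    key = xor_bytes(extract(sample, "_main.pl"), sample_plain)
    return xor_bytes(extract(target, "_main.pl"), key)


if __name__ == "__main__":
    KEY = bytes(range(1, 65))                    # constructed key; never needs to be known
    secret = b'print "hello from the packed script\\n";\n'
    sample_plain = b"A" * len(secret)            # any content of the same length will do
    target = build_container(secret, KEY)        # stands in for the binary under study
    sample = build_container(sample_plain, KEY)  # stands in for the ./perl2exe sample.pl output
    print(recover_main_pl(target, sample, sample_plain).decode())
```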