Some thoughts on Perl2exe's security model
By its nature, perl2exe is nothing more than a packager. It can be very helpful because everything you need to run a specific script is packed into one compact executable: it figures out which libraries and other custom files the script needs and packs them into a single executable, whether for Windows or for a *nix-based distribution. The program also encrypts the files, so there is no way to get at them by direct disassembly, but there are numerous attack vectors, ranging from dumping the Perl interpreter's memory while the packed script is executing to simply tricking the program into thinking that .pl files are resource files that need to be dumped on the local hard disk.
I'm going to focus on the last attack vector: dumping the decrypted files. Basically, the final exe (crammed with the main script plus any additional custom libraries and resources, JPEGs etc.) dumps those resource files to disk so that they are easily accessible to the Perl script. It dumps the files into its temp directory, which on Linux is /tmp/p2xtmp-$pid (this can be seen by running strace on a packed script):
getpid() = 16051
malloc(103) = 0x812f6c0
strcpy(0x812f6c0, "/tmp") = 0x812f6c0
strcat("/tmp", "/") = "/tmp/"
sprintf("p2xtmp-16051", "p2xtmp-%d", 16051) = 12
strcpy(0x8121fe0, "/tmp/p2xtmp-16051") = 0x8121fe0
The list of files that are dumped to the local hard drive can be seen when the program is disassembled or traced with strace; this is illustrated on the following webpage: http://fileoffset.com/papers/perl2exe.htm
Here is the list, taken from a strace log:
strstr("p2x_stub.lib", ".dll") = NULL
strstr("p2x_stub.lib", ".dll") = NULL
strstr("p2x_stub.lib", ".pll") = NULL
strstr("p2x_stub.lib", ".so") = NULL
strstr("p2x_stub.lib", ".o") = NULL
strstr("p2x_stub.lib", ".sl") = NULL
strstr("p2x_stub.lib", ".bundle") = NULL
strstr("p2x_stub.lib", ".bmp") = NULL
strstr("p2x_stub.lib", ".gif") = NULL
strstr("p2x_stub.lib", ".jpg") = NULL
strstr("p2x_stub.lib", ".zip") = NULL
strstr("p2x_stub.lib", ".txt") = NULL
strstr("p2x_stub.lib", ".ico") = NULL
strstr("p2x_stub.lib", ".png") = NULL
strstr("p2x_stub.lib", ".ini") = NULL
strstr("p2x_stub.lib", ".exe") = NULL
strstr("p2x_stub.lib", ".xbm") = NULL
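To make a trace like the one above easier to audit, here is an added example (not part of the original post, and not perl2exe's own code) in Python. It parses library-call trace lines of the form shown on this page and summarises what the packed binary does at start-up: the temp directory it creates and, in order of first appearance, the set of extensions it treats as dumpable resources. It also exposes a small check, script_exposed, that someone shipping perl2exe-built binaries can run against a trace of their own build to confirm that .pl and .pm are not in the dump list (they should never be there unless the binary has been altered). The sample log text is constructed from the lines quoted above; the class and function names are my own, and the /tmp/p2xtmp- prefix is the one the post reports.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: a subset of the trace lines quoted in the post above.
SAMPLE_TRACE = """\
getpid() = 16051
malloc(103) = 0x812f6c0
strcpy(0x812f6c0, "/tmp") = 0x812f6c0
strcat("/tmp", "/") = "/tmp/"
sprintf("p2xtmp-16051", "p2xtmp-%d", 16051) = 12
strcpy(0x8121fe0, "/tmp/p2xtmp-16051") = 0x8121fe0
strstr("p2x_stub.lib", ".dll") = NULL
strstr("p2x_stub.lib", ".so") = NULL
strstr("p2x_stub.lib", ".jpg") = NULL
strstr("p2x_stub.lib", ".txt") = NULL
strstr("p2x_stub.lib", ".so") = NULL
"""

# Temp-directory prefix reported in the post (hypothetical that it never changes).
TEMP_PREFIX = "/tmp/p2xtmp-"
# Extensions that must never appear in the resource-dump list of an unmodified build.
SCRIPT_EXTS = {".pl", ".pm"}

# One trace line: func(args) = retval
CALL_RE = re.compile(r'^(?P<func>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$')
# Double-quoted string arguments, honouring backslash escapes.
STR_ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class DumpProfile:
    """What the trace reveals about the packer's on-disk behaviour."""
    temp_dir: Optional[str] = None
    extensions: List[str] = field(default_factory=list)   # order of first probe
    probed_names: Set[str] = field(default_factory=set)   # names tested with strstr


def parse_call(line: str) -> Optional[Tuple[str, List[str], str]]:
    """Split one trace line into (function, string arguments, return value)."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    return m.group("func"), STR_ARG_RE.findall(m.group("args")), m.group("ret").strip()


def profile_dumps(log_text: str) -> DumpProfile:
    """Walk a trace and collect the temp directory and the resource extension list."""
    prof = DumpProfile()
    seen: Set[str] = set()
    for line in log_text.splitlines():
        parsed = parse_call(line)
        if parsed is None:
            continue
        func, strargs, _ret = parsed
        # The fully built path is copied into a buffer once; that copy is the temp dir.
        if func == "strcpy" and strargs and strargs[-1].startswith(TEMP_PREFIX):
            prof.temp_dir = strargs[-1]
        # Each strstr(name, ext) probe is one entry of the packer's extension table.
        elif func == "strstr" and len(strargs) == 2:
            name, ext = strargs
            prof.probed_names.add(name)
            if ext not in seen:
                seen.add(ext)
                prof.extensions.append(ext)
    return prof


def script_exposed(prof: DumpProfile) -> bool:
    """True if the dump table would write Perl source to disk in the clear."""
    return any(ext in SCRIPT_EXTS for ext in prof.extensions)


if __name__ == "__main__":
    p = profile_dumps(SAMPLE_TRACE)
    print("temp dir:", p.temp_dir)
    print("dumpable extensions:", p.extensions)
    print("script source would be dumped:", script_exposed(p))
```

Feeding it a full trace of a freshly built binary gives a baseline; re-running it on a trace of a binary pulled from a customer machine and comparing the two extension lists is a cheap way to notice that the string table has been edited.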
The main difference between the Windows and the Linux version of the produced executables is that on Windows you have an additional DLL file that contains the dump code (as seen on the aforementioned site), whereas on Linux this code is in the final ELF itself. Knowing this, we can easily deduce that if we change some of those extensions to .pl, we'll get the Perl script dumped on our hard drive in unencrypted form. And this is a piece of cake: just start your favourite hex editor, search for .so (for example), change it to .pl and save the executable. Now start the program from gdb and set a breakpoint somewhere near the end of the program. Et voilà: you'll have your Perl file on your hard disk in no time, with no need to tamper with the encryption algorithm or attack encryption keys and the like.
I'd like to thank the following people:
fileoffset from the openrce.org forum, for taking the time to research how perl2exe operates on Windows and writing a wonderful article on the subject: http://fileoffset.com/papers/perl2exe.htm
Paid0, for trying some crazy stuff that actually worked: he came up with the idea of just hex-editing the file; otherwise I'd have been playing hide and seek with the dump instruction for ages.
This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 2.5 Bulgaria License.
PS. Ahat - Chernata Ovca.mp3
Thursday, January 17, 2008
mini-HOWTO: Dumping perl2exe's packed perl scripts