|Keep It Simple, Stupid|
Re^3: Code hiding in Perlby afoken (Canon)
|on Jun 26, 2015 at 09:33 UTC||Need Help??|
The encryption is done through custom C executable and the execution of encrypted binary code can only be done through another C executable (dummy Perl interpreter) and it does in-memory execution like this.
It was explained a thousand times or more, but once more for you:
Perl is designed to evaluate unencrypted source code, so at some point, you have to decrypt the encrypted code. Alternatively, you can feed perl a prepared parse tree, in unencrypted form. Again, you have to decrypt the encrypted tree before passing it to perl. B::Deparse can reconstruct perl source code from the tree, so you gain exactly nothing from using a tree.
Both ways, you have to decrypt the encrypted data, so your executable must contain the decryption algorithm and the required decryption key. Both can be exctracted from the executable to create an independant decryption tool. Or, as I explained above, one can simply stop the execution of the program at the point where the decrypted data is passed to perl API functions. That's usually much less work.
And there is NO WAY to prevent that.
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)