Beefy Boxes and Bandwidth Generously Provided by pair Networks
Your skill will accomplish
what the force of many cannot

Source Filters

by lanval (Novice)
on Apr 28, 2004 at 03:13 UTC ( #348702=perlquestion: print w/replies, xml ) Need Help??
lanval has asked for the wisdom of the Perl Monks concerning the following question:

I'm looking for a recommendation regarding source filters.
My requirements in order of importance are as follows:
  1. My aim in using a source filter is to make my code very unreadable and not easily reversed.
  2. I don't want to write one myself.
  3. I want a filter with one of the highest degrees of "encryption" available.
  4. I want an approximate 1:1 ratio between original source and "encrypted" source. (I realise this might not be feasible, what I mean is I don't want my 20KB script turning into a 5MB script)
I am having some serious problems finding anything that fits my needs on CPAN (... or many source filters at ALL.)
Can anyone please suggest a decent source filter?
Thanks for your help,

Update: I am not looking for a discussion on why I shouldn't use source filters. I am looking for a source filter. If the only source filters you know don't fulfil my requirements (as they most likely won't), perhaps suggest one that is close to something like what I want. I am aware of the problems with using source filters, and I still want to go ahead and test one out. It is in combination with several other encryption techniques if you were interested.

Replies are listed 'Best First'.
Re: Source Filters
by diotalevi (Canon) on Apr 28, 2004 at 04:19 UTC
    See Re: Here is a commercial obfuscator. That's the right idea anyway. Remove the rest of the whitespace to taste. What you *don't* want to do is use a source filter since nothing parses perl except the interpreter. You could look at some of the other examples in Acme:: like Acme::Bleach or Acme::Buffy.
Re: Source Filters
by lanval (Novice) on Apr 28, 2004 at 06:53 UTC
    A stream of consciousness follows...

    Management's requirements are funny.

    Sometimes you get ordered to do things that don't make sense to programmers, but make some sense in the real world.

    (There appears to be quite a lack of suitable Filter:: modules. Obfuscators are often only commercially available, as mentioned previously in this thread.)

    Obfuscating/filtering/compiling perl is an oft breached topic. Lots of programmers get offended by the suggestion, but here I am having to implement it somehow for work.

    The source needs to be "de-filtered" at some stage (unless we're using obfuscation), so using a source filter written in Perl doesn't seem to be the answer because it would need to be delivered with our product - meaning that the filter itself could easily be viewed by "potential bad-guys", and in turn reverse engineered. Maybe I need a filter written in C - but is even rarer to find (and harder to code myself.) So should I write a black box encoder/decoder in C? ... Should I perlcc the filter? ... Why wouldn't I just perlcc the original script instead?! ... So many lame, half-baked solutions!

    The only thing that makes management's idea kind of make sense is this: if someone would really go to the trouble of (unobfuscating|reading from memory dumps|insert technique here) my code... then they are most likely talented enough to have written my code in the first place! (Seeing as this project is not that hard)

    I guess I have two points for anyone interested in this thread:
    1. Apparently in the real world, a certain degree of obfuscation (especially chained with other techniques) makes it a bit harder for people to crack AND MOST IMPORTANTLY keeps your pay cheques coming through.
    2. You won't find good filters/obfuscators for free very easily.
    Thanks for your help on such a brain-dead exercise. Now I'm off to prepare a mish-mash of solutions for review.

      I don't have much to add to your actual question, but there is something I'd like to bring up. This should have been your original post. What you originally asked -- including your followup "clarification" -- sounds suspiciously like a request that someone do all your work for you. To me, the reaction shows other monks thought the same way. Your Stream of Consciousness node, in contrast, makes it clear that you've put some thought and effort toward the goal, and are just looking for any further ideas. If you'd put this much effort into the OP, I believe you would have received a much better response. Sorry for the meta-discussion, but I thought it might be helpful to hear someone else's take on the situation.

Re: Source Filters
by davido (Archbishop) on Apr 28, 2004 at 03:31 UTC
    Have a look at perlfaq3. This question has been asked a few times. The topic in perlfac3 that you want to look for is, "How can I hide the source for my Perl program?"

    You can also read a pretty good discussion on the topic right here at the Monastery: Why is it bad to hide the source?.


      Yes I have read perlfaq3 already. Yes I have read perlfilter. I am totally aware that I will not be able to completely hide my source. I have read and understood that "All decryption filters work on the principle of security through obscurity." However I am NOT asking for a recommendation on WHETHER to use one. I am asking for a pointer to a decent source filter. Do you know of one?
      Update: Made this clear in original question, plus this was antagonistic, quite sorry :(
Re: Source Filters
by Aragorn (Curate) on Apr 28, 2004 at 08:01 UTC
    What I've seen regularly is that when commercial (as in, to sell for profit) products are being implemented in Perl, then the Perl community should come up with some magic for free. Disregarding the discussion about the pros and cons of obfuscating the source, I think that's a pretty lame attitude. You have quite a wishlist, and I think the second one (I don't want to write one myself) is offensive. Perlmonks (IMO) is about people who try to help themselves, and not a "Do my assignment for me, for free" forum.

    Apparently, you don't want to do what management asked of you. There some things that you can do:

    • Let management hire someone to do this assignment
    • Convince management to spend some money on a commercial obfuscator. After all, they expect to make money on the product, and often, you have to invest some money before you can reap the benefits. They probably already saved a lot of money by using Perl and CPAN
    The one thing you shouldn't do is to ask for a free solution to a problem which you don't want to solve yourself, and is highly controversial anyway.


Re: Source Filters
by duff (Vicar) on Apr 28, 2004 at 05:06 UTC
    I know you said you don't want to write one, but it seems to me that it would be "easy" to write one that uses a PGP key to encrypt the meat of the code such that someone running the program would need to know and enter that same key to run the main program.

    In any case you might want to try "perl source encryption" or something at a google near you if you aren't finding what you want on CPAN.

Re: Source Filters
by eserte (Deacon) on Apr 28, 2004 at 08:27 UTC
Re: Source Filters
by lanval (Novice) on Apr 28, 2004 at 23:58 UTC
    Firstly, I've solved my problem (to the required extent). I will be using a facility of our main product to encrypt the script, then when it needs to be run, decrypt it and pipe it directly through to a perl instance. Some might contend (with good cause) that there is a problem with our main product's automated encryption black box (think: `strings mainproduct` for a start) but that issue is... well... not my problem (you need to know where to stop, sometimes!) This solution is an adequate amount of obscurity for our purpose.

    Secondly, in reply to this and this, I think you make a good point. I should have asked my question differently and not expected to find a solution already out there that I could just take. Sorry to offend! My mistake :)
Re: Source Filters
by dug (Chaplain) on Apr 28, 2004 at 04:14 UTC
    I wrote an unbreakable source dis-combobulator that you may want to try:

    package SuperDuperObfuscated; use warnings; use strict; use Filter::Simple; FILTER { s///; # don't do jack } 1;

    -- Douglas

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://348702]
Approved by coec
[stevieb]: the top-level Raspberry Pi distribution, that sucks in all sub modules. All of this software have imminent updated releases coming
[choroba]: Integration testing

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (5)
As of 2017-06-25 23:22 GMT
Find Nodes?
    Voting Booth?
    How many monitors do you use while coding?

    Results (572 votes). Check out past polls.