PerlMonks  

Is there a script somewhere to de-obfuscate code?

by nashr (Novice)
on Mar 26, 2005 at 18:46 UTC [id://442534]

nashr has asked for the wisdom of the Perl Monks concerning the following question:

I've encountered several small scripts that are obfuscated. I want to know more about what they're doing so I can rewrite something similar. Part of the code looks like this: $A36l105l112l32l61l32l36l69l78l86l123l39l82l69l77l79l84l6 And it goes on and on. How would I go about trying to decode or de-obfuscate this code? Any help would be greatly appreciated.

Re: Is there a script somewhere to de-obfuscate code?
by cog (Parson) on Mar 26, 2005 at 18:52 UTC
    Well it ain't easy...

    One thing you can try is to use Perl::Tidy on it, but that might not solve the problem, partly because the only thing that's able to parse Perl is perl itself (meaning that Perl::Tidy itself sometimes fails) and partly because even if it works, it doesn't do everything... but it might be a good start...

    And then you'll have to break it down in chunks and try to understand the flow of the code... it surely helps if you already have an idea of what it does...

    Regarding the code you're posting, it seems just like a variable name...

    Anyway, how did it get to the point that you're left with obfuscated scripts? It seems somebody didn't do his(her) job properly... that's no way to work...

      The code I'm looking at right now is a counter to track the number of users currently on a website. I downloaded it from a website, but they clearly state that it connects back to them. I'd rather learn from this code to rewrite my own counter for this purpose, but the code is a single string of obfuscated code.
      $A36l105l112l32l61l32l36l69l78l86l123l39l82l69l77l79l84l69l95l65l68l68l82l39l125l59l36l116l105l109l101l32l61l32l116l105l109l101l59l36l102l111l117l110l100l32l61l32l48l59l36l117l115l101l114l115l32l61l32l48l59l64l112l97l105l114l115l32l61l32l115l112l108l10=q#36l105l112l32l61l32l36l69l78l86l123l39l82l69l77l79l84l69l95l65l68l68l82l39l125l59l36l116l105l109l101l32l61l32l116l105l109l101l59l36l102l111l117l110l100l32l61l32l48l59l36l117l115l101l114l115l32l61l32l48l59l64l112l97l105l114l115l32l61l32l115l112l108l105l116l40l47l38l47l44l32l36l69l78l86l123l34l81l85l69l82l89l95l83l84l82l73l78l71l34l125l41l59l102l111l114l101l97l99l104l32l36l112l97l105l114l32l40l64l112l97l105l114l115l41l32l123l40l36l110l97l109l101l44l32l36l118l97l108l117l101l41l32l61l32l115l112l108l105l116l40l47l61l47l44l32l36l112l97l105l114l41l59l36l118l97l108l117l101l32l61l126l32l116l114l47l43l47l32l47l59l36l118l97l108l117l101l32l61l126l32l115l47l37l40l91l97l45l102l65l45l70l48l45l57l93l91l97l45l102l65l45l70l48l45l57l93l41l47l112l97l99l107l40l34l67l34l44l32l104l101l120l40l36l49l41l41l47l101l103l59l99l104l111l109l112l40l36l118l97l108l117l101l41l59l36l81l85l69l82l89l123l36l110l97l109l101l125l32l61l32l36l118l97l108l117l101l59l125l105l102l32l40l33l32l40l45l102l32l34l100l97l116l97l47l117l115l101l114l115l46l116l120l116l34l41l41l32l123l111l112l101l110l32l40l67l82l69l65l84l69l44l32l34l62l100l97l116l97l47l117l115l101l114l115l46l116l120l116l34l41l59l99l108l111l115l101l32l67l82l69l65l84l69l59l99l104l109l111l100l40l48l54l54l54l44l32l34l100l97l116l97l47l117l115l101l114l115l46l116l120l116l34l41l59l125l111l112l101l110l32l70l73l76l69l44l34l43l60l100l97l116l97l47l117l115l101l114l115l46l116l120l116l34l59l38l108l111l99l107l40l70l73l76l69l41l59l64l117l115l101l114l115l32l61l32l60l70l73l76l69l62l59l99l104l111l109l112l40l64l117l115l101l114l115l41l59l115l101l101l107l40l70l73l76l69l44l48l44l48l41l59l116l114l117l110l99l97l116l101l40l70l73l76l69l44l48l41l59l102l111l114l101l97l99l104l32l36l108l105l110l101l32l40l64l117l115l101l114l115l41l32l123l40l36l115l97l118l101l100l105l112l44l36l115l97l118l101l100l116l105l109l101l41l32l61l32l115l112l108l105l116l47l92l124l47l44l36l108l105l110l101l59l105l102l32l40l36l115l97l118l101l100l105l112l32l101l113l32l36l105l112l41l32l123l36l115l97l118l101l100l116l105l109l101l32l61l32l36l116l105l109l101l59l36l102l111l117l110l100l32l61l32l49l59l125l105l102l32l40l36l116l105l109l101l32l60l32l36l115l97l118l101l100l116l105l109l101l32l43l32l40l36l109l105l110l117l116l101l115l32l42l32l54l48l41l41l32l123l112l114l105l110l116l32l70l73l76l69l32l34l36l115l97l118l101l100l105l112l124l36l115l97l118l101l100l116l105l109l101l92l110l34l59l9l36l117l115l101l114l115l32l61l32l36l117l115l101l114l115l32l43l32l49l59l125l125l105l102l32l40l36l102l111l117l110l100l32l61l61l32l48l41l32l123l112l114l105l110l116l32l70l73l76l69l32l34l36l105l112l124l36l116l105l109l101l92l110l34l59l36l117l115l101l114l115l32l61l32l36l117l115l101l114l115l32l43l32l49l59l125l99l108l111l115l101l32l40l70l73l76l69l41l59l36l99l111l100l101l32l61l32l34l60l97l32l104l114l101l102l61l92l34l104l116l116l112l58l47l47l119l119l119l46l112l101l114l108l111l110l108l105l110l101l46l99l111l109l92l34l32l115l116l121l108l101l61l92l34l36l115l116l121l108l101l92l34l62l36l117l115l101l114l115l60l47l97l62l34l59l105l102l32l40l36l81l85l69l82l89l123l39l111l117l116l112l117l116l39l125l32l101l113l32l34l106l97l118l97l115l99l114l105l112l116l34l32l111l114l32l36l111l117l116l112l117l116l32l101l113l32l34l106l97l118l97l115l99l114l105l112l116l34l41l32l123l112l114l105l110l116l32l34l67l111l110l116l101l110l116l45l116l121l112l101l58l32l116l101l120l116l47l104l116l109l108l92l110l92l110l34l59l36l99l111l100l101l32l61l126l32l115l47l92l39l47l92l92l92l39l47l105l103l59l36l99l111l100l101l32l61l126l32l115l47l92l34l47l92l92l92l34l47l105l103l59l112l114l105l110l116l32l34l100l111l99l117l109l101l110l116l46l119l114l105l116l101l40l92l34l36l99l111l100l101l92l34l41l59l34l59l101l120l105l116l59l125l101l108l115l101l123l112l114l105l110l116l32l34l67l111l110l116l101l110l116l45l116l121l112l101l58l32l116l101l120l116l47l104l116l109l108l92l110l92l110l34l59l112l114l105l110l116l32l34l36l99l111l100l101l34l59l101l120l105l116l59l125l115l117l98l32l108l111l99l107l123l109l121l32l36l108l111l99l107l32l61l32l48l59l119l104l105l108l101l32l40l36l108l111l99l107l32l60l32l53l41l32l9l123l105l102l32l40l102l108l111l99l107l40l64l95l91l48l93l44l32l50l41l41l32l123l114l101l116l117l114l110l32l48l59l125l115l108l101l101l112l32l40l49l41l59l36l108l111l99l107l43l43l59l125l101l120l105l116l59l125l#;eval(pack('C*',split('\D',$A36l105l112l32l61l32l36l69l78l86l123l39l82l69l77l79l84l69l95l65l68l68l82l39l125l59l36l116l105l109l101l32l61l32l116l105l109l101l59l36l102l111l117l110l100l32l61l32l48l59l36l117l115l101l114l115l32l61l32l48l59l64l112l97l105l114l115l32l61l32l115l112l108l10)));
      It's a single long string. The full code can be obtained at http://www.perlonline.com/usersonline/index.htm . This script is provided for free, so I don't think it's wrong to try and write new code based on this; I just can't read it. :)

      20050527 Edit by ysth: use code paragraph, not inline.

        It's pretty simple, actually...

        First, they use a *very long* variable name, which is the $A36l stuff.

        Then they put their code, packed, inside that variable.

        Afterwards, they eval their unpacked code.

        Simply replace the eval statement with a print and you'll get their code out, which looks like this:

        $ip    = $ENV{'REMOTE_ADDR'};
        $time  = time;
        $found = 0;
        $users = 0;
        @pairs = split( /&/, $ENV{"QUERY_STRING"} );
        foreach $pair (@pairs) {
            ( $name, $value ) = split( /=/, $pair );
            $value =~ tr/+/ /;
            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
            chomp($value);
            $QUERY{$name} = $value;
        }
        if ( !( -f "data/users.txt" ) ) {
            open( CREATE, ">data/users.txt" );
            close CREATE;
            chmod( 0666, "data/users.txt" );
        }
        open FILE, "+<data/users.txt";
        &lock(FILE);
        @users = <FILE>;
        chomp(@users);
        seek( FILE, 0, 0 );
        truncate( FILE, 0 );
        foreach $line (@users) {
            ( $savedip, $savedtime ) = split /\|/, $line;
            if ( $savedip eq $ip ) {
                $savedtime = $time;
                $found     = 1;
            }
            if ( $time < $savedtime + ( $minutes * 60 ) ) {
                print FILE "$savedip|$savedtime\n";
                $users = $users + 1;
            }
        }
        if ( $found == 0 ) {
            print FILE "$ip|$time\n";
            $users = $users + 1;
        }
        close(FILE);
        $code = "<a href=\"http://www.perlonline.com\" style=\"$style\">$users</a>";
        if ( $QUERY{'output'} eq "javascript" or $output eq "javascript" ) {
            print "Content-type: text/html\n\n";
            $code =~ s/\'/\\\'/ig;
            $code =~ s/\"/\\\"/ig;
            print "document.write(\"$code\");";
            exit;
        }
        else {
            print "Content-type: text/html\n\n";
            print "$code";
            exit;
        }

        sub lock {
            my $lock = 0;
            while ( $lock < 5 ) {
                if ( flock( @_[0], 2 ) ) { return 0; }
                sleep(1);
                $lock++;
            }
            exit;
        }

        Simply run perltidy on that code and you'll be able to see, clearly, everything that is going on.

Re: Is there a script somewhere to de-obfuscate code?
by ambs (Pilgrim) on Mar 26, 2005 at 19:15 UTC
    Although cog says that if you can de-obfuscate, then the code is not properly obfuscated, I wouldn't say that. In the extreme, you can always ask perl to compile and dump the pseudo compiled code which should be... easy to read.

    In the little experience I've had de-obfuscating code, I went step by step. Take a line, start trying to understand it. Try to find delimiters. Copy and paste small sections and try to compile them with perl, and see the result.

    This can all be fun, but be careful. There is malicious obfuscated code out there. Just take care whenever you use Perl to interpret a piece of code you don't understand.

    Alberto Simões
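As an added example, not code from this thread or from the perlonline script, the Perl below does what cog describes (replacing the eval with a print) without ever handing the payload to perl, which is the point of ambs's warning: it pulls the q#...# payload out of the source text and unpacks it statically, and it keeps peeling as long as the result has the same eval(pack(...)) shape, which goes a step beyond the single layer shown above. The helper names decode_layer and decode_all and the embedded sample are my own constructions; the sample follows the structure of the posted script and decodes to a one-line print.

```perl
#!/usr/bin/perl
# Added example: statically decode the  eval(pack('C*', split('\D', $var)))  layer
# used by the posted counter script. Helper names are my own, not the thread's.
use strict;
use warnings;

# Constructed sample with the same shape as the posted script: a long
# digit-and-'l' variable name, the payload in q#...#, and an eval of the
# unpacked payload. It decodes to:  print "hi\n";
my $sample = q{$A112l114l105l110l116l32=q#112l114l105l110l116l32l34l104l105l92l110l34l59#;eval(pack('C*',split('\D',$A112l114l105l110l116l32)));};

# Pull the q#...# payload out of the source and turn the digit list back into
# characters, exactly as pack('C*', ...) would inside the eval. Splitting on runs
# of non-digits (\D+) also copes with separators longer than one character.
sub decode_layer {
    my ($src) = @_;
    my ($payload) = $src =~ /=q#([^#]*)#/ or return undef;
    return pack('C*', split /\D+/, $payload);
}

# Peel as many layers as are present: keep decoding while the result still
# looks like another eval(pack(...)) wrapper. Nothing decoded is executed.
sub decode_all {
    my ($src) = @_;
    my @layers;
    while (defined(my $next = decode_layer($src))) {
        push @layers, $next;
        $src = $next;
        last if $src !~ /eval\s*\(\s*pack\s*\(/;
    }
    return @layers;
}

my @plain = decode_all($sample);
print "layer $_: $plain[$_ - 1]\n" for 1 .. @plain;
```

Feed a real script in through a file read instead of the embedded sample; the decoded text can then be run through perltidy, or through perl -MO=Deparse,-p for parenthesised structure, as the replies above suggest, which still does not execute it.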

Re: Is there a script somewhere to de-obfuscate code?
by Corion (Patriarch) on Mar 27, 2005 at 03:06 UTC

    The computer cannot really guess sensible variable names for your program, and most automated obfuscation techniques replace the variable names with gibberish names. diotalevi wrote B::Deobfuscate, which will help you to deobfuscate any Perl code.

      B::Deobfuscate is a backend module for the Perl compiler that generates perl source code, based on the internal compiled structure that perl itself creates after parsing a program. It adds symbol renaming functions to the B::Deparse module. An obfuscated program is already parsed and interpreted correctly by the B::Deparse program. Unfortunately, if the obfuscation involved variable renaming then the resulting program also has obfuscated symbols.

      B::Deobfuscate takes the last step and fixes names like $z5223ed336 to be a word from a dictionary. While the name still isn't meaningful it is at least easier to distinguish and read. Here are two examples: one from B::Deparse and one from B::Deobfuscate.

      Initial input

      if(@z6a703c020a){(my($z5a5fa8125d,$zcc158ad3e0)=File::Temp::tempfile('UNLINK',1));print($z5a5fa8125d "=over 8\n\n");(print($z5a5fa8125d @z6a703c020a)or die(((("Can't print $zcc158ad3e0: $!")))));print($z5a5fa8125d "=back\n");(close(*$z5a5fa8125d)or die(((("Can't close ".*$za5fa8125d.": $!")))));(@z8374cc586e=$zcc158ad3e0);($z9e5935eea4=1);}

      After B::Deparse:

      if (@z6a703c020a) { (my($z5a5fa8125d, $zcc158ad3e0) = File::Temp::tempfile('UNLINK', 1)); print($z5a5fa8125d "=over 8\n\n"); (print($z5a5fa8125d @z6a703c020a) or die((((q[Can't print ] . $zcc158ad3e0) . ': ') . $!))); print($z5a5fa8125d "=back\n"); (close(*$z5a5fa8125d) or die((((q[Can't close ] . *$za5fa8125d) . ': ' . $!))); (@z8374cc586e = $zcc158ad3e0); ($z9e5935eea4 = 1); }

      After B::Deobfuscate:

      if (@parenthesises) { (my($scrupulousity, $postprocesser) = File::Temp::tempfile('UNLINK', 1)); print($scrupulousity "=over 8\n\n"); (print($scrupulousity @parenthesises) or die((((q[Can't print ] . $postprocesser) . ': ') . $!))); print($scrupulousity "=back\n"); (close(*$scrupulousity) or die((((q[Can't close ] . *$postprocesser) . ': ') . $!))); (@interruptable = $postprocesser); ($propagandaist = 1); }

      You’ll note that the only real difference is that instead of variable names like $z9e5935eea4 you get $propagandist.

      Future versions of this will also add in some guessed types of variables so you'll get some Hungarian notation out too for filehandles, strings, numbers, etc.
