PerlMonks

bleach question

by roadtest (Sexton)
on Sep 24, 2014 at 19:56 UTC (node #1101852, perlquestion)

roadtest has asked for the wisdom of the Perl Monks concerning the following question:

Hello,

I am maintaining an old system with some monitoring scripts written in Perl. The fun part is that all these scripts are encoded and I could not read them to figure out why they failed from time to time. Here is the script text and the hexadecimal header. After several hours of Google searching, I understand these are bleached scripts, and people say it is useless to hide source this way and that it is easy to decode. I tried unbleach.pl and it says the script is not bleached. I wonder whether it is possible to decode this script. It need not be accurate or runnable; I just want to know what it is checking and how. Thanks for any suggestions!

    #!/usr/bin/perl
    $_=<<'';y;\r\n;;d;$_=pack'b*',$_;$_=eval;$@&&die$@;$_

    root# od -cx check_services
    0000000   #   !   /   u   s   r   /   b   i   n   /   p   e   r   l  \n
             2123 752f 7273 622f 6e69 702f 7265 0a6c
    0000020   $   _   =   <   <   '   '   ;   y   ;   \   r   \   n   ;   ;
             5f24 3c3d 273c 3b27 3b79 725c 6e5c 3b3b
    0000040   d   ;   $   _   =   p   a   c   k   '   b   *   '   ,   $   _
             3b64 5f24 703d 6361 276b 2a62 2c27 5f24
    0000060   ;   $   _   =   e   v   a   l   ;   $   @   &   &   d   i   e
             243b 3d5f 7665 6c61 243b 2640 6426 6569
    0000100   $   @   ;   $   _  \n  \t  \t  \t  \t  \n
             4024 243b 0a5f 0909 2020 0920 2020 0a09
    0000120  \t  \t  \t  \n  \t  \t  \t
             2020 2020 2009 0920 0a09 0909 0920 2020
    0000140  \t  \t  \n  \t  \t  \t  \t  \t  \n  \t  \t
             2009 0a09 0920 0909 0920 2009 0a20 0909
    0000160  \t  \t  \t  \n  \t  \t  \t  \t  \t  \t
             2009 0920 2020 0a09 0909 0920 0909 2009
    0000200  \t  \n  \t  \t  \t  \n  \t
             0a09 2020 0920 2020 0920 0a09 0920 2020
    0000220  \t  \t  \t  \n  \t  \t  \t  \t  \t  \t  \n
             2009 0909 0a20 0920 0909 0920 2009 0a09
    0000240  \t  \t  \t  \t  \n  \t  \t  \t
             0909 2009 2009 2020 0a20 2020 0909 2009

Re: bleach question
by no_slogan (Deacon) on Sep 25, 2014 at 06:22 UTC

    Replace the visible line of code with:

    $_=<<''; tr/\r\n//d; $_=pack'b*',$_; print;

    Then it'll print out the obfuscated code instead of executing it.

      Thank you very much no_slogan! You hit the nail right on the head. So this is a packed script; when the pack function is run twice, it will revert back to regular ASCII code. Really appreciate your suggestions!! Cheers!
Re: bleach question
by RonW (Parson) on Sep 24, 2014 at 23:59 UTC
      Thanks RonW for your suggestions. Deparse doesn't show me any extra information other than some standard output messages. I can dtrace the script to find out which directories/files it is checking.
Re: bleach question
by roadtest (Sexton) on Sep 24, 2014 at 21:17 UTC
    Additional information. A bleached script should have a header like: === use Acme::Bleach; === instead of === $_=<<'';y;\r\n;;d;$_=pack'b*',$_;$_=eval;$@&&die$@;$_ === So this might not be a bleach script. More study needed.

    Btw, I don't know the script author. He/she might have hidden contact information inside the script. :-)

      code to decode script .... Btw, I don't know the script author. He/she might have hidden contact information inside the script. :-)

      Funny :)

Re: bleach question (contact author)
by Anonymous Monk on Sep 24, 2014 at 20:26 UTC

    I am maintaining an old system ... I tried unbleach.pl ....is possible to decode this script

    You should contact the original author/developer, and get them to undo it.

    Why do I say this? Because you couldn't figure it out yourself, even with the help of the internet -- sad but true.

      To elaborate, you said: I understand these are the bleached scripts and people say it is useless to hide source in such way and mention it is easy to decode it

      It is exactly for this reason that you should ask the author -- it is so easy to decode it (practically fizz/buzz) that if you can't figure it out yourself, even with the help of the internet, you really shouldn't be touching the source code :)

Re: bleach question
by Lotus1 (Vicar) on Sep 29, 2014 at 14:38 UTC

    Update: Thank you AnomalousMonk for pointing out how pack works and that the code in the OP does work. I tried it but somehow thought I was only seeing the original plaintext in the header when I saw #!/usr/bin/p and got distracted playing with Acme::Bleach.

    roadtest: The code you provided is missing a step before the pack function. tr/ \t/01/; is needed to translate the spaces and tabs to 0's and 1's before pack can turn them into text. If you look at the brighten subroutine in Acme::Bleach you will see this step. The output from your example is shown below. I also had to add an empty line after the data so the heredoc could find the end.

    #!/usr/bin/p
      The code you provided is missing a step before the pack function. tr/ \t/01/; is needed to translate the spaces and tabs to 0's and 1's before pack can turn them into text.

      Not so. The 'b' and 'B' pack templates only look at the least-significant bit of a character to be packed, so space (0x20) and '0' (0x30) translate | pack to a 0 bit, and \t (0x09) and '1' (0x31) to a 1 bit.

      c:\@Work\Perl\monks>perl -wMstrict -le "for my $s (qq{\t     \t  \t    \t }, '1000001001000010', 'qpppppqppqppppqp') { my $p = pack 'b*', $s; print qq{'$s' -> '$p'}; } "
      '	     	  	    	 ' -> 'AB'
      '1000001001000010' -> 'AB'
      'qpppppqppqppppqp' -> 'AB'

        Wow, interesting. Thanks
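A round trip of the scheme in the question, as added example code (not from this thread or from Acme::Bleach; whiten, brighten and reveal are my own helpers, only named after Acme::Bleach's subroutines, and the hidden one-liner is constructed): it encodes source into the same space/tab heredoc layout as check_services, recovers it without executing it, as no_slogan's print substitution does, and checks AnomalousMonk's point that pack 'b*' reads only the low bit of each character.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Encode: unpack 'b*' emits each source byte as 8 bits, least-significant
# bit first; a 0 bit becomes a space and a 1 bit a tab, wrapped into lines
# so the body looks blank, as in the check_services header.
sub whiten {
    my ($src) = @_;
    (my $ws = unpack 'b*', $src) =~ tr/01/ \t/;
    return join "\n", $ws =~ /.{1,64}/g;
}

# Decode: pack 'b*' keeps only the least-significant bit of each
# character, so space (0x20) is 0 and tab (0x09) is 1 with no tr/ \t/01/
# step; '0'/'1' (0x30/0x31) and 'p'/'q' (0x70/0x71) behave the same way.
sub brighten {
    my ($ws) = @_;
    $ws =~ tr/\r\n//d;            # the line breaks were only layout
    return pack 'b*', $ws;
}

# Recover the hidden source of a whole whitened script without running it:
# the heredoc body is every line after the visible one-liner up to the
# first empty line (the terminator of <<'').
sub reveal {
    my ($script) = @_;
    my @lines = split /\n/, $script, -1;
    shift @lines while @lines && $lines[0] !~ /pack'b\*'/;   # shebang etc.
    shift @lines;                                             # the one-liner
    my @body;
    push @body, shift @lines while @lines && length $lines[0];
    return brighten(join '', @body);
}

# Constructed sample: a one-line monitor hidden the same way as check_services.
my $plain  = qq{print "checking /var/log\\n";\n};
my $script = "#!/usr/bin/perl\n"
           . q{$_=<<'';y;\r\n;;d;$_=pack'b*',$_;$_=eval;$@&&die$@;$_} . "\n"
           . whiten($plain) . "\n\n";

print "hidden source:\n", reveal($script);       # the print statement above
print "running it:\n";
eval $script;                                    # prints: checking /var/log
die $@ if $@;
print pack('b*', "qpppppqppqppppqp"), "\n";      # AB, as in the test above
```

Pointing reveal() at the text of check_services itself would print its hidden source; the visible one-liner is located by its pack'b*' call, so the shebang and any other leading lines are skipped.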

Node Type: perlquestion [id://1101852]
Approved by Corion
Front-paged by biohisham