|No such thing as a small change|
Re^3: Hide DBI password in scriptsby afoken (Abbot)
|on Jan 13, 2018 at 00:53 UTC||Need Help??|
No, I was not talking specifically about the perl debugger, but of course, the perl debugger usually has source access (except for XS code).
Source code is not needed to debug a compiled program. You won't have nice C source in the debugger output, but you can step through the disassembled code and set breakpoints, even if the debug information has been stripped from the binary.
Semi-automatic disassemblers like IDA can be very helpful to find places to set breakpoints at runtime. Just reading the relevant parts of the disassembly can be sufficient, if the de-obfuscation / decryption code is a single function. And yes, IDA can disassemble executables for many different processors and operating systems.
I can make the perl program print out the secret and stop without ever touching the main script. Have a look at how I injected the DBIspy module.
I can have a second perl script modify the script and restore all meta-data in the inode (see lstat and especially utime). File size won't change for an injected die, I can easily pad the file with some commented-out garbage to the old size.
I can use environment variables to modify @INC and thus load modified modules. Your code surely uses strict somewhere. Guess how hard it would be to include DBIspy or similar in a modifed copy of strict.pm.
I can use LD_PRELOAD to load an additional library into the perl interpreter. Code in the library would be executed before perl's main(), would call the magic password program and abort the program before perl's main() is reached.
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)