Help-Site Computer Manuals
Software
Hardware
Programming
Networking
  Algorithms & Data Structures   Programming Languages   Revision Control
  Protocols
  Cameras   Computers   Displays   Keyboards & Mice   Motherboards   Networking   Printers & Scanners   Storage
  Windows   Linux & Unix   Mac

B::Deobfuscate
Extension to B::Deparse for use in de-obfuscating source code

B::Deobfuscate - Extension to B::Deparse for use in de-obfuscating source code


NAME

B::Deobfuscate - Extension to B::Deparse for use in de-obfuscating source code


SYNOPSIS


  perl -MO=Deobfuscate,-csynthetic.yml,-y synthetic.pl


DESCRIPTION

B::Deobfuscate is a backend module for the Perl compiler that generates perl source code, based on the internal compiled structure that perl itself creates after parsing a program. It adds symbol renaming functions to the the B::Deparse manpage module. An obfuscated program is already parsed and interpreted correctly by the the B::Deparse manpage program. Unfortunately, if the obfuscation involved variable renaming then the resulting program also has obfuscated symbols.

This module takes the last step and fixes names like $z5223ed336 to be a word from a dictionary. While the name still isn't meaningful it is at least easier to distinguish and read. Here are two examples - one from the B::Deparse manpage and one from B::Deobfuscate.

Initial input


  if(@z6a703c020a){(my($z5a5fa8125d,$zcc158ad3e0)=File::Temp::tempfile(

  'UNLINK',1));print($z5a5fa8125d "=over 8\n\n");(print($z5a5fa8125d

  @z6a703c020a)or die(((("Can't print $zcc158ad3e0: $!"))); print($z5a5fa8125d

  "=back\n");(close(*$z5a5fa8125d)or die(((("Can't close ".*$za5fa8125d.": $!")

  ));(@z8374cc586e=$zcc158ad3e0);($z9e5935eea4=1);}

After the B::Deparse manpage:


  if (@z6a703c020a) {

      (my($z5a5fa8125d, $zcc158ad3e0) = File::Temp::tempfile('UNLINK', 1));

      print($z5a5fa8125d "=over 8\n\n");

      (print($z5a5fa8125d @z6a703c020a)

          or die((((q[Can't print ] . $zcc158ad3e0) . ': ') . $!)));

      print($z5a5fa8125d "=back\n");

      (close(*$z5a5fa8125d)

          or die((((q[Can't close ] . *$za5fa8125d) . ': ' . $!)));

      (@z8374cc586e = $zcc158ad3e0);

      ($z9e5935eea4 = 1);

  }

After B::Deobfuscate:


  if (@parenthesises) {

      (my($scrupulousity, $postprocesser) = File::Temp::tempfile('UNLINK', 1));

      print($scrupulousity "=over 8\n\n");

      (print($scrupulousity @parenthesises)

          or die((((q[Can't print ] . $postprocesser) . ': ') . $!)));

      print($scrupulousity "=back\n");

      (close(*$scrupulousity)

          or die((((q[Can't close ] . *$postprocesser) . ': ') . $!)));

      (@interruptable = $postprocesser);

      ($propagandaist = 1);

  }

You'll note that the only real difference is that instead of variable names like $z9e5935eea4 you get $propagandist.


OPTIONS

As with all compiler backend options, these must follow directly after the '-MO=Deobfuscate', separated by a comma but not any white space. All options defined in B::Deparse are supported here - see the B::Deparse documentation page to see what options are provided and how to use them.

-dDICTIONARY
Normally B::Deobfuscate reads an internal dictionary of easily pronounced keywords. If you would like to specify a different dictionary follow the -d parameter with the path to the dictionary file. The path may not have commas in it and only lines in the dictionary that do not match /\W/ will be used. The entire dictionary will be loaded into memory at once.

  -d/usr/share/dict/stop

For an alternate approach, see the Acme::Floral manpage's source code and how it installs an alternate dictionary of flower names. This writes a new dictionary to the *B::Deobfuscate::DATA filehandle before the B::Deobfuscate object decompiles the input perl code.

-mREGEX
Supply a different regular expression for deciding which symbols to rename. The default value is /\A[[:lower:][:digit:]_]+\z/. Your expression must be delimited by the '/' characters and you may not use that character within the expression. That shouldn't be an issue because '/' isn't valid in a symbol name anyway.

  -a/\A[[:lower:][:digit:]_]+\z/

-y
print two YAML documents to STDOUT instead of the deparsed source code. The first document is a configuration document suitable for use with the -c parameter. The second document is the deparsed source code. Use this feature to generate a configuration document for further, iterative reverse engineering.

The intention here is that you could write some software to read this YAML document, present the information to the user, accept some alterations to the configuration and re-run the deobfuscator with the new input.

-cFILENAME
Supply a filename to a YAML configuration file. Normally you would generate this file by saving the results of the -y parameter to a file. You can then edit the file to provide your own names for symbols and not rely on the random symbol picker in B::Deobfuscate. You may create your own YAML configuration file as well.


CONFIGURATION FILE

The B::Deobfuscation symbol renamer can be controlled with by a configuration file. Use of this feature requires the YAML module be installed.


 dictionary: '/usr/share/dict/propernames'

 global_regex: '(?:)'

 globals:

   kSDsfDS: Slartibartfast

   HGFdsfds: Triantaphyllos

 lexicals:

   '$SdfSd': '$No'

   '$GsdDd': '$Ed'

   '$Ksdfs': '$Ji'
dictionary
This is a filename path to the operative dictionary.

 dictionary: /usr/share/dict/stop

global_regex
This regular expression tests global symbols. Only symbols that match this expression may be renamed. The default value is '\A[[:lower:][:digit:]_]\z/. In perl, global symbols are independent of their sigil so the values being tested are bare. Future versions of B::Deobfuscate may add the sigil to the symbol name.

 global_regex: '\A[[:lower:][:digit:]_]\z'

globals
This is a hash detailing symbol names as used in the original source and the name used in the deobfuscated source. For example - if the original source has a variable named @z12345 and you wish to rename all occurrances to @URLList then the hash would associate 'z12345' with 'URLList'. The dictionary picker fills these values in automatically.

If you wish to prevent B::Deobfuscate from renaming a symbol then specify the new value as '~' (which in YAML terms is undef).


 globals:

   catfile: ~

   opt_n: ~

   opt_t: ~

   opt_u: ~

   z1234567890: Postprocesser

   z2345678901: Constructable

   z3456789012: Photosynthesises

   z4567890123: Undiscriminate

   z5678901234: Parenthesises

   z6789012345: Animadvertion

lexicals
Lexicals is a hash exactly like `globals' except that all the symbol names include the sigil which doesn't currently happen for globals.

 lexicals:

   '$k1234567890': '$ivs'

   '$k2345678901': '$ehs'

   '$k3456789012': '$ans'

   '$k4567890123': '$ons'

   '$k5678901234': '$ofs'

   '$k6789012345': '$gos'

   '$k7890123456': '$dus'

   '$k8901234567': '$iis'

   '$k9012345678': '$ats'

   '$k0123456780': '$ets'


AUTHOR

Joshua b. Jore <jjore@cpan.org>


SEE ALSO

the B::Deparse manpage http://www.perlmonks.org/index.pl http://www.perlmonks.org/index.pl YAML

Programminig
Wy
Wy
yW
Wy
Programming
Wy
Wy
Wy
Wy