Results 1 to 10 of 10
  1. #1
    Join Date
    Sep 2006
    Location
    Germany
    Posts
    71

    How to protect (Perl) scripts against software piracy

    I would be eager to hear some experiences other programmers (mainly Perl, but all script programmers are welcome to participate) have made with protecting their hard work against software piracy and unauthorized copying.

    The main issue we face is that the sourcecode is open and everybody with a text editor can read it. So even the most complex anti-piracy mechanism are useless when they can be easily removed from the source.

    Currently we protect our own scripts by using a checksum method that calculates its value from various file attributes - mainly size and contents (e.g. HTML templates containing our own copyright notes).

    When executing the master/login script, it compares the stored checksum with the actual calculated one - if it mismatches (e.g. copyright notice has been altered), an e-mail is sent to us automatically containing IP information and other details of the user allowing us to contact them (or at least the server administrator). In order to prevent us for getting flooded with such mails, a flag marks whether or not we were already warned.

    While we took some efforts to prevent novice programmers and script kiddies to remove this protection, it is no problem for an experienced programmer to do so.
    SunnyScript (CGI scripts, custom software development) - http://www.sunnyscript.com
    STAR ENTERPRISE (Internet and Business Services) - http://www.starenterprise.com

  2. #2
    Join Date
    Aug 2005
    Location
    UK
    Posts
    654

    Compile it?

    Why not just compile your perl script so its in bytecode? Would-be pirates will have a job decoding that.

    As for other languages, some times it just not posable.

  3. #3
    Join Date
    Feb 2003
    Location
    Canada
    Posts
    1,010
    I've attached the code that I used to use, back in the days of CGI and Slackware! Both encrypt.pl and decrypt.pl are included.

    I don't guarantee the amount of protection that this provides, so your mileage may vary.

    Encrypt.pl
    Code:
    #!/usr/bin/perl
    
    require 5.002 ;
    
    use vars qw($XOR $BLOCKSIZE $HEADERSIZE $CRYPT_MAGIC_1 $CRYPT_MAGIC_2
                $size $mode $line
               ) ;
    
    $XOR            = 'Perl' ;
    $BLOCKSIZE       = length $XOR ;
    $HEADERSIZE      = 2 ;
    $CRYPT_MAGIC_1   = 0xff ;
    $CRYPT_MAGIC_2   = 0x00 ;
    
    $Fingerprint     = pack ("C*", $CRYPT_MAGIC_1, $CRYPT_MAGIC_2) ;
    
    die "Usage: encrypt file...\n"
      unless @ARGV ;
    
    # Loop throught each file in turn.
    foreach $file (@ARGV)
    {
    
        if (! -T $file)
        {
            print "Skipping directory $file\n" if -d $file ;
            print "Skipping non-text $file\n" if ! -d $file ;
            next ;
        }
    
        open (F, "<$file") or die "Cannot open $file: $!\n" ;
        open (O, ">${file}.pe") or die "Cannot open ${file}.pe: $!\n" ;
    
        # Get the mode
        $mode = (stat F)[2] ;
    
        # Check for "#!perl" line
        $line = <F> ;
    
        if ( $line =~ /^#!/ )
          { print O $line }
        else
          { seek F, 0, 0 }
    
        print O "use Filter::decrypt ;\n" ;
        print O $Fingerprint ;
    
    
        $block = '';
        while ($size = read(F, $block, $BLOCKSIZE) )
        {
            print O ($block ^ substr($XOR, 0, length $block)) ;
        }
    
        close F ;
        close O ;
    
        unlink ($file)
            or die "Could not remove '$file': $!\n" ;
    
        rename ("${file}.pe", $file)
            or die "Could not rename $file.pe to $file: $!\n" ;
    
        chmod $mode, $file unless $^O eq 'MSWin32' ;
    
        print "encrypted $file\n" ;
    }

    Decrypt.pl
    Code:
    #!/usr/bin/perl
    
    require 5.002;
    
    use vars qw (
        $XOR
        $BLOCKSIZE
        $HEADERSIZE
        $CRYPT_MAGIC_1
        $CRYPT_MAGIC_2
        $size
        $mode
        $line
    );
    
    $XOR           = 'Perl';
    $BLOCKSIZE     = length $XOR;
    $HEADERSIZE    = 2;
    $CRYPT_MAGIC_1 = 0xff;
    $CRYPT_MAGIC_2 = 0x00;
    
    foreach $file (@ARGV)
    {
        open (F, "<$file") or die "Cannot open $file: $!\n";
        open (O, ">${file}.ne") or die "Cannot open ${file}.ne: $!\n";
    
        seek(F,0,0);
        $line = <F>;
    
        $block = '';
        read(F, $block, 24);
        while ($size = read(F, $block, $BLOCKSIZE) )
        {
            print O ($block ^ substr($XOR, 0, length $block)) ;
        }
    
        close F;
        close O;
    }

  4. #4
    perlguardian.com

  5. #5
    Join Date
    Sep 2006
    Location
    Germany
    Posts
    71
    Regarding "perlguardian.com": Unfortunately they provide quite less information on their website (used encryption method, expiration scheme working, etc.).

    In order to get more information, is there an other website or company available providing something similar ?
    SunnyScript (CGI scripts, custom software development) - http://www.sunnyscript.com
    STAR ENTERPRISE (Internet and Business Services) - http://www.starenterprise.com

  6. #6
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    welp. i am right in this boat. i have compiled my script with perlcc and someone went in and hexed it to death or somehow is tricking or removed the licensing portion. i have added some counter measures much like the ones that you are referring to but have also put some....extra....bonuses....in place. surely you can imagine what i am talking about. i also plan to obfuscate and encrypt before sending it through the compiler.

    i still don't know if that will prevent this person from doing what they are doing though.

    i would love to hear inputs on this.

    kevin
    <<Please see rules for signature setup.>>

  7. #7
    After processing with perlcc, try using an executable packer. this compresses the binary, and decompresses it at execution time. This makes it more difficult for someone to browser through looking for replaceable data.

    If you really want to go the whole way, you can write a custom executable loader that does self checking *during* the decryption process. Not easy, and you have to be bloody minded to get it just right. Assembler expertise required. But it works
    Last edited by plumsauce; 06-06-2009 at 04:31 AM.
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  8. #8
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    ok. what does that do to the performance of the script though. the script is a compilation of 100 files. lets say one of the script gets run every 10 seconds. what does that do to the ram usage and what does that do to performance of running the single script file.

    do you have any code, specific packers or steps to instantiate the methods you are describing

    kevin
    <<Please see rules for signature setup.>>

  9. #9
    Quote Originally Posted by hostydotnet View Post
    hi,

    ok. what does that do to the performance of the script though. the script is a compilation of 100 files. lets say one of the script gets run every 10 seconds. what does that do to the ram usage and what does that do to performance of running the single script file.

    do you have any code, specific packers or steps to instantiate the methods you are describing

    kevin
    The one that I was talking about is no longer sold, but in it's history it was known to be *ahem* unfriendly to attackers. It was also virus resistant, because if even 1 byte got changed in the executable, it bombed out.

    These days try searching for UPX packer, if the old grey cells are still working.

    Can you make the scripts dependent on certain important functions that are part of a compiled library?
    edgedirector.com
    managed dns global failover and load balance (gslb)
    exactstate.com
    uptime report for webhostingtalk.com

  10. #10
    Join Date
    Mar 2008
    Location
    hunterdon county NJ
    Posts
    196
    hi,

    welp. the upx packer idea is rather worthless since it comes with a -d flag for decompressing it back to a binary file.

    kevin
    <<Please see rules for signature setup.>>

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •