 CD Home < Web Techniques < 2001 < August  

Deconstruction Zone

By Brian Wilson

Have you ever heard of obfuscated programming contests? The objective is to write functional code that's so obscure that no other human could possibly understand it. Perl syntax seems made for this form of expression; obfuscated Perl code has become something of an art form. For beautiful examples, visit the Perl Monks Web site.

There are reasons other than aesthetics for generating obfuscated Perl code. When you give someone a Perl script, you're handing over all of your source code. He or she can change it, improve it, or steal your ideas, and there's typically nothing you can do to prevent this.

This is where nexoSoft CodeProtect_Perl comes in: It runs your Perl code through a series of filters. Each filter deconstructs the code, making it harder for humans to read, but (theoretically) leaving it syntactically correct and functionally unchanged. The script compiles and executes exactly as you wrote it, but it becomes incomprehensible to prying eyes.

CodeProtect_Perl 2.02 for Windows
nexoSoft
www.nexo.de/codeprotect
Cost: $39
Pros: It's so inexpensive that you might want a copy.
Cons: It crashes easily. German interface confusing to some.

CodeProtect seems to represent the antithesis of the open nature of Perl culture. Yet, while researching this review, I found that the Perl Monks site had a lengthy message thread discussing ways to do exactly this kind of code protection. No one questioned it.

You might be inclined to use Perl itself to write scripts for some of these obfuscations; I tried. The transformations aren't as trivial as they first seem. You could use a Perl compiler to produce binary code versions of your scripts. You may already have a copy of the perlcc compiler—it comes with the standard Perl distribution. Its man page describes it as "very experimental." For limited applications this might meet your needs, but CodeProtect is more comprehensive. For the price, CodeProtect will give you time to look elsewhere for interesting problems to solve.

Installation

Although CodeProtect is usable, it still needs more work. It's produced by a German company, but I downloaded the English version of the zip file. When I first attempted to install CodeProtect on Windows NT, the setup program popped up a series of dialog boxes, all in German. I switched to a Windows 98 system and the installation was uneventful. I used the 98 version for the rest of this review.

CodeProtect is easy to use once it's installed. To use it, create a project that defines a source directory, an output directory, and a set of switches that tell which transformations to apply. The source directory can contain any number of Perl files. When you click on the Create Files button, each file is passed through the selected filters and the corresponding output is written to the output directory.

Available Obfuscations

To be useful, CodeProtect must generate code that can't be easily read by humans, but that's still reliable enough to use in production code. Here's a brief description of my favorite filters and my comments on their effectiveness:

Deconstruct variables. This filter changes variable names to long, meaningless strings. For example, $count = 1 might become $gahbahicfefbhh = 1.

Deconstruct functions. This does the same thing to function names. These filters are extremely effective if your code is confined to a single file. But CodeProtect doesn't generate a common symbol table across all files in a project, so you can't use these features if you write your own Perl modules. For example, if you define $template=1 in a file called module.pl, and then include module.pl in a CGI script with require, CodeProtect won't use the same deconstructed name in both output files. Thus, instead of print $template printing a 1, it prints nothing.
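The missing project-wide symbol table described above, as an added Python example (not CodeProtect's code or the author's): it renames variables in a constructed two-file Perl project, once with a table per file and once with one table shared by every file. The regex renamer, the salted-hash names (a stand-in for independently generated names) and all function names are assumptions made for illustration.

```python
import hashlib
import re

# Constructed two-file Perl project mirroring the review's $template example.
PROJECT = {
    "module.pl": "$template = 1;\n1;\n",
    "page.cgi": 'require "module.pl";\nprint $template;\n',
}

# Perl scalars, arrays and hashes; special variables such as $_ or $0 are skipped.
# Simplification: quoted strings are not parsed, so interpolated names are renamed too.
VARIABLE = re.compile(r"([$@%])([A-Za-z]\w*)")

def new_name(name, salt):
    """Derive a meaningless but repeatable identifier for `name`."""
    digest = hashlib.sha256(f"{salt}:{name}".encode()).hexdigest()
    return "v" + digest[:12]

def rename(source, table, salt):
    """Rewrite one file, adding first-seen names to the symbol table."""
    def swap(match):
        sigil, name = match.groups()
        table.setdefault(name, new_name(name, salt))
        return sigil + table[name]
    return VARIABLE.sub(swap, source)

def obfuscate(project, shared_table):
    """Return {filename: (output, table)} using a per-file or project-wide table."""
    common, result = {}, {}
    for filename, source in project.items():
        table = common if shared_table else {}
        # A per-file salt models each file being renamed independently.
        salt = "project" if shared_table else filename
        result[filename] = (rename(source, table, salt), dict(table))
    return result

def broken_links(result):
    """List variables that received different names in different files."""
    seen, broken = {}, set()
    for _, table in result.values():
        for name, alias in table.items():
            if seen.setdefault(name, alias) != alias:
                broken.add(name)
    return sorted(broken)

if __name__ == "__main__":
    for mode in (False, True):
        print("shared table:", mode, "mismatched:", broken_links(obfuscate(PROJECT, mode)))
```

Running `broken_links` over the output of a real obfuscation pass is a cheap pre-release check that every file reached through `require` still agrees on its shared names.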

Insert pseudo variables. A pure obfuscation measure, this throws extra lines such as $ajklsdajklsda= 70 into the output hither and thither, and it works most of the time. In some cases, I saw CodeProtect insert pseudo variables in the middle of a quoted block of text. I recommend leaving this filter turned off, as it makes any script longer, and hence, slower.

Remove indents and blank lines. This removes most white space. It's effective, but can disrupt a quoted string if the string has leading tabs or blank lines. Your testing must be thorough for this to be usable.

Remove line breaks (except in HERE documents). This crunches the script down into lines of about 1000 characters each. It's very effective. Although this is supposed to leave HERE text untouched, I found that it did not. The nexoSoft programmers need to improve their lexical scanner to better protect quoted strings and HERE documents.

You can toggle settings on and off to choose files with .cgi and .pl extensions. However, there's no option for Perl modules, which normally have a .pm extension.

Using CodeProtect

The basic development cycle is to write and completely debug your Perl code, verify that it works as expected, and then pass the source files through CodeProtect. Finally, you must perform the same verification tests to make sure that the generated scripts still work as expected. CodeProtect reads only your original files, so that if you need to, you can change the Perl later. You can reopen the same CodeProtect project and generate new protected files.

Some of the Perl constructions I use routinely break when I use the full set of filters. When you're developing protected scripts, you'll have to decide between changing troublesome Perl code or turning off some filters to get the protected code to function correctly.

Ho Hum

I've found that when faced with anything slightly unusual, CodeProtect crashes. For example, click on View Results when no project is open: Boom. I learned to avoid these situations. On the other hand, I sent some long and convoluted Perl scripts through CodeProtect and found that it worked reasonably well most of the time. Although I was able to construct Perl that would break it, CodeProtect works well enough to justify its low price.


Brian is cofounder of Harbro Systems in Santa Rosa, CA. Harbro develops Linux-based shared Internet services for home and office. Write to him at bwilson@harbrosystems.com.




Copyright © 2003 CMP Media LLC