By Brian Wilson
Have you ever heard of obfuscated programming
contests? The objective is to write functional code
that's so obscure that no other human could possibly
understand it. Perl syntax seems made for this form of
expression; obfuscated Perl code has become somewhat
of an art form. For beautiful examples, visit the Perl
Monks Web site.
There are reasons other than aesthetics for generating
obfuscated Perl code. When you give someone a Perl
script, you're handing over all of your source code.
He or she can change it, improve it, or steal your
ideas, and there's typically nothing you can do to
This is where nexoSoft CodeProtect_Perl comes in: It
runs your Perl code through a series of filters. Each
filter deconstructs the code, making it harder for
humans to read, but (theoretically) leaving it
syntactically correct and functionally unchanged. The
script compiles and executes exactly as you wrote it,
but it becomes incomprehensible to prying eyes.
|CodeProtect_Perl 2.02 for Windows
It's so inexpensive that you might want a copy.
It crashes easily. German interface confusing to some.
CodeProtect seems to represent the antithesis of the
open nature of Perl culture. Yet, when researching for
this review, I found that the Perl Monks site had a
lengthy message thread discussing ways to do exactly
this kind of code protection. No one questioned it.
You might be inclined to use Perl itself to write
script for some of these obfuscations; I tried. The
transformations aren't as trivial as they first seem.
You could use a Perl compiler to produce binary code
versions of your scripts. You may already have a copy
of the perlcc compilerit comes with the standard Perl
distribution. Its main page describes it as "very
experimental." For limited applications this might
meet your needs, but CodeProtect is more
comprehensive. For the price, CodeProtect will give
you time to look elsewhere for interesting problems to
Although CodeProtect is usable, it still needs more
work. It's produced by a German company, but I
downloaded the English version of the zip file. When I
first attempted to install CodeProtect on Windows NT,
the setup program popped up a series of dialog boxes,
all in German. I switched to a Windows 98 system and
the installation was uneventful. I used the 98 version
for the rest of this review.
CodeProtect is easy to use once it's installed. To use
it, create a project that defines a source directory,
an output directory, and a set of switches that tell
which transformations to apply. The source directory
can contain any number of Perl files. When you click
on the Create Files button, each file is passed
through the selected filters and the corresponding
output is written to the output directory.
To be useful, CodeProtect must generate code that
can't be easily read by humans, but that's still
reliable enough to use in production code. Here's a
brief description of my favorite filters and my
comments on their effectiveness:
Deconstruct variables. This filter changes variable
names to long, meaningless strings. For example,
$count = 1 might become
$gahbahicfefbhh = 1.
Deconstruct functions. This does the same thing to
function names. These filters are extremely effective
if your code is confined to a single file. But
CodeProtect doesn't generate a common symbol table
across all files in a project, so you can't use these
features if you write your own Perl modules. For
example, if you define
$template=1 in a file called
module.pl, and then include module.pl in a CGI script
require, CodeProtect won't use the same
deconstructed name in both output files. Thus,
print $template printing a
1, it prints
Insert pseudo variables. A pure obfuscation measure,
this throws extra lines such as
into the output hither and thither, and it works most
of the time. In some cases, I saw CodeProtect insert
pseudo variables in the middle of a quoted block of
text. I recommend leaving this filter turned off, as
it makes any script longer, and hence, slower.
Remove indents and blank lines. This removes most
white space. It's effective, but can disrupt a quoted
string if the string has leading tabs or blank lines.
Your testing must be thorough for this to be usable.
Remove line breaks (except in HERE documents). This
crunches the script down into lines of about 1000
characters each. It's very effective. Although this is
supposed to leave HERE text untouched, I found that it
did not. The nexoSoft programmers need to improve
their lexical scanner to better protect quoted strings
and HERE documents.
You can toggle settings on and off to choose files
with .cgi and .pl extensions. However, there's no
option for Perl modules, which normally have a .pm
The basic development cycle is to write and completely
debug your Perl code, verify that it works as
expected, and then pass the source files through
CodeProtect. Finally, you must perform the same
verification tests to make sure that the generated
scripts still work as expected. CodeProtect reads only
your original files, so that if you need to, you can
change the Perl later. You can reopen the same
CodeProtect project and generate new protected files.
Some of the Perl constructions I use routinely break
when I use the full set of filters. When you're
developing protected scripts, you'll have to decide
between changing troublesome Perl code or turning off
some filters to get the protected code to function
I've found that when faced with anything slightly
unusual, CodeProtect crashes. For example, click on
View Results when no project is open: Boom. I learned
to avoid these situations. Alternatively, I sent some
long and convoluted Perl scripts through CodeProtect
and found that it worked reasonably well most of the
time. Although I was able to construct Perl that would
break it, CodeProtect works well enough to justify its
Brian is cofounder of Harbro Systems in Santa Rosa,
CA. Harbro develops Linux-based shared Internet
services for home and office. Write to him at