Comments for Stunnix Perl-Obfus

19 May 2003 01:54 gvy

Re: How Lame Can You Get?

> And there is a demand for Perl obfuscator - it's obvious.


Hey pal, there's a demand for child porn. Go post a Other/Proprietary tarball here?

This kind of thing really doesn't have its moral place here.

2 all: go to scoop and ask to remove it? (sorry stunnix)

14 Apr 2003 07:31 pardus

Re: Complete bogus


# Entry Word: bogus

# Function: adjective

# Synonyms COUNTERFEIT, brummagem, fake, false,

# phony, pinchbeck, pseudo, sham, snide, spurious

# Related Word forged; imitation

# Contrasted Words bona fide, good

# Antonyms authentic, genuine, real


Like in "bogus security" or "bogus protection". Yes, it is
harder to read obfuscated code, but as long as it's perl it's easily reversed to a readable form.

Obfuscation as practiced within the perl community has nothing to do with protecting source code.

01 Apr 2003 21:24 nicc777

Re: How Lame Can You Get?
Classic :)

25 Mar 2003 01:16 eterps

Re: How Lame Can You Get?
> Also, there is a problem of guessing that '$z5da4d3837d'
> was '$files' before obfuscation, and not '$slots' (or whatever).


Okay, so you cannot know that '$z5da4d3837d' corresponds with '$files' after obfuscation. But the code is not really hard to read and understand when you use distinguishable dictionary words, there is already a Perl module for that:

http://search.cpan.org/author/JJORE/B-Deobfuscate-0.03/lib/B/Deobfuscate.pm
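
Added example, not part of any comment in this thread and not B::Deobfuscate's code: a shell function that consistently replaces each mangled identifier with a distinguishable word, the renaming idea the comment above describes. It assumes mangled names are "z" followed by ten hex digits (the shape of the names quoted in the thread); the sample Perl input and the word list are constructed.

```sh
#!/bin/sh
# Added example. Assumption: mangled names are "z" + 10 hex digits, the shape
# of the names quoted in the thread (z5da4d3837d, zb463d7d1b4).

# Constructed sample input; only the identifier shape comes from the thread.
sample_obfuscated() {
cat <<'EOF'
my @z5da4d3837d = glob("*.txt");
foreach my $z0123456789 (@z5da4d3837d) {
    zb463d7d1b4($z0123456789);
}
sub zb463d7d1b4 { print "$_[0]\n"; }
EOF
}

# rename_mangled: Perl source on stdin, same source on stdout with every
# distinct mangled identifier replaced by one word, in order of first use.
# The words are placeholders: the original names are not recoverable.
rename_mangled() {
    awk '
    BEGIN { n = split("alpha bravo charlie delta echo foxtrot golf hotel", words, " ") }
    {
        out = ""; line = $0
        # Walk maximal runs of word characters so that only whole
        # identifiers are tested; sigils ($ @ &) stay where they are.
        while (match(line, /[A-Za-z0-9_]+/)) {
            pre  = substr(line, 1, RSTART - 1)
            tok  = substr(line, RSTART, RLENGTH)
            rest = substr(line, RSTART + RLENGTH)
            if (tok ~ /^z[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]$/) {
                if (!(tok in map)) {
                    count++
                    # Fall back to numbered names once the word list runs out.
                    map[tok] = (count <= n) ? words[count] : ("name" count)
                }
                tok = map[tok]
            }
            out = out pre tok
            line = rest
        }
        print out line
    }'
}

sample_obfuscated | rename_mangled
```

The output keeps the program's structure and only swaps names, so it complements rather than replaces the 'perl -MO=Deparse' step mentioned elsewhere in the thread.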

24 Mar 2003 20:48 nicc777

You are missing the point ...
Perl was never intended to be "un-readable". I can't think of a single line of Perl code I would ever want to "hide"/"obfuscate" from anybody.

If you want to code closed source commercial apps - use C.

Let's also consider some of the practical issues:

* Debugging. If something goes wrong, I must _hope_ it's not the mangled code. There is no easy way to know for sure. Personally I would not trust this at all.

* Version control. What mechanism is there to tie the mangled code to an original source file? Also consider the line: "Unique! Means to make analysis of changes between different releases of the obfuscated product more difficult" ( source: http://www.stunnix.com/prod/perl-obfus.shtml ).

* Easy to reverse. This has been commented on already. I have experimented a bit and it took about 30 minutes to solve the puzzle ( given your own example ). The only thing I haven't done was to give the function names a more interesting name, but then again - it's easy to add.

* $879 !!! Are you serious? This is the best get-rich-quick-scheme I have ever seen. You can purchase commercial compilers for less than that.

In a nutshell then - I think you people should grow up. I hope somebody that did indeed make the mistake of purchasing this junk takes you to court - There must be some kind of law against this obvious attempt to make people believe stuff that just isn't true.

To all prospective buyers out there - give this a miss.

Cheers

24 Mar 2003 08:51 stunnix

Re: Complete bogus

> Check this (perlmonks) thread for an
> elaborate discussion.

If Perl-Obfus is bogus, then all obfuscators are bogus too. Or the term "bogus" is inappropriate.

24 Mar 2003 07:59 pardus

Complete bogus
Check this (perlmonks) (http://www.perlmonks.org/index.pl?node_id=243011) thread for an elaborate discussion.

24 Mar 2003 07:46 stunnix

Re: How Lame Can You Get?

> % % The deobfuscator for this tool is 'perl -MO=Deparse'. It doesn't rename the
> % % variables to something meaningful and it doesn't restore doublequoted strings,
> % % but apart from that it does a good job on the example code given on the site.
> % %
> % % (And BTW, the obfuscated code given on their website does not run: 'Undefined
> % % subroutine &main::zb463d7d1b4'.)
> %
> % The code won't run due to this error because the *PIECE* of original and
> % obfuscated files is present on the webpage, not entire file.
>
> Well, either way no one's going to be buying your asinine software through
> freshmeat now that they've demonstrated how reversible it is.
>
> sed 's/z5da4d3837d/a/g' stunnixsucks.pl | sed ....


That's essentially a feature of all obfuscators that do
not require shipment of modified interpreter with obfuscated code.


Also, there is a problem of guessing that '$z5da4d3837d'
was '$files' before obfuscation, and not '$slots' (or whatever).

24 Mar 2003 07:36 lamp666

Re: How Lame Can You Get?

> % The deobfuscator for this tool is 'perl -MO=Deparse'. It doesn't rename the
> % variables to something meaningful and it doesn't restore doublequoted strings,
> % but apart from that it does a good job on the example code given on the site.
> %
> % (And BTW, the obfuscated code given on their website does not run: 'Undefined
> % subroutine &main::zb463d7d1b4'.)
>
> The code won't run due to this error because the *PIECE* of original and
> obfuscated files is present on the webpage, not entire file.


Well, either way no one's going to be buying your asinine software through freshmeat now that they've demonstrated how reversible it is.


sed 's/z5da4d3837d/a/g' stunnixsucks.pl | sed ....

24 Mar 2003 06:44 stunnix

Re: How Lame Can You Get?

> The deobfuscator for this tool is 'perl
> -MO=Deparse'. It doesn't rename the
> variables to something meaningful and it
> doesn't restore doublequoted strings,
> but apart from that it does a good job
> on the example code given on the site.
>
> (And BTW, the obfuscated code given on
> their website does not run: 'Undefined
> subroutine &main::zb463d7d1b4'.)


The code won't run due to this error because
the *PIECE* of original and obfuscated files is present on the webpage, not entire file.
