In the August issue of the Digital Forensics Magazine (DFM) my article on reverse engineering Perl2Exe can be found. The article describes a way to recover the source code of the Perl program back from the executable created with Perl2Exe program.
Reverse Engineering PERL2EXE Back to Perl
Perl2Exe is a program which converts Perl source code to standalone Windows executable files which hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware) it can take a lot of effort to analyse these files. This article describes a new and easy to follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier..
Perl2Exe converts the source code of the Perl script by packing it inside a single executable together with a Perl interpreter. The Perl source code is included inside the executable in encrypted form and thus it cannot easily be recovered from the executable.
In the past there have been a couple of other projects to retrieve the Perl source code from Perl2Exe executable files (see boxout 1). However, none of these projects work with the current versions of Perl and Perl2Exe. In the past couple of years there have been a number of Perl2Exe versions released (see boxout 2) and each new version seems to break the previously found solutions to recover the Perl source code.
Read more…
I recently ran into the issue that my new photo-camera (Samsung WB650) somehow decided to erase all the data of my SD card. Since the SD card was filled with a lot of photos and video files I decided to image the SD card and to try to recover my files. The photo files all were JPEGs, so it was pretty easy to recover them by using Scalpel. However the Video format this camera uses was not included in Scalpel so they weren’t recovered. To be able to recover the video files as well I created a Scalpel rule for them myself.
Read more…
During the recent Defcon 19 CTF pre-qualifications, one of the challenges included to connect ‘quicker’ to a web server. While figuring out what the solution was for this challenge one of the things I tried was to send the HTTP GET request already in the TCP handshake stage. Sadly enough this had nothing to do with the real solution of this case, the real solution was making use of SPDY to connect to the server, this is also explained by one of the other teams in a write up here. However it was a nice exercise to create packets with scapy again and since I could not find a lot of information on the topic I decided to create this short write up on the topic.
Read more…
Every networking device contains a MAC address, in general these MAC addresses should be unique for each networking device (not taking into account spoofing at this moment). Each of these MAC addresses contains a OUI (Organizationally_Unique_Identifier) and each OUI that is used should refer to the company making the networking device.
While there are various places where you can lookup OUIs I couldn’t find an easy command line tool for this. So, to enable easier lookups of these OUIs I wrote a small Perl script, the script is made to be used on a BackTrack 4 installation, however it should work on other systems as well.
Read more…
