Reverse Engineering Perl2Exe back to Perl
In the August issue of the Digital Forensics Magazine (DFM) my article on reverse engineering Perl2Exe can be found. The article describes a way to recover the source code of the Perl program back from the executable created with Perl2Exe program.
Perl2Exe is a program which converts Perl source code to standalone Windows executable files which hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware) it can take a lot of effort to analyse these files. This article describes a new and easy to follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier..
Perl2Exe converts the source code of the Perl script by packing it inside a single executable together with a Perl interpreter. The Perl source code is included inside the executable in encrypted form and thus it cannot easily be recovered from the executable.
In the past there have been a couple of other projects to retrieve the Perl source code from Perl2Exe executable files (see boxout 1). However, none of these projects work with the current versions of Perl and Perl2Exe. In the past couple of years there have been a number of Perl2Exe versions released (see boxout 2) and each new version seems to break the previously found solutions to recover the Perl source code.
The article can be found in the member section of the DFM website or in the paper version of the magazine. The link to the article can be found here: http://digitalforensicsmagazine.com/index.php?option=com_content&view=article&id=820
More info on DFM can be found here: http://www.digitalforensicsmagazine.com/
Test programs / code
I created two short test programs to test the approach described in the article. The code of these test programs is shown below.
#!/usr/bin/perl print "\n[*] Perl2exe Perl sourcecode revealer test code\n". Â Â Â Â Â "Â Â Â by Thijs (Thice) Bosschert\n". Â Â Â Â Â "Â Â Â v1.0 17-06-2012\n\n"; # Comment: This is a test comment print "\n[*] This is just a test line.\n\n";
The test programs can be downloaded here.
Perl2Exe version 8 & 9: Example_code_Perl2Exe_8-9.exe
Created with Perl2Exe v9.11 and StrawBerry Perl 5.8.8
Perl2exe version 10 & 11: Example_code_Perl2Exe_10-11.exe
Created with Perl2Exe v11.00 and StrawBerry Perl 5.14.2
It seems that two ‘boxouts’ did not make it to the final version of the article (but are still named in it). Both of these boxouts can be found below:
The following projects have been published in the past with the same goals as this article. However none of them work with the current Perl and Perl2Exe versions:
- The exe2perl.c program created by GalaxyMaster which can be found on http://exe2perl.danuk.ru/
- The exec2pl program from 2002 by Chetan Ganatra, more info can be found on http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-01/0105.html
- The write up by â€˜fileoffsetâ€™ which describes a similar approach as described in this article and can be found on http://www.fileoffset.com/re/tutorials/perl2exe.htm
Perl2Exe release timeline
The following Perl2Exe versions have been released over the years:
- Perl2Exe V11.00, released Mar 10, 2012
- Perl2Exe V10.40, released Jun 25, 2011
- Perl2Exe V10.10, released Feb 3, 2011
- Perl2Exe V9.110, released Dec 7, 2009
- Perl2Exe V8.82, release Aug 21, 2007