Reverse Engineering Perl2Exe back to Perl

Categories Code, Forensics, Malware

In the August issue of the Digital Forensics Magazine (DFM) my article on reverse engineering Perl2Exe can be found. The article describes a way to recover the source code of the Perl program back from the executable created with Perl2Exe program.

Reverse Engineering PERL2EXE Back to Perl

Perl2Exe is a program which converts Perl source code into standalone Windows executable files that hide the Perl code. When a forensic investigator encounters a Perl2Exe program (for example malware), it can take a lot of effort to analyse these files. This article describes a new and easy-to-follow approach to recover the full Perl source code from these Perl2Exe executable files, making the analysis of these files much easier.
Perl2Exe converts the source code of the Perl script by packing it inside a single executable together with a Perl interpreter. The Perl source code is included inside the executable in encrypted form and thus it cannot easily be recovered from the executable.
In the past there have been a couple of other projects to retrieve the Perl source code from Perl2Exe executable files (see boxout 1). However, none of these projects work with the current versions of Perl and Perl2Exe. In the past couple of years there have been a number of Perl2Exe versions released (see boxout 2) and each new version seems to break the previously found solutions to recover the Perl source code.

The article can be found in the member section of the DFM website or in the paper version of the magazine. The link to the article can be found here: http://digitalforensicsmagazine.com/index.php?option=com_content&view=article&id=820

More info on DFM can be found here: http://www.digitalforensicsmagazine.com/

Test programs / code

I created two short test programs to test the approach described in the article. The code of these test programs is shown below.

#!/usr/bin/perl

print "\n[*] Perl2exe Perl sourcecode revealer test code\n".
      "    by Thijs (Thice) Bosschert\n".
      "    v1.0 17-06-2012\n\n";

# Comment: This is a test comment

print "\n[*] This is just a test line.\n\n";

The test programs can be downloaded here.

Perl2Exe version 8 & 9: Example_code_Perl2Exe_8-9.exe

Created with Perl2Exe v9.11 and StrawBerry Perl 5.8.8

Perl2exe version 10 & 11: Example_code_Perl2Exe_10-11.exe

Created with Perl2Exe v11.00 and StrawBerry Perl 5.14.2

Boxouts

It seems that two ‘boxouts’ did not make it to the final version of the article (but are still named in it). Both of these boxouts can be found below:

Boxout 1:

Past projects

The following projects have been published in the past with the same goals as this article. However, none of them work with the current Perl and Perl2Exe versions:

Boxout 2:

Perl2Exe release timeline

The following Perl2Exe versions have been released over the years:

  • Perl2Exe V11.00, released Mar 10, 2012
  • Perl2Exe V10.40, released Jun 25, 2011
  • Perl2Exe V10.10, released Feb 3, 2011
  • Perl2Exe V9.110, released Dec 7, 2009
  • Perl2Exe V8.82, released Aug 21, 2007

Source: http://www.indigostar.com/perl2exe.php

2 Comments

  • Colin
    04/07/2013

    Hi,
    I bought the magazine where you included this article.
    However, the perl2exe program I am trying to recover is a 64-bit executable (I believe) and therefore OllyDbg – the tool that you rely on in the article – does not open it, because it only handles 32-bit programs.

    Do you have any advice on what to do?

    Thanks

  • Thice.nl » Perl2Exe back to Perl – 2014
    12/08/2014

    […] back to Perl article in Digital Forensics Magazine, more information can be found in my post here. Since I published this article in a magazine I was not allowed to post it on my own website as […]
