Stunnix Perl-obfus - the obfuscator for Perl source code

Introduction to Stunnix Perl-obfus

The current trend in the application and web development industry is switching from compiled languages like C/C++ and Delphi to scripting languages like Perl, Javascript or VBScript. One of the main disadvantages of these languages for developers of commercial applications is the great ease by which customers and competitors can study, analyze and reuse the code. For custom solutions the risk of losing control over intellectual property is even higher since it's much more difficult to track violations of intellectual property in them due to the highly targeted or even exclusive distribution of such solutions or products. In such cases, violations of intellectual property can take the form of reuse of the original source code even with an arbitrary level of adaptation! Due to the ease by which study and modification can be performed, it is extremely difficult to enforce the licensing conditions of the applications or sites (for example - permission to use the script only on a single website, and only until a specified date has occurred).

Stunnix Perl-obfus is a unique solution for this problem for code written in Perl programming language. It is an advanced and reliable obfuscator for Perl source code which has advanced support for adding extremely difficult to remove automatic licensing checks. It converts the perl source files (.pl and .pm) into highly mangled and obfuscated form, making it extermely difficult for customers and competitors to study, analyse, reuse and re-work, while fully retaining the original functionality. By default, since version 1.3 that highly mangled and obfuscated code is also encoded afterwards to completely hide the structure of the program. Stunnix Perl-obfus is not a compiler to machine code - the obufscated form will still be the usual perl source code, thus it will work on all platforms the original source worked on. State of the art support for ensuring license conditions (lifetime expiration, several types of hostname checks, user-defined checks) has been present in Stunnix Perl-Obfus since version 1.5.

Please note that tools that convert code into executables like PAR and PerlApp are not a solution to the code hiding, since all source code of the application gets written to some temporary directory once the executable produced by these tools is run. This allows curious users to get to your code quickly. However, using these tools on the output of Stunnix Perl-Obfus is fully supported for cases when standalone executable is required from code protected by Stunnix Perl-Obfus.

 
 

The obfuscation of Perl means

Replacing symbol names with non-meaningfull ones, e.g. replacing list_of_customers with zcadaa4fc81

Of course names that are part of APIs are not mangled otherwise the program will work incorrectly. APIs can be standard (builtin language functions) or user-defined (for 3rd-party libraries that the developer decided not to obfuscate). Names of symbols that are part of APIs are referred to as "obfuscation exceptions" or simply "exceptions".

The following obfuscation methods are supported:

  • Md5 sum with user-specified "salt": sample replacement is zd7b6a02ec5. The salt, number of characters from hexified version of md5 sum and a prefix ("z" in the sample above) are the options of this mangler;
  • Combinations of characters from a user-specified set: e.g. if set is "l" and "I" (i.e. capital 'i' and small 'L'), it will generate names like "lIIlllIl". If the set is all lowercase letters, names like "bjhepjsdlrf" will be generated. Manglers take three options: a set of characters, salt string and length of resultant name;
  • Shortest possible symbol name (great for minimizing output size) - so-called Perl compression mode. All Perl in the project will be studied and symbol use count calculated.
  • Prefixing symbol: listOfCustomers becomes; MyPrefix_listOfCustomers — great for debugging, since all error messages identify which symbol in the input file caused the problem;

The results of all the methods (called "symbol name obfuscators" or "symbol manglers" in documentation ), except the last one (listOfCustomers-> MyPrefix_listOfCustomers) cannot be reveresed. This guarantees obfuscated Perl code cannot be recovered and makes it hard to analyze,

All "symbolname manglers" can be applied to Perl Protection Projects consisting of an arbitrary number of files.

Mapping between the original and replacement symbol names are stored along with the project so developers can always recall the original name of symbol.

Users have an option to manually specify symbol replacement.

Users have an option to specify symbols that shouldn't be renamed (lists can be attached to each individual file). Strictly speaking, there are 2 types of such lists, ones in which symbols are checked case-sensitive, and others in which symbols are checked case-insensitive.

Users can also define lists of suffixes that should be kept in symbols as-is (so everything before the suffix is mangled, while keeping suffix the same) — that is if _onClick is in the list of such suffixes to keep and md5 symbolname mangler is active, then openBtn_onClick it will be replaced with something like zd8ac37d6e_onClick, Lists of symbols for standard interfaces used by Perl are shipped with Perl Obfuscator. Users can easliy disable some of the "exceptions" in these shipped lists by listing some symbols as "antiexceptions" (these can be individually specified for each Perl file in the project).

There is an option of storing a symbol map as a comment inside protected version of each file.

Replacing numeric constants with expressions, e.g. replacing 232 with (0x14b6+2119-0x1c15)

Obfuscation of numeric constants make code harder to read - e.g. iteration from 1 to 5 will be totally non-obvious if loop limits are obfuscated this way.

The replacement expression can be made different even for the same constant, but in different places in your code (e.g. in one place and (0xd99+5451-0x21fc) 2 lines below it), or it can be the same for a given numeric constant. This makes analysis of changes between different builds of your code more difficult.

Of course there is an option not to obfuscate numeric constants.

Replacing characters in strings with their hex escapes, e.g. turning string "cust" into "\x63\x75\x73\x74"

This obfuscation stage makes the Perl code more difficult to understand at a first glance, more difficult to search for error messages and so on.It slightly increases the size of the code, though.

International characters in the strings will be left as is. There is also an option to replace strings with expressions that are create from individual characters using character codes, e.g. "cust" will look like this: (join("",map { chr($_); } ((0x04f8+ 8150-0x246b),(0x04eb+ 397-0x0603),(0x0783+ 1026-0x0b12),(0x0331+ 2600-0x0ce5)))) or (join("",map { chr($_); } (99,117,115,116))) . Of course it will increase size of your obfuscated code even more.

There is also an option to not obfuscate strings at all.

Adding extra parenthesis around expressions

Perl Obfuscator automatically puts parenthesis around expressions in the code to make them more confusing to read.

Replacing strings with interpolated variables with concatenation of the appropriate components

Perl Obfuscator applies obfuscation to variables used in string interpolation. Strings with variable interpolations are automatically converted into concatenation operations that involve constant strings parts and variables. This makes your code even more difficult to read.

Removing or obfuscation of comments

Comments can be completely removed. Since Perl Obfuscator is very flexible and powerful tool, there are other ways to obfuscate them (besides keeping them as is):

  • Leave only newlines in the comments. I.e. comments will span same number of lines but there won't be any text in them. This will keep line numbers of the protected code same as in original code (if you specify newlines in the protected code are not to be removed),
  • Replace all characters but newlines with 'x'
  • Replace all characters but spaces and newlines with 'x'
These additional Perl obfuscation options demonstrate how well the original code was commented which may aid in selling the code.

Removing spaces and tabs in the lines of code

This Perl obfuscation stage removes all spacing and identation in the code. This makes the code more difficult to read, and greatly reduces its size.

This step won't do anything with linebreaks in the code.

Of course this stage is optional.

Joining all lines in your code

This Perl obfuscation stage turns all the code into single line. Statement separators will be inserted in the appropriate places. This makes even looking at code difficult, since the viewer will have to scroll back and forth.

There is a setting to rewrap the code into several lines, each being no longer than specified number of characters.

Sometimes it's better not to apply this step if your code is not well-debugged and you wish error messages to contain line numbers matching your original code.

Of course this stage is optional.

Encoding the result of previous stages

Encoding means hiding Perl code by converting it into a special form that completely hides program structure. It also adds special advanced code that will decode the encoded script at runtime and execute it. Since the decoding code is automatically included into each protected file, no standalone decoders or interpreters are needed for running protected files.

By default, encoding is applied to the result of obfuscation, but it's possible to apply encoding to original source directly. This allows effortless code hiding that does not require any adaptation of the Perl code.

Of course this stage is optional too.

See samples for how encoded Perl looks like.

Even only obfuscated code with no encoding applied is extremely difficult to understand for a human since the name of variables and subroutines and other symbols are totally meaningless and difficult to remember (e.g. @files becomes @zcadaa4fc81). It is possible to control all aspects of code hiding using the GUI and commandline switches of perl-obfus.

An sample of how cryptic a typical file looks after obfuscation and encoding with Perl-Obfus is available.

 
 

The features summary of Stunnix Perl-obfus:

 
 

Stunnix Perl-obfus features in detail

Project Manager - an advanced user interface for projects of any complexity

The power and flexibility of Stunnix Obfuscators are now available via a graphical user interface, eliminating the need to even read the descriptions of the commandline options supported! Stunnix Obfuscator Project Manager - an advanced intuitive cross-platform graphical user interface is included. It allows the protection of projects of any complexity, consisting of files of any type, and possibly including code of any type (client-side, server-side, .asp pages with both server side and client-side code, .html files with client-side code), even allowing code in some files to be processed with different sets of options or even not processed at all. It has 'build project' functionality available in most popular IDEs that will result in processing only files which are newer than their protected version. Files free from code (like images or .css files) will simply be copied to the directory with protected version of the project, allowing the use of Project Manager as a generic replacement for a 'Make'-like utility. It completely eliminates the need to compose and invoke the commandline manually as all operations can be performed using mouse.

Below are screenshots of Stunnix Perl-Obfus Project Manager GUI. There is a LIVE ONSITE demo of it too!

Users who prefer to use the commandline will be able to compose a build script (a special project-specific perl program that is effectively a smart stand-alone replacement for project-specific Makefile that already includes the functionality of the Make utility). Just invoke that build script to perform any desired operations such as cleaning all output files, rebuilding only changed files or rebuilding all files (with ability to specify only a subset of files).

You can see Stunnix Perl-Obfus Project Manager running on our site in demo mode (destructive and editing operations are disabled).

You can download Project Manager to evaluate it.

Full support for all Perl language constructs

Due to the deep integration with Perl language interpreter, Stunnix Perl-obfus provides a unique level of support for all Perl language constructs and their advanced use. No other product aiming at obfuscation of Perl source code technically and theoretically provides this. Stunnix Perl-obfus supports advanced Perl constructs including nested regular expressions (i.e. regular expressions inside substitution part of s///e operator), all forms of interpolating variables of all types in strings and in regular expressions even with so-called extened patterns, perl formats, all quote and quote-like operators, "<<EOF" constructs and several ways of handling POD documentation and data after __DATA__ sections. This means that majority of the Perl source code obfuscated with Stunnix Perl-obfus will truly function the same as non-obfuscated code. This is a unique feature of the Stunnix Perl-obfus. In order to ease the checking of obfuscated code for correctness, a special utility is provided that detects the names of undeclared subroutines and other symbols.

Full support for applications consisting of several Perl modules

Stunnix Perl-Obfus, unlike other tools, was designed with multi-module programs in mind. Stunnix Perl-obfus keeps a module export list (i.e. @EXPORT=qw();) and arbitrary strings that contain symbol names (e.g. portions of the argument of eval builtin function) in sync with the obfuscated names of variables and subroutines automatically. Developer has to mark up such strings in a special way though (by wrapping them in call of helper function that Perl-Obfus treats specially), while preparing code for obfuscation.

Full support for keeping library modules application uses in non-obfuscated (original) form

Most applications use Perl standard modules like File::Path or third-party modules. In the case of standard Perl modules it's preferable to not ship obfuscated version of such standard modules, but force the program to use the version that comes with Perl in order to reduce distribution size and to avoid licensing issues. In the case of third-party modules, licensing conditions frequently disallow modification of those modules, thus there are no options except shipping them in original, non-obfuscated form. Stunnix Perl-obfus allows such cases by providing a utility to generate exception lists.

Encoding of the file is performed by default

To make the results of processing bear no resemblance to the code of any programming language, those results are encoded. No stand alone decoder is required to support the encoding of files.

Support for ensuring license conditions

There is state of the art support for program expiration and several variants of hostname checking (single allowed host name, list of hostname tails, regular expression hostname matching). If licensing conditions are not met, the program can remove itself automatically. There is also an option to print a custom notification message after which the program will terminate. User-defined checks with actions are supported as well. A special initialization code is applied to blocks of code. Without this intialization code, the program won't work correctly. The whole block is also encoded to protect it from analysis and modification. This block of code can't be removed from the program body without making it malfunction. Several sources of information about current time and host name are suported. See more details here.

Supports source compression mode

Stunnix Perl-Obfus supports source code compression mode via the inclusion of special aid. In this mode symbols are renamed to the shortest random allowed symbol name in order to minimize the resultant size of output (the more frequently used symbols are renamed to shorter symbols). This turns Stunnix Perl-Obfus into a so-called "source code compressor" tool. This module works for multimodule projects too.

Available in Standard and Lite Editions

Stunnix Perl-Obfus is available in Standard and Lite Editions in order to be even more cost-effective. You don't have to pay for very advanced features if you don't need them! There is a document listing the differences between editions.

Special mode for the quickest preparing of a project for protection

A special obfuscation mode is present that allows a project to be adapted for obfuscation quickly. There is no need to spend valuable time while performing the trial-and-error preparation process. Due to the availability of unique symbol extraction utilities not available with any other products, the preparation process is as short as theoretically possible.

A variety of options to tightly control the obfuscation

As with all Stunnix products, programs of a Stunnix Perl-obfus suite have a lot of commandline options to tightly control each aspect of their operation. All options have intuitive names, and there is extensive documentation on each option available. Default options for the main part of the Stunnix Perl-obfus suite can be conveniently stored in a globally-visible file.

There are free and very useful web-based commandline builders for Perl-Obfus too; they are very useful for getting impressions of what abilities Perl-Obfus provides.

Utilities to make code preparing for obfuscation easier are included

Three extra utilities are included to make preparing code for obfuscation - gen-ident-exceptions.pl, find-undeclared-subs.pl and get-idents-from-html.pl. The gen-ident-exceptions.pl allows the generation of a list of symbol names that shouldn't be obfuscated (e.g. ones from third-party modules). The find-undeclared-subs.pl is designed to check the obfuscated code for the absence of undeclared subroutines and other types of symbols, and get-idents-from-html.pl is designed for the extraction of names of html form fields.

Included utilities to gather project-specific exceptions

Unique utilities to gather project-specific exceptions are included: utility to gather html form fields' names and IDs of html elements, and ability to extract all symbols from ActiveX or OLE components.

These utilities are a must have for any professional obfuscator. Without them composing lists of exceptions for a project of even medium size is very time-consuming, dull and error-prone process typically accomplished by using trial-and-error technique.

The functionality of both utilities is fully integrated into Project Manager user interface and thus can be carried on by using the mouse only.

Includes utility to simplify turning protected code into standalone executable using third-party utilities like Perl2Exe

Special utility - get-mods-list.pl - is included to create lists of modules that perl code uses or requires. Such lists of modules may be needed by various tools for converting perl code into standalone executables - like Perl2Exe and PAR toolkit.

Means to make the analysis of changes between different releases of the obfuscated product more difficult

Among a variety of options that control each aspect of obfuscation and encoding are ones that make only obfuscated (but not encoded) versions of the same source code different from each other after each run of Perl-Obfus. This can be used to make analysis of changes between different versions of the software much more difficult. Another use is distributing unique versions of the obfuscated code to each customer. This way a developer can track license violations to a specific customer (so called perl source code watermarking).

Key internal parameters of encoding already depend on random values, so the encoded version of the same file will be different on each run.

Easy to install on any Unix/Linux or Windows server

Stunnix Perl-obfus is a suite of Perl applications. It requires a working Perl version 5.8 or greater installed somewhere in your system (a so-called "interpreter for backend"). It needn't be a default perl interpreter in your system - you can install this version of perl into non-standard location for it to coexist with your system perl. Of course the perl version 5.8 or greater is required by Stunnix Perl-obfus itself only, obfuscated version of the code won't require any particular perl version if it didn't require one before. No additional non-standard Perl modules are required for Stunnix Perl-obfus. In case the "interpreter for backend" is different from the system perl, no modules required by the program being obfuscated need to be installed for "interpreter for backend".

Stunnix Perl-obfus comes as an archive file in tar.gz or self-extracting archive format. It can be extracted to any directory you like. Optionally one can set default values for the site-specific options in the configuration file, however most people won't need to change the defaults.

Web-based commandline builder is available

Despite the fact that primary interface to Stunnix Perl-Obfus is commandline-based, there are very useful commandline builders for Perl-Obfus. There is a link to the documentation near each form field, that fully explains the purpose and semantics of each option.

They are very useful for getting impressions of the capabilities of Perl-Obfus.

There are two editions of Stunnix Perl-obfus - Standard and Lite. There is a document listing differences between these editions.

 
 

Related links

Evaluation version of the Stunnix Perl Web Server can be used as a sample of protecting complex and big project using Stunnix Perl-Obfus. Also all our obfuscation tools like JavaScript Obfuscator, C/C++ Obfuscator , VBScript and ASP Obfuscator and Encoder and of course Perl-Obfuscator itself are all protected using Perl-Obfus.

Full documentation for Stunnix Perl-Obfus is available online.

You can see a Project Manager for Perl Obfuscator demo on our site, or go straight to the page with obfuscation and encoding options available.

An example of how cryptic a typical file looks after obfuscation with Perl-Obfus is available.

Stunnix Perl-obfus can be purchased in our online store.

An Obfuscator for JavaScript language - Stunnix JS-Obfus - is also available from us.