Resurrect the dead

[campbellc]

For whatever reason a Perl script has been lost. I have the compiled executable but not the source. Is there a way to reengineer source code from the executable?


-Chris

 

[travs69]

what did you compile it with? If you use pp you can get the original back out out of it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis - Those Who Say It Cannot Be Done Are Usually Interrupted by Someone Else Doing It; Give the wrong symptoms, get the wrong solutions;

 

[campbellc]

Unfortunately, I did not write it or compile it. I have been given the distinct honor of deconstruction a program in which this executable is being called. I assume it is a Perl Script only by the nature that it is being stored in the Perl executables directory. Not one individual on this team has a clue as to what it does, who wrote it or where the source code might be hiding but it runs every 15 minutes in a production run environment.

 

[travs69]

try copying it, and renaming it to a .zip and unzipping it.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis - Those Who Say It Cannot Be Done Are Usually Interrupted by Someone Else Doing It; Give the wrong symptoms, get the wrong solutions;

 

[campbellc]

I copied the file. Renamed the .exe to .zip and tried to unzip. It did not work.

 

[travs69]

Then it was compiled using pp (which is all I have used).

Here is some non-tested non-verified code from somewhere else that is supposed to be used to de-compile perlApp compiled scripts. You will need to to edit it for your .exe and location.

use strict;
use warnings;

use Compress::Zlib;

++$|;

open IN, 'test.exe' or die $!;
binmode IN;
read IN, my $data, 1e8;

my $piecenum=0;

my $progress = progress(length $data);
my $piecedata;
for (0..length($data)-1) {
    $progress->($_);
    $piecedata = uncompress("\x78\x9c" . substr $data, $_);
    if (defined $piecedata) {
        print "\nFound piece at $_\n";
        open OUT, sprintf('>piece_%03d.txt', $piecenum++) or die $!; b
+inmode OUT;
        print OUT $piecedata ^ chr(0xAA) x length $piecedata;
    }
}

sub progress {
    my $max = $_[0];
    my $last = 0;
    return sub { print $last = int(100*$_[0]/$max), "%... " if $last !
+= int(100*$_[0]/$max) };
}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis - Those Who Say It Cannot Be Done Are Usually Interrupted by Someone Else Doing It; Give the wrong symptoms, get the wrong solutions;

 

[campbellc]

Thanks Travis.
I made the modification and ran it...ran for a long time but no output was generated.

 

[travs69]

I meant to say
Then it was not compiled using pp (which is all I have used).

The place where I saw that script mentioned that it takes a VERY long time for it to do anything.

You might google decompile perlapp as that is a popular compiler.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis - Those Who Say It Cannot Be Done Are Usually Interrupted by Someone Else Doing It; Give the wrong symptoms, get the wrong solutions;

 

[MikeLacey]

Chris - how big is the file? Perl script executables are often quite large as they contain Perl itself.

Mike

When working on any project the value of other people is exactly that - they are other people, with views that don't necessarily match yours. This mismatch, between their views and the view you've been contentedly assuming is right, is where that value lies.

 

[campbellc]

Thanks Travis - I did do a very limited search on decompilers and will continue to do some more. Thanks for the idea. The information that I'm seeing is that PerlApp does sometype of encryption of the data which prevents it from being decompiled. Have you seen this statement as well?

Mike - The executable is 1,105KB.

 

[MikeLacey]

Stands a good chance of being a "compiled" Perl script at that size. I'd bet that your search for decompilers, trying each one, is the best way to go.

It's probably that each Perl compiler vendor will be able to recognise the executables they produce, so you may get some joy if you contact them and ask if they'd identity it as one of theirs.

Mike

When working on any project the value of other people is exactly that - they are other people, with views that don't necessarily match yours. This mismatch, between their views and the view you've been contentedly assuming is right, is where that value lies.

 

[travs69]

campbellc I have heard exactly that about perlApp and each version of perlApp is slightly different and requires a different decompile script Any chance you could just re-write the original script?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Travis - Those Who Say It Cannot Be Done Are Usually Interrupted by Someone Else Doing It; Give the wrong symptoms, get the wrong solutions;

 

[chazoid]

you might want to try watching your windows %temp% directory when you run the script. I know some compiled scripts extract files to that location, then automatically delete them when the script ends. I just tried this with a pp compiled script, and it seems to only extract some modules and .dll files. In the past, I recall seeing the original script temporarily stored somewhere, but I don't remember which compiler was used.. could have been perl2exe.

If pp was used, you'll see a directory in %temp% named like par_priv.XXXX.tmp