Monday, June 2, 2008

More Fun With Security Through Obfuscation On Linux And Unix

Hey There,

A few months ago, we ran a post on security through obfuscation, regarding ways to make your code less comprehensible to folks who didn't understand it as well as you do. While, at the core, this does nothing to actually "secure" your code from anyone with the patience to unravel it, it can be useful for keeping folks who know "just enough to do a lot of damage" from messing with your scripts ;) And, on another level, it can be a useful stalling technique, since you'll be making anyone work to figure out how your script/code works before they can change it without risking destroying it.

While I'm sure there are many more points to cover (and, hopefully, we'll cover them all eventually ;), today's addition to the arsenal is pretty obvious: Messing with your variable names :)

Most decent and responsible scripters will try to have their variable names make sense (if for no one's benefit than for their own - writing a confusing script isn't going to be worth it if even you can't figure it out later ;). So, when they use a variable to use as a counter, they might name it $counter, or something like that. @array_of_files is another such descriptive name. Very helpful later on when you need to modify your own stuff, and good practice so that, if you ever leave a place of employment, you won't be screwing your friends and co-workers who will, inevitably, get stuck maintaining your code.

However, assuming you do something as simple as keeping a separate file with a simple legend, like:

VAR ORIG
a file
b count
...


and so forth, naming your variables as arcanely as possible is a great way to make long, convoluted, stream-of-consciousness scripts as close to incomprehensible as possible ;) Having this sort of legend available can make it easy for you to do variable replacement within the "confusing" version of the script to make it easily understandable once again.

For instance, this Perl script to reverse all lines in a file on Linux or Unix can be rewritten to be even more confusing that it may already be.

Following is a working, but awful looking, revision of the original code, modified to include meaningless variables (scalar, array and filehandle), no indentation, no spaces between lines and no comments (except at the top). I've opted not to include a legend, since we have the original code hosted on this blog (linked to above) and you won't need to go through the hassle of reversing it.

In a future post, we'll look at creating such a legend for any script and backward-applying changes to your code (even though it would be much easier to do with "patch" ;)

Enjoy :)


Creative Commons License


This work is licensed under a
Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License

#!/usr/bin/perl

# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#

if ( $#ARGV != 0 ) {
exit(1);
}
$a=$ARGV[0];
open(A, "<$a");
@a = <A>;
close(A);
foreach $b (@a) {
chomp($b);
@b = split(//, $b);
$c = @b;
undef(@c);
while ( $c > 0 ) {
push(@c, $b[$c-1]);
$c--;
}
$e = join(/ /, @c);
unshift(@f, "$e");
}
open(B, ">$a.reverse");
foreach $d (@f) {
print B "$d\n";
}
close(B);
exit(0);


, Mike