Sure. Message taken on board - once you have the script then it can be reverse engineered. (Anyone tried using Stunnix to see if it adds *any* obfuscation at all once Deparse has had a go at it?)

However, if you package up stuff with the ActiveState thing then the perl script file is at least moderately well hidden; for example, there is only one useful reference on Google on how to reverse engineer it, and the method appears to be inapplicable for the latest version. (It is certainly beyond anyone who is not at least extremely keen to look inside.)

There is clearly no need to go overboard with XXX bit encryption algorithms, since the key is always going to be wired into the file; even XOR will be sufficient if the file is compressed.

I was just thinking one could then start to add thin veneers to increase security. For example, if the key is known or in a fixed place then a simple perl script to whack off the header and grab the key is trivial to write. However, if we split the key up and place it in a slightly different location each time, then our perl script has now got substantially more complicated. I'm sure that we can dream up other incremental improvements.

There are many hackers quite easily capable of reverse engineering this, and I have no intention of aiming at them. However, if one can prevent a customer opening it up in WinZip then this is a step forward... (if you see what I mean)

Clearly this all depends on NOT having someone who thinks it is useful to pop a decompile script on CPAN. This is clearly feasible and I would not suggest that we even try to compete; however, my opinion is that this is not a creative and helpful use of people's time.

Anyway, not meant to take the focus away from all the other excellent features that PAR already has.

Thanks again for PAR!

Ed W

-----Original Message-----
From: Nicholas Clark [mailto:[EMAIL PROTECTED]
Sent: 29 July 2003 11:00
To: Edward Wildgoose
Cc: [EMAIL PROTECTED]
Subject: Re: PAR 0.70 Released.

On Tue, Jul 29, 2003 at 10:46:13AM +0100, Edward Wildgoose wrote:
> No doubt a decrypt can easily be written, but with luck those people
> with the ability to do so will not actually circulate an example script
> (giving those without, the leg up) and so the integrity will be
> sufficient for many people's requirements.

Source code recovery has been in core since 5.005_03. The version in 5.8.0 is getting very good:

http://search.cpan.org/author/JHI/perl-5.8.0/ext/B/B/Deparse.pm

Obfuscators (such as Stunnix) will help, in that people have to know to go to CPAN to find help:

http://search.cpan.org/author/JJORE/B-Deobfuscate-0.10/lib/B/Deobfuscate.pod

Encrypting with a key that the script has to get from somewhere else (such as a user typing in a startup passphrase) would work.

Nicholas Clark
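
Added example (not part of the original messages, and not PAR or ActiveState code): a Python sketch contrasting the two approaches discussed in the thread, a key wired into the packaged file versus a key derived from a passphrase typed at startup. The container layouts and all function names are hypothetical, and the HMAC-SHA256 counter keystream stands in for a real cipher because the standard library does not ship one.

```python
import hashlib, hmac, os, zlib

def xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def repeat(key, n):
    return (key * (n // len(key) + 1))[:n]

# Scheme from the thread: compress, XOR, key stored in the file itself.
def pack_embedded(script):
    key = os.urandom(16)
    body = zlib.compress(script)
    return key + xor(body, repeat(key, len(body)))

def load_embedded(blob):
    # What the packaged program does at startup. It needs nothing but the
    # file, so the file alone is enough for anyone who holds a copy.
    key, body = blob[:16], blob[16:]
    return zlib.decompress(xor(body, repeat(key, len(body))))

# Alternative from the reply: the key comes from outside the file.
def derive(passphrase, salt):
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]          # encryption key, MAC key

def keystream(key, n):
    # Stand-in for a real cipher (assumption): HMAC-SHA256 over a counter.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def pack_passphrase(script, passphrase):
    salt = os.urandom(16)
    enc_key, mac_key = derive(passphrase, salt)
    body = zlib.compress(script)
    ct = xor(body, keystream(enc_key, len(body)))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct         # no key material is stored

def load_passphrase(blob, passphrase):
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    enc_key, mac_key = derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified file")
    return zlib.decompress(xor(ct, keystream(enc_key, len(ct))))
```

Moving or splitting the key inside the first container changes where `load_embedded` has to look, not what it needs; only the second container depends on something that is absent from the file.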
