ABOUT

	Scripts for decompiling Perl programs compiled with perlcc
	
REVISION HISTORY
Version		Author		Date
1.0		Swine		????????
	
DECOMPILING PROCESS
	perlcc parses the Perl script and emits C code (which is in turn compiled to an executable with the C compiler) that rebuilds the program's execution tree at startup; that tree is later interpreted by the documented perl_run() function.
	The execution tree can be decompiled by the documented Perl B::Decomp module (in recent Perl releases this module has left the core distribution together with perlcc).
	The trick is to inject a call to the decompiler into the target program while it is running.
	
	A compiled Perl program performs initialization and execution in the following 3 major steps:
	- It calls perl_parse() (libperl.so), exactly as the perl interpreter does. But instead of being given a script file name to execute, it receives the fixed command line parameter sequence "-e", "", "--"
	followed by the program's own command line. The original command line is therefore only seen by the compiled Perl program (as its @ARGV), never parsed as interpreter options.
	- It calls perl_init(), a function generated by perlcc into the executable itself (it is not part of libperl.so) which actually builds the execution tree by means of half-documented Perl API calls.
	- It calls perl_run() (libperl.so), which works as a simple stack machine: it walks the execution tree and calls a libperl function for each operator (a comparison, an assignment and so on).
	
	The injection and decompiling are done through a debugger and go through the following steps:
	1. Change the command line arguments passed to the perl_parse() function.
		What we want is to make the Perl parser load our own Perl module, which we will later call to do whatever we want through Perl facilities. The module is named qq.pm; to make perl_parse load it we need
		to prepend the "-mqq" command line parameter before "-e".
		
	2. Skip ahead to the call to perl_run(), by which time all the initialization is finished.
	3. Inject a call to what is spelled in C code as {dSP; PUSHMARK(SP); call_pv("qqq", G_DISCARD|G_NOARGS);} (call_pv is a documented Perl API function). This calls the "qqq" subroutine from qq.pm,
		and that subroutine, written in Perl, deals with the rest.
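	As an added illustration of the three steps above (this script is not one of the files shipped here and is not decomp.sh), the following bash script drives gdb through them in batch mode. It assumes an x86_64 Linux target using the System V calling convention, a non-threaded libperl.so (Perl_call_pv takes only the subroutine name and flags, and PL_stack_sp, PL_stack_base and PL_markstack_ptr are plain globals), a target that still carries its dynamic symbols, and a qq.pm reachable through PERL5LIB. The flag value 10 is G_DISCARD|G_NOARGS (2|8, from cop.h). The preflight check and all file names are my own additions; with a threaded libperl the PL_* variables live inside the interpreter structure and Perl_call_pv takes my_perl as its first argument, so step 3 has to be adapted.

```shell
#!/bin/bash
# Added example, not part of the original scripts: drive gdb through the
# three injection steps against a perlcc-built binary.
#
# Assumptions: Linux x86_64, System V calling convention (args in rdi, rsi,
# rdx, rcx, r8), non-threaded libperl.so (PL_* are globals and
# Perl_call_pv(const char *, I32) takes no interpreter argument), and a
# binary that still has its dynamic symbols. qq.pm/qqq are the names used
# by this package; everything else here is illustrative.
set -eu

# Preflight: the libperl the target links against must match the perl whose
# B modules qq.pm will load. Print both so a mismatch is obvious up front.
preflight() {
    local target=$1 lib host
    lib=$(ldd "$target" | awk '/libperl/ { print $3 }')
    host=$(command -v perl >/dev/null && perl -MConfig -e 'print $Config{version}' || echo '<no perl>')
    echo "target libperl: ${lib:-<none found>}"
    echo "host perl:      $host"
}

# Emit the gdb command file implementing steps 1-3.
# G_DISCARD|G_NOARGS is 2|8 = 10 (values from cop.h).
gen_gdb_commands() {
    cat <<'EOF'
set pagination off
set confirm off
# Get into the process once libperl.so is mapped: perl_alloc is always
# called before perl_parse.
break perl_alloc
run
# Step 1: stop on the very first instruction of perl_parse, before its
# prologue, so the argument registers are still intact:
#   perl_parse(my_perl, xs_init, argc, argv, env) -> rdi, rsi, rdx, rcx, r8
break *perl_parse
continue
set $argc = (int)$rdx
set $argv = (char **)$rcx
# New argv with "-mqq" inserted before "-e": one extra slot plus the NULL.
set $newargv = (char **)malloc(sizeof(char *) * ($argc + 2))
set $newargv[0] = $argv[0]
set $newargv[1] = (char *)"-mqq"
set $i = 1
while $i < $argc
  set $newargv[$i + 1] = $argv[$i]
  set $i = $i + 1
end
set $newargv[$argc + 1] = (char *)0
set $rdx = $argc + 1
set $rcx = $newargv
# Step 2: let perl_parse (which now loads qq.pm) and perl_init finish.
break perl_run
continue
# Step 3: PUSHMARK(SP) expanded by hand (casts because libperl usually
# carries no debug info), then call qqq from qq.pm.
set $msp = (int **)&PL_markstack_ptr
set $sp_val = *(long *)&PL_stack_sp
set $base_val = *(long *)&PL_stack_base
set var *$msp = *$msp + 1
set var **$msp = (int)(($sp_val - $base_val) / sizeof(void *))
call (int)Perl_call_pv("qqq", 10)
kill
quit
EOF
}

# Run the whole thing: qq.pm and the matching B modules must be on PERL5LIB
# (defaults to the current directory here); qqq writes dump.pl there.
run_decompile() {
    local target=$1 cmdfile
    shift
    cmdfile=$(mktemp)
    gen_gdb_commands > "$cmdfile"
    PERL5LIB="${PERL5LIB:-$PWD}" gdb -q -batch -x "$cmdfile" --args "$target" "$@"
    rm -f "$cmdfile"
    if [ -f dump.pl ]; then
        echo "decompiled source written to ./dump.pl"
    else
        echo "no dump.pl produced: check the gdb output for modules perl_parse could not find" >&2
        return 1
    fi
}

if [ $# -gt 0 ]; then
    preflight "$1"
    run_decompile "$@"
fi
```

	Usage: ./inject.sh ./ver [program arguments]. The breakpoint on the first instruction of perl_parse (break *perl_parse rather than break perl_parse) matters: gdb otherwise stops after the prologue, by which time argc and argv may no longer be in rdx and rcx.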
	
REQUIREMENTS
	The Perl libraries used for dumping (the B package and its dependencies) must be the same version as the Perl the target program was compiled with.
	The B modules (referenced from qq.pm), qq.pm itself and their dependencies must be locatable by the Perl library running inside the target (the PERL5LIB environment variable may help).
	
	Depending on the Perl version, certain minor changes may be required in the scripts (whether the actual function to call is named perl_call_pv or Perl_call_pv, or how B::Decomp is invoked in qq.pm).
	First see the comments in 'decomp.sh' and 'qq.pm'. I can also imagine that certain builds of perlcc may have incompatible calling conventions. In that case the scripts for automated decompiling
	won't work without being updated to those calling conventions. The conventions currently assumed are register passing (fastcall-style) for x86_64 targets and cdecl for x86.
	
SCRIPTS & USAGE
	qq.pm : Perl module which performs the actual dumping (its qqq subroutine is what finally gets called once the program is ready to run). It must be
	accessible to Perl (put it where the Perl program will be able to find it, or update the PERL5LIB environment variable). If something (qq.pm or modules from the B package) cannot be found,
	perl_parse will fail and, while running under the debugger, print what it could not find.
		Output of the decompiling procedure goes to the 'dump.pl' file in the current directory.
		
	
	decomp.sh : bash script for automated decompiling.
		The script determines break addresses through ltrace and injects the call to qq.pm using the gdb debugger. See the comments inside the script, which may help to solve some
		of the possible problems. Watch the gdb output carefully: if Perl modules cannot be found, perl_parse will print what it could not find.
		This is supposed to work under Linux (or possibly under some other Unix).
		
	dumpperlx86.idc, dumpperlx64.idc: IDA scripts doing the same from the IDA disassembler (separate scripts for the x86 and x86_64 architectures).
		After autoanalysis has finished, set up the debugger's Process options: the "-mqq" command line parameter must be added to the process parameters. If there are other process arguments, -mqq should go last.
		Then execute the script. It will display the program's run-time errors (if any) in the debugger's output terminal. If all is OK, the "qqq" subroutine from qq.pm will be called and will
		in turn create the dump.pl file.
		
		This has a chance to work for Linux and Windows executables. I did not try it under Windows though.

	
	ver.pl: tiny sample Perl program which displays the Perl version
	ver: ver.pl compiled; ELF64, perlcc from Perl 5.6.2
	ver32: ver.pl compiled; ELF32, perlcc from Perl 5.8.8
