script encoder 
Author Message
 script encoder


Michael,

Quote:
>So is this the tool that lets you 'encode' your
>scripts so they may be run/executed but not
>have the ource code viewed?

Yes, but no, the encryption is trivial to defeat - in fact IMO, so trivial as
to wonder why MS put it in, something a fraction stronger would've cost little
effort and yet had a more real effect.  but feel free to use it.

Jim.



Fri, 19 Apr 2002 03:00:00 GMT  
 script encoder

Quote:
> Yes, but no, the encryption is trivial to defeat - in fact IMO, so trivial
as
> to wonder why MS put it in, something a fraction stronger would've cost
little
> effort and yet had a more real effect.  but feel free to use it.

Hi,

It's not encryption - it's obfuscation. Doesn't matter how "strong" we made
it - it only takes one person to reverse engineer the algorithm and publish
a decoding tool on a web page or a newsgroup.

The point of the encoder is not to encrypt or otherwise make your pages
unreadable by a determined hacker. It is to make them impossible to read "by
mistake". In other words, say I sell you an ASP-based JScript web
application for $10,000 and it has lots of secret code in it. In the license
I say you may not look at the source code, reverse engineer it, etc.

Now, obviously you have a valid reason to look at the ASP pages (to change
the HTML source code, for example) and you could quite easily "accidentally"
read some of the JScript code. Now even if you don't intentionally use it
later on, you may remember something you saw and inadvertently use it later
on. Then I see you using *MY* secret technology in one of your products, and
sue you.

How am I going to prove that you deliberately and maliciously stole my
ideas, when you had a legitimate reason to be viewing the source code in the
first place? But if, in order to see my source code, you have to decode the
page (no matter how simple the decoding mechanism is), then I have a better
chance of proving you were up to no good.

Because we're not using real encryption (which would be too expensive), any
form of encoding will be equally as trivial to break. Given that rule, it's
best to make a simple algorithm that is not CPU intensive and is less likely
to have code defects.

Peter

--
Peter J. Torr - Microsoft Windows Script Program Manager

Please do not e-mail me with questions - post them to this
newsgroup instead. Thankyou!



Fri, 19 Apr 2002 03:00:00 GMT  
 script encoder
howdy--

Good answer, Peter.

T


Quote:


> > Yes, but no, the encryption is trivial to defeat - in fact IMO, so trivial
> as
> > to wonder why MS put it in, something a fraction stronger would've cost
> little
> > effort and yet had a more real effect.  but feel free to use it.

> Hi,

> It's not encryption - it's obfuscation. Doesn't matter how "strong" we made
> it - it only takes one person to reverse engineer the algorithm and publish
> a decoding tool on a web page or a newsgroup.

> The point of the encoder is not to encrypt or otherwise make your pages
> unreadable by a determined hacker. It is to make them impossible to read "by
> mistake". In other words, say I sell you an ASP-based JScript web
> application for $10,000 and it has lots of secret code in it. In the license
> I say you may not look at the source code, reverse engineer it, etc.

> Now, obviously you have a valid reason to look at the ASP pages (to change
> the HTML source code, for example) and you could quite easily "accidentally"
> read some of the JScript code. Now even if you don't intentionally use it
> later on, you may remember something you saw and inadvertently use it later
> on. Then I see you using *MY* secret technology in one of your products, and
> sue you.

> How am I going to prove that you deliberately and maliciously stole my
> ideas, when you had a legitimate reason to be viewing the source code in the
> first place? But if, in order to see my source code, you have to decode the
> page (no matter how simple the decoding mechanism is), then I have a better
> chance of proving you were up to no good.

> Because we're not using real encryption (which would be too expensive), any
> form of encoding will be equally as trivial to break. Given that rule, it's
> best to make a simple algorithm that is not CPU intensive and is less likely
> to have code defects.

> Peter

> --
> Peter J. Torr - Microsoft Windows Script Program Manager

> Please do not e-mail me with questions - post them to this
> newsgroup instead. Thankyou!



Fri, 19 Apr 2002 03:00:00 GMT  
 script encoder



Quote:


> > Yes, but no, the encryption is trivial to defeat - in fact IMO, so trivial
> as
> > to wonder why MS put it in, something a fraction stronger would've cost
> little
> > effort and yet had a more real effect.  but feel free to use it.

> Hi,

> It's not encryption - it's obfuscation. Doesn't matter how "strong" we made
> it - it only takes one person to reverse engineer the algorithm and publish
> a decoding tool on a web page or a newsgroup.

As T-Man said, Good Answer, but wouldn't Windows Script Obfuscator be a less
confusing name - in any case message filed for all those "IE5 has great
encryption messages."

Quote:
> Then I see you using *MY* secret technology in one of your products, and
> sue you.

Already getting into the American habit I see :-)

Quote:
> Because we're not using real encryption (which would be too expensive), any
> form of encoding will be equally as trivial to break. Given that rule, it's
> best to make a simple algorithm that is not CPU intensive and is less likely
> to have code defects.

Would this not have been an opportunity to create a byte-code that would lead
to faster executing scripts? if Obfuscation was your only aim? - Any thoughts
in that direction?

Also any chance ECMAScript 3.0/4.0 reserved words as early as possible? or
have no new ones been added?

Jim.



Sat, 20 Apr 2002 03:00:00 GMT  
 script encoder
Peter,

    Shades of MBasic and Save "progname.bas" /p

    I understand your reply and the reason for the obfuscation.

    Now that I know ... I'll have to try it out.

    Thanks,

    Les J
--
Remove 'n_o_s_p_a_m' to respond.


Quote:


> > Yes, but no, the encryption is trivial to defeat - in fact IMO, so
trivial
> as
> > to wonder why MS put it in, something a fraction stronger would've cost
> little
> > effort and yet had a more real effect.  but feel free to use it.

> Hi,

> It's not encryption - it's obfuscation. Doesn't matter how "strong" we
made
> it - it only takes one person to reverse engineer the algorithm and
publish
> a decoding tool on a web page or a newsgroup.

> The point of the encoder is not to encrypt or otherwise make your pages
> unreadable by a determined hacker. It is to make them impossible to read
"by
> mistake". In other words, say I sell you an ASP-based JScript web
> application for $10,000 and it has lots of secret code in it. In the
license
> I say you may not look at the source code, reverse engineer it, etc.

> Now, obviously you have a valid reason to look at the ASP pages (to change
> the HTML source code, for example) and you could quite easily
"accidentally"
> read some of the JScript code. Now even if you don't intentionally use it
> later on, you may remember something you saw and inadvertently use it
later
> on. Then I see you using *MY* secret technology in one of your products,
and
> sue you.

> How am I going to prove that you deliberately and maliciously stole my
> ideas, when you had a legitimate reason to be viewing the source code in
the
> first place? But if, in order to see my source code, you have to decode
the
> page (no matter how simple the decoding mechanism is), then I have a
better
> chance of proving you were up to no good.

> Because we're not using real encryption (which would be too expensive),
any
> form of encoding will be equally as trivial to break. Given that rule,
it's
> best to make a simple algorithm that is not CPU intensive and is less
likely
> to have code defects.

> Peter

> --
> Peter J. Torr - Microsoft Windows Script Program Manager

> Please do not e-mail me with questions - post them to this
> newsgroup instead. Thankyou!



Sat, 20 Apr 2002 03:00:00 GMT  
 script encoder

Quote:
> As T-Man said, Good Answer, but wouldn't Windows Script Obfuscator be a
less
> confusing name

Hey,

Are you nuts?!?!? :-)

How many people outside of computer security know what obfuscation is? (OK,
I'm not in computer security and I know, but hey... ;-) ). I think "Encoder"
gets the message across well enough, although some people are a little
optimistic and think encode===encrypt.

Quote:
> Already getting into the American habit I see :-)

That's defamation of character! You'll be hearing from my lawyers ;-)

Quote:
> Would this not have been an opportunity to create a byte-code that would
lead
> to faster executing scripts? if Obfuscation was your only aim? - Any
thoughts
> in that direction?

Not sure what direction my thoughts are in... probably due west when I'm
sitting at my desk.

Quote:
> Also any chance ECMAScript 3.0/4.0 reserved words as early as possible? or
> have no new ones been added?

Hmmm (again). "try-throw-catch-finally" have been added as official
keywords. Amazingly, "finally" was in JScript 5.0, just not documented! Try
it out! :-). "instanceof" is also now a keyword, but I'm not sure if that
was in the standard before (and opening the ECMA 2 document is too much like
hard work right now ;-) ).

Lots of new functions have been added to the various prototype objects, but
I can' really say what until... well, until quite soon, actually.

Peter

--
Peter J. Torr - Microsoft Windows Script Program Manager

Please do not e-mail me with questions - post them to this
newsgroup instead. Thankyou!



Sat, 20 Apr 2002 03:00:00 GMT  
 script encoder



Quote:


> > As T-Man said, Good Answer, but wouldn't Windows Script Obfuscator be a
> less
> > confusing name

> Hey,

> Are you nuts?!?!? :-)

I thought you knew....

Quote:
> How many people outside of computer security know what obfuscation is? (OK,
> I'm not in computer security and I know, but hey... ;-) ). I think "Encoder"
> gets the message across well enough, although some people are a little
> optimistic and think encode===encrypt.

Sorry too much Perl I guess... I was just thinking along the number of
newsgroups postings, jumping up and down going  "can too protect your
code..." - but I've got your message to throw at them now, so it's okay...

Quote:
> > Also any chance ECMAScript 3.0/4.0 reserved words as early as possible? or
> > have no new ones been added?

> Hmmm (again). "try-throw-catch-finally" have been added as official
> keywords. Amazingly, "finally" was in JScript 5.0, just not documented! Try
> it out! :-). "instanceof" is also now a keyword, but I'm not sure if that
> was in the standard before (and opening the ECMA 2 document is too much like
> hard work right now ;-) ).

<Ctrl-X><Ctrl-f>D:/do<tab>e<tab>.t<tab><Ctrl-S>reserved
w<ret><Ctrl-S>7.4.1<ret>  and they are - you're obviously using the wrong
tools (openning the pdf now that is too much hard work.)

But yeah they were all reserved before.

Quote:
> Lots of new functions have been added to the various prototype objects, but
> I can' really say what until... well, until quite soon, actually.

Well December presumably.. Do you get a free junket to Switzerland out of it?

Jim.



Sun, 21 Apr 2002 03:00:00 GMT  
 script encoder

[try/catch, etc.]

Quote:
> But yeah they were all reserved before.

Correct, but they were not keywords! They are now keywords, meaning they
should actually do something!

Quote:
> > Lots of new functions have been added to the various prototype objects,
but
> > I can' really say what until... well, until quite soon, actually.

> Well December presumably.. Do you get a free junket to Switzerland out of

it?

Yeah, hopefully. Or maybe.... But no-one's offering me a free trip to
Europe, unfortunately. I am going back to Australia over New Year though!

Peter

--
Peter J. Torr - Microsoft Windows Script Program Manager

Please do not e-mail me with questions - post them to this
newsgroup instead. Thankyou!



Mon, 22 Apr 2002 03:00:00 GMT  
 
 [ 8 post ] 

 Relevant Pages 

1. VB / Script Encoder question for the MVP Scripting team

2. Script Encoder Beta 1 Released to the scripting web site

3. Script Encoder Beta 1 Released to the scripting web site

4. Script Encoder Beta 1 Released to the scripting web site

5. Script encoder and script debugger

6. Encode scripts using Scripting.Encoder

7. Windows Script Encoder

8. Script Encoder for mixed lang file

9. URGENT**Script Encoder Problem

10. Script Encoder 1.0 error

11. windows script encoder on Unix

12. Script Encoder Error

 

 
Powered by phpBB® Forum Software