Coding Forum

**web20sitemakerp** · 02:38 PM

This is really a Unix-ish type question. Here's the scenario.

I developed a perl script offline that users will be able to install on their own webservers. For obvious reasons, part of the script has been "ofusicated". The code that 'unscrambles' that script - a single substitution line - is currently "hidden" in the libs folder which cannot be accessed by the user. Thus, the user sees a jumbled code, but cannot see the code required to unjumble.

However, I now find that to put a file into the "lib" directory requires root access, (I'm on a shared server) So that has sort of "messed up" that solution!!

Then I wondered if I could place the decoder in a folder within my webspace ... but now of course, that's visible to anyone using their FTP browser.

So I either need to make that file "vanish", or be put somewhere that cannot be seen by the FTP browser. Anyone any ideas???

**TwistMyArm** · 02-20-2008, 03:37 PM

Obfuscated code shouldn't have to be 'decoded'... it should still work entirely as it is. Just so we are all on the same page: is your code obfuscated (whereby all functions, variables and so on are renamed so as to be meaningless) or has it been 'encrypted' in some way that actually requires decrypting before running?

**web20sitemakerp** · 02-21-2008, 07:35 AM

For obvious reasons, I cannot reveal the whole code, so I have provided "snippets" so you get the concept.

The first part within the "use dml" and "no dml" tags is the script, which I think you'll agree is obfusicated(!)

The FILTER at present resides in the lib library area in my offline test area. A you can see, it reverses the code so that it becomes legible again.

Now providing all the user sees is the script, they will not be able to see what's happening. If they can view the filter too, they could - albeit slowly - decipher the script.

So my options is to "hide" the obfusicated part, or make sure the filter is in a place that cannot be normally accessed, (ie I install it in "folderX" via my installer routine)

Hope this helps.

use dml;
qfrvjqf 1_!nk_fqq.ok1_!1_I1_1dpcfl_Iobqbn!_10_0d0_0!_!1_I@ ...
no dml;

FILTER {
$_=~s/1_1/\$/g;
$_=~s/1_!/"/g;
$_=~s/1_I/\;/g;
$_=~s/1_l/\//g;
$_=~s/!_1/\(/g;
..
.
$_=~tr/[acegikmoqsuwybdfhjlnprtvxzBDFHJLNPRTV ...]/[bdfhjlnpr ...]/g;

**TwistMyArm** · 02-21-2008, 08:43 AM

Quote:

Originally Posted by web20sitemakerp

The first part within the "use dml" and "no dml" tags is the script, which I think you'll agree is obfusicated(!)

For the exact reasons I laid out above, I do NOT agree that it's obfuscated... that is 'encrypted' more than anything, but I wouldn't call if obfuscated. It may sound like I'm nitpicking here, but it is important that we all know exactly what we mean when we use certain words. I'm not saying that one of us is right and one of us is wrong, I'm just saying that we need to agree on definitions for the course of the thread.

Anyway, generally there is no real way to hide what you are trying to hide, the way you are trying to hide it. Even if you hide the library somewhere, that doesn't really change things as at some point the script that the user DOES have access to will have to access the library and do the decryption before running the code... and you're assuming that that script DOES run the code and DOES NOT, instead, dump the unencrypted code to a file, for example...

**web20sitemakerp** · 02-21-2008, 09:49 AM

I'm sure an experienced perl user could crack the script given time, although it should thwart the average user. I have written several scripts, but I still class myself as an amateur. I don't use all this cryptic stuff such as $0, $$; I write it all "long hand", using for loops and conectation etc. I mention that as I don't THINK there is a way to print the encrypted code to a file.

You see, the encoded script is called from another script. Its decoded and then run by host script in memory. Could they add a code within the original script to print the code in memory to an external file? I don't know.

See, what I'm trying to avoid is allowing others to sell my software to others. My theory being that if there was a "key" hidden away, (the filter within the library), then the scripts wouldn't run if other people simply installed the files they found installed within the CGI-BIN on their server. (And the average person wouldn't know the "key" existed as they wouldn't be able to read the "encrypted" script. Of course, if the "key" is in the same folder as the rest of the cgi scripts, it sort of defeats the object.

I suppose the best option would be a host who would place the file in libs, and then offer my software as only running on a particular host.