HTAs, code protection and resource compiling.

runonthespot

Hi all,

Don't know how many out there actually use HTA's, but I do, and am
looking at protecting javascript code associated with one I look after.

This HTA runs off a network drive, not a webpage.

Basically I've read that it's possible to compile js files and the like
to a "Resource file", and then access it using a call to the res://
protocol.

The trouble is I can't find any information on where to get the
resource compiler from, and how to actually create this resource dll,
does anyone know how to do this, or where I can get a tutorial to step
me through this.

I basically want to protect my js code (at least superficially) from
prying users. Because of the code complexity (it generates html
pages), I've had no luck with obfuscation, and it tends to break the
code irreparably.

Thanks for any help
Mike
 
VK

runonthespot said:
Hi all,

Don't know how many out there actually use HTA's, but I do, and am
looking at protecting javascript code associated with one I look after.

This HTA runs off a network drive, not a webpage.

Basically I've read that it's possible to compile js files and the like
to a "Resource file", and then access it using a call to the res://
protocol.

The trouble is I can't find any information on where to get the
resource compiler from, and how to actually create this resource dll,
does anyone know how to do this, or where I can get a tutorial to step
me through this.

I basically want to protect my js code (at least superficially) from
prying users. Because of the code complexity (it generates html
pages), I've had no luck with obfuscation, and it tends to break the
code irreparably.

Thanks for any help
Mike

If the browser compatibility is not an issue, you may use Microsoft
Script Encoder. It's not some long-key encryption, but still times
better than any home made obfuscator.

<http://www.microsoft.com/downloads/...67-C447-4873-B1B0-21F0626A6329&displaylang=en>

<http://msdn.microsoft.com/library/d.../en-us/script56/html/seusingscriptencoder.asp>
 
runonthespot

Alas, I've tried it but get an incomprehensible
"Script encoding failed" when I attempt to encode my js files.

I flailed around the net a bit, but haven't been able to find any
resource that gives me enough information to work out what I should be
looking for in my js pages that would make it fail.
 
runonthespot

.... but thanks for the suggestion!

Any idea where I can find a guide as to why/where the encoder might
fail, so I could potentially fix it?

Regards,
Mike
 
VK

Alas, I've tried it but get an incomprehensible
"Script encoding failed" when I attempt to encode my js files.

Strange, it works just fine for me. Check your syntax again:

<html>
<head>
<title>Microsoft Encoder Test</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script language="JScript.Encode" src="sourceEncoded.jse"></script>
</head>
<body bgcolor="#FFFFFF">
</body>
</html>

1) You must use the language declaration strictly this way:
language="JScript.Encode"

2) You have to manually assign the .jse extension to the encoded file:
screnc plainScript.js encodedScript.jse

As sucky Google News seems not to allow attachments, I put all relevant
files here:
<http://www.geocities.com/schools_ring/EncodingTest.zip>
 
runonthespot

Google groups is a bit sucky, but at least I can access it from work
:)

That worked fine, but the problem for me occurs in the encoding process
itself.
Using the Windows Source Encoder, and from the command line running the
code comes up with
"Encoding failed" when trying to create the jse file in the first
place. I can't seem to find anything on the net that explains the
limitations of the encoder.

Interestingly, I couldn't even compile the original source file you
provided ... I guess this is some kind of encoder failure on my box...
(Windows 2000, SP4)

"Scripting encoder object ("Scripting.Encoder") failed on
c:\test\sourcePlain.js"

Thoughts?

Thanks for the trouble you're going to!
 
runonthespot

Aha!
Bingo. I figured out after some trawling that it might be a version
issue, and installed Windows Scripting Host 5.1, which seems to have
fixed the encoder.

Installing 5.5 on top of that and it still works-- must have been
something in 5.1 forgotten in 5.5...

Thanks for your help!
 
VK

runonthespot said:
Google groups is a bit sucky, but at least I can access it from work
:)

That worked fine, but the problem for me occurs in the encoding process
itself.
Using the Windows Source Encoder, and from the command line running the
code comes up with
"Encoding failed" when trying to create the jse file in the first
place. I can't seem to find anything on the net that explains the
limitations of the encoder.

Interestingly, I couldn't even compile the original source file you
provided ... I guess this is some kind of encoder failure on my box...
(Windows 2000, SP4)

"Scripting encoder object ("Scripting.Encoder") failed on
c:\test\sourcePlain.js"

Thoughts?

There are a number of "pseudo-screnc" programs on the Internet. Some
amateurs are hiding their home made obfuscators under the "loud name"
of the Microsoft product.

1) So first of all make sure that you're using THAT screnc.exe. Go to
the address below and obtain a copy of the latest version. It's free
but requires a legal copy of Windows (runtime check will be done). I
hope it's not a problem? ;-)

Even if you are absolutely sure that you have THAT screnc, still
install the right copy from scratch, please.

<http://www.microsoft.com/downloads/...67-C447-4873-B1B0-21F0626A6329&displaylang=en>


2) screnc is a DOS program; no Windows interface is provided. To make
your future life easier, install it to some 8.3-compliant path.
c:\screnc would be a good choice.

3) Unpack my zip to c:\screnc and remove sourceEncoded.jse

4) Now run MS-DOS prompt and type:
cls<enter>
cd c:\screnc<enter>
screnc sourcePlain.js sourceEncoded.jse<enter>

sourceEncoded.jse should appear in your c:\screnc\ directory.

Tell me if it fails.

Thanks for the trouble you're going to!
No problem, I'm just sharing what I already used for a while.
Plus *sometimes* I'm getting some sadistic pleasure to talk about things
no one but IE can do :)
 
michael elias

Hi,

I too use HTA's a lot and use a resource DLL to store all my script
files and images.

To create a resource DLL you have to create a resource description
file. Then compile this file with a resource compiler which will give
you a .RES file. This file must be used in a linker to create a DLL
file. Check this website for the tools and more explanation.
http://www.godevtool.com/
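
The three steps described in the post above (description file, .RES, DLL), as an added example that is not part of the original thread. It assumes Microsoft's rc.exe and link.exe are on the PATH instead of the tools from the linked site; appres.*, main.js and logo.gif are hypothetical names.

```bat
@echo off
rem Added example: build a resource-only DLL that holds an HTA's files.
rem Assumption: rc.exe and link.exe (Microsoft toolchain) are on the PATH.
rem Assumption: main.js and logo.gif exist in the current directory.

rem Step 1: write the resource description file.
rem Each line is: NAME TYPE "file". Type 23 is RT_HTML, the type the
rem res: protocol looks up when the URL does not name a type.
> appres.rc  echo MAIN.JS  23 "main.js"
>> appres.rc echo LOGO.GIF 23 "logo.gif"

rem Step 2: compile the description into a binary .RES file.
rc /fo appres.res appres.rc
if errorlevel 1 exit /b 1

rem Step 3: link the .RES into a DLL that contains resources only.
rem /NOENTRY means the DLL has no code and no entry point.
link /NOLOGO /DLL /NOENTRY /MACHINE:X86 /OUT:appres.dll appres.res
if errorlevel 1 exit /b 1

echo Built appres.dll
```

The HTA then loads the script with a URL of the form `res://<path to appres.dll>/MAIN.JS`. Any resource viewer can extract the files from the DLL again, so this hides the source from casual browsing of the share and nothing more.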
 
VK

michael said:
Hi,

I too use HTA's a lot and use a resource DLL to store all my script
files and images.

To create a resource DLL you have to create a resource description
file. Then compile this file with a resource compiler which will give
you a .RES file. This file must be used in a linker to create a DLL
file. Check this website for the tools and more explanation.
http://www.godevtool.com/


And another bit of this kind (but this I never tried):

you may install the free Microsoft .NET Framework, it has JScript
compiler in it (jsc.exe) This way you can compile .js files into .exe
or .dll

But this is getting too much I guess...
 
Baconbutty

If the browser compatibility is not an issue, you may use Microsoft
Script Encoder

A quick Google search will usually reveal lots of decoders on the
market, so it offers no protection.

Assuming you only want compatibility with IE, another alternative to
look at is a web-book compiler.

I use WebPacker from http://www.bersoft.com/webpacker/index.htm

It is paid for software but it does a good job - I am not on commission!
 
runonthespot

Hmm thanks all.

I'll do some research on the resource compiler- at godev-- that looks
useful.
I'm not sure about JSC and .NET-- as unfortunately it's very
non-trivial to get the .NET runtimes installed in a corporate
environment.

Baconbutty, I guess rugged protection is not my issue-- I'm not running
from a browser nor using a webserver. I run this from a network
similar to an exe. The joy of HTA is the relative ease of development,
and being able to leverage a very complete presentation language (Well,
HTML isn't perfect, but it certainly is flexible enough for my needs).

The only issue with HTA's is that they are like html pages-- uncompiled
and readable to a user. I'm fairly confident that script encoding is
the answer here for me, but like the idea of resource compilation too,
dll's being like kryptonite to the average user...!
 
runonthespot

VK,
I have one last quick question about source encoder, now I've
thankfully solved the versioning issue--

How does one reference the functions in a script from outside of the
encoded bit?

Quite often I'd have something like

<script ... etc src="test.jse"></script>
<table>
<tr>
<td onclick = "xyz ()"> Where this function exists in test.jse
</td>
</tr>
</table>

But this now seems to fail?
 
Baconbutty

One rough option would be to give td an id or other attribute and pick
up the click when it has bubbled up to the document.

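e.g.

<td id=myTD></td>


document.onclick = function (eEvent)
{
    // IE (and therefore HTAs) expose the event as window.event;
    // other browsers pass it in as the first argument.
    var eClicked = eEvent ? eEvent.target : window.event.srcElement;

    var sID = eClicked.id;

    switch (sID)
    {
        case "myTD":   // must match the id given to the td above
            xyz();
            return;
    }
};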
 
VK

runonthespot said:
VK,
I have one last quick question about source encoder, now I've
thankfully solved the versioning issue--

How does one reference the functions in a script from outside of the
encoded bit?

Quite often I'd have something like

<script ... etc src="test.jse"></script>
<table>
<tr>
<td onclick = "xyz ()"> Where this function exists in test.jse
</td>
</tr>
</table>

But this now seems to fail?


Another specific of your installation?

<http://www.geocities.com/schools_ring/encodingTest2.zip>

Works just fine for me. Does it for you?


About the possibility to decode the encoded source: of course "caring
people" already provided decoders and you can get them from the
Internet.

There are no unbreakable codes. It's all a question of knowledge,
time and resources.

Still as I said it's times better than some escape()/no-space
obfuscator.

There is also another fine detail here: script encoded with Microsoft
screnc falls under the category of "compiled code".

So if anyone uses a decoder to reach your source code, it's called
"reverse engineering with intention to bypass license limitations".

The difference between this and simple use of a 3rd party .js file is
like between an armed robbery and a shop lifting. So in this case your
rights are much better protected. At least in some lawyer places like
Bay Area or so :)
 
runonthespot

.... um ... it works now :)

Must have been some other unrelated coding problem. Yes-- the
difficulty to decompile (making it an explicit activity in this case)
is sufficient for my purposes.

It's actually a simple report generator, and frankly, would be easier
to circumvent by simply faking the report...

It's been fun too-- a versatile solution based on javascript generated
XSLT templates rendered in HTML-- it's provided a degree of flexibility
and extensibility that was perfect for its purpose.

Thanks for your help all.
 
