Archive for January 4th, 2007
Protecting Web Scripts
If you are in web development and want to keep your client-side or server-side script from getting into the wrong hands, read on. All applications (including Internet Explorer 5.0 and above and IIS) that use Microsoft Scripting runtime and above are capable of executing scripts which are in an encoded form. However, browsers other than IE will not be able to handle the script.
The best application of this encoding is for HTA files (HTML Applications), which are desktop applications that are executed by Internet Explorer (I will take it later sometime).
How to encode the scripts? Microsoft has made available a command-line utility, SCRENC, which allows you to do it. As the encoding method is available with “Microsoft Scripting Runtime”, why not develop a GUI for it?
Create a project and create references to “Microsoft ActiveX Data Objects 2.6 Library” (we will use its stream object to read from and write to files) and “Microsoft Scripting Runtime” (for encoding the script).

Add two TextBoxes named “txtFileOpen” and “txtFileSaveTo”, which will hold the input and output file names, and two buttons, “cmdOpen” and “cmdSaveAs”, beside them. Create a checkbox “chkSaveToOriginal” and a comboBox “cmbScript” which lists the items (Default), VBScript and JScript. Add a CommonDialog control “dlgFileDialog”, available with “Microsoft Common Dialog Control 6.0”, and lastly a button “cmdEncode” which will handle the encoding.
Add code for the “Open” button, which will open an Open dialog when clicked. On selecting a file, the name is populated in the relevant textBox.
Private Sub cmdOpen_Click()
    dlgFileDialog.ShowOpen
    If Trim(dlgFileDialog.FileName) <> "" Then
        txtFileOpen.Text = dlgFileDialog.FileName
    End If
End Sub
Similarly, add code for the “Save As…” button, which will open a Save As dialog when clicked. On giving a filename, the name is populated in the relevant textBox.
Private Sub cmdSaveAs_Click()
    dlgFileDialog.ShowSave
    If Trim(dlgFileDialog.FileName) <> "" Then
        txtFileSaveTo.Text = dlgFileDialog.FileName
    End If
End Sub
Now add code for the checkbox. This ensures that if the encoded file is to be written over the original file, the controls for specifying the Save As filename are disabled.
Private Sub chkSaveToOriginal_Click()
    If chkSaveToOriginal.Value = 1 Then
        txtFileSaveTo.Enabled = False
        cmdSaveAs.Enabled = False
        txtFileSaveTo.Text = txtFileOpen.Text
    Else
        txtFileSaveTo.Enabled = True
        cmdSaveAs.Enabled = True
    End If
End Sub
Add code for txtFileOpen so that every time its value changes and the checkbox is checked, the filename in txtFileSaveTo reflects the same name.
Private Sub txtFileOpen_Change()
    If chkSaveToOriginal.Value = 1 Then
        txtFileSaveTo.Text = txtFileOpen.Text
    End If
End Sub
Now, finally, the code for the “Encode” button. The ADODB stream object takes care of reading and writing the file, and the encoding is done by the EncodeScriptFile method of Scripting.Encoder, which takes as parameters the file extension, the text string, a conversion flag and the default script. The default script is useful for ASP pages, where the scripting language (VBScript/JScript) may not be declared. For other cases an empty string may suffice. It is for this reason that we have added the comboBox.
Private Sub cmdEncode_Click()
    Dim objEncoder As New Scripting.Encoder
    Dim objStream As New ADODB.Stream
    Dim strOriginalCode As String
    Dim strEncodedCode As String
    Dim strFileExt As String
    Dim strDefScript As String

    ' Read the original script text from the input file
    objStream.Open
    objStream.LoadFromFile txtFileOpen.Text
    strOriginalCode = objStream.ReadText
    objStream.Close

    ' File extension, including the dot, taken from the input file name
    strFileExt = Mid(txtFileOpen.Text, InStrRev(txtFileOpen.Text, "."))

    ' Default scripting language; an empty string when (Default) is selected
    If cmbScript.Text = "(Default)" Then
        strDefScript = ""
    Else
        strDefScript = cmbScript.Text
    End If

    ' Encode the text, passing the default language chosen in the comboBox
    strEncodedCode = objEncoder.EncodeScriptFile(strFileExt, strOriginalCode, 0, strDefScript)

    ' Write the encoded text to the output file, overwriting it if it exists
    objStream.Open
    objStream.WriteText strEncodedCode
    objStream.SaveToFile txtFileSaveTo.Text, adSaveCreateOverWrite
    objStream.Close

    Set objStream = Nothing
    Set objEncoder = Nothing
    MsgBox "Encoding Finished", vbInformation
End Sub
The application is complete and you can encode all your scripts one by one. However, be aware that a decoding utility may be available to dedicated hackers. To be positive, you don’t stop living fearing death.
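Since the encoding can be reversed, anyone reviewing HTA, ASP or HTML files mainly needs to recognize when a script has been encoded. The following is an added example, not part of the original post: a Python scanner that flags Script Encoder output by its #@~^ ... ^#~@ markers and the VBScript.Encode / JScript.Encode language names. The function name, the finding labels and the sample bytes are assumptions constructed for illustration.

```python
import base64
import re

START = b"#@~^"  # marker that opens Script Encoder output
# Start marker, 8-character base64 length field, body, end marker.
# Assumption: this layout follows public descriptions of the encoded format.
ENCODED_BLOCK = re.compile(rb"#@~\^([A-Za-z0-9+/]{6}==)(.*?)\^#~@", re.DOTALL)
# Language names used for encoded script in <script> tags and ASP directives.
ENCODED_LANG = re.compile(rb"\b(?:VBScript|JScript)\.Encode\b", re.IGNORECASE)

# Constructed sample: an HTA-like page with a placeholder body (not real
# encoder output), one plain script, and one truncated marker.
SAMPLE = (
    b'<html><head><hta:application></head>\n'
    b'<script language="VBScript.Encode">#@~^DgAAAA==not-real-body!^#~@</script>\n'
    b'<script language="JScript">var plain = 1;</script>\n'
    b'<script>#@~^truncated</script>\n'
)


def find_encoded_script(data):
    """Return (kind, offset, detail) tuples for encoded-script indicators."""
    findings = []
    pos = data.find(START)
    while pos != -1:
        match = ENCODED_BLOCK.match(data, pos)
        if match:
            # The length field is a 4-byte little-endian integer in base64.
            declared = int.from_bytes(base64.b64decode(match.group(1)), "little")
            findings.append(("encoded-block", pos, declared))
            pos = data.find(START, match.end())
        else:
            # Start marker without a valid length field or end marker:
            # truncated or hand-edited content that still deserves a look.
            findings.append(("malformed-marker", pos, None))
            pos = data.find(START, pos + len(START))
    for match in ENCODED_LANG.finditer(data):
        findings.append(("language-attribute", match.start(), match.group(0).decode()))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for finding in find_encoded_script(SAMPLE):
        print(finding)
```

A file that yields any of these findings contains encoded script and can be set aside for manual review.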


