Jaa


I hate people viewsourcing my code

I hate people viewsourcing [hey ! I coined a new word :)] my code, what do I do ?

People who did not understand my newly invented word even after spending 5 or more seconds, please do not bother.. read on

Lets suppose I designed a great web page which contains some cleverly designed scripts and I want to protect its source code what do I do ? There are multiple ways, one of the common way is encoding using Microsoft Script Encoder ( It's a simple command line tool)

It's all good for a simple web page, but things are not so easy when we add a few variables like: what if your page dynamic ? ( e.g. being generated using some server side code), or what if you want to protect some XML data or HTML data ? (something important like connection string)

I recently handled one case like this, instinctively I suggested using "Microsoft Script Encoder" but on further discussion with the customer, I realized they finally need to protect HTML/XML not a script and their page is dynamically generated using ASP.

Now, running a command line tool on a web server is surely not a great idea [ok..sorry ..all generalizations are false!]. But still its not even not a great way of coding where you would need to persist your dynamically generated page to the disk then programmatically launch a commandline tool which will convert the page to the encoded page and sending this page to the user agent.

On researching further I realized that "Microsoft Script Encoder" uses "Microsoft Scripting Runtime" Scripting.Encoder object under the hoods.. so I thought of playing with it a bit..just to give you a backgrounder [oh..new word again! Are you reading this oxford !], I never used encoder object before this case came to me. When I looked for the documentation for this object, it was limited [I just want to avoid saying that there was no documentation.. but don't worry, I already looped in MSDN support].

So, the only option was playing with it, after some trial, error and testing I was able to device the following method for achieving the desired results:

1)    Create an object of “Scripting.Encoder” (e.g oScrEnc)
2)    Rather than directly writing the HTML that’s generated on server side wrap it in “document.write” [because script encoder or Microsoft Scripting Runtime can only encode script] and store it in a string (e.g strHTML )
3)    Pass this string in EncodeScriptFile (e.g oScrEnc.EncodeScriptFile(“.js”,strHTML, 0, “js”)). This will return the encoded script.
4)    Now, write the encoded script wherever you want in your page in between <script language = Jscript.Encode> </script> [note the language attribute, that’s required for the browser to understand the encoded script]

Have a look at the following code snippet for the completed code:  

[We are not talking about protecting the source code from seasoned hackers, its about protecting it from the people who will do a quick view source and put the script in their web page]

Technorati tags: Encoding, Microsoft Blogger, Script Encoder, Troubleshooting, Microsoft Script Encoder

del.icio.us tags: Encoding, Microsoft Blogger, Script Encoder, Troubleshooting, Microsoft Script Encoder

Encode.asp

Comments

  • Anonymous
    June 14, 2007
    I hate people viewsourcing [hey ! I coined a new word :)] my code, what do I do ? People who did not

  • Anonymous
    June 14, 2007
    Why invest so much time in obfuscating the code when, as you mention, someone that knows what they're doing will be able to get around it anyway. How about sprinkling your clever code with comments so people can understand exactly what you're doing.  Make it as modular as possible and write up a short readme so people can get an idea of how it works.  Put your email address in the code so people will have a place to go with questions or ideas for enhancements. Maybe that person viewsourcing your code will be able to stand on your shoulders and make something even cooler. Six months from now you might see your code doing something you never even thought of - that's the beauty of the open web.  Share with others and we all improve. I agree 101% whatever you say in (2) and (3) para. About why to invest so much time in obfuscating the code ? here are my views: 1) Doing and improving in obfuscation is always a good mental exercise :) 2) Not everybody is a programmer or somebody who knows how to get around the obfuscated code, he may not even know what obfuscation of the code is ..or.. ok.. the point is, sometimes you just want to make your code unreadable for a specific group, and believe it or not, there are groups in which just a page sprinkled with obfuscated variable names and method names will make the code useless[to borrow ]for users, and offcourse some groups are other extreme .. so my friend, it’s all relative.. and all generalizations are false

  • Anonymous
    June 14, 2007
    The comment has been removed

  • Anonymous
    June 15, 2007
    The comment has been removed