I found way to protect Source Code! :)

ruby-talk
1

Hello!

Hope I found way how to protect Ruby sources.

The Super Product has been created and now we want to sell it. But there
is one problem, we are forced to distribute sources with it.

Solution? - The 'BlackBox' machine. :slight_smile:

We take a computer, setup Linux with encrypted file system and install
our solution. The 'BlackBox' is fully functional as a web server and the
sources are also protected.
So, we can sell these 'BlackBox'es.

I've heard, that there is a way to hack Linux encrypted data if there is
a physical access to server-machine, but as far as i know it's hard
enough.

···

--
Posted via http://www.ruby-forum.com/.

2

Alexey Petrushin wrote:

Hello!

Hope I found way how to protect Ruby sources.

The Super Product has been created and now we want to sell it. But there
is one problem, we are forced to distribute sources with it.

Solution? - The 'BlackBox' machine. :slight_smile:

We take a computer, setup Linux with encrypted file system and install
our solution. The 'BlackBox' is fully functional as a web server and the
sources are also protected.
So, we can sell these 'BlackBox'es.

I've heard, that there is a way to hack Linux encrypted data if there is
a physical access to server-machine, but as far as i know it's hard
enough.

Unless one of your developers is going to type in the encryption key
every time the computer gets rebooted, then the key and/or passphrase
will have to be stored on that computer unencrypted. Which means that
if someone has physical access it will be trivial to gain access to the
encrypted data.

You only solution there is probably going to be to host the website in
your own datacenter and give clients access to it over the internet.

···

--
Posted via http://www.ruby-forum.com/\.

3

As long as the system is up and running, the encrypted file system is accessible as if it were not encrypted. Without securing the system against intrusion in that state encryption is pointless.

Josef 'Jupp' Schugt

···

On Thu, 16 Oct 2008 13:43:37 +0200, Alexey Petrushin <axyd80@gmail.com> wrote:

We take a computer, setup Linux with encrypted file system and install
our solution. The 'BlackBox' is fully functional as a web server and the
sources are also protected.

--
Blog: http://penpen.goodaddress.eu/
PGP key (id 6CC6574F): http://wwwkeys.de.pgp.net/
Jabber - http://www.jabber.org/ - contact information on request

4

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

Ade

···

--
Posted via http://www.ruby-forum.com/.

5

Hello

Anyone know how to do domainbase encoding with rubyencoder?

Thanks

···

--
Posted via http://www.ruby-forum.com/.

6

Both of these "solutions" are useful for keeping honest people honest,
but won't protect you against a determined attacker.

···

On Thu, Oct 16, 2008 at 2:20 PM, Ade Inovica <adrian.teasdale@gmail.com> wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -- Benjamin Franklin

7

Ade Inovica wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

The last time you advertised this product here, we had proven the claims
on your website to be false.

You have not made any changes or corrections to the website since.

···

--
Posted via http://www.ruby-forum.com/\.

8

Thou shallst not hijack threads!

robert

···

On Mon, Sep 9, 2013 at 2:20 PM, rakesh patel <lists@ruby-forum.com> wrote:

Anyone know how to do domainbase encoding with rubyencoder?

--
remember.guy do |as, often| as.you_can - without end
http://blog.rubybestpractices.com/

9

Solution? Translate it into perl.

Then no one can read it. :wink:

John Carter Phone : (64)(3) 358 6639
Tait Electronics Fax : (64)(3) 359 4632
PO Box 1645 Christchurch Email : john.carter@tait.co.nz
New Zealand

···

On Fri, 17 Oct 2008, Aaron Turner wrote:

On Thu, Oct 16, 2008 at 2:20 PM, Ade Inovica <adrian.teasdale@gmail.com> wrote:
Both of these "solutions" are useful for keeping honest people honest,
but won't protect you against a determined attacker.

10

Mike Gold wrote:

Ade Inovica wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

The last time you advertised this product here, we had proven the claims
on your website to be false.

Could you suggest anything real to protect the Ruby code? We are still
working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it. We are not just
Ruby enthusiasts and we are doing a real project. I wish we choose C to
develop our product and then have no problems in protecting the code.
But we use Ruby now for many reasons...

We do not want any conversions like Ruby to C or JRuby. We do not need
or want Java for its slowness. (We just do not need Java - don't want to
get into a battle with Java fans :slight_smile: And also we understand there is no
ideal 100% proved protection solutions for any language. I know there
are some good encoders for PHP but what do we have for Ruby?

···

--
Posted via http://www.ruby-forum.com/\.

11

> Interesting solution. May I also suggest that you try
> www.rubyencoder.com as this protects Ruby source code also. I am
> involved in this project (disclaimer!) but thought it was appropriate to
> mention it

Both of these "solutions" are useful for keeping honest people honest,

I might dispute that. . . .

but won't protect you against a determined attacker.

. . . but not that.

···

On Fri, Oct 17, 2008 at 07:23:32AM +0900, Aaron Turner wrote:

On Thu, Oct 16, 2008 at 2:20 PM, Ade Inovica <adrian.teasdale@gmail.com> wrote:

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
McCloctnick the Lucid: "The first rule of magic is simple. Don't waste
your time waving your hands and hopping when a rock or a club will do."

12

Found link to RubyEncoder on InfoQ (
RubyEncoder: Obfuscation and Code Protection for Ruby ), and just for fun,
decided to look how difficult would it be to crack it :slight_smile:

It turns out, that RubyEncoder uses following scheme: modified
Ruby-1.8.7 interpreter,
that stores encoded AST nodes along with encoding/restriction options,
while rgloader simply decodes it back to AST and executes.

So, using just a few quick and dirty hacks it is possible to get source back:

1) one-byte change in library to call external ruby_exic instead of ruby_exec:

···

On Fri, Oct 17, 2008 at 1:55 AM, Mike Gold <mike.gold.4433@gmail.com> wrote:

Ade Inovica wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

The last time you advertised this product here, we had proven the claims
on your website to be false.

Protecting Ruby code - Ruby - Ruby-Forum

You have not made any changes or corrections to the website since.

----------------
$ cmp -l rgloader.linux.so.original rgloader.linux.so
  4616 145 151
----------------

2) A bit patched ruby, ruby-1.8.6/eval.c to keep injected AST:
----------------
NODE *ruby_eval_hack;
int
ruby_exic(){
    volatile NODE *tmp;
    int state;

    Init_stack((void*)&tmp);
    ruby_eval_hack = ruby_eval_tree;
    state = ruby_exec_internal();
    return state;
}
----------------

3) Patch for RawParseTree in ParseTree-3.0.1/lib to retrieve sexp from
intercepted tree:
----------------
builder.prefix " #{extern_mode} NODE *ruby_eval_hack; "
builder.c %Q{
static VALUE parse_tree_full() {
        VALUE result = rb_ary_new();
        add_to_parse_tree(self, result, ruby_eval_hack, NULL);
        return result;
}
----------------

4) And, finally, simple environment to get source code back from RubyEncoder:
----------------
require 'rubygems'
require 'parse_tree'
require 'ruby2ruby'

require 'encoded_script' # protected code, you say?

RawParseTree.new.parse_tree_full().each do |sexp|
  puts Ruby2Ruby.new.process(Unifier.new.process(sexp))
end
----------------

Example:
Original:
----------------
class EncodedHelloWorld
        ENCODER_VERSION = "1.0"

        def initialize
                puts "Hello, world!"
        end
end
----------------

Encoded:
----------------
# RubyEncoder v1.0 evaluation
_d = _d0 = File.expand_path(File.dirname(__FILE__)); while 1 do _f =
_d + '/rgloader/loader.rb'; break if File.exist?(_f); _d1 =
File.dirname(_d); if _d1 == _d then raise "Ruby script '"+__FILE__+"'
is protected by RubyEncoder and requires the RubyEncoder loader.
Please visit the http://www.rubyencoder.com/loaders/ RubyEncoder site
to download the required loader and unpack it into '"+_d0+"/rgloader/'
directory to run this protected script."; break; else _d = _d1; end;
end; require _f;
RGLoader::load('AAEAAAAEaAAAAIAAAAAA/1nu5hlzvK93ynRezwoJSWaAXO0XWYMyqYojzdIsXeg/n3sTUToqkcdtx9wMbCcidZy4WpqIq2fj9tHsyREq8dCcvPsiWYISiwZ2jFHadIF3FhHZ9eLhZWJTZuRZDYG3Zk0nttbBzuP6EgAAAPgAAACl6rEqW0Dbrjuf0Nl2ehDd4mtpWkb9bP504YjdDfJj1ZM0tqmLXWMXpXnXL1kFNqoEfnws38xmo1J0E/Ziw4typ+51d572ijDg17Xz7NWj9xEykyN4uXEKn/Dt1mKExla1mnX4eAKxbnOJrNqZPDmpIJdOEqOO+/CLfQIGvvKYt11MIyTZK9I2R4J+/oNK2RGwbmzynpFKV32zxdILn4thrQx3gDLbD5ZPbfR6qWsmtJT6pyxccj7RtwGSat4BetCUKmcHR6b/qvp6rvPtaA1m/1JuuGNLUzg3tHHLkA/U14GfF4af9VyqtLQy5ww+jHB6wz4BkFe06gAAAAA=');
----------------

Output:
----------------
class EncodedHelloWorld
  ENCODER_VERSION = "1.0"
  def initialize
    puts("Hello, world!")
  end
end
----------------

13

Could you suggest anything real to protect the Ruby code? We are still
working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it. We are not just
Ruby enthusiasts and we are doing a real project. I wish we choose C to
develop our product and then have no problems in protecting the code.
But we use Ruby now for many reasons...

no, not really... anything that has ruby objects and ruby methods involved can be popped wide open. If I can get my grubby paws on it, I can play with it

We do not want any conversions like Ruby to C or JRuby. We do not need
or want Java for its slowness. (We just do not need Java - don't want to
get into a battle with Java fans :slight_smile: And also we understand there is no
ideal 100% proved protection solutions for any language. I know there
are some good encoders for PHP but what do we have for Ruby?

there is zenobfuscate which translates to C, that prevents my above statement from occurring... as others have pointed out, if you are just munging source, you're doing nothing... nothing at all to protect things. encryption? it needs to be decrypted in order to run and then you're dealing with my original claim again...

I don't know of any other method than removing the ruby source entirely.

···

On Oct 16, 2008, at 23:10 , Sasha Bee wrote:

14

Could you suggest anything real to protect the Ruby code? We are still
working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it. We are not just
Ruby enthusiasts and we are doing a real project. I wish we choose C to
develop our product and then have no problems in protecting the code.

you know C can be de-compiled right?

But we use Ruby now for many reasons...

if you believe in selling software then you believe in market forces, if you believe in market forces you believe that people will not steal when the risk to reward ratio doesn't make sense. consider micro$ and it's products: they are obfusicated, with keys, and anyone can download them from the internet along with keys in an instant. same goes for photoshop, etc. anytime the price is so high that the risk of sharing is stealing, combined with the risk of getting caught, is low, people are going to *immediately* subvert your costly efforts. it's so much simpler just to run your software as a service : so far no one has bootlegged google...

regards.

a @ http://codeforpeople.com/

···

On Oct 17, 2008, at 12:10 AM, Sasha Bee wrote:
--
we can deny everything, except that we have the possibility of being better. simply reflect on that.
h.h. the 14th dalai lama

15

haha! you are awesome. thank you for showing how easy it can be.

···

On Oct 23, 2008, at 14:36 , Dmitry Severin wrote:

Found link to RubyEncoder on InfoQ (
RubyEncoder: Obfuscation and Code Protection for Ruby ), and just for fun,
decided to look how difficult would it be to crack it :slight_smile:

16

Hello
Anyone know how to do domain base encoding with rubyencoder?

Thanks

Sasha Bee wrote in post #739510:

···

Mike Gold wrote:

Ade Inovica wrote:

Interesting solution. May I also suggest that you try
www.rubyencoder.com as this protects Ruby source code also. I am
involved in this project (disclaimer!) but thought it was appropriate to
mention it

The last time you advertised this product here, we had proven the claims
on your website to be false.

Could you suggest anything real to protect the Ruby code? We are still
working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it. We are not just
Ruby enthusiasts and we are doing a real project. I wish we choose C to
develop our product and then have no problems in protecting the code.
But we use Ruby now for many reasons...

We do not want any conversions like Ruby to C or JRuby. We do not need
or want Java for its slowness. (We just do not need Java - don't want to
get into a battle with Java fans :slight_smile: And also we understand there is no
ideal 100% proved protection solutions for any language. I know there
are some good encoders for PHP but what do we have for Ruby?

--
Posted via http://www.ruby-forum.com/\.

17

Remember DOS games? These employed many baroque copy protection
schemes including specially formatted or perhaps even specially
manufactured floppies so that nobody could make a copy with standard
software or even any standard floppy drive. Still the popular ones
were disassembled and circulated without the protection, and the lame
ones forgotten.

So if your software is worth anything you can only reasonably protect
it by selling it as service hosted on servers protected both in
software and physically.

If you just want people paying money for using your software forget
protection. It's just additional effort and if you are lucky it does
not get in your way too much. Sell the software for price that people
who are likely going to use it can afford, and make the payment method
an easy one.

Also services like support and customization help getting some money
from your users.

If your application is that lame that anybody looking at the source
would run away screaming in horror then you probably need a better
coder.

I guess that's pretty much all that can be said about code protection.

Thanks

Michal

···

On 17/10/2008, Ryan Davis <ryand-ruby@zenspider.com> wrote:

On Oct 16, 2008, at 23:10 , Sasha Bee wrote:

> Could you suggest anything real to protect the Ruby code? We are still
> working on our project and we use Ruby for it and need to protect the
> code. We are still searching for a good solution for it. We are not just
> Ruby enthusiasts and we are doing a real project. I wish we choose C to
> develop our product and then have no problems in protecting the code.
> But we use Ruby now for many reasons...
>

no, not really... anything that has ruby objects and ruby methods involved
can be popped wide open. If I can get my grubby paws on it, I can play with
it

> We do not want any conversions like Ruby to C or JRuby. We do not need
> or want Java for its slowness. (We just do not need Java - don't want to
> get into a battle with Java fans :slight_smile: And also we understand there is no
> ideal 100% proved protection solutions for any language. I know there
> are some good encoders for PHP but what do we have for Ruby?
>

there is zenobfuscate which translates to C, that prevents my above
statement from occurring... as others have pointed out, if you are just
munging source, you're doing nothing... nothing at all to protect things.
encryption? it needs to be decrypted in order to run and then you're dealing
with my original claim again...

I don't know of any other method than removing the ruby source entirely.

18

Thanks for advices :slight_smile:

So, as I understood, there are:

- Software as a Service, with owned hosting.
Yes! This is the best one, but sometimes clients wants something
'physically' tangible :).

- JRuby Compiler (http://wiki.jruby.org/wiki/JRuby_Compiler)
It's fully finished and ready to use.

Translates <name>.rb => <name>.class and because it's not one to one
mapping there is an information lost, that can be seen as the
obfuscation.

There is no .class to .rb decompiler, and (though, I'm not sure) these
.class files cannot be decompiled even to .java ones.

- Zenobfuscate (http://blog.zenspider.com/zenobfuscate/)
Has some limitations.
I've choose Ruby for all it's goodnesses, and don't want to give back
any of it. I'll better leave the product open than will agree to any
limitation.

- rubyencoder (rubyencoder.com)
Somehow they do it, don't know though how.

It seems, that JRuby Compiler is really what i need :).

I just want to rise barrier, to buy time if some company will try to
build a copy-product. For sure they'll can reverse engineer it, but not
so fast as if they will have original sources.
There is no need to protect from hackers & cracks, my product will be
free (but not open).

···

--
Posted via http://www.ruby-forum.com/.

19

you could try software like rubyscript2exe:
http://www.erikveen.dds.nl/rubyscript2exe/

···

-----Original Message-----
From: ara.t.howard [mailto:ara.t.howard@gmail.com]
Sent: Friday, October 17, 2008 10:09 PM
To: ruby-talk ML
Subject: [OT] Re: I found way to protect Source Code! :slight_smile:

On Oct 17, 2008, at 12:10 AM, Sasha Bee wrote:

Could you suggest anything real to protect the Ruby code? We are still

working on our project and we use Ruby for it and need to protect the
code. We are still searching for a good solution for it.

20

Trying to "protect" your Ruby source code is like trying to "protect"
music with DRM: doomed to ineffectiveness.

  http://blogs.techrepublic.com.com/security/?p=363

···

On Fri, Oct 24, 2008 at 02:41:58PM +0900, Ryan Davis wrote:

On Oct 23, 2008, at 14:36 , Dmitry Severin wrote:

>Found link to RubyEncoder on InfoQ (
>RubyEncoder: Obfuscation and Code Protection for Ruby ), and just for fun,
>decided to look how difficult would it be to crack it :slight_smile:

haha! you are awesome. thank you for showing how easy it can be.

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
from an MS Access tutorial manual: "Programmatically is a Microsoft
euphemism for 'with many lines of code.'"