I found way to protect Source Code! :)

Michal Suchanek wrote:

>
> are some good encoders for PHP but what do we have for Ruby?
>

there is zenobfuscate which translates to C, that prevents my above
statement from occurring... as others have pointed out, if you are just
munging source, you're doing nothing... nothing at all to protect things.
encryption? it needs to be decrypted in order to run and then you're dealing
with my original claim again...

I don't know of any other method than removing the ruby source entirely.

Remember DOS games? These employed many baroque copy protection
schemes including specially formatted or perhaps even specially
manufactured floppies so that nobody could make a copy with standard
software or even any standard floppy drive. Still the popular ones
were disassembled and circulated without the protection, and the lame
ones forgotten.

So if your software is worth anything you can only reasonably protect
it by selling it as a service hosted on servers protected both in
software and physically.

If you just want people paying money for using your software, forget
protection. It's just additional effort and if you are lucky it does
not get in your way too much. Sell the software for a price that people
who are likely going to use it can afford, and make the payment method
an easy one.

Also services like support and customization help getting some money
from your users.

If your application is that lame that anybody looking at the source
would run away screaming in horror then you probably need a better
coder.

I guess that's pretty much all that can be said about code protection.

Thanks

Michal
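
The point quoted above, that encrypted source has to be decrypted before it can run, shown as an added example that is not part of the original thread. `pack_source`, `unpack_source`, `run_protected` and the sample source are hypothetical names constructed here, and AES-256-GCM from Ruby's standard OpenSSL binding stands in for whatever scheme an encoder uses.

```ruby
require "openssl"

# Constructed sample: the "proprietary" Ruby source a vendor wants to hide.
SAMPLE_SOURCE = <<~RUBY
  def discount(total)
    total > 100 ? total - total / 10 : total
  end
RUBY

# Vendor side (hypothetical packer): encrypt the source before shipping it.
def pack_source(source, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  data = cipher.update(source) + cipher.final
  { iv: iv, tag: cipher.auth_tag, data: data }
end

# Customer side (hypothetical loader): to run at all, the shipped program
# must carry or fetch the key and turn the package back into Ruby text.
def unpack_source(package, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = package[:iv]
  cipher.auth_tag = package[:tag]
  (cipher.update(package[:data]) + cipher.final).force_encoding("UTF-8")
end

# The interpreter only accepts plaintext, so the loader hands it over here.
def run_protected(package, key)
  context = Object.new
  context.instance_eval(unpack_source(package, key))
  context
end

# Summarise what is visible at rest and what the loader necessarily produces.
def exposure_report(source, key)
  package = pack_source(source, key)
  {
    hidden_at_rest: !package[:data].include?("discount"),
    recovered_by_loader: unpack_source(package, key) == source,
    result: run_protected(package, key).discount(200)
  }
end

DEMO_KEY = OpenSSL::Random.random_bytes(32) # constructed key for the demo

p exposure_report(SAMPLE_SOURCE, DEMO_KEY)
```

The ciphertext hides the source only on disk; whoever holds the shipped loader and its key holds the same string the interpreter receives.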

C can be reverse engineered and java jars can be converted back to
source code. No program's source is 100% safe. The suggestion of
selling it as a service and hosting the app on your own servers is as
close as you're going to get. So don't freak out too much because you
can't get perfect code protection. It just doesn't exist and yet
millions of people still pay for software.

Personally I do use rubyscript2exe for all my software (used internally
around the office). That is mainly so I don't have to install the
entire ruby interpreter on every computer that uses the applications,
but it also has an added bonus of not making your source code readily
available. It would be trivial to get to the source for someone that
knows rubyscript2exe, but most people aren't even going to give that a
thought.

On 17/10/2008, Ryan Davis <ryand-ruby@zenspider.com> wrote:

--
Posted via http://www.ruby-forum.com/.

On 18/10/2008, Alexey Petrushin <axyd80@gmail.com> wrote:
> Thanks for the advice :)
>
> So, as I understood, there are:
>
> - Software as a Service, with owned hosting.
> Yes! This is the best one, but sometimes clients want something
> 'physically' tangible :).
>
> - JRuby Compiler (http://wiki.jruby.org/wiki/JRuby_Compiler)
> It's fully finished and ready to use.
>
> Translates <name>.rb => <name>.class and because it's not a one-to-one
> mapping, some information is lost, which can be seen as
> obfuscation.
>
> There is no .class to .rb decompiler, and (though, I'm not sure) these
> .class files cannot be decompiled even to .java ones.

It can be decompiled easily; there have been decompilers for a long time already.

>
> - Zenobfuscate (http://blog.zenspider.com/zenobfuscate/)
> Has some limitations.
> I've chosen Ruby for all its goodness, and don't want to give back
> any of it. I'd rather leave the product open than agree to any
> limitation.
>
> - rubyencoder (rubyencoder.com)
> Somehow they do it, though I don't know how.
>
> It seems that JRuby Compiler is really what I need :).
>
> I just want to raise the barrier, to buy time if some company tries to
> build a copy-product. For sure they'll be able to reverse engineer it, but not
> as fast as if they had the original sources.
> There is no need to protect from hackers & cracks, my product will be
> free (but not open).

I would really like to understand the thinking of the 'freeware' authors.

Since the software is free anyway there is no need for competition to
develop a copy-product. They can have it, and for free.

On the other hand, if they want to improve on the product it is easier
if it is opensource, and you as the author of the original can have
the improvement then as well if you choose a license that warrants
that.

The most annoying part of 'freeware' is when it contains a bug or is
incompatible with a newer system, and the original author is no longer
reachable or won't bother to fix the problem.

But since it's your software use whatever feels right for you.

I am free to use the software - or not use it. Or perhaps only to not
use it if you translate it into java classes, and I am by chance
sitting at a system for which there is no decent Java runtime.

Thanks

Michal

On Sun, Oct 19, 2008 at 05:07:59AM +0900, Alexey Petrushin wrote:
> Thanks for the advice :)
>
> So, as I understood, there are:
>
> - Software as a Service, with owned hosting.
> Yes! This is the best one, but sometimes clients want something
> 'physically' tangible :).
>
> - JRuby Compiler (http://wiki.jruby.org/wiki/JRuby_Compiler)
> It's fully finished and ready to use.
>
> Translates <name>.rb => <name>.class and because it's not a one-to-one
> mapping, some information is lost, which can be seen as
> obfuscation.
>
> There is no .class to .rb decompiler, and (though, I'm not sure) these
> .class files cannot be decompiled even to .java ones.
>
> - Zenobfuscate (http://blog.zenspider.com/zenobfuscate/)
> Has some limitations.
> I've chosen Ruby for all its goodness, and don't want to give back
> any of it. I'd rather leave the product open than agree to any
> limitation.
>
> - rubyencoder (rubyencoder.com)
> Somehow they do it, though I don't know how.

. . . or come up with a business model that doesn't rely on the
government trying to subvert natural laws.

> It seems that JRuby Compiler is really what I need :).
>
> I just want to raise the barrier, to buy time if some company tries to
> build a copy-product. For sure they'll be able to reverse engineer it, but not
> as fast as if they had the original sources.
> There is no need to protect from hackers & cracks, my product will be
> free (but not open).

So . . . what's the point of obscuring the code?

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Just tao it. http://tao.apotheon.org

Alexey Petrushin wrote:

> Thanks for the advice :)
>
> So, as I understood, there are:
>
> - Software as a Service, with owned hosting.
> Yes! This is the best one, but sometimes clients want something
> 'physically' tangible :).

Hi,

just my 5 cents worth (that's Euro cents, then).

If you only have a few clients, it's basically OK to give them the
source code as well: as the source code is protected by copyright laws
(unless you live in a very exotic country like Somalia), your clients are
legally bound not to redistribute or even use the software elsewhere
(even in-house!). It probably isn't even in the clients' best interest
to give the source code out, especially if the code supports some
business functionality that gives them advantage over competition. The
risk of getting caught in such case is moderately high, with severe
fines backed up by copyright law and hopefully your SW license/contract.
In fact, you can probably get customers more easily by handing out
source code as well, as that gives them some guarantees in case you get
hit by the truck or your company bankrupts or something as bad from a
market-economy-point-of-view.

As for commercial, consumer-targeted mass distribution, I suppose I
would use something else than ruby. At least for the moment. :)

Anyhow, for all that GPL-style code lying around, companies are becoming
more approving of SaaS solutions (even asking for it -- as a plus side
you get all that system administration out of the house). I don't think
there are many good business reasons having your servers in-house,
unless your business is server farming...

Cheers,

Joni


Hello

> Thanks for the advice :)
>
> So, as I understood, there are:
>
> - Software as a Service, with owned hosting.
> Yes! This is the best one, but sometimes clients want something
> 'physically' tangible :).

If clients want something they can touch and poke, a nice alternative,
not so "safe" as hosted but not so open as source code, is making it
an appliance. Deploy a virtualized server with your app hosted inside.

> - JRuby Compiler (http://wiki.jruby.org/wiki/JRuby_Compiler)
> It's fully finished and ready to use.
>
> Translates <name>.rb => <name>.class and because it's not a one-to-one
> mapping, some information is lost, which can be seen as
> obfuscation.
>
> There is no .class to .rb decompiler, and (though, I'm not sure) these
> .class files cannot be decompiled even to .java ones.

Forget it, decompiling classes to very readable java source has been
trivial for many years.

2008/10/18 Alexey Petrushin <axyd80@gmail.com>:

--
...To the (creative) destruction of what is!
--
http://agitadonorevuelto.omercenario.org

Michal Suchanek wrote:

>
> are some good encoders for PHP but what do we have for Ruby?
>

there is zenobfuscate which translates to C, that prevents my above
statement from occurring... as others have pointed out, if you are just
munging source, you're doing nothing... nothing at all to protect things.
encryption? it needs to be decrypted in order to run and then you're dealing
with my original claim again...

I don't know of any other method than removing the ruby source entirely.

Remember DOS games? These employed many baroque copy protection
schemes including specially formatted or perhaps even specially
manufactured floppies so that nobody could make a copy with standard
software or even any standard floppy drive. Still the popular ones
were disassembled and circulated without the protection, and the lame
ones forgotten.

You can also consider hardware keys (dongles), when these programs are
cracked, typically the software that interfaces with the dongle is
merely replaced.

I think what (a lot of) people are trying to say here is that you're
spinning your wheels; there are plenty of successful ways to license and
sell your software, but copy protection typically isn't one of them,
especially when you're dealing with a product that caters to a technical
market.... I mean, the average gamer isn't really that technical, but
they can go to oodles of websites and download a 100K file that fixes
their problem of being forced to purchase the latest $50 entertainment
extravaganza, and they've been trying to solve this since computers had
ways to play games that didn't come on ROM.

-Erik

On 17/10/2008, Ryan Davis <ryand-ruby@zenspider.com> wrote:


well... to varying levels of difficulty, yes...

I can guarantee that I can obfuscate code better than rubyencoder can... well enough that you can't get meaningful information back out automatically (it would probably be quicker and more effective to translate it back by hand after doing an automated pass on it). Well enough that it isn't worth your time for nearly everything put through it.

On Oct 24, 2008, at 11:45 , Chad Perrin wrote:

On Fri, Oct 24, 2008 at 02:41:58PM +0900, Ryan Davis wrote:

On Oct 23, 2008, at 14:36 , Dmitry Severin wrote:

Found link to RubyEncoder on InfoQ (RubyEncoder: Obfuscation and Code
Protection for Ruby), and just for fun,
decided to look how difficult it would be to crack it :)

haha! you are awesome. thank you for showing how easy it can be.

Trying to "protect" your Ruby source code is like trying to "protect"
music with DRM: doomed to ineffectiveness.

http://blogs.techrepublic.com.com/security/?p=363

C can be reverse engineered and java jars can be converted back to
source code. No program's source is 100% safe. The suggestion of
selling it as a service and hosting the app on your own servers is as
close as you're going to get. So don't freak out too much because you
can't get perfect code protection. It just doesn't exist and yet
millions of people still pay for software.

http://blogs.techrepublic.com.com/security/?p=363

That might be relevant. Getting paid is more about your business model
than it is about trying to stifle competition.

Personally I do use rubyscript2exe for all my software (used internally
around the office). That is mainly so I don't have to install the
entire ruby interpreter on every computer that uses the applications,
but it also has an added bonus of not making your source code readily
available. It would be trivial to get to the source for someone that
knows rubyscript2exe, but most people aren't even going to give that a
thought.

Personally, I consider making source code more troublesome to recover a
bug, not a feature.

On Fri, Oct 17, 2008 at 10:49:16PM +0900, James Dinkel wrote:

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Larry Wall: "What is the sound of Perl? Is it not the sound of a wall
that people have stopped banging their heads against?"

you can use rubyscript2exe too (rb2exe) <-- Good compiler (I'm using it) but
you can show the source code by entering the "prog name"
--eee-justextract (to extract) or list (to list the content)...

On Mon, Oct 20, 2008 at 8:32 AM, Michal Suchanek <hramrach@centrum.cz> wrote:

--
--
--mathspeedy-1337_programer--

This language is opensource I think if everyone uses it with closed source it
will be like the C language not open source, just, encrypt it and
send the decrypt key to the people that ask you for it, and make the key
only work for X days or X ... (corrupt it) like with the GPG option ...

On Mon, Oct 20, 2008 at 6:04 PM, Chad Perrin <perrin@apotheon.com> wrote:

--
--
--mathspeedy-1337_programer--

I can probably guarantee that, if you do that, it's not worth *your* time
either.

On Sat, Oct 25, 2008 at 06:07:00AM +0900, Ryan Davis wrote:

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Joel Ryder: "Ask Ren is definitely faster than Ask Jeeves. Jeeves
doesn't give you an attitude though, so I guess it's a trade off."

Pedro Arnal Puente wrote:

>> There is no .class to .rb decompiler, and (though, I'm not sure) these
>> .class files cannot be decompiled even to .java ones.
>
> Forget it, decompiling classes to very readable java source has been
> trivial for many years.

I had missed this...but even if you could decompile .class to .java, it's still nearly worthless to you because it's a bunch of JRuby internals calls. I suppose the important bit is what you're trying to protect. If it's the original Ruby code, then compiling to .class is certainly good enough.

- Charlie

I don't always trust my ISPs so I'd very much like to run my Rails apps
encrypted.

On Tue, Oct 21, 2008 at 12:24 AM, |||=[Mathspeedy]=||| |||=[Z3d0clan]=||| <mathspeedy@gmail.com> wrote:

--
http://www.home.no/reddvinylene

You'd be wrong. The effort to refactor IP needing obfuscation and getting it converted and tested/able in its new form took less than 30 minutes. After that all conversions are simply part of the rake build process (read: free). The amount of time it'd take to decompile and then discern actual meaning would be much much greater than that.

On Oct 25, 2008, at 15:55 , Chad Perrin wrote:

Ryan Davis wrote:

> You'd be wrong. The effort to refactor IP needing obfuscation and
> getting it converted and tested/able in its new form took less than 30
> minutes. After that all conversions are simply part of the rake build
> process (read: free). The amount of time it'd take to decompile and
> then discern actual meaning would be much much greater than that.

I find that the best solution is just to write unreadable code from the
beginning.

James

Ha! I'm good at that! }:>

Todd

On Sun, Oct 26, 2008 at 7:40 AM, James Dinkel <jdinkel@gmail.com> wrote:

I find that the best solution is probably to encourage people that want
to "obfuscate" code to write unreadable (and, thus, unmaintainable) code
from the beginning. Evolution takes over at that point.

I rather suspect someone is overestimating the "protective" value of
obscurity in this case, anyway.

On Sun, Oct 26, 2008 at 09:40:56PM +0900, James Dinkel wrote:

--
Chad Perrin [ content licensed PDL: http://pdl.apotheon.org ]
Naguib Mahfouz: "You can tell whether a man is clever by his answers.
You can tell whether a man is wise by his questions."