Obfuscating Ruby Code

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently, both
ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Thanks in advance,

Ken.

You could just let me write the program for you. That should keep anyone
from reading it.

“Well if it makes you feel any better, he’s probably doing her right now.”

···

Website - http://www.retrobbs.org
Tradewars - telnet tradewars.retrobbs.org
BBS - http://bbs.retrobbs.org:8000
IRC - irc.retrobbs.org #main
WIKI - http://www.tpoh.org/cgi-bin/tpoh-wiki

----- Original Message -----
From: “Ken Hilton” kenosis@comcast.net
Newsgroups: comp.lang.ruby
To: “ruby-talk ML” ruby-talk@ruby-lang.org
Sent: Tuesday, June 01, 2004 10:08 PM
Subject: Obfuscating Ruby Code.

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently,
both
ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Thanks in advance,

Ken.

Take a look at bRuby. It can dump the internal node-tree and then load it
again (as far as I understand it). No Ruby sourcecode anymore. See also
the Exerb project.

http://bruby.sourceforge.jp/index.en.html

Regards,

Michael

···

On Wed, Jun 02, 2004 at 06:08:39AM +0900, Ken Hilton wrote:

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently, both
ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Hi,

Wouldn’t it be possible to convert the ruby code to C code? Each ruby
class etc. can also be written in C with different syntax, so a 1:1
conversion should be possible, not? Once it is C code you can compile it
just like any ordinary program.

Regards,

Peter

“Ken Hilton” kenosis@comcast.net wrote in message news:<ub6vc.31832$js4.6571@attbi_s51>…

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently, both
ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Thanks in advance,

Ken.

This obfuscated enough?

foo.rb

class Foo
   attr_accessor :arg1, :arg2
   def initialize(arg1,arg2)
      @arg1, @arg2 = arg1, arg2
   end
   def test
      puts "Arg1 is #{@arg1}"
      puts "Arg2 is #{@arg2}"
   end
end

f = Foo.new("hello","world")
f.test

cfoo.rb

#(foo.rb after being encrypted with crypt-fog and a salt of 44)
\217\230\215\237\237Lr\233\2336LLL\215\240\240\236\213\215\217\217\221\237\237\233\236Lf\215\236\223]XLf\215\236\223^
6LLL\220\221\222L\225\232\225\240\225\215\230\225\246\221T\215\236\223]X\215\236\223^U6LLLLLLl\215\236\223]XLl\215\23
6\223^LiL\215\236\223]XL\215\236\223^6LLL\221\232\2206LLL\220\221\222L\240\221\237\2406LLLLLL\234\241\240\237LNm\236
223]L\225\237LO\247l\215\236\223]\251N6LLLLLL\234\241\240\237LNm\236\223^L\225\237LO\247l\215\236\223^\251N6LLL\221\2
32\2206\221\232\22066\222LiLr\233\233Z\232\221\243TN\224\221\230\230\233NXN\243\233\236\230\220NU6\222Z\240\221\237\2
40

Running the code

ruby -e 'require "crypt/fog";eval(Crypt::Fog.decrypt(IO.readlines("cfoo.rb").to_s.chomp,44))'

Result

Arg1 is hello
Arg2 is world

Regards,

Dan

eval(Crypt::Fog.decrypt(…)’

Well, you happen to know the method and the salt with which to decrypt
the example I gave you. Besides, the OP only asked for obfuscation,
not encryption.

Let’s have a little fun. I’ll give you some obfuscated code and you
tell me how long it takes you to decipher it.

\255\257\244\265\254\245\215\257\266\251\245J```\243\254\241\263\263\203\250\262\251\263\264\255\241\263\223\264\257
\262\271J\244\245\246`\263\245\243\262\245\264\237\255\245\263\263\241\247\245J`````````\260\265\264\263`b\202\2 45`\263\265\262\245`\264\257`\244\262\251\256\253`\271\257\265\262`\217\266\241\254\264\251\256\245bJ\245\256\24
4J```\245\256\244J\245\256\244JJ\243\263}\215\257\266\251\245zz\203\250\262\251\263\264\255\241\263\223\264\257\262
271n\256\245\267J\243\263n\263\245\243\262\245\264\237\255\245\263\263\241\247\245

Regards,

Dan

PS - Attempts to print the results to a terminal using a brute force
approach may cause your terminal to freeze (though not because of my
code). The code itself is harmless. For example:

str = "foo"

1.upto(100){ |x|
   puts str.unpack("C*").map{ |e| e -= x }.pack("C*")
}

This causes my terminal to go wonky, though I’m using CDE on Solaris
9. YMMV.

···

On Wed, 2 Jun 2004, David A. Black wrote:

This is probably a stupid question, but… what if someone did:

ruby -e 'require “crypt/fog”; puts

Wow - what a great thread - so many ideas and points of view. This is what
I appreciate most about the Ruby community: everyone comes to the e-table
with an open mind and an opinion. So, now that the dust has settled, allow
me to weigh in. Clearly, a hacker-proof solution is problematic, not just
specifically WRT Ruby but in general (despite Macrovision’s claims to the
contrary.) In my case, the objective is obfuscation, not piracy protection
(via encryption) as the work I’m doing is generally of little use to
parties other than my clients. That said, I’d like to keep my clients
honest with respect to their contracts and to protect certain technologies
from being unreasonably pilfered and obfuscation more or less satisfies the
80/20 rule for this purpose: it poses a reasonable barrier to misuse and
appears to meet a minimal standard for trade secret/IP protection (i.e.,
should someone exploit such code their intent would be undeniable; intent
generally being very hard to prove.) If those who support the idea of a
Ruby obfuscator continue to think such a utility would be of some value, I’d
be interested in collaborating to develop a solution that would be of wide
appeal.

Sincere Regards,

Ken.

“Ken Hilton” kenosis@comcast.net wrote in message
news:ub6vc.31832$js4.6571@attbi_s51…

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently,
both

···

ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Thanks in advance,

Ken.

Too funny, I expected as much ;) Seriously, I have certain customers who do
not want to purchase a source code license but since Ruby source is required
(no pun intended) to deliver a Ruby app., customers must receive the source
(and converting to C is not generally an option.) I’m actually designing an
obfuscator and will happily share it should a suitable alternative not
already exist. (And I hope your code is not so unreadable as to be
considered self-obfuscating, unless of course you planned on everything
being written in Deutsch :)

Ken.

“I want to leave this world the same way I came into it: naked, spanked and
screaming.”

“Mark Firestone” hash_bang@retrobbs.org wrote in message
news:016c01c4481f$d9cb6c70$4601a8c0@ebrius…

···

You could just let me write the program for you. That should keep anyone
from reading it.

“Well if it makes you feel any better, he’s probably doing her right now.”


Website - http://www.retrobbs.org
Tradewars - telnet tradewars.retrobbs.org
BBS - http://bbs.retrobbs.org:8000
IRC - irc.retrobbs.org #main
WIKI - http://www.tpoh.org/cgi-bin/tpoh-wiki

----- Original Message -----
From: “Ken Hilton” kenosis@comcast.net
Newsgroups: comp.lang.ruby
To: “ruby-talk ML” ruby-talk@ruby-lang.org
Sent: Tuesday, June 01, 2004 10:08 PM
Subject: Obfuscating Ruby Code.

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently,
both
ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Thanks in advance,

Ken.

Hello Michael,

Does anyone know of a Ruby source code obfuscator that's reliable and
readily available? If so, I'd appreciate a pointer to it (apparently, both
ruby-lang and rubygarden are down at the time of this posting so I can't
check for myself.)

Take a look at bRuby. It can dump the internal node-tree and then load it
again (as far as I understand it). No Ruby sourcecode anymore. See also
the Exerb project.

http://bruby.sourceforge.jp/index.en.html

But this is easy to reverse. It does not much more than removing the
comment lines. You can traverse the sourcecode and sometimes get a much
more readable source code - because the output routine is able to do
correct indentation. So there could be one generic tool(!!) to crack
protected ruby code and this is the main problem. The heart of copy
protection is to make the cracking process so difficult that only a
few very very skilled programmers can crack your application and need a
long time to do this.

···

On Wed, Jun 02, 2004 at 06:08:39AM +0900, Ken Hilton wrote:

--
Best regards, emailto: scholz at scriptolutions dot com
Lothar Scholz http://www.ruby-ide.com
CTO Scriptolutions Ruby, PHP, Python IDE 's

Hi –

···

On Wed, 2 Jun 2004, Daniel Berger wrote:

“Ken Hilton” kenosis@comcast.net wrote in message news:<ub6vc.31832$js4.6571@attbi_s51>…

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently, both
ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Thanks in advance,

Ken.

This obfuscated enough?

foo.rb

class Foo
   attr_accessor :arg1, :arg2
   def initialize(arg1,arg2)
      @arg1, @arg2 = arg1, arg2
   end
   def test
      puts "Arg1 is #{@arg1}"
      puts "Arg2 is #{@arg2}"
   end
end

f = Foo.new("hello","world")
f.test

cfoo.rb

#(foo.rb after being encrypted with crypt-fog and a salt of 44)

Running the code

ruby -e 'require "crypt/fog";eval(Crypt::Fog.decrypt(IO.readlines("cfoo.rb").to_s.chomp,44))'

Result

Arg1 is hello
Arg2 is world

This is probably a stupid question, but… what if someone did:

ruby -e 'require "crypt/fog"; puts eval(Crypt::Fog.decrypt(…)'

?

David


David A. Black
dblack@wobblini.net

Hi,

Let’s have a little fun. I’ll give you some obfuscated code and you
tell me how long it takes you to decipher it.

\255\257\244\265\254\245\215\257\266\251\245J```\243\254\241\263 \263\203\250\262\251\263\264\255\241\263\223\264\257
[…]

Hehe… See, that’s cheating. Contest rules should
require your program to actually run! We can all distribute
un-runnable encrypted binaries that no-one can reasonably
decipher. What I mean by “actually run” is the program needs
to be in a form where we can type its name from the command
line, and the program has to be responsible for decrypting
itself, and running. Because that is the problem we’re dealing
with. If you were to present your program in that manner, I’d
be happy to spend a couple minutes extracting the unencrypted
source.

Unless I’m missing your point…? If so, apologies!

Regards,

Bill

···

From: “Daniel Berger” djberg96@hotmail.com

Hi –

This is probably a stupid question, but… what if someone did:

ruby -e 'require "crypt/fog"; puts
eval(Crypt::Fog.decrypt(…)'

Well, you happen to know the method and the salt with which to decrypt
the example I gave you. Besides, the OP only asked for obfuscation,
not encryption.

I’m assuming that if people running the program know that they have to
use crypt/fog, then so will the rogue people who want to decipher it.
I’m also (perhaps wrongly) assuming that salts are all two characters.

Anyway, didn’t I say it was a stupid question? :)

Let’s have a little fun. I’ll give you some obfuscated code and you
tell me how long it takes you to decipher it.

[…]

No fair – RAA is down and I don’t have Crypt::Fog :)

David

···

On Thu, 3 Jun 2004, Daniel Berger wrote:

On Wed, 2 Jun 2004, David A. Black wrote:


David A. Black
dblack@wobblini.net

Quoting djberg96@hotmail.com, on Thu, Jun 03, 2004 at 12:33:48AM +0900:

>> This is probably a stupid question, but... what if someone did:
>>
>> ruby -e 'require "crypt/fog"; puts
eval(Crypt::Fog.decrypt(......)'

Well, you happen to know the method and the salt with which to decrypt
the example I gave you. Besides, the OP only asked for obfuscation,
not encryption.

Let's have a little fun. I'll give you some obfuscated code and you
tell me how long it takes you to decipher it.


Not fair. Send me a working example of it running, as you would do if
you ship me an application, and it might be very easy.

Building the encryption key into the ruby binary would work a little
better, you could try and hide the key bits in various places, which
would make it harder to reverse engineer.

Cheers,
Sam

···

>On Wed, 2 Jun 2004, David A. Black wrote:

And how do you obfuscate the salt? Because that’s the problem we try to deal
with. As soon as you call the decrypter you need the password available.

Bye,
phil

···

On 2004-06-02, Daniel Berger djberg96@hotmail.com wrote:

ruby -e 'require "crypt/fog";eval(Crypt::Fog.decrypt(IO.readlines("cfoo.rb").to_s.chomp,44))'


Please send replies (not followups) to the address set in Reply-To.
Philipp Kern - PK2186-RIPE - http://www.philkern.de
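
The point made in this thread, that the salt must be available wherever the decrypter is called, goes further for a one-byte salt: the text can be recovered by trying every salt and keeping the candidate that reads as Ruby. The block below is an added example, not code from the thread or from crypt-fog. The names `shift_encode`, `shift_decode`, `score` and `recover` are hypothetical, and the byte-plus-salt rule is an assumption read off the posted cfoo.rb sample ('c', byte 99, appears as \217, byte 143, with salt 44).

```ruby
# Added illustration: a stand-in for a byte-shift obfuscator, not crypt-fog's code.
# Assumption: each output byte is (source byte + salt) mod 256.

KEYWORDS = %w[class def end puts require attr_accessor].freeze

def shift_encode(source, salt)
  source.bytes.map { |b| (b + salt) % 256 }.pack("C*")
end

def shift_decode(blob, salt)
  blob.bytes.map { |b| (b - salt) % 256 }.pack("C*")
end

# Plausibility of a candidate plaintext: -1 if it holds any byte that is not
# tab, newline or printable ASCII, otherwise the number of Ruby keywords found.
def score(candidate)
  text_only = candidate.bytes.all? { |b| b == 9 || b == 10 || b.between?(32, 126) }
  return -1 unless text_only
  KEYWORDS.sum { |kw| candidate.scan(/\b#{kw}\b/).length }
end

# Decode with every possible salt and return [salt, text] for the best score.
def recover(blob)
  (0..255).map { |salt| [salt, shift_decode(blob, salt)] }
          .max_by { |_salt, text| score(text) }
end

# Constructed sample input: the foo.rb listing posted in the thread.
SAMPLE = <<~'RUBY'
  class Foo
     attr_accessor :arg1, :arg2
     def initialize(arg1,arg2)
        @arg1, @arg2 = arg1, arg2
     end
     def test
        puts "Arg1 is #{@arg1}"
        puts "Arg2 is #{@arg2}"
     end
  end

  f = Foo.new("hello","world")
  f.test
RUBY

if __FILE__ == $PROGRAM_NAME
  blob = shift_encode(SAMPLE, 44)
  salt, text = recover(blob)
  puts "salt recovered without being told: #{salt}"
  puts text # printed for review, never passed to eval
end
```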

Well, you happen to know the method and the salt with which to decrypt
the example I gave you. Besides, the OP only asked for obfuscation,
not encryption.

Where does obfuscation stop and encryption begin?

...In my case, the objective is obfuscation, not piracy protection
(via encryption ) as the work I'm doing is generally of little use to
parties other than my clients. That said, I'd like to keep my clients
honest with respect to their contracts and to protect certain technologies
from being unreasonably pilfered and obfuscation more or less satisfies the
80/20 rule for this purpose: it poses a reasonable barrier to misuse and

If that's the goal, why not use exerb with the ZLib option turned on? The resulting binaries can't be grepped for source.

Sure, all someone would need to do is a little reverse engineering on exerb to figure out how to extract the source, or simply have memorized what a ZLib header looks like, but seems to me it's a "reasonable barrier" for the purpose you're describing.

That said, it'd still be a great thing to have a general, more secure way of securing ruby source. I'd like to be able to take advantage of it as well.

Jim Moy

Received: Wed, 2 Jun 2004 10:18:39 +0900
And lo, Ken wrote:

Too funny, I expected as much ;) Seriously, I have certain customers who do
not want to purchase a source code license but since Ruby source is required
(no pun intended) to deliver a Ruby app., customers must receive the source
(and converting to C is not generally an option.) I’m actually designing an
obfuscator and will happily share it should a suitable alternative not
already exist. (And I hope your code is not so unreadable as to be
considered self-obfuscating, unless of course you planned on everything
being written in Deutsch :)

Ken.

Err …

Obfuscate Ruby code? I’m at a loss here … :D. Perl is inanely obfuscated by default, but Ruby?

How does obfuscating solve your problem? How is that even a problem? Just include a compiled ruby interpreter for your target platform, and have a link in your code that says “For more info about ruby and to download the interpreter, go to www.ruby-lang.org” …

Obfuscators serve no real use - as long as somebody can pass your code through a lexer, it’s instantly unobfuscated.

  • Greg

Ken Hilton wrote:

[…] I’m actually designing an obfuscator and will happily share it
should a suitable alternative not already exist.

I think you’re on safe ground, Ken.

This thread may confirm:
www.ruby-talk.org/100469 (9 messages)

daz

Hi, Ken,

I’m actually designing an
obfuscator and will happily share it should a suitable alternative not
already exist.

I’m very interested in this, and would be willing to help if I
could be of any assistance.

Have you decided on an approach? I presume there must be
restrictions on certain dynamic aspects of Ruby, such as
string eval() not being able to reference any obfuscated code?

Regards,

Bill

···

From: “Ken Hilton” kenosis@comcast.net

Hm, I thought, a node-dump does not contain the variable names (local
variables), or at least does not require them for execution? I am
probably wrong.

Hm, sure, the method names must be stored. But one could modify the
interpreter to only store hashes of the method names, and use them to
call the methods. That might give quite good obfuscation.

Regards,

Michael

···

On Wed, Jun 02, 2004 at 01:04:55PM +0200, Lothar Scholz wrote:

Hello Michael,

On Wed, Jun 02, 2004 at 06:08:39AM +0900, Ken Hilton wrote:

Does anyone know of a Ruby source code obfuscator that’s reliable and
readily available? If so, I’d appreciate a pointer to it (apparently, both
ruby-lang and rubygarden are down at the time of this posting so I can’t
check for myself.)

Take a look at bRuby. It can dump the internal node-tree and then load it
again (as far as I understand it). No Ruby sourcecode anymore. See also
the Exerb project.

http://bruby.sourceforge.jp/index.en.html

But this is easy to reverse. It does not much more than removing the