duplo1
Posts: 67
|
| Posted: 07/16/2008, 8:22 AM |
|
Does someone know a good and reliable way to protect / encrypt ASP files.
Since we have started to distribute our application we have noticed clients working and modifiying the asp files. In 99% they do not know what they are doing and the app stops working which causes an increase in support. LOL.
Please advise.
C.
|
 |
 |
JimmyCrackedCorn
Posts: 583
|
| Posted: 07/16/2008, 3:38 PM |
|
we used to use a product called ASPLightning which would compile your ASP code into a component. It worked really well for keeping customers out of the source code but it added an extra step to the workflow. I think the company that made it went out of business.
If I were trying to do this today I'd start by googling "ASP Obfuscation". Or you might look into creating your own components to hide some of your code.
_________________
Walter Kempees...you are dearly missed. |
|
|
|
marcwolf
Posts: 361
|
| Posted: 07/16/2008, 6:02 PM |
|
It is a difficult situation when distributed scripting language applications.
Something to think about is this -
CodeCharge does a very nice feature of encapsulating the code in brackets, and then generating a checksum on the contents to work out if the user has changed them.
That way is how when you modify a block of generated code the code immediately changes colour.
Now - as an offshoot to this (and if you are comforable about creating DLL's and COM objects) is when your application is first run it will call a COM object.
The COM object (being run in the IIS area) will then do a FileObjectSys check on all of the files and check their generated checksums against the ones the COM object has within it.
Any changes will automatically popup a prompt that the source code has changed.
As there are several javascript obfusicators out there you can include this call as part of a javascript/AJAX call and so unless someone does a REAL hard look at the javascript they willl not know what is happening.
And if the Javascript module also contain a few other essential javascript functions for the application then the more the better.. Your security check code will be hiddened even further :>
I know it is not the best solutions but it might work, or atleast give you some idea's to move on with.
Take Care
Dave
_________________
' Coding Coding Coding
Keep Those Keyboards Coding.
Raw Code!!!!!!!
|
|
|
|
duplo1
Posts: 67
|
| Posted: 07/16/2008, 7:35 PM |
|
Thank you both, Jimmy and Marc for your input.
I like the idea of encapsulating the code in brackets and generating a checksum. Could you please provide me with more info how to do that ????
In regards to the DLL's and Com objects: I assume they have to be installed serverside ??? If yes, then this might cause problems as most ISP's are very anal about serverside components.
Christoph
|
|
|
|
marcwolf
Posts: 361
|
| Posted: 07/17/2008, 5:46 PM |
|
I'll put my thinking cap on :>
Ok - since this is in the ASP I take it you will be running IIS on your server.
Take care
Dave
_________________
' Coding Coding Coding
Keep Those Keyboards Coding.
Raw Code!!!!!!!
|
|
|
|
JimmyCrackedCorn
Posts: 583
|
| Posted: 07/17/2008, 10:09 PM |
|
Quote duplo1:
Thank you both, Jimmy and Marc for your input.
I like the idea of encapsulating the code in brackets and generating a checksum. Could you please provide me with more info how to do that ????
In regards to the DLL's and Com objects: I assume they have to be installed serverside ??? If yes, then this might cause problems as most ISP's are very anal about serverside components.
Christoph
we have used Intermedia.net for hosting several times in the past when we needed to be able to install our own ASP components. it worked out very well.
_________________
Walter Kempees...you are dearly missed. |
|
|
|
duplo1
Posts: 67
|
| Posted: 07/18/2008, 7:20 AM |
|
Yes, there is IIS running ....
Christoph
|
|
|
|
marcwolf
Posts: 361
|
| Posted: 07/20/2008, 5:14 AM |
|
Hi there.
Been pretty busy this wekend but I have been able to do some research
Have a look at this link
http://rossm.net/Electronics/Computers/Software/ASP/
Now - what you can do is to generate a MD5 of all the files and then do a check on the fly to see if the code on the server matches your initally generated MD5..
For official code releases you can have a special function that will quickly run through a server and generate new MD5's after the update.
Anyway - hope this gives some idea's.
Take care
Dave
_________________
' Coding Coding Coding
Keep Those Keyboards Coding.
Raw Code!!!!!!!
|
|
|
|
Benjamin Krajmalnik
|
| Posted: 07/25/2008, 12:50 AM |
|
Microsoft has an ASP script encoder.
http://www.microsoft.com/downloads/details.aspx?FamilyI...&displaylang=en
You can use it to encode your pages.
Included pages (common files, events) need to be enocded in a slightly
different manner - I will show you my batch file and workflow in a minute.
Just be aware that this is not copy protection - the files can be decoded,
but it will keep the casual idiot from messing with your code.
Now, to the workflow.
Under the project file, I have a directory called "preencoded", and under it
another one called "encoded".
I copy the asp pages from the project dir to the preencoded subdir, which
contains the batch file and the encoder, in addition to the asp pages.
When it is done, all of the encoded files will be in the encoded subdir.
Here is the contents of the batch file:
del .\encoded\*.asp
screnc *.asp .\encoded
screnc -xl *_events.asp .\Encoded
screnc -xl Header.asp .\Encoded\Header.asp
screnc -xl Footer.asp .\Encoded\Footer.asp
screnc -xl Navigator.asp .\Encoded\Navigator.asp
screnc -xl Common.asp .\Encoded\Common.asp
screnc -xl Classes.asp .\Encoded\Classes.asp
screnc -xl Cache.asp .\Encoded\Cache.asp
screnc -xl Adovbs.asp .\Encoded\Adovbs.asp
screnc -xl Template.asp .\Encoded\Template.asp
screnc -xl Sorter.asp .\Encoded\Sorter.asp
A while back I was looking at a product from Ireland which actually
encrypted the files, but it had issues with the multi-level includes, and
was very slow at decrypting on the fly to run the pages, so I abandoned it.
There is a commercial product claiming to "enctypt" asp pages called HTML
Guardian. It does not encrypt it, but rather encodes it using the exact
same way that the free microsoft encoder does. Don;t waste your money on
it.
|
|
|
|
