Encrypting / Obsfuscate a TCL File

[danielre...@gmail.com]

Hi,

I'm looking for some help in regards to protecting a TCL file from being copied.

We are using TCL files to run macros/scripts in Surpac (Mining software), currently when viewed as a text file they are in the native code. We would however like to make it so that they cannot be read.

They would however still need to be executed by Surpac.

Any help would be greatly apprechiated.

Thanks,
Dan

[Donal K. Fellows]

On 04/05/2019 03:58, danielre...@gmail.com wrote:
> I'm looking for some help in regards to protecting a TCL file from
> being copied.

Files can be copied. It's pretty much impossible to prevent that; it's a
fundamental feature of operating systems. :-)

But that's not to say there's nothing that can be done.

> We are using TCL files to run macros/scripts in Surpac (Mining
> software), currently when viewed as a text file they are in the
> native code. We would however like to make it so that they cannot be
> read.
>
> They would however still need to be executed by Surpac.

Are you packaging the Tcl files with the software that reads them? If
so, you can use things like the TDK compiler (if you can find a working
version) to generate shrouded bytecode files that can be executed by any
Tcl interpreter that has the tbcload package (which you statically build
into the reading software).

Alternatively in 8.7 onwards, you can package all your Tcl code as an
attached encrypted ZIP archive. It's a way to build applications where
the Tcl code is locked down.

Neither technique is designed to prevent an actually determined
attacker. (ZIP encryption is famously weak, and the .tbc format is
merely very weird and very horrible, not *actually* deeply encrypted.)
The only method that stands a reasonable chance there is to run the code
on a server you control and make sure that users can't ever get access
to the code at all (standard client-server stuff). You probably don't
want to do that in your case.

But it wouldn't be too hard to do a custom code reading command that
decrypts (based on an algoithm like RC4, for which there are both Tcl
and C implementations, and using a key you compile into your program)
code before running it. You could even do something like this:

package require rc4; # See Tcllib package
set key "MYSECRET"; # Not the right format for an RC4 key! Get
your own

proc decryptingSource {interpreter filename} {
# Read the file as RAW BYTES
set f [open $filename rb]
set data [read $f]
close $f

# Decrypt if encrypted
if {[file extension $filname] eq ".encTcl"} {
global key
set data [rc4::rc4 -key $key $data]
}

# Convert to text (important!)
set sourceCode [encoding convertfrom [encoding systm] $dat]

# Evaluate in the child interp
$interpreter eval $sourceCode
}

interp create shroudedEnvironment
interp alias shroudedEnvironment source \
{} decryptingSource shroudedEnvironment
shroudedEnvironment eval {source main.encTcl}

There's a few extra nuances, but that sort of thing (where you perhaps
implement the decryption engine in C to shroud the key better) is the
core of how to do moderately strong protection.

Donal.
--
Donal Fellows — Tcl user, Tcl maintainer, TIP editor.

[Gerald Lester]

How about a good license agreement and a good lawyer?

--
+----------------------------------------------------------------------+
| Gerald W. Lester, President, KNG Consulting LLC |
| Email: Gerald...@kng-consulting.net |
+----------------------------------------------------------------------+

[Tane Coad]

Hi Donal,

Thanks for the reply,

I must admit that I am not too farmiliar with much of what you said and so this could be quite a struggle for me.

I believe heading down the TDK compiler route would be the easiest for my skillset, it appears that some of the other macros delivered from third parties are shrouded in a similar way... and the corresponding interpreter is active and working within Surpac.

the following reads within one of these such macros:

if {[catch {package require tbcload 1.3} err] == 1} {
error "The TclPro ByteCode Loader is not available or does not
support the correct version"
}
tbcload::bceval {
TclPro ByteCode 1 0 1.3 8.3
141 0 1361 74 14 0 700 2 5 141 173 -1 -1
1361

and then it is followed by a obfuscated code, this is ideally what we are looking to achieve in our efforts. So mimicking this would probably be our easiest route I gather; as it would avoid building in a different interpreter.

So what would basically be involved is using TDK Compiler to convert a tcl file to a tbc file? Forgive my ignorance, but is there a GUI based program that does this? or is it done by a script based program?

Thanks,
Dan

[Tane Coad]

It's probably not worth that much effort to be honest.

[Tane Coad]

So it seems that using tcl pro 1.4 this can be achived, thanks for the help

[Alexandru]

Am Sonntag, 5. Mai 2019 08:59:20 UTC+2 schrieb Tane Coad:
> So it seems that using tcl pro 1.4 this can be achived, thanks for the help

Unfortunately TclPro 1.4 bundles only Tcl 8.3.2. Seems like an ancient thing...

[tombert]

Years ago I bought TDK from ActiveState to compile my TCL code. It's a command-line tool and works flawlessly for TCL 8.5 and 8.6

[onem...@gmail.com]

I bought it long ago as well. The good news is that ActiveState recently open-sourced it. It's available on github now (https://github.com/ActiveState/tdk). The bad news is that they no longer sell or support it, so open source is the only way to get it now.

[.]

The good news, the tdk open source package works like a charm.

compiler::compile <tclfile>

Output:
<tclfile>.tbc