Encryption for Executables?

David Kaye

Jun 1, 2011, 2:12:36 PM
Does anybody have a recommendation (that is EXPERIENCE) with a low-cost or
no-cost encryption or compression program to encrypt an executable? I want
to make it hard for someone to decompile a program I've worked many years
creating.

Thanks.

dpb

Jun 1, 2011, 2:41:57 PM
...

The chances of somebody getting anything useful out of a decompilation
of an executable are at least approaching vanishingly small.

--

David Kerber

Jun 1, 2011, 3:51:45 PM
[This followup was posted to microsoft.public.vb.general.discussion and
a copy was sent to the cited author.]

In article <is615m$gbr$1...@speranza.aioe.org>, no...@non.net says...


Especially if it's VB classic (which I assume it is).

Jeff Johnson

Jun 1, 2011, 4:36:20 PM
"David Kaye" <sfdavi...@yahoo.com> wrote in message
news:is60uh$k9j$1...@dont-email.me...

If your stuff is actually so valuable you feel the need to encrypt it then
it will be valuable enough for someone to bypass your encryption.


David Kaye

Jun 1, 2011, 5:28:26 PM
"David Kerber" <dke...@WarrenRogersAssociates.invalid> wrote

>
> Especially if it's VB classic (which I assume it is).

VB 6.0 Enterprise or whatever the version with all the bells and whistles is
called.

David Kaye

Jun 1, 2011, 5:31:30 PM
"Jeff Johnson" <i....@enough.spam> wrote

> If your stuff is actually so valuable you feel the need to encrypt it then
> it will be valuable enough for someone to bypass your encryption.

It's for an untouched niche market (yes I really found one), and as
developers discover this market right in front of their noses I suspect that
they're going to want to my efforts. Normally I wouldn't care, but a lot of
work -- coding, interviewing prospective customers, tweaking, refinement,
and testing in real-world situations -- has gone into this project.

I'm sure that the look and feel would be imitated, but the underlying code
has some very unique aspects that I'd like to be able to protect as much as
possible.

Maybe I don't need to worry...I don't know...

Tony Toews

Jun 1, 2011, 6:29:20 PM

Are there any VB6 decompilers out there? There don't appear to be
any. Especially if you compile to native code.

Tony
--
Tony Toews, Microsoft Access MVP
Tony's Main MS Access pages - http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
For a convenient utility to keep your users FEs and other files
updated see http://www.autofeupdater.com/

BeeJ

Jun 1, 2011, 6:39:35 PM

> Thanks.

I wrote my own Crypt/Decrypt. It uses MS Encryption APIs in some very
unique ways that I cannot tell you about. But if you think about it,
you too can do something similar by thinking outside the box.

So how would the user decrypt?
Built in to the installer?
Separate decryptor?
?


ralph

Jun 1, 2011, 9:12:47 PM
On Wed, 1 Jun 2011 11:12:36 -0700, "David Kaye"
<sfdavi...@yahoo.com> wrote:

Some random remarks... <g>

1) If a VB Application is compiled to Native Code using no-debug and
optimizing options there is literally no way to 'de-compile' the
application back to the original 'VB Code'.

[That and what follows is essentially true for any Windows
Applications regardless of the development platform.]

2) There are, however, many ways to reverse-engineer or ferret out
intellectual information from a compiled application. The ability to
do so depends solely on the skill, interest, and stubbornness of the
attacker.

Applications that use a particular 'Framework' such as VB's VB
Runtime, or VC's ATL or MFC can more easily be segmented into 'known'
blocks. For example, with VB it is possible to 'reconstruct' Forms,
Controls, Resources, and Classes.

With common libraries, such as ADO, no attempt is made to de-compile.
All that is needed is to identify the input and outputs.

User Controls can be simply 'stolen' and reused. (A more difficult
task.)

Algorithms can be 'reconstructed' to a degree. Depends on the overall
structure, how self-contained, the inputs, outputs, etc.

Most attackers will not attempt to 'back-track' or reconstruct all or
most of the original code whether Pascal, Delphi, C, C++, or VB - what
they will do is get blocks, functions, or objects back to some kind of
C or Assembly which they can manipulate and re-use in another project
based on one of those platforms. Once again it is not necessary to
fully de-compile or re-engineer an application to steal intellectual
property.

-ralph

ralph

Jun 1, 2011, 10:33:02 PM
On Wed, 1 Jun 2011 11:12:36 -0700, "David Kaye"
<sfdavi...@yahoo.com> wrote:

Forgot to address your main question.

Others have given suggestions. Encryption makes it a tad more
difficult/interesting to re-engineer but ultimately would only be a
minor speed-bump.

At some point there will be executable code running - that code can be
viewed.

If an Attacker can run it - they can own it.

-ralph

MikeD

Jun 1, 2011, 10:53:11 PM

"David Kaye" <sfdavi...@yahoo.com> wrote in message

news:is6b3k$s8f$1...@dont-email.me...

I'm not saying you couldn't have found one of the rare and untouched niche
markets, but that's really irrelevant. The fact is, IF it's untouched and
other people THINK it could be profitable, the simple fact of your app being
out there (enlightening other developers, so to speak) could drive
development of it. Anybody that wanted to get into that same market isn't
likely to be interested in your actual code. Therefore, your concerns are
completely backwards. It's the UI that anybody can copy easily because,
obviously, that's what people see when they run your program. The code
itself, you really don't need to worry too much about. As Jeff said, if
somebody really wanted to decompile your code, they'd find a way regardless
of what you do.

If you REALLY think you've got something that you're first in, then you need
to apply for a patent, and have that awarded, BEFORE you release your app.
What you need to protect is your idea, not your program's code. Now whether
a patent can do that fully, I don't know. A combination of a patent and
officially copyrighting your code might not be a bad idea IF you really,
truly think you've got something that NOBODY else has EVER thought of (sorry
if I sound just a bit skeptical).

--
Mike

MikeD

Jun 1, 2011, 11:00:49 PM

"BeeJ" <nos...@spamfree.com> wrote in message
news:is6f3h$mqn$1...@speranza.aioe.org...

This coming from a person who has to ask questions about everything...most
of which he could find the answers to if he just put in some time and
investigation.

You're not even in the ballpark about what he's talking about. Granted,
David didn't really use the right term either.

Do a google search on "obfuscation".

--
Mike

David Kaye

Jun 2, 2011, 1:31:45 AM
"MikeD" <nob...@nowhere.edu> wrote

> If you REALLY think you've got something that you're first in, then you
> need to apply for a patent, and have that awarded, BEFORE you release your
> app. What you need to protect is your idea, not your program's code. Now
> whether a patent can do that fully, I don't know.

An idea cannot be patented or copyrighted; the execution of the idea can be
protected, however. For instance, tying your shoes cannot be patented, but
pink shoelaces with pictures of little bunnies on them can be. (The example
is a real one, actually.)

> A combination of a patent and officially copyrighting your code might not
> be a bad idea IF you really, truly think you've got something that NOBODY
> else has EVER thought of (sorry if I sound just a bit skeptical).

No problem with the skepticism. Believe it or not I know the niche market
thoroughly and nobody else is in it. That is also the crux of the problem:
It's going to be very hard to market it because there is no real generic
name for the kind of program, except for "DJ software". I've actually
called in a music/media attorney to try to figure out how to market the
thing.

dpb

Jun 2, 2011, 9:38:51 AM
On 6/2/2011 12:31 AM, David Kaye wrote:
...

> No problem with the skepticism. Believe it or not I know the niche market
> thoroughly and nobody else is in it. That is also the crux of the problem:
> It's going to be very hard to market it because there is no real generic
> name for the kind of program, except for "DJ software". I've actually
> called in a music/media attorney to try to figure out how to market the
> thing.

The question is is there any real money in it? If not, nobody is really
going to care and even if they do other than simply pride you're not out
anything, anyway.

If there is significant potential for money, as was said, folks will
spend whatever time it takes irregardless to get into the market once
it's opened up.

Best bet imo is to be first, be best and simply count on winning the
competition w/ the product. Copyright and document so that if there
ever is an infringement that is worth the money to fight you've got the
tools to prove that if it were to actually be so.

The key to the answer is that none of the big names are doing this for
executables--they have schemes for licensing and so on, but they
recognize that munging on executables to try to protect the code itself
is a fools' errand.

--

Jeff Johnson

Jun 2, 2011, 10:49:40 AM
"David Kaye" <sfdavi...@yahoo.com> wrote in message
news:is6ats$qvg$1...@dont-email.me...

>> Especially if it's VB classic (which I assume it is).
>
> VB 6.0 Enterprise or whatever the version with all the bells and whistles
> is called.

"VB Classic" means any version of VB before .NET.


David Kaye

Jun 2, 2011, 2:01:03 PM
"dpb" <no...@non.net> wrote

> The question is is there any real money in it? If not, nobody is really
> going to care and even if they do other than simply pride you're not out
> anything, anyway.

I'm not sure if there's money in it or not. I do know that when I mentioned
it to several venue operators they wanted to buy it, though it's not ready
yet. That's a good sign, I think.

> Best bet imo is to be first, be best and simply count on winning the
> competition w/ the product. Copyright and document so that if there ever
> is an infringement that is worth the money to fight you've got the tools
> to prove that if it were to actually be so.

I also established prior art about 10 years ago when I first began
developing the software, by distributing copies (actually, embarrassingly
bad versions) to various folks, so I think I'm in decent shape for patent
and trademark issues. You're right about copyright. I should do that as
well.

David Kaye

Jun 2, 2011, 2:01:43 PM
"Jeff Johnson" <i....@enough.spam> wrote

>
> "VB Classic" means any version of VB before .NET.

Or perhaps, "VB, the great years before Microsoft screwed it up..."

Henning

Jun 2, 2011, 3:52:22 PM

"David Kaye" <sfdavi...@yahoo.com> skrev i meddelandet
news:is8j50$m72$1...@dont-email.me...

That might screw the patent chances, it's already known in public.

/Henning


dpb

Jun 2, 2011, 4:56:24 PM
On 6/2/2011 2:52 PM, Henning wrote:
...

> That might screw the patent chances, it's already known in public.

...

Not if didn't disclose the method but only the result (_IF_ {the
proverbial "big if"} there's anything that is truly patentable anyway.

Would seem more likely that simply the copyright and licensing
protection of almost all other commercial software is all there is to be
done unless this is truly a multi-million mega-deal block buster about to
be released here...(hey, I'd have never thought something like Facebook
was of any commercial value either being basically (pun intended) a
closet old fogey luddite, so what do I know :) )

--

David Kaye

Jun 3, 2011, 2:59:17 AM
"Henning" <comput...@coldmail.com> wrote

>
> That might screw the patent chances, it's already known in public.
>

A patent is public. No, by prior art I mean that I've defined the
parameters of the program early on, making it clear what I was doing so that
someone can't come now and claim a patent for things I invented. (No,
there's not much invention here, but enough minutiae that it might be worth
protecting.)

Here's a scary example: About 10 years ago a guy claimed that he had
invented IVR (interactive voice response), or the basic "push 1 for the main
menu, push 2 to reach an operator", etc. He had filed a patent which was
bogus because IVR goes back decades. The problem was in finding prior art
that established that IVR had been done long before the patent was filed.
The guy began suing people left and right, and so cowed MCI that they
actually ended up paying him royalties.

Then the call went out for people to look in their attics and basements for
any devices, operating manuals, even ads in trade magazines proving that IVR
had existed long before the guy had filed the patent.

Finally, some prior art came through and the patent was rejected.

Nobody

Jun 3, 2011, 7:21:39 AM
"David Kaye" <sfdavi...@yahoo.com> wrote in message
news:isa0o2$jsq$1...@dont-email.me...

You can use digital time stamp services, in which case you download a
software, or upload your files (could be a ZIP file), and they use the time
stamp from their server. This can be done without having to send the actual
file. The software calculates a checksum of the file, and sends that
checksum. This cannot be fooled by setting your PC date to future or past
dates. Search the web for "digital time stamp service". This proves that the
file was created on or before that date, so it can be used to see who came
up with the idea first, or who did the work. It's better to use more than
one service, just in case one goes out of business, or turns out not to be
trustworthy.

http://en.wikipedia.org/wiki/Trusted_timestamping
http://en.wikipedia.org/wiki/ENotary

Or the classic way:

http://en.wikipedia.org/wiki/Notary_public
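
The "send only a checksum" step described in the post above, as an added example that is not part of the original thread: it builds an RFC 3161 timestamp request (the protocol behind the Trusted timestamping link) by hand and confirms that the file's bytes never enter the request. The choice of SHA-256, the sample bytes and the function names are assumptions made for this illustration.

```python
import hashlib
import secrets
from typing import Optional

# DER encoding of AlgorithmIdentifier { id-sha256 (2.16.840.1.101.3.4.2.1), NULL }
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")

def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER tag-length-value triple."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_uint(value: int) -> bytes:
    """DER INTEGER for a non-negative value (a leading 0x00 keeps it positive)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(data: bytes, nonce: Optional[int] = None) -> bytes:
    """Return a DER TimeStampReq (RFC 3161) carrying only SHA-256(data)."""
    digest = hashlib.sha256(data).digest()
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the client match reply to request
    message_imprint = der(0x30, SHA256_ALG_ID + der(0x04, digest))
    body = (
        der_uint(1)            # version v1
        + message_imprint      # hash algorithm + digest of the file
        + der_uint(nonce)
        + der(0x01, b"\xff")   # certReq = TRUE: ask the service for its cert
    )
    return der(0x30, body)

def request_covers(request: bytes, data: bytes) -> bool:
    """True if the encoded SHA-256 of data appears in the request.

    Substring check on the OCTET STRING, adequate for requests built here.
    """
    return der(0x04, hashlib.sha256(data).digest()) in request

# Constructed sample standing in for a release archive.
SAMPLE = b"constructed sample: bytes of a release ZIP, version 1.0"

if __name__ == "__main__":
    req = build_timestamp_request(SAMPLE, nonce=0x1234)
    print(len(req), "bytes:", req.hex())
```

The request is 63 bytes regardless of file size; a timestamping service signs that digest together with its own clock value, so the client's PC date plays no part.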


David Kaye

Jun 3, 2011, 8:57:26 PM
"Nobody" <nob...@nobody.com> wrote

> You can use digital time stamp services, in which case you download a
> software, or upload your files (could be a ZIP file), and they use the time
> stamp from their server.

It's a moot point. I've already established prior art by sending the
product to several people who installed it on their computers. They also
have copies of the manual. I'm not concerned about establishing the date I
had version 1.0. It's established.

As to the digital time stamp thing, I don't know how well that would go over
in court. Those kinds of things are easy to fake. All you need is a helper
on the inside who temporarily changes the date. To me this seems as bogus a
solution as mailing a manuscript to yourself to establish the date you wrote
it. It doesn't hold up in court because it's too easy to fake.

David Kerber

Jun 6, 2011, 11:31:59 AM
[This followup was posted to microsoft.public.vb.general.discussion and
a copy was sent to the cited author.]

In article <is6b3k$s8f$1...@dont-email.me>, sfdavi...@yahoo.com says...


People have been trying to find a decompiler for classic VB apps for
ages, and I've never heard of one that would work with any reliability.
The best they can do consistently is dig out a few of your hard-coded
strings from your .exe file, and some simple obfuscation would even hide
those.
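
What "dig out a few of your hard-coded strings" and "simple obfuscation" look like when you audit your own build, as an added example that is not from the thread: a strings-style scan for ASCII and UTF-16LE runs over a constructed byte blob. The blob, both literals, the single-byte XOR mask and the assumption that the literals are stored as UTF-16LE are all made up for this illustration.

```python
import re

MIN_LEN = 6  # shorter runs are mostly noise in binary data
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE text: each printable ASCII byte is followed by 0x00
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def visible_strings(blob):
    """Return the printable runs a strings-style scan would pull from blob."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return found

def xor_mask(text, key):
    """Store text as UTF-16LE with every byte XORed with key (toy masking)."""
    return bytes(b ^ key for b in text.encode("utf-16-le"))

def xor_unmask(masked, key):
    """What the program itself must do at run time before using the text."""
    return bytes(b ^ key for b in masked).decode("utf-16-le")

# Constructed sample data, not taken from any real executable.
PLAIN = "Server=db01;Pwd=example-only"
HIDDEN = "LicenseSeed=EXAMPLE-0000"
KEY = 0xA5
BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00"
    + PLAIN.encode("utf-16-le") + b"\x00\x00\xff\xfe"
    + b"MSVBVM60.DLL" + b"\x00\x01"
    + xor_mask(HIDDEN, KEY) + b"\x00\x00"
)

if __name__ == "__main__":
    for s in visible_strings(BLOB):
        print("visible:", s)
    print("masked literal visible:", HIDDEN in visible_strings(BLOB))
```

The masked literal drops out of the scan, but the key and the unmasking routine ship inside the same binary, so this only raises the effort needed to read it.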
