Visual Lisp ARX application security

Rakesh Rao

Feb 3, 1999, 3:00:00 AM

Is there any way that a Visual Lisp application compiled into an ARX can
be dis-assembled to yield the Lisp source code inside. In other words,
how good is the security of a Visual Lisp-ARX application.

Regards
Rakesh

*************************************************************
Rakesh Rao
GIS Software Development & Consulting

AutoLisp / ARX / menu customization.
GIS/Mapping/GPS AM/FM programming.
GeoData Conversion / QA and processing

email : rakes...@usa.net
http://home.pacific.net.sg/~rakesh.rao/cadgis.htm

Consultant Member of GIS Consultants Network
Visit us at http://www.giscn.com
************************************************************

Jon Fleming

Feb 3, 1999, 3:00:00 AM
In article <36B7DEE9...@usa.net>, Rakesh Rao wrote:
> Is there any way that a Visual Lisp application compiled into an ARX can
> be dis-assembled to yield the Lisp source code inside. In other words,
> how good is the security of a Visual Lisp-ARX application.

Of course there is a way. It is also possible to disassemble ACAD.EXE and
retrieve C source code. Neither is trivial.

It would be easier to retrieve a VL app than it would be to get C source
code out of ACAD.EXE. In either case, the variable names, function names,
and comments would not be retrieved.

It is certain that Autodesk has the knowledge required. Others could (or
may have already) reverse-engineered the file format. There is no data
available (as far as I know) indicating how many people in the world have
the technology. My guess is that very few people know.

There's also the question of how valuable your programs are, and how
likely it is that someone is going to _want_ to steal your program.

jrf


Tony Tanzillo

Feb 3, 1999, 3:00:00 AM
What's compiled into an ARX file is essentially
just .FAS files, and they've been cracked already.

Any byte-code compiled language can be decompiled,
so if security is what you want, then Visual LISP
is not as secure as Autodesk might mislead you into
believing. What's important to them, is that it
gives you a way to distribute LISP code in a form
that doesn't run on IntelliCAD.

If you really want security, I have a program that
can compress .EXE and .DLL files (including ARX)
by > 50%, and that makes it nearly impossible to
find anything in them.

You can find it here:

http://www.alenka.spb.ru/aspack

Rakesh Rao wrote:
>
> Is there any way that a Visual Lisp application compiled into an ARX can
> be dis-assembled to yield the Lisp source code inside. In other words,
> how good is the security of a Visual Lisp-ARX application.
>
> Regards
> Rakesh
>
> *************************************************************
> Rakesh Rao
> GIS Software Development & Consulting
>
> AutoLisp / ARX / menu customization.
> GIS/Mapping/GPS AM/FM programming.
> GeoData Conversion / QA and processing
>
> email : rakes...@usa.net
> http://home.pacific.net.sg/~rakesh.rao/cadgis.htm
>
> Consultant Member of GIS Consultants Network
> Visit us at http://www.giscn.com
> ************************************************************

--
/*********************************************************/
/* Tony Tanzillo Design Automation Consulting */
/* Programming & Customization for AutoCAD & Compatibles */
/* ----------------------------------------------------- */
/* tony.t...@worldnet.att.net */
/* http://ourworld.compuserve.com/homepages/tonyt */
/*********************************************************/

Rakesh Rao

Feb 4, 1999, 3:00:00 AM
Thanks Tony I will take a look.
Rakesh

Tony Tanzillo wrote:

> What's compiled into an ARX file is essentially
> just .FAS files, and they've been cracked already.
>
> Any byte-code compiled language can be decompiled,
> so if security is what you want, then Visual LISP
> is not as secure as Autodesk might mislead you into
> believing. What's important to them, is that it
> gives you a way to distribute LISP code in a form
> that doesn't run on IntelliCAD.
>
> If you really want security, I have a program that
> can compress .EXE and .DLL files (including ARX)
> by > 50%, and that makes it nearly impossible to
> find anything in them.
>
> You can find it here:
>
> http://www.alenka.spb.ru/aspack

*************************************************************

jda...@my-dejanews.com

Feb 4, 1999, 3:00:00 AM
In article <36B7DEE9...@usa.net>,

rakes...@usa.net wrote:
>
> Is there any way that a Visual Lisp application compiled into an ARX can
> be dis-assembled to yield the Lisp source code inside. In other words,
> how good is the security of a Visual Lisp-ARX application.
>
> Regards
> Rakesh
>
> *************************************************************
> Rakesh Rao
> GIS Software Development & Consulting
>
> AutoLisp / ARX / menu customization.
> GIS/Mapping/GPS AM/FM programming.
> GeoData Conversion / QA and processing
>
> email : rakes...@usa.net
> http://home.pacific.net.sg/~rakesh.rao/cadgis.htm
>
> Consultant Member of GIS Consultants Network
> Visit us at http://www.giscn.com
> ************************************************************
>
>

Of course anything is possible with the right amount of work and
effort. The FAS (Fast Load) byte code compiled format is proprietary
to Visual LISP and is what gets embedded into a compiled ARX. It's very
secure in terms of obscurity. In other words, it's not an industry
common format with a long history where a large community of hackers
have had time or desire to develop decompilers or editors for it.
In order to break it, someone would have to decode the FAS format
then write an interpreter to convert it into its equivalent AutoLISP
code. But even then, there's a lot more work because of the nature of
the VL environment, there are many extended functions integrated along
with the AutoLISP --> FAS that are purely Object ARX (i.e. C++) based.
Such a conglomeration of disciplines and obscurity serves to be a very
secure application. I am reminded of a few occasions when people I
didn't know personally had contacted me with some seemingly innocent questions
regarding my applications. Of course, being innately suspicious by nature
I never assume innocence, just never alluding to that disposition I may
have allowed them to assume that being an ARX application, it must have been
written in C++ and compiled with MSVC++, if they wish to do so. Of course
if their intention was in fact to attempt to decompile, that assumption
would have caused a great deal of frustration.

In any event, these observations are predominantly theoretical in nature.
There may very well be a hidden tunnel, so to speak. For example, maybe the
FAS format is actually based on some once well known and archaic format that
once this connection was discovered, an avid hacker would suddenly realize
a host of tools and techniques available for breaking into the format.

In addition to the obscurity of the FAS format is also the sheer lack
in the number of those who would be skilled enough within the AutoCAD
community to accomplish it *as compared to* say the world of Microsoft
applications. To be more specific, there is a vastly larger community of
highly skilled hackers out there ripping into Microsoft applications
than there are AutoCAD. I doubt many of them have even heard of VL
let alone have an interest in hacking any third party applications
for AutoCAD developed with it.

But this is only at present. Since VL has become more of a mainline
part of AutoCAD since Autodesk purchased it from Basis Software
(that's another story, so don't get me started!), it has dropped in
price from about $600 to $100, making it more accessible to a larger
market. But it is slated to become even more so when Autodesk integrates
it into AutoCAD, rather than it running externally (here again I have
great apprehensions and concern for the quality and stability as I did
when Autodesk purchased VL from Basis). All this increasing accessibility
and exposure considered, the present obscurity of VL will become less
a means of security. So things are fairly safe now, but I think this will
become much less the case, as things move along. These are many
of the reasons I disagreed with Basis selling out to Autodesk. Apparently
I didn't have much of a following early on in my comments on the newsgroups.
But I am sure in time, those who have been using VL long enough will put two
and two together and begin to see what I was talking about. Not only with
the security issues, but also the quality and stability issues.


Jesse Danes
Senior Draftsman / AutoCAD Admin
Honeywell, Home & Building Controls
Golden Valley, MN


Reini Urban

Feb 4, 1999, 3:00:00 AM
to Tony Tanzillo
Tony Tanzillo wrote:
> What's compiled into an ARX file is essentially
> just .FAS files, and they've been cracked already.

FAS has been cracked already???
i missed that. i hope you don't just refer to convert 7,
which even cannot decrypt it, not talking about disassembling.

The encryption or the byte-code VM or both?

disassembling MSVC C++ is quite easy in comparison to FAS.
--
Reini Urban
http://xarch.tu-graz.ac.at/autocad/news/faq/autolisp.html

Tony Tanzillo

Feb 4, 1999, 3:00:00 AM
You are quite wrong about this. But, of course that
is only because you are a proponent of LISP over
everything else, and your opinion is not in the
least bit objective.

Any byte-code compiled language can be decompiled
very easily, much easier than Decompiling C++.

That is why Java .class files must be encrypted.

Yes, FAS has been cracked.

--

Reini Urban

Feb 4, 1999, 3:00:00 AM
Tony Tanzillo <tony.t...@worldnet.att.net> wrote:
: You are quite wrong about this. But, of course that
: is only because you are a proponent of LISP over
: everything else, and your opinion is not in the
: least bit objective.

it is true that i favour LISP over everything else, but this didn't harm my
objectivity on this certain subject.

: Any byte-code compiled language can be decompiled
: very easily, much easier than Decompiling C++.

this is generally true, because the abstract machine in a
VM is usually much easier to understand and decompilable
than machine code.
and almost every byte-code based compiler has a disassembling
function included. this intermediate code for the abstract and easy to
understand machine is clearly easier to read than the typical disassembled
code. plus you don't need to find the segments typical for an exe or dll.

: That is why Java .class files must be encrypted.

my insights came from the knowledge that the sources for the compiler and
the vlisp vm are not known, in contrast to java, perl, python bytecode or
msvc, gcc, ... produced machine code. there it is quite easy to guess these
complicated parts out, because of known libraries, compilation of typical
and often used constructs. segments are a problem but i.e. with the IDA
(interactive disassembler) it is quite easy to play with these unknown
borders till you get it. much better than the stupid sourcer.
for vlisp you don't know the encryption, and not the vm, if a pure
stack-machine, a pure register machine or mixed model. guessing bytecodes
and abstract commands is kind of hard too in comparison to known vm's as the
java, perl or python (as the most popular ones)

a point for you is that lisp byte-code is much better described in
literature than others. "structure and interpretation of computer programs" or
"lisp in small pieces" are goldmines for compiler writers.

: Yes, FAS has been cracked.

hmm, that's bad indeed.
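
Added example, not part of any post in this thread: the exchange above turns on how much of a program survives byte-code compilation when the VM is documented. The sketch uses Python, one of the known VMs named above, and its bundled `dis` module; the sample source, the placeholder key and the function names are constructed for illustration, and nothing here describes the FAS format.

```python
import dis
import types

# Constructed sample: a tiny module as a vendor might ship it in compiled form.
SAMPLE_SOURCE = '''
# secret vendor comment: algorithm notes
def check_license(key):
    expected = "DEMO-KEY-0000"   # constructed placeholder value
    return key == expected
'''

def compile_only(source):
    """Compile to a code object, standing in for the shipped byte-code file."""
    return compile(source, "<shipped>", "exec")

def walk_code(code):
    """Yield the code object and every nested one (functions, lambdas)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)

def recover(code):
    """Collect what survives compilation: strings, identifiers, opcodes."""
    strings, names, listing = set(), set(), []
    for obj in walk_code(code):
        names.add(obj.co_name)
        names.update(obj.co_names)     # globals and attributes referenced
        names.update(obj.co_varnames)  # arguments and local variables
        strings.update(c for c in obj.co_consts if isinstance(c, str))
        for ins in dis.get_instructions(obj):
            listing.append((obj.co_name, ins.opname, ins.argrepr))
    return {"strings": strings, "names": names, "listing": listing}

if __name__ == "__main__":
    report = recover(compile_only(SAMPLE_SOURCE))
    print("strings:", sorted(report["strings"]))
    print("names:  ", sorted(report["names"]))
    for owner, opname, arg in report["listing"]:
        print(f"{owner:15} {opname:20} {arg}")
```

For this VM, string constants and identifiers remain in the compiled object and only the comments are lost, so anything embedded in shipped byte-code should be treated as readable by the recipient.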

Tony Tanzillo

Feb 8, 1999, 3:00:00 AM
Get lost.


Dave Lewis wrote:
>
> How? Let's see.
>
> Tony Tanzillo <tony.t...@worldnet.att.net>


> |>Yes, FAS has been cracked.
>

> Dave Lewis
> Senior Cad Drafter/Designer
> Pacific Advanced Civil Engineering, Inc.

Ralph Gimenez

Feb 9, 1999, 3:00:00 AM
I don't think your reply to Dave Lewis ...

Tony Tanzillo wrote in message <36BFB035...@worldnet.att.net>...
>Get lost.


... is appropriate.

It's a viable question, one that developers should be concerned about.

OK, let's "re-phrase" the question.

1. Who cracked FAS?
2. What kind of "stuff" is revealed from the output of a cracked FAS file?

Ralph Gimenez

Tony Tanzillo

Feb 9, 1999, 3:00:00 AM
Ralph Gimenez wrote:
>
> I don't think your reply to Dave Lewis ...
> ... is appropriate.

With regards to my comment to Dave, I don't really
care what you think.

> It's a viable question, one that developers should
> be concerned about.
>

> OK, let's "re-phrase" the question.......

No, it is not a viable question. If you were to
employ even a modest amount of common sense, you
would realize that this newsgroup is read by those
who want to protect their work, AS WELL AS those
who have a desire to defeat such protection.

So, as far as reverse-engineering .FAS goes, there
will be no further discussion or information on that
topic from me.

Byron Blattel

Feb 9, 1999, 3:00:00 AM
What happened to the messages posted to this thread this morning?

Byron Blattel

Feb 9, 1999, 3:00:00 AM
Actually, I'm more interested in a response to the question why the
items were removed. I don't think that the comments were nasty or
diverging from the topic. The rest of the thread remains, so the topic
wasn't the problem. Anne?

Dave Lewis wrote:
>
> oH you mean this 1
>
> Even though autodesk tries to delete it, it still lives on thousands of hard disks.
>
> Tony, I am working on a visual lisp shareware app where my partner is concerned
> about the FAS being cracked. So it is a valid question, so don't be a ahole because
> you think you know it all.

> Byron Blattel <cad...@texas.net>


> |>What happened to the messages posted to this thread this morning?
>

> Dave Lewis
> Senior Cad Drafter/Designer
> Pacific Advanced Civil Engineering, Inc.

--
|
----+----------------------------------------------
| Byron Blattel
| CADwerx---Applications for AutoCAD
|
| e-mail: cad...@texas.net
| web site: http://lonestar.texas.net/~cadwerx
| fax #: 1(512)892-0920

Tony Tanzillo

Feb 9, 1999, 3:00:00 AM
Consider this to be a repeat of the two-word
response I gave you earlier.

Anne Brown

Feb 9, 1999, 3:00:00 AM
Byron and all -

The messages removed this morning were not technical. They were a
personal confrontation between three members of the newsgroup.
They were removed according to the Ground Rules for the
Newsgroups. There are other messages that have been removed
lately due to profane (but unfortunately all too commonly used)
words scattered throughout the messages. Please refrain from
personal attacks and nasty words! An email is always sent to the
poster telling them their message has been removed, pointing them
to the ground rules and asking them to repost without profanity
and with politeness.

***
Following are the basic ground rules for the Professional
Networks Newsgroups. The full text including a Questions and
Answers section may be found at
http://www.autodesk.com/support/discsgrp/discqa.htm#gr.

The Autodesk-sponsored discussion groups are intended to be
constructive, informative, and helpful for our customers and
industry partners, so please note:

Messages containing offensive language or references will be
removed.

Messages containing personal attacks against other
discussion-group members will be removed. (snip)

--
Anne Brown
Autodesk Sysop
Discussion Q&A: http://www.autodesk.com/discussion