Creating Secure Standalone Binaries for 9/X
Kevin Spencer
I got a special project dumped on me recently. I'm an experienced Mac
tech with some strong, but basic, programming knowledge, so I get the
gist of code I read, and can write it after a bit of practice.
I was handed a Tcl script created for Windows that was used just fine
with an Internet access hardware product built by a company I contract
for. I've installed Tcl/Tk Aqua on my 10.3 system and also installed
the latest Tcl build in my Mac OS 9 layer.
My instructions were to
1) Create a standalone binary of the script usable in Mac OS 9 and X
2) Keep the script's code hidden so the company's IP is unreadable
3) Minimize the need to install any Tcl/Tk components in the OS, if possible
The script ran fine using Wish Shell (OS X) as well within its
counterpart in OS 9--that is, after I commented out a "package require
iwidgets" line that caused the script to abort, despite iwidgets being
from the Tcl/Tk Aqua install and likely the OS 9 Tcl install.
After a few hours research I was able to create a "fake" app by
inserting the script in a copy of a Wish Shell app package, which works
fine for OS X. However, I can't figure out how to lock down the app
bundle, so the IP of the script is unprotected.
The somewhat older Mac OS 9 Tcl parts included a Drag and Drop Tclets
app, described on many sites as the solution for creating the Tcl
binary for OS 9. However, I cannot drop my Tcl script on the applet for
some reason.
If I could use Xcode to create a Carbon application that works in 9 and
X that contains the script AND compile the app in such a way that
leaves its script non-human-readable, it would satisfy my goal. I'm
sure I can get Xcode to do the job--I just lack the expertise, but may
figure it out.
My question to any of you is: Am I barking up the right tree, or is
there a simplier method?
Thanks in advance....
Kevin
Andreas Leitgeb
> 2) Keep the script's code hidden so the company's IP is unreadable
Not least, because there is no such thing as "unreadable"
(well, short of normal perl-scripts).
Given enough motivation, one can even disassemble compiled C-code.
So, the necessary effort depends on how strong the barrier should be.
For 99% of the users, it's likely enough that it is not coded in
english language to make it intellegible for them.
> The somewhat older Mac OS 9 Tcl parts included a Drag and Drop Tclets
> app, described on many sites as the solution for creating the Tcl
> binary for OS 9. However, I cannot drop my Tcl script on the applet for
> some reason.
Most likely, the source you wanted to drop on the "D&D Tclets"
is marked as binary. Unless you have more comfortable tools to
change the type to TEXT, you can open a tclsh and use the command
resource (iirc) to change the file's type to TEXT. After that, you
should be able to drop it on "D&D Tclets". Of course the "companies IP",
(which I would have defined as the creativity and intelligence
of its staff, rather than their products)... forget it. The script
itself can always be retrieved by a sufficiently motivated techie.
Spencerian
they provided. I know that nothing is strictly uncrackable, but I have
to reduce the ability to easily obtain the information in the app. I
couldn't drag and drop my script for some reason, and I'll use your
idea to check on that...I suspected your idea as well.
--KS
On 2004-03-25 03:01:23 -0500, Andreas Leitgeb
Spencerian
Thanks for the tips. Fixing the type-creator codes to TEXT and WIsH
resolved the drag and drop issue, allowing me to create the OS 9
counterpart to the manually-created OS X app.
I've all but given up taking up the challenge of fully securing the
code in the app--it's really beyond my abilities for now. For now, I'd
love to be able to keep the console from appearing in the OS 9 app.
Everything else works fine, except for the code security, of course.
You pointed out the most significant part. Time to test the little apps
on systems without a Tcl/Tk install. If that works, well, 3 out of 4
ain't bad.
Although I'm running a newer version of Tcl that might not have the
glitch you noted, I will double check to ensure that known issue won't
resurface in my apps.
Much obliged to all for your help.
--KS
On 2004-03-25 23:08:59 -0500, Melissa Schrumpf
<reverse-comDOTy...@bogus.address> said:
> Kevin Spencer wrote:
>
>> My instructions were to
>
>> 1) Create a standalone binary of the script usable in Mac OS 9 and X
>
> Okay, not too bad...
>
>
>> 2) Keep the script's code hidden so the company's IP is unreadable
>
> Ergh.
>
>
>> 3) Minimize the need to install any Tcl/Tk components in the OS, if possible
>
>> After a few hours research I was able to create a "fake" app by
>> inserting the script in a copy of a Wish Shell app package, which works
>> fine for OS X. However, I can't figure out how to lock down the app
>> bundle, so the IP of the script is unprotected.
>
> We'll get back to this...
>
>
>> The somewhat older Mac OS 9 Tcl parts included a Drag and Drop Tclets
>> app, described on many sites as the solution for creating the Tcl
>> binary for OS 9. However, I cannot drop my Tcl script on the applet for
>> some reason.
>
>> If I could use Xcode to create a Carbon application that works in 9 and
>> X that contains the script AND compile the app in such a way that
>> leaves its script non-human-readable, it would satisfy my goal. I'm
>> sure I can get Xcode to do the job--I just lack the expertise, but may
>> figure it out.
>
>> My question to any of you is: Am I barking up the right tree, or is
>> there a simplier method?
>
> Okay, for OS 9...
>
> The MacOS Classic way of doing this is to cram the text of the tcl
> script into a resource of a copy of the Wish binary. All the Drag &
> Drop Tcllets thing does is copy the text of your script into the
> resource: TEXT -- ID 3114. If you get a copy of ResEdit (or Resourcer,
> or what have you), you can copy & paste your own code into this
> resource with ease.
>
> Of course, as Andreas said, it's probably just a matter that the file
> type appears wrong. However, the EASIEST way to make the file type and
> creator change is to open the script file in SimpleText, make a minor
> change (type a space and delete it), and save the file. This _should_
> change the type & creator, and Drag & Drop Tcllets should now accept
> it. But that might not give you a stand-alone app.
>
> Something else you should know about the MacOS Classic app...
> Earlier versions had a bug in the stand-alone Wish app. I'm not sure
> if this has been fixed since, but they would fail to run on machines
> without a full Tcl/Tk installation. This was back in the 8.3.3 days.
> It seemed that the "Simple Tk" didn't include msgcat. From my archives:
>
>> "Simple Tk (PPC)" (or 68k) is the correct binary. It is somewhat
>> broken in the 8.3.4 release: it is missing bgerror and msgcat, which
>> are contained in tcl/library/msgcat/msgcat.tcl.
>
>> Do this:
>
>> Copy "Simple Tk (PPC)" to "Simple Tk (PPC).edit"
>
>> Run ResEdit (or Resourcer, or whathaveyou). Open a "Simple Tk
>> (PPC).edit" in ResEdit. Open the "TEXT" resources. Open resource ID
>> 3014 "bgerror." Find the line that says:
>>
>> "package require msgcat"
>>
>> This will be right at the top.
>>
>> Next, open tcl/library/msgcat/msgcat.tcl in a text editor. Copy from
>> the beginning of the line:
>>
>> package provide msgcat 1.1.1
>>
>> through to the end of the file.
>>
>> Return to ResEdit. Delete the line "package require msgcat" and, in
>> its place, paste the code you copied from msgcat.tcl. Close all
>> resources and save.
>
>> Viola! You now have a fixed stand-alone Tk shell.
>
>
> As for encoding the IP, you might be able to make some sort of
> obfuscation... you could encrypt your code and store it in a resource,
> but you'll ultimately have to have a plain text proc that shows how to
> decrypt it. Beyond that, you may have to compile yourself a custom
> application. But even then it will contain its own decryption scheme,
> if only in machine code.