Preventing script from being replicated on a defined number of hosts

SkySmart · February 15, 2013, 1:58pm

ok. i have an extensive program written predominantly in borne shell. i have to give an "evaluation" copy of this program to a user so she can test it out and see if she wants it. problem is, i dont have an evaluation copy. and even if i did, im worried the evaluation copy can be edited to override whatever logic i built into it to prevent it from being used as though it were the full product.

my question is, how can i edit the script so that the user can only run it on a specific number of hosts? or how do i package the script altogether so as to prevent unauthorized use?

panyam · February 15, 2013, 2:26pm

Use script compiler such as shc to creates a executable version of your script and pass the same to your colleague.

refer this link for example:

http://nixcraft.com/shell-scripting/15784-secure-script-code-hide-bash-source-code.html

DGPickett · February 15, 2013, 2:34pm

Well, have the script check the host name and/or datem and embed the script into C. To prevent tampering and keep the C simple, run the script through a compressor and an encryption and a base 64 encoder into a static string variable. The C can run it backwards from string to decoder to uncompress to sh, so it only exists on the pipe, and the values in the script cannot be patched over in the C object file. I am not sure even a crypto layer is necessary after compression and base 64.

I like the script compiler! Unfortunately you can find strings in code and change them, and it still runs, so you may need to do more. For instance, I had a lib with a trapdoor password so I changed the trapdoor password to be different and invalid. I worte a simple c program to copy binary files finding and replacing strings $1 to $2 (same length).

SkySmart · February 15, 2013, 3:06pm

thank you guys. i'll check these out.

DGPickett · February 15, 2013, 3:56pm

If you cannot find base64, uuencode or even hex is an alternative. Put the host and date checks inside the encrypted/encoded/compressed script.

SkySmart · February 15, 2013, 4:27pm

can you please provide an example?

DGPickett · February 15, 2013, 4:48pm

Well, encoding usually means taking 6 bits at a time of the binary and encoding them in some of the innocuous ascii valuse between ' ' and '~', for instance adding them to '!'. Hex is just a 4 bit version of the same. Nobody has been desperate enough to find a way to encode using 96 characters for 6.5 bits a character. Here is an example of what a hacker sees if you compress plain text and then convert it to hex:

$ echo hidden data string |bzip2|od -x
0000000 425a 6839 3141 5926 5359 e937 8426 0000
0000020 0551 8000 1040 0026 e11c 0020 0031 0340
0000040 d029 a635 3c45 9ac0 17b9 7f4d 8256 68bb
0000060 9229 c284 8749 bc21 3000
0000071

Encoding 4 bits is easy:

$ vim hexify 
 
#include <stdio.h>
main(){
int c ;
int o ;
int llen = 0;
 while ( EOF != ( c = getchar())){
   putchar( '0' + ( c & 15 ));
   putchar( '0' + ( c >> 4 ));
   if ( 70 < ( llen += 2 )){
        putchar( '\n' );
        llen = 0 ;
    }
  }
 if ( llen ) putchar( '\n' );
}
~
~
~
"mysrc/hexify.c" 21 lines, 264 characters 
$ mycc hexify
$ echo hidden data string | bzip2 | hexify
24:586931314956235959>734862000050150800010400621><10002001330040=926:53
<354:90<719;?7=4286586;;29922<487894<;1203
$

It seems bzip2 expands small things a lot!

SkySmart · February 19, 2013, 5:53pm

dgpickett:

Well, encoding usually means taking 6 bits at a time of the binary and encoding them in some of the innocuous ascii valuse between ' ' and '~', for instance adding them to '!'. Hex is just a 4 bit version of the same. Nobody has been desperate enough to find a way to encode using 96 characters for 6.5 bits a character. Here is an example of what a hacker sees if you compress plain text and then convert it to hex:
$ echo hidden data string |bzip2|od -x
0000000 425a 6839 3141 5926 5359 e937 8426 0000
0000020 0551 8000 1040 0026 e11c 0020 0031 0340
0000040 d029 a635 3c45 9ac0 17b9 7f4d 8256 68bb
0000060 9229 c284 8749 bc21 3000
0000071
Encoding 4 bits is easy:
$ vim hexify 
 
#include <stdio.h>
main(){
int c ;
int o ;
int llen = 0;
 while ( EOF != ( c = getchar())){
   putchar( '0' + ( c & 15 ));
   putchar( '0' + ( c >> 4 ));
   if ( 70 < ( llen += 2 )){
   putchar( '\n' );
   llen = 0 ;
   }
  }
 if ( llen ) putchar( '\n' );
}
~
~
~
"mysrc/hexify.c" 21 lines, 264 characters 
$ mycc hexify
$ echo hidden data string | bzip2 | hexify
24:586931314956235959>734862000050150800010400621><10002001330040=926:53
<354:90<719;?7=4286586;;29922<487894<;1203
$ 
It seems bzip2 expands small things a lot!

i read this multiple times but i cant seem to understand. let me break this down in my simple terms and hopefully you can help me understand what you're doing it.

say i have a script that contains:

#!/bin/bash

echo "You are welcome"
echo "You are the greatest"

Now this script is named

aboutme

I need to send this script to a user, but i dont want this user to be able to view what's in aboutme.

when i zip up aboutme and i send it to the user, i want to make sure all that the user needs to do, in order to run this script will be:

unzip aboutme.zip
./aboutme

how can your encryption method make this feasible?

uuencode aboutme.uu

./aboutme.uu ?

DGPickett · February 20, 2013, 2:35pm

In place of a shell script, you deliver a C program that has the shell script, compressed and uuencoded, in a static string variable, which it runs by popen( "uudecode | gunzip | sh", "w" ) and writing the encrypted script to the pipe. The C program never changes but in the string variable and name, to run any number of scripts. If there are command line variables, you need to move them from argv to quoted on the popen command line, or restructure the script for them to arrive on stdin.

You could even just put the script in the string variable as hex and un-hex it as you write the pipe, so you need no uudecode or gunzip. The hexification means it is not obvious to the 'string' command.