ok. i have an extensive program written predominantly in borne shell. i have to give an "evaluation" copy of this program to a user so she can test it out and see if she wants it. problem is, i dont have an evaluation copy. and even if i did, im worried the evaluation copy can be edited to override whatever logic i built into it to prevent it from being used as though it were the full product.
my question is, how can i edit the script so that the user can only run it on a specific number of hosts? or how do i package the script altogether so as to prevent unauthorized use?
Well, have the script check the host name and/or datem and embed the script into C. To prevent tampering and keep the C simple, run the script through a compressor and an encryption and a base 64 encoder into a static string variable. The C can run it backwards from string to decoder to uncompress to sh, so it only exists on the pipe, and the values in the script cannot be patched over in the C object file. I am not sure even a crypto layer is necessary after compression and base 64.
I like the script compiler! Unfortunately you can find strings in code and change them, and it still runs, so you may need to do more. For instance, I had a lib with a trapdoor password so I changed the trapdoor password to be different and invalid. I worte a simple c program to copy binary files finding and replacing strings $1 to $2 (same length).
Well, encoding usually means taking 6 bits at a time of the binary and encoding them in some of the innocuous ascii valuse between ' ' and '~', for instance adding them to '!'. Hex is just a 4 bit version of the same. Nobody has been desperate enough to find a way to encode using 96 characters for 6.5 bits a character. Here is an example of what a hacker sees if you compress plain text and then convert it to hex:
i read this multiple times but i cant seem to understand. let me break this down in my simple terms and hopefully you can help me understand what you're doing it.
say i have a script that contains:
#!/bin/bash
echo "You are welcome"
echo "You are the greatest"
Now this script is named
aboutme
I need to send this script to a user, but i dont want this user to be able to view what's in aboutme.
when i zip up aboutme and i send it to the user, i want to make sure all that the user needs to do, in order to run this script will be:
unzip aboutme.zip
./aboutme
how can your encryption method make this feasible?
In place of a shell script, you deliver a C program that has the shell script, compressed and uuencoded, in a static string variable, which it runs by popen( "uudecode | gunzip | sh", "w" ) and writing the encrypted script to the pipe. The C program never changes but in the string variable and name, to run any number of scripts. If there are command line variables, you need to move them from argv to quoted on the popen command line, or restructure the script for them to arrive on stdin.
You could even just put the script in the string variable as hex and un-hex it as you write the pipe, so you need no uudecode or gunzip. The hexification means it is not obvious to the 'string' command.