Protecting widget code

Is it at all possible?

I've recently written an HTML application (HTA) that is essentially a PasswordSafe of sorts that allows you to save website usernames and passwords as well as account information and payment links in one application with one password protecting them. While I have a few mechanisms in place to protect the data files from someone easily pilfering the contents, I realize that if someone can easily browse the code it isn't all that hard to discern the processes used for generating the encrypted data files and therefore decrypting the data. So, to that end I've used a code obfuscator/encrypter on the HTA code that will stop, if not severely deter, most people from even trying to steal the code. While I know nothing is perfect, I don't think the information in these files is interesting enough to really get someone with the capabilities to reverse engineer the code to try.

Anyway, the reason for my post is that I am considering creating a DX widget out of the app but if I can't at the very least obfuscate portions of the code it really wouldn't be worth the trouble. I have DX Professional and I know I can create a widget exe but that is not really any help because anyone with DX Pro can just import the widget and get the script code. So, is there an obfuscator or encryptor for DX widget code?

Any tips would be appreciated.
9,025 views 24 replies
Reply #1 Top
Well... You could base the data encryption on the user's password. You could create a hash based on the user's password, then use the actual password as the private key to encrypt the contents.

Basically, it would create a new hash of the typed password, check if it matches the stored hash, then decrypt the stored information. This is the fastest way to check before loading the possibly huge file and decrypting it.



Well, the other way would be to simply try to decrypt the stored info directly using the password input, but if the file is huge it may be a problem when the password was wrong or mistyped.


Note: this WILL require the user to input a password each time it has to load the data file! But this way it wouldn't matter if someone cracked and got the entire source code. It doesn't contain the info needed to actually read the worthy private information.
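The scheme described in Reply #1, as an added example that is not part of the thread or any poster's code: the key is stretched from the master password, a stored verifier gives the cheap check before decryption, and nothing in the source code helps an attacker who lacks the password. Node.js `crypto`, scrypt, AES-256-GCM and all function names are assumptions chosen for illustration.

```javascript
// Added example; function names and parameter choices are hypothetical.
const nodeCrypto = require('node:crypto');

// Stretch the master password into 64 bytes:
// the first 32 become the AES key, the last 32 a stored verifier.
function deriveKeys(password, salt) {
  const out = nodeCrypto.scryptSync(password, salt, 64);
  return { encKey: out.subarray(0, 32), verifier: out.subarray(32) };
}

// Encrypt the vault. Only salt, IV, verifier, tag and ciphertext are stored;
// the password and the key never touch the disk.
function sealVault(password, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const { encKey, verifier } = deriveKeys(password, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, verifier, tag: cipher.getAuthTag(), ct };
}

// Returns the plaintext, or null when the password is wrong
// or the stored file has been altered.
function openVault(password, vault) {
  const { encKey, verifier } = deriveKeys(password, vault.salt);
  // Cheap check before touching a possibly large ciphertext.
  if (!nodeCrypto.timingSafeEqual(verifier, vault.verifier)) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', encKey, vault.iv);
  decipher.setAuthTag(vault.tag);
  try {
    return Buffer.concat([decipher.update(vault.ct), decipher.final()]).toString('utf8');
  } catch (e) {
    return null; // GCM tag mismatch: ciphertext was modified
  }
}
```
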
Reply #2 Top
Hmm... DX Pro will open widgets; so will the standard DX. But I haven't found myself able to import Gadgets (stand-alone) with either of them.
Reply #3 Top
Thomassen is correct. Gadgets cannot be 'dissected', so you are safe to use your code in the building of a gadget, and only distribute that executable file.
Reply #4 Top
XX,

Thanks but I'm not looking for a way to encrypt the passwords as I already have several techniques in place to achieve that. I've actually done something similar to what you've suggested but I'm actually using different keys and salt values to encrypt each password, and I have developed a system to re-create the proper information when it comes time to decrypt the data.

Thanks for the suggestions!
Reply #5 Top
DX Pro will open widgets; so will the standard DX. But I haven't found myself able to import Gadgets (stand-alone) with either of them.


Perfect! Now, the question is can I create gadgets with DX Pro? Sorry for the silly question but it's been a bit since I've messed around with it to actually create anything.
Reply #6 Top
The "new" Pro was the old Enterprise.
You probably have the "old" Pro, now called "Standard"
https://www.stardock.com/products/desktopx/purchase.asp

To check, try to export an object.

If you can export it as a gadget, you have Pro and are set. If you have widget, you are standard and need to upgrade. The link above can assist you there too.


Posted via WinCustomize Browser/Stardock Central
Reply #7 Top
Thanks for the info Zubaz! It turns out I do have the new Pro as I have the export as gadget option. Now all I need to do is re-write it for DX.
Reply #8 Top
Mine says PRO but I can't make gadgets, so I'm assuming I have the old one. Should I have gotten the new one with ODNT, or would it be extra? I have been wanting to make gadgets and can't.
Reply #9 Top
The new Pro is an extra cost. I think it's $70 US.

There was a special a while back . . but I couldn't hide the required money from the wife. Missed a great window of opportunity.

Anyone wanting to donate to my DX Pro fund can reach me by email.


Posted via WinCustomize Browser/Stardock Central
Reply #10 Top
There was a special a while back


That's when I purchased it. I couldn't have justified the expense otherwise but it was such a deal I had to go ahead and get it! I believe it was something like $40 off the current price. So, instead of $70 it was $30, quite a steal!
Reply #11 Top
Yeah. I missed the special too. Oh well.

Ohh, I thought you wanted to protect the data and were concerned about code revealing a way to decode that data.

Yeah, gadgets are the best way to prevent code from being read. It's also the reason I want to buy DX Pro, but couldn't justify that yet.

I already recreated xxcalc using DesktopX and it works.
Reply #12 Top
You might still want to check with Stardock how secure this is. I think perhaps they've got a utility to open gadgets. I could be wrong, but I imagine that I saw someone who'd lost their source file and only had the gadget file and SD could extract it for him/her.
And I wonder if there might be some temp data which allows you to read the code when it's being run. (REALLY not sure about this one though. I might be confusing it with widget cache.) But since you are making a password manager you probably want to make sure.
Reply #13 Top
Ohh, I thought you wanted to protect the data and were concerned about code revealing a way to decode that data


Well, kind of. I have the data files encrypted and then I also compress them so they are very much unreadable. However, if someone had access to the code they could with some work reverse engineer the steps taken to encrypt the data and then write some code to decrypt the encrypted data. This would not be an easy task as I use different data to encrypt every password and the password that is used to protect the data file is encrypted in a random method every time and is stored using an SHA1 hash. Oooh, typing this gives me an idea!! Man, I just wish I could create the graphics for this myself, it would go much faster but I guess non-graphic inclined folks such as myself can't be too picky..
Reply #14 Top
Well. Use something that would take a decent computer centuries to crack.

There ARE encryption schemes that cannot be reverse engineered to somehow recover the contents without having any private key. Never use obscurity as security. So many people made that mistake.

Hmm interesting website. http://www.cryptography-tutorial.com/cryptosource.htm
Reply #15 Top
Stardock does have a gadget de-compiler that they can use to re-create a widget from a gadget in case of the creature losing source code etc.
Reply #16 Top
lol, creature... you mean creator? Although... on second thought in this place it might be more apt...
Reply #17 Top
You might still want to check with Stardock how secure this is. I think perhaps they've got a utility to open gadgets. I could be wrong, but I imagine that I saw someone who'd lost their source file and only had the gadget file and SD could extract it for him/her.


This would be me, and yes they have a de-compiler for the EXE code that DX PRO Generates, as they have the compiler as well. But they would have to be the ones to de-code it.

It helped me, but they were really good to do it for me. I don't see them decompiling someone's code just to see how they encrypted something.

Reply #18 Top
This would be me, and yes they have a de-compiler for the EXE code that DX PRO Generates, as they have the compiler as well. But they would have to be the ones to de-code it.

But if they can do it, some reverse engineer can most likely do it as well. Sure, you can do that with "normal" software as well, but I'm just wondering how much easier/more difficult it would be.
Reply #19 Top
Never use obscurity as security


XX, I'm definitely not using just obscurity. I'm using an industry standard 256-bit cypher to encrypt the data. I've simply added some randomness to the key and salt generation such that the values used to encrypt a given piece of text are more unique than if I had used the same key and salt value for every call to encrypt data. The encryption is actually done using an open-source ActiveX dll that I found out on the web, so it's using an actual compiled binary for this purpose. Which is possibly one thing that would keep me from being able to release it if I ever get it to that point.

some reverse engineer can most likely do it as well


thomassen, I would guess this probably depends on what the actual compilation process does to the data. Seeing as Gadgets are based on a scripting language the scripts have to be kept in such a way that they will actually work when the gadget is executed. So, I would guess they are doing something to possibly encrypt and compress the data that is stored in the exe. The real question is whether the scripts are written to disk when the gadget is run. Maybe I'll run a few gadgets while running one of the fabulous tools from SysInternals to see exactly what the gadget does when it runs..
Reply #20 Top
OK, downloaded a Gadget, ran it and peeked at its activities. The scripts are most definitely encrypted/compressed on disk. So, someone could get the scripts but I think it would take them a good bit of work to actually get anything usable from them.
Reply #21 Top
Ah, ok. I had a feeling it'd be something like that.
Reply #22 Top
Huh, so there is a way to "edit" gadgets but it might be a pain. I've found if you open Windows Media Player skins in WinZip you can export all the graphics and scripts. Maybe it is along the lines of that.
Reply #23 Top
Ahh I see. It would work that way.
Reply #24 Top
So there is a way to "edit" gadgets but it might be a pain


Uhh, I'd say it would be a tad bit more than a pain. The scripts are encrypted or compressed or both but they are definitely not plain text. The files in a gadget are extracted when you run it, but like I said the scripts are not plain text.