TheSwamp

Code Red => AutoLISP (Vanilla / Visual) => Topic started by: Amsterdammed on September 09, 2005, 04:20:17 AM

Title: fas file security
Post by: Amsterdammed on September 09, 2005, 04:20:17 AM
Hello experts,

I write some applications for our HVAC Company. And since they pay for it, they have the desire to keep it "in-house".

So I did build in some check out of the registry, and made it a fas file. But how safe is a fas file?

Thanks in Advance,

Bernd
Title: Re: fas file security
Post by: MP on September 09, 2005, 09:13:28 AM
It's apparently cracked; I've seen discussions and links to decompilers for the last couple years (don't ask me, I won't provide).

In short, if security is absolutely critical one way to provide a reasonable amount of privacy is to compile sensitive portions of the program to a dll, and then call the dll from lisp. Further, there are obfuscators available for dlls.
Title: Re: fas file security
Post by: Amsterdammed on September 09, 2005, 09:31:42 AM
Mike,

Don't worry, I won't ask. I don't want to crack, I want to secure my stuff.

So how can I compile a lisp into a dll and call it later?

Title: Re: fas file security
Post by: JohnK on September 09, 2005, 09:39:55 AM
AutoCAD only has the xlisp interp. included in the core. FAS-VLX is nothing more than character substitution. (Or encryption if you will.)
Title: Re: fas file security
Post by: hudster on September 09, 2005, 09:57:32 AM
From what I've seen on the user groups, vlx files are meant to be perfectly safe & uncrackable, if ever I write something of value, that would be the method I'd choose.
Title: Re: fas file security
Post by: Amsterdammed on September 09, 2005, 10:19:49 AM
so, nothin's safe, se7en?
Title: Re: fas file security
Post by: MP on September 09, 2005, 10:24:24 AM
Mike Michael,

Don't worry, I won't ask. I don't want to crack, I want to secure my stuff.

So how can I compile a lisp into a dll and call it later?


To compile an activex dll you need a suitable compiler, for example, Visual BASIC, Delphi etc. (and the ability to code in the appropriate language).

I've a busy weekend coming up but I'll try to provide a skeleton Visual BASIC version c/w the Visual LISP wrapper.
Title: Re: fas file security
Post by: JohnK on September 09, 2005, 10:44:07 AM
so, nothin's safe, se7en?
Well, I wouldn't go that far. A lot of people don't even know the basics about encryption/decryption. (And some think they know and in reality don't know a darn thing.) I don't think you will have a problem at all if you go with the VLX format. (I was just trying to say that you need to be aware that "compiling" in AutoCAD isn't really compiling. It's more like encryption.)
Title: Re: fas file security
Post by: MP on September 09, 2005, 10:52:28 AM
And some think they know and in reality don't know a darn thing.

Anyone we know?
Title: Re: fas file security
Post by: JohnK on September 09, 2005, 11:13:54 AM
*click* Yeah! John for one.

What?! I know encryption...well okay, maybe I don't but I like to think I do.

Told ya.
Title: Re: fas file security
Post by: Keith™ on September 09, 2005, 11:23:24 AM
so, nothin's safe, se7en?
Well, I wouldn't go that far. A lot of people don't even know the basics about encryption/decryption. (And some think they know and in reality don't know a darn thing.) I don't think you will have a problem at all if you go with the VLX format. (I was just trying to say that you need to be aware that "compiling" in AutoCAD isn't really compiling. It's more like encryption.)

You are correct in so many words ... however you are incorrect about the FAS and VLX files being encrypted. FAS and VLX files are de facto compiled binaries, except DCL and Text files that are included as part of the project are merely appended to the end of the VLX file during compilation.

The problem with FAS and VLX files (as with any compiled executable) is that they ALWAYS follow a specific format ... that format can be easily discovered by doing a comparative study of the sequence of commands in the file.

For example, once you have the knowledge of what "0E 4D A1" does you can presumably follow that example and continue with decompilation. The main problem with this is that compiled code is rarely executed in sequential order, thus it becomes difficult to near impossible to reconstitute the original source code, BUT you can produce something that is really close and editable by following conditional jumps, code segments and the like. A good understanding of assembly language is also a prerequisite, but is not required.

My intent is not to debate semantics of encryption vs. compilation because they are essentially the same except during encryption the key is generally not known, while in compilation the key is ALWAYS known, in fact it is the same for every type of compiled binary file ... otherwise we wouldn't be able to read them.

Bottom line is that FAS is readily decompiled back into "pseudo assembly" code with certain code segments being able to be easily reconstituted. VLX files are a little more difficult to decompile, but only if you use a separate namespace and optimize the code during compilation. It is also advisable to use multiple lisp files rather than have a single lisp file with all of your code in it. This way when the VLX is compiled the individual lisps are separated and are more difficult to decompile.

VB also has its share of problems and can also be readily decompiled into readable code segments. In VB it is advisable to NOT use the native P-Code option, as it makes it more readily decompilable.

C and C++ binaries exhibit the best protection against decompilation, but also can be readily decompiled into assembly, and thus with a working knowledge of assembly it too can be reconstituted, albeit much more difficult.

So, it would be safe to assume that "nothin' is safe" ...
Title: Re: fas file security
Post by: Amsterdammed on September 10, 2005, 06:38:49 AM
Keith,
you are stunning as usual. :-D

But what I really wanted to know was not if some rocket scientist could break my code, but if one of my smart as ex co-workers or our IT guy (biggest threat) can simply go online and find on the net a way to get into my fas files. And learned from this link that I will change it into a vlx. Should have done it before; there are a lot of lisp files in this application, and I only compiled them into fas files.

Till now I was safe the way I did it, it looks like. Once an ex-worker took the stuff with him to a competitor of ours but had to see it didn't run there. Then this Einstein called a colleague of mine to ask him why (definitely not one of the rocket scientists).

But in general, what parameter out of the registry would you use to make it run only on your system? (If the code is cracked that doesn't matter, I know, just curious.)
Title: Re: fas file security
Post by: Crank on September 10, 2005, 09:02:56 AM
...
But in general, what parameter out of the registry would you use to make it run only on your system? (If the code is cracked that doesn't matter, I know, just curious.)
In the past I've used MaxArray to protect a file from being used in a different environment.
Code:
(setenv "MaxArray" "99990"); default is 100000
Code:
(if (/= (getenv "MaxArray") "99990")
    (exit)
)
Title: Re: fas file security
Post by: Keith™ on September 10, 2005, 10:57:34 AM
In an office where everyone is simple hacks I use the environment in the same manner as Crank .. except I use a different item that is office specific ...

Of course if the code is cracked it doesn't matter
Title: Re: fas file security
Post by: MP on September 10, 2005, 11:03:11 AM
I use the user's ipaddress, if it's not in our range, punt (but ditto Keith's last statement).
Title: Re: fas file security
Post by: LE on September 10, 2005, 11:24:20 AM
Hello experts,

I write some applications for our HVAC Company. And since they pay for it, they have the desire to keep it "in-house".

So I did build in some check out of the registry, and made it a fas file. But how safe is a fas file?

Thanks in Advance,

Bernd


There are three decompilers: two that are not good or do not produce workable code, but can expose any string data; in the case of a password or whatever, someone with the knowledge can get in.

And there is one that can expose workable code, basically the same as the original code, coming from a FAS or a VLX; this one is not on the net.

You can use the harddisk serial number hardcoded in your fas/vlx files.... among many other ways.

Good luck,
Luis.
Title: Re: fas file security
Post by: csgoh on September 11, 2005, 01:40:05 AM
Hi all;
I used a software "Lisppro" by ai-design to encrypt the lisp.
Check it out at this website www.ai-d.com

csgoh
Title: Re: fas file security
Post by: Amsterdammed on September 11, 2005, 03:24:47 AM
Mike,
I first used the hostname out of the registry, but then it became too big a pita because a lot of PCs were stolen or just replaced by newer ones (we have 250 Acad users). So I changed it to something out of the registry we all have in common in our company.

But how do I get the IP address, and what is the range by which you tell whether it is one of your company's IP addresses or not?
 
Title: Re: fas file security
Post by: Amsterdammed on September 11, 2005, 03:32:14 AM
Sorry Michael,
I called you Mike again. Won't happen again. Stupid, since I'm Austrian it should be more common for me anyway. Guess I have been in Florida too long.

Bernd
 :oops:
Title: Re: fas file security
Post by: MP on September 11, 2005, 09:59:42 AM
Mike,
I first used the hostname out of the registry, but then it became too big a pita because a lot of PCs were stolen or just replaced by newer ones (we have 250 Acad users). So I changed it to something out of the registry we all have in common in our company.

But how do I get the IP address, and what is the range by which you tell whether it is one of your company's IP addresses or not?
 

There's a number of ideas in this (http://www.theswamp.org/forum/index.php?topic=4272.0) thread.

As for ranges, all you do is compare individual octants with the ranges for your company -- you can get the latter from your network administrator.

Sorry Michael,
I called you Mike again. Won't happen again. Stupid, since I'm Austrian it should be more common for me anyway. Guess I have been in Florida too long.

Bernd
 :oops:

(http://www.theswamp.org/screens/mp/spank.png)

:-D
Title: Re: fas file security
Post by: MP on September 12, 2005, 02:05:02 AM
To compile an activex dll you need a suitable compiler, for example, Visual BASIC, Delphi etc. (and the ability to code in the appropriate language).

I've a busy weekend coming up but I'll try to provide a skeleton Visual BASIC version c/w the Visual LISP wrapper.

For this example I decided to kill a couple birds with one stone: Write a quick/small dll example in Visual BASIC, use said dll to return the IPAddress to the caller, and use the dll from Visual LISP. Note, in order to concisely demonstrate just how easy this is I'm leaving out error trapping and additional utility functions I would normally code as part of the application. While you may call WMI (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_start_page.asp) functionality directly from Visual LISP (haven't tried it myself, but it should be no different than using the File System or Scripting Objects, which I have used in Visual LISP), I thought I'd do it from a dll for fun, so it's a somewhat contrived example.

So ... In Visual BASIC 6 (Professional or Enterprise) Start a new ActiveX project, call it DLLTest.

Add one class to the project and name it Utility. Put the following (minimalistic) code into said class (code was distilled from this MSDN page (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wmi_tasks__networking.asp)):

Code:
Option Explicit

Private myWMIService As Object

Private Sub Class_Initialize()

    On Error Resume Next

    Set myWMIService = GetObject("winmgmts:\\.\root\cimv2")

End Sub

Private Sub Class_Terminate()

    Set myWMIService = Nothing

End Sub

Function GetIPAddress() As String

    On Error Resume Next

    Dim IPConfigSet As Object, _
        IPConfig    As Variant, _
        i           As Integer

    Set IPConfigSet = _
        myWMIService.ExecQuery( _
            "Select IPAddress " & _
            "from Win32_NetworkAdapterConfiguration " & _
            "where IPEnabled=TRUE")
     
    For Each IPConfig In IPConfigSet
        If Not IsNull(IPConfig.IPAddress) Then
            GetIPAddress = IPConfig.IPAddress(0)
            Exit Function
        End If
    Next
   
End Function

Compile the project to DLLTest.dll.

When you compile the DLLTest.dll it (the dll) will automatically be registered on that machine. If you copy the DLLTest.dll file to other machines you will have to register it via RegSvr32.exe (e.g. at dos: RegSvr32.exe path\dlltest.dll). This can be done at the DOS command line (as previously noted), a batch file, a shelled process from Visual BASIC, or even via a Visual LISP wrapper. I'm not going to supply that code in this post.

Now call the registered DLLTest.dll from Visual LISP (minimal, non error trapped code):

Code:
(vl-load-com) ; load the Visual LISP ActiveX (vlax-/vla-) functions

(defun c:DLLTest ( )

    (alert
        (strcat
            "IPAddress = ["
            (vlax-invoke
                (vla-GetInterfaceObject
                    (vlax-get-acad-object)
                    "DLLTest.Utility"
                )   
                'GetIPAddress           
            )
            "]"
        )   
    )
   
    (princ)
   
)

Enjoy.

:)
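
Added example, not part of MP's post or the DLLTest project: one way to do the octet-by-octet range comparison suggested earlier in the thread, using the address returned by GetIPAddress from DLLTest.Utility. The range values and the names *allowed-ranges*, ip->octets, ip-allowed-p, get-ip and c:SiteCheck are assumptions made for illustration; an empty or malformed address (GetIPAddress returns "" when WMI fails or no adapter is IP-enabled) is rejected.

```autolisp
(vl-load-com)

;; Constructed placeholder ranges: four (low high) pairs, one per octet.
;; Replace with the ranges your network administrator gives you.
(setq *allowed-ranges*
  '(((10 10) (20 23) (0 255) (1 254))
    ((192 192) (168 168) (5 5) (1 254))))

;; Split "a.b.c.d" into four integers; nil for anything malformed.
(defun ip->octets (ip / parts pos)
  (if (= (type ip) 'STR)
    (progn
      (while (setq pos (vl-string-position 46 ip)) ; 46 = "."
        (setq parts (cons (substr ip 1 pos) parts)
              ip    (substr ip (+ pos 2))))
      (setq parts (reverse (cons ip parts)))
      (if (and (= (length parts) 4)
               (vl-every
                 '(lambda (s)
                    (and (< 0 (strlen s) 4)
                         (wcmatch s "~*[~0-9]*") ; digits only
                         (<= (atoi s) 255)))
                 parts))
        (mapcar 'atoi parts)))))

;; T only if every octet sits inside its pair in at least one allowed range.
(defun ip-allowed-p (ip / octets)
  (if (setq octets (ip->octets ip))
    (vl-some
      '(lambda (range)
         (vl-every '(lambda (o r) (<= (car r) o (cadr r))) octets range))
      *allowed-ranges*)))

;; Ask the DLL for the address; nil if it is not registered or the call fails.
(defun get-ip (/ obj ip)
  (setq obj (vl-catch-all-apply 'vla-GetInterfaceObject
              (list (vlax-get-acad-object) "DLLTest.Utility")))
  (if (not (vl-catch-all-error-p obj))
    (progn
      (setq ip (vl-catch-all-apply 'vlax-invoke (list obj 'GetIPAddress)))
      (vlax-release-object obj)
      (if (not (vl-catch-all-error-p ip)) ip))))

;; Fail closed: "" (WMI error, no IP-enabled adapter), nil or garbage
;; all count as "outside the office".
(defun c:SiteCheck ()
  (if (ip-allowed-p (get-ip))
    (princ "\nAddress is inside an allowed range.")
    (progn (princ "\nNot on the company network.") (exit)))
  (princ))
```

GetIPAddress as posted returns only the first address of the first IP-enabled adapter it finds, so a machine with a VPN or a second adapter may report an address outside the office ranges. As the thread notes, a check like this only deters casual copying, since it ships inside the same FAS/VLX that can be decompiled.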
Title: Re: fas file security
Post by: Amsterdammed on September 12, 2005, 04:37:48 AM
Michael,
one little Problem. I have no VB6. I only work sometimes with VBA

Bernd
Title: Re: fas file security
Post by: MP on September 12, 2005, 09:06:43 AM
There were other solutions in this thread Bernd, I was just trying to make good on my "... I'll try to provide a skeleton Visual BASIC version c/w the Visual LISP wrapper ..." statement.

:)
Title: Re: fas file security
Post by: SPDCad on September 14, 2005, 11:32:48 AM
Every piece of code out there can be re-engineered :wink:. The thing is not too many people know how to re-engineer/ decompile the file. Yes there are programmes that will do it for you and yes 'fas', 'arx', 'vba' etc can be re-engineered. The thing is the people with the knowledge to do this, don't care about your code. They wouldn't waste their time trying to re-engineer something they probably could write quicker and better themselves.
I say don't worry about absolute security. Produce the vlx, fas files and forget about it. This level of protection is enough to deter 90% of the population.
I have been using fas and vlx files for years and I have been selling lisps for years. I distribute the lisp files as time trials from my website and I have had lots of people buy the lisp when the time trial ends.
The funny thing is a lot of the programmes I write and encrypt and sell over the internet are distributed freely and in open source at the swamp.  :O)
Title: Re: fas file security
Post by: Jim Yadon on September 14, 2005, 12:56:20 PM
It's funny you should mention the population statistic. I've found that number not only to hold true but that the same 90% have no interest in how it works, only that it does what they want it to. I personally have always used encrypted LISPs and never had any real issue with them. Once decrypted, the only people who would understand how to follow the pseudo object oriented method in which I program are usually found at forums like this. The majority of those could probably write what I wrote even better. :-P
Title: Re: fas file security
Post by: SPDCad on September 15, 2005, 11:01:46 AM
90% have no interest in how it works, only that it does what they want it to

Unfortunately I am part of the 10%, who does care.
Why, you ask???
So I can improve the code or change it slightly to suit my needs exactly.
I never find a lisp that does exactly what I want done. Some come close though.

Title: Re: fas file security
Post by: Andrea on September 17, 2005, 04:41:30 PM
I suggest you to put your code in VLX...not fas...

why !!??

because I have many FAS uncrypter...

Just let you know...

Also, did you hear about SDUCT ?
HVAC ductwork program ?
Title: Re: fas file security
Post by: Kerry on September 17, 2005, 04:53:42 PM
.......................The funny thing is a lot of the programmes I write and encrypt and sell over the internet are distributed freely and in open source at the swamp. :O)


Which code would that be PDCad ???
Title: Re: fas file security
Post by: Chuck Gabriel on September 17, 2005, 08:03:24 PM
I assume he didn't literally mean his code, just code that does the same thing (but I've been wrong before).
Title: Re: fas file security
Post by: MP on September 17, 2005, 09:59:20 PM
... I have many FAS uncrypter ...

Adjusting Scorecard.
Title: Re: fas file security
Post by: Amsterdammed on September 20, 2005, 07:07:11 AM
Andrea,

I only read about SDUCT here in this forum. Our company works with a HVAC application, considered as the best on the Dutch market; it is written in C++ (not written by me, I only start where they stop, writing Applications tailor made for our Company).

But thanks for the hint that you have a lot of fas uncryptors.

Bernd
Title: Re: fas file security
Post by: SPDCad on September 20, 2005, 12:15:31 PM
I suggest you to put your code in VLX...not fas...

why !!??

because I have many FAS uncrypter...

Just let you know...

I know of similar programmes that will decrypt vlx files.
The thing is that both fas and vlx decompilers are hard to find. Or at least they were a year ago.
Title: Re: fas file security
Post by: Andrea on September 23, 2005, 11:51:10 AM
you can also use this code..

Make a list of your LSP file..
or use (getfiled....) single file selection

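(defun c:LSP2FAS (/ str1 str2 num1)
  ;; list of LSP source files to compile
  (setq str1 (list "file1.lsp" "file2.lsp" "file3.lsp"))

  (foreach str str1
    (setq num1 (strlen str))
    ;; swap the ".lsp" extension for ".fas"
    (setq str2 (strcat (substr str 1 (- num1 4)) ".fas"))
    ;; 'st = standard build mode
    (vlisp-compile 'st str str2)
  )
)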