Author Topic: fas compile with a kill switch.  (Read 2124 times)

Lonnie

  • Newt
  • Posts: 175
fas compile with a kill switch.
« on: October 13, 2022, 01:04:02 PM »
My company has asked me to look into protecting their lisps. Seems a few people as of late have moved to new (startup) companies with our entire setup (file pathing/structure and all). I don't think I begrudge them the lisps (I would say half our routines are at least started off someone else's work.) but since our routines dictate all our standards they have virtually stolen years of intellectual property on how we work.

I am thinking of compiling the routines and adding a kill switch of some sort. Expiration date, path to a number (security by obscurity), server name (or some other environment var), something like that.

Note this is just to keep the honest people honest and not to make life harder on anyone.

What are this group's feelings on that sort of protection?

JohnK

  • Administrator
  • Seagull
  • Posts: 10626
Re: fas compile with a kill switch.
« Reply #1 on: October 13, 2022, 01:32:20 PM »
I think hard-coded paths (e.g. //server/path/to/whatever) in the lisps--compiled to FAS--would go a long way, but generic lisps that just do things without the need for locations would need some sort of 'lock'; you can do a check to see if that server location is available before running. However, if you are going down that route I would recommend an "automated build" type thing that can help you change these paths and compile later.

A while back when Vovka described his lisp setup I started thinking about how I could automate something similar to his and I started setting up a Makefile that would allow me to use Accoreconsole to compile a lisp file(s). But an automated build system is not something AutoLisp developers are used to, so you may need to do a bit of learning.
mhupp

  • Bull Frog
  • Posts: 250
Re: fas compile with a kill switch.
« Reply #2 on: October 13, 2022, 08:27:16 PM »
When it fails, rather than displaying a message "property of company", look up a common AutoCAD error and have it display that. This keeps people who use it none the wiser, and if people ask "I'm getting this error" it lets you know to update the code.

--edit
if you go the date expiration route

https://help.autodesk.com/sfdcarticles/img/0EM3g000004LZl2

« Last Edit: October 13, 2022, 08:32:07 PM by mhupp »

It's Alive!

  • Retired
  • Needs a day job
  • Posts: 8691
  • AKA Daniel
Re: fas compile with a kill switch.
« Reply #3 on: October 14, 2022, 12:02:47 AM »
How is your company setup? If you have a central server, you can do something like the entitlement API
https://adndevblog.typepad.com/autocad/2022/05/using-entitlement-api-with-lisp.html

your server would have a database of users, if you’re using AutoCAD, that can just be (getvar "ONLINEUSERID")
or IP , MAC address etc.
compile that up in a .FAS and you’re good to go.

BIGAL

  • Swamp Rat
  • Posts: 1409
  • 40 + years of using Autocad
Re: fas compile with a kill switch.
« Reply #4 on: October 14, 2022, 02:40:08 AM »
I just did this for a client. There is a nice old-fashioned DOS command with which you can join 2 files together, so you have your protect lisp and your runtime lisps.

The DOS command for me is copy serial.lsp+program1.lsp c:/protected/program1.lsp
I repeat for all the lisp files using a bat file.

I then just use this lisp to compile all. I copied the serial+program back to the original directory, deleting the c:/protected.

Code:
;; Load the Visual LISP IDE if vlisp-compile is not yet available
(if (null vlisp-compile) (c:vlide T))
;; lsp.txt holds one lisp base name (no extension) per line
(setq fname (open "d:\\unlocked\\lsp.txt" "r"))
(setq x 1)
(while (setq filename (read-line fname))
  ;; 'st = standard build mode
  (vlisp-compile 'st
    (strcat "d:\\unlocked\\" filename ".lsp")
    (strcat "d:\\compiled\\" filename ".fas"))
  (princ (setq x (1+ x)))
)
(close fname)

Another trick used a dos command Dir *.lsp /b > lsp.txt to make the lisp names a bit of editing and saved as a bat file.

One commercial package has 237 lisp now fas.
« Last Edit: October 14, 2022, 11:39:21 PM by BIGAL »
A man who never made a mistake never made anything

VovKa

  • Water Moccasin
  • Posts: 1629
  • Ukraine
Re: fas compile with a kill switch.
« Reply #5 on: October 14, 2022, 10:12:11 AM »
Quote
What is this group's feelings on that sort of protection?

i suggest you start with the simplest protection possible
it does not require any additional programming or changing the existing lisps

create a new lisp file with the following code and name it for example somename.lsp
Code:
(/ 0 (fix (/ 20230000 (getvar "CDATE"))))
go to VLIDE then 'File \ Make Application \ New Application Wizard...'
in the 'LISP Files to include' add all your lisps and also add somename.lsp then *IMPORTANT* move somename.lsp to the top of the list, then in the next dialog add your dcls, then build vlx

share it with colleagues, it will work till the end of the year

this protection is not very reliable but very easy to implement, 5-10 minutes
it will save you some time to develop a better protection scheme
« Last Edit: October 14, 2022, 10:17:00 AM by VovKa »

BIGAL

  • Swamp Rat
  • Posts: 1409
  • 40 + years of using Autocad
Re: fas compile with a kill switch.
« Reply #6 on: October 14, 2022, 11:47:25 PM »
Like Vovka, a simple method: (setenv "MYSER" "1000") then in your code (setq num (- (atoi (getenv "MYSER")) 1)) (setenv "MYSER" (itoa num)); if num is less than say 1 then no more goes. Only hiccup is you have to set the initial value. I hide it in the install code; I have as last entry it loads a lisp then deletes the file. For one client this is fine as the manager types the setenv bit.

My client is looking at a server solution: check userid etc.

Be careful with a time bomb; I know from personal experience about software stopping even though we have paid to use it.


baitang36

  • Bull Frog
  • Posts: 213
Re: fas compile with a kill switch.
« Reply #7 on: October 16, 2022, 05:27:11 AM »
The best way to protect lisp source code is encryption. The fas vlx files can be decompiled, and the decompilation tools have proliferated, which can easily turn them into the lsp source code. I have developed a fas encryption tool that can shell and protect fas files. Currently, there are more than 100 official users. Interested parties can contact me.

Lonnie

  • Newt
  • Posts: 175
Re: fas compile with a kill switch.
« Reply #8 on: October 17, 2022, 12:21:57 PM »
Thanks so much for all the replies. I am going to do my best to answer the questions asked of me. Here it goes.

Quote
JohnK
I think hard coded paths (EG: //server/path/to/whatever)

I have a few and in today's environment they don't work well for us. I've got to send people off grid sometimes. Those routines have to be coded to their computers but it is one of the things I am thinking of. I just cringe thinking about all that pathing.

Quote
mhupp
When it fails, rather than displaying a message "property of company", look up a common AutoCAD error and have it display that. This keeps people who use it none the wiser, and if people ask "I'm getting this error" it lets you know to update the code.

Not sure I care about anything like that, though the more I think of a little note saying "PROPERTY OF COMPANY" casually coming up, the more I think the new company might worry a wee bit about what they are doing.
I can just see a little note coming up 6 months after they are using everything scaring the bejeebers out of 'em. Might not scare them enough that far down the line, but an immediate one may make 'em remove the software really fast.

Quote
your server would have a database of users, if you’re using AutoCAD, that can just be (getvar "ONLINEUSERID")

That's more in line with my thinking. Getting one of the OS vars like userdomain and making sure it's set. Something really simple like that.

Quote
Another trick used a dos command Dir *.lsp /b > lsp.txt to make the lisp names a bit of editing and saved as a bat file.

I run about 250 lisps, some having somewhere in the neighborhood of 90 nested lisps. I am hoping to use a simple (getenv "userdomain") or something like that wrapping the lisps.

Quote
VovKa
i suggest you start with the simplest protection possible
it does not require any additional programming or changing the existing lisps

create a new lisp file with the following code and name it for example somename.lsp
Code:
(/ 0 (fix (/ 20230000 (getvar "CDATE"))))
go to VLIDE then 'File \ Make Application \ New Application Wizard...'
in the 'LISP Files to include' add all your lisps and also add somename.lsp then *IMPORTANT* move somename.lsp to the top of the list, then in the next dialog add your dcls, then build vlx

share it with colleagues, it will work till the end of the year

this protection is not very reliable but very easy to implement, 5-10 minutes
it will save you some time to develop a better protection scheme

YES! Something like that is where I am headed. One of my hesitations on DATE is if they run for 6 months what's more efficient as a company. Restarting and figuring out how to do dwg's from scratch or hiring someone to break the fas code. If they get no front end head start then perhaps they never use our lisps. Keeping the honest people honest so to speak.

 
« Last Edit: October 17, 2022, 12:28:40 PM by Lonnie »

Lee Mac

  • Seagull
  • Posts: 12913
  • London, England
Re: fas compile with a kill switch.
« Reply #9 on: October 17, 2022, 06:24:09 PM »
There are many ways to accomplish this, ranging from a simplistic hardcoded expiration date (as VovKa has demonstrated) to a full-blown licensing system whereby validation is obtained either via verifying an accepted (and hashed) MAC address or perhaps via successful communication with a server or other online resource under your control.

If all the users within your company operate under the same domain or workgroup, a very simple check could be to hardcode a domain validation prior to defining the set of functions as part of the loading process.

For example:
Code - Auto/Visual Lisp:
(if (= "yourdomain" (strcase (getenv "userdomain") t))
    (progn
        ;; < permit load >
    )
    (progn
        ;; < display message >
    )
)

And you may want to disguise/obfuscate this so that it's not as easy to discern as a literal string if the FAS were to be decompiled, e.g. even a basic XOR of the ASCII codes would suffice -
Code - Auto/Visual Lisp:
(
    (lambda ( f )
        ;; (f "suctbikgoh") decodes to "userdomain"; the lower-cased value
        ;; is re-encoded with f and compared to the encoded "yourdomain"
        (if (= "\177istbikgoh" (f (strcase (getenv (f "suctbikgoh")) t)))
            (progn
                ;; < permit load >
            )
            (progn
                ;; < display message >
            )
        )
    )
    ;; f: XOR every character code with 6 (boole operator 6 = XOR)
    (lambda ( s ) (vl-list->string (mapcar '(lambda ( x ) (boole 6 6 x)) (vl-string->list s))))
)
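
Added example (not part of any post in this thread): a build-time generator for the two XOR-encoded literals used in the check above, so they can be regenerated per domain instead of hand-encoded. The Python function names are hypothetical, "YourDomain" is a constructed sample value, and ASCII-only names are assumed.

```python
# Added example: produce the XOR-encoded AutoLISP string literals for the
# domain check shown above. Function names here are hypothetical.
KEY = 6  # same single-byte key as (boole 6 6 x) in the post


def xor_encode(text: str, key: int = KEY) -> bytes:
    """XOR every ASCII character of text with key."""
    if not 0 < key < 128:
        raise ValueError("key must be 1..127 so ASCII input stays ASCII")
    data = text.encode("ascii")  # raises on non-ASCII input
    out = bytes(b ^ key for b in data)
    if 0 in out:
        # A character equal to the key becomes NUL; assumed unusable
        # inside an AutoLISP string, so refuse and ask for another key.
        raise ValueError("a character equals the key; pick another key")
    return out


def autolisp_literal(data: bytes) -> str:
    """Render bytes as an AutoLISP string literal."""
    parts = []
    for b in data:
        if b in (0x22, 0x5C):        # " and \ must be backslash-escaped
            parts.append("\\" + chr(b))
        elif 0x20 <= b < 0x7F:       # printable ASCII goes in unchanged
            parts.append(chr(b))
        else:                        # the rest as a 3-digit octal escape
            parts.append("\\%03o" % b)
    return '"' + "".join(parts) + '"'


def check_literals(domain: str, env_var: str = "userdomain", key: int = KEY):
    """Return (encoded env-var literal, encoded domain literal)."""
    # The check lower-cases the live value with (strcase ... t), so the
    # expected value is encoded from the lower-case form of the domain.
    env_lit = autolisp_literal(xor_encode(env_var, key))
    dom_lit = autolisp_literal(xor_encode(domain.lower(), key))
    return env_lit, dom_lit


if __name__ == "__main__":
    env_lit, dom_lit = check_literals("YourDomain")  # constructed sample
    print("getenv argument :", env_lit)
    print("expected value  :", dom_lit)
```

Because XOR with a fixed key is its own inverse, the same function decodes the literals; this only keeps the names out of a plain string search of the FAS.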

BIGAL

  • Swamp Rat
  • Posts: 1409
  • 40 + years of using Autocad
Re: fas compile with a kill switch.
« Reply #10 on: October 17, 2022, 07:45:39 PM »
While there are big hints about decrypting fas files, you should still take into account how many end users are going to try to crack your code?

I know from personal experience of "given to the friend" luckily did not work as we had a check built in.

The second example was code given to a client for testing and we never got paid for it, turned up a few years later at a company who had bought out the first company. Yes our fault did not protect properly. But it was the only version I ever heard of out there.

3rd $9500 software could be bought overseas cracked for like $100 it was all .exe so a lot harder to crack.

Looking back at older Autocad Cracks were very available.


It's Alive!

  • Retired
  • Needs a day job
  • Posts: 8691
  • AKA Daniel
Re: fas compile with a kill switch.
« Reply #11 on: October 17, 2022, 08:05:30 PM »
I did the hardcoded date once, terrible. I was on vacation and the company couldn’t work with them until I got back.


baitang36

  • Bull Frog
  • Posts: 213
Re: fas compile with a kill switch.
« Reply #12 on: October 18, 2022, 07:39:42 PM »
There are many ways to add restrictions to the program, but there is a problem. If the cracker gets your source code, he can easily remove these restrictions. Therefore, it is more important to prevent decompilation.

BIGAL

  • Swamp Rat
  • Posts: 1409
  • 40 + years of using Autocad
Re: fas compile with a kill switch.
« Reply #13 on: October 18, 2022, 10:10:01 PM »
Back to Lonnie: yeah, the magic of a USB, just copy the files, email yourself all the files. Internal staff copy is a problem. As suggested, at least compile with some form of company check: server, hard disk, user name, Acad serial number. Keep the source in a separate directory on the server with limited access rights. You and maybe your IT.

https://www.manageengine.com/data-security/how-to/restrict-copying-files-from-server.html#:~:text=1%20Under%20Prevention%20Policies%2C%20select%20File%20Copy%20Policy.,menu.%206%20Click%20Save%20to%20save%20the%20policy.