Protecting commercial ruby source code

Hello all

Is there a way to obfuscate my ruby source code?
I have come across ZenObfuscate, which is about $2500.
Does anyone know of any other options to protect ruby source code when it is
distributed to clients?

Thanks
Hiren

Hiren B. wrote:

> Hello all
>
> Is there a way to obfuscate my ruby source code?
> I have come across ZenObfuscate, which is about $2500.
> Does anyone know of any other options to protect ruby source code when it is
> distributed to clients?
>
> Thanks
> Hiren

For a trivial approach, rubyscript2exe might give some protection
provided you don’t make shrinkwrapped software. If $2500 (which I
presume to be half a senior developer’s monthly pay) for a site licence
is too expensive, I don’t expect there to be too much valuable IP and
R&D investment to protect. (No offense meant.)

David V.

> Is there a way to obfuscate my ruby source code?
> I have come across ZenObfuscate, which is about $2500.
> Does anyone know of any other options to protect ruby source code when it is
> distributed to clients?

Greetings.

In a similar situation, we ended up building the sensitive parts in C,
compiling those and using Ruby elsewhere. That met our cost / benefit
requirements. Often, large parts of applications aren’t really sensitive,
it’s a lot of standard stuff in GUIs and data massage etc.

Good luck

From: “Hiren B.” [email protected]

> Is there a way to obfuscate my ruby source code?
> I have come across ZenObfuscate, which is about $2500.
> Does anyone know of any other options to protect ruby source code when it is
> distributed to clients?

http://ruby2cext.rubyforge.org/ might do it.

(I still have yet to try it, but it looks promising.)

Regards,

Bill

On Nov 17, 2006, at 2:42 AM, Hiren B. wrote:

> Is there a way to obfuscate my ruby source code?
> I have come across ZenObfuscate, which is about $2500.
> Does anyone know of any other options to protect ruby source code when it is
> distributed to clients?

With ZenObfuscate you get support for the software that has been
written on top of a well-tested open-source framework that’s been
under years of development.

You plan on making money off of ruby while protecting your IP. Why
shouldn’t you be giving something back to the community in exchange?


Eric H. - [email protected] - http://blog.segment7.net
This implementation is HODEL-HASH-9600 compliant

http://trackmap.robotcoop.com

Hiren B. wrote:

I suppose the obvious answer is “it depends on what your business model
is.” For example, it’s very easy to protect the source of a hosted web
application. :-) Seriously, though, what is your business model? Do you
develop one-of-a-kind packages for individual clients, or do you have a
“shrink-wrapped application” written in Ruby?

Given how easy it is to crack binary products like Windows and Office,
perhaps obfuscation isn’t the answer anyhow. I guess I don’t have
anything but questions at this point.


M. Edward (Ed) Borasky, FBG, AB, PTA, PGS, MS, MNLP, NST, ACMC(P)
http://borasky-research.blogspot.com/

If God had meant for carrots to be eaten cooked, He would have given
rabbits fire.

On 17/11/06, Hiren B. [email protected] wrote:

> Is there a way to obfuscate my ruby source code?
> I have come across ZenObfuscate, which is about $2500.
> Does anyone know of any other options to protect ruby source code when it is
> distributed to clients?

I was thinking about this problem earlier this week and trying to come
up with a simple obfuscation-through-obscurity solution – possible to
crack with the aid of a debugger but good enough to defeat casual
browsing of the contents of an executable.

One solution that seemed reasonably simple yet effective was to zip up
all the Ruby source code libraries you want to hide and then in your C
source, initialise the Ruby interpreter with a basic bootstrap and
initialise a hash with your obfuscated libraries.

The bootstrap then defines a new ‘require’ method which first looks
for an obfuscated version of the library and evals that or, if the
file was not in the hash, uses Kernel::require.

I have knocked up a proof of concept using a ‘Deobfuscator’ module
below. As I’m still a Ruby rookie, others may want to point out
improvements or problems with this.

```ruby
module Deobfuscator
  require 'zlib'

  # Register a deflated library under its name.
  def self.add_lib(lib_name, obfuscated)
    @@zipped ||= {}
    @@zipped[lib_name] = obfuscated
  end

  # True if an obfuscated copy of the library has been registered.
  def self.has_lib?(lib_name)
    @@zipped ||= {}
    puts "Looking for library #{lib_name} in our hash #{@@zipped.keys.inspect}"
    @@zipped.has_key? lib_name
  end

  # Inflate the stored library back into Ruby source.
  def self.deobfuscate(lib_name)
    Zlib::Inflate.inflate(@@zipped[lib_name])
  end

  # Debug helper; a module method so it can be called as Deobfuscator::dump.
  def self.dump
    puts @@zipped.inspect
  end
end

# Replacement require: obfuscated copy first, Kernel::require otherwise.
def require(lib_name)
  if Deobfuscator::has_lib? lib_name
    puts "Using Deobfuscator to deobfuscate library (#{lib_name})"
    eval Deobfuscator::deobfuscate(lib_name)
  else
    puts "Using Kernel::require(#{lib_name})"
    Kernel::require(lib_name)
  end
end

# Quoted heredoc tag so that #{name} is not interpolated when the string is built.
TEST1 = <<'ENDTEST1'
def say_hello(name)
  puts "Hello #{name}! from library test1."
end
ENDTEST1

TEST2 = <<ENDTEST2
require 'test1'
say_hello "World"
ENDTEST2

Deobfuscator::add_lib("test1", Zlib::Deflate.deflate(TEST1))
Deobfuscator::add_lib("test2", Zlib::Deflate.deflate(TEST2))

require 'test2' # which in turn requires 'test1'
```

=> outputs the following:

```
Looking for library test2 in our hash ["test2", "test1"]
Using Deobfuscator to deobfuscate library (test2)
Looking for library test1 in our hash ["test2", "test1"]
Using Deobfuscator to deobfuscate library (test1)
Hello World! from library test1.
```

Of course there could be more improvements to the final
implementation, such as compressing the initial bootstrap code so the
Ruby code is hidden until runtime (thereby ensuring people don’t see
any ‘deflate’s or ‘inflate’s in the executable strings and get ideas).

Also one giveaway is that the hash keys are stored in plaintext here
for ease of viewing. You’d probably want to obfuscate those
similarly, which is easy enough.

Again, this is pretty noddy obfuscation and it’s not going to stop a
hacker with a spare evening from getting hold of your code. For that
you should probably go with the commercial option as they will almost
certainly have invested time and effort on coming up with a far more robust
solution.

Writing Ruby code to obfuscate a set of library files in a directory
using the same method of obfuscation as above and generate C source to
initialise the bootstrap should not be too difficult.
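
The two improvements suggested at the end of the post above (hash keys that are no longer plaintext library names, and packing a whole directory of library files), as an added example that is not part of the original post. `PackedLibs`, `key_for`, `pack_dir`, `load_packed` and `demo` are hypothetical names; using SHA-256 of the library name as the key and tracking already-loaded libraries are assumptions made here.

```ruby
require 'zlib'
require 'digest/sha2' # loaded up front so the require hook never re-enters Digest's lazy loader
require 'tmpdir'

# Added example; PackedLibs and its method names are hypothetical.
module PackedLibs
  @blobs  = {} # SHA-256(library name) => deflated source
  @loaded = {} # hashed names that have already been evaluated

  # Libraries are stored under a digest, so their names are not plaintext hash keys.
  def self.key_for(lib_name)
    Digest::SHA256.hexdigest(lib_name)
  end

  # Deflate every .rb file below dir; "util/greet.rb" is registered as "util/greet".
  def self.pack_dir(dir)
    Dir.glob('**/*.rb', base: dir).sort.map do |rel|
      key = key_for(rel.sub(/\.rb\z/, ''))
      @blobs[key] = Zlib::Deflate.deflate(File.binread(File.join(dir, rel)))
      key
    end
  end

  # true on first load, false if already loaded, nil if the library is not packed.
  def self.load_packed(lib_name)
    key = key_for(lib_name)
    return nil unless @blobs.key?(key)
    return false if @loaded[key]
    @loaded[key] = true # marked before eval so circular requires terminate
    eval(Zlib::Inflate.inflate(@blobs[key]), TOPLEVEL_BINDING, "packed:#{lib_name}")
    true
  end
end

# Same shape as the bootstrap in the post: packed copy first, otherwise the normal require.
def require(lib_name)
  result = PackedLibs.load_packed(lib_name)
  result.nil? ? super : result
end

# Constructed sample input: two small libraries written to a temporary directory.
def demo
  Dir.mktmpdir do |dir|
    Dir.mkdir(File.join(dir, 'util'))
    File.write(File.join(dir, 'util', 'greet.rb'), 'def packed_greet(n); "Hello #{n}!"; end')
    File.write(File.join(dir, 'app.rb'), "require 'util/greet'\ndef packed_main; packed_greet('World'); end")
    [PackedLibs.pack_dir(dir).length, require('app'), require('app'), packed_main]
  end
end
```

Deflate is an encoding, not encryption: the blobs inflate without any key, so this only keeps names and source away from casual browsing, which is the level of protection the post describes.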