Protecting widget code

Is it at all possible?

Published on March 22, 2006 By Kevin_C In DesktopX

I've recently writeen an HTML application (HTA) that is essentially a PasswordSafe of sorts that allows you to save website usernames and passwords as well as account infomation and payment links in one application with one password protecting them. While I have a few mechanisms in place to protect the data files from someone easily pilfering the contents I realize that if someone can easily browse the code it isn't all that hard to discern the processes used for generating the encrypted data files and therefore decrytping the data. So, to that end I've used a code obfuscator/encrypter on the HTA code that will stop if not severely deter most people from even trying to steal the code. While I know nothing is perfect I don't think the information in these files is interesting enough to really get someone with the capabilities to reverse engineer the code to try.

Anyway, the reason for my post is that I am considering creating a DX widget out of the app but if I can't at the very least obfuscate portions of the code it really wouldn't be worth the trouble. I have DX Professional and I know I can create a widget exe but that is not really any help because anyone with DX Pro can just import the widget and get the script code. So, is there an obfuscator or encryptor for DX widget code?

Any tips would be appreciated.

Comments (Page 1)

on Mar 23, 2006

Well.. You could base data encryption on user's password. You could create a hash based on user's password, then use actual password as private key to encrypt the contents.

Basically, it would create new hash on typed password, check if it matches the stored hash, then decrypt the stored information. This way is fastest way to check before loading the possibly huge file and decrypt it.

Well other way would be simply try to decrypt the stored info directly using the password input, but if file is huge it may be a problem when password was wrong or mistyped.

Note: this WILL require user to input a password each time it have too load the data file! But this way it wouldn't matter if someone cracked and got the entire source code. It don't contain the info needed to actually read the worthy private information.

thomassen

on Mar 23, 2006

hmm... DX Pro will open widgets so will the starndard DX. But I haven't found my self able to import Gadgets (stand-alone) with either of them.

CerebroJD

on Mar 23, 2006

Thomassen is correct. Gadgets cannot 'disected', so you are safe to use your code in the building of a gadget, and only distribute that executable file.

Kevin_C

on Mar 23, 2006

XX,

Thanks but I'm not looking for a way to encrypt the passwords as I already have several techniques in place to achieve that. I've actually done something similar to what you've suggested but I'm actually using different keys and salt values to encrypt each password, and I have developed a system to re-create the proper information when it comes time to decrypt the data.

Thanks for the suggestions!

Kevin_C

on Mar 23, 2006

DX Pro will open widgets so will the starndard DX. But I haven't found my self able to import Gadgets (stand-alone) with either of them.

Perfect! Now, the question is can I create gadgets with DX Pro? Sorry for the silly question but it's been a bit since I've messed around with it to actually create anything.

ZubaZ

on Mar 23, 2006

The "new" Pro was the old Enterprise.
You probably have the "old" Pro, now called "Standard"
https://www.stardock.com/products/desktopx/purchase.asp

To check, try to export an object.

If you can export it as a gadget, you have Pro and are set. If you hae widget, you are standard and need to upgrade. The link above can assist you there too.

Posted via WinCustomize Browser/Stardock Central

Kevin_C

on Mar 23, 2006

Thanks for the info Zubaz! It turns out I do have the new Pro as I have the export as gadget option. Now all I need to do is re-write it for DX.

PoSmedley

on Mar 23, 2006

Mine says PRO but I can't make gadgets, so I'm assuming I have the old one. Should I have gotten the new one with ODNT, or would it be extra? I have been wanting to make gadgets and can't.

ZubaZ

on Mar 23, 2006

The new Pro is an extra cost. I think it's $70 US.

There was a special a while back . . but I couldn't hide the required money from the wife. Missed a great window of oppertunity.

Anyone wanting to donate to my DX Pro fund can reach me by email.

Kevin_C

on Mar 23, 2006

There was a special a while back

That's when I purchased it. I couldn't have justified the expense otherwise but it was such a deal I had to go ahead and get it! I believe it was something like $40 of the current price. So, instead of $70 it was $30, quite a steal!

on Mar 23, 2006

Yeah. I missed the special too. Oh well.

Ohh I thought you wanted to protect the data and was concerned about code revealing a way to decode that data.

Yeah gadgets is best way to prevent code from being read. It's also the reason I want to buy DX pro, but couldn't justify that yet.

I adready recreated xxcalc using desktopx and it works.

thomassen

on Mar 23, 2006

You might still want to check with Stardock how secure this is. I think perhaps they got utility to open gadgets. I could be wrong, but I imagine that I saw someone who'd lost their source file and only had the gadget file and SD could extract it for him/her.
And I wonder if there might be some temp data which allows you to read the code when it's being run. (REALLY not sure about this one though. I might be confusing it with widget cache.) But since you are making a password manager you probably want to make sure.

Kevin_C

on Mar 23, 2006

Ohh I thought you wanted to protect the data and was concerned about code revealing a way to decode that data

Well, kind of. I have the data files encrypted and then I also compress them so they are very much unreadable. However, if someone had access to the code they could with some work reverse engineer the steps taken to encrypt the data and then write some code to decrypt the encrypted data. This would not be an easy task as I use different data to encrypt every password and the password that is used to protect the data file is encrypted in a random method every time and is stored using an SHA1 hash. Oooh, typing this gives me an idea!! Man, I just wish I could create the graphics for this myself, it would go much faster but I guess non-graphic inclined folks such as myself can't be too picky..

on Mar 23, 2006

Well. Use something that would take a decent computer centuries to crack.

There IS encryption schemes that cannot be reverse engineered to somehow recover the contents without having any private key. Never use obscurity as security. So many people made that mistake.

Hmm interesting website. http://www.cryptography-tutorial.com/cryptosource.htm

CerebroJD

on Mar 23, 2006

Stardock does have a gadget de-compiler that they can use to re-create a widget from a gadget in case of the creature loosing sourcecode etc.

Welcome Guest! Please take the time to register with us.
There are many great features available to you once you register, including:

Richer content, access to many features that are disabled for guests like commenting on the forums.
Access to a great community, with a massive database of many, many areas of interest.
Access to contests & subscription offers like exclusive emails.
It's simple, and FREE!