Seeing the source

[Michel Cabili]

Hello. I'm new to Ruby (and also to scripting languages).

I'd like to know if, since Ruby is a scripting language, there's a way
to hide the code when deploying an application. I'd users to be unable
to see the source.

Is there a solution for that?

Thanks in advance

 

[Phil]

Hello. I'm new to Ruby (and also to scripting languages).

=20
I'd like to know if, since Ruby is a scripting language, there's a way
to hide the code when deploying an application. I'd users to be unable
to see the source.
=20
Is there a solution for that?

http://www.rubyinside.com/px-a-quick-and-silly-ruby-obfuscation-system-7.=
html

If you want to obfuscate code for business reasons, though, you might =
want to use a different language (Perl is naturally obfuscated ), =
where obfuscators are available on a larger scale (Java and .NET =
languages should offer that, with them being enterprise-y and all).

The question is: Why do you need that? If you license your software, you =
could include a section on using the source in other applications a big, =
big no-no (well, you'd reiterate copyright laws, basically), and that =
your code is a trade secret. IANAL, though, nor do I play one on TV, so =
take that with a grain of salt.

 

[John Joyce]

http://www.rubyinside.com/px-a-quick-and-silly-ruby-obfuscation-
system-7.html

If you want to obfuscate code for business reasons, though, you
might want to use a different language (Perl is naturally
obfuscated ), where obfuscators are available on a larger scale
(Java and .NET languages should offer that, with them being
enterprise-y and all).

The question is: Why do you need that? If you license your
software, you could include a section on using the source in other
applications a big, big no-no (well, you'd reiterate copyright
laws, basically), and that your code is a trade secret. IANAL,
though, nor do I play one on TV, so take that with a grain of salt.

If you really think you need to obfuscate your code, then you're
doing something wrong. It is always possible to decompile stuff even
with compiled languages. PHP users often use obfuscation to try and
hide stuff.
Consider crafty use of file permissions settings, and simply burying
things in modules with hard to read names.
But ultimately, simply put pen to paper and make somebody sign a
contract if you have to. You could go to great lengths, but if it's
really worth it, you'll just use lawyers.

 

[Michel Cabili]

Well, then I guess that we can't obfuscate the code with Ruby.

It's not a necessity. It's just that I'm used to compiled languages in
wich, if the project isn't that complex, you basically give one file to
the user.

<troll>
If I really need this kind of feature I guess I could develop a library
in C that would encrypt all my '.rb' files into another file and decode
them when launching the application... or something like that.
</troll>

Thanks for your answers.

 

[Tim Hunter]

Well, then I guess that we can't obfuscate the code with Ruby.

It's not a necessity. It's just that I'm used to compiled languages in
wich, if the project isn't that complex, you basically give one file to
the user.

<troll>
If I really need this kind of feature I guess I could develop a library
in C that would encrypt all my '.rb' files into another file and decode
them when launching the application... or something like that.
</troll>

Thanks for your answers.

I actually worked on something like this but I finally decided that it
was hopeless. Since the encrypted Ruby code must be decrypted before
being handed off to the Ruby interpreter, there's always going to be a
way for a sufficiently-motivated user to get their hands on the
unencrypted version of the program.

 

[Michel Cabili]

Why is that "trolling"? It's actually "shrouding". Not sure if that came
up
in this thread.

Could you use JRuby and ship .class files? That's pretty shrouded. But,
as
usual, you are only raising the cost of hacking, not preventing it...

Trolling because that came up just like that... Didn't know if that kind
of technique was really used (I'm just a student).

But thanks.
Do you have any usefull link that give some light on that matter?

 

[Michel Cabili]

Responding to the thread in general - just put your family jewels into
C++
behind a Ruby layer, and ship Ruby for the easy stuff that your clients
don't need to steal...

That seems a fair solution. Although I'm not that deep into Ruby yet, I
saw some links concerning creating extensions for Ruby... but in C.
There must be something equivalent for C++...

That means that when I create for instance my extension (let's say
"funky_extension"), the file concerning the extension will be compiled
therefore obfuscated? Is that what you're talking about?

 

[John Joyce]

That seems a fair solution. Although I'm not that deep into Ruby
yet, I
saw some links concerning creating extensions for Ruby... but in C.
There must be something equivalent for C++...

That means that when I create for instance my extension (let's say
"funky_extension"), the file concerning the extension will be compiled
therefore obfuscated? Is that what you're talking about?

You should use C for Ruby extensions.
Ruby is implemented in C.
JRuby might allow Java extensions...?
If you know C++ you can probably handle the C stuff.

Oh, one other idea for obfuscation, you could always also use Ruby
Inline for some things. (like a routine you run first to decrypt your
Ruby files or whatever.) Depending on the size of your app, you could
pretty easily make it at least confusing to look at with a simple
Rot13, or just replacing all newline characters in the Ruby files
with some unique identifier string. (other than the first one called,
which would include Inline C or whatever to decrypt)

You could make it even simpler. Consider Ruby's predefined variables
(they're globals that start with $) and command line flags and
arguments.
there might some simple to implement but not so obvious tricks you
could do there.

 

[Phlip]

----- Original Message -----

That seems a fair solution. Although I'm not that deep into Ruby yet, I
saw some links concerning creating extensions for Ruby... but in C.
There must be something equivalent for C++...

That means that when I create for instance my extension (let's say
"funky_extension"), the file concerning the extension will be compiled
therefore obfuscated? Is that what you're talking about?

Yes. But...

In general, asking how to obfuscate code so others can't steal it is
"solution probleming". It's just appeasing clue-impaired investors who think
their investment will return nothing if someone "steals" the code, re-skins
it, and publishes it as an alternate solution.

This is self-aggrandizing. The problem of people going crazy trying to steal
your software is a problem most ISVs would dearly love to have. And studies
have shown that competitors generally don't _want_ to use your code, when
they can see it. The code is only useful to you.

An investor's money goes to building a team and a system to create, test,
deploy, and market that code. This _system_ is what a competitor needs, and
it's very hard to steal it.

So, write lots of unit tests, and don't publish them. The code's source will
be useless!

 

[Phlip]

You should use C for Ruby extensions.

The best thing about these extensions is wrapping rVALUE (IIRC) in a C++
class that presents all its native methods as C++ methods. From there the
rest is easy!

 

[Bill Kelly]

Hello. I'm new to Ruby (and also to scripting languages).

I'd like to know if, since Ruby is a scripting language, there's a way
to hide the code when deploying an application. I'd users to be unable
to see the source.

Is there a solution for that?

A commercial obfuscator was announced last year, ZenObfuscate:
http://blog.zenspider.com/archives/2006/07/zenobfuscate_no.html

This free project, Ruby2CExtension, works along similar principles:
http://ruby2cext.rubyforge.org/

Both have some limitations on certain kinds of ruby expressions
that can't be handled.

(I've never used either one, just read about them.)


On the balance, I agree with what others are saying in this thread:
If you can find a way to avoid needing to obfuscate the code, so
much the better.

My current project is part C++, part Ruby. So I figure I'll just
leave all the ruby code open source, and put the registration check
logic in the C++ components.


Regards,

Bill

 

[Charles Oliver Nutter]

If you really think you need to obfuscate your code, then you're doing
something wrong. It is always possible to decompile stuff even with
compiled languages. PHP users often use obfuscation to try and hide stuff.
Consider crafty use of file permissions settings, and simply burying
things in modules with hard to read names.

Disassemble, sure. But it's fairly easy to generate sequences of
assembly instructions or bytecodes that can't be decompiled into any
reasonable language. JRuby's compiler, for example, emits bytecode that
could never be reversed into .java files, largely because it uses the
operand stack much more heavily and forgoes the use of local variables.

- Charlie

 

[Charles Oliver Nutter]

Hello. I'm new to Ruby (and also to scripting languages).

I'd like to know if, since Ruby is a scripting language, there's a way
to hide the code when deploying an application. I'd users to be unable
to see the source.

Is there a solution for that?

There's a couple for JRuby that have been briefly mentioned:

- JRuby can load .rb files from within a .jar file. Since most people
don't know a .jar is just a zip file, many would never think to look in
there.
- JRuby can also compile most .rb into Java .class files. From there
it's nearly impossible to get decompiled output that resembles either
Java or Ruby.

- Charlie

 

[Phlip]

- JRuby can load .rb files from within a .jar file. Since most people
don't know a .jar is just a zip file, many would never think to look in
there.\

Thus extending the cracking time by nearly 15 seconds. (-;

 

[John Joyce]

JRuby's main problem: you still need to know Java to use Ruby!

 

[Phlip]

JRuby's main problem: you still need to know Java to use Ruby!

Oh, I'm just laying awake at night wondering when someone's going to invent
RJava...

(-;

 

[Charles Oliver Nutter]

JRuby's main problem: you still need to know Java to use Ruby!

Well, we're hoping to solve that too; jrubyc already provides a
mechanism for compiling to class files, and generally of the class files
are just in the "right places" in your load path they'll load fine. For
example:

~/NetBeansProjects/jruby $ jrubyc test/foo.rb
Compiling file "test/foo.rb" as class "test.foo"
~/NetBeansProjects/jruby $ rm test/foo.rb
~/NetBeansProjects/jruby $ jruby -I. -e "require 'test/foo'"
hello from compiled Ruby

So there's no need for you to worry yourself about classpaths and jar
files and whatnot. Simply lay the compiled versions in the same
directory structure as the uncompiled versions, point load paths to the
appropriate roots, and you're off.

We'll also look into providing Ruby-friendly packaging logic, probably
through Java-specific Rake tasks, once the compiler is 100% complete.

- Charlie

 

[John Joyce]

Well, we're hoping to solve that too; jrubyc already provides a
mechanism for compiling to class files, and generally of the class
files are just in the "right places" in your load path they'll load
fine. For example:

~/NetBeansProjects/jruby $ jrubyc test/foo.rb
Compiling file "test/foo.rb" as class "test.foo"
~/NetBeansProjects/jruby $ rm test/foo.rb
~/NetBeansProjects/jruby $ jruby -I. -e "require 'test/foo'"
hello from compiled Ruby

So there's no need for you to worry yourself about classpaths and
jar files and whatnot. Simply lay the compiled versions in the same
directory structure as the uncompiled versions, point load paths to
the appropriate roots, and you're off.

We'll also look into providing Ruby-friendly packaging logic,
probably through Java-specific Rake tasks, once the compiler is
100% complete.

- Charlie

That sounds very cool.
A real Ruby interface to Java!
I do want to learn Java at some point though, just because there is a
wealth of stuff there.

 

[Rebhan, Gilbert]

=20
Hi,

-----Original Message-----
From: (e-mail address removed) [mailto:[email protected]] On
Behalf Of Charles Oliver Nutter
Sent: Sunday, September 02, 2007 5:39 PM
To: ruby-talk ML
Subject: Re: Seeing the source

/*
[ ... ]

- JRuby can load .rb files from within a .jar file. Since most people=20
don't know a .jar is just a zip file, many would never think to look in=20
there.
- JRuby can also compile most .rb into Java .class files. From there=20
it's nearly impossible to get decompiled output that resembles either=20
Java or Ruby.
*/

Are there any examples / snippets about =3D
loading rb files from a jar
compile rb files to class files
with Java (JRuby)

available ?

Regards, Gilbert