PDA

View Full Version : How To Hide Your Source



I.am
12-18-2003, 09:26 PM
Instead of giving my own, I would rather use what someone has already done and I couldn't have done it more profoundly.


Here are a number of very effective methods of keeping unscrupulous surfers from stealing your HTML source:

1. Use the <INVISIBLE> </INVISIBLE> tags around the entire document.
2. Use the DONTSTEAL attribute in the <BODY> tag.
3. Ftp to your server, select all files and directories, hit "Delete".
4. Put every existing copy of every file on floppies, place them in a shoebox and 5. bury them in the backyard. There is another version of this method which 6. involves placing the floppies in a plastic bag and hiding them in a different sort of hole. Both are equally effective.
6. Password protect your entire site and make sure no one has the password, not even you.
7. Employ a small but fanatically loyal and well-armed band of mercenaries to guard your site.
8. Start>Run>format C:&#092;
9. Attack dogs, preferably rabid.
10. Use any version of Microsoft Frontpage to create your site. (This won&#39;t prevent people from viewing your source, but no one will want to steal it.)
Don&#39;t put your pages on the web.


ok, so that was fun&#33; :D Here is the real lowdown on hiding your source code.

It can&#39;t be done.
The only truly effective method in the list above is #10.

While it is possible to make it difficult for people to view your source code, you cannot stop someone who really wants it. It has been suggested that using javascript to disable right-click or encrypting the HTML may be effective. It is far more likely that employing these easily circumvented techniques will only encourage people to "steal" your code. In all probability, they don&#39;t want it until you tell them they can&#39;t have it.

Moreover, I literally hate and stop and going to sites where right click is disabled. Not because I cant get to the source code but because its annoying. There are 1001 ways to get the source code no matter what you do. If you want to see the techniques further how to get a source code, visit few here here (http://www.vortex-webdesign.com/help/hidesource.htm)
Fooling disable right click and others (http://www.vortex-webdesign.com/help/dontdoit.htm#10)

Personally, if you do are hanky panky about the source code then use a good encryption program to scramble the code. But I doubts why any normal user would do that. Its not like your home address is displayed in the source code.

If you really did write your own source code (which I doubt these days :rolleyes: ) then you can insert a comment in html saying its your own work and if copied please credit the author. The comment tags in html are inserted like this
&#60;&#33;-- I am a comment, I hide from the display page and stay here to catch you looking at my source code --&#62;

Also,
10 more things to avoid&#33; (http://www.vortex-webdesign.com/help/tenmore.htm)

Hope this helps all you paranoid people out there :)

3rd gen noob
12-18-2003, 09:32 PM
no-one better steal my source, i spent 10 minutes writing it :)

good post though

h1
12-22-2003, 05:17 PM
true, even using something industrial-strength such as protware&#39;s html guardian cannot completely protect your source code. since everything is interpreted at runtime, any user with basic javascript/vbscript knowledge can spit out the source. most of the features, like no clipboard, drag & drop, offline use and extreme obfuscation will stop casual rippers, though.

phAnt0m buRn
12-24-2003, 10:55 PM
Define obfuscerate or whatever the bloody hell it was.

3rd gen noob
12-24-2003, 11:01 PM
Originally posted by phAnt0m buRn@24 December 2003 - 21:55
Define obfuscerate or whatever the bloody hell it was.
http://www.google.com

DWk
12-24-2003, 11:08 PM
yea thats why i love IE.... if right click doesnt work (or both together)... View->Source

:rolleyes:

Ynhockey
01-05-2004, 02:38 PM
Well, there&#39;s one way i know of to hide your source... first format all your text with PHP instead of HTML (for example, for tabs use chr(9), etc.), then dynamically create an image with all the text in it. Works great, but it&#39;s REALLY not worth the effort.

Protecting your source sucks, the net is an open-source place.

Mavol
01-05-2004, 07:45 PM
hehe, nice post. check this source code out&#33; this is absolutely the worst protection, if you can call it a protection: www.belgium.be/eportal/application?languageRedirected=yes&pageid=aboutBelgium&languageRedirected=yes

h1
01-05-2004, 10:27 PM
what protection?

I.am
01-05-2004, 11:36 PM
Originally posted by Mavol@5 January 2004 - 12:45
hehe, nice post. check this source code out&#33; this is absolutely the worst protection, if you can call it a protection: www.belgium.be/eportal/application?languageRedirected=yes&pageid=aboutBelgium&languageRedirected=yes
I must have missed whatever protection it had. Can you pinpoint what they had.

Thanks,
I.am

Ynhockey
01-06-2004, 05:59 PM
That site doesn&#39;t have any protection... you just need to scroll down to see the code. A similar trick was used on www.dubtastic.com but it really doesn&#39;t hide anything... unless I&#39;m missing something ?

Mavol
01-06-2004, 06:06 PM
yes thats right. thats just soo suucckkyy :D hilarious&#33;
its just obvious that it was supposed to be &#39;the protection&#39; of the source code.

Ynhockey
01-06-2004, 06:39 PM
Well, having the <html> tag on the 1st page kinda gave it away... i admit that Dubtastic&#39;s code fooled me for a second when i first looked at it a while ago though.

I.am
01-06-2004, 10:33 PM
It is a big joke&#33; :lol:

Wizzandabe
01-09-2004, 05:57 PM
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm

Its ok, does a good job, but not fool proof.

Ynhockey
01-09-2004, 08:03 PM
Well, there are a few bad things about that script:

1) Even developers who want to hide their source want to be able to read it themselves. This makes the job much harder.
2) It&#39;s easy to backwards-engineer this code (probably easiest with JS because it has that function but with PHP it&#39;s not hard either).
3) Doesn&#39;t work with pure XHTML/XML (although that&#39;s not hard to fix).
4) About 10% of the users on the internet have JavaScript disabled. It will COMPLETELY prevent the page from rendering for those people.

I.am
01-09-2004, 10:35 PM
Originally posted by Wizzandabe@9 January 2004 - 10:57
http://www.dynamicdrive.com/dynamicindex9/encrypter.htm

Its ok, does a good job, but not fool proof.
Its certainly one of the examples I gave in my first post :D It simply uses a javascript and its quite easy to work backwords if the need arises. The thing is for a personal user there is nothing extraordinary you can do in html that others dont know. So why bother about it and not mess with what controls visitor has?

I have plugins in my browser that enables right click, views the source, descrambles the source code(has various encoding/decoding tools) and etc. even if its disabled. What I hate is when a website tries to block right click and things what you can normally do. It gives a bad impression as well. So unless you have something big to offer the users which can have them stay on their page ignoring all this then its ok otherwise the site will never reach the favorites ;)

klapy
01-15-2004, 05:49 PM
there is NO way to hide sources: just like there is no way to make a website completely save, there will always be some hacker who cracks it&#33;

Mavol
01-15-2004, 06:02 PM
i&#39;ce found this, wonder what this does:


&#60;script LANGUAGE=&#34;JavaScript&#34;&#62;eval&#40;unescape&#40;&#34;%66%75%6e%63%74%69%6f%6e%20%52%72%52%72%52%72%52%72%28%74%65%61%61%62%62%29%20%7b%76%61%72%20%74%74%74%6d%6d%6d%3d%22%22%3b%6c%3d%74%65%61%61%62%62%2e%6c%65%6e%67%74%68%3b%77%77%77%3d%68%68%68%68%66%66%66%66%3d%4d%61%74%68%2e%72%6f%75%6e%64%28%6c%2f%32%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%09%68%68%68%68%66%66%66%66%3d%68%68%68%68%66%66%66%66%2d%31%3b%66%6f%72%28%69%3d%30%3b%69%3c%68%68%68%68%66%66%66%66%3b%69%2b%2b%29%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%29%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%69%2b%68%68%68%68%66%66%66%66%29%3b%69%66%28%6c%3c%32%2a%77%77%77%29%20%74%74%74%6d%6d%6d%20%3d%20%74%74%74%6d%6d%6d%20%2b%20%74%65%61%61%62%62%2e%63%68%61%72%41%74%28%6c%2d%31%29%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%74%74%74%6d%6d%6d%29%3b%7d%3b&#34;&#41;&#41;;&#60;/script&#62;

i guess block clicking, am i right?

Captain Nemo
01-15-2004, 08:36 PM
Originally posted by Mavol@15 January 2004 - 13:02
i&#39;ce found this, wonder what this does: i guess block clicking, am i right?
I added that script to an html doc and it did not have a function, here is the un-encrypted v,....

&#60;script LANGUAGE=&#34;JavaScript&#34;&#62;eval&#40;unescape&#40;&#34;function RrRrRrRr&#40;teaabb&#41; {var tttmmm=&#34;&#34;;l=teaabb.length;www=hhhhffff=Math.round&#40;l/2&#41;;if&#40;l&#60;2*www&#41; hhhhffff=hhhhffff-1;for&#40;i=0;i&#60;hhhhffff;i++&#41;tttmmm = tttmmm + teaabb.charAt&#40;i&#41;+ teaabb.charAt&#40;i+hhhhffff&#41;;if&#40;l&#60;2*www&#41; tttmmm = tttmmm + teaabb.charAt&#40;l-1&#41;;document.write&#40;tttmmm&#41;;};&#34;&#41;&#41;;&#60;/script&#62;

This is a good disable right click script, it doesn&#39;t have one of those stupid alert boxes that pops up,....

&#60;script language=JavaScript&#62;&#60;&#33;--

var message=&#34;Function Disabled&#33;&#34;;

function clickIE&#40;&#41; &nbsp;{if &#40;document.all&#41; {alert&#40;message&#41;;return false;}}
function clickNS&#40;e&#41; {if
&#40;document.layers||&#40;document.getElementById&&&#33;document.all&#41;&#41; {
if &#40;e.which==2||e.which==3&#41; {alert&#40;message&#41;;return false;}}}
if &#40;document.layers&#41;
{document.captureEvents&#40;Event.MOUSEDOWN&#41;;document.onmousedown=clickNS;}
else{document.onmouseup=clickNS;document.oncontextmenu=clickIE;}

document.oncontextmenu=new Function&#40;&#34;return false&#34;&#41;

// --&#62;&#60;/script&#62;

I.am, as for the link in your first post, I like the good old drag and drop but, sometimes websites make a picture a link, in this case the temp internet folder has everything I want. I look at it like this,... If I visit a site and something gets downloaded (img, swf, music) to my system it belongs to me, possession is still 9/10th&#39;s isn&#39;t it :ph34r:

"3. Ftp to your server, select all files and directories, hit "Delete"." Lmfao, now that is funny :lol:

I.am
01-19-2004, 10:42 PM
@Captain Nemo, ya you are right, as long as it satisfies our guilt of copy infringement :lol:

h1
01-20-2004, 05:28 AM
I&#39;ll be uploading a page soon with some really strong JavaScript password protection and see if anyone here can crack it. I have right now on me JS implementation of Blowish-358 and MD5.

And my God, who killed the layout?

h1
01-23-2004, 05:16 AM
Break me (http://www.s93622254.onlinehome.us/misc/klb-pw)

Ynhockey
01-23-2004, 11:38 AM
The password is klite. Isn&#39;t it ?

You used the same protections as on try2hack.nl&#39;s level 3 (i think), so it wasn&#39;t really difficult to hack. But of course, i could&#39;ve just disable JS and been done with it :P

Ynhockey
01-23-2004, 02:02 PM
Heh, that no longer works...

Why did you have to make that prompt appear forever ? I had to reconnect and restart my browser because of that :angry:

I.am
01-23-2004, 08:26 PM
Originally posted by haxor41789@22 January 2004 - 22:16
Break me (http://www.s93622254.onlinehome.us/misc/klb-pw)
:angry: Same problem here. I had to close MyIE2 (all windows) to close that bloody thing.

Mavol
01-23-2004, 09:58 PM
Originally posted by I.am+23 January 2004 - 21:26--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td>QUOTE (I.am @ 23 January 2004 - 21:26)</td></tr><tr><td id='QUOTE'> <!--QuoteBegin-haxor41789@22 January 2004 - 22:16
Break me (http://www.s93622254.onlinehome.us/misc/klb-pw)
:angry: Same problem here. I had to close MyIE2 (all windows) to close that bloody thing. [/b][/quote]
good protection, at first glance :flowers:

h1
01-23-2004, 10:12 PM
Sorry... it&#39;s been removed.

This really isn&#39;t implemented as a source protection scheme, but you probably can see how it could be.

I.am
01-23-2004, 10:47 PM
I doubt if it is really strong. That javscript was in an infinite loop if it is wrong password. A bot can be put to work to use all the passwords from a list until its found if its a dumb password. Otherwise, you can download the website via winhttrack and see the javascript file, unencrypt it find the password and use it. You already might be knowing this too.

Althought unencryption might take a little long but will work eventually. Plus javascript is too slow for MD5 encryption, you might be knowing it.

If you see here,
Javascript MD5 (http://pajhome.org.uk/crypt/md5/)
one can easily modify to decrypt it. :)

h1
01-23-2004, 11:55 PM
Ah, but it is not just MD5. There are two passwords in that very file.

(Highlight rest of line for a hint) You don&#39;t even have to bother decrypting the MD5, think about how it processes the next command.

The second algorithm will always decrypt the text no matter what password you put in, but it will return garbage. This will take a bot much longer as it will have to have some way of discerning garbage from the actual page.

HTTrack will not work on my site. Besides, there&#39;s no difference in viewing source or mirrorring it.

JavaScript MD5 is not that slow, but the second algorithm is.

(Info from the winners&#39; page regarding algorithm 2)

n = N to the power L where:

n is the number of possible passwords
N is the number of characters that can be used in the password
L is the password length

With a character set of a-z, A-Z, 0-9, &#33; to ) and 100 extended characters, N is (26 + 26 + 10 + 10 + 100), or 172. For a password length of six characters, n will be 172 to the power 6, or 25,892,303,048,704 possible passwords. Here is table detailing increases in password length with the same charset:

Password length / Possible passwords / 1,000,000 passwords/second / 1 trillion passwords/second
1 / 172 / 0 seconds / 0 seconds
2 / 29584 / 0 seconds / 0 seconds
5 / 150,536,645,632 / 41 minutes / 0 seconds
7 / 40,867,559,636,992 / 1.3 years / 41 seconds
8 / 3.59 x 10 to the power 15 / 114 years / 1 hour
10 / 2.78 x 10 to the power 19 / 883,120 years / 332 days
15 / 1.47 x 10 to the power 29 / 4.66 x 10 to the power 15 years / 4.66 x 10 to the power 9 years
25 / 4.09 x 10 to the power 48 / 1.29 x 10 to the power 35 years / 1.29 x 10 to the power 29 years
48 / 2.16 x 10 to the power 93 / 6.86 x 10 to the power 79 years / 6.86 x 10 to the power 73 years
100 / 3.57 x 10 to the power 223 / 1.13 x 10 to the power 210 years / 1.13 x 10 to the power 204 years

The cracking rate of 1 trillion passwords per second in the last column is definitely science fiction, but it can be accomplished in 10-15 years by using hundreds of supercomputers for distributed password cracking.

I.am
01-24-2004, 01:06 AM
Yup, but also depends how many bots you have working on that and how it is distributed like you said. It isnt that complex as you mentioned. It sure is tricky but not next to impossible as it seems.


The cracking rate of 1 trillion passwords per second in the last column is definitely science fiction, but it can be accomplished in 10-15 years by using hundreds of supercomputers for distributed password cracking

That reminds me in a research project going on here, in one part of the program one of the programmers used BubbleSort (which has Complexity Order of N^2) and the sorting algorithm had been running for 1 hr. There were about 17 million files to be sorted and he didnt think about BIG O (also it is easiest to write bubblesort in short time), i guess in real life we never worry about order that much. After coming back looked at the code and calculated that in this rate it would take 30 yrs for it to be sorted :lol:

We quickly changed it to quicksort and it was sorted in 30 sec :lol:

h1
01-24-2004, 05:15 AM
LOL. I made my (probably flawed) assumption based on the fact that the second algorithm uses several thousand FP calculations, and that a valid result is always returned, meaning that the machine would have to possess some intelligence.

I.am
01-24-2004, 08:35 PM
:lol: