
Ins and outs of the Windows script encoder

May 26, 2003 (3 mins)
Enterprise Applications

* Hiding your ASP script source

If you create Web application scripts and you want to make them available for other people to use (whether for a fee or free), then you are pretty much giving away your intellectual property. That is, unless you can hide the script somehow.

Whether such a facility exists depends on the language you use. In a previous newsletter we discussed what can be done with various tools, but they are all very lightweight in the sense that the hiding they confer on the script is not terribly hard to break.

Note that there are two approaches to hiding your code that are commonly talked about: encoding and encryption.

While it is hard to distinguish between encoding and encryption, in general encoding means to change the symbol set used to represent the data while encrypting means to encode in such a way as to make decoding difficult without special knowledge.

The latter is in theory a more powerful approach because encrypting can make it very hard to get at the hidden script but there are overheads – complexity, increased processor power and decryption time required.

PHP programmers can use the Zend Encoder to protect their scripts (see links below) and as far as I can determine, this provides very secure script hiding.

If you’re using any of the scripting languages under Microsoft IIS such as VBScript and JScript with Active Server Pages (ASP), you can use the Windows Script Encoder.

Windows Script Encoder was introduced in Microsoft Script Engine 5.0 and is very simple to use. WSE is a command line utility that takes two parameters: the name of the script file and the name of the output file.

Which sections of the input file will be encoded depends on both the filename extension and the presence of encoding markers.

Encoding markers, which include the text “**Start Encode**”, allow one or more parts of the input script to be excluded from being encoded. This is important because the encoded client-side JScript will only work on MSIE 5.0 or higher.

Encoding markers under VBScript look like:

'**Start Encode**

[[Code goes here]]

And in JScript:

//**Start Encode**

[[Code goes here]]

Encoding is applied to everything from the start marker to the end of the script block. After encoding the

And for JScript it will be:

There are several command line switches that allow “silent” operation of the encoder and define the default scripting language.
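The marker rule described above, worked through as an added example (not code from the article or from Microsoft): it splits each script block of a constructed sample page at its **Start Encode** line and reports which lines would stay readable. The function names, the sample page, and the treatment of a block with no marker (encoded in full) are assumptions.

```javascript
// Added example, not Microsoft's code: applies the article's marker rule to
// report which lines of each <script> block would remain readable.
const PREFIX = new Map([["vbscript", "'"], ["jscript", "//"]]);

// Split one script body at its first marker line. Assumptions: the marker is
// on its own line, the marker line itself stays in clear text, and a block
// with no marker is encoded in full.
function splitAtMarker(body, lang) {
  const prefix = PREFIX.get(lang.toLowerCase());
  if (!prefix) return null; // only VBScript and JScript are handled here
  const re = new RegExp(
    "^[ \\t]*" + prefix + "\\*\\*Start Encode\\*\\*[ \\t]*\\r?$", "m");
  const m = re.exec(body);
  const cut = m ? m.index + m[0].length : 0;
  return { clear: body.slice(0, cut), encoded: body.slice(cut) };
}

const nonBlank = (s) => s.split(/\r?\n/).map((l) => l.trim()).filter(Boolean);

// Per <script> block: the lines left readable and how many lines get encoded.
function auditPage(source) {
  const report = [];
  const blockRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of source.matchAll(blockRe)) {
    const langMatch = /language\s*=\s*["']?([\w.]+)/i.exec(attrs);
    const lang = langMatch ? langMatch[1] : "unknown";
    const parts = splitAtMarker(body, lang);
    if (!parts) continue; // block in a language this sketch does not cover
    report.push({ lang, readable: nonBlank(parts.clear),
                  encodedLines: nonBlank(parts.encoded).length });
  }
  return report;
}

// Constructed sample page: one block with a marker, one without.
const SAMPLE = [
  '<script language="VBScript">',
  "' Copyright Example Corp (constructed sample)",
  "'**Start Encode**",
  "Function Price(qty)",
  "  Price = qty * 42",
  "End Function",
  "</script>",
  '<script language="JScript">',
  "function total(a, b) { return a + b; }",
  "</script>",
].join("\n");

console.log(JSON.stringify(auditPage(SAMPLE), null, 2));
```

Running it on your own page before encoding shows whether a copyright notice or a proprietary routine sits on the wrong side of the marker.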

So how robust is the encoding applied by Windows Script Encoder? Well, pretty good, but the encoding system has been cracked. Does this mean that your encoded scripts are exposed? Absolutely, but only to those who really, really want to see what’s going on; otherwise, the Windows Script Encoder is the best tool for hiding your ASP script source.


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at
