Web site security ASP program encryption/decryption method disclosure

Source: Internet
Author: User

Today, Web sites built with ASP technology are everywhere. Because ASP scripts are interpreted on the server rather than compiled, the ASP code you have worked hard to develop is easy to copy and to modify at will. How can you protect ASP source code? Every ASP webmaster runs into this problem, and there are many posts online offering solutions. Here we discuss the methods for encrypting ASP programs.

  First, how do you encrypt an ASP program?

At present, there are three ways to encrypt ASP programs: Script Encoder (SCRENC.EXE) encryption, component encryption, and encryption with a program you write yourself. We introduce the three methods in turn.

1. Using Microsoft's MS Script Encode for encryption

Microsoft provides the script encoder MS Script Encode (download address http://www.itgene.cn/itgene/download/download.aspID=232), which can encrypt ASP programs. It is a simple command-line tool; its executable is SCRENC.EXE and it must be run under DOS. It encrypts only the script code embedded in the page, converting the ASP code in the page into unreadable garbled text, and leaves the rest unchanged. The encrypted program must be browsed with Internet Explorer version 5.0 to work normally.

After encryption with SCRENC, the encrypted portion of the file becomes read-only: if you modify the encrypted part (even if only one word is changed), the entire file can no longer be used. For VBScript, the first line of the encrypted source file shows <script language="VBScript.Encode">; for JScript (or JavaScript) it shows <script language="JScript.Encode">.

(1) Encryption method

To encrypt an ASP file, click Start / Programs / Accessories / Command Prompt and enter the following command at the MS-DOS command line:

SCRENC [switches] <ASP file to encrypt> <encrypted file name>

The [switches] item can be any of the following 5 parameters. For each switch, the meaning is given first, followed by an example.

/s
Meaning: Optional. With this switch, nothing is output to the screen during encryption.
Example: screnc /s lacl.sct ulacl.sct
Encrypts the scriptlet lacl.sct in the current directory; no information is displayed on the screen during encryption.

/f
Meaning: Optional. Specifies whether the output file overwrites an input file of the same name. If omitted, no overwrite is performed.
Example: screnc /f lacl.asp
Encrypts the file lacl.asp and overwrites the original file with the encoded file of the same name.

/xl
Meaning: Optional. Controls whether the @language directive is added at the top of the .asp file. If omitted, the directive is added.

/l defLanguage
Meaning: Optional. Specifies the default scripting language that Script Encoder uses during encryption. Scripts that do not contain this scripting language attribute will be ignored by the Script Encoder. For HTML files, JScript is the built-in default scripting language; for ASP files, VBScript is the default scripting language; Script Encoder also adapts automatically to files with the .vbs or .js extension.
Example: screnc /l VBScript lacl.htm ulacl.htm
Encrypts the file lacl.htm and generates the output file ulacl.htm, ensuring that script blocks that do not specify a language attribute use VBScript.

/e defExtension
Meaning: Optional. Specifies the file name extension of the files to be encrypted. By default, Script Encoder recognizes asa, asp, cdx, htm, html, js, sct and vbs files.
Example: screnc /e asp 11\*.* F:\LABXW-JM
Encrypts all the .asp files in the 11 directory and places the encoded output files in the F:\LABXW-JM directory.

(2) Examples of operation

For example, to encrypt the lacl.asp file in the current directory and generate the encrypted file ulacl.asp, enter the command in DOS:

Screnc lacl.asp ulacl.asp

To encrypt all the .asp files in the current directory and place the encoded output files in F:\LABXW, use the command:

Screnc *.asp F:\labxw

2. Using components to encrypt ASP

Programs encrypted with Screnc as described above can be decrypted (the decryption method is described below). If you want to protect your ASP code completely, you can develop an ActiveX DLL component to protect it.

DLL files are compiled machine code; without the source project files they cannot be decompiled, so component encryption is the safest method and cannot be cracked. As an example, suppose you want to protect the following ASP code:

Set rs = Server.CreateObject("ADODB.Recordset")
sql = "SELECT * FROM GQ WHERE Xs=1 ORDER BY date ASC"
rs.Open sql, conn, 1, 1
If rs.EOF And rs.BOF Then
    ' the link text is concatenated in; <%= %> cannot be used inside a script block
    Response.Write "<a href=new0.asp?lbid=gqx>" & gqx & "</a>"
Else
    Response.Write ""
End If
Set rs = Nothing
conn.Close
Set conn = Nothing

You can rewrite it as a VB component and then call the component from the ASP file. The steps are as follows:

(1) Create a new VB6 ActiveX DLL project

In the Properties window, name your class module and project (for example, project name Lacl, module name disp); later, in the ASP file, the object is called by the name Lacl_disp.

From the Project menu in VB6, choose References and select the Microsoft ActiveX Data Objects 2.0 Library.

(2) Writing VB components

Next, rewrite <the ASP code to protect> as a VB component. The code is as follows:

Public Function Html_combo(disp_table As String) As String
    Dim outstring As String
    Dim conn As ADODB.Connection
    Dim rst As ADODB.Recordset
    Dim SqlString As String
    Set conn = CreateObject("ADODB.Connection")
    Set rst = CreateObject("ADODB.Recordset")
    ' disp_table is concatenated into the SQL text, so pass only a fixed table name, never user input
    SqlString = "SELECT * FROM " & disp_table & " WHERE Xs=1 ORDER BY date ASC"
    ' The lines above open the database from VB; change the table name and field names to suit your needs
    conn.Open "DSN=sumnet"
    rst.Open SqlString, conn, 3, 3
    If rst.EOF And rst.BOF Then
        outstring = "There is no such unit information yet"
    Else
        rst.MoveFirst
        ' Request is the ASP Request object; a compiled component has to obtain it from the ASP context
        outstring = "<a href=new0.asp?lbid=" & Request("Lbid") & "></A>"
    End If
    Html_combo = outstring
    rst.Close
    conn.Close
End Function

After writing the VB code above, save the project and compile it.

(3) Generate installation files

Open the Package & Deployment Wizard included with Visual Studio 6, select the ActiveX project file Lacl you just created, and choose Package. Select the script to package or use the default script, choose the standard installation, and choose a single cab for the generated installation file. Leave everything else at its default, then click Next, and the installation files are generated automatically!

(4) Installing components on the IIS server

Run the installation file on the IIS server and install the component on the server.

(5) Calling components in a Web page

Later, in the ASP file, the original functionality is accomplished by calling the component. Call the component you made in the Web page as follows:

<%@ Language="VBScript" %>
<%
Set Diaoyong = Server.CreateObject("Lacl_disp.disp")
%>
<body>
<%= Diaoyong.Html_combo("GQ") %>
<br>
</body>

As you can see, the ASP file now contains only a call to the component (completely different from before). Even if someone obtains the file, they cannot edit the source code, because the code is encapsulated in the VB component; outsiders cannot see the component's code and cannot decompile it!

3. Write your own encryption program

  Although component encryption cannot be cracked, it requires you to be familiar with VB programming and to rewrite the ASP code as VB components, which is a great deal of work. We therefore recommend writing your own program to protect the ASP code. The basic idea is: write an encryption function Base64Encode and a decryption function Base64decode. First process <the ASP code to protect> with the encryption function to obtain the corresponding ciphertext hu; then replace <the ASP code to protect> with Execute(Base64decode(hu)).

For example, we want to protect the above ASP code, you can do this:

(1) Process <the ASP code to protect> in Word

Copy <the ASP code to protect> into Word. In Word, replace the paragraph marks (carriage return and line feed) in the code with the Chinese character "water": click Edit / Replace, place the cursor in the "Find what" box, click Advanced / Special and select "Paragraph mark"; then place the cursor in the "Replace with" box, enter "water", and finally click "Replace all". In the same way, replace all the single quotes in the code with the character "plus".

(2) Write and run the encryption program

Write the encryption program in FrontPage. The program has an initialization function Initcodecs and an encryption function Base64Encode (code below). Copy the code processed in Word and paste it into the statement inp = "", and finally save the file as test1.asp. Enter http://127.0.0.1/test1.asp in IE to run the file locally; a large block of garbled text (such as C2v0ihjzpxnlcnzlci5jcmvhd ...) is displayed on the screen, which is the ciphertext corresponding to the ASP code to be protected.

Option Explicit
Const BASE_64_MAP_INIT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim newline
Dim Base64EncMap(63)
Dim Base64DecMap(127)
Dim inp, hu, encode
Call InitCodecs ' initialization
inp = "<ASP code after processing in Word>" ' paste the ASP code to protect here, after processing it in Word
hu = Base64Encode(inp) ' call Base64Encode to encrypt and obtain the ciphertext hu
Response.Write(hu) ' display the ciphertext

' Initialization function InitCodecs: builds the encode and decode lookup tables
Public Sub InitCodecs()
    newline = "<P>" & Chr(13) & Chr(10)
    Dim max, idx
    max = Len(BASE_64_MAP_INIT)
    For idx = 0 To max - 1
        Base64EncMap(idx) = Mid(BASE_64_MAP_INIT, idx + 1, 1)
    Next
    For idx = 0 To max - 1
        Base64DecMap(Asc(Base64EncMap(idx))) = idx
    Next
End Sub

' Encryption function Base64Encode: maps every 3 input characters to 4 output characters
Public Function Base64Encode(plain)
    If Len(plain) = 0 Then
        Base64Encode = ""
        Exit Function
    End If
    Dim ret, ndx, by3, first, second, third
    by3 = (Len(plain) \ 3) * 3
    ndx = 1
    Do While ndx <= by3
        first = Asc(Mid(plain, ndx + 0, 1))
        second = Asc(Mid(plain, ndx + 1, 1))
        third = Asc(Mid(plain, ndx + 2, 1))
        ret = ret & Base64EncMap((first \ 4) And 63)
        ret = ret & Base64EncMap(((first * 16) And 48) + ((second \ 16) And 15))
        ret = ret & Base64EncMap(((second * 4) And 60) + ((third \ 64) And 3))
        ret = ret & Base64EncMap(third And 63)
        ndx = ndx + 3
    Loop
    ' One or two characters are left over: encode them without "=" padding
    If by3 < Len(plain) Then
        first = Asc(Mid(plain, ndx + 0, 1))
        ret = ret & Base64EncMap((first \ 4) And 63)
        If (Len(plain) Mod 3) = 2 Then
            second = Asc(Mid(plain, ndx + 1, 1))
            ret = ret & Base64EncMap(((first * 16) And 48) + ((second \ 16) And 15))
            ret = ret & Base64EncMap((second * 4) And 60)
        Else
            ret = ret & Base64EncMap((first * 16) And 48)
            ret = ret ' & "="
        End If
        ret = ret ' & "="
    End If
    Base64Encode = ret
End Function

(3) Rewrite the ASP file to be protected

Rewrite the original ASP file, adding the Unencode and Base64decode functions to it. The complete code is as follows:

Dim hu, hu2
' Copy the ciphertext of the ASP code to protect and store it in the hu variable
Hu= " C2v0ihjzpxnlcnzlci5jcmvhdgvvymply3qo12fkb2rilnjly29yzhnldompicagicduc3fspenzzwxly3qgkibmcm9tigdxicb3agvyzsb4cz0xig9yzgvyi gj5igrhdgugyxnj1yagicagsnjzlm9wzw4gc3fslgnvbm4smswxicagicduawygcnmuzw9migfuzcbycy5ib2ygdghlbiducmvzcg9uc2uud3jpdgutvsd7in ag5iagilugvyafilitsmvsc2ugsiagicagumvzcg9uc2uuv3jpdgug1zxbiehsruy9bmv3mc5hc3a/ bgjpzd0tjnjlcxvlc3qo12xiawqtksamiom+ Pc9bpupuzw5kiglmicagil5zzxqgcnm9bm90agluzyagicagicagsmnvbm4uy2xvc2ugicagicduc2v0ignvbm49bm90agluzyagil4 "
Const BASE_64_MAP_INIT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
Dim Base64DecMap(127), newline
Call InitCodecs ' build the decode table before decoding
hu2 = Base64decode(hu) ' restore the ASP code to be protected
Execute(Unencode(hu2)) ' restore single quotes and line breaks, then execute the original code

' Initialization: fills the decode table used by Base64decode
Sub InitCodecs()
    Dim idx
    newline = Chr(13) & Chr(10) ' line break put back by Unencode
    For idx = 0 To Len(BASE_64_MAP_INIT) - 1
        Base64DecMap(Asc(Mid(BASE_64_MAP_INIT, idx + 1, 1))) = idx
    Next
End Sub

' Decryption function Base64decode
Function Base64decode(scrambled)
    If Len(scrambled) = 0 Then
        Base64decode = ""
        Exit Function
    End If
    ' Ignore trailing "=" padding
    Dim realLen
    realLen = Len(scrambled)
    Do While Mid(scrambled, realLen, 1) = "="
        realLen = realLen - 1
    Loop
    Dim ret, ndx, by4, first, second, third, fourth
    ret = ""
    by4 = (realLen \ 4) * 4
    ndx = 1
    Do While ndx <= by4
        first = Base64DecMap(Asc(Mid(scrambled, ndx + 0, 1)))
        second = Base64DecMap(Asc(Mid(scrambled, ndx + 1, 1)))
        third = Base64DecMap(Asc(Mid(scrambled, ndx + 2, 1)))
        fourth = Base64DecMap(Asc(Mid(scrambled, ndx + 3, 1)))
        ret = ret & Chr(((first * 4) And 255) + ((second \ 16) And 3))
        ret = ret & Chr(((second * 16) And 255) + ((third \ 4) And 15))
        ret = ret & Chr(((third * 64) And 255) + (fourth And 63))
        ndx = ndx + 4
    Loop
    ' Two or three characters are left over: decode the final one or two bytes
    If ndx < realLen Then
        first = Base64DecMap(Asc(Mid(scrambled, ndx + 0, 1)))
        second = Base64DecMap(Asc(Mid(scrambled, ndx + 1, 1)))
        ret = ret & Chr(((first * 4) And 255) + ((second \ 16) And 3))
        If realLen Mod 4 = 3 Then
            third = Base64DecMap(Asc(Mid(scrambled, ndx + 2, 1)))
            ret = ret & Chr(((second * 16) And 255) + ((third \ 4) And 15))
        End If
    End If
    Base64decode = ret
End Function

' Function Unencode: restores single quotes and line breaks
Function Unencode(cc)
    Dim i, temp
    For i = 1 To Len(cc)
        If Mid(cc, i, 1) <> "水" Then ' "水" is the Chinese character "water"
            If Mid(cc, i, 1) = "加" Then ' "加" is the character "plus"
                temp = temp & "'"
            Else
                temp = temp & Mid(cc, i, 1)
            End If
        Else
            temp = temp & newline
        End If
    Next
    Unencode = temp
End Function

Save the above code as test2.asp.

(4) Encrypt test2.asp with Screnc

Encrypt test2.asp with Screnc and then publish it to the server. Even if others obtain the file and crack the Screnc encryption, they still cannot see the original code, because the original code in test2.asp is ciphertext (hu= "C2V0IHJZPXNLCNZLC ...). The ASP code is thus protected!
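When reviewing or triaging an ASP tree, both schemes above are recognisable from the file text, and the wrapper from steps (1) to (4) can be unwrapped for inspection because Base64 is a keyless encoding. The following Python code is an added example, not code from the original article: the sample ASP fragment is constructed, the names wrap, triage and recover are hypothetical, and it assumes standard Base64 over UTF-8 text.

```python
import base64
import re

# Placeholder characters from step (1): "water" marks a line break, "plus" a single quote.
NEWLINE_MARK, QUOTE_MARK = "水", "加"
# Constructed sample of ASP code an author wants to hide (not taken from the page).
PLAIN = "x = 2 ' counter\r\nResponse.Write x + 1"

LITERAL = re.compile(r'\w+\s*=\s*"([A-Za-z0-9+/=\s]{16,})"')
EXEC_CALL = re.compile(r"\bExecute(?:Global)?\s*\(", re.I)
ENCODER_MARK = re.compile(r'language\s*=\s*"?(?:VBScript|JScript)\.Encode', re.I)


def wrap(plain):
    """Build a test2.asp-style wrapper as in steps (1)-(3); padding is left off."""
    flat = plain.replace("\r\n", NEWLINE_MARK).replace("'", QUOTE_MARK)
    blob = base64.b64encode(flat.encode("utf-8")).decode("ascii").rstrip("=")
    return f'<%\nDim hu, hu2\nhu = "{blob}"\nhu2 = Base64decode(hu)\nExecute(Unencode(hu2))\n%>'


def triage(asp_text):
    """Label a file by the protection scheme it appears to use."""
    findings = []
    if ENCODER_MARK.search(asp_text):
        findings.append("script-encoder")
    if EXEC_CALL.search(asp_text) and LITERAL.search(asp_text):
        findings.append("execute-of-encoded-literal")
    return findings


def recover(asp_text):
    """Return the source hidden in the first long Base64 literal, or None."""
    match = LITERAL.search(asp_text)
    if match is None:
        return None
    blob = re.sub(r"\s+", "", match.group(1))
    blob += "=" * (-len(blob) % 4)  # restore the padding the encoder omitted
    try:
        flat = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers invalid Base64 and invalid UTF-8
        return None
    return flat.replace(NEWLINE_MARK, "\r\n").replace(QUOTE_MARK, "'")


if __name__ == "__main__":
    sample = wrap(PLAIN)
    print(triage(sample))
    print(recover(sample))
```
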

  Second, how do you decrypt an encrypted ASP program?

How do you decrypt an encrypted ASP program? First of all, ASP programs protected with component encryption cannot be decrypted, whereas programs encrypted with SCRENC can be; the method is to use decryption software (ZWDECODE.EXE).

ZWDECODE.EXE (download address http://www.mydown.com/softdown/45/45183.html) can decrypt ASP files encrypted with MS Script Encode and restore the source code.

(1) Decryption method

To recover the original code, click Start / Programs / Accessories / Command Prompt and enter the following command at the MS-DOS command line:

Zwdecode <encrypted ASP file name> <output file name>

Here <encrypted ASP file name> is required, and the file name may include a directory path; <output file name> is also required. It is the name of the output file to be generated and may also include path information.

(2) Examples

For example, F:\22\lacl.asp has been encrypted with Screnc; to recover the source code, enter the following command in MS-DOS:

Zwdecode F:\22\lacl.asp d:\ulacl.asp

When execution completes, a file ulacl.asp is generated on drive D. Open the file and you can see the source code!


