Tuesday, June 27, 2017

#1 2017-06-16 11:17:14 pm

Jeffkr
Member
Registered: 2005-11-05
Posts: 455

hide a script from appearing in "Get Info" of a File?

Is there any way to modify the code within a script, or use a 3rd party application, so that the Mac would not reveal the entire code of the script in the preview pane when one chooses to "Get Info" for the .scpt or .app file?

Reason I ask is because I often share scripts that include various Administrator usernames and passwords, which should not be known by the individuals using the scripts.

Yes, I do realize a savvy user could easily open the script in Script Editor, but the get info preview is more glaring and obvious.

Thanks,
-Jeff

Offline

 

#2 2017-06-17 01:22:58 am

StefanK
Member
From: St. Gallen, Switzerland
Registered: 2006-10-21
Posts: 11451
Website

Re: hide a script from appearing in "Get Info" of a File?

In Script Editor

• Choose menu File > Export
• In the dialog check Run-only.

Now nobody (not even you) can open the file in any (Script) Editor.


regards

Stefan

Offline

 

#3 2017-06-17 03:48:13 am

Yvan Koenig
Member
Registered: 2006-09-14
Posts: 3059

Re: hide a script from appearing in "Get Info" of a File?

CAUTION. Even when a script is saved as Run-only, everybody may read the strings embedded in it.
Just a sample:

Applescript:

do shell script "abcdef " user name "BillyTheKid" password "openTheDoor" with administrator privileges

Export it as run-only script or run-only application.
If you export as script, drop the file onto TextEdit's icon.
If you export as application, reveal the content of the application then drop the embedded main.scpt onto TextEdit's icon.
In both cases you will get:

FasdUAS 1.101.10ˇˇˇ˛ˇˇˇ˛ˇ˝ˇ˝ˇ¸
ˇ¸.aevtoappnullÄê****ˇ˚ˇ˙ˇ˘ˇ¯ˇ˜
ˇ˚.aevtoappnullÄê****ˇ˙ˇ˘ˇ¯ˇˆˇı	ˇÙˇÛˇÚ±

abcdef 
ˇˆ
RAun±BillyTheKid
ˇı
RApw	±openTheDoor
ˇÙ
badmˇÛ
ˇÚ.sysoexecTEXTˇˇÄTEXTˇ˜‡·‚„‰ÂeÊascr
˙fifi≠

As you see, the supposedly hidden strings are perfectly readable.

Yvan KOENIG running Sierra 10.12.5 in French (VALLAURIS, France) Saturday 17 June 2017 10:48:03

Last edited by Yvan Koenig (2017-06-17 03:48:55 am)

Online
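A way to run the same check before sharing a script, as an added example that is not part of the original post: it pulls printable ASCII and UTF-16BE runs out of a compiled script's bytes and reports the literal found just after the `RAun` and `RApw` codes visible in the dump above. The sample bytes are constructed and the assumption that a literal starts within a few bytes of its code is mine, not a description of the real file layout.

```python
import re
import sys

# Four-character codes seen next to the credentials in the dump in post #3.
MARKERS = {b"RAun": "user name", b"RApw": "password"}

def extract_strings(blob, min_len=4):
    """Return sorted (offset, text) for printable ASCII and UTF-16BE runs."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii"))
             for m in ascii_run.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-be"))
              for m in utf16_run.finditer(blob)]
    return sorted(found)

def flag_credentials(blob, window=8):
    """Return (label, literal) for the first string just after each marker.

    Assumption (not from the thread): the literal starts within `window`
    bytes of the end of the marker.
    """
    strings = extract_strings(blob)
    hits = []
    for code, label in MARKERS.items():
        for m in re.finditer(re.escape(code), blob):
            near = [t for off, t in strings
                    if m.end() <= off <= m.end() + window]
            if near:
                hits.append((label, near[0]))
    return hits

# Constructed sample, NOT a real compiled script: it only mimics the order of
# the pieces in the dump (command text, RAun + name, RApw + password, badm).
# The password is stored as UTF-16BE to exercise the second pattern.
SAMPLE = (
    b"FasdUAS 1.101.10\x0e\x00\x00\x00\x0f\x00\x07abcdef \xff\xf6"
    b"\nRAun\x00\x0bBillyTheKid\xff\xf5"
    b"\nRApw\x00\x00" + "openTheDoor".encode("utf-16-be") + b"\xff\xf4\nbadm"
)

if __name__ == "__main__":
    # Pass the path of an exported .scpt (or an app's main.scpt) to audit it.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for label, text in flag_credentials(data):
        print(f"{label}: literal {text!r} is readable in the file")
```
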

 

#4 2017-06-17 10:13:24 am

Jeffkr
Member
Registered: 2005-11-05
Posts: 455

Re: hide a script from appearing in "Get Info" of a File?

Exporting as run only is excellent and it addresses the primary issue I was trying to solve. Thank you very much Stefan.

Dropping the script file into Text Edit will reveal various code strings, but that is not as much of a concern (for me at least). - Not saying that a solution to this would be interesting.

Thanks,
-Jeff

Offline

 

#5 2017-06-17 11:53:46 am

Nigel Garvey
Moderator
From: Warwickshire, England
Registered: 2002-11-19
Posts: 4312

Re: hide a script from appearing in "Get Info" of a File?

If you share scripts containing user names and passwords, you deserve to have them discovered. ;) But if the scripts are to be distributed as run only, you can at least obfuscate the string's derivations:

Applescript:

local a, b

-- At run time, calculate the ids of "BillyTheKid" and "openTheDoor" and get the equivalent strings.
set a to {30 + 36, 57 + 48, 17 + 91, 34 + 74, 121.997 div 1, 28 * 3, 407 - 303.0, 47 + 54, 200 * 3 / 8, 10 ^ 2 + 5, 37 + 63}
set b to {3 * 37, 28 * 4, 10201 ^ 0.5, 22 * 5, 37 + 47, 2 + 67 + 35, 299 - 198, 17 * 4, 17 * 5 + 26, 10 ^ 2 + 10 ^ 0 + 10 ^ 1, 114}
do shell script "abcdef " user name (string id a) password (string id b) with administrator privileges


NG

Offline

 

#6 2017-06-17 11:54:25 am

Yvan Koenig
Member
Registered: 2006-09-14
Posts: 3059

Re: hide a script from appearing in "Get Info" of a File?

Quick and dirty way to hide the username and password.

Run this first script:

Applescript:

set liste1 to my encode("BillyTheKid")
set liste2 to my encode("openTheDoor")
{"userName", liste1, "password", liste2}

on encode(aString)
   set characterIDs to text items of aString
   
   set numberValues to {}
   repeat with aChar in characterIDs
       set itsID to id of aChar
       set itsKey to random number from 50 to 100
       set numberValues to numberValues & {itsID + itsKey, itsID - itsKey}
   end repeat
   return numberValues
end encode

The result will be something like:

{"userName", {165, -33, 177, 33, 184, 32, 179, 37, 200, 42, 179, -11, 200, 8, 183, 19, 139, 11, 199, 11, 163, 37}, "password", {199, 23, 191, 33, 162, 40, 192, 28, 176, -8, 192, 16, 171, 31, 150, -14, 199, 23, 176, 46, 209, 19}}

Create the real script in a temporary version:

Applescript:

main()

on main()
   do shell script "abcdef " user name my _("username") password my _("password") with administrator privileges
end main
on _(l)
   set s to ""
   repeat with i from 1 to count l by 2
       set s to s & character id (((l's item i) + (l's item (i + 1))) div 2)
   end repeat
   return s
end _

Replace "username" by the first list returned by the first script.
Replace "password" by the second list returned by the first script.

The script will become something like:

Applescript:

main()

on main()
   do shell script "abcdef " user name my _({134, -2, 155, 55, 206, 10, 159, 57, 181, 61, 137, 31, 163, 45, 195, 7, 148, 2, 197, 13, 190, 10}) password my _({184, 38, 177, 47, 168, 34, 206, 14, 162, 6, 162, 46, 192, 10, 153, -17, 209, 13, 167, 55, 185, 43}) with administrator privileges
end main
on _(l)
   set s to ""
   repeat with i from 1 to count l by 2
       set s to s & character id (((l's item i) + (l's item (i + 1))) div 2)
   end repeat
   return s
end _

Save it.
Open it in TextEdit. You will get something like:

In which it will not be easy to recognize the username and the password.

Yvan KOENIG running Sierra 10.12.5 in French (VALLAURIS, France) Saturday 17 June 2017 18:54:19

Online

 

#7 2017-06-17 01:00:08 pm

Jeffkr
Member
Registered: 2005-11-05
Posts: 455

Re: hide a script from appearing in "Get Info" of a File?

You are correct Nigel, I am not as concerned as it may appear. Nevertheless, these workarounds to mask them with are extremely NICE and I will test and use them. Thank you all very much.

Offline

 

#8 2017-06-18 08:17:20 pm

DJ Bazzie Wazzie
Member
From: the Netherlands
Registered: 2004-10-20
Posts: 2654

Re: hide a script from appearing in "Get Info" of a File?

Yvan Koenig wrote:

CAUTION. Even when a script is saved as Run-only, everybody may read the strings embedded in it.

That's why you write encryptors. Simple math operators can easily be decrypted so you need a public/private key encoding so that even the same username and password is saved differently. Having a plain text or static code is equally dangerous because the op-code of AppleScript is quite easy to read.

Last edited by DJ Bazzie Wazzie (2017-06-18 08:19:18 pm)

Offline
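The remark above about simple math operators, shown on the pair encoding from post #6, as an added example that is not part of the thread: a Python port of that post's two handlers, run over the number lists copied from it. The function names are mine; the point is that the random key cancels out, so decoding needs nothing that is not already in the script.

```python
import random

def encode_pairs(text, rng=random):
    """Port of post #6's encode handler: id c becomes (c + k, c - k)."""
    out = []
    for ch in text:
        k = rng.randint(50, 100)  # the "key" is random and never stored
        out += [ord(ch) + k, ord(ch) - k]
    return out

def decode_pairs(values):
    """Port of post #6's `_` handler: (c + k) + (c - k) = 2c, so k is unneeded."""
    if len(values) % 2:
        raise ValueError("expected an even number of values")
    return "".join(chr((a + b) // 2)
                   for a, b in zip(values[::2], values[1::2]))

# Lists copied from post #6: the encoder's sample result ...
RESULT_USER = [165, -33, 177, 33, 184, 32, 179, 37, 200, 42, 179, -11,
               200, 8, 183, 19, 139, 11, 199, 11, 163, 37]
RESULT_PASS = [199, 23, 191, 33, 162, 40, 192, 28, 176, -8, 192, 16,
               171, 31, 150, -14, 199, 23, 176, 46, 209, 19]
# ... and the lists pasted into the final script.
SCRIPT_USER = [134, -2, 155, 55, 206, 10, 159, 57, 181, 61, 137, 31,
               163, 45, 195, 7, 148, 2, 197, 13, 190, 10]
SCRIPT_PASS = [184, 38, 177, 47, 168, 34, 206, 14, 162, 6, 162, 46,
               192, 10, 153, -17, 209, 13, 167, 55, 185, 43]

def recover_all():
    """Decode every list; different random encodings give the same text."""
    return [decode_pairs(v) for v in
            (RESULT_USER, SCRIPT_USER, RESULT_PASS, SCRIPT_PASS)]

if __name__ == "__main__":
    print(recover_all())
    # A fresh encoding round-trips the same way, whatever keys were drawn.
    print(decode_pairs(encode_pairs("openTheDoor")))
```
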

 

#9 2017-06-20 12:09:01 pm

t.spoon
Member
From: BFE, Massachusetts
Registered: 2013-01-12
Posts: 185

Re: hide a script from appearing in "Get Info" of a File?

I'm getting a bit off-topic here, but thought this might be useful to someone:

I'm in a situation where it's extremely practical to store usernames and passwords in Applescripts. And having those usernames and passwords in the hands of a malicious actor could have devastating consequences.

Our solution to the potential security issues is this:

- Make the scripts containing them accessible via a cloud-synced folder
- Have a metascript that automatically opens scripts with usernames and passwords on a regular basis and changes the usernames and passwords to new random ones, changing them on the related system at the same time.

Thus people can extract the usernames and passwords if they want, but they're not useful for anything nefarious. If they had access to the script to get the username and password, then they already had access to the resource that username and password go to, because the script connects them. (We're only using this for things like connecting to remote volumes where there are not greater privileges to be abused with the username and password than the script itself makes use of.)

When we need to revoke someone's access, then we just revoke folder syncing for the script's folder. It doesn't matter if the user copied the folder and thus still has the script, or if they extracted the username/password, because these things change regularly and the newly changed credentials won't sync to them.

Also, it isn't annoying that the usernames and passwords are constantly changing, because they're only used by the scripts, which sync, so nobody ever has to actually know them / keep track of them.

Last edited by t.spoon (2017-06-20 12:09:36 pm)


Hackintosh built February, 2012 |  Mac OS Sierra
GIGABYTE GA-Z68X-UD3H-B3 | Core i5 2500k | 16 GB DDR3 | GIGABYTE Geforce 1050 TI 4GB
250 GB Samsung 850 EVO | 4 TB RAID
Dell Ultrasharp U3011 | Dell Ultrasharp 2007FPb

Offline

 
