Learn how to a build a cloud-first strategyRegister Now


protecting decompiling of ocx  in browser

Posted on 2010-01-01
Medium Priority
Last Modified: 2013-12-13
easy 500..
- ocx running as anActiveX in a browser environment.
- code was written in delphi
- I can check that indeed the ocx is running within the browser, and thus stopping execution is needed.

Just to know that im not wasting my time:

1. can a decompiler execute a specific ocx while its running in a browser?  
2. can a decompiler somehow bypass that check?

Question by:controlr
  • 5
  • 3
LVL 12

Expert Comment

ID: 26160474
The COM/ActiveX structure doesn't provide any native methods to prevent another application from using it's exposed methods.A decompiler isn't even required - any application can run it if it tried.

You *could* pass a value to your ActiveX object so that it verifies it is being used form a web page. However, the "activation" code would be viewable in the HTML source code (it can be obfuscated in HTML source, but that's it).

Alternatively, your ActiveX code could perform a check to verify it was actually running within a web browser. However, a smart program could just send the same signals as an actual user to the web browser. Without knowing what your code actually does and what  needs to be protected, I' m not sure how much useful information could be provided.

Author Comment

ID: 26160483
I am doing a check that indeed its running in a browser.
its ok  that another program assimilates a browser and has access to the public methods, but..
could someone actually decompile it to see the underlying code behind the functionality?
that is my main concern as there is secure encryption algorithms we are protecting in private scope  (so its not suppose to be visible to browser or anything that can close a browser)

Author Comment

ID: 26160486
*clone a browser
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

LVL 12

Expert Comment

ID: 26160532
It's always possible to disassemble the compiled code, and a good mASM programmer can then read how it works. This can be obfuscated, but never 100% protected - even Microsoft's, Adobe's, etc. protection mechanisms have been broken by users that saw what the code was doing via assembly. Nothing is 100% protected.

There are a few very basic decompilers for delphi, but nothing particularly significant. Language-neutral decompilers are even more limited. I wouldn't be particularly concerned about these.

As for the source code - no, ActiveX components are compiled code. It would need to be actually decompiled (see above) to even see pseudo-similar code. That said, a smart mASM programmer could theoretically see what your code was doing and generate an identically functioning algorithm. Unless this is for military-grade protection or wide-scaled usage, I wouldn't be concerned about it as it takes a very large amount of knowledge and experience to be successful.

If you do need added protection, PKI technologies may add a great deal of complexity to understanding how the code works, but the benefit is small compared to the amount of planning/coding and resource overhead involved.

Author Comment

ID: 26160667
your coment is great. i we are just about done here..
Assuming someone is using dede.. (for delphi) I know that it can not handle some opcodes supported in delphi2009/2010 so i guess i can use that so it wont allow decompile. i also know that dede has a problem with units that are not connected to main form.
Having said that.. if someone was to try to dissassemble on a none-delphi compiler.. would they be able to see the actual code?
again, im not worried about someone looking in asm and seeing generally what it does.
LVL 12

Accepted Solution

geowrian earned 2000 total points
ID: 26160721
No, they would not be able to see the source code or a similar equivalent on a generic decompiler. They can mostly interpret basic math operations, conditionals, and loops, but with anything slightly more advanced they fail at making anything remotely similar to the original code. In the future this may change as they develop better decompilers, but it will likely be some time until anything practical is created.

Newer languages that use interpreters and VMs and such are another story. For instance, any .NET language or Java class can usually be "decompiled" extremely well. ALso, reading IL or bytecode is much simpler than mASM.

Author Comment

ID: 26160732
thnks so much. looks like we are safe (for now) as its pure delphi. there is no .java nor net at all in this project.
Happy new year

Author Closing Comment

ID: 31671909
great turnaround time

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Have you ever run into that annoying problem where the computer won't boot?  Wouldn't it be great if you had a tool that would make that disk boot again?  I have found one tool that works more often than not ...
If something goes wrong with Exchange, your IT resources are in trouble.All Exchange server migration processes are not designed to be identical and though migrating email from on-premises Exchange mailbox to Cloud’s Office 365 is relatively simple…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question