Appendix E. The Script Encoder

The Script Encoder, screnc.exe, is a command-line utility that encodes script, including the script embedded in HTML page, ASP pages (including incline ASP script), and .wsf scripts for the Windows Script Host. The encoded script, rather than the original source code, is then decoded and executed when the script is run. Using the Script Encoder to encode script offers two advantages:

Source code protection

Ordinarily, script is plainly visible to prying eyes. Client-side script in particular can be inspected by anyone who requests a web page. Although both ASP and WSH scripts are accessible to a smaller number of users, they nevertheless can be read by anyone with access to the system on which they reside. By encrypting the code, the Script Component renders it illegible.

Security

Not only can scripts be viewed, but in some cases they can even be modified. Once a script is encoded, however, any further modification renders it inoperable. By permitting scripts to be encoded, the Script Encoder has two objectives:

• Stop casual inspection and modification of a script.
• Provide a legal recourse, should inspection or modification take place.

At the same time, it is important to recognize that the script encoder is not cryptographically strong; encoded scripts can be unencoded very easily (and unencoders are readily downloadable from the Internet). The Script Encoder ultimately offers the same level of minimal protection as locking a car provides to its contents. It mitigates casual inspection of code, but should not be used to protect valuable or sensitive information like passwords.

The Script Encoder can successfully encode most scripts written in VBScript. An exception, however, is script written for Outlook forms, in part because their script is not stored in standalone script files, and in part because Outlook forms support only one language, VBScript, whereas from the viewpoint of the host, encoded script is a separate language: VBScript.Encode. In addition, problems arise when using encoded script on Far East operating systems. In particular, it is possible for collisions with DBCS characters to occur, causing the encoded script to be incorrectly decoded. As a result, the Script Encoder should not be used if a script is ever going to be run on a Far East operating system.