How safe are my scripts in PrimalScript/PrimalForms packages?

This is a question that has come up a lot lately. Our Script Packager used in PrimalScript 2009 and PrimalForms 2009 stores the scripts and additional data files encrypted and in some cases, compressed inside the executable.
Some formats create temporary files and use the original Windows tool to run a script; others execute directly from memory with no temporary files whatsoever.

The table below explains what uses which technique:

Hosting option Encrypted Compressed Execution method
CScript (Windows Script Host) Temp file
WScript (Windows Script Host) Temp file
MSHTA Temp file
Microsoft Windows PowerShell (Command line)   Temp file
SAPIEN Script Host (Windows) Memory
SAPIEN Script Host (Command line) Memory
SAPIEN PowerShell Host (Windows)   Memory
SAPIEN PowerShell Host (Command line)   Memory

The encryption used is a DES derivative that is quick but not unbreakable by today’s standards. We will have higher encryption level versions for government use available soon (send inquiries to “info at”).

For most applications, the encryption prevents any user from simply looking at the executable and seeing the script. Choosing a packaging option with a temporary file execution obviously creates an unencrypted file during the time the script runs and is not a good choice if security is your main concern.

To put this in perspective, your script is safer inside a package (when executed in memory) than any C# or VB.NET code inside an unobfuscated assembly, since most of these assemblies can be converted back into source code with very little effort.

If you have a skilled hacker with a system debugger and administrative access to the computer running the script, it is possible to retrieve the entire script from memory. But if you have that situation happen, you have already quite a number of other problems.

Can we “rescue” your script from a package? If you lost the source code and all you have left is the package you created you can email it to us and we can extract it for you. You need to have a registered license key and email from that registered account.

And no, we will not give you the recovery tool. We guard that thing with our lives and you can’t have it.