My favorite one-line script spy:
tell application "Extra Suites" to set foo to read resource file "path:to:script" type "scpt"
:twisted:
That’s a good one Rob. Maybe it’s time to bring “Script Spy” to OS X. I hope we’re not upsetting everyone who is writing “Run/Only” scripts ;¬)
I thought of bringing SS to OS X but I doubt that I’ll invest the time. I never got much feedback on the pre-OS X version so I assume that it didn’t interest very many people. Regarding those who are writing RO scripts, it’s best that they are made aware of what’s possible, even if it is on a public forum. I think it’s a common misconception that run-only scripts are vault-like and it benefits no one to pretend that this is true.
Sorry, I just had to go re-write some of my scripts…
can be:
for those of us who use the free Satimage.osax and are too cheap for Extra Suites. This doesn’t seem to return as much as “strings”, though.
It’s always good to have this information out there but boy, this was an eye opener.
Jon
When the topic was discussed on the applescript-users list, it was an eye opener for a few people too. I’m sure that there was a considerable amount of scrambling to fix scripts during and after that discussion. Maybe MacScripter needs to plaster a banner all over the web site that says “Run-only might not be what you think it is!”.
One of the reasons for saving scripts as R/O is the file size. A read/only script is considerably smaller than one that’s saved as an editable script. But I guess it’s mainly done to obscure the code fragments.
Thank you all for the great information. It’s good stuff to know for a beginning scripter like myself. I even got desperate and tried ResEdit. I tried various methods in the terminal so this:
strings -a filename/rsrc
will come in handy. I’ll try it out.
By the way, do these two lines of code below do the same thing as the above code? Do I need a specific program for the first one? Obviously the second one is for a program called “Extra Suites”
set foo to load resource 128 type "scpt" from file "path:to:script" as string
tell application "Extra Suites" to set foo to read resource file "path:to:script" type "scpt"
Thanks again for your patience with the newbie.
No problem twitch, the question brought up some great points and great info. The first script…
“set foo to load resource 128 type "scpt" from file "path:to:script" as string”
requires a “Scripting Addition” named Satimage.osax, which needs to be in your “Scripting Additions” folder. btw, the “strings” command needs the file’s extension…
strings -a filepath/filename.ext/rsrc
Thanks again. You rock. Must be because you’re a fellow Texan…heh heh Not having much luck with the Extra Suites code. Not sure of the “path:to:script”
I’ll get the scripting addition. The terminal code worked great but I can’t understand most of what was returned. I’ll post what was returned. I CAN see that it is trojan.
mylisttrojan.0
PowerPlug
entss
PartSIT!
<cpntA
N^NuNV
/<NOTI?<
(_
f
`(/
TO(n
N^NuNV
/<aplt/<scptp!
*(_
g
/
/<
N^Nu
#NuCTo run this script application, you must first install AppleScript.
aplt
FREF
ICN#
APPL
@0@(@<@
@0@(@<@
++++
FasdUAS 1.101.10
starts
.aevtoappnull
****
error_code
hotline_path
alias_path
the_path
the_disk
.aevtoappnull
****
ascr
txdl
null
Finderz
alis
Hard Disk G4
Finder
MacOS
IHard Disk G4:System:Library:CoreServices:Finder.app:Contents:MacOS:Finder
<System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
appf
HTLS
kfrmID
ctxt
rslt
hotline_path
citm
.corecnte****
****
TEXT
alias_path
:Files
the_path
:Users:guest:files
cfol
.coredoexbool
obj
alias_there
the_disk
.miscactv****
****
kocl
insh
prdt
pnam
comments
.corecrel****
null
:comments
desk
cdis
.miscslct****
****
alia
to
sele
Thank you for commenting us
file
error_code
[ZkZ
OeE`
hUO_
!O*a
,FO*j+
)*j+
error_code
myname
rtyp
ctxt
.earsffdr****
afdr
citm
The document
X Could not be opened because the application program that created it could not be found.
ret
Ccould not find a translation extention with appropriate translators
disp
stic
btns
dflt
.sysodlogaskr
****
3Server HD:Hotline Server 1.8.5:Hotline Server 1.8.5
0Server HD:Hotline Server 1.8.5:Users:guest:files
$Server HD:Hotline Server 1.8.5:Files
Server HD
ascr
scpt
spsh
CODE
scsz
NOTI
BNDL
FREF
ICN#
icl4
ics#
"ics4
:hfdr
RTEXT
^SIZE
jWPos
vicl8
ics8
aplt
text edito
Twitch, the first line raises an eyebrow “mylisttrojan.0” the word “trojan” may mean it’s a “Trojan Horse”. Some of the text appears to be looking at the System files “System/Library/CoreServices/Finder.app/Contents/MacOS/Finder.app” Then it looks like it does something with Hotline ( a file sharing app ).
Just from the first line, I would advise you to trash the file. Or at least find out who wrote the script. If your Hard Drive is named “Hard Disk G4” then it was written especially for your machine. In any case, I certainly would not run the script…
I agree. I saw mylisttrojan.0 and figured that was all I needed to know. Luckily it doesn’t appear to have been targeted to my machine. I don’t know who it’s from.
Thanks again. You’ve been great.
I was looking at the results from the terminal again now that I’m more awake…it appears that the script is written to put something into the contents of the Finder app.
Hard Disk G4:System:Library:CoreServices:Finder.app:Contents:MacOS:Finder
<System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
appf
is that possible?
Thanks again.
Yes, it might be possible if permissions don’t get in the way. The Finder, like many modern applications, is a package which consists of files and folders. To see what I mean, control-click on Finder’s icon and choose “Show Package Contents” from the contextual menu.
Warning: Look but don’t mess.
– Rob
Thanks for the reply, Rob. I knew you could look at most apps’ contents, but I don’t think control-click shows the “Show Package Contents” on the Finder app. I thought one might have to go to the terminal for that. I just didn’t want to take the time to find out how. I’m sure it’s a lengthy process. Of course, if it isn’t and someone knows how, I’m all ears…er…um…I mean eyes.
I can control-click the Finder to see the contents. I am the sole user and have admin status so maybe this makes a difference.
Ok I was control clicking on the fake finder and not the actual app.
Whew…
I tried running “strings -a” on a simple R/O Applescript…
tell application "Finder"
end tell
It returns…
HD_Name:System:Library:CoreServices:Finder.app
&System/Library/CoreServices/Finder.app
But it does not return the line…
So that along with the line that read “mylisttrojan.0” is enough to raise suspicion.
With that said, it’s still a good idea not to run a R/O AppleScript unless you know the person who wrote it, or have received the script from a known good source, especially if there is no ReadMe file or any way of contacting the author.
You can also use the “hexdump -C” command on a file. It will return info kinda like what “ResEdit” used to return in OS 9 and earlier.
You’re absolutely right. I was never going to run the script anyway, but I really wanted to know what it would have screwed up if I had.
I tried Resedit on it, but I don’t know a thing about hex
You guys have been invaluable.
Thanks
Thanks Twitch, and to everyone who pitched in on this thread. We were glad to help.
I know it’s a bit late, but here is my debug/opinion anyway…
This is most probably related to a multisegment .sit file, but these lines are a lonely island in the script. I’d say they are not part of the scpt executable code, since they are outside of its headers, but a chunk of a different resource in the same file.
I don’t know if this is a trojan, but I can’t see anything dangerous in the rest of the code. There are no common read/write commands or shell scripts. This is a pre-X applet thought to examine a Hotline Server’s hierarchy. Look to those “:Files” and “:Users:guest:files” which are built after getting the path of the “Hotline Server” through the Finder. It will create a folder called “comments” if it doesn’t exist and will do anything with “path to me”.
Unless I’m missing something of the code, I’d say this is not dangerous.
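Added example (not from any poster in this thread): the manual reading of "strings -a" output done above, as a small Python triage that pulls printable runs out of a compiled script's bytes, decodes the ".xxxxyyyy" AppleEvent tokens, lists path-like literals, and flags the shell and read/write events the last post looked for. The event-name table, the path heuristic and the sample bytes are assumptions made for this example; the sample is constructed, not taken from the file discussed.

```python
import re

# AppleEvent tokens appear in the dump as "." + 4-char class + 4-char id.
# Names below are the usual AppleScript commands for these codes (example table).
KNOWN_EVENTS = {
    "aevtoapp": "run (open application)",
    "sysodlog": "display dialog",
    "earsffdr": "path to",
    "corecrel": "make",
    "coredoex": "exists",
    "sysoexec": "do shell script",
    "rdwrread": "read",
    "rdwrwrit": "write",
}
# What the thread's last post checked for: shell execution and file read/write.
RISKY = {"sysoexec", "rdwrread", "rdwrwrit"}

EVENT_RE = re.compile(r"^\.([A-Za-z]{8})")
PATH_RE = re.compile(r"[:/]\w")  # heuristic: an HFS or POSIX separator before a name


def extract_strings(data, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes, like `strings -a`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Sort extracted strings into event codes, path-like literals and risky events."""
    report = {"events": [], "paths": [], "risky": []}
    for s in extract_strings(data):
        m = EVENT_RE.match(s)
        if m:
            code = m.group(1)
            report["events"].append((code, KNOWN_EVENTS.get(code, "unknown")))
            if code in RISKY:
                report["risky"].append(code)
        elif PATH_RE.search(s):
            report["paths"].append(s)
    return report


# Constructed sample bytes (not from any real file), shaped like the dump above.
SAMPLE = (
    b"\x00\x01FasdUAS 1.101.10\x0e\x00\x00.aevtoappnull\x00\x80\x00"
    b"\x0bhotline_path\x00\x00:Users:guest:files\x00\x02"
    b"Hard Disk G4:System:Library:CoreServices:Finder.app\x00"
    b".sysodlogaskr\x00\x01\x00.sysoexecTEXT\x00\x07"
)
```

Call triage() on the bytes of the file's resource fork or data file. An empty "risky" list only means none of the listed tokens appeared as plain strings; it does not show that the script is safe to run.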