AutoIt Secure Compilation


34 replies to this topic

#1 Koshy John

Koshy John

    koshyjohn.com

  • Active Members
  • 461 posts

Posted 24 July 2007 - 12:00 PM

This is with regards to the 'problem' of being able to decompile scripts even if they are password protected. Here are a few of my thoughts:

1. To start off, support for the decompiler can be completely removed (so that when developing more secure compilation techniques this won't have to be kept in mind). People who are careless enough to lose their code don't really deserve to have it. You don't see C++ developers complaining about being unable to decompile their programs (I know why you can do it with autoit but not with C++ compiled exes, don't start on this)... They just accept the reality and move on.
2. Instead of attaching the script per se into the executable, the obfuscator or something of that sort can be added to the main compilation executable itself right?
3. Or at least do what Java does, compile it into some form of bytecode...
4. Or maybe do what the AutoIt engine does at runtime and replace the statements in the script with the actual code used, so you get a proper executable instead of extracting the script into RAM and interpreting it.

I know that the bytecode type thing is not something that can be done overnight, but hey maybe some day years from now, if work was started in this direction...

On the performance front, maybe the compiler can remove variables and functions (from the includes) that are not used in the program. Maybe even do a basic syntax check, so that simple errors like a bracket missing don't turn up at runtime.
Visit: www.KoshyJohn.com. Major projects: neoSearch - DiskMax







#2 Richard Robertson

Richard Robertson

    Universalist

  • Active Members
  • 10,333 posts

Posted 24 July 2007 - 01:16 PM

Until tokenization makes it into the compiler, the "bytecode" won't happen.

Au3Tidy takes care of syntax checking.

Thousands of users have asked for compilation versus interpretation. These questions have been asked countless times before.

#3 Jos

Jos

    Je maintiendrai

  • Developers
  • 23,443 posts

Posted 24 July 2007 - 02:10 PM

@Richard,
Not sure what you are trying to tell us but:

Until tokenization makes it into the compiler, the "bytecode" won't happen.

Did you discuss this with Jon in the background or something ?

Au3Tidy takes care of syntax checking.

I only know Au3Check and Tidy ... new program? :whistle:

Edited by JdeB, 24 July 2007 - 02:10 PM.

Visit the SciTE4AutoIt3 Download page for the latest versions | Forum Rules
 
Live for the present,
Dream of the future,
Learn from the past.
  :)


#4 Koshy John

Koshy John

    koshyjohn.com

  • Active Members
  • 461 posts

Posted 24 July 2007 - 02:18 PM

@Richard,
Not sure what you are trying to tell us but:
Did you discuss this with Jon in the background or something ?
I only know Au3Check and Tidy ... new program? :lmao:


And where is this leading...
Are these features even being considered?
Sometime in the future.. in a galaxy far far away... ?
:whistle:

#5 Jos

Jos

    Je maintiendrai

  • Developers
  • 23,443 posts

Posted 24 July 2007 - 02:22 PM

And where is this leading...
Are these features even being considered?
Sometime in the future.. in a galaxy far far away... ?
:lmao:

It is up to Jon to define the future of AutoIt3 and what is "in" or not.
Ideas are tossed around but leave it to Jon to tell the community what the directions are..

:whistle:


#6 Jon

Jon

    Up all night to get lucky

  • Administrators
  • 10,630 posts

Posted 24 July 2007 - 02:24 PM

True compilation will never happen - I'm just not that clever. I've been pondering a sort of bytecode in the compiler, but there are some challenges there too (such as how to handle #directives, and different versions of .a3x files). It's all just thoughts atm though.

#7 Koshy John

Koshy John

    koshyjohn.com

  • Active Members
  • 461 posts

Posted 24 July 2007 - 02:25 PM

It is up to Jon to define the future of AutoIt3 and what is "in" or not.
Ideas are tossed around but leave it to Jon to tell the community what the directions are..

:whistle:


He's done an excellent job all these years!
Let's hope he's inclined to take this route when it's time to make the decision...

True compilation will never happen - I'm just not that clever. I've been pondering a sort of bytecode in the compiler, but there are some challenges there too (such as how to handle #directives). It's all just thoughts atm though.


True compilation is possible but just beyond your reach at the moment? I'm translating it as if you had a dedicated team physically with you and you had a reasonable amount of resources, you'd be able to do it.... ?

All the best with the byte code part though... A lot of people will welcome that with open arms... I know I will..

Edited by Koshy John, 24 July 2007 - 02:28 PM.


#8 MHz

MHz

    Just simple

  • MVPs
  • 5,737 posts

Posted 24 July 2007 - 03:33 PM

1. To start off, support for the decompiler can be completely removed...

Way too late to ask for now. If the included decompiler is removed from the AutoIt installation then users will use the hacked versions. So removal now of Exe2Aut would do more damage than leaving it in.

#9 Richard Robertson

Richard Robertson

    Universalist

  • Active Members
  • 10,333 posts

Posted 24 July 2007 - 04:49 PM

No, Jon and I have not been talking in the background. Jon himself has mentioned publicly on the forum something about tokenization in the compiler, and his inability to do it yet.

#10 Koshy John

Koshy John

    koshyjohn.com

  • Active Members
  • 461 posts

Posted 25 July 2007 - 05:16 PM

Way too late to ask for now. If the included decompiler is removed from the AutoIt installation then users will use the hacked versions. So removal now of Exe2Aut would do more damage than leaving it in.


What I meant was... not creating a decompiler for a subsequent version (which cannot be decompiled using existing decompilers)... what I'm reasoning is that the hacked decompilers are derivatives of the legitimate decompilers in different versions of the AutoIt installation... If a newer version of the executable with a slightly different layout was introduced and a decompiler for it was never made, it would be that much harder for a busy-bee to come up with a (hacked) decompiler...

Maybe even stating in strong terms in the EULA that creating a decompiler would not be tolerated, would leave a legal course of action open to Jon... I am not saying he will/should do it but it's always wiser to leave options open... This is not of much significance now.. but as the autoit community grows, it would be a big turn off for a newcomer to see his/her code ripped off...

What I am saying is that very few people are bothered by the hacked decompiler thing now, but it will eventually hinder the acceptance of this fine language... And the time to plan for such an eventuality is now... Just my honest opinion as a long time autoit scripter...

#11 Zephir

Zephir

    Prodigy

  • Active Members
  • 184 posts

Posted 25 July 2007 - 05:22 PM

Agree with first post.
I've seen a poll on that issue just a few hours ago...

#12 GEOSoft

GEOSoft

    Sure I'm senile. What's your excuse?

  • MVPs
  • 10,573 posts

Posted 25 July 2007 - 05:46 PM

The whole decompiler issue is an old one that has been getting hashed around for about 3 years now with a split on those in favor and those against having one.

George

Question about decompiling code? Read the decompiling FAQ and don't bother posting the question in the forums.
Be sure to read and follow the forum rules. -AKA the AutoIt Reading and Comprehension Skills test.
*** The PCRE (Regular Expression) ToolKit for AutoIT - (Updated Oct 20, 2011 ver:3.0.1.13) - Please update your current version before filing any bug reports. The installer now includes both 32 and 64 bit versions. No change in version number.
Visit my Blog .. currently not active but it will soon be resplendent with news and views. Also please remove any links you may have to my website. It is soon to be closed and replaced with something else.
"Old age and treachery will always overcome youth and skill!"

#13 Zedna

Zedna

    AutoIt rulez!

  • MVPs
  • 8,794 posts

Posted 25 July 2007 - 07:06 PM

I've been pondering a sort of bytecode in the compiler, but there are some challenges there too (such as how to handle #directives, and different versions of .a3x files). It's all just thoughts atm though.


Jon, this will be a GREAT step in AutoIt's lifetime if it happens someday.
I wish you good luck in solving problems related to this.
I'm looking forward to that.

#14 Jon

Jon

    Up all night to get lucky

  • Administrators
  • 10,630 posts

Posted 03 August 2007 - 08:40 AM

Almost got this working (tokenized compiling). Just some fatal bugs to iron out :)

It will still be possible for someone to write a decompiler - just way way more difficult. And if they do it won't be "pretty" output at least.

#15 Richard Robertson

Richard Robertson

    Universalist

  • Active Members
  • 10,333 posts

Posted 03 August 2007 - 02:51 PM

If they are bothering to decompile it, they want the workings, not the pretty code.

Nice new image in your signature by the way Jon.

#16 Bot

Bot

    Wayfarer

  • Active Members
  • 61 posts

Posted 04 August 2007 - 01:49 PM

Use the SoftwarePassport by Silicon Realms and you will never be concerned about unauthorized decompiling :)

#17 Koshy John

Koshy John

    koshyjohn.com

  • Active Members
  • 461 posts

Posted 25 August 2007 - 03:41 PM

Use the SoftwarePassport by Silicon Realms and you will never be concerned about unauthorized decompiling :)


Exe2aut has finally been removed from AutoIt... As per the latest version: 3.2.6.0
Thank you Jon!!!

psst: have you implemented bytecode like functionality fully... not that it'd make any difference to me at the scripting level... but just curious since you once said you were nearly done with it... and you were just ironing out some problems...

#18 fowmow

fowmow

    Wayfarer

  • Active Members
  • 52 posts

Posted 26 August 2007 - 03:24 AM

I am just wondering the general thoughts or motives of everyone on this matter. If you want something compiled to bytecode or whatnot, why not just use Visual Basic? Or are we attempting a freeware Visual Basic?

I personally think this is a move in the wrong direction. I have already seen the general opinion of AutoIt on security forums and the like. Making the signature of a file even more difficult to read just seems a little... I do not know... counterproductive maybe?

I realize a lot of people love AutoIt and want to make commercial programs with it or perhaps sincerely just want to hide its source, but hiding what an automation language is doing is a sure way to get someone to label this movement incorrectly.

So, in the newest version then are our wrapped EXEs no longer able to be decompiled or is it just that Exe2Aut is gone? If the compilation is different, I will be sticking with my 3.2.4.9 version. I have no intentions of offering closed-source software.

Just my preference.

NOTE: Wait a second... I just downloaded the latest (regular) version. Exe2Aut *is* there. What am I missing?

#19 Fossil Rock

Fossil Rock

    ASCII a stupid question,… get a stupid ANSI.

  • Active Members
  • 1,084 posts

Posted 26 August 2007 - 04:45 AM

NOTE: Wait a second... I just downloaded the latest (regular) version. Exe2Aut *is* there. What am I missing?


Note: Only 3.2.5.1 and earlier compiled scripts are supported.

Agreement is not necessary - thinking for one's self is!

#20 Koshy John

Koshy John

    koshyjohn.com

  • Active Members
  • 461 posts

Posted 26 August 2007 - 04:55 AM

I am just wondering the general thoughts or motives of everyone on this matter. If you want something compiled to bytecode or whatnot, why not just use Visual Basic? Or are we attempting a freeware Visual Basic?

I personally think this is a move in the wrong direction. I have already seen the general opinion of AutoIt on security forums and the like. Making the signature of a file even more difficult to read just seems a little... I do not know... counterproductive maybe?

I realize a lot of people love AutoIt and want to make commercial programs with it or perhaps sincerely just want to hide its source, but hiding what an automation language is doing is a sure way to get someone to label this movement incorrectly.

So, in the newest version then are our wrapped EXEs no longer able to be decompiled or is it just that Exe2Aut is gone? If the compilation is different, I will be sticking with my 3.2.4.9 version. I have no intentions of offering closed-source software.

Just my preference.

NOTE: Wait a second... I just downloaded the latest (regular) version. Exe2Aut *is* there. What am I missing?


I prefer AutoIt over Visual Basic, coz you can do more powerful things in AutoIt with fewer lines of code... the abstraction is what makes it easier... because of this a single person can create programs that would have normally taken a team to create and support... my point of view...

I'm not very familiar with how compiling different scripts changes the signature of the executable. I was under the impression that the signature of the executable stub is the same signature for all AutoIt compiled scripts unless the author hexedited the stub... enlighten me coz I've never had to venture into the details of the file signature before...

Exe2Aut is gone (and only scripts compiled with stubs up to v3.2.5.1 can be decompiled henceforth.. everything beyond that will not be decompilable because of some changes in the compilation process (I'm fairly certain that there are significant changes, from reading past threads))... You still see exe2aut because you *probably* installed it over your previous installation of AutoIt (the exe2aut file is probably from the previous installation)... Try uninstalling and then reinstalling.. you'll see that it's gone... and the fact that exe2aut has indeed been removed is listed in the version history of the file...

You do not automatically become closed source by switching to the latest version... you can just combine the exe and script into a single zip file for distribution... it's a little inconvenient, I do agree, but the benefits of moving along with the latest version cannot be denied...

Edited by Koshy John, 26 August 2007 - 06:16 AM.
