Script Decompilation Poll

[steve8tch]

I have already voted - but now I thought I would add a comment.

I would like to embed local admin passwords in some of my scripts that I need to deploy on my company LAN. Persuading managers to let me do this is easier when there are no circulating de-compilers.

Previously when a de-compiler was included with AutoIt - I was reluctant to embed passwords. (This , frankly, limited some of the time saving work that AutoIt is able to do). More recently I have been happy to do so because I judged the risks as low and this has made AutoIt far more acceptable to be used in company environment.

I wanted to also say something to some of the contributors to this thread. You are all serious users of AutoIt. You all know its strengths and weaknesses. I think the benefits far exceed the known issues, and I think you probably agree - or you wouldn't be using AutoIt.

It doesn't have to stop you asking questions, but sometimes we might need to just accept the answers.

[weaponx]

For the past year I have provided assistance to my fellow forum members, so much in fact that the only scripts I post are to provide resolution for someone elses problem. Perhaps this has desensitized me to the issue at hand.

I run a Windows operating system so I am not some open source evangelist, but I think if you are posting an example script in an effort to "share", the source code should be provided. If you are worried about code theft then you shouldn't be sharing only half way. If someone can take my code and improve upon it I think that's great, just credit me in the release somewhere.

"Scriptual harmony can only be achieved by two complete strangers bantering back and forth endlessly until a developer posts a working solution using only one line of code - the result being forever captured in the Google cache for our ancestors amusement" - Jesus

[SmOke_N]

For the past year I have provided assistance to my fellow forum members, so much in fact that the only scripts I post are to provide resolution for someone elses problem. Perhaps this has desensitized me to the issue at hand.

I run a Windows operating system so I am not some open source evangelist, but I think if you are posting an example script in an effort to "share", the source code should be provided. If you are worried about code theft then you shouldn't be sharing only half way. If someone can take my code and improve upon it I think that's great, just credit me in the release somewhere.

"Scriptual harmony can only be achieved by two complete strangers bantering back and forth endlessly until a developer posts a working solution using only one line of code - the result being forever captured in the Google cache for our ancestors amusement" - Jesus

Again, this has nothing to do with the topic/question at hand. This isn't a "Should source code be provided" thread.

[Valik]

And if anybody creates a "Should source be provided" thread they can expect a ban.

Get back on topic or this thread is going to get larger.

[H5O20H]

I will not vote,because you're basically asking your members "Do you want to see your hard work remade by someone else or not?"

Mouse people use autoit to start from something small,easy-to-learn gaining knowledge very fast.

In my case,I started learning TCP/UDP with Autoit,it took me 2 days to learn and all of my programs that i'm currently selling were made in AutoIt for testing purposes,but here comes the question,why "Were" and not "are"?

Knowing people with "" that much knowledge can get your hard work in source code format ,would you sell your software unprotected?

Those people who voted "I have no special concerns about my script being decompiled." are the type of programmers that I described above.

To @Dev team,

Don't you realize how many programmers you are losing that way?

Here,In this beautiful forum,you may find 90% simple macro scripts and only 10% hard work that make some sense to a well-good programmer.

Why only 10%?

Guys,improve your software not just by changing UPX to armadillo stub(for example) ,but change it's architecture

I highly appreciate what you've done so far on AutoIt ,so even it's unprotected I say "Thank you!"

H5O50H.

Edited June 27, 2008 by H5O20H

[weaponx]

Again, this has nothing to do with the topic/question at hand. This isn't a "Should source code be provided" thread.

Well it does in the sense that I was trying to say if you are worried about IP theft then you should avoid posting something you consider sensitive in a public forum, even if it is compiled in some manner.

I guess I just overlooked the question of decompilation in the "intranet" sense. I have written some scripts that contained admin credentials and I was worried about both inside and outside parties revealing said information.

[CoderDunn]

Hopefully this is on topic

I have considered selling my Radical 2 application if I finish it, and the issue of decompilation has been a reason not to for sure. I have never had to decompile a script.

Because AutoIt has expanded so much, from a simple automation language to a fully fledged programming language for some people, it would be nice to see more security in the compilation of scripts so they can't be (at least easily) decompiled. I apologize, since I don't know much about how AutoIt works, but would it be possible if anything to have the script encrypted before being packed with the executable, then have the AutoIt engine unencrypt the script on runtime? I realize this could slow down the startup time for a script substantially on large scripts, so a switch to enable/disable could be added in the compiler? Again, I don't even know if it's possible.

And a piece of advice for some of the other members:

Think of the solution, not the problem

Just my 2 cents

~ Hallman

Edited June 29, 2008 by Hallman

[Xenobiologist]

Hi @all,

interesting discussion

To cut a long story short, for me and maybe for some other noobs the main question concerning this thread is:

(although this question wasn't intended by the thread owner)

Autoit can be ("easily") decompiled and deobfuscated. (state today 2008/06/27)

So, will Jon and/or the other devs someday think about changing Autoits architecture (kernel) call it whatever you want, to achieve a more secure executable or not?

Regards

Mega

Anybody who is able to answer this question, please do so. Thanks!

Mega

[LarryDalooza]

Anybody who is able to answer this question, please do so. Thanks!

Mega

Will anybody consider implementing a well researched solution ... yes. Will we invest our time (usually $35-$50 per hour) to researching a solution... probably not.

The great thing about AutoIt is that people with great vision and the willingness to sacrifice invested themselves. I cannot ever remember complaining about the shortcomings of AutoIt... but I do remember spending a lot of my highly valued personal and family time overcoming those faults.

So... dig in people... The internet is full of useful code... go find a solution and leave this thread be. Your next topic should be... "Eureka, My solution to the compiled cript security issue!"

Lar.

[James]

The great thing about AutoIt is that people with great vision and the willingness to sacrifice invested themselves. I cannot ever remember complaining about the shortcomings of AutoIt... but I do remember spending a lot of my highly valued personal and family time overcoming those faults.

The amazing thing about AutoIt is the developers themselves. The time they have spent and the work they have put towards us.

Who knows, maybe one day there will be a securer "kernel" and maybe it won't be interpreted, we will have to wait. Who expected what they got from V2 to V3? Not me.

James

[Linux]

hi all! i was reading this topic with a lot of interest.

Like me, a lot of people come to autoit looking for the next language to learn, or looking for the language for the next project.

Im now working in a project that I plan to get some income . The problem is that I can be cracked in a few days. Right now my only concern is that.

I have already donated to autoit. Im not demanding anything. but I think new users will fell more secure with that aspect of autoit isnt a tabu.

Kind regards, Linux

[GEOSoft]

@Linux (and everyone else)

From what I understand these security changes mean a full re-write of AutoIts base code. I don't see that happening until AutoIt4 and I'm not holding my breath waiting for that release. Is a Version 4 being considered? Perhaps? Is it in the works? Possibly. Is there a long list of changes that would be made? Probably, but only if answers to the first 2 questions is yes. AutoIt is what it is. It does the job for most people and it makes absolutly no difference what language you use, there is no such a thing as code which is 100% secure and there never will be. Now can we just quit harping about it? I hope so.

[Xenobiologist]

Will anybody consider implementing a well researched solution ... yes. Will we invest our time (usually $35-$50 per hour) to researching a solution... probably not.

The great thing about AutoIt is that people with great vision and the willingness to sacrifice invested themselves. I cannot ever remember complaining about the shortcomings of AutoIt... but I do remember spending a lot of my highly valued personal and family time overcoming those faults.

So... dig in people... The internet is full of useful code... go find a solution and leave this thread be. Your next topic should be... "Eureka, My solution to the compiled cript security issue!"

Lar.

Larry who complains about what? I just asked a normal question not expecting a change for Autoit - only a good answer.

Why do all people in here have to be so aggressive?

All the thread is about is: Many people would like to have a more secure Autoit executable and now the devs can think about whether it is possible and if they want to put effort into it.

Mega

[Valik]

Larry who complains about what? I just asked a normal question not expecting a change for Autoit - only a good answer.

Why do all people in here have to be so aggressive?

Did you read this thread? Did you see me to tell you guys to stop jumping to conclusions? Do you not comprehend that asking us this question is stupid and pointless?

All the thread is about is: Many people would like to have a more secure Autoit executable

It is? I thought the thread was to satisfy DaveF's curiosity and nothing more than that.

and now the devs can think about whether it is possible and if they want to put effort into it.

Thank you for insulting our intelligence by implying we couldn't possibly have ever thought or discussed this issue without bringing this wonderfully brilliant community into it first.

Seriously. This is retarded it. You people need to learn to COMPREHEND what you read. This thread means absolutely nothing. The results mean nothing. The outcome of this thread will be... nothing. This is no harbinger of change. This is no open forum to discuss ideas on the subject. This is not an invitation to pester with incessant questions that don't need to be asked in the first place. It's not the place to start getting your hopes up. There's no secret agenda. The thread has no more value than face value. And I'm really sick of you people trying to make it more than it is. Read and comprehend what I say or face the consequences for failing to take the initiative to turn your brain on before posting.

[LarryDalooza]

When people prod charitable people to be MORE charitable, or inquire if a charitable entity is likely to be more charitable, it is slightly irritating. Sometimes you can come to a reasonable conclusion, on your own, without being irritating.

Lar.

[Xenobiologist]

Thank you for insulting our intelligence by implying we couldn't possibly have ever thought or discussed this issue without bringing this wonderfully brilliant community into it first.

Valik you must be a funny guy. Nice post!

Nevertheless thanks for having answered my question almost 50 %. You highly likely thought about it and do not share the result. OK

(All I wanted was the result of your discussion.)

Okay, to not quicken your pulse any longer I switch on my brain again and leave this thread alone.

Mega

[system24]

Seriously. This is retarded it. You people need to learn to COMPREHEND what you read. This thread means absolutely nothing. The results mean nothing. The outcome of this thread will be... nothing. This is no harbinger of change. This is no open forum to discuss ideas on the subject. This is not an invitation to pester with incessant questions that don't need to be asked in the first place. It's not the place to start getting your hopes up. There's no secret agenda. The thread has no more value than face value. And I'm really sick of you people trying to make it more than it is. Read and comprehend what I say or face the consequences for failing to take the initiative to turn your brain on before posting.

Whatever we do, decompilers are here to stay.

[tlokz]

I have no worries of decompiling as I do my my work to better something and somebody can take my work and put effort into that and make it better then that just makes it better. Also for people who steal somebodies work and advertise as there own there just sorry and its obvious they lack the brain power to even create something that you have. Lmao to be honest I was wondering why the decompilier that came with Auto-It doesn't work

[NELyon]

I have no worries of decompiling as I do my my work to better something and somebody can take my work and put effort into that and make it better then that just makes it better. Also for people who steal somebodies work and advertise as there own there just sorry and its obvious they lack the brain power to even create something that you have. Lmao to be honest I was wondering why the decompilier that came with Auto-It doesn't work muttley

It "Works" for script made before the ability to compile was removed from Autoit. I.E Scripts made before a certain version can still be compiled with the included compiler. Newer scripts cannot.

[tlokz]

It "Works" for script made before the ability to compile was removed from Autoit. I.E Scripts made before a certain version can still be compiled with the included compiler. Newer scripts cannot.

Ah thanks for the information muttley