Winbatch Vs. AutoIT Security

[Richard Robertson]

Yeah that's right. I forgot about the original topic. >_

Edited August 24, 2009 by Richard Robertson

[WolfWorld]

If a link exists, it can be followed, regardless of whether a runtime is executing or not. Also, if the decompiler were also written in .Net, wouldn't that runtime be executing?

Okay here I will explain fully, Unpacker(as least what I called and some people) can be see as dumpers. They just rawly dump the MSIL code from the assembly. This CAN'T be protected(unless the obfuscater uses native code). It will be dump(and can be) no matter what happens or what ever the obfuscater does.

On the other hand Decompiler uses the dumped code from the unpacker to RECONSTRUCT the C# fully. Which can be read BUT Smart Assembly uses proxy which can be solve at runtime only(for now) and Overflowing the code(Changing the IL order) making reconstructing the C# impossible. Think of this.

If

int i = 123;

Compile to IL (example not real)

COMMAND 1

COMMAND 2

COMMAND 3

But the overflow changes this to

COMMAND 2

COMMAND 1

COMMAND 3

Which can't be reverse back to c# code(for now >_< ) There are more complicate stuff than this.

And "if the decompiler were also written in .Net, wouldn't that runtime be executing?" No, only the CLR will run the decompiler IL and not the cracking assembly. So it will not solve anything.

If your theory is true then you can't decompile a .NET code with a native decompiler with in a machine without .NET

But normal .NET uses reflection to see the class and all. As I explained SA(short) uses proxy therefor it can only see the proxy and not the class(and yes it can see the class if you put some work into it) and !!! IMPORTANT !!!! because of the nature of the proxy once the IL code changes the program will not run. This mean even you use an UNPACKER and change the IL directly it still won't work unless you remove all of the proxy call to the real call.

Also it can overload function that does not have anything in common this make decompiling very... lets say stupid.

All this refer to stealing to code, cracking application (make it free) can still be done with little(more than normal native) work.

Oops, off topic

Edited August 24, 2009 by athiwatc

[Mobius]

While all of this is interesting, I still do not have a clear rebuttal to the WINBATCH assertion that Autoit is less secure then Winbatch because they do a true compile,

This is not true at all, after about 10 minutes interrogation, Winbatch uses a method that is similar to AutoIt3,

In that the original source is packed and encoded to binary archive like format before being injected into the

Desired Stub. shit it even reads this data from a static offset...(*stub dependent* but static none the less)

Nor can the WB stubs be packed intelligently because this data is not classed as an overlay or embedded in the

Resource table.

A couple more minutes interrogation and you will find that all is needed for this binary format to be decompiled

resides in the file WBDHC44I.dll (Required for any WB binaries to work) and a little bit of time and knowledge.

I mean what were they thinking?? Put all your secret functionality inside a dll that can be hooked and used by anyone!! >_<

There I go again, I could not code such a process any better than they so I will STFU.

while AutoIT just attaches the code to an instance of the AutoITruntime.... and the source can be easily read by any scriptkiddie onthe block

There is a great deal of time skill and effort invested in the process of "just attaching the code to an instance of the interpreter "

I suggest unless you are equally skilled to replicate this for yourself (or improve it) you show a little respect for the Author.

Just my POV, not sure if this answers your question.

Edited September 2, 2009 by Mobius

[everseeker]

I suggest unless you are equally skilled to replicate this for yourself (or improve it) you show a little respect for the Author

NO!!!! .... Not my intent to disparage AutoIT... I LOVE AutoIT

I was discussing the attitude of the Winbatch rep... Who was telling me why I should dump AutoIT and use Winbatch...

I was looking to the forum for a good counterargument...

[Valik]

everseeker, if you talk to WinBatch, WinBatch is the best program. If ask on the AutoIt forum, you're going to mostly find that AutoIt is the best program. Rarely will you find somebody objective. That being said, my suggestion is and always has been use whatever language that gets the job done in the way that best meets your goal. If that's AutoIt, great. If not, so be it, I'm no under no illusion that AutoIt is the end-all of languages. Security is just one of the many aspects that you need to look at when designing an application.

[Kealper]

hmmm...if WinBatch compiles using almost the same (if not easier) method, and no one has made a decompiler for it, one could assume that the language just is not good enough to attract the kind of people required to make said decompiler...but im not a good opinion for this, seeing as im biased tword AutoIt

[Mobius]

hmmm...if WinBatch compiles using almost the same (if not easier) method, and no one has made a decompiler for it, one could assume that the language just is not good enough to attract the kind of people required to make said decompiler...but im not a good opinion for this, seeing as im biased tword AutoIt

You really do put the A in Assumption dude.

Here's a thought..... why not try the language for yourself and draw your own conclusions.

As for the WIL vs AU3 security argument.... neither is particularly fantastic.

There, I think that was objective enough.

Vlad

Edited September 2, 2009 by Mobius

[mbkowns]

You really do put the A in Assumption dude.

Here's a thought..... why not try the language for yourself and draw your own conclusions.

As for the WIL vs AU3 security argument.... neither is particularly fantastic.

There, I think that was objective enough.

Vlad

One thing is for sure WinBatch has crappy support. Least AutoIT has this killer forum to go to if you need coding help.

If any of you security buffs use this thread for reference do understand that AutoIT is a much more robust language than WinBatch.