Is AutoIt less/more prone to reverse engineering?

[LWC]

The FAQ states there are unofficial decompilers for newer versions, and even an official decompiler for older versions.

But the FAQ doesn't compare this situation to C++ and Visual Basic. Are their EXE files easier or harder to decompile?

Thanks!

Edited August 18, 2010 by LWC

[Juvigy]

C++ is harder to de compile.

[LWC]

Any particular reason?

And how does Visual Basic compare to AutoIt?

[Ascend4nt]

AutoIt doesn't actually compile, not even to byte-code. The 'compiling' that takes place is simply combining the AutoIt interpreter code with the script. Hence, AutoIt is pretty much a freebie for anyone that wants the script/code.

[LWC]

And Visual Basic vs. C++?

P.S.

How do people know something is made by AutoIt in the first place?

Edited August 18, 2010 by LWC

[Richard Robertson]

AutoIt executables all have the same code in them. It's a resource that changes.

Visual Basic relies on a runtime and all the calls to said runtime are traceable using analytical techniques.

C++ compiles to machine code so the most accurate decompilation will give you assembly code. It's nearly impossible to get the original C++ code due to optimizers, compressors, and different compiler options.

[XKahn]

@LWC:

The issue of disassemblers is no more or less an issue than using any other language. If someone wants to crack your code then they will do so no matter what you use. I believe your issues are valid, no one wants people to hack their code any more than one wants people to break into their houses. If your issue is internal security, then you might want to consider hiring a firmware company.

However, if you are just trying to get a handle on what language you desire to learn, you might want to consider some pros and cons of ALL languages. Over the countless years I have many tucked under my belt. I remember the Turbo C vs Turbo Pascal wars. Many programmers flaming each other over FIDOnet for no real valid reason. I learned both and I am better for that experience. I can tell you that AutoIt is a much easier learning curve compared to C++ or other high end languages. The old argument ends with just write your code using MASM32.

If you are just poking around trying to find flaws with AutoIt, then don't bother. There are critical flaws in all programming languages, since humans aren't perfect why should we expect the things we create to be perfect? But it's not like some child will dump your code into a hex editor and yank it out. In the end you have to ask yourself what you want to use and my opinion doesn't even matter.

[LWC]

If someone wants to crack your code then they will do so no matter what you use.Isn't there a huge contradiction there? Even if AutoIt is so much easier, should I use a language that's so "decompilable"? If both your statements are true, than it would take the NSA to decompile C++ while any script kiddie could decompile AutoIt. Edited August 19, 2010 by LWC

[Tvern]

To my knowledge you there is no real way to retrieve the original C code (extremely short programs might be possible), but it is often not needed if the goal is just to disable the security, or add some extra code.

Look at it this way: If a book is translated to japanese and someone makes a summary for a book report, it won't be possible to get the original english text from that. You could easily add some text to the summary though. (provided you know japanese)

With autoit the script is in the executable and as such "easy" to extract, but the extracted script will be one big file, with all includes added in line, all markup, comments and unneeded whitespace removed, making it had to understand.

Furthermore if you run obfuscator when compiling, the resulted script will look like garbage and it would take a very skilled, or patient man to get any sort of understandable code from it.

For the most part AutoIt seem to be secure enough, but it all depends on what you are making with it:

* Your program will probably not be as interesting to crack as, for instance, an OS everyone uses.

* Your program will probably not cost an amount of money people lose sleep over.

* Your program may be used for commercial use only, companies use less cracked software than average.

* Unlike for instance PC games everyone knows will be broken pretty much the moment they release, if your security is broken, there is a good change no one will notice.

If you want an easy to use language for windows to make a tool allot of people will benefit from, AutoIt is generally a great choice.

If you're planning on writing something that's going to be big and well known, there are allot of other reasons to choose another language. (OS compatibility and performance for instance)

Edited August 19, 2010 by Tvern

[trancexx]

There are obviously differences with languages as stated in above posts.

With c(++) situation is that there is absolutely no way of retrieving the source. That's impossible due to a nature of the compiling process. What can be done is analyze binary (machine code) and construct the opcode out of sequences. After that it's only imagination. This is because two different sources can compile to completely same binary.

With AutoIt there is no real compilation involved. The result of that kind of compilation is encoded, compressed binary data attached to interpreter. There are rumors that people can retrieve that binary and even decode and decompress it. That probably ends with .au3 file generation - script.

How to prevent decompilation?

Regardless of the answer to that question, you shouldn't even try.

Main purpose of decompilation is not to retrieve the source, it's to get knowledge of the internal workings of some application.

That saying I'm giving the answer to question how to protect your self. Use condoms. Use obfuscators.

That also means that it's safer to have obfuscated AutoIt script than plain c++ application. Safer in means of protecting the principles of working.

Most people who think they know something about this theme wouldn't agree with me. That's because I know better than them.

- condoms was a joke

[Tvern]

That also means that it's safer to have obfuscated AutoIt script than plain c++ application. Safer in means of protecting the principles of working.

I wouldn't have thought so.

Most people who think they know something about this theme wouldn't agree with me. That's because I know better than them.

That's probably true in my case

[LarryDalooza]

AutoIt is akin to .NET in security and consideration should be given to obfuscating your code.

Lar.

[XKahn]

Isn't there a huge contradiction there? Even if AutoIt is so much easier, should I use a language that's so "decompilable"? If both your statements are true, than it would take the NSA to decompile C++ while any script kiddie could decompile AutoIt.

I don't need the NSA to decompile C++, of course I won't have the C++ "source code" but I will have the code to reprogram. Anything can be reverse engineered. This sounds more like you came in here to poke AutoIt with a stick. There is a word for this behavior. I have no time to spend on forum Trolls. AutoIt is a fine scripting language and anything you decide to write, wouldn't be under attack. The first thing a hacker must find out is what language you used to write your program. Did you plan to advertise? Because it sounds like you are waving the C++ banner.

Now I could be wrong about you but I suspect you wanted someone to just pop in here and say, "Sure it's a breeze and here is how you do it; Step A, B, C..." No one is going to hand you the process, if you believe it is so easy then do it yourself and prove me wrong. It is not an easy process for a kiddie to decompile an AutoIt compiled script.

Like I said, I could be wrong about you and if I am then I sincerely apologize.

[LWC]

I just came here to debate what should I use. I don't even know C++. People could be good, you know. :-)

Edited August 22, 2010 by LWC