Sign in to follow this  
Followers 0
BubbleGumDancer

security harden autoit source

12 posts in this topic

Hello : )

I love autoit but one feature I dont quite like so much is that the end user of the script can view the source code. If I compile the au3 to exe then they can just decompile it and boom theres the source code. I need a method of making sure the user of the script has no way of accessing the source code so it does not get modified. So this is what i have come up with so far after much brain things:

I need the script to do this:

encrypted data source code -> password input by user -> file is decrypted -> decrypted file is autorun -> user exits script -> file is deleted and wiped off computer

Is there a way that you can have the decrypted document run but not saved to the computer itself so if the file is deleted the end user cant decompile it after recovering the file.

Basically a launcher that just decrypted documents where the document cannot be saved to the computer so when you want to run the script again it must be decrypted again.

any suggestions or ideas?


If you were twice as smart, you'd still be stupid.

Share this post


Link to post
Share on other sites



You cannot decompile an AutoIt Source code with the native decompiler, I am not so sure about other decompilers out there. If you want more security, you could use the obfuscator.


Share this post


Link to post
Share on other sites

You cannot decompile an AutoIt Source code with the native decompiler, I am not so sure about other decompilers out there. If you want more security, you could use the obfuscator.

If the file cannot be decompiled could i just make the program exe read an ini file to change vars in the exe that i cant open it up to edit it?


If you were twice as smart, you'd still be stupid.

Share this post


Link to post
Share on other sites

The EXE file is easily decompilable . And the obfuscator doesn't help.

It is just the nature of the script language.

You can secure your work by using 3rd party wrappers - which are paid.

But if someone experienced wants your source code badly enough - nothing can help.

Share this post


Link to post
Share on other sites

The EXE file is easily decompilable . And the obfuscator doesn't help.

It is just the nature of the script language.

You can secure your work by using 3rd party wrappers - which are paid.

But if someone experienced wants your source code badly enough - nothing can help.

There's not a single line in that post that doesn't make me think your an idiot.

EASILY decompiled? And have you ever looked at obfuscator code and tried to figure out what it was doing? And then you say you CAN secure your work and turn around and say but if someone really wants it then NOTHING can help.

Share this post


Link to post
Share on other sites

There's not a single line in that post that doesn't make me think your an idiot.

EASILY decompiled? And have you ever looked at obfuscator code and tried to figure out what it was doing? And then you say you CAN secure your work and turn around and say but if someone really wants it then NOTHING can help.

First, there are unofficial decompilers out there in the wild that will decompile AutoIt programs.

Second, even the author of Obfuscator tells you that it isn't foolproof isn't 100% safe if you want to keep your code from someone. Anything that can be scrambled can usually be descrambled if it has to be able to still run correctly after the scrambling.

If someone is determined enough to get at your code, as far as AutoIt goes, there's really nothing that stops them 100%. They may not get the exact same variable or function names as you used, but they don't need those, they just need the structure.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

Unofficial decompilers are rarely advertised and hard to find, I haven't searched for one myself but it's not something I'd expect to find on the 1st several google search result pages. And making one yourself would be very difficult. This is why I capitalized easily.

As for obfuscator code. With only the structure and generic variables it is almost impossible for a human to follow what the programmer is trying to do. There are usually 100s of ways to do the same thing, and without some reference to what is being done or how it is being done, you will drive yourself crazy. Believe me I used to think with determination it could be done, but I tried for days on an obfuscated flash source code and quickly changed my mind. And if your just trying to get a computer to read the source what was the point anyway? The only reason to have the source code it to either change it or understand it so if you cannot manually read and understand it then it us useless. It may be possible on small programs but the larger it gets, and the more variables you use, the harder it becomes.

Share this post


Link to post
Share on other sites

Unofficial decompilers are rarely advertised and hard to find, I haven't searched for one myself but it's not something I'd expect to find on the 1st several google search result pages. And making one yourself would be very difficult. This is why I capitalized easily.

I found several references for them when I looked just now.

As for obfuscator code. With only the structure and generic variables it is almost impossible for a human to follow what the programmer is trying to do.

Structure IS what a programmer is trying to do, the structure of a program determines how it will run and what it will do while running and in what order. But you're talking about looking at the obfuscated code directly, all you'd have to do is unobfuscate it and look at THAT code to see what it does. Even following the obfuscated code shouldn't be that hard to follow if you know how the language works, it's actually pretty simple, just time consuming.

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

Its obvious to me you have never tried it. I thought this way once. Give it a shot reading code with generic named variables and strings replaced with more generic named variables. etc. there is no way to unobfuscate something with variable replacement since the code actually runs as is but it just makes understanding it a million times more difficult. Seriously... try it on something half way decent in size and complexity, then talk. Don't try it on something easy, if it were easy then there would be no reason to hide it because anyone could write the code themselves.

Share this post


Link to post
Share on other sites

#11 ·  Posted (edited)

ShawnW, just because you can't do it, doesn't mean nobody else can. Unless, you're claiming to be the smartest person ever.

Case in point, there exist people who reverse engineer true compiled code out there. That's in assembly, bub. All they need are operations, values, results and time. Hence the statement: "If someone is determined enough and has the skills, you're SOL."

You're just stuck on variable and function labels, which only exist for readability purposes for humans. Reverse engineering focuses on how data is manipulated and what the data actually means or stands for.

Edited by omikron48

Share this post


Link to post
Share on other sites

One last point and then I'm going to drop this line, because omikron48 said it as well as I could have. Take ANY obfuscated script and run it with the AutoItDebugger. You will QUICKLY learn it's structure and program flow. Will it be easy to duplicate from that, probably not easy for many including myself because I've only been using AutoIt3 for about a month or so now. But for someone like Smoke'N or Valik or Jos, (not leaving anyone out on purpose, just didn't want the list to go on forever.) I'm sure they could duplicate the script functionality pretty easily.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0