hell0we

how secure are compiled to executables


Hi everyone,

Sorry if this sounds basic, but we all start off as n00bs sometime :x.

I want to use a script to use the RunAs feature of AutoIt to run some commands as the local admin of a group of computers.

My question is, how secure is the password saved in the script when the script is compiled to exe? Can the script be reverse engineered to gain access to the password?

runas ("admin","testpc","admintest",0,"c:\windows\system32\notepad.exe")




hell0we,

Welcome to the Autoit forum. :x

Searching the forums will provide you with a lot more information in greater detail, but in brief:

- Your plain language script is within the compiled .exe, but in compressed form. It is not immediately viewable with a hex editor, but is by no means secure as it is expanded in memory when the .exe is run.

- Obfuscator (part of the full SciTE4AutoIt3 package) will obscure your script by changing variable and constant names (and a lot more!), which makes it harder to decompile but again does not render the .exe secure.

So, compiling an AutoIt script will prevent quick snooping, but a determined, experienced hacker can relatively easily get your source - including passwords, specific filenames, etc - or the encryption routines you have used in your script to encrypt/decrypt them if they are stored in another file.

Probably not what you wanted to hear, sorry! :P

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind.

My UDFs:

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area
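
As an added example (not part of the original posts and not an AutoIt tool): because the compiled .exe carries the script text, a check over the .au3 source before compiling can flag `RunAs`/`RunAsWait` calls whose password argument is a string literal or a variable assigned one. The function names and the sample script are constructed for illustration; line continuations and concatenated strings are not handled.

```python
import re

# AutoIt string literal: "..." or '...', a doubled quote being the escape.
STRING = r'"(?:[^"]|"")*"|\'(?:[^\']|\'\')*\''
CALL = re.compile(r'\b(RunAs(?:Wait)?)\s*\(', re.IGNORECASE)
ASSIGN = re.compile(r'^\s*(?:\w+\s+)*(\$\w+)\s*=\s*(?:' + STRING + r')\s*$')
CODE = re.compile(r'(?:' + STRING + r'|[^;"\'])*')  # text before a ';' comment

def call_args(text, pos):
    """Split a call's arguments at top-level commas, starting just after '('."""
    args, cur, depth, quote = [], [], 0, None
    for ch in text[pos:]:
        if quote:
            quote = None if ch == quote else quote
        elif ch in '"\'':
            quote = ch
        elif ch in '()':
            if ch == ')' and depth == 0:
                break
            depth += 1 if ch == '(' else -1
        elif ch == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return args + [''.join(cur).strip()]

def find_hardcoded_runas(source):
    """Return (line_no, function, kind) for each password stored in the script."""
    literals, findings = set(), []
    for no, raw in enumerate(source.splitlines(), 1):
        line = CODE.match(raw).group(0)
        m = ASSIGN.match(line)
        if m:
            literals.add(m.group(1).lower())  # AutoIt names are case-insensitive
        for call in CALL.finditer(line):
            args = call_args(line, call.end())
            pwd = args[2] if len(args) > 2 else ''  # third argument is the password
            if re.fullmatch(STRING, pwd):
                findings.append((no, call.group(1), 'literal'))
            elif pwd.lower() in literals:
                findings.append((no, call.group(1), 'variable'))
    return findings

# Constructed sample script; the first line mirrors the call in the question.
SAMPLE = r'''RunAs("admin", "testpc", "admintest", 0, "c:\windows\system32\notepad.exe")
Local $sPass = "admintest" ; set once, reused below
RunAsWait("admin", @ComputerName, $sPass, 0, "cmd.exe /c ver")
$sAsk = InputBox("Credentials", "Password:", "", "*") ; prompted at run time
RunAs("admin", "testpc", $sAsk, 0, "notepad.exe")'''
```

Running `find_hardcoded_runas(SAMPLE)` reports lines 1 and 3; the call on line 5 is not flagged because its password is prompted for at run time rather than stored in the script.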

 


Adding to what Melba said, it's all about getting it in proportion. No matter what security systems you use, a determined and knowledgeable hacker given enough time will get to what they want. What you need to think about is how secure it needs to be, and that depends on what the prospective hacker would stand to gain from getting such a password. Usually the answer is "Very little". In which case, _StringEncrypt + obfuscator + compiling is more than adequate. If lots of money is involved then I would definitely look at other solutions.

One good idea would be to have a semi-admin, who can do some normal unimportant tasks, but is not allowed to do some of the more dangerous tasks. Then it's not so much of a problem any more.


Cheers chaps,

I will obfuscate the file, set up another local admin account for running what I need to run, and if by some freak chance I get a computing geek in there that does have the time then I will re-image the computers if they play up :x

Realistically it's a controlled environment so it's an acceptable risk.

Thanks for your help chaps.

Aus.


In the AD that I maintain I created a user that I use to join computers to our domain; the user name and password are stored in plaintext in the SysPrep file. It's in plaintext so it's not very secure, but I have also made it so that this user can't log in to any computer, can't do much of anything except to join computers to the domain. It's like Mat said, you can make it so that the user that you want to have in your script only has credentials to do only so much on your systems, so if someone gets the username and password they can't do all that much with it.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator



If you Google around you might find it. There are things to look at your source, sadly.

It seriously will always be a problem to deal with in any type of programming: C, Java, Python. Your source is obtainable through some guy with no life just spending days/weeks/months of countless work, just to undo your work. And sad as it is, there are more and more every day.

So to answer your question, your password is somewhat not secure. One suggestion: you could rar the .exe and put a password lock on it. But it sounds like you want your password in your .exe to be protected. And you want to have your .exe just open ready for use.

So my rar suggestion might not be a good solution for you.

Edited by Cars0n66


Cars0n66,

I would remove all reference to a "decompiler" from your last post NOW!

It is not acceptable to even mention such things here. :)

M23



If you Google around you might find it. I once lost the source to my .exe and I found

some dude who made an AutoIT script to decompile an AutoIT.exe file. I have tested it and it works.

And his decompiler still works on the new Au3 .exe files.

So to answer your question, your password is somewhat not secure. One suggestion: you could rar the .exe and put a password lock on it. But it sounds like you want your password in your .exe to be protected. And you want to have your .exe just open ready for use.

So my rar suggestion might not be a good solution for you.

Congratulations, you just admitted you violated the AutoIt license agreement. Why shouldn't I ban you from this forum?
