[ASK] How safe is my code?

[michaelslamet]

Hi,

I'm going to build a small application using AutoIT to support the sales department. I need to put the MYSQL username and password on the code to connect to office's database. My main concern is somebody at the office can copy the exe files, decompile (or other way) and find out the username and password.

Am I worry too much? Should I concern about this... or not??

Thanks for reading and please reply if you have opinion.

[Rogue5099]

There are decompilers out there but not to the mass public (AutoIt's newer releases are safer).

You can use Obfuscator to disguise your code also.

Edited February 21, 2011 by rogue5099

[water]

This has been discussed many times.

Please search the forum for "secure source code" and you'll find a lot of discussions.

The conclusion is: Nothing you put in a AutoIt script or exe is save.

[Chimaera]

Well it depends how important in the real world sense your program is as to whether someone will take the time to crack it open.

There is code to stop this happeneing available for eg

http://www.autoitscript.com/forum/topic/19370-autoit-wrappers/page__view__findpost__p__199600

Maybe tie the software to something on your machine so it wont work anywhere but your machine

I sometimes make a fake .dll and add the name of it in the code as a Fileexists search so without the file it wont start

Im sure others will offer more advanced solutions for you

Chimaera

[michaelslamet]

This has been discussed many times.

Please search the forum for "secure source code" and you'll find a lot of discussions.

The conclusion is: Nothing you put in a AutoIt script or exe is save.

Thanks for your reply

At least can I hide a information about what compiler I use for the exe files? My current AutoIT apps, when I right click, choose "properties", on "version" tab, the compiler including what version is display. Everyone can see what the language is. I'm using Windows XP

CompilesScript: AutoIt v3 Script: 3. 3. 6. 1

[water]

Please have a look in the SciTE help -> Extra utilities -> AutoIt3Wrapper.

With directive #AutoIt3Wrapper_Res_ProductVersion=you can set the version.

[michaelslamet]

Please have a look in the SciTE help -> Extra utilities -> AutoIt3Wrapper.

With directive #AutoIt3Wrapper_Res_ProductVersion=you can set the version.

Thanks, Water

Can I hide the "AutoIT" text? So nobody will know what programming language I use to create the app. By that I hope it will more difficult to decompile the code.

[water]

I use

#AutoIt3Wrapper_Res_Fileversion=1
#AutoIt3Wrapper_Res_Description=Test

and the AutoIt info is gone (on Windows XP SP 3).

[Juvigy]

You can Encrypt or Hash the Usernames/Passwords in your code so if someone de compiles it

will see nothing. It is not completely safe but increases security quite a bit.

[michaelslamet]

I use

#AutoIt3Wrapper_Res_Fileversion=1
#AutoIt3Wrapper_Res_Description=Test

and the AutoIt info is gone (on Windows XP SP 3).

I test it with Windows XP SP2 (I'm using SP2), the information is about the same. Is there any other way that working in SP2 or previous version?

Thanks a lot

[water]

I'm not sure if SP2 or SP3 makes that much difference.

In SciTE use Ctrl+F7 and switch to the "Resource Update" tab.

F1 gives you the SciTE help file.

Test the different Wrapper settings and see if you get the desired results.

You can post your settings (found in the header of the script between "#Region ;**** Directives created by AutoIt3Wrapper_GUI ****" and "#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****") for us to test.

[jvanegmond]

Create accounts on the Offices SQL database for each of your users. Then have your users log in with their own username/password in order to use the application. If a password is then lost to an attacker, it's not because it was stored plain-text in your program but because your user is an idiot (pleonasm intended).

[michaelslamet]

I'm not sure if SP2 or SP3 makes that much difference.

In SciTE use Ctrl+F7 and switch to the "Resource Update" tab.

F1 gives you the SciTE help file.

Test the different Wrapper settings and see if you get the desired results.

You can post your settings (found in the header of the script between "#Region ;**** Directives created by AutoIt3Wrapper_GUI ****" and "#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****") for us to test.

Hi water,

Honestly I dont understand what you were saying But i will find out

Thanks a lot

[michaelslamet]

Create accounts on the Offices SQL database for each of your users. Then have your users log in with their own username/password in order to use the application. If a password is then lost to an attacker, it's not because it was stored plain-text in your program but because your user is an idiot (pleonasm intended).

Wow, this is a great idea! I think I'm going to use you solution for this mysql app.

Thanks a lot

[DigitalDave99]

When I needed to use a secure password I stored it within another file then encrypted it

with aes. Then anyone that just copied the script then decompiled it would only get your

encryption key, that you can change as many times as your like. Code below should it be of use to anyone.

AES crypto I used can be found here

#Include "aes.au3"
#include <file.au3>
Func Decript()
    $File = FileOpen("X:\fox2.ini", 16)
    $Data = FileRead($File)
    FileClose($File)
    $Key = "yourkey"
    $PlainText = _AesDecrypt($Key, $Data)
    ;ConsoleWrite($PlainText)
    ; Its a Binary encripted string we need to convert it then split the seprate values out with , seperating
    $StringDeEncripted = StringSplit(BinaryToString(_AesDecrypt($Key, $Data)), ",")
    $OldPass=$StringDeEncripted[2]
EndFunc

Func Encript()
    ; Part 1 - To save the password
    $Enable="True,"
    $PlainText = $Enable&$NewPass
    ;ConsoleWrite($PlainText)
    $Key = "yourkey"
    $Data = _AesEncrypt($Key, $PlainText)
    $File = FileOpen("X:\fox2.ini", 2)
    FileWrite($File, $Data)
    FileClose($File)
EndFunc

Wow, this is a great idea! I think I'm going to use you solution for this mysql app.

Thanks a lot

Edited February 21, 2011 by DigitalDave99