civilcalc

Undeletable autoit compiled exe

26 posts in this topic

So I've made my code, compiled it and saved it to a memory stick.

I really want to make it so this exe cannot be deleted from the stick, any way to do it?

Before anyone suggests anything sinister, this is not a keylogger, or anything like that, I know some people sit on the edge of their seat all day waiting to attack someone or point out the rules. So I will elaborate....

I have created a very complex engineering program, hence my handle Civil(as in engineer)Calc(as in calculator). And to say it's been a long time in the works is an understatement. I have been looking at ways to protect my work, and stop it being copied. So I am pretty much at the stage of installing it on a USB stick and using the script here to get the device ID and make it so the exe can only be run from this device. It works perfect! It means I have to compile each device individually, but I don't expect to sell thousands, so that's ok. I just don't want the end user to somehow delete the file, and have to send the stick back for programming.

If this is not possible, and I kind of think it might not be, I think I might create a page on my website for each user with their own unique exe on, should they somehow delete it. Does anyone see a problem doing this, other than webspace?

Am I right in thinking that using the Obfuscator with the latest compiler is the most secure Autoit has been to date? and that someone would have to go to great lengths to get the source code? Also if anyone thinks they could crack it, does anyone want to have a go?

Thanks in advance for your advice.




civilcalc,

I know some people sit on the edge of their seat all day waiting to attack someone or point out the rules

Why the attack mode? Would you prefer that the forum was over-run by "script kiddies"? ;)

I cannot help with the "undeletable" bit - as to the "security" side I am sorry to rain on your parade but:

Am I right in thinking that using the Obfuscator with the latest compiler is the most secure Autoit has been to date?

With the official release tools, yes. :)

and that someone would have to go to great lengths to get the source code?

No, it would take about 30 seconds to deobfuscate and decompile your code. :)

Also if anyone thinks they could crack it, does anyone want to have a go?

I do hope no-one answers publicly. :D

You could perhaps use Mobius' tool here to further protect the code, but remember that it is all expanded and visible in memory when you run the exe. :cheer:

In the end it is all a question of how much effort you want to put into protecting your work and how determined your opponents are to get at it - unfortunately they will always win if they really want to. ;)

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind._______My UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 


Melba,

It's not an attack on the majority of people here, most are very helpful and I know your posts are some of the best and the mods do a great job. But I made a post about poker last year and got absolutely slaughtered, despite me being very clear I wasn't breaking any rules. Sure enough someone reported it, I got angry, as I expected it, nobody knew anything about poker or the point of the post and I got a warning, a thread locked and I felt like shit for ages. I handled it very badly, I overreacted, but it really ruined my week, and I want to avoid it this time before some clueless wannabe tries to point out the obvious to a long time member. Anyway rant over.

Do you have any suggestions on how I can make the code secure enough that it's just too difficult to decompile it?

Do the hackers need to know it was written with Au to decompile it? Or are they one stop shops for all decompiling? Can I somehow hide the fact it was written in Au so they don't know what to decompile?


You know that in the world of computers and software, no data is safe from unrelenting eyes. I would fully expect it to be decompiled, and the time and effort put into adding security to keep it from being decompiled probably isn't worth it.


Spoiler

“Hello, ladies, look at your man, now back to me, now back at your man, now back to me. Sadly, he isn’t me, but if he stopped using ladies scented body wash and switched to Old Spice, he could smell like he’s me. Look down, back up, where are you? You’re on a boat with the man your man could smell like. What’s in your hand, back at me. I have it, it’s an oyster with two tickets to that thing you love. Look again, the tickets are now diamonds. Anything is possible when your man smells like Old Spice and not a lady. I’m on a horse.”

 


If they decompile it, what do they see?

Do they see the code as I wrote it?

Can I write it in a way that makes it hard to find the important bits relating to serial numbers?


civilcalc,

I handled it very badly, I over reacted, but it really ruined my week

That is your problem, not ours. You were moderated for your attitude, not the content of your post - although that was also actionable - and here you are starting off again in the same vein. Is there a lesson in there somewhere? :)

If they decompile it, what do they see? do they see the code as I wrote it?

The decompiled code does not have the same function and variable names, nor any comment lines, but other than that it is entirely as you wrote it - with all literal strings visible. And that is as far as any discussion on AutoIt decompilation in this thread will go. ;)

Just accept that nothing is uncrackable - Flame and StuxNet were probably created by a major nation state and they have been cracked - what chance do you have? As I said before, it is just a question of how much effort your adversaries will put into cracking your code. Obfuscator will make it more difficult, but by no means impossible. :)

M23


Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind._______My UDFs:

Spoiler

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 

Share this post


Link to post
Share on other sites

The application sounds super secret... G14 Classified. I don't know what the uses of your application are, but I would try my mostest bestest to not hard-code sensitive data directly into the application. Utilizing a database system or a protected ini/xml... maybe even encrypt certain data streams.



How many civil engineers do you know that like to steal software in their spare time?

It has been said many times, spend the time and effort you would trying in vain to secure your code from possible thieves, on improving, and developing your product.

You simply cannot secure it from curious prying eyes.


AutoIt Absolute Beginners    Require a serial    Pause Script    Video Tutorials by Morthawt   ipify 

Monkey's are, like, natures humans.


#9 ·  Posted (edited)

The application sounds super secret... G14 Classified. I don't know what the uses of your application are, but I would try my mostest bestest to not hard-code sensitive data directly into the application. Utilizing a database system or a protected ini/xml... maybe even encrypt certain data streams.

Ok, I admit I'm out of my depth a little, but I did think I could put certain resources on my website. Could that work? How do I use protected ini's? That could work! And it's G13 classified, which is why I am allowed to discuss it on this forum, G14 requires either encrypted posts or posts written in dingbats.

Edited by civilcalc


How many civil engineers do you know that like to steal software in their spare time?

It has been said many times, spend the time and effort you would trying in vain to secure your code from possible thieves, on improving, and developing your product.

You simply cannot secure it from curious prying eyes.

Not many I guess, but they are generally inquisitive by their nature, and they are generally smart enough to know a few things about programming and computers. So anything is possible.


Not many I guess, but they are generally inquisitive by their nature, and they are generally smart enough to know a few things about programming and computers. So anything is possible.

I don't doubt it, but I'd guess that most of your possible clients will never even have heard about autoit, but regardless, the fact remains, if they want to enough, they can.

What resources were you thinking of putting on your website?



#12 ·  Posted (edited)

One idea... if the sensitive data is constant... WILL NEVER EVER CHANGE... you can encrypt the data, and plug the encrypted data into the program.

; A little example on how encryption works.
#include <Crypt.au3>
_Crypt_Startup()
$key = _Crypt_DeriveKey("password", $CALG_AES_256) ; Build the key for encryption
$encrypt = _Crypt_EncryptData("EncryptThis", $key, $CALG_USERKEY) ; Encrypts "EncryptThis" string and outputs to variable
msgbox(0,"", $encrypt & @LF & @error) ; shows output
$decrypt = _Crypt_DecryptData($encrypt, $key, $CALG_USERKEY) ; Decrypts the encrypted string.
msgbox(0,"",BinaryToString($decrypt)) ; shows output
_Crypt_DestroyKey($key) ; destroys the generated key
_Crypt_Shutdown()

So encrypt the sensitive data string, and hard code the encrypted data, then run the decryption process to output it when you need, so the sensitive data cannot be seen raw on decompile.

If the app has access to the web and you have a MYSQL database, you can utilize the MySQL udf and store the sensitive data on the server.

As far as protected ini/xml files, you can figure that out =D. It's basic file permission/network admin stuff.

Edited by mechaflash213


#13 ·  Posted (edited)

I think I might create a page on my website for each user with their own unique exe on, should they somehow delete it.

How do I use protected ini's?

This isn't in the vein of obfuscating your work so much as license control, but it might help ease some of your concerns. You could use Zedna's great Resources UDF in the Examples forum to include an .ini or .txt file. Unlike FileInstall, you can interact with the file directly without having to save it to disk. You could then add in a license key, and prompt the user for the key on first launch. Once they put in the correct key, write something to the registry so they're not prompted again. Below is a very simple example:

.ini file (partial)

039857230857340572078558723049587205987324502897520349857203984572302825709856702897452875039857230857340
572078558723049587205987324502897520349857203984572302825709856702897452875039857230857340572078558723049
587205987324502897520349857203984572302825709856702897452875039857230857340572078558723049587205987324502
897520349857203984572302825709856702897452875039857230857340572078558723049587205987324502897520349857203
984572302825709856702897452875039857230857340572078558723049587205987324502897520349857203984572302825709
856702897452875039857230857340572078558723049587205987324502897520349857203984572302825709856702897452875
039857230857340572078558723049587205987324502897520349857203984572302825709856702897453141592652875039857
230857340572078558723049587205987324502897520349857203984572302825709856702897452875039857230857340572078
558723049587205987324502897520349857203984572302825709856702897452875039857230857340572078558723049587205
987324502897520349857203984572302825709856702897452875039857230857340572078558723049587205987324502897520
349857203984572302825709856702897452875039857230857340572078558723049587205987324502897520349857203984572
302825709856702897452875039857230857340572078558723049587205987324502897520349857203984572302825709856702
897452875039857230857340572078558723049587205987324502897520349857203984572302825709856702897452875039857
230857340572078558723049587205987324502897520349857203984572302825709856702897452875039857230857340572078
558723049587205987324502897520349857203984572302825709856702897452875039857230857340572078558723049587205
987324502897520349857203984572302825709856702897452875039857230857340572078558723049587205987324502897520
349857203984572302825709856702897452875039857230857340572078558723049587205987324502897520349857203984572
302825709856702897452875

Include file and check for existence of "key"

#AutoIt3Wrapper_Res_File_Add="C:\1.ini", rt_rcdata, TEST_TXT
#include <resources.au3>
#include <file.au3>
#include <array.au3>

$var = _ResourceGetAsString("TEST_TXT", $RT_RCDATA, 0, -1)

If StringInStr($var, "314159265") Then
   ;RegWrite etc. etc.
Else
   MsgBox(0, "", "No go, Ke-mo sah-bee")
EndIf
Edited by JLogan3o13

√-1 2^3 ∑ π, and it was delicious!
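
An added example, not code from any poster in this thread: posts #12 and #13 both leave their secret (the "password" string, the "314159265" key) as a literal in the script, and the decompiled script shows all literal strings. This variant derives the AES key from the licence key the customer types plus the stick's volume serial, so the shipped script holds only ciphertext. `_MakeBlob`, `_OpenBlob`, the `CCALC1|` marker and the sample values are hypothetical, and `DriveGetSerial` is an assumed stand-in for the device ID script mentioned in the first post.

```autoit
#include <Crypt.au3>

; Added example (not from the thread). Hypothetical names: _MakeBlob, _OpenBlob, $MARKER.
Global Const $MARKER = "CCALC1|" ; known prefix, used to detect a wrong key

; Vendor side, run once per stick: returns the ciphertext that gets embedded in the script.
Func _MakeBlob($sSecret, $sLicenceKey, $sDriveSerial)
    Local $hKey = _Crypt_DeriveKey($sLicenceKey & "|" & $sDriveSerial, $CALG_AES_256)
    If @error Then Return SetError(1, 0, "")
    Local $bBlob = _Crypt_EncryptData($MARKER & $sSecret, $hKey, $CALG_USERKEY)
    Local $iErr = @error ; save before the next call resets @error
    _Crypt_DestroyKey($hKey)
    If $iErr Then Return SetError(2, 0, "")
    Return $bBlob
EndFunc

; Customer side: rebuilds the key from what the user typed and the drive serial.
Func _OpenBlob($bBlob, $sLicenceKey, $sDriveSerial)
    Local $hKey = _Crypt_DeriveKey($sLicenceKey & "|" & $sDriveSerial, $CALG_AES_256)
    If @error Then Return SetError(1, 0, "")
    Local $bPlain = _Crypt_DecryptData($bBlob, $hKey, $CALG_USERKEY)
    Local $iErr = @error
    _Crypt_DestroyKey($hKey)
    If $iErr Then Return SetError(2, 0, "") ; a wrong key normally fails the padding check
    Local $sPlain = BinaryToString($bPlain)
    ; Catch the rare wrong key that still yields valid padding.
    If StringLeft($sPlain, StringLen($MARKER)) <> $MARKER Then Return SetError(3, 0, "")
    Return StringTrimLeft($sPlain, StringLen($MARKER))
EndFunc

_Crypt_Startup()
; Volume serial of the drive the exe is running from (assumption: run from a drive letter).
Local $sSerial = DriveGetSerial(StringLeft(@ScriptDir, 2) & "\")

; Build step with constructed sample values. It sits in this file only so the example
; runs on its own; a shipped script would contain just the resulting binary blob.
Local $bBlob = _MakeBlob("design factor table v1", "SAMPLE-KEY-0001", $sSerial)

; Runtime: the licence key comes from the user, never from the script.
Local $sTyped = InputBox("Licence", "Enter your licence key:")
Local $sSecret = _OpenBlob($bBlob, $sTyped, $sSerial)
If @error Then
    MsgBox(16, "Licence", "Key not valid for this stick.")
Else
    MsgBox(64, "Licence", "Unlocked: " & $sSecret)
EndIf
_Crypt_Shutdown()
```

A copy of the exe without the customer's key, or run from a volume with a different serial, does not decrypt the blob. The decrypted value is still in memory while the program runs, and the volume serial changes if the stick is reformatted.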


Each idea is as useless as the next.

I don't disagree. However, the stated point that no data is 100% secure seems not to sit well with the OP.



#16 ·  Posted (edited)

I don't disagree. However, the stated point that no data is 100% secure seems not to sit well with the OP.

Hey, I know how it is. I just want to reduce my exposure. If in ten years' time I've made enough money from it to buy something nice, and as few people as possible have been able to steal my work, I will be happy. But if in 5 years' time my software is being used by every engineer for free because I did nothing to protect it, and overhear someone saying the girl that designed it must have been an idiot for making it so easy, I would probably jump out of the window.

Maybe I should think of it another way? Not protect the source, but make it difficult to use without permission.

Back to the question of putting resources on my website, what if all the prompts were on my website, and the GUI needed to retrieve the data to display the prompt? It would make it a pain to use without them. I guess I have over 2000 controls already..... What do you think?

Edited by civilcalc


At some point, though, you have to weigh the potential benefits against ease of use for the customer. If you make your application difficult to use or slow it down by maintaining a connection to your site, it won't matter how great it does its job; customers will go elsewhere.



At some point, though, you have to weigh the potential benefits against ease of use for the customer. If you make your application difficult to use or slow it down by maintaining a connection to your site, it won't matter how great it does its job; customers will go elsewhere.

Yeah, I get that too. :-( catch 22 isn't it.

I might sell each copy with an armed guard, obv need to build this into the price.


If your software requires an internet connection, and by that I mean if it would be useless without the internet, and you are hell bent on protecting it then I would consider keeping the whole application server side.

I'm unsure if there are ways of running autoit files in that fashion so I'd go with a different language like php, or some other language that is happy over there.



#20 ·  Posted (edited)

Or give up filthy capitalism altogether, become a pioneer and release your project as Open Source to the world ;) You'll sleep better, and it'll be great karma.

Edited by JLogan3o13
