civilcalc Posted June 11, 2012

So I've made my code, compiled it and saved it to a memory stick. I really want to make it so this exe cannot be deleted from the stick, any way to do it?

Before anyone suggests anything sinister, this is not a keylogger, or anything like that. I know some people sit on the edge of their seat all day waiting to attack someone or point out the rules. So I will elaborate....

I have created a very complex engineering program, hence my handle Civil(as in engineer)Calc(as in calculator). And to say it's been a long time in the works is an understatement. I have been looking at ways to protect my work, and stop it being copied. So I am pretty much at the stage of installing it on a USB stick and using the script here to get the device ID and make it so the exe can only be run from this device. It works perfect! It means I have to compile each device individually, but I don't expect to sell thousands, so that's OK.

I just don't want the end user to somehow delete the file, and have to send the stick back for programming. If this is not possible, and I kind of think it might not be, I think I might create a page on my website for each user with their own unique exe on, should they somehow delete it. Does anyone see a problem doing this, other than webspace?

Am I right in thinking that using the Obfuscator with the latest compiler is the most secure AutoIt has been to date? and that someone would have to go to great lengths to get the source code?

Also if anyone thinks they could crack it, does anyone want to have a go?

Thanks in advance for your advice.
Melba23 (Moderators) Posted June 11, 2012

civilcalc,

> I know some people sit on the edge of their seat all day waiting to attack someone or point out the rules

Why the attack mode? Would you prefer that the forum was over-run by "script kiddies"?

I cannot help with the "undeletable" bit - as to the "security" side I am sorry to rain on your parade but:

> Am I right in thinking that using the Obfuscator with the latest compiler is the most secure AutoIt has been to date?

With the official release tools, yes.

> and that someone would have to go to great lengths to get the source code?

No, it would take about 30 seconds to deobfuscate and decompile your code.

> Also if anyone thinks they could crack it, does anyone want to have a go?

I do hope no-one answers publicly.

You could perhaps use Mobius' tool here to further protect the code, but remember that it is all expanded and visible in memory when you run the exe. In the end it is all a question of how much effort you want to put into protecting your work and how determined your opponents are to get at it - unfortunately they will always win if they really want to.
M23

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

My UDFs:
ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert ---- Easily convert date/time formats, including the language used
ExtMsgBox ---- A highly customisable replacement for MsgBox
GUIExtender ---- Extend and retract multiple sections within a GUI
GUIFrame ---- Subdivide GUIs into many adjustable frames
GUIListViewEx ---- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ---- Check/clear parent and child checkboxes in a TreeView
Marquee ---- Scrolling tickertape GUIs
NoFocusLines ---- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ---- Small notifications on the edge of the display
Scrollbars ---- Automatically sized scrollbars with a single command
StringSize ---- Automatically size controls to fit text
Toast ---- Small GUIs which pop out of the notification area
civilcalc (Author) Posted June 11, 2012

> civilcalc,
>
> Why the attack mode? Would you prefer that the forum was over-run by "script kiddies"?
>
> I cannot help with the "undeletable" bit - as to the "security" side I am sorry to rain on your parade but:
>
> With the official release tools, yes.
>
> No, it would take about 30 seconds to deobfuscate and decompile your code.
>
> I do hope no-one answers publicly.
>
> You could perhaps use Mobius' tool here to further protect the code, but remember that it is all expanded and visible in memory when you run the exe. In the end it is all a question of how much effort you want to put into protecting your work and how determined your opponents are to get at it - unfortunately they will always win if they really want to.
>
> M23

Melba,

It's not an attack on the majority of people here, most are very helpful and I know your posts are some of the best and the mods do a great job. But I made a post about poker last year and got absolutely slaughtered, despite me being very clear I wasn't breaking any rules. Sure enough someone reported it, I got angry, as I expected it, nobody knew anything about poker or the point of the post and I got a warning, a thread locked and I felt like shit for ages. I handled it very badly, I overreacted, but it really ruined my week, and I want to avoid it this time before some clueless wannabe tries to point out the obvious to a long time member. Anyway rant over.

Do you have any suggestions on how I can make the code secure enough that it's just too difficult to decompile it? Do the hackers need to know it was written with Au to decompile it? Or are they one stop shops for all decompiling? Can I somehow hide the fact it was written in Au so they don't know what to decompile?
Mechaflash Posted June 11, 2012

You know that in the world of computers and software, no data is safe from unrelenting eyes. I would fully expect it to be decompiled, and the time and effort put into adding security to keep it from being decompiled probably isn't worth it.

“Hello, ladies, look at your man, now back to me, now back at your man, now back to me. Sadly, he isn’t me, but if he stopped using ladies scented body wash and switched to Old Spice, he could smell like he’s me. Look down, back up, where are you? You’re on a boat with the man your man could smell like. What’s in your hand, back at me. I have it, it’s an oyster with two tickets to that thing you love. Look again, the tickets are now diamonds. Anything is possible when your man smells like Old Spice and not a lady. I’m on a horse.”
civilcalc (Author) Posted June 11, 2012

If they decompile it, what do they see? Do they see the code as I wrote it? Can I write it in a way that makes it hard to find the important bits relating to serial numbers?
Melba23 (Moderators) Posted June 11, 2012

civilcalc,

> I handled it very badly, I overreacted, but it really ruined my week

That is your problem, not ours. You were moderated for your attitude, not the content of your post - although that was also actionable - and here you are starting off again in the same vein. Is there a lesson in there somewhere?

> If they decompile it, what do they see? Do they see the code as I wrote it?

The decompiled code does not have the same function and variable names, nor any comment lines, but other than that it is entirely as you wrote it - with all literal strings visible. And that is as far as any discussion on AutoIt decompilation in this thread will go.

Just accept that nothing is uncrackable - Flame and Stuxnet were probably created by a major nation state and they have been cracked - what chance do you have? As I said before, it is just a question of how much effort your adversaries will put into cracking your code. Obfuscator will make it more difficult, but by no means impossible.
M23
Mechaflash Posted June 11, 2012

The application sounds super secret... G14 Classified.

I don't know what the uses of your application are, but I would try my mostest bestest to not hard-code sensitive data directly into the application. Utilizing a database system or a protected ini/xml... maybe even encrypt certain data streams.
JohnOne Posted June 11, 2012

How many civil engineers do you know that like to steal software in their spare time?

It has been said many times, spend the time and effort you would trying in vain to secure your code from possible thieves, on improving, and developing your product.

You simply cannot secure it from curious prying eyes.

AutoIt Absolute Beginners Require a serial Pause Script Video Tutorials by Morthawt ipify

Monkey's are, like, natures humans.
civilcalc (Author) Posted June 11, 2012 (edited)

> The application sounds super secret... G14 Classified. I don't know what the uses of your application are, but I would try my mostest bestest to not hard-code sensitive data directly into the application. Utilizing a database system or a protected ini/xml... maybe even encrypt certain data streams.

OK, I admit I'm out of my depth a little, but I did think I could put certain resources on my website. Could that work? How do I use protected ini's? That could work!

And it's G13 classified, which is why I am allowed to discuss it on this forum, G14 requires either encrypted posts or posts written in dingbats.

Edited June 11, 2012 by civilcalc
civilcalc (Author) Posted June 11, 2012

> How many civil engineers do you know that like to steal software in their spare time? It has been said many times, spend the time and effort you would trying in vain to secure your code from possible thieves, on improving, and developing your product. You simply cannot secure it from curious prying eyes.

Not many I guess, but they are generally inquisitive by their nature, and they are generally smart enough to know a few things about programming and computers. So anything is possible.
JohnOne Posted June 11, 2012

> Not many I guess, but they are generally inquisitive by their nature, and they are generally smart enough to know a few things about programming and computers. So anything is possible.

I don't doubt it, but I'd guess that most of your possible clients will never even have heard about AutoIt, but regardless, the fact remains, if they want to enough, they can.

What resources were you thinking of putting on your website?
Mechaflash Posted June 11, 2012 (edited)

One idea... if the sensitive data is constant... WILL NEVER EVER CHANGE... you can encrypt the data, and plug the encrypted data into the program.

```autoit
; A little example on how encryption works.
#include <Crypt.au3>

_Crypt_Startup()
$key = _Crypt_DeriveKey("password", $CALG_AES_256) ; Build the key for encryption
$encrypt = _Crypt_EncryptData("EncryptThis", $key, $CALG_USERKEY) ; Encrypts "EncryptThis" string and outputs to variable
MsgBox(0, "", $encrypt & @LF & @error) ; shows output
$decrypt = _Crypt_DecryptData($encrypt, $key, $CALG_USERKEY) ; Decrypts the encrypted string.
MsgBox(0, "", BinaryToString($decrypt)) ; shows output
_Crypt_DestroyKey($key) ; destroys the generated key
_Crypt_Shutdown()
```

So encrypt the sensitive data string, and hard code the encrypted data, then run the decryption process to output it when you need, so the sensitive data cannot be seen raw on decompile.

If the app has access to the web and you have a MySQL database, you can utilize the MySQL UDF and store the sensitive data on the server.

As far as protected ini/xml files, you can figure that out =D. It's basic file permission/network admin stuff.

Edited June 11, 2012 by mechaflash213
JLogan3o13 (Moderators) Posted June 11, 2012 (edited)

> I think I might create a page on my website for each user with their own unique exe on, should they somehow delete it.

> How do I use protected ini's?

This isn't in the vein of obfuscating your work so much as license control, but it might help ease some of your concerns. You could use Zedna's great Resources UDF in the Examples forum to include an .ini or .txt file. Unlike FileInstall, you can interact with the file directly without having to save it to disk. You could then add in a license key, and prompt the user for the key on first launch. Once they put in the correct key, write something to the registry so they're not prompted again. Below is a very simple example:

.ini file (partial)

Include file and check for existence of "key"

```autoit
; Embed the .ini file in the compiled exe as an RT_RCDATA resource named TEST_TXT
#AutoIt3Wrapper_Res_File_Add="C:\1.ini", rt_rcdata, TEST_TXT
#include <resources.au3>
#include <file.au3>
#include <array.au3>

; Read the embedded resource straight from the exe, without writing it to disk
$var = _ResourceGetAsString("TEST_TXT", $RT_RCDATA, 0, -1)

; Look for the license key inside the embedded data
If StringInStr($var, "314159265") Then
    ;RegWrite etc. etc.
Else
    MsgBox(0, "", "No go, Ke-mo sah-bee")
EndIf
```

Edited June 11, 2012 by JLogan3o13

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!
JohnOne Posted June 11, 2012

Each idea is as useless as the next.

You encrypt data
Attacker decrypts data
You add resource file
Attacker extracts resource file
You xx
Attacker yy
etc...

Seriously civil, don't waste your time.
JLogan3o13 (Moderators) Posted June 11, 2012

> Each idea is as useless as the next.

I don't disagree. However, the stated point that no data is 100% secure seems not to sit well with the OP.
civilcalc (Author) Posted June 11, 2012 (edited)

> I don't disagree. However, the stated point that no data is 100% secure seems not to sit well with the OP.

Hey, I know how it is. I just want to reduce my exposure. If in ten years' time I've made enough money from it to buy something nice, and as few people as possible have been able to steal my work, I will be happy. But if in 5 years' time my software is being used by every engineer for free because I did nothing to protect it, and I overhear someone saying the girl that designed it must have been an idiot for making it so easy, I would probably jump out of the window.

Maybe I should think of it another way? Not protect the source, but make it difficult to use without permission.

Back to the question of putting resources on my website, what if all the prompts were on my website, and the GUI needed to retrieve the data to display the prompt? It would make it a pain to use without them. I guess I have over 2000 controls already..... What do you think?

Edited June 11, 2012 by civilcalc
JLogan3o13 (Moderators) Posted June 11, 2012

At some point, though, you have to weigh the potential benefits against ease of use for the customer. If you make your application difficult to use or slow it down by maintaining a connection to your site, it won't matter how great it does its job; customers will go elsewhere.
civilcalc (Author) Posted June 11, 2012

> At some point, though, you have to weigh the potential benefits against ease of use for the customer. If you make your application difficult to use or slow it down by maintaining a connection to your site, it won't matter how great it does its job; customers will go elsewhere.

Yeah, I get that too. :-( Catch 22, isn't it.

I might sell each copy with an armed guard, obv need to build this into the price.
JohnOne Posted June 11, 2012

If your software requires an internet connection, and by that I mean if it would be useless without the internet, and you are hell bent on protecting it then I would consider keeping the whole application server side.

I'm unsure if there are ways of running AutoIt files in that fashion so I'd go with a different language like PHP, or some other language that is happy over there.
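JohnOne's suggestion of keeping the application server side, combined with the device-ID binding from the first post, shown as an added Python example (not code from any poster in this thread). The function names, the token layout, the demo secret and the beam formula standing in for the real calculation are all assumptions.

```python
import hashlib
import hmac
import time

# Constructed demo secret. In a real deployment it exists only on the server
# and is never embedded in anything shipped to the customer.
SERVER_SECRET = b"constructed-demo-secret"


def _tag(payload: str, secret: bytes) -> str:
    """HMAC-SHA256 over the license fields, hex encoded."""
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_license(device_id, customer, expires, secret=SERVER_SECRET):
    """Issue a token that binds one customer to one USB device ID until `expires`."""
    if "|" in device_id or "|" in customer:
        raise ValueError("'|' is reserved as the field separator")
    payload = f"{device_id}|{customer}|{int(expires)}"
    return f"{payload}|{_tag(payload, secret)}"


def verify_license(token, device_id, now, secret=SERVER_SECRET):
    """Server-side check: authentic tag, matching device ID, not expired."""
    parts = token.split("|")
    if len(parts) != 4:
        return False
    tok_device, customer, expires, tag = parts
    expected = _tag(f"{tok_device}|{customer}|{expires}", secret)
    # Constant-time comparisons, so response timing does not leak the tag.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return False
    if not hmac.compare_digest(tok_device.encode(), device_id.encode()):
        return False
    # The tag has been verified, so `expires` is the integer the server issued.
    return int(expires) >= now


def handle_request(token, device_id, span_m, load_kn_per_m, now=None):
    """Run the calculation on the server, and only for a valid license."""
    now = int(time.time()) if now is None else now
    if not verify_license(token, device_id, now):
        return {"ok": False, "error": "invalid license"}
    # Stand-in for the real engineering code (assumption): maximum bending
    # moment of a simply supported beam under a uniform load, w * L^2 / 8.
    return {"ok": True, "max_moment_knm": load_kn_per_m * span_m ** 2 / 8}


if __name__ == "__main__":
    # Constructed sample values.
    demo = issue_license("USB-1234ABCD", "acme", 2000000000)
    print(handle_request(demo, "USB-1234ABCD", 6.0, 10.0, now=1700000000))
    print(handle_request(demo, "USB-COPYSTICK", 6.0, 10.0, now=1700000000))
```

Because the signing secret and the calculation exist only on the server, decompiling the client exe yields neither. The device ID is still reported by the client, so this limits casual copying rather than stopping a determined attacker.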
JLogan3o13 (Moderators) Posted June 11, 2012 (edited)

Or give up filthy capitalism altogether, become a pioneer and release your project as Open Source to the world. You'll sleep better, and it'll be great karma.

Edited June 11, 2012 by JLogan3o13