I found a security hole in the compiler


hello,

i found a security hole in the compiler..

the hole is that there is an easy way to know in which programming language the script/software is written and this info is a good starting point for a hacker..

Assuming we deleted the autoit icon and any other identifying mark in the exe file, there is still a way to know the programming language!

this is the security hole:

after the exe file was built:

1) open the exe file with NotePad++ (text editor)

2) Change an ordinary letter to a different letter like i did in this example:

2rhy629.jpg

2v2xe7p.jpg

3) Save the exe file

now if you run the exe file, you will get this error message:

9ar37o.jpg

the error message notes that the exe file was written in AutoIt.

i think that this is a security hole because it gives a starting point about which programming language the exe was written in..

is there a way to fix it?

Link to comment
Share on other sites

you didn't see AU3! in plain text while in notepad++

Link to comment
Share on other sites

  • Moderators

gil900,

Why are some people so mad keen on protecting their compiled executables? What on earth do you code that you all feel needs so much protection? :huh:

Once again: AutoIt is not and never will be secure - which is also true for any other language. Being interpreted just makes AutoIt an easier target. And the "hole" you point to above is not really that useful to a hacker - I would suggest that having the entire interpreter in each executable is a much bigger giveaway than a simple MsgBox. ;)

And could I also point out that doing what you say you have done ("deleted the autoit icon and any other identifying mark in the exe file") could be considered in contravention of the EULA: :naughty:

 

"Reverse engineering. You may not reverse engineer or disassemble the SOFTWARE PRODUCT or compiled scripts that were created with the SOFTWARE PRODUCT"

M23

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind

Open spoiler to see my UDFs:

ArrayMultiColSort ---- Sort arrays on multiple columns
ChooseFileFolder ---- Single and multiple selections from specified path treeview listing
Date_Time_Convert -- Easily convert date/time formats, including the language used
ExtMsgBox --------- A highly customisable replacement for MsgBox
GUIExtender -------- Extend and retract multiple sections within a GUI
GUIFrame ---------- Subdivide GUIs into many adjustable frames
GUIListViewEx ------- Insert, delete, move, drag, sort, edit and colour ListView items
GUITreeViewEx ------ Check/clear parent and child checkboxes in a TreeView
Marquee ----------- Scrolling tickertape GUIs
NoFocusLines ------- Remove the dotted focus lines from buttons, sliders, radios and checkboxes
Notify ------------- Small notifications on the edge of the display
Scrollbars ----------Automatically sized scrollbars with a single command
StringSize ---------- Automatically size controls to fit text
Toast -------------- Small GUIs which pop out of the notification area

 

Link to comment
Share on other sites

  • Moderators

If only the world were filled with hackers who thought they'd stumbled on something big by opening a script in Notepad++, we'd all be safe! :)

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Link to comment
Share on other sites

If only the world were filled with hackers who thought they'd stumbled on something big by opening a script in Notepad++, we'd all be safe! :)

Yeah I think I have decrypted the source code corresponding to the first line...  :geek:

Link to comment
Share on other sites

but a more neutral error messagebox would be nice. like: scriptname error, abnormal termination. it's on my autoit wish list ;)

I agree with him.

Link to comment
Share on other sites

  • Moderators

And I would ask the same question as Melba. Why that level of paranoia? If you are coding something that super-secret, AutoIt shouldn't be your language of choice in the first place.

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Link to comment
Share on other sites

And I would ask the same question as Melba. Why that level of paranoia? If you are coding something that super-secret, AutoIt shouldn't be your language of choice in the first place.

.

i am not paranoid. i just wish that my compiled exe would give out a different error notification. a user of my script may be surprised that he gets an "AutoIt error" instead of a "MyProgram error", because he did not expect to have started an AutoIt application.

FukuLeaks

Link to comment
Share on other sites

.

i am not paranoid. i just wish that my compiled exe would give out a different error notification. a user of my script may be surprised that he gets an "AutoIt error" instead of a "MyProgram error", because he did not expect to have started an AutoIt application.

There is a udf for that.

But I doubt it covers the compiled script having been tampered with.

Monkey's are, like, natures humans.

Link to comment
Share on other sites

And I would ask the same question as Melba. Why that level of paranoia? If you are coding something that super-secret, AutoIt shouldn't be your language of choice in the first place.

I understand ..

I knew I could not secure the software.

But I did not think it would be so easy to get the name "autoit" ..

But you know what? It does not really matter to me.

But I still prefer that it will be like Edano said

Link to comment
Share on other sites

This answer will be extreme: If your code is well written, no AutoIt Error messagebox will ever show up.

even if i will do the trick with NotePad++ ?

Link to comment
Share on other sites

even if i will do the trick with NotePad++ ?

Sure, because everyone enjoys doing this.

Try with another application and this one will also have an unexpected behavior.

Edited by FireFox
Link to comment
Share on other sites

This answer will be extreme: If your code is well written, no AutoIt Error messagebox will ever show up.

.

yes that is true, but still the wish is valid.

FukuLeaks

Link to comment
Share on other sites

This topic is now closed to further replies.