Proph

Stolen Source code :(

72 posts in this topic

I have written some pretty good programs with autoit that I spent a lot of time writing... and I have seen people get my source code even though I specifically clicked to not allow decompilation. ;)

I tried reading around the forums for a solution... but it looks like there is no way to prevent this.

If that is the case... are there any methods I can use to make it more difficult for my scripts to be cracked like that? Should I put a password in it myself? Or is the option Do not allow decompilation better protection? Would it be possible to change the algorithms used to encrypt the exe?

I am just curious as to what method would be the safest method to use if I do not want my source to be leaked.

Thanks to anyone who can help me.




#2 ·  Posted (edited)

I have written some pretty good programs with autoit that I spent a lot of time writing... and I have seen people get my source code even though I specifically clicked to not allow decompilation. ;)

I tried reading around the forums for a solution... but it looks like there is no way to prevent this.

If that is the case... are there any methods I can use to make it more difficult for my scripts to be cracked like that? Should I put a password in it myself? Or is the option Do not allow decompilation better protection? Would it be possible to change the algorithms used to encrypt the exe?

I am just curious as to what method would be the safest method to use if I do not want my source to be leaked.

Thanks to anyone who can help me.

First

I could not find ONE LINE of code you have written here... NOT ONE LINE

So... who has broken what great programs you have written????

Second

to decompile is not easy... just take a look at these posts

this one has developers saying how tough it is to decompile

http://www.autoitscript.com/forum/index.ph...st=0&p=108930

here is a lengthy one

http://www.autoitscript.com/forum/index.ph...pic=15457&st=0#

there are developers in this one too

http://www.autoitscript.com/forum/index.ph...st=0&p=104633

so.... what programs did "they" decompile??????

8)

Edited by Valuater


#3 ·  Posted (edited)

Well... the one that got decompiled is not one that I should post on the board.

It was not a very big program... and I could care less that the source was leaked from it. But... I would hate to see a few of my other programs' source get leaked. If what you say is true that would make me feel much safer. Maybe some of the posts I have read were old ones.

BTW... I have not posted any programs here. One of the programs I would hate to see my code leaked from is called "Edited".

Also... why are you so sarcastic in your post? I was asking what I feel is not such a stupid question. Do you think I was lying or what?

Edited by Proph


#4 ·  Posted (edited)

Well... I found out how to decompile an exe... even if the author doesn't want you to. ;)

I have a version of EXE2AU3 that does not need to have the passphrase.

This is what is in the readme.txt

AutoIt3-Decompiler
==================

What is this?
    This will extract the AutoIt3-script(*.au3) from AutoIt3-Installations(*.exe)
    --> http://www.autoitscript.com/autoit3/
    Often AutoIt3 is misused by Trojan writers to install their crap on your PC 
    so the decompiler may bring some light in the dark.
    To see if some file is a AutoIt3-Installations watch the file properties 
    version information.

What has improved? (Version 1.0)
    * Now to make things easier there is no need to enter the pass phrase anymore
      - it is auto filled for you during decompiling.
    * You can directly enter the filenames

    The pass phrase is ridiculous; it is stored inside the script
    so why enter it again?  Anyway there is also a problem with the pass phrase 
    textbox which was limited to 64 chars but the password sometimes can be 
    256 chars.  Well if you force 256 chars into the textbox decompilation succeeded 
    but after it finished the program crashed because of buffer overflow. 
    But by now you needn't worry about it anymore. :)

Limitations:
    Files stored inside an AutoIt3-Installation are not extracted

Tools used to create:
    Ollydebug, PE-Explorer, UPX

So it doesn't look like my question was stupid. Actually... I hope the admins look into this. :P I tried this file on my programs and it easily got the code. Didn't take any time at all. It was instant.

Please someone... at least PM me with info on how I may be able to prevent this. We must be able to do something. This is a serious issue. :mad2:

Edited by Proph
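
The readme's point that the pass phrase is stored inside the compiled file, as an added example that is not part of the original thread or of AutoIt. The `TOYPK1` layout, the function names and the sample values are all constructed for illustration and do not reflect AutoIt's real file format; the sketch shows that a loader which decrypts without asking the user must ship its key next to the data.

```python
import hashlib
import struct

MAGIC = b"TOYPK1"  # constructed marker for this toy format, not AutoIt's real layout
SAMPLE_SCRIPT = b'MsgBox(0, "demo", "constructed sample script")'  # constructed input
SAMPLE_PASSPHRASE = b"p" * 256  # constructed; 256 chars is the length the readme mentions


def _xor(data: bytes, passphrase: bytes) -> bytes:
    """Toy stream cipher: SHA-256(passphrase + counter) as keystream (illustration only)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(passphrase + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(script: bytes, passphrase: bytes) -> bytes:
    """Self-running bundle: the stub decrypts unattended, so the passphrase is stored in it."""
    return (MAGIC + struct.pack(">H", len(passphrase)) + passphrase
            + struct.pack(">I", len(script)) + _xor(script, passphrase))


def run_stub(bundle: bytes) -> bytes:
    """What the legitimate loader does; anyone holding the file can do the same steps."""
    if not bundle.startswith(MAGIC):
        raise ValueError("not a toy bundle")
    try:
        pos = len(MAGIC)
        (plen,) = struct.unpack_from(">H", bundle, pos)
        passphrase = bundle[pos + 2:pos + 2 + plen]
        pos += 2 + plen
        (slen,) = struct.unpack_from(">I", bundle, pos)
    except struct.error as exc:
        raise ValueError("truncated bundle") from exc
    body = bundle[pos + 4:pos + 4 + slen]
    if len(body) != slen:
        raise ValueError("truncated bundle")
    return _xor(body, passphrase)


def audit(bundle: bytes, script: bytes, passphrase: bytes) -> dict:
    return {  # checks a developer can run against their own build output
        "plaintext_visible": script in bundle,       # encryption hides it from a string scan
        "passphrase_shipped": passphrase in bundle,  # but the key travels with the data
        "recovered_without_asking": run_stub(bundle) == script,
    }

print(audit(pack(SAMPLE_SCRIPT, SAMPLE_PASSPHRASE), SAMPLE_SCRIPT, SAMPLE_PASSPHRASE))
```

The takeaway for a build review: a longer or stronger pass phrase changes nothing in this design, because the secret that matters is not kept away from the person holding the file.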


#5 ·  Posted (edited)

1

Nice program...

2

Definitely written in Autoit

3

if that EXE2AU3 does it that easy... then it needs attention

4

there was no proof of you doing anything here in the autoit forums except asking questions....so

If that is you.. then, I sincerely apologize... siginet

8)

Edited by Valuater


#6 ·  Posted (edited)

No problem. :P

But yes it does exactly what I stated... and it does need to be looked into. I hope the admins contact me asap. I will send them this file I have so they can look into the issue deeper. The program is basically a skeleton key to autoit. ;)

BTW... thanks for the compliment of my program. :mad2: But I could have never made it without the help of people on the forums here. :oops:

Edited by Proph


Thanks for the link.

Seems I do not have permission to post in that topic. ;) Maybe cause I have a low post count?

But if I could post to it I would agree to get rid of the EXE2AUT option. I don't think there is a need for it at all. I never use it. Why do I need it if I have my original .au3 file? If it causes a security risk like this then it is too much of a risk in my opinion. Could there maybe be 2 versions of autoit? One that has the decompile functions (For newbies) and one that doesn't (For advanced users)?


You can blame whiny bitches who can't seem to maintain proper backups for the decompiler. Jon literally got tired of listening to people bitch for the decompiler and most were from idiots who for one reason or another would manage to lose their source and only have a binary. Thus, he created the decompiler.

Anyway, to answer your question: The best security is to never let anybody touch your binary; anything else is insecure by default. It's as simple as it is impractical but it is the only absolute truth in security.


Anyway, to answer your question: The best security is to never let anybody touch your binary; anything else is insecure by default. It's as simple as it is impractical but it is the only absolute truth in security.

That would not be very practical for most programs... unless it was only for private use. ;) But I understand what you mean. I know that no matter what there will always be someone that will crack anything... but that doesn't mean we have to make it easy for them. Most of us here probably are experts at cracking most tools. :P I hope Jon may reconsider removing the decompiler. Just add in his disclaimer that users are responsible for making their own backups. Like someone on the forums stated... "If autoit is going to be used as a tool for doing things as good as it does now... It should not have such an easy way to decompile it. For security reasons." Somebody said something like that (Not in the exact words).


maintain proper backups

I would agree to get rid of the EXE2AUT option.

IMHO... I would have to agree w/ both of those.


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


EXE compression is a good way to get rid of stealing source code. It also shrinks program size down a lot. One of my exe's was around 180K and I compressed it to 50K.

Another way I used to do was get rid of every space and line break in the source code. That way it would be a mess and would at least make the stealer not want to format it. (other langs.)

http://upx.sourceforge.net/ is a good EXE compressor


http://upx.sourceforge.net/ is a good EXE compressor

Hmm, (UPX) isn't that the one that we use? ;):P

Thanks for the link though.


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


I just have to add my 2 cents worth of thought :">

In my mind autoit is primarily a scripting tool, and as such the code is open to all eyes prying.

I too have found it really easy to write useful tools in it. But if my tool is of such nature that people should not be able to see the source I think I owe it to myself to port my code to a "proper" language. Not that it helps much against professional peekers though.

Please, this is not meant to be a "blame yourself" speech, just my 2 cents of scripting languages source code secrets.

Best Regards

Uten


I just have to add my 2 cents worth of thought :">

In my mind autoit is primarily a scripting tool, and as such the code is open to all eyes prying.

I too have found it really easy to write useful tools in it. But if my tool is of such nature that people should not be able to see the source I think I owe it to myself to port my code to a "proper" language. Not that it helps much against professional peekers though.

Please, this is not meant to be a "blame yourself" speech, just my 2 cents of scripting languages source code secrets.

Best Regards

Uten

That would have been true before Autoit was able to have a gui and do most if not all things that other scripting languages do. But now autoit has gotten much more advanced. So I have to 100% disagree with you there. Autoit is a great scripting language and it should have the capability of being more secure if the script writer chooses so. Just my 2 more cents. ;)


That would have been true before Autoit was able to have a gui and do most if not all things that other scripting languages do. But now autoit has gotten much more advanced. So I have to 100% disagree with you there. Autoit is a great scripting language and it should have the capability of being more secure if the script writer chooses so. Just my 2 more cents. ;)

exe packing is definitely the easiest way to go, but just remember that for every packager, there is at least one unpackager. also obfuscation is the choice of a lot of people that try to secure programs written in flash or java, either of which can be easily taken apart with a freeware decompiler. Basically the idea is to make your code as unreadable as possible. Don't use meaningful variable or function names, add extra functions that don't do anything, rather than using literal strings have string values created by looping concatenations. It is a lot of extra work, and kind of defeats the purpose of using high lvl languages in my opinion, but it does add a lot of security when done correctly. Also keep in mind that you could probably make a script to sufficiently muddle up your code without harming the actual integrity of it prior to packaging it. Maybe that'll be my next UDF an Obfuscator...(don't hold your breath though, i AM very lazy...)

1100111 00001011101111 00011101101111 00010111100100 00001111110100 00110111110010 00101101111001 0011100

i didn't make up this form of encryption, but i like it. credit to the lvl 6 challenge on arcanum.co.nz


OK THIS HAS GONE TOO FAR

1. You have only posted a few times and new any source, or even binaries for that matter. You have made no contributions, support or source wise.

2. AutoIt is an automated process intended to make the daily programmers' lives easier, EVERYTHING I HAVE EVER WRITTEN I HAVE GIVEN SOURCE. I wrote an Instant Messaging program, actually quite many of them and experimented a lot. I did not want to release them, but I released a database of 64 files with experimental scripts in them.

3. It doesn't matter if they have the source code. With a few questions you can spot a stealer.

4. "Great program" what great program. I have written a Blackjack game that took a week and around 1000+ lines and split it for developers and that was just a simple little game. A "great program" is like SciTe(not written in autoit) or Scriptomatic or even Tidy. So don't think anything is great until you can surpass even the lowest forms of scripting such as me.

5. END OF DISCUSSION......

**For those others I am really sorry for my outburst. I've seen tons of these posts and a 2 page discussion over this to a newb is just weird.**


END OF DISCUSSION......

I don't really see why this had to be repeated -- this was rather obvious from the last post date.

Anyway, I must agree that it wouldn't hurt to ditch EXE2AUT in the future. I'd be all for the idea.


#19 ·  Posted (edited)

OK THIS HAS GONE TOO FAR

1. You have only posted a few times and new any source, or even binaries for that matter. You have made no contributions, support or source wise.

2. AutoIt is an automated process intended to make the daily programmers' lives easier, EVERYTHING I HAVE EVER WRITTEN I HAVE GIVEN SOURCE. I wrote an Instant Messaging program, actually quite many of them and experimented a lot. I did not want to release them, but I released a database of 64 files with experimental scripts in them.

3. It doesn't matter if they have the source code. With a few questions you can spot a stealer.

4. "Great program" what great program. I have written a Blackjack game that took a week and around 1000+ lines and split it for developers and that was just a simple little game. A "great program" is like SciTe(not written in autoit) or Scriptomatic or even Tidy. So don't think anything is great until you can surpass even the lowest forms of scripting such as me.

5. END OF DISCUSSION......

**For those others I am really sorry for my outburst. I've seen tons of these posts and a 2 page discussion over this to a newb is just weird.**

Talk about somebody with a big head.

:P

BTW... I wrote this program... In autoit. With the help of a few members here.

Link Removed by myself

Just cause I don't post source code on the forums doesn't mean anything. I mean... why would I mention that I do not want my source code to be stolen? Because I would rather it not. I was just pointing out a serious breach in autoit. And you flame me for it? I help people all of the time... just because it isn't here doesn't mean a thing. If I was pointing out something like this... would it not be that I was trying to help and warn the developers of such a thing? I guess your post count makes you god here huh?

Sincerely...

A Newb ;)

Edited by Proph


#20 ·  Posted (edited)

as you can see by my original posts... i was very Skeptical of Proph also... but if you noticed my later posts stating that i give recognition that that script ( now demonstrated above ) was written in Autoit and Siginet was the Author...

And as stated previously... Proph... please understand our hesitancy to anyone whom just shows up with your statements and we do not recognize as a continual name seen in our forums or we cannot find many posts of scripting from.

8)

Edited by Valuater
