Proph Posted September 19, 2005

I have written some pretty good programs with AutoIt that I spent a lot of time writing... and I have seen people get my source code even though I specifically clicked to not allow decompilation. I tried reading around the forums for a solution... but it looks like there is no way to prevent this.

If that is the case... are there any methods I can use to make it more difficult for my scripts to be cracked like that? Should I put a password in it myself? Or is the option Do not allow decompilation better protection? Would it be possible to change the algorithms used to encrypt the exe?

I am just curious as to what method would be the safest method to use if I do not want my source to be leaked.

Thanks to anyone who can help me.

Valuater Posted September 19, 2005

> I have written some pretty good programs with AutoIt that I spent a lot of time writing... and I have seen people get my source code even though I specifically clicked to not allow decompilation. I tried reading around the forums for a solution... but it looks like there is no way to prevent this.
> If that is the case... are there any methods I can use to make it more difficult for my scripts to be cracked like that? Should I put a password in it myself? Or is the option Do not allow decompilation better protection? Would it be possible to change the algorithms used to encrypt the exe?
> I am just curious as to what method would be the safest method to use if I do not want my source to be leaked.
> Thanks to anyone who can help me.

First

I could not find ONE LINE of code you have written here... NOT ONE LINE

So... who has broken what great programs you have written????

Second, to decompile is not easy... just take a look at these posts

this one has developers saying how tough it is to decompile
http://www.autoitscript.com/forum/index.ph...st=0&p=108930

here is a lengthy one
http://www.autoitscript.com/forum/index.ph...pic=15457&st=0#

there are developers in this one too
http://www.autoitscript.com/forum/index.ph...st=0&p=104633

so.... what programs did "they" decompile??????

8)

Edited September 19, 2005 by Valuater

Proph (Author) Posted September 19, 2005

Well... the one that got decompiled is not one that I should post on the board. It was not a very big program... and I could care less that the source was leaked from it. But... I would hate to see a few of my other programs' source get leaked. If what you say is true that would make me feel much safer. Maybe some of the posts I have read were old ones.

BTW... I have not posted any programs here. One of the programs I would hate to see my code leaked from is called "Edited".

Also... why are you so sarcastic in your post? I was asking what I feel is not such a stupid question. Do you think I was lying or what?

Edited September 19, 2005 by Proph

Proph (Author) Posted September 19, 2005

Well... I found out how to decompile an exe... even if the author doesn't want you to. I have a version of EXE2AU3 that does not need to have the passphrase. This is what is in the readme.txt:

> AutoIt3-Decompiler
> ==================
>
> What is this?
> This will extract the AutoIt3-script(*.au3) from AutoIt3-Installations(*.exe) --> http://www.autoitscript.com/autoit3/
> Often AutoIt3 is misused by Trojan writers to install their crap on your PC so the decompiler may bring some light in the dark. To see if some file is an AutoIt3-Installation watch the file properties version information.
>
> What has improved? (Version 1.0)
> * Now to make things easier there is no need to enter the pass phrase anymore - it is auto filled for you during decompiling.
> * You can directly enter the filenames
>
> The pass phrase is ridiculous: it is stored inside the script, so why enter it again? Anyway there is also a problem with the pass phrase textbox, which was limited to 64 chars, but the password sometimes can be 256 chars. Well, if you force 256 chars into the textbox decompilation succeeded, but after it finished the program crashed because of a buffer overflow. But by now you needn't worry about it anymore. :)
>
> Limitations:
> Files stored inside an AutoIt3-Installation are not extracted
>
> Tools used to create:
> Ollydebug, PE-Explorer, UPX

So it doesn't look like my question was stupid. Actually... I hope the admins look into this. I tried this file on my programs and it easily got the code. Didn't take any time at all. It was instant.

Please someone... at least PM me with info on how I may be able to prevent this. We must be able to do something. This is a serious issue.

Edited September 19, 2005 by Proph

Valuater Posted September 19, 2005

1. Nice program...
2. Definitely written in AutoIt
3. if that EXE2AU3 does it that easy... then it needs attention
4. there was no proof of you doing anything here in the AutoIt forums except asking questions....

so if that is you.. then, I sincerely apologize... siginet

8)

Edited September 19, 2005 by Valuater

Proph (Author) Posted September 19, 2005

No problem. But yes it does exactly what I stated... and it does need to be looked into. I hope the admins contact me asap. I will send them this file I have so they can look into the issue deeper. The program is basically a skeleton key to autoit.

BTW... thanks for the compliment of my program. But I could have never made it without the help of people on the forums here.

Edited September 19, 2005 by Proph

Valuater Posted September 19, 2005

i also found this from "jon"..... the man

http://www.autoitscript.com/forum/index.php?showtopic=11802#

8)

Proph (Author) Posted September 19, 2005

Thanks for the link. Seems I do not have permission to post in that topic. Maybe cause I have a low post count? But if I could post to it I would agree to get rid of the EXE2AUT option. I don't think there is a need for it at all. I never use it. Why do I need it if I have my original .au3 file? If it causes a security risk like this then it is too much of a risk in my opinion.

Could there maybe be 2 versions of autoit? One that has the decompile functions (For newbies) and one that doesn't (For advanced users)?

Valik Posted September 19, 2005

You can blame whiny bitches who can't seem to maintain proper backups for the decompiler. Jon literally got tired of listening to people bitch for the decompiler and most were from idiots who for one reason or another would manage to lose their source and only have a binary. Thus, he created the decompiler.

Anyway, to answer your question: The best security is to never let anybody touch your binary; anything else is insecure by default. It's as simple as it is impractical but it is the only absolute truth in security.

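Why a passphrase that is stored inside the file, as the readme quoted earlier in the thread describes, protects nothing, and what Valik's answer means in practice. This is an added example, not part of the thread and not AutoIt's code; the container layout and the names `pack`, `unpack` and `MAGIC` are constructed for illustration and do not reflect AutoIt's real file format.

```python
import hashlib
import hmac
import os
from typing import Optional

MAGIC = b"TOY1"  # constructed toy container, not AutoIt's real layout


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: a toy stream cipher, for illustration only."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def pack(script: bytes, passphrase: bytes, embed_passphrase: bool) -> bytes:
    """Build a blob: magic, nonce, optional stored passphrase, MAC, encrypted script."""
    nonce = os.urandom(8)
    key = hashlib.sha256(passphrase).digest()
    body = _xor(script, _keystream(key, nonce, len(script)))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    stored = passphrase if embed_passphrase else b""
    return MAGIC + nonce + bytes([len(stored)]) + stored + tag + body


def unpack(blob: bytes, passphrase: Optional[bytes] = None) -> bytes:
    """Recover the script. A blob that carries its own passphrase needs no input."""
    if blob[:4] != MAGIC:
        raise ValueError("not a toy container")
    nonce, n = blob[4:12], blob[12]
    stored, rest = blob[13:13 + n], blob[13 + n:]
    tag, body = rest[:32], rest[32:]
    # Whoever holds the file holds everything the program itself needs to run.
    secret = stored if n else passphrase
    if secret is None:
        raise PermissionError("passphrase not in file and none supplied")
    key = hashlib.sha256(secret).digest()
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise PermissionError("wrong passphrase")
    return _xor(body, _keystream(key, nonce, len(body)))
```

The withheld form only works if the user types the passphrase at every start, so a program that must run unattended on someone else's machine cannot use it; that is the impractical side of the trade-off.
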
Proph (Author) Posted September 19, 2005

> Anyway, to answer your question: The best security is to never let anybody touch your binary; anything else is insecure by default. It's as simple as it is impractical but it is the only absolute truth in security.

That would not be very practical for most programs... unless it was only for private use. But I understand what you mean. I know that no matter what there will always be someone that will crack anything... but that doesn't mean we have to make it easy for them. Most of us here probably are experts at cracking most tools.

I hope Jon may reconsider removing the decompiler. Just add in his disclaimer that users are responsible for making their own backups. Like someone on the forums stated... "If autoit is going to be used as a tool for doing things as good as it does now... It should not have such an easy way to decompile it. For security reasons." Somebody said something like that (Not in the exact words).

SmOke_N (Moderators) Posted September 19, 2005

> maintain proper backups

> I would agree to get rid of the EXE2AUT option.

IMHO... I would have to agree w/ both of those.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.

ParoXsitiC Posted September 19, 2005

EXE compression is a good way to get rid of stealing source code. It also shrinks program size down a lot. One of my exe's was around 180K and I compressed it to 50K.

Another way I used to do was get rid of every space and line break in the source code. That way it would be a mess and would at least make the stealer not want to format it. (other langs.)

http://upx.sourceforge.net/ is a good EXE compressor

SmOke_N (Moderators) Posted September 19, 2005

> http://upx.sourceforge.net/ is a good EXE compressor

Hmm, (UPX) isn't that the one that we use? Thanks for the link though.

Uten Posted September 19, 2005

I just have to add my 2 cents worth of thought :">

In my mind autoit is primarily a scripting tool, and as such the code is open to all eyes prying.

I too have found it really easy to write useful tools in it. But if my tool is of such nature that people should not be able to see the source I think I owe it to myself to port my code to a "proper" language. Not that it helps much against professional peekers though.

Please, this is not meant to be a "blame yourself" speech, just my 2 cents of scripting languages source code secrets.

Best Regards
Uten

Proph (Author) Posted September 19, 2005

> I just have to add my 2 cents worth of thought :">
> In my mind autoit is primarily a scripting tool, and as such the code is open to all eyes prying.
> I too have found it really easy to write useful tools in it. But if my tool is of such nature that people should not be able to see the source I think I owe it to myself to port my code to a "proper" language. Not that it helps much against professional peekers though.
> Please, this is not meant to be a "blame yourself" speech, just my 2 cents of scripting languages source code secrets.
> Best Regards
> Uten

That would have been true before Autoit was able to have a gui and do most if not all things that other scripting languages do. But now autoit has gotten much more advanced. So I have to 100% disagree with you there. Autoit is a great scripting language and it should have the capability of being more secure if the script writer chooses so.

Just my 2 more cents.

seandisanti Posted September 19, 2005

> That would have been true before Autoit was able to have a gui and do most if not all things that other scripting languages do. But now autoit has gotten much more advanced. So I have to 100% disagree with you there. Autoit is a great scripting language and it should have the capability of being more secure if the script writer chooses so. Just my 2 more cents.

exe packing is definitely the easiest way to go, but just remember that for every packager, there is at least one unpackager. also obfuscation is the choice of a lot of people that try to secure programs written in flash or java, either of which can be easily taken apart with a freeware decompiler. Basically the idea is to make your code as unreadable as possible. Don't use meaningful variable or function names, add extra functions that don't do anything, rather than using literal strings have string values created by looping concatenations. It is a lot of extra work, and kind of defeats the purpose of using high lvl languages in my opinion, but it does add a lot of security when done correctly. Also keep in mind that you could probably make a script to sufficiently muddle up your code without harming the actual integrity of it prior to packaging it. Maybe that'll be my next UDF, an Obfuscator... (don't hold your breath though, i AM very lazy...)

themax90 Posted October 9, 2005

OK THIS HAS GONE TOO FAR

1. You have only posted a few times and new any source, or even binaries for that matter. You have made no contributions, support or source wise.
2. AutoIt is an automated process intended to make the daily programmers' lives easier, EVERYTHING I HAVE EVER WRITTEN I HAVE GIVEN SOURCE. I wrote an Instant Messaging program, actually quite many of them and experimented a lot. I did not want to release them, but I released a database of 64 files with experimental scripts in them.
3. It doesn't matter if they have the source code. With a few questions you can spot a stealer.
4. "Great program" what great program. I have written a Blackjack game that took a week and around 1000+ lines and split it for developers and that was just a simple little game. A "great program" is like SciTe (not written in autoit) or Scriptomatic or even Tidy. So don't think anything is great until you can surpass even the lowest forms of scripting such as me.
5. END OF DISCUSSION......

**For those others I am really sorry for my outburst. I've seen tons of these posts and a 2 page discussion over this to a newb is just weird.**

LxP Posted October 9, 2005

> END OF DISCUSSION......

I don't really see why this had to be repeated -- this was rather obvious from the last post date.

Anyway, I must agree that it wouldn't hurt to ditch EXE2AUT in the future. I'd be all for the idea.

Proph (Author) Posted October 11, 2005

> OK THIS HAS GONE TOO FAR
> 1. You have only posted a few times and new any source, or even binaries for that matter. You have made no contributions, support or source wise.
> 2. AutoIt is an automated process intended to make the daily programmers' lives easier, EVERYTHING I HAVE EVER WRITTEN I HAVE GIVEN SOURCE. I wrote an Instant Messaging program, actually quite many of them and experimented a lot. I did not want to release them, but I released a database of 64 files with experimental scripts in them.
> 3. It doesn't matter if they have the source code. With a few questions you can spot a stealer.
> 4. "Great program" what great program. I have written a Blackjack game that took a week and around 1000+ lines and split it for developers and that was just a simple little game. A "great program" is like SciTe (not written in autoit) or Scriptomatic or even Tidy. So don't think anything is great until you can surpass even the lowest forms of scripting such as me.
> 5. END OF DISCUSSION......
> **For those others I am really sorry for my outburst. I've seen tons of these posts and a 2 page discussion over this to a newb is just weird.**

Talk about somebody with a big head. BTW... I wrote this program... In autoit. With the help of a few members here.

Link Removed by myself

Just cause I don't post source code on the forums doesn't mean anything. I mean... why would I mention that I do not want my source code to be stolen? Because I would rather it not. I was just pointing out a serious breach in autoit. And you flame me for it? I help people all of the time... just because it isn't here doesn't mean a thing. If I was pointing out something like this... would it not be that I was trying to help and warn the developers of such a thing? I guess your post count makes you god here huh?

Sincerely...
A Newb

Edited October 14, 2005 by Proph

Valuater Posted October 11, 2005

as you can see by my original posts... i was very skeptical of Proph also...

but if you noticed my later posts stating that i give recognition that that script (now demonstrated above) was written in AutoIt and Siginet was the Author...

And as stated previously... Proph... please understand our hesitancy to anyone who just shows up with your statements and we do not recognize as a continual name seen in our forums or we cannot find many posts of scripting from.

8)

Edited October 11, 2005 by Valuater