thegreatjedi

How can I convert my AutoIT application into C++?


I've a working application written in AutoIT. However, we just found out from our client that it needs to pass a code analysis test for security reasons. The code analysis tool they're using doesn't support AutoIT, so I'll need to look into converting the code just in case the current version can't be approved.

Out of the supported languages, C++ is the only language I'm certain doesn't require installations of additional runtime dependencies that don't already exist in the production servers (we've visual c++ 2005 redist on win2k servers).

Is there any way to convert my existing AutoIT code to C++ without manually rewriting from scratch, or at least something that can help me speed things up if that's the only way? I still need to relearn C++ seeing as how I only touched it once in a single module during the third sem of univ. I found this thread in the forum but the solution linked within is dead.

Side info for those wondering: The reason why we only found out about the code analysis test requirement now is that this was originally just an exploratory effort and neither side knew what to expect. AutoIT was chosen (internally, not by contractual agreement) before I joined the project, and I was still a fresh grad so I didn't question much. But today I'm one-manning the whole thing (it's not a large app and 100% of the code is basically mine, following some heavy redesigns after they decided to fully commit to producing this thing). Questions were only raised after I figured out that the only way to run this app without runtime dependencies is to build it as a .exe, which we do know has a whole set of security red tape to go through before it can be deployed on production servers. So...here we are.


What kind of code analysis test? There is no way to automatically convert your AutoIt code to a C variant, and definitely not code which could be human readable. Your options are to either convince them to perform a manual code analysis on your script or rewrite the whole thing in C/C++.

Edited by TheDcoder

A cross-platform implementation of the AutoIt language

My contributions to the AutoIt Community ##AutoIt at freenode, real-time chat


If I have hurt or offended you in anyway, Please accept my apologies, I never (regardless of the situation) intend to do that to anybody.


This is a too common misconception.  Tell them they walk on a path that does not lead to the top of the mountain.

Most (if not all) code analysis tools can be viewed —in the very best case only— as "assigning meaning to programs" after the fact, in the sense of R. Floyd.
This is exactly the same thing as trying to understand in great detail all the semantic subtleties of a significantly large Klingon text, by just knowing the Klingon alphabet.  Obviously such an approach gains you zero guaranteed knowledge about the dangerousness of the actual Klingon intents against your planet or civilization.  Monthly (weekly, daily) "vulnerability patches" from MS and others illustrate the fact.

If your client really cares about security and correctness of the programs they want to use, they should think the opposite way: "assign programs to meanings": https://www.researchgate.net/publication/220695256_The_B-book_-_assigning_programs_to_meanings

I don't expect generic IT staff to go that route so the best you can do is set up a code review task force on the AutoIt source or write a formally proven correct B0 to AutoIt converter and re-develop the project with B method, down to proven-correct AutoIt code.  Just be warned that the latter way isn't completely trivial.


This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

3 hours ago, jchd said:

This is a too common misconception.  Tell them they walk on a path that does not lead to the top of the mountain.

Most (if not all) code analysis tools can be viewed —in the very best case only— as "assigning meaning to programs" after the fact, in the sense of R. Floyd.
This is exactly the same thing as trying to understand in great detail all the semantic subtleties of a significantly large Klingon text, by just knowing the Klingon alphabet.  Obviously such an approach gains you zero guaranteed knowledge about the dangerousness of the actual Klingon intents against your planet or civilization.  Monthly (weekly, daily) "vulnerability patches" from MS and others illustrate the fact.

If your client really cares about security and correctness of the programs they want to use, they should think the opposite way: "assign programs to meanings": https://www.researchgate.net/publication/220695256_The_B-book_-_assigning_programs_to_meanings

I don't expect generic IT staff to go that route so the best you can do is set up a code review task force on the AutoIt source or write a formally proven correct B0 to AutoIt converter and re-develop the project with B method, down to proven-correct AutoIt code.  Just be warned that the latter way isn't completely trivial.

Can't say I follow completely. Here's some details to help clarify my situation.

If I remember correctly, they're using HP Fortify Software Security Center. I'm not fully certain of what the client is looking for, but it seems they want to scan the source code for vulnerabilities to stuff like SQL injections etc. The application being developed will be used in various government projects including those in defence-related domains, so there're multiple levels of approval and requirements to pass. The code analysis tool is supposed to be a first-level check that developers can immediately act upon, and to generate a report that provides a degree of assurance further down the approval process. This HP tool doesn't support the analysing of AutoIT syntax. No support, no scanning, no report, weaker case for approval by authorities for whom the compiled executable is essentially a black box.

3 hours ago, thegreatjedi said:

weaker case for approval by authorities for whom the compiled executable is essentially a black box.

Give them the source code, let them perform a security audit manually.

There isn't anything more that can be done unfortunately...



Then I'm afraid there isn't anything that can be done to pass the barrier: source can be reviewed but the interpreter and the core functions are closed source.


7 hours ago, jchd said:

...but the interpreter and the core functions are closed source. 

Ah, true, I didn't think of this aspect... I guess this is one of the anti-features of AutoIt 😕

Oh well, at least it is free to use ;)


15 hours ago, thegreatjedi said:

HP Fortify Software Security Center

Fortify SCA supports a wide variety of languages, frameworks and operating systems.
  • Languages: ASP.NET, C/C++, C#, ColdFusion, Java, JSP, PL/SQL, T-SQL, XML, VB.NET and other .NET languages
  • Platforms: Windows, Solaris, Linux, Mac OS X, HP-UX, AIX
  • Frameworks: J2EE/EJB, Struts, Hibernate.

So that is that.

On 6/8/2019 at 1:48 PM, thegreatjedi said:

The application being developed will be used in various government projects including those in defence-related domains, so there're multiple levels of approval and requirements to pass.

My impression is that AutoIt is very commonly used in the US military.  And, you know, if it is good enough for the Army, then, well... :)

 


Skysnake

Why is the snake in the sky?


Did the Pentagon actually drop ADA for AutoIt? :ninja::robot:

