Theo Tonge

Compiled RunAsSet - is it secure?

6 posts in this topic

I am wondering if I can use the RunAsSet function to create a simple compiled script that launches particular apps as particular users without them needing to know the password.

I am unsure, however, if once compiled there would be any way for someone to find out the password?

Any help would be much appreciated.

Maybe yes and maybe no. The data is there, so if you dig deep enough you can get it out, but you will need to dig very deep; it's safe enough for you.

You can also use StringEncrypt to encrypt a string, paste that into the code and decrypt it when running the code.

Simple answer: NO

Technical Details

The compiled script and additional files added with FileInstall are compressed with my own (Jon) compression scheme.

Because a compiled script must "run" itself without a password it needs to be able to decrypt itself - i.e., the encryption is two-way. For this reason you should regard the compiled exe as being encoded rather than completely safe. For example, if I wrote a script that contained a username and password (say, for a desktop rollout) then I would be happy using something like a workstation-level user/password but I would not consider it safe for a domain/entire network password unless I was sure that the end-user would not have easy access to the .exe file.


> I am wondering if I can use the RunAsSet function to create a simple compiled script that launches particular apps as particular users without them needing to know the password.
>
> I am unsure, however, if once compiled there would be any way for someone to find out the password?
>
> Any help would be much appreciated.

What I do is break the password up into two or three character strings and throw some dummy strings into the mix as well. Then I construct the password by appending the proper strings. Kind of like this:

$a = "pas"
$b = "mt"
$c = "swo"
$d = "not"
$e = "here"
$f = "rd"

$password = $a & $c & $f; ends up being "password"

If someone runs a strings command against your code, they won't find the password all at once. Still isn't 100% but is much better than simply having one string with a password in it.

A more secure option is to create your own password encoding program in AutoIt. Also create a decoding routine to include as a function in any program needing the password. Run the encoding program with your password, copy the resulting encoded password to your new program and use the decoding routine to re-create the original password. Just a thought.


> What I do is break the password up into two or three character strings and throw some dummy strings into the mix as well. Then I construct the password by appending the proper strings. Kind of like this:
>
> $a = "pas"
> $b = "mt"
> $c = "swo"
> $d = "not"
> $e = "here"
> $f = "rd"
>
> $password = $a & $c & $f; ends up being "password"
>
> If someone runs a strings command against your code, they won't find the password all at once. Still isn't 100% but is much better than simply having one string with a password in it.
>
> A more secure option is to create your own password encoding program in AutoIt. Also create a decoding routine to include as a function in any program needing the password. Run the encoding program with your password, copy the resulting encoded password to your new program and use the decoding routine to re-create the original password. Just a thought.

lol you're funny.


> Maybe yes and maybe no. The data is there, so if you dig deep enough you can get it out, but you will need to dig very deep; it's safe enough for you.
>
> You can also use StringEncrypt to encrypt a string, paste that into the code and decrypt it when running the code.

Encrypting the string won't help because if you know the source then the decryption mechanism is staring you right in the face. The best way is to use obfuscation along with encryption.

Edited by DarthVega
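
The limit of the fragment-splitting approach discussed in this thread, as an added example that is not from any poster here: a short Python audit over AutoIt script source that folds `&`-joined string fragments back into the constant they produce and reports any RunAsSet call whose password argument resolves to one. The sample script, the account name `svc_install` and all function names are constructed for illustration; the check assumes the password is RunAsSet's third argument and handles only double-quoted literals.

```python
import re
# Constructed sample input, modelled on the fragment-splitting post above.
SAMPLE = '''\
$a = "pas"
$b = "mt"
$c = "swo"
$d = "not"
$f = "rd"
$password = $a & $c & $f ; ends up being "password"
RunAsSet("svc_install", @ComputerName, $password)
'''

ASSIGN = re.compile(r'^(?:(?:Local|Global|Dim|Const)\s+)*(\$\w+)\s*=\s*(.+)$', re.I)
CALL = re.compile(r'\bRunAsSet\s*\((.*)\)', re.I)
PART = re.compile(r'\s*(?:"((?:[^"]|"")*)"|(\$\w+))\s*(&|$)')

def split_outside_strings(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, quoted = [""], False
    for ch in text:
        quoted ^= ch == '"'  # every double quote toggles the in-string state
        if ch == sep and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
    return parts

def fold(expr, env):
    """Evaluate an expression built only from literals and known variables joined by '&'."""
    out, pos, sep = "", 0, "&"
    while pos < len(expr):
        m = PART.match(expr, pos)
        piece = m and (env.get(m[2].lower()) if m[2] else m[1].replace('""', '"'))
        if piece is None:
            return None  # function call, macro or unknown variable: not a constant
        out, pos, sep = out + piece, m.end(), m[3]
    return None if sep == "&" else out  # empty or dangling '&' is not a constant

def find_embedded_passwords(source):
    """Return (line number, value) for RunAsSet calls whose password is a constant."""
    env, hits = {}, []
    for no, raw in enumerate(source.splitlines(), 1):
        line = split_outside_strings(raw, ";")[0].strip()  # ';' starts a comment
        if m := ASSIGN.match(line):
            env[m[1].lower()] = fold(m[2], env)  # AutoIt names are case-insensitive
        elif m := CALL.search(line):
            args = split_outside_strings(m[1], ",")  # user, domain, password
            if len(args) >= 3 and (value := fold(args[2], env)) is not None:
                hits.append((no, value))
    return hits
```

Passwords produced by a function call or macro are not resolved by this check, so an empty result does not mean the script holds no recoverable secret.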