AutoIt Security

[DaProgrammer]

i am thinking to create a USB ThumbDrive Token(OTS password generator)

now i was thinking to link the exe file to the USB Thumb Drive so it will only run if its on the ThunbDrive and not anywhere else, using stuff like :

DriveGetSerial()

DriveGetLabel()

DriveGetFileSystem()

DriveGetType()

DriveSpaceTotal()

since its a password generator security is a major concern for me.

my question is how secure is autoit ?

Question 1 : if this file ends up in the wrong hands will he be able to: run it on his Hard Drive skipping these checks ?

Question 2 : if this file ends up in the wrong hands will he be able to: find out how the passwords are generated and duplicate the process ?

Question 3 : is there a way to make the file in a way it cannot be copied from the ThumbDrive ?

ty for any help you can provide.

Edited March 30, 2008 by DaProgrammer

[monoceres]

1: Unfortunetly yes, when you "compile" a script you only compress it with UPX and there are programs which let you decompress UPX, and after that he will have full access to your source (and can therefore remove the checking part).

2: Same as number 1

3: Don't think so, if you can run it you can copy it

My suggestion is to try to do the same thing but with c++ or any other language that let you do true compiles.

[Jos]

1: Unfortunetly yes, when you "compile" a script you only compress it with UPX and there are programs which let you decompress UPX, and after that he will have full access to your source (and can therefore remove the checking part).

This doesn't sound correct ... but bottom line is that its retrievable.

My suggestion is to try to do the same thing but with c++ or any other language that let you do true compiles.

Correct but everything is "crackable" as most software developers know.

[weaponx]

I would obfuscate your code. This will make it very difficult to reverse engineer.

http://www.autoitscript.com/forum/index.ph...mp;hl=obfuscate

If you want it to work, DO NOT create your token with DriveSpaceTotal(), this changes every millisecond.

Maybe put a password prompt at the beginning of your script, a simple InputBox() with a static password in the script.

[monoceres]

Correct but everything is "crackable" as most software developers know.

But it's a lot harder.

The securest way to protect the data is to encrypt it (Or locking it up in a bank vault somewhere ).

Edited March 30, 2008 by monoceres

[Jos]

Obfuscating the script adds a lot of extra kbs to the compiled script right? Will it be slower to run?

Yes.. but that's a given, but the important questions are: Is that important and if so, how much is it slower?

That dependsw on many things so try it and let us know.

[MHz]

Question 3 : is there a way to make the file in a way it cannot be copied from the ThumbDrive ?

To stop someone moving it off the drive to defeat it, now that would be a challenge to try to stop. Truecrypt is perhaps a better solution to use. Encrypt the drive is what the norm is AFAIK.

[DaProgrammer]

Obfuscating is a given ofcourse i will do that ^^

true crypt is a problem couse then it needs to be mounted which makes the procees alot slower.

i made an alpha already and it looks pretty nice, now im just working on the encryption which ill use.

anyone know of an encryption that can be done in autoit and then decrypted in asp/vbscript ?