
I'm going to release a program with personal information in the source.



I'm planning to release a program that will have personal information such as passwords within the source. When I compress the source I first use obfuscator and disable the decompile option.

Now my question is, how safe are my passwords? If thousands of people are going to get my program, would it be unsafe?

Is there any way to solve this?

Thanks in advance. :)


I'm planning to release a program that will have personal information such as passwords within the source. When I compress the source I first use obfuscator and disable the decompile option.

Now my question is, how safe are my passwords? If thousands of people are going to get my program, would it be unsafe?

Is there any way to solve this?

Thanks in advance. :)

AutoIt is not as secure as other languages that compile to native machine code. The latest version of AutoIt has obfuscation and compression available; the devs have also removed the ability to decompile. However, your programs can still be decoded.

To solve this problem for a RunAs with embedded credentials, you could develop a tiny app in .NET (as far as language goes, choose your poison), Delphi, C++, or any other language that compiles to machine code that does nothing but accept filename parameters. The app would then simply perform a runas with credentials (which are safe in machine code).

Although, you're always susceptible to memory reading.

Certifications: A+, Network+, Security+, Linux+, LPIC-1, MCSA | Languages: AutoIt, C, SQL, .NET
Books: AutoIt v3: Your Quick Guide - $7.99 - O'Reilly Media - September 2007 --------> AutoIt v3 Development - newbie to g33k - Coming Soon - Fate Publishing - Spring 2013
UDF Libraries: SkypeCOM UDF Library | ADUC Computers OU Cleanup | Find PixelChecksum
Examples: Skype COM Examples - Skype4COMLib Examples converted from VBS to AutoIt

To solve this problem for a RunAs with embedded credentials, you could develop a tiny app in .NET (as far as language goes, choose your poison), Delphi, C++, or any other language that compiles to machine code that does nothing but accept filename parameters. The app would then simply perform a runas with credentials (which are safe in machine code).

Although, you're always susceptible to memory reading.

How would I make such an application? Are there any examples? I can still code in AutoIT with this method right?

Also, are C++ programs or whatever just as susceptible to memory reading as AutoIT programs?

Edited by tom13

How would I make such an application? Are there any examples? I can still code in AutoIT with this method right?

I don't know of any examples, but the program would be extremely simple. You'd need to learn how to perform a command-line run in C++ and how to create command-line parameters.

Also, are C++ programs or whatever just as susceptible to memory reading as AutoIT programs?

Yes, but you could try encrypting the credentials... if possible. For something like Local Administrator accounts, however, you're stuck with plain text. The risk is somewhat dependent upon which type of credentials you are embedding and how much privilege would be available to someone who got them.

Edited by Airwolf123

I don't know of any examples, but the program would be extremely simple. You'd need to learn how to perform a command-line run in C++ and how to create command-line parameters.

Yes, but you could try encrypting the credentials... if possible. For something like Local Administrator accounts, however, you're stuck with plain text. The risk is somewhat dependent upon which type of credentials you are embedding and how much privilege would be available to someone who got them.

Thanks for your help but unfortunately I have no idea how to do all that. :-[

So if I understand right, only one such program would have to be made to fix the popular issue of AutoIT's decompilation?

And that program source could be used for every AutoIt program?

That'd be great if someone could make it quickly? Really.. really great.

  • Moderators

So if I understand right, only one such program would have to be made to fix the popular issue of AutoIT's decompilation?

And that program source could be used for every AutoIt program?

That'd be great if someone could make it quickly? Really.. really great.

I don't believe you are understanding correctly.

I've not tried the runas method; it doesn't make much sense to me the way he's explained it anyway. I have written wrappers in other languages to prevent direct disassembly, but of course the other issue still exists.

I doubt anyone would write something for your proprietary project... well... I doubt they would do it for free anyway.

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


I don't believe you are understanding correctly.

I've not tried the runas method; it doesn't make much sense to me the way he's explained it anyway. I have written wrappers in other languages to prevent direct disassembly, but of course the other issue still exists.

I doubt anyone would write something for your proprietary project... well... I doubt they would do it for free anyway.

Yeah.. the runas method was not making sense for me either. Running an AutoIT exe with a C++ file would not make the AutoIT exe non-decompilable..

But what do you mean then? Do you have any suggestions on how to make it impossible to decompile it? What do you mean by writing wrappers in other languages to prevent direct disassembly? Is that what you made with EnCodeIt? Too bad you removed the program. The discussion about you not being trustable was total BS anyway. Oh well.. :)

Edited by tom13

  • Moderators

Yeah.. the runas method was not making sense for me either. Running an AutoIT exe with a C++ file would not make the AutoIT exe non-decompilable..

But what do you mean then? Do you have any suggestions on how to make it impossible to decompile it? What do you mean by writing wrappers in other languages to prevent direct disassembly? Is that what you made with EnCodeIt? Too bad you removed the program. The discussion about you not being trustable was total BS anyway. Oh well.. :)

No, EnCodeIt was written in AutoIt... after I removed it, Jos wrote a nicer one anyway in BCX.

They are/were obfuscators, which simply jumbled the visual output but still allowed the code to be runnable.

But there's those out there with more time on their hands and no moral standing on how their efforts affect others and their work, so even obfuscation is sort of obsolete in AutoIt.

My suggestion is if you are making proprietary applications, to do so in a language that does in fact compile to machine code, but keep in mind, even those are cracked if someone wants something bad enough.


My suggestion is if you are making proprietary applications, to do so in a language that does in fact compile to machine code, but keep in mind, even those are cracked if someone wants something bad enough.

Doh, I wish someone would have told me that _before_ learning this language. :[ I've pretty much done AutoIT for a couple of years now, and just when I finally got my real project finished I hear I can't even publish it..

1 more thing though, in this topic (#518301) you said this:

If you are looking to "Secure" your own scripts, I'd suggest writing your own obfuscation method and keeping it to yourself, find a packing method other than UPX that still works, or use a language that compiles to byte code.

Now I was wondering how exactly could I make my own obfuscator and/or packing method?

  • Moderators

Doh, I wish someone would have told me that _before_ learning this language. :[ I've pretty much done AutoIT for a couple of years now, and just when I finally got my real project finished I hear I can't even publish it..

They did tell you that. It's always been in the help file as long as I've been here under compile.

Unfortunately, most people only read what benefits them at the moment.

1 more thing though, in this topic (#518301) you said this:

Now I was wondering how exactly could I make my own obfuscator and/or packing method?

The first time I wrote EnCodeIt I was fairly new, and it took me about 3 months off and on... the 2nd time (total re-write) took me 2 weeks off and on.

If you look at any autoit obfuscated script, you'll see what you will have to do in order to make it work correctly.

The bottom line IMHO, AutoIt just isn't for proprietary applications at the moment.


Yeah.. the runas method was not making sense for me either. Running an AutoIT exe with a c++ file would not make the AutoIT exe non decompileable..

That is not its purpose. The purpose is to put the credentials in the C++ utility, so there is nothing sensitive in the AutoIt exe. It makes sense to me, but I guess I'm having trouble explaining it.

That is not its purpose. The purpose is to put the credentials in the C++ utility, so there is nothing sensitive in the AutoIt exe. It makes sense to me, but I guess I'm having trouble explaining it.

Hmm, with credentials you mean passwords etc.?

So if my AutoIt program is supposed to pull the passwords etc. out of the C++ program, what stops other programs from doing so as well? And if my AutoIt needs a password or something to access the C++ file, they could simply get that password by decompiling the AutoIt script?

Or is that not what you mean?

Maybe you could give an example or something to clear things up?

Any help would be greatly appreciated.. really greatly. =]

Made a project and really want to publish it, but can't atm due to passwords in source.


Hmm, with credentials you mean passwords etc.?

So if my AutoIt program is supposed to pull the passwords etc. out of the C++ program, what stops other programs from doing so as well? And if my AutoIt needs a password or something to access the C++ file, they could simply get that password by decompiling the AutoIt script?

Or is that not what you mean?

Maybe you could give an example or something to clear things up?

Any help would be greatly appreciated.. really greatly. =]

Made a project and really want to publish it, but can't atm due to passwords in source.

C++ program:

1. Takes input via command-line parameter (i.e. cppfilename.exe /runas "program.exe").

2. Performs RunAs on program listed in parameter with proper credentials.

3. Exits

All the AutoIt program has to do is call the cppfilename.exe with the proper parameters (i.e. RunWait('cppfilename.exe /runas "program.exe"')).

This would leave no sensitive information in the AutoIt exe; the credentials would be compiled into the machine code C++ exe.


  • Moderators

C++ program:

1. Takes input via command-line parameter (i.e. cppfilename.exe /runas "program.exe").

2. Performs RunAs on program listed in parameter with proper credentials.

3. Exits

All the AutoIt program has to do is call the cppfilename.exe with the proper parameters (i.e. RunWait('cppfilename.exe /runas "program.exe"')).

This would leave no sensitive information in the AutoIt exe; the credentials would be compiled into the machine code C++ exe.

Unfortunately, it would still leave the door open if decompiled to see how to call the command line params correctly.


Unfortunately, it would still leave the door open if decompiled to see how to call the command line params correctly.

But what would that get them? The credentials would not be input via command-line, they would be embedded in the C++ exe. :)

EDIT: Okay, I guess it would allow a user to actually perform a runas on something that you do not want them to. However, the security of the account credentials remains intact.

Edited by Airwolf123

  • Moderators

But what would that get them? The credentials would not be input via command-line, they would be embedded in the C++ exe. :)

EDIT: Okay, I guess it would allow a user to actually perform a runas on something that you do not want them to. However, the security of the account credentials remains intact.

lmao... yeah ... that they would (unless you stored them as a string lol ).

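The caveat in the post above (credentials kept as a plain string literal are recoverable from a native exe, not only from an AutoIt one) can be turned into a pre-release check. The following is an added example, not code from this thread, from AutoIt or from any of the posters: a minimal strings(1)-style scan plus a lookup for known secrets in both ASCII and UTF-16LE (how a C++ `L"..."` wide literal is laid out), run over a constructed byte buffer that stands in for a compiled exe. The secrets and the fake image bytes are constructed sample values.

```python
"""Pre-release check: does a build artefact still carry a credential verbatim?"""
import string

# Printable ASCII as strings(1) treats it: letters, digits, punctuation, space.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like strings(1))."""
    out, run = [], bytearray()
    for b in data:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:          # flush a run that ends at EOF
        out.append(run.decode("ascii"))
    return out


def find_embedded_secrets(data: bytes, secrets: list[str]) -> list[str]:
    """Report which known secrets appear verbatim in the artefact.

    Checks narrow (char*) and wide (wchar_t*, UTF-16LE on Windows) layouts,
    because a plain ASCII strings scan misses wide literals entirely.
    """
    found = []
    for s in secrets:
        if s.encode("ascii") in data or s.encode("utf-16-le") in data:
            found.append(s)
    return found


# Constructed stand-in for a compiled exe: a few machine-code-like bytes with
# one narrow literal and one wide literal embedded, as a C++ compiler would
# lay out "Hunter2!" and L"W1deP@ss". Not a real binary.
FAKE_EXE = (
    b"MZ\x90\x00\x03\x00"                      # header-ish bytes
    + b"\x55\x8b\xec\x83\xec\x10"              # code-ish bytes
    + b"DOMAIN\\svc_account\x00"               # narrow literal: account name
    + b"\xff\x15\x90\x90\xcc\x00"
    + b"Hunter2!\x00"                          # narrow literal: password
    + "W1deP@ss".encode("utf-16-le") + b"\x00\x00"  # wide literal: password
    + b"\xc9\xc3\x00\x00"
)

if __name__ == "__main__":
    print("ASCII strings:", extract_strings(FAKE_EXE))
    print("Secrets found:", find_embedded_secrets(FAKE_EXE, ["Hunter2!", "W1deP@ss"]))
```

This only inspects the on-disk image; as noted earlier in the thread, whatever the program decrypts or assembles at runtime is still readable from process memory, so a clean scan does not make embedded credentials safe.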

Unfortunately, it would still leave the door open if decompiled to see how to call the command line params correctly.

Exactly.. that's what I meant in my previous post.

So that method is basically broken.

Unfortunately =(

