How Secure is AutoIT?


emergc
I have been using and studying AutoIT scripting for almost a year now. I am very happy with the software and there is no doubt that it is very useful. o:)

AutoIT has also become a part of my day to day activities at work and at home. I have never doubted its security until an officemate mentioned the program in an email.

The guy is a member of the Power Users group on his Windows XP computer in the office. He seems to know a lot about computers and even makes comments and gives his suggestions as to how we should do our job in the IT department. :)

He has given me the impression that he can actually analyse and disassemble our compiled AutoIT scripts. I am not sure about him but I have tried to "hack" or crack my own scripts just to find out if it could be done.

I am not a hacker or a cracker but sometimes I have to be one or at least, try and pretend to be one, just to check a script. :)

In our case, some scripts contain administrator passwords. We want to be sure that end-users will never find out what these passwords are. Actually, I am the one who brought AutoIT in the office. :lmao:

Are there tools that allow anyone to see what's inside an AutoIT script? Or is it enough to disallow decompilation in the compiler options?

Thank you. :)

  • Administrators

From the helpfile

Technical Details

The compiled script and additional files added with FileInstall are compressed with my own (Jon) compression scheme. 

Because a compiled script must "run" itself without a password it needs to be able to decrypt itself - i.e., the encryption is two-way.  For this reason you should regard the compiled exe as being encoded rather than completely safe.  For example, if I wrote a script that contained a username and password (say, for a desktop rollout) then I would be happy using something like a workstation-level user/password but I would not consider it safe for a domain/entire network password unless I was sure that the end-user would not have easy access to the .exe file.
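A pre-distribution check that follows from the helpfile's advice above, as an added example that is not part of the original thread or of AutoIt itself: it scans `.au3` source text for `RunAs`, `RunAsWait` and `RunAsSet` calls whose password argument is a string literal. The sample script, account names and passwords are constructed; line continuations and inline comments are not handled.

```python
import re

# AutoIt functions whose third argument is the account password
# (RunAsSet is the older form; AutoIt names are case-insensitive).
CALL = re.compile(r'\b(RunAsWait|RunAsSet|RunAs)\s*\(', re.IGNORECASE)
LITERAL = re.compile(r'''(["'])(?:(?!\1).)+\1''')  # non-empty quoted string

def split_args(text):
    """Split an argument list (text starts just after '(') on top-level
    commas, honouring AutoIt string literals in "..." or '...'."""
    args, cur, depth, quote = [], [], 0, None
    for ch in text:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in '"\'':
            quote = ch
            cur.append(ch)
        elif ch == ')' and depth == 0:
            break                      # end of this call's argument list
        elif ch == ',' and depth == 0:
            args.append(''.join(cur).strip())
            cur = []
        else:
            depth += (ch == '(') - (ch == ')')
            cur.append(ch)
    args.append(''.join(cur).strip())
    return args

def find_hardcoded_passwords(source):
    """Return (line_number, function_name) for each call whose password
    argument contains a string literal. The secret itself is not echoed."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(';'):   # whole-line comment
            continue
        for m in CALL.finditer(line):
            args = split_args(line[m.end():])
            if len(args) >= 3 and LITERAL.search(args[2]):
                hits.append((no, m.group(1)))
    return hits

# Constructed sample script; every name and password here is made up.
SAMPLE = '''\
; RunAsSet("Administrator", @ComputerName, "old-example")
RunAsSet("Administrator", @ComputerName, "Examp1e,Pass")
$pw = InputBox("Credentials", "Password:", "", "*")
RunAs("svc_rollout", "EXAMPLE", $pw, 0, "setup.exe")
RunAsWait('svc_rollout', 'EXAMPLE', 'hunter' & $suffix, 0, 'setup.exe')
'''
```

Running `find_hardcoded_passwords` over each script before it is compiled and handed to end-users shows which ones embed a literal password and therefore fall under the helpfile's "encoded rather than completely safe" caveat.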
