Secure string ?

vaultdweller

Hi everyone!

As many of you know, text strings are most often visible in clear text if you open the EXE in an editor of some sort. Now, the script I have needs to run another .VBS script with "run as". I want to make sure a hacker can't parse the EXE and find out the login that is used in the run as part.

Is there anything like var$ = SecureString("This text shouldn't be visible in the EXE!")

Thanks!

Edited by vaultdweller

vaultdweller

Could you transpose the VBS script to autoit?

Thanks for the reply, but either way the problem remains. It's for a login script, where Domain Users will have to impersonate another account to reach network resources that as themselves, they don't have any access to.

TehWhale

You could probably use a bunch of Chr() and mixing stuff so that it will return a secure string. I think I could do this so it's not easily readable but it can be read with effort.

Szhlopp

Bottom line, AutoIt is NOT secure. You can decompile and de-obfuscate anything done in this language.

Your best bet is to write it in C++ and make a DLL with the verification process inside. It can still be decompiled, but it's a whole lot harder.

Option 2:

Create your own obfuscator. I've personally done this and it isn't all that hard. Again, it can be decompiled but if you make a custom obfuscator none of the current ones will work on it.

Hope this helps

PsaltyDS

You can get some obfuscation of the data, but not hide it completely from a determined hacker. You could encrypt the string with _StringEncrypt(), put the encrypted string in the script at compile time, and then have the script decrypt and use it at run time. But if the script is decompiled it will be possible to extract the pass phrase used to encrypt the original string, and then decrypt the string itself.

It's an old problem and there is no easy or totally secure answer. As a general rule: Do not hard code significant passwords in a script!

:P


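One way to audit scripts for the hard-coded secret pattern described in the reply above, as an added example (not code from any poster in this thread): a Python check that flags AutoIt RunAs, RunAsWait and _StringEncrypt calls whose third argument is a quoted literal or a variable assigned one. It assumes the third argument of those functions is the password or pass phrase; the sample script, account name and password are constructed.

```python
import re

SENSITIVE = {"runas": "password", "runaswait": "password", "_stringencrypt": "pass phrase"}
CODE = re.compile(r"""(?:[^;"']|"[^"]*"|'[^']*')*""")  # text before a ';' comment
LITERAL = re.compile(r"""("[^"]*"|'[^']*')+$""")         # a quoted string literal
ASSIGN = re.compile(r"\s*(?:(?:Global|Local|Dim|Const)\s+)*(\$\w+)\s*=\s*(.+)", re.I)
CALL = re.compile(r"([A-Za-z_]\w*)\s*\(")

def split_args(text, start):
    """Split the argument list opening at text[start] == '(' on top-level commas."""
    args, depth, quote = [""], 0, None
    for ch in text[start + 1:]:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            if depth < 0:
                break
        elif ch == "," and depth == 0:
            args.append("")
            continue
        args[-1] += ch
    return [a.strip() for a in args]

def find_hardcoded_secrets(source):
    """Return (line_no, function, kind) for calls whose 3rd argument is a literal secret."""
    literal_vars, findings = set(), []
    for no, raw in enumerate(source.splitlines(), 1):
        line = CODE.match(raw).group(0)
        m = ASSIGN.match(line)
        if m:  # track which variables currently hold a quoted literal
            is_lit = LITERAL.match(m.group(2).strip())
            (literal_vars.add if is_lit else literal_vars.discard)(m.group(1).lower())
        for call in CALL.finditer(line):
            kind = SENSITIVE.get(call.group(1).lower())
            args = split_args(line, call.end() - 1) if kind else []
            if len(args) > 2 and (LITERAL.match(args[2]) or args[2].lower() in literal_vars):
                findings.append((no, call.group(1), kind))
    return findings

SAMPLE = '''; constructed login script, not from the thread
Local $sPass = "Winter2008!"   ; literal kept in a variable
RunAs("svc_share", "CORP", $sPass, 0, "wscript.exe map.vbs")
$sPlain = _StringEncrypt(0, "A1B2C3", "my key", 2)   ; pass phrase ships in the EXE
$sAsk = InputBox("Login", "Password", "", "*")
RunAsWait("svc_share", "CORP", $sAsk, 0, "wscript.exe map.vbs")   ; prompted at run time
'''
print(find_hardcoded_secrets(SAMPLE))
```

Literals built by concatenation or returned from helper functions are not tracked, so a clean result does not prove a script is free of embedded secrets.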
vaultdweller

Yeah. I think I'll just make the account the script uses part of a specific group that is not part of the domain admins. That way, less harm if the password is found out.

Thanks all!
