vaultdweller Posted October 28, 2008 (edited)

Hi everyone!

As many of you know, text strings are most often visible in clear text if you open the EXE in an editor of some sort. Now, the script I have needs to run another .VBS script with "run as". I want to make sure a hacker can't parse the EXE and find out the login that is used in the run as part.

Is there anything like var$ = SecureString("This text shouldn't be visible in the EXE!")

Thanks!

Edited October 28, 2008 by vaultdweller

Bert Posted October 28, 2008

Could you transpose the VBS script to AutoIt?

The Vollatran project
My blog: http://www.vollysinterestingshit.com/

vaultdweller Posted October 28, 2008 (Author)

> Could you transpose the VBS script to AutoIt?

Thanks for the reply, but either way the problem remains. It's for a login script, where Domain Users will have to impersonate another account to reach network resources that as themselves, they don't have any access to.

TehWhale Posted October 28, 2008

You could probably use a bunch of Chr() and mixing stuff so that it will return a secure string. I think I could do this so it's not easily readable but it can be read with effort.

Szhlopp Posted October 28, 2008

> Hi everyone!
> As many of you know, text strings are most often visible in clear text if you open the EXE in an editor of some sort. Now, the script I have needs to run another .VBS script with "run as". I want to make sure a hacker can't parse the EXE and find out the login that is used in the run as part.
> Is there anything like var$ = SecureString("This text shouldn't be visible in the EXE!")
> Thanks!

Bottom line, AutoIt is NOT secure. You can decompile and de-obfuscate anything done in this language.

Your best bet is to write it in C++ and make a DLL with the verification process inside. It can still be decompiled, but it's a whole lot harder.

Option 2: Create your own obfuscator. I've personally done this and it isn't all that hard. Again, it can be decompiled, but if you make a custom obfuscator none of the current ones will work on it.

Hope this helps

RegEx/RegExRep Tester! | Nerd Olympics - Community App! | Login UDF | Memory UDF - "Game.exe+753EC" - CE pointer to AU3 | Password Manager W/ Source | DataFiler - Include files in your au3!

PsaltyDS Posted October 28, 2008

> Hi everyone!
> As many of you know, text strings are most often visible in clear text if you open the EXE in an editor of some sort. Now, the script I have needs to run another .VBS script with "run as". I want to make sure a hacker can't parse the EXE and find out the login that is used in the run as part.
> Is there anything like var$ = SecureString("This text shouldn't be visible in the EXE!")
> Thanks!

You can get some obfuscation of the data, but not hide it completely from a determined hacker. You could encrypt the string with _StringEncrypt(), put the encrypted string in the script at compile time, and then have the script decrypt and use it at run time. But if the script is decompiled it will be possible to extract the pass phrase used to encrypt the original string, and then decrypt the string itself.

It's an old problem and there is no easy or totally secure answer. As a general rule: Do not hard code significant passwords in a script!

Valuater's AutoIt 1-2-3, Class... Is now in Session!
For those who want somebody to write the script for them: RentACoder
"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
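
The rule PsaltyDS states (no significant password, and no pass phrase that unlocks one, hard-coded in the script) can be checked before a script is compiled. The following Python audit is an added example, not code from any poster in this thread: it flags `RunAs`/`RunAsWait` calls whose password is a literal and `_StringEncrypt` calls whose pass phrase is a literal. It assumes AutoIt's argument order (password or pass phrase as the third argument) and checks one line at a time; the sample script, account names and values are constructed.

```python
import re

# Zero-based position of the password / pass phrase argument (assumed AutoIt order).
SECRET_ARG = {"runas": 2, "runaswait": 2, "_stringencrypt": 2}
CALL = re.compile(r"(?<![\w$])(_StringEncrypt|RunAsWait|RunAs)\s*\(", re.I)

def split_args(line, start):
    """Split a call's arguments, starting just after its '(' at index start."""
    args, cur, depth, quote = [], "", 0, None
    for ch in line[start:]:
        if quote:                       # inside a string: commas/parens are data
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:              # end of the call being inspected
                return args + [cur.strip()]
            depth -= 1
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        cur += ch
    return args                         # call continues on another line

def is_literal(arg):
    """True for "text", 'text', or a concatenation that starts and ends quoted."""
    return len(arg) >= 2 and arg[0] in "\"'" and arg[-1] == arg[0]

def audit(source):
    """Return (line number, function) for every call carrying a literal secret."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(";"):   # AutoIt full-line comment
            continue
        for m in CALL.finditer(line):
            args = split_args(line, m.end())
            idx = SECRET_ARG[m.group(1).lower()]
            if len(args) > idx and is_literal(args[idx]):
                findings.append((lineno, m.group(1)))
    return findings

# Constructed sample script; names and values are placeholders.
SAMPLE = '''\
; RunAs("old", "DOM", "commented out", 0, "x.exe")
$pw = IniRead("cfg.ini", "auth", "pw", "")
RunAs("svc_map", "CORP", "Example-Pa55", 0, "wscript.exe map.vbs")
RunAsWait("svc_map", "CORP", $pw, 0, "wscript.exe map.vbs")
RunAs("svc_map", "CORP", _StringEncrypt(0, "3F9A11", "my key", 1), 0, "wscript.exe map.vbs")
'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The last sample line is the case described above: the password argument is no longer a literal, but the pass phrase that decrypts it sits in the same script, so the audit still reports it.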

Bert Posted October 28, 2008

If they are Domain users, just make an AD group that gives them rights. That way you can avoid the issue you are having.

vaultdweller Posted October 29, 2008 (Author)

Yeah. I think I'll just make the account the script uses part of a specific group that is not part of the domain admins. That way, less harm if the password is found out. Thanks all!