Jump to content

Secure string ?

vaultdweller
 Share

Recommended Posts

vaultdweller Seeker

vaultdweller

Posted
Posted (edited)

Hi everyone!

As many of you know, text strings are most oftenly visible in clear text if you open the EXE in an editor of some sorts. Now, the script I have needs run another .VBS script with "run as". I want to make sure a hacker can't parse the EXE and find out the login that is used in the run as part.

Is there anything like var$ = SecureString("This text shouldn't be visible in the EXE!")

Thanks!

Edited by vaultdweller
Link to comment
Share on other sites
vaultdweller Seeker

vaultdweller

Posted
  • Author
Posted

Could you transpose the VBS script to autoit?

Thanks for the reply, but either way the problem remains. It's for a login script, where Domain Users will have to impersonate another account to reach network resources that as themselves, they don't have any access to.

Link to comment
Share on other sites
Szhlopp Universalist

Szhlopp

Posted
Posted

Hi everyone!

As many of you know, text strings are most oftenly visible in clear text if you open the EXE in an editor of some sorts. Now, the script I have needs run another .VBS script with "run as". I want to make sure a hacker can't parse the EXE and find out the login that is used in the run as part.

Is there anything like var$ = SecureString("This text shouldn't be visible in the EXE!")

Thanks!

bottom line, Autoit is NOT secure. You can decompile and de-obfuscate anything done in this language.

Your best bet is to write it in C++ and make a DLL with the varifcation process inside. It can still be decompiled, but it's a whole lot harder.

Option 2:

Create your own obfuscator. I've personally done this and it isn't all that hard. Again, it can be decompiled but if you make a custom obfuscator none of the current ones will work on it.

Hope this helps

RegEx/RegExRep Tester!Nerd Olympics - Community App!Login UDFMemory UDF - "Game.exe+753EC" - CE pointer to AU3Password Manager W/ SourceDataFiler - Include files in your au3!--- Was I helpful? Click the little green '+'
Link to comment
Share on other sites
PsaltyDS Universalist

PsaltyDS

Posted
Posted

Hi everyone!

As many of you know, text strings are most oftenly visible in clear text if you open the EXE in an editor of some sorts. Now, the script I have needs run another .VBS script with "run as". I want to make sure a hacker can't parse the EXE and find out the login that is used in the run as part.

Is there anything like var$ = SecureString("This text shouldn't be visible in the EXE!")

Thanks!

You can get some obsfucation of the data, but not hide it completely from a determined hacker. You could encrypt the string with _StringEncrypt() put the encrypted string in the script at compile time, and then have the script decrypt and use it at run time. But if the script is decompiled it will be possible to extract the pass phrase used to encrypt the original string, and then decrypt the string itself.

It's an old problem and there is no easy or totally secure answer. As a general rule: Do not hard code significant passwords in a script!

:P

Valuater's AutoIt 1-2-3, Class... Is now in Session!For those who want somebody to write the script for them: RentACoder"Any technology distinguishable from magic is insufficiently advanced." -- Geek's corollary to Clarke's law
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...