Best way to secure script

11/14/2017 19:03 Szmycu#1

Hello what is the best way to secure autoit scripts right now?

People say prebuild stripper in SciTE is not high secure. Other problem is if I use stripper in my program I use a lot of _Timer_SetTimer functions. After stripping timers not work.

I seen this but now it not work

[Only registered and activated users can see links. Click Here To Register...]

Next thing is [Only registered and activated users can see links. Click Here To Register...]

Is it better than stripper builded in SciTE and got more secure?

Please write me ur knowledge about how to make scripts secure. I know its hard to recieve but tell me ur thoughts

11/14/2017 19:31 florian0#2

Nothing will secure your script. No PeLock, No Themida, No VMProtect, No Enigma, nothing.

Use an AutoIT-Obfuscation to obfuscate the source of your high-value algorithms. Everything else is just useless.

11/14/2017 19:40 Szmycu#3

I know it would not be perfect but something can be done to make it secure as more as it can.

Maybe someone got other obfuscator, crypter etc?

11/14/2017 22:48 elmarcia#4

Compile x64, exe2aut decompiler only support x32 files

11/15/2017 09:46 FacePalmMan#5

You can also just use authentification.

your examplecode:

Code:

Func __CalculateWorldFormula($bob)
	$a = DiscreteLogarithm(Mod($bob ^ 4, 3))
	return $a
EndFunc

becomes

Code:

$HardwareID = _getHWID()
Func __CalculateWorldFormula($bob)
	$sCode = __GetCodeFromServer($HardwareID, "Worldformula-line.au3")
	If @error > 0 And $sCode = "HWID not registered" Then
		MsgBox(16, "Nope", "You son of a nice Mother!" & @CRLF & "You are not allowed to use this!")
		Exit 1337
	EndIf
	$a = Execute($sCode)
	return $a
EndFunc

No If clauses that could be bypassed to grant access. So also no need to protect your code anymore.
If there is an error, the server just doesn't give you the code. And thus you can't find it out. The downsides are that you need to have an FTP-server that has to run 24/7 and you need to register every user that buys a license one by one. (Or you could also write a script for it)

100% safe (in case the attacker doesn't own a license (buying a license + getting your precious code + publishing it for free = no profit = still 100% safe))

Just get yourself a free FTP server, (there are plenty out there) and an webaddress (freedns.afraid.org gives you some like (youraddress).ignorelist.com for free, which is fine for this purpose)

11/15/2017 14:11 Szmycu#6

Ou man great way of thinking and very helpful. I got my server which one is connecting with autoit program and I register all users with license.

I understand the general assumption but dont know exactly how to implement this code.

How it looks now:
- autoit program first gui input login user and pass + check _getHWID
- query to php on server about login user and his HWID
- autoit program recieve response with true or false, login or error
- If everything correct second gui with main functions will be appeared, if not return error

How it will looks with this great authentication method u mentioned?

Where this main code would be saved on ftp, there probably would be a path(web adress) in first gui to main code - second gui saved in ftp?

11/15/2017 20:55 xShizoidx#7

[Only registered and activated users can see links. Click Here To Register...]

11/15/2017 21:40 Szmycu#8

I have tried Safe v1.1.1.rar but after compilation, compiled safe file give me msg. "This file would not work on ur System". I got windows 10 x64 maybe it caused by, but final program must work on windows 10 too.

I tried this too but it not work with new ver of autoit [Only registered and activated users can see links. Click Here To Register...]

only shadow obfuscator will not give me much [Only registered and activated users can see links. Click Here To Register...]

and the ASM I dont know and hopefully would not know

:( :(

11/17/2017 14:55 owadziak#9

Pelock isnt a good idea, cause if u got GUI build to your bot, Pelock will give you Error Everytime you try to obfuscate code with "Case $Variablename"....
I tried to talk with PeLock Dev, but after i send him few msg, about error's he just stop to respond me.
Im also looking for a way to "Protect " my script ;)

11/17/2017 17:23 Szmycu#10

I wrote them about this too [Only registered and activated users can see links. Click Here To Register...]

they only repeat f***ing rhyme about no security way. Sama frajernia xd

11/23/2017 11:03 atom0s#11

No matter how you "protect" your script it will be able to be dumped since it is interpreted at some point.

Quote:
Originally Posted by FacePalmMan
You can also just use authentification.

your examplecode:
Code:
Func __CalculateWorldFormula($bob)
	$a = DiscreteLogarithm(Mod($bob ^ 4, 3))
	return $a
EndFunc
becomes
Code:
$HardwareID = _getHWID()
Func __CalculateWorldFormula($bob)
	$sCode = __GetCodeFromServer($HardwareID, "Worldformula-line.au3")
	If @error > 0 And $sCode = "HWID not registered" Then
		MsgBox(16, "Nope", "You son of a nice Mother!" & @CRLF & "You are not allowed to use this!")
		Exit 1337
	EndIf
	$a = Execute($sCode)
	return $a
EndFunc
No If clauses that could be bypassed to grant access. So also no need to protect your code anymore.
If there is an error, the server just doesn't give you the code. And thus you can't find it out. The downsides are that you need to have an FTP-server that has to run 24/7 and you need to register every user that buys a license one by one. (Or you could also write a script for it)

100% safe (in case the attacker doesn't own a license (buying a license + getting your precious code + publishing it for free = no profit = still 100% safe))

Just get yourself a free FTP server, (there are plenty out there) and an webaddress (freedns.afraid.org gives you some like (youraddress).ignorelist.com for free, which is fine for this purpose)

This isn't really "safe" as it can be bypassed extremely easily.

11/23/2017 19:26 FacePalmMan#12

Quote:

Originally Posted by atom0s

No matter how you "protect" your script it will be able to be dumped since it is interpreted at some point.

This isn't really "safe" as it can be bypassed extremely easily.

Where do you see that it can be bypassed? The code is downloaded by the server. If you are not registered, the server will not give you the code (and that is what you need, cuz that is what the computer needs so that it can know what to do). HWID not registered = Server doesn't give you code = nothing that someone could steal = only bypassable if that person buys your product and then steals your code.
If you want to further protect your code, do the following:

But if you still fear that this might happen, just do the following:
1. Copy all code from the includes into your script (if you are not sure about this point, just decompile a script that has includes and look at where the actual code is)

Example of how it could look like (I took the smallest UDF as an example to keep things easy. If you use things like WinAPI or GDIPlus you will have a few thousand lines, but that's ok. Will be even better for hiding!)

Spoiler

Code:

#include <SendMessage.au3>
_SendMessage(...,stuff,...)

becomes

Code:

#include-once

; #INDEX# =======================================================================================================================
; Title .........: SendMessage
; AutoIt Version : 3.3.12.0
; Language ......: English
; Description ...: Functions that assist SendMessage calls.
; Author(s) .....: Valik, Gary Frost
; Dll(s) ........: user32.dll
; ===============================================================================================================================

; #CURRENT# =====================================================================================================================
; _SendMessage
; _SendMessageA
; ===============================================================================================================================

; #FUNCTION# ====================================================================================================================
; Author ........: Valik
; Modified.......: Gary Frost (GaryFrost) aka gafrost
; ===============================================================================================================================
Func _SendMessage($hWnd, $iMsg, $wParam = 0, $lParam = 0, $iReturn = 0, $wParamType = "wparam", $lParamType = "lparam", $sReturnType = "lresult")
	Local $aResult = DllCall("user32.dll", $sReturnType, "SendMessageW", "hwnd", $hWnd, "uint", $iMsg, $wParamType, $wParam, $lParamType, $lParam)
	If @error Then Return SetError(@error, @extended, "")
	If $iReturn >= 0 And $iReturn <= 4 Then Return $aResult[$iReturn]
	Return $aResult
EndFunc   ;==>_SendMessage

; #FUNCTION# ====================================================================================================================
; Author ........: Valik
; Modified.......: Gary Frost (GaryFrost) aka gafrost
; ===============================================================================================================================
Func _SendMessageA($hWnd, $iMsg, $wParam = 0, $lParam = 0, $iReturn = 0, $wParamType = "wparam", $lParamType = "lparam", $sReturnType = "lresult")
	Local $aResult = DllCall("user32.dll", $sReturnType, "SendMessageA", "hwnd", $hWnd, "uint", $iMsg, $wParamType, $wParam, $lParamType, $lParam)
	If @error Then Return SetError(@error, @extended, "")
	If $iReturn >= 0 And $iReturn <= 4 Then Return $aResult[$iReturn]
	Return $aResult
EndFunc   ;==>_SendMessageA

_SendMessage(...,stuff,...)

2. Hide some really nasty code that checks for @compiled (or instead of @compiled you may try: Execute(BinaryToString("0x40636F6D70696C6564")) is the same but is much harder to find) in it. (I would love to see a script that makes the leechers reply to your thread with "I have tried to leech your code. But I am too dumb and have not enough skills for that." and then deletes their accounts)

Example code:

Spoiler